These days, I spend a lot of time talking to our cloud-based clients about Cybersecurity Maturity Model Certification (CMMC): what it is, why it’s important, and how they can prepare. As one of the leading cybersecurity consulting firms and third-party assessment organizations (3PAO), Coalfire’s clients range from small businesses to the largest technology companies in the world, many of which offer essential services to the Department of Defense (DoD). Our firm conducts compliance assessments across multiple frameworks such as SOC, ISO, HIPAA, HITRUST, PCI, FedRAMP, NIST 800-53, NIST 800-171, DFARS, DoD SRG, and many others. Many of our customers are cloud services providers (CSPs) that undergo multiple audits every year to maintain their security posture and the compliance certifications required to offer services in their various markets. To them, the DoD’s new CMMC may seem like just another framework.
In anticipation of these future requirements, many forward-looking firms are already mapping the security controls they are assessed against each year to the CMMC practices. However, if firms rely solely on this approach, the significant nuances and unknowns can lead to pitfalls. To plan properly for navigating CMMC requirements, it is crucial to understand the differences between these security frameworks and what makes CMMC unique.
What we know about CMMC and what we don’t
The CMMC program is a much-needed security standard for the Defense Industrial Base (DIB). We know that the program seeks to assess whether good cybersecurity controls or practices are implemented, and review the maturity of the organization implementing them. Most importantly, CMMC will help to improve the overall cybersecurity posture of the DIB and our national defense supply chain. Beginning in 2020, it will impact every current and potential DoD contractor that intends to pursue new DoD contracts. Independent assessments of organizations will be implemented to add rigor to the certification process. CMMC offers a comprehensive approach to cybersecurity that starts with the acquisition process. Read my previous blog to learn more about the CMMC framework.
Defining the meaning of “enterprise” is key to determining the scope and cost of certification at each CMMC level. What does that mean to large, global organizations or those that provide cloud services to the DoD? What controls or practices should firms expect to follow to be able to compete for and perform the contracts they seek with the DoD?
It does not really make sense to talk about frameworks and planning for assessments until the testing scope is understood. From a practitioner’s perspective, before we can even start planning a risk or compliance assessment, we must identify two critical factors to determine scope. In fact, Coalfire’s standard practice is to walk through these factors before every assessment.
First, the assessor must understand and document which controls, standards, practices, parameters, and requirements will be applied to the assessment. For the Controlled Unclassified Information (CUI) program, these are covered in NIST Special Publication 800-171. Additionally, requirements that relate to cybersecurity are spelled out in DoD contracts and their prescribed Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These standards, controls, practices, parameters, and requirements allow the assessor to determine the depth of an assessment. Breadth is primarily determined by the second critical factor: the boundary.
For that second factor, assessors scope their assessment within the bounds of an imaginary line drawn around the components, from both an organizational and a data-flow standpoint. This is the assessment boundary. Anything that crosses this imaginary line and connects to something else will be characterized for risk and compliance. Interconnection security agreements, discovery scanning, data-flow diagrams, firewall rules, and customer responsibility matrices are just a few of the artifacts that can help define the assessment boundary.
The CUI program and the DoD Cloud Computing (CC) Security Requirements Guide (SRG), in conjunction with the FedRAMP program, provide guidance for determining the assessment boundary. While we wait for DoD and the CMMC Accreditation Body to finalize their CMMC implementation guidance, including boundary scoping, organizations are advised to focus on current CC SRG, CUI and DFARS requirements.
The CUI Program and DFARS
The CUI program was established in 2010 by Executive Order 13556 and incorporated into the Code of Federal Regulations (CFR) in 2016, with the goal for all DoD contractors to be compliant by the end of 2017. The program was specifically designed to protect unclassified information deemed sensitive enough by the owning agency to control its dissemination. The National Archives and Records Administration has executive oversight of the program, but each federal agency is responsible for its implementation.
The focus of the CUI program is confidentiality, and while no agency can add additional requirements or controls to the program, the DoD complements the standards through the DFARS 7012 and 7010 contract clauses, which take aim at incident reporting and cloud security. In order to comply with the CUI program, a contractor must attest that it has implemented the 110 controls for safeguarding CUI on its non-federal information systems as defined in NIST 800-171. The boundary in scope for CUI program compliance is determined by the path of the CUI data on these contractor systems and is very information-system centric.
One of the stated shortcomings of the CUI program is that contractors can “self-attest” to compliance with the DFARS clauses and 800-171 controls. To counter this weak spot, the CMMC requires an authorized CMMC third-party assessment organization (C3PAO) to conduct the compliance assessment and recommend certification. For some government contractors, the requirement to get a third-party attestation to do business with the DoD isn’t new. Cloud services providers (CSPs) have always been required to obtain an independent risk assessment to receive a provisional authorization to operate under the requirements of FedRAMP and the DoD Cloud Computing Security Requirements Guide (CC SRG). But according to DFARS 7010, even if a DoD contractor is not a CSP, it still may need to meet the requirements of the CC SRG. The clause states that “when using cloud computing to provide information technology services in the performance of the contract”, a contractor must meet the requirements of the Defense Cloud Computing Security Requirements Guide.
“…even if a DoD contractor is not a CSP they still may need to meet the requirements of the CC SRG according to DFARS 7010.”
DoD cloud computing security requirements
In late 2014, the DoD CIO issued guidance for acquiring and using cloud services. The guidance heavily leverages the FedRAMP program, as well as additional controls, parameters, and requirements as defined in the CC SRG. The CC SRG applies to DoD-provided cloud services and those provided by a contractor on behalf of the Department¹. The guide details the requirements for information systems rated at impact levels from 2 to 6 (there is no level 1 or 3). Impact level 2 is equivalent to FedRAMP’s “Moderate” requirements, which are based on NIST SP 800-53 controls. Impact level 5 is required for systems that are considered “national security systems”, while impact level 6 is reserved for classified offerings.
Interestingly, according to the DoD CC SRG, CUI can only be stored and processed on an impact level 4 (IL4) accredited cloud service offering or higher. This is a much higher bar than the CUI program alone, because an IL4 authorization requires that no fewer than 363 NIST 800-53 security control implementations be assessed and validated by a third-party assessment organization (3PAO), versus the 110 or so NIST 800-171 controls that the current CUI program requires to be self-assessed. Additionally, many of the NIST 800-53 controls required for IL4 have more stringent parameters than the controls in NIST 800-171.
There are many other complexities involved in an IL4 certification, such as requiring a DoD internet connection access point (CAP) and more stringent personnel screening. These CSPs must also have already been assessed by a 3PAO and received a FedRAMP “Moderate” or higher Authorization to Operate (ATO). Implementing these much tighter security requirements typically costs more than self-attesting to DFARS and NIST 800-171 compliance. From an assessor’s standpoint, an IL4 assessment requires a significantly higher level of effort to test and validate.
What does all this mean for DoD contractors that are not CSPs but use cloud services? If a DoD contractor stores or processes CUI on its corporate information systems, doesn’t that mean it is hosting on behalf of the DoD? Does it need to meet the requirements for IL4 or the CUI program? NIST 800-171 or NIST 800-53? 363 controls or 110? What CMMC level should it pursue if it already has an IL4 authorization?
While we don’t know all the answers yet, DoD contractors that use cloud services but are not CSPs will likely need to target CMMC at the appropriate level for the contracts they intend to pursue. CSPs should also prepare to obtain CMMC at the maturity level required for their contracts with the DoD (as a prime or sub), and should ensure their offerings are DISA IL4 compliant (or above) if they want to support customers that wish to store or process CUI using their services.
¹ Defense Information Systems Agency (DISA), Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3, dated 6 March 2017