Welcome back everybody to Part Two, what you need to know about CMMC and becoming compliant, so that you can compete on future government contracts. I’m Bob Hanley from Sabre Systems, hopefully you remember me from our first in the series, which we did last week, Part One, where we covered awareness and training, one of the 17 domains of CMMC.
And let’s remember, CMMC is about protecting CUI (Controlled Unclassified Information) and our goal is to give you the information you need to get CMMC level 3 qualified, which will be the minimum to be a prime contractor. CMMC has 5 levels, 1 to 5. You will get extra points for being CMMC level 4 or 5, and some contracts in the future may actually require something above level 3, but we are gonna be focusing on CMMC level 3 today and we’ll be covering the second domain in our series here: configuration management, or CM.
So CMMC is a critical factor in all contracting in the future that will be coming out, and this year will be phased in later in the summer with a small number of contracts coming out with CMMC requirements. As we progress into 2021 and beyond, you can expect more and more contracts coming in with the minimum level 3 requirement for CMMC to be a prime contractor. Subs will also need to be minimum level 1, so remember, if you have subcontractors you will need to monitor them to make sure that they achieve the minimum level 1.
CM, configuration management, doesn’t have any level one requirements or controls, so today we’re going to talk about level 2 and level 3. There are some additional requirements for level 4 and level 5, but today we’re just going to talk about getting you to the level 3 requirement. So what is CM, configuration management? What are the things that you need to focus on? I’ll pause for a second and let you think about that. Okay, so you probably didn’t come up with anything if you haven’t read any CMMC, but the two key things that you need to think about are establishing configuration baselines, that’s number one. Number two, perform configuration and change management – two things that you may or may not have been doing within your company, and we’re going to talk about the factors that are required to get you to level two and level three.
So CM level two: six practices, or controls, as they were referred to. We’ll go through them each briefly here, the first six for level two and the additional three for level 3 on the CMMC scale. Our first one here at CMMC level two focuses on establishing and maintaining baseline configurations and inventories of organizational systems – think hardware, software, firmware. What are the configurations? Do you know what they are? Do you know what the endpoints are in your corporation, and what are endpoints? Endpoints: desktops, laptops, servers, workstations, smartphones, tablets, all of these things fall into the category of endpoints. You can also consider them access points to your company, because somebody could access through any one of those endpoints to figure out a way to access or attack your corporation and compromise it in some way.
So the goal of this particular control that is applied here at level two is to protect your company in that way. So what are things that you need to know? Understand your baseline configuration, understand things like security patches and how they’re applied, software updates, when they’re pushed, you know? Think of this even in your home computers. So if you didn’t maintain your virus protection and firewall, how long would it be before you got compromised? Pretty quickly, you know? And you may do the minimum amount of protection on your home system, but probably everybody listening to this at one time or another has had their home laptop/computer compromised in some way with a virus. You don’t want that in a corporate situation because you’re only as strong as your weakest link.
So if you have a lot of laptops or endpoints across your company and you don’t pay attention to a couple of them, but there’s still access to all the rest of your corporation, then you set up a vulnerability that could compromise your whole system. So think about that, understand what the security practices are associated with your systems. Some companies don’t have any idea how many laptops they even have. We actually worked with a company; when we talked to them about their endpoints, they actually answered by saying “we right now can’t tell you how many laptops we have in the company, we can’t even tell you what software is installed on many of these laptops, and we have no idea if one or more of these laptops has a virus”. Not a situation you want to be in. So this is an area that you want to come forward with and make sure that you’re applying all the right configuration management, that you put those security patches out to all of your systems, and you probably need a CCB, a configuration change control board, that oversees this for your company. Even if you’re a small company you need to have some dedicated IT manager that’s making sure that all of your endpoints are consistent, the same, all the patches are applied, all the software updates are applied uniformly across your system.
So what’s the second practice? Well the second practice deals here with employing the principle of least functionality by configuring your organizational systems to provide only essential capabilities. So what does that mean? Well it means that if you have ten laptops in your company and one person’s a financial analyst and one person is a software developer, one person’s the president or CEO, one person is your HR person, etc., they all don’t necessarily have to have the same access to all the same information across your company. So you need to make sure you understand what the requirements are and what the least functionality is that each endpoint requires for that individual that uses that endpoint to do their job in the big picture of things. Think of it in terms of the President of the United States – How many people really should have the nuclear launch codes? Right? So you’ve got the president and maybe one or two other people or a very small number of people actually have that. Every federal government employee should not have access to the nuclear launch codes. So that’s an extreme example of what we’re talking about here, but that is simplistically what we’re talking about when we talk about least functionality on your organizational systems. What should you do? Disable unused ports and services, remove software that’s not required, review the role and minimum required capabilities of your system, and you might have numerous variations, remember that. So again, everybody may have a different requirement on their endpoint or laptop or system that they have, so you may have multiple configurations, but you still need to manage it and still make sure that you’re understanding the least functionality associated with that.
Okay, the third focus area that we’re gonna talk about is controlling and monitoring user installed software. So think about this on your home laptop as well – you go out and buy a new computer at Best Buy, you bring it home, boot it up, one of the first things you’re going to see are a bunch of windows that will pop up and say “this software is pre-installed on your computer, do you want to activate it for $39.95?”…”this software is installed”, etc., so that’s common practice when you’re buying laptops off the shelf at places like Best Buy, etc. So those are things that you have to control because a lot of times they’re going to come with malware, which isn’t necessarily malicious code but malware in there that could be tracking what you’re doing, seeing what sites you go to, etc. So you definitely want to control and monitor user installed software, and you need to ensure that your team and staff can’t just randomly download software, especially from unknown sources, that could impact the least functionality of that system, and that happens frequently even on controlled systems, you will get pop-ups from sites. Adobe may come up and say “the latest update is available to download”; maybe you don’t have the admin rights to do that, and you should have somebody that’s controlling that for configuration management as well as making sure you’re controlling the installed software on your system. Many organizations block this capability and they put permissions out there for what you are allowed or not allowed to do. I used to work for the Navy, Navy Marine Corps internet system, and they had a lot of administrator control functions on there that precluded me from being able to download any software on the system. So your company needs to look at that, make sure those kinds of protections are built in. So that’s an example.
You get solicited friend points to download updates or new software that may be perceived to help you do your job better, maybe you just want to download Spotify or something like that to your laptop, so there are many things that keep, you know, hitting you every single day that you’re working in the cyber world that, in some cases, are all valid, good, may be no problem to your system, but there’s always that one that can slip through and end up compromising your system – be aware of that, don’t let that happen, don’t let it break the chain of your configuration management.
So the fourth focus area is establishing and enforcing security configuration settings for information technology products that you may employ in your company. Do you know what a security setting is? Some of you do, some of you probably don’t, but you use them every day, and that’s the key thing: a lot of these things you just get used to using, but you don’t realize you’re using them and you don’t even necessarily know how important it is to you to actually understand and know how these security settings are applied and what they’re applied for. So settings can range anywhere from firewalls, sites being blocked, least privilege capabilities, application control policies, downloading policies, etc., and there are a lot of settings built in to protect that, most of which are controlled by your admin or your IT person in your company. Those are good things and they should be consistent across your company, and you should make sure the proper settings are in place; you don’t necessarily want to overprotect, and you definitely don’t want to under protect. So another example: back when I worked for the Navy and with NMCI, unfortunately some of the security settings were set so high that you couldn’t even access sites that were Navy secure sites, so there were times when working for the Naval Air Systems Command I could not actually access a Secretary of the Navy site that was blocked because our setting was too stringent. So it prohibited me from doing certain aspects of my job and you have to go back and then get settings changed, etc., so it is a constant iterative process to make sure those security settings are all in place and monitored and applied. The next area: tracking, reviewing, approving, disapproving and logging changes to your system.
So how are you managing your configurations? Small companies, maybe ten people or less, may have limited CM being done, but even small companies need some IT lead or leader within the company that understands your requirements and makes sure all of these areas we’ve been talking about are being applied. Not just the Geek Squad; if you’re a company and you have intellectual property, you have critical financial data, you have customer data, etc., no offense to the Geek Squad, but you want to make sure that your security is configured for your company and gives you the best protection to ensure that you don’t have a work stoppage. Maybe you have a monthly Configuration Change Control Board, maybe that should be implemented, and that is in place to help you understand your fiscal and computing cyber environments and how to protect them.
So that CCB may be where you approve changes and updates and upgrades and make sure all your tools work together. As your company continues to evolve and grow, you’re gonna find more and more tools, which then gets into a more complicated least functionality solution for you as you try to figure out how all these endpoints work together. Are you implementing the right tools for your workforce? You don’t want to buy tools that you’re not really going to need. You don’t want to buy the wrong virus protection or firewalls, etc., you want the right one for your particular job, and that’s where making sure this all comes to fruition under this particular focus area is critical. And don’t forget, you may have developer tools and HR tools and recruiting tools and financial tools all across your different endpoints that all have to work together. Understand how you’re going to track, review, approve and disapprove changes to those, very important to your home.
And the last one for CM level 2 is a practice that centers around how you analyze the security impacts of changes prior to implementation. See, your organization’s constantly changing and adapting to the cyber world. Internet of Things (IoT), it’s changed the way many organizations operate. Think about COVID-19 – how has that changed your company? It certainly has changed ours. It certainly has changed the way the Department of Defense works and the federal government works, etc. Prior to COVID-19, a lot of people didn’t do a lot of remote work. Post COVID-19, it’s now a normal, almost everyday occurrence that a significant part, maybe your entire company, is working remotely. Some companies have come out and stated that they will be working remotely for the rest of the year.
Alright, so that’s changed how we do things, right? So maybe your company did very little remote work and now you do a lot – you Zoom, you use Teams, you use Skype, you use online chat for Windows, you use IMO desktop. How are you communicating with everybody in your company? Every one of those tools that I talked about has certain security issues/concerns that may apply to your company. Not all of them necessarily apply; maybe one applies to one company but a different one to another company, it depends what you’re trying to protect. It also depends what you’re talking about as you work remotely with the rest of your company. They each come with different security risks and protocols, make sure you find the right one that fits your company, and especially if you plan to talk corporately remotely about IP or personally identifiable information or controlled unclassified information, etc., very important to make sure you’ve got the right one.
So let’s talk about CM level three. Configuration Management level three has three practices: the first one we’re going to talk about is defining, documenting, approving and enforcing physical and logical access restrictions associated with changes to your organizational systems. It sounds like a lot of work, right? But what does that mean to you? Well it means that, let’s say you have servers or you work in the cloud or you have a data center and you have somebody who’s supposed to be managing this, well you definitely don’t want everybody to have access to these servers and data centers, etc., so you have to figure out how you’re going to allow changes and modifications to be performed by an authorized individual, and possibly use things like key cards for access into these systems, and maybe locked and not allowed to just let anybody come through. So think about that, how are you gonna protect access to these resources that you’re using in the company? You will need to determine how you define and document this even for a small company, so keep that in mind. Second practice: restricting, disabling, preventing the use of non-essential programs: functions, ports, protocols, services, etc. This actually complements least functionality. Remember, CMMC level 2 is a segue between level 1 and level 3 where you’re increasing your cyber hygiene: level 1 is the minimum for subcontractors, level 3 the minimum for prime contractors, so level 2 is a building block to get you to level 3.
So level 2 is about documenting your policies and procedures, level 3 is about managing these policies and procedures and ensuring good cyber hygiene. So remember, as you’re building from level 1 to level 3 you’re figuring out how you’re going to document your policies and procedures, but then you’ve got to manage them; you can’t just do it once and done, you have to be good at managing them once you get to level 3. So if you purchase new endpoints and configure them according to your corporate policies, do you have a system that automatically removes unnecessary services, that stops using certain protocols, or closes unused ports? You will need to ensure you complete the configuration by securing the system, and that’s what this particular practice covers.
And then the final practice for CM level 3 is referred to as blacklisting. Alright, so what is blacklisting? Blacklisting is denying, by exception. This is to prevent unauthorized software from being used and also complements the CMMC level 2 requirements, but through a management process. So you’ll hear the terms blacklist and whitelist, and we hear that every day in society, so not surprisingly blacklist and whitelist are opposites. A blacklist details known malicious or suspicious entities that shouldn’t be allowed access or to run on your system or network. Conversely, a whitelist is the list of acceptable entities such as software applications, email addresses, users, processes, devices, etc. that are allowed access to a system or network, and then you block everything else. So it’s based on a zero trust principle which essentially denies all and allows only what is necessary. So blacklisting and whitelisting are complementary here, and it’s very important for your organizational setup and how you manage your systems.
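The baseline-and-inventory practice described earlier (know your endpoints, keep them on an approved, least-functionality configuration) and the deny-by-exception versus allow-by-exception distinction just covered can both be expressed as one drift check. The following is an added example for this write-up, not code from the talk or from Sabre Systems; every hostname, package name, service and baseline in it is constructed sample data, and the role baselines and inventory are assumed, not taken from any CMMC reference.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    software: frozenset  # packages that must be present (and, in allowlist mode, the only ones allowed)
    services: frozenset  # services permitted to run
    ports: frozenset     # TCP ports permitted to listen

# Constructed role baselines: least functionality differs per role (the analyst-vs-developer point).
BASELINES = {
    "developer": Baseline(frozenset({"vscode", "git", "edr-agent"}),
                          frozenset({"sshd", "edr"}), frozenset({22})),
    "finance": Baseline(frozenset({"excel", "edr-agent"}),
                        frozenset({"edr"}), frozenset()),
}
# Asset inventory the CCB maintains: host -> role (constructed hostnames).
INVENTORY = {"dev-lt-01": "developer", "fin-lt-01": "finance", "fin-lt-02": "finance"}
# Deny-by-exception (blacklist) of software names (constructed).
DENYLIST = {"torrent-client", "remote-admin-trial"}


def check_endpoint(host, snap, mode="allowlist"):
    """Compare one snapshot {"software", "services", "ports"} with the baseline for the
    host's inventoried role and return (host, kind, item) findings. mode="allowlist"
    flags any software outside the baseline (deny all, allow only what is necessary);
    mode="denylist" flags only DENYLIST hits. Services and ports always follow the baseline."""
    role = INVENTORY.get(host)
    if role is None:  # a device nobody inventoried is itself a CM gap
        return [(host, "unregistered_endpoint", host)]
    b = BASELINES[role]
    out = []
    for pkg in sorted(snap["software"] - b.software):
        if mode == "allowlist" or pkg in DENYLIST:
            out.append((host, "unapproved_software", pkg))
    for pkg in sorted(b.software - snap["software"]):
        out.append((host, "missing_required_software", pkg))
    for svc in sorted(snap["services"] - b.services):
        out.append((host, "nonessential_service", svc))
    for port in sorted(snap["ports"] - b.ports):
        out.append((host, "unexpected_listening_port", str(port)))
    return out


def check_fleet(snapshots, mode="allowlist"):
    """Check every reporting host, then flag inventoried hosts that sent no snapshot:
    you cannot patch or verify an endpoint you cannot see."""
    out = [f for h, s in snapshots.items() for f in check_endpoint(h, s, mode)]
    out += [(h, "not_reporting", h) for h in sorted(set(INVENTORY) - set(snapshots))]
    return out

# Constructed snapshots: a compliant developer laptop, a drifted finance laptop,
# and a laptop that was never added to the inventory.
SNAPSHOTS = {
    "dev-lt-01": {"software": {"vscode", "git", "edr-agent"}, "services": {"sshd", "edr"}, "ports": {22}},
    "fin-lt-01": {"software": {"excel", "spotify", "torrent-client"}, "services": {"edr", "telnetd"}, "ports": {23}},
    "unknown-lt": {"software": set(), "services": set(), "ports": set()},
}

if __name__ == "__main__":
    for host, kind, item in check_fleet(SNAPSHOTS):
        print(f"{host}: {kind} -> {item}")
```

Running it in denylist mode lets the same drifted laptop through with Spotify installed but still flags the blacklisted client, the missing EDR agent, the telnet service and its port, which is the practical difference between the two models the talk contrasts.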
So there you have it, today we covered those nine practices on CM, Configuration Management, to get you to CMMC level 3. Things you need to do: get a handle on your cyber assets and endpoints; if you don’t know that, you’re already starting in the negative. As a minimum, you need to understand all of the endpoints that your company uses and how each of your staff members and employees are able to communicate and access with each other. Are they using the right assets? Do they have the right functionality associated with your system? Etc. Determine your requirements for a CCB and an IT lead and how you manage configuration management overall. Failure to do so can lead to a wide range of vulnerabilities and risk to your organization, and it could result in a stop-work or loss of critical data and information; you don’t want that to happen. So regardless of being compliant with CMMC level 3, these are just good practices that you should do today for your company to protect yourself and protect your future. Fund a program; it should be obvious that once we put that criticality associated with this configuration management, you need to fund it and you need to make sure you do it and you need to make sure you sustain it, hence the management of it.
And lastly, as I said last week, become familiar with CMMC in general and NIST SP 800-71 and 800-53. Those are the building blocks for the CMMC levels that we’ve been discussing. So that’s two down, 15 to go on our domains. I hope you’ll join me next week when we move on to our third domain, and I appreciate you taking the time to spend with Sabre and me to talk about CMMC level 3 compliance.
Thank you, have a great day, stay safe, stay cyber safe, thank you.