Welcome everybody to part one of a 17-part series on CMMC (cybersecurity maturity model certification).
There are 17 domains within the CMMC and if you’re a contractor for the Department of Defense you will need to be aware that CMMC requirements are going to start becoming effective later this summer and into the fall as the DoD starts to release RFPs that will require you to be CMMC certified.
Today we’re going to talk about one of the domains, awareness and training, and if you are going to seek a DoD contract you’re going to be required to be at a minimum level one CMMC, or, for a prime contractor, you’ll need to be at level three.
Awareness and training, or AT as it’s referred to, does not have a level one requirement, so today I’m just going to talk to you about level two and level three requirements.
So let’s start with AT level two practices or controls. This is an area where you need to be focused on ensuring that the managers, systems administrators and users of the organizational systems are made aware of the security risks associated with their activities, and that they understand the relevant policies, standards and procedures.
So, hopefully everybody would understand that you should have an awareness and you should have training, and you should understand why you have this training, hence the policy standards and procedures.
So, if you’re running the organization and you’re going to start implementing this level two AT requirement you need to determine the type of content and the frequency of the security awareness training that you have and ensure that the training is tailored to the individuals within your organization, and for the authorized access levels that they have to those systems.
That is not that difficult to do, but again it also depends on how large your organization is. If you have 10 people in the organization, that may be very simple for you to do to figure that out. If you have an organization of 500 or a thousand or 10,000, obviously the complexity goes up significantly as you move on.
So remember, CMMC level 2 is a transitional level of requirement – level one being primarily the subcontractor, level three all primes, and levels four and five getting into much higher requirements for more complex contracts.
But level two is a transitional between the level 1 and level 3 where you start bringing in better hygiene to your controls, and so it’s a steppingstone from level 1 to level 3.
Everybody, theoretically, should be level one certified already, regardless of the AT we’re talking about today. If you’re “FAR 52” compliant you may not have tracked that, you may not have documented it, but you probably are and didn’t know it.
But again back on the AT level 2, so now you’ve determined the content and the frequency of the security awareness training so what does that actually mean? You know what kind of training are we talking about?
Well, let’s talk about phishing. Probably everybody who’s listening to this has had some example of a phishing scam that has occurred on their email, whether it’s at home or at work. I’ve had them in both places – we do that as part of our cyber company, we get hired by companies to actually run phishing examples against the various companies to see what their risk and vulnerability is to phishing.
So an example: we had a company that we were doing a phishing expedition on, if you will, so we researched some of their employees and went onto the dark web, found out which employees had had compromised passwords or compromised emails, etc. in their history, and then we targeted those individuals in the phishing scam.
So we also had access to the company’s actual email protocol, so we were able to send out phishing emails that actually looked like the corporate email. And so for one individual, in particular, that person had a son that played baseball at a college up in the Philadelphia area, and we went in and sent a phishing email to this person and said that “Well hey, our sons played baseball together at the same time at this college and I have dozens and dozens of photos of them together playing games… if you’re interested I uploaded them to the cloud and here’s the link for you to be able to download pictures of your son”.
And sure enough, that person clicked on the link and in so doing set up a potential compromise of that organization. So, part of this training and awareness, for AT at the level 2 area, is to make your employees aware of these phishing-type scams that occur, make them aware that if you have some concern about any email that you get, you go in and look at the address, click on it and see if it’s the legitimate address.
And oftentimes when you click on it you’re gonna find some string that doesn’t make any sense to you and you can tell immediately that it is not a legitimate email source that’s coming into your organization. So that’s the first and easiest way to do it.
You can also watch out for links that are on the email, so if you get an email that says “hey click here for something” and you’re really not comfortable with the email and the source of the email you shouldn’t click on it. If you think there’s a potential for it to be legitimate, call up the originator of the email and make sure it actually came from a legitimate source before you click on that link.
And also look for grammar errors. We’ve all probably seen emails that come in from various sources and says “Hey I can transfer a million dollars to your account if you’ll just give it to me right now and you’ll get to keep 10% of it”, you know, those scams occur all the time.
But more often than not they’re written in very broken English and very poor grammar, and it should jump out at you that these are phishing scams that are coming into your organization. If you get one of those, you should forward that email to a designated IT security administrator within your organization.
So let’s look at a second one at the level 2 for AT – there are only two at the level 2 – that one focuses on your need to ensure that your personnel are properly trained to perform their assigned duties and responsibilities.
Hopefully, you’ve included training in this. So as you bring employees on and you’re providing them training and hopefully you’re funding and setting aside funding for those training opportunities, you train your systems administrators, you train your security people to understand how to execute those responsibilities that you’ve provided to them.
So, in addition to providing the previous authorization-based training, you should also consider role-based training – addressing management, operational and technical roles that cover physical, personal and technical controls. So the role-based portions of this training are part of the level 2 AT control that we’re applying here.
So here’s an example: your company should have a firewall; it’s highly unlikely that you don’t. If you don’t have a firewall, you’ve probably already been compromised from a cyber standpoint. But your company should have a firewall, and those firewalls are frequently updated as a result of new vulnerabilities that exist over the Internet, and then you put patches in for the firewall to ensure that you have the proper protections in place for the current known threats that exist.
So the firewall, like I said, is upgraded and you need to identify who’s responsible for ensuring that it’s turned on and used effectively. They should always be using the current version that’s in effect and they need you, as a company, to provide training funds and training for this person to make sure they’re aware of this particular tool, this protection that you have on your system, and apply it appropriately and keep it updated appropriately.
So then you get to level 3, and we have one additional control that’s provided to get you to the level 3 CMMC certification. So at level 3, you’re going to need to provide security awareness training related to recognizing or reporting potential insider threats.
So remember people are usually your number one potential security risk. So you need to train your employees to observe unusual behavior, indicators or situations that could lead an employee to become a security risk.
So we’ve all probably seen this at times, and may not have actually thought of it as a signal or an indicator that this person might be susceptible to becoming a risk. Being susceptible and being a risk are two different things, but you need to understand both of those. You need to understand the people that are susceptible and then you need to track that to make sure that they don’t actually become a security risk.
Things that can affect us: divorces, deaths in the family, all of a sudden you notice some unusual affluence, or an employee starts to ask a whole bunch of questions about the company that are above their current authorization level, or they’re working unusual hours, you know? Maybe it’s a nine-to-five office and this person is always working late at night.
So those are things that typically should tip you off that you might have an employee that is a risk, that could be susceptible due to any personal or family situation that’s come about that you need to pay attention to. And this isn’t a snitch, you know?
So we don’t want to make this look like “Hey I’m going to report on every single person in the organization and everybody’s, you know, gonna throw everybody else under the bus”, that’s not the intent of this but it is important for any given company to make sure they protect the company as a whole, which in turn, protects every individual on the company – for their livelihood, for the resources, for the revenues, etc.
So it’s everybody’s responsibility to make sure that you’re looking out for potential risk, particularly insider threats. So I’ll give you an example: I used to work for the Navy and there was a person who got turned in who was making fifty-six thousand dollars a year but was living in a two million dollar home and driving a top-of-the-line Mercedes. And it was only found out because somebody stopped by their house, thinking they were doing a good deed, to deliver something that they needed to do some additional work, and they knew this person was gonna be out for a couple days, so they said “Hey, I’ll look up his address and drop this off on the way home”. And they drove up to, like, a two-million-dollar home, and they knew the person’s making like fifty-six thousand dollars, because it’s the government and everybody knows how much everybody makes.
So that person reported to security that they thought “Hey, this is kind of unusual affluence for somebody making fifty-six thousand dollars a year”. So an investigation was done and it turned out that this employee was diverting funds from the government into his own personal account and actually had scammed the government out of about seven million dollars. So diligence on the part of one of the workers there highlighted a situation, an indicator that was unusual, and they reported it to security – a positive outcome for the government, obviously a negative outcome for the security risk, which in this case, since the person did actually break the law, was a positive outcome for everybody except that person. So, things you should do:
All right, determine your training needs, the content and the frequency, do that as soon as possible, that’s not hard to do. It does get more complicated the more people you have, but it is not that difficult to do.
Ensure you place an importance on the awareness training and the requirements from the top on down. What does that mean? It means that if you’re the CEO, if you’re the president, if you’re a C-suite person, if you’re the supervisor, etc., don’t impose a requirement on your employees and then not do it yourself.
And I’ve seen those during my career where people in the C-suite are too lazy, too busy to actually take the training and they’ll delegate it to, like, their administrative assistant or somebody else to take it, to say that they had completed the training – don’t be that person. Lead by example, take the training, make sure your employees see that you take the training and that they see you think it’s just as important for you to take it as for them, and then it flows downhill and everybody will get on board with you.
Make sure you set aside funding for the training, and that may be difficult at first, but if you think about how much money you can lose if you got compromised versus putting in a good program to keep you from getting compromised, you can see the cost-to-benefit ratio is in favor of doing the training. And make it a part of your culture, you know? Make it a part of your culture to have good cyber hygiene, and that starts with awareness and training, you know?
And make sure people know this is not a snitch-based system and that really we’re looking out for everybody within the company, everybody’s livelihood, so everybody as they work together is trying to keep the whole company solvent and together as a team.
Make sure you have a security POC, it’s very important, that tracks all the training. Make sure people are current and up to speed, and make it recurring training; it should be, like I said, on a frequency established by your company. Become familiar with the CMMC in general.
Know the levels one, two, three, four and five. If you go on the Internet, there is information everywhere on CMMC. It doesn’t necessarily break it down like this blog, in terms of going through each of the 17 domains like we’re gonna do for you over the next 16 episodes, but you will get a lot of information that will help you get ready to be CMMC certified. Become familiar with NIST, particularly 800-171 and 800-53, because those are where the controls are pulled from, and you will eventually need to comply with those controls if you go all the way to level 5, which is difficult and challenging to do.
So I appreciate you taking the time today to listen to this vlog, to learn a little bit more about CMMC, to learn a little bit more about AT – awareness and training, one of the 17 domains and in the upcoming vlogs we will cover the remaining 16 domains and hopefully by the end of that you will all be prepared and ready to go and move forward to get CMMC certified.
So thank you. Again, my name is Bob Hanley, Sabre Systems, and I’m very happy to have shared this information with you today.