Welcome to part 10 of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems and today we will continue our discussion of the 17 CMMC domains as we help you in your efforts to be CMMC ready. If you remember, we discussed physical protection last week. Today, we will discuss risk management, or RM for short. Remember, CMMC is about protecting controlled unclassified information (CUI), which includes lim-dis and FOUO – limited distribution and for official use only.
So, where are we in this journey through the CMMC domains? Let me catch everybody up, especially if you’re new to this vlog. We’ve already reviewed nine domains: awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection and recovery. If you missed any, please go back and take a look at the vlogs that were previously posted to get caught up. All these domains connect and relate to each other; they are complementary, so as we move on it’s important to think in those terms and build an overall understanding of each domain within that context.
As a refresher, CMMC (Cybersecurity Maturity Model Certification) has five levels, with five being the most stringent. Contractors and subcontractors will all need to have a minimum of level one, but prime contractors will need a minimum of level three. There will be some contracts that award bonus points for being CMMC level 4 or level 5, so don’t forget those. For now, though, we are concentrating on getting you to level 3 certification.
RM has three level 2, three level 3, four level 4 and two level 5 requirements, but, as I just stated, today we’re only going to focus on the level 2 and level 3 requirements. RM, as the name suggests, is targeted at managing security risks. This means conducting periodic risk assessments and fixing any vulnerabilities you uncover. Cyber-attacks and their consequences are an enterprise-wide risk management issue. Cyber-attacks can impact any part of your organization. Attacks can be targeted or general (what we refer to as “fire for effect”) and can range in impact from a minor disruption to a ransomware attack that can bankrupt an organization and lead to the theft of your most critical intellectual property. Don’t let that happen to you. It is critical that an organization identifies and manages these risks.
So, let’s first take a look at the three level 2 requirements. The first requirement is focused on periodically assessing the risks to an organization and its operations resulting from organizational systems and the associated processing, storage or transmission of CUI. This includes risks to your mission, functions, image or reputation. First, assess the risk involved with storing your CUI. You might consider storing that information with a cloud provider; consider the pros and cons of that option. I, personally, recommend cloud migration to many of our customers and organizations.
The second requirement is focused on scanning for vulnerabilities in organizational systems and applications periodically, or whenever new vulnerabilities affecting those systems and applications are identified. Use a vulnerability scanner to test all the assets connected to your network. Perform vulnerability scans to look for errors in your software that may provide ways for hackers to get into your network and do harm. Remember to always keep your software up to date. The scan will provide you a prioritized list of vulnerabilities that you can use to begin mitigating those risks. Since the scan is comprehensive it may take quite a bit of time, so you should schedule it to run during off hours. You should also make sure that your vulnerability scanner application gets updated on a regular basis.
The last level 2 requirement is about remediating vulnerabilities in accordance with risk assessments. You are going to start seeing a little bit of redundancy between the level 2 and level 3 requirements as I continue through them. So, you will need to look for weaknesses in your software that may provide ways for hackers to get into your network and do harm. You may have just heard me say that on the previous requirement; that is the continuity across the domains. Vulnerability scans are one way to look for vulnerabilities, and we will also talk about these scans in the level 3 requirements. You should perform vulnerability scans to try to find weaknesses, then review the vulnerabilities and determine how they will affect your organization. Create a prioritized list of the vulnerabilities you should fix, fix them, and record a completion date and time for each item. Each item you have to fix must be documented along with the reason, and you need to continuously monitor these vulnerabilities.
Now, let’s move on to the level 3 requirements. The first requirement is about periodically performing risk assessments to identify and prioritize risks according to defined risk categories, risk sources and risk measurement criteria. This practice expands upon the level 2 requirements I just talked about and requires that defined risk categories, identified sources of risk and specific risk measurement criteria are included in the risk assessment. These risk assessments should be performed periodically to identify potential risks and mitigate the recurrence of an incident.
The second level 3 requirement is about developing and implementing risk mitigation plans. Organizations should not only be aware of their organizational risks, but also have a risk management plan for responding to them when they occur. Risk mitigation plans should include how the vulnerability or threat will be reduced, the actions that will limit risk exposure, the controls to be implemented, the staff responsible for the mitigation plan, the resources required for the plan, the implementation specifics (who, when, where, why, how) and how the plan’s implementation will be measured and tracked.
The last level 3 requirement is about managing non-vendor-supported products, often referred to as “end of life”. Many of us own IT that is outdated and no longer supported by the manufacturer – the iPhone 1 and 2, for example. You’re not going to get software updates from Apple, but people still use these phones, which still work even though they are analog and not digital. So, sometimes it is necessary to continue using end-of-life technologies beyond the support offered by the vendor, even though the vendor no longer provides software updates. These systems present a risk to your network, yet they may be required to meet business objectives, so you may continue to use them. Since such a system is old, no longer supported by the vendor and/or cannot meet this new cybersecurity requirement, you may need to isolate it from the rest of your network even though you continue to use it. To mitigate the risk of these end-of-life technologies, you must manage these unsupported products separately.
So those are the six requirements for risk management (RM) for levels two and three. Hopefully, you are beginning to perform a self-assessment of your organization to determine if you have gaps in meeting these requirements. If you do, begin to close those gaps so that you are prepared for CMMC implementation.
Things that you should do: fund your program and become familiar with CMMC in general and with NIST SP 800-171 and 800-53. In our next review, we will go on to the next domain and bring you closer and closer to understanding all the CMMC domains and their implementation requirements. Until then, thank you. This is Bob Hanley from Sabre Systems; make sure you do your gap analysis and become CMMC ready. Thank you and have a great day.