Welcome to part 11 of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems and today we will continue our discussions on the 17 CMMC domains as we help you in your efforts to be CMMC ready. If you remember, we discussed risk management last week. Today, we’re going to discuss security assessments, or CA for short. Remember, CMMC is about protecting controlled unclassified information, or CUI, which includes LIMDIS and FOUO, or Limited Distribution and For Official Use Only.

So, where are we in our journey through these CMMC domains? You’ve been with me for quite a few weeks now, but let’s catch everybody up. We’ve already reviewed ten domains, if you remember: awareness training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery and risk management. If you have missed any, please go back and take a look at the vlogs we have previously posted to get you caught up. All of these domains connect and relate to each other; they are complementary, so it’s important as we move on to think in those terms of how they connect and to get that overall understanding of these domains within that context.

So, as a refresher, CMMC (Cybersecurity Maturity Model Certification) has five levels, five being the most stringent. Contractors and subcontractors will all need to have a minimum level one, but prime contractors will need a minimum level three. CA has three level 2 and two level 3 requirements. Today, we will discuss both the level two and the level threes.

CA, security assessments, are focused on three main areas – to develop and manage a system security plan, to define and manage controls and to perform code reviews. Let’s look at the three level 2 requirements. The first requirement is focused on developing, documenting and periodically updating system security plans that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or the connections to other systems. The SSP tells all employees how they can meet the organization’s system security goals. The information in the SSP should explain how you should handle your important information. Examples include who can access the important information, where you should store it, how you can transmit it. By defining a clear SSP, you can design and build your network to ensure that it meets the SSP defined goals. Your SSP should outline the organization’s security requirements, the current status of the requirements and your plan to meet the requirements in the future.

The second requirement is focused on periodically assessing the security controls in organizational systems to determine if the controls are effective in their application. You need to ensure that security controls are achieving their objectives and monitor their performance. Perform this review as often as necessary to ensure your organization’s risk planning needs are being met and you comply with any regulations or policies you must follow. When assessing the controls, document what you find. When you find your controls are not meeting your requirements, you should act and make changes. This could include proposing updated or new controls, developing a plan to improve the controls and documenting any new risks that you may find.

The last level two requirement is about developing and implementing plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. You should develop action plans when you discover that your company is not meeting security requirements. Perform a vulnerability scan on your network and this may uncover deficiencies. If you receive notification of a vulnerability that needs fixing, you obviously need to develop a plan to fix it. Your plan should identify the person responsible for fixing it, how they’re going to fix it and when they need to fix it. You must also define how to measure that the person responsible has actually fixed the vulnerability. Document this in your plan of action.

So, let’s move on to the level 3 requirements; there are two. The first requirement is about monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls. Review the requirements in the associated preventative, detective or responsive security controls that you’ve implemented to identify any gaps. Create a plan of action to evaluate each control regularly over the next year. You may mark some controls to be evaluated by a third-party security assessor. Lastly, assign the responsibility to evaluate controls within your IT group to ensure you sustain the effectiveness of the controls. Establish recurring meetings with the IT staff to assess continuous monitoring progress, to review security information, to evaluate risks from gaps in continuous monitoring and to produce reports showing your status to your leadership.

The last level 3 requirement is about employing a security assessment of enterprise software that has been developed for internal use and that has been organizationally defined as an area of risk. You must make sure the code is reviewed so that code mistakes do not result in vulnerabilities. You should have a software engineer who is not part of the development team perform a manual code review to ensure the software meets the standards set by your organization. You need to do this for each software update or iteration. And make sure you prohibit the software from being run on the organization’s network until the code review is complete.

So those are the five requirements for CA for levels 2 and 3. Hopefully you’re beginning to perform a security assessment now. If you are, you are beginning to close those CMMC compliance gaps and getting prepared for CMMC implementation. Good on you. Things you should already be doing: fund your CMMC program, become familiar with CMMC in general and NIST SP 800-171 and 800-53. In our next review, we’re going to discuss CMMC practices for situational awareness, or SA. I look forward to seeing you then. Until then, this is Bob Hanley from Sabre Systems signing off, and thanks for tuning in to get CMMC ready. Thanks and have a great day.