How to Prepare for CMMC 2.0

How to Prepare for CMMC 2.0

In 2020 the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) to enforce the protection of sensitive unclassified information that’s shared with DoD contractors and subcontractors. However, in 2021 DoD reviewed the CMMC framework and overhauled it after input from industry leaders. After completing the overhaul, CMMC 2.0 was announced and is the current version of CMMC that will apply to all contractors and subcontractors of the Defense Industrial Base (DIB) that handle sensitive unclassified information in their work for the DoD once the rulemaking phase is complete.

When people talk about CMMC, they’re usually referring to the Level 2 certification that requires an assessment by a Certified Third Party Assessment Organization (C3PAO). CMMC Level 2 is based on NIST SP 800-171, which encapsulates the basic security requirements of FAR 52.204-21 that make up Level 1 and provides its own security controls derived from those basic security requirements. CMMC Level 3 is based on NIST SP 800-172 but is out of scope for most organizations and is not a subject for discussion in this article. CMMC Level 2 has 110 practices that an organization must implement. While that can sound like a heavy lift, current DoD contractors may already be legally required to implement these practices even before CMMC. CMMC is an enforcement mechanism for security practices already required under federal law. Many DoD contracts already require the implementation of NIST SP 800-171 under DFARS 252.204-7012. CMMC attempts to verify that these practices are being implemented through third party assessments. If you are a DoD contractor with contracts subject to DFARS 7012, 7019, or 7020 you should be implementing these CMMC practices already. If you’re not already implementing the 110 practices outlined by NIST SP 800-171, the time to implement them isn’t when CMMC begins to show up in solicitations– its now, whether to prepare for the inevitable rollout of CMMC or to bring your organization in line with the commitments its made under DFARS 7012.

As you prepare for CMMC, it is important to determine what Level certification you will likely require and what information is in scope of CMMC. CMMC Level 1 revolves around Federal Contract Information (FCI), while CMMC Level 2 revolves around Controlled Unclassified Information. The Defense Counterintelligence and Security Agency (DCSA) has a good FAQ discussing FCI and CUI and how they differ from one another. In short, FCI is “information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.” And CUI is unclassified information that may still require “safeguarding and may also be subject to dissemination controls.” Once you’ve determined what information you currently process and what information you’re likely to process in future contracts, you can prepare for the correct level of CMMC. To begin, you’ll want to map what information is within the scope of CUI and FCI and where within your organization that information is stored and processed. CMMC does not require that all controls apply to the entire organization, just the enclave in which CUI and FCI are stored or processed. For smaller organizations this is likely irrelevant as it will be negligible to implement the appropriate CMMC practices across the entire organization versus the subset within the scope of CMMC, but for larger organizations making sure the in-scope information is only found within the necessary enclave can significantly reduce the burden of CMMC.

Once you’ve assessed where CUI and FCI are stored or processed and potentially contained within an enclave in your organization, you should begin a gap assessment to determine what controls to implement in order to satisfy the appropriate practices for your organization’s Level of CMMC. Level 1 maps to FAR 52.204-21, while Level 2 maps to NIST SP 800-171 rev 2. Both are publicly available, but DoD has provided a CMMC Assessment Guide for each Level. Each CMMC Assessment Guide gives additional discussion and considerations that are useful when considering your current controls and when implementing new controls to meet the required CMMC practices. If you are a contractor currently subject to DFARS 7019, you are required to conduct self assessments against NIST SP 800-171 and submit your score to the Supplier Performance Risk System (SPRS). In this case, you may not need to conduct an additional gap assessment as you should already understand where your organization’s shortcomings are if you’ve taken these statutory and contractual requirements seriously. 

When conducting an SPRS self-assessment, you start with a score of 110 and can go down to -203 as you subtract points for missing or insufficient controls. Each practice is worth either 1, 3, or 5 points, and there is no partial credit except for two of the 5-point practices. While we are still in the final rulemaking phase of CMMC 2.0, and some minor details could change, it’s important to note that it’s currently being discussed that to receive your CMMC certification, you’ll need to have met 80% of the practices and have met all of the 5 points SPRS practices. If you fail to meet 80% of those practices along with all the 5-point SPRS practices for your CMMC Level, you will not be able to achieve your certification even with the appropriate POAMs (Plan of Action and Milestones). Once you have completed a gap or self-assessment, you should begin working on completing the Security System Plan (SSP) and a Plan of Action and Milestones. Having those documents prepared and continuously updating them as you implement more controls to meet the practices required by the Level of certification you want or need to achieve will ensure your organization is not scrambling when CMMC requirements begin to appear in DoD contracts after the final rulemaking phase has ended.

Curious if CMMC is the right path for your business? Or could you use some assistance preparing for your CMMC Certification? Either way, CyberData Pros provides you with the guidance to prepare and achieve certification. We maintain a 100% audit success rate! Contact us now for a free consultation and to learn more about our services.

read more

What is an IRC? Why is it Important?

When people think about what factors are most influential in determining the effectiveness of an information security system, typically the first items that come to mind are technologies, policies, and controls. Often overlooked is one of, if not the most critical components of the system – its leadership. Of course secure tech and methods are vital components of the system too, but their effectiveness can be rendered null if leadership is unable to establish, enforce, maintain, and overall direct their usage. 

Effective leadership, however, is a challenge in and of itself; it’s not as simple as hiring a competent c-suite. As talented as a CISO or CPO might be, no one person can be expected to fully understand the culture, processes, and concerns of every individual department of an organization. Imagine if a president was required to understand first-hand all those factors for each government department before making a decision – by the time they could even get close to a full understanding their information on older departments would become outdated and they’d probably be past their term limit anyway; no decision could ever be made. The problem is that those aforementioned factors are instrumental in determining the true effectiveness of these decisions, and thus cannot be ignored in strong leadership. So, barring omniscience on the CISO/CPOs’ end, upper leadership is going to need advice and influence from department representatives, and that’s where the Information Risk Council comes in.

Now if the term Information Risk Council (or IRC, for short) is unfamiliar, there’s no need to worry. The group often goes by different names at different organizations: Department GRC Committee, Risk Management Council, Risk Governance Committee, and likewise are all names you might encounter instead. What is crucial is not the name but the concept behind it, which is defined in the group’s composition and concerns. In essence the IRC (or its alternate names) is a group of senior infosec leadership and department representatives that focuses on composing, ratifying, and implementing security policies, controls, and initiatives throughout the organization. To better understand the council’s purpose, however, it’s best to go into some detail on the composition and concerns themselves.

  • Composition: The major benefit of the IRC lies in granting the executive security/privacy owners in the company a deeper understanding and a wider perspective of the company’s state and needs, and by grouping in representatives (or heads) of every department, that purpose can be fulfilled. Department representatives should be able to collect and report on their specific department’s state and needs and thus provide valuable insight when decisions are made, affecting, or informed by that department. 
  • Concerns: With a general objective in place to provide a cross-departmental informed direction for the information security program, the IRC often takes on a number of duties/tasks in its operation. As a standard these tasks generally include quarterly meetings to discuss the state/direction of the program, a designated policy/assessment review and approval procedure, risk management discussions and reports, and incident handling/response. Of course additional roles may come into play as the organization’s needs change, but these basic responsibilities will cover the base needs of most effective IRC initiatives and do so more decisively than a CPO/CISO could by taking those same tasks on alone.

Altogether, taking the two fundamental considerations above as frameworks makes a strong starting point for an efficacious IRC. The benefits a team like that can bring to an infosec program often impresses clients who implement them as they’re usually multifaceted. Not only does the improved perspective help with the direction of change, but it also typically makes departments feel heard and more accepting of said change, which can encourage new policies to be acted upon in practice rather than just in writing. No need to just read up on the benefits though- try forming a team at your organization and see for yourself. In almost every implementation the barrier of entry is low and the opportunity for improvement is high.

Could your business use help implementing an IRC? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros have assisted many committees from inception to maturity and can walk your organization’s to that same state. Contact us now for a free consultation and to learn more about our services.

read more

2023 Data Privacy State Laws Series: CTDPA

The next data privacy law coming into effect this year will be the Connecticut Data Privacy Act (CTDPA). The CTDPA  comes into effect on July 1st, 2023, with enforcement beginning on the same day. Like the remaining data privacy laws that we’ll discuss, CTDPA was largely modeled after the Virginia Consumer Data Protection Act (VCDPA) with influences from the California Privacy Rights Act (CPRA). However, the cure provision that allows organizations the opportunity to cure a violation before the Attorney General takes action will end on December 31st, 2024.

The guiding influence of VCDPA on the creation of CTDPA is apparent when you look at the privacy rights protected by CDPA. CDPA protects a consumer’s right to access, right to data portability, right to delete, right of rectification, right to opt-out of sale, right to opt-out of profiling, and the right to opt-out of targeted advertising. However, unlike CPRA, CTDPA does not protect the right to opt out of automated decision-making. This means if you do not opt out of profiling an organization can make choices based on that profile without human input. An area where CTDPA has superior consumer privacy protections over CPRA is with processing sensitive personal data. CTDPA requires opt-in for data processors to process a consumer’s sensitive personal data, whereas CPRA allows consumers to opt-out. Sensitive personal data for CTDPA is defined as “personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”

Much like CPRA and VCDPA, CTDPA will require data protection assessments under certain circumstances. Fortunately, CTDPA states that if a data controller conducts a data protection assessment for the purpose of complying with a similar regulation, that assessment will satisfy the CTDPA requirements as long as it is similar in scope and effect. Therefore, conducting a thorough data protection assessment is critical as it will eliminate the need for redundant assessments. Additionally, it would be advisable for any organization subject to CTDPA to conduct a privacy impact assessment. A PIA assesses how an organization handles personal data and will tell whether the organization will be in compliance with new state data privacy laws or not.

read more

Data Privacy State Laws Series: What 2023 Means for CPRA

Next up in our 2023 data privacy laws series is the California Privacy Rights Act or CPRA. CPRA amends the California Consumer Privacy Act (CCPA) to add protection for consumers. It was passed as a ballot initiative in November 2020 and took effect on January 1st, 2023. Enforcement is said to begin on July 1st of this year, but recent modifications to the draft regulations show that there may be some flexibility with early enforcement. The California Consumer Privacy Agency (CPPA), the body responsible for enforcing the CPRA, may take into account the time between the publication of the final regulations and the enforcement date, as well as “good faith efforts to comply with those requirements.”

California previously had a recent data privacy law known as CCPA, but CPRA expands the volume of data that falls within its scope. CPRA also expanded upon the data privacy rights that were in the CCPA. In addition to the right to know, the right to access, the right to deletion, the right to portability, and the right to opt-out of sale, CPRA will add the right to rectification and the right to opt-out of targeted advertising. A change that may catch some off-guard is that CPRA clarifies that a cookie banner is not an acceptable mechanism for handling opt-out requests for targeted advertising or data sales. Other meaningful changes made by CPRA are the significantly increased fines for data breaches of children’s data and breach liability for disclosure of credentials that could compromise a consumer’s account.

An addendum that CPRA brings to California’s data privacy landscape is the creation of a new privacy regulator in the California Privacy Protection Agency (CPPA). The CPPA will begin enforcement on July 1st and the sole mission will be to protect consumer privacy in accordance with California data privacy laws. However, they will have the additional charge of preparing new rules and regulations in the consumer data privacy space. The CPPA will be a well-funded and well-resourced agency for enforcing data privacy laws while taking some of the burdens off the office of the California Attorney General.

Comparatively, this means that CPRA will likely be the most comprehensive data privacy law in the US and will have teeth to back it up. Businesses that are subject to CPRA should already be preparing for enforcement to begin. An essential part of preparing for CPRA should be creating a data map and understanding what data you actually process. From there, you should conduct a gap analysis to find where to make changes to comply with CPRA data privacy mandates. Those subject to CCPA should already be familiar with the ability to opt out of the sale of personal information; However, they should now prepare to provide the ability to opt out of targeted advertising by sharing personal information with third parties. While it can be a heavy lift getting compliant with CPRA, doing so should bring businesses in compliance with other state data privacy laws and will be a solid foundation for future state or national data privacy laws.

read more