CMMC Misconceptions
Now more than ever, there is great emphasis on safeguarding government-owned information, especially by contractors working with the Department of Defense. The government has kicked off the Cybersecurity Maturity Model Certification (CMMC) to ensure that contractors abide by the new CUI regulations.
The move does away with the previous, casual “self-assessment” for CUI compliance. Instead, contractors must undergo a rigorous audit by authorized third-party organizations to prove adherence.
Given the rigorous testing standards necessary for a CMMC, you can’t afford any blind spots in your cybersecurity. Read on to discover five of the most common CMMC misconceptions that could ruin your chances.
Emails are Optional in a CUI Network
The first step in creating an efficient CUI enclave is to consider how the users will function inside the network. Consider how your clients will use the network for daily and routine work and remove any limitations and vulnerabilities that might arise. Naturally, an in-scope system should let users handle CUI securely when:
- Exchanging emails with people in external networks
- Video conferencing and screen sharing on internal and external networks
- Browsing the internet
- Editing documents
- Moving and storing files in long-term storage
- Exchanging large files with people on an external network
- Backing up work in progress on local and corporate locations
An excellent enclave should address such functionalities to ensure that users can’t access sensitive data through unauthorized systems. Encrypting emails is essential because it’s the most common communication method. For enclaves that don’t use emails, it’s crucial to let users share CUI safely and securely.
Virtual Desktop Infrastructure Can Serve as a Core Solution
Ordinarily, Virtual Desktop Infrastructure (VDI) is a superb terminal-server-type solution. Virtual desktops allow users to view and manipulate CUI from any machine, but they cannot copy and paste the information to their own computers. A VDI solution lets you work with controlled or sensitive information without having it on your computer.
A VDI is an excellent solution in a civilian setting, but that might not fly if you’re a DoD contractor. To date, the DoD has never taken an official position on VDI’s ability to keep end-user computers out of scope. The department remains mum on the subject despite consistent prodding.
Although VDIs are effective, they violate a series of protocols and SOPs that the military values greatly. The DoD doesn’t allow staff members to access its network remotely. It follows and enforces a strict on-premises network model that’s secured by military-grade encryption. Such systems use VPN access and high-grade firewalls, and are housed in secure facilities.
Switching to VDI solutions would force the military to reconfigure most of these tried and tested security protocols. You can certainly imagine the amount of red tape and resources it would take to institute such sweeping changes.
What are the chances that DoD is likely to bend over backward to accommodate its contractors? Zero. It’s far more convenient, not to mention cheaper to get contractors to conform to the DoD’s infrastructure than the other way around.
It’s Okay to Allow Users Local Admin Rights
While CMMC doesn’t disallow local admin rights, allowing users to modify their computers spells doom during your CMMC compliance test. Numerous CMMC Level 3 practices fail if you enable local admin rights. A high failure rate overburdens your IT department and makes it impossible to maintain level 3 standards.
Granting end users local admin rights causes a host of problems, including:
- Turning off password complexity requirements
- Disabling screen lock timers
- Installation of unauthorized software
- Configuring browsers to allow insecure mobile code such as Flash
- Lifting restrictions on the usage of portable storage devices
- Users disabling antivirus after it repeatedly blocks an infected program they wish to install
- Inability to patch computers because each is running a different software version
- Insecure audit logs
- Ability to disable or modify the firewall
- CUI transmission through unvalidated software versions or unapproved methods
- Unrestricted access to external systems
Allowing local admin rights creates multiple vulnerabilities, which would call for exceptional security measures. In most cases, allowing users to modify their computers is a recipe for disaster.
Automation Wins
Automation is valuable in IT systems, but this is another area where the DoD might want to maintain manual processes. Unlike automation, manual processes let you build evidence of maturity, a core CMMC requirement. Remember, CMMC stands for Cybersecurity Maturity Model Certification – it’s right there in the name.
To ensure CMMC compliance, you should build a solution that captures as much evidence of process maturity as possible. That means hardcoding CMMC compliance into your processes from the get-go instead of a retrofit.
Most contractors start with full technical implementation and migrate users to the solution, then build the processes that perform CMMC compliance.
However, it’s better to start from the opposite direction. Prioritize the processes and manually check the compliance tasks on a small scale. Test and tweak as necessary to ensure the system works seamlessly. You can then build a prototype enclave that accommodates the complex functionalities required for CMMC Level 3. It’s best to have two system administrators test all the mandatory processes for performance.
Some of the processes to start performing from an early stage include:
- Auditing logon events
- Incident reporting and response
- Hardware inventory
- Software inventory and approvals
- Helpdesk procedures
- Onboarding and offboarding
- Vulnerability scanning
Assuming Only the Server is In Scope
While contractors who prefer end-to-end email or file solutions think only the encrypted pathway is in scope, the DoD disagrees. While there’s no official definition of CMMC scope, DFARS 7012 offers great insight. It says that a contractor is required to provide adequate security for all covered contractor information systems.
In other words, it’s safe to say that the information system refers to more than the server containing the CUI. The DoD leans towards security systems that provide end-to-end protection throughout your entire IT environment. It’s especially important to set logical and physical boundaries since they define the scope of your environment.
Naturally, the in-scope environment should cover the endpoints (devices that enable the user to view CUI) alongside the file server or CUI database. Your design should include backups, antivirus, firewalls, switches, and patching.
Final Thoughts
Any of these misconceptions creates a vulnerability in your cybersecurity and could ruin your chance of passing the CMMC assessment. Given the importance of CUI management, failing your assessment can spell doom for your company.
Rather than take chances and fly in the dark, you should contact a professional service to help you get it right from the get-go.