Blog

COVID-19 and the CMMC Timeline

COVID-19 has impacted every angle of our society and how the DIB gets ready for Cybersecurity Maturity Model Certification (CMMC) is no different. While Katie Arrington has made clear that her task force is staying on mission and going full speed ahead, DIB companies inevitably need to modify their practices and platforms.
 

To get a greater understanding of this question, PreVeil spoke with Gustav Plato of It’s Just Results in Washington DC. It’s Just Results (IJR) is an MSSP focused on guiding companies on how to improve their security maturity and achieve compliance with various regulatory frameworks. Our conversation has been edited for clarity and brevity.
 

 
PreVeil: How do you see COVID-19 impacting the IT priorities of DIB companies you’re working with?
 
Gustav Plato: All of the companies we are working with are focused on COVID-19. Everyone is trying to expand their IT from what it was in the office to a remote support environment. And so they need to figure out how to reassess their corporate security posture to focus on securing their remote workers.

Everyone is trying to expand their IT from what it was in the office to
a remote support environment.

Their tool base and tech all have to be rethought and architected. This is particularly true for things like access control. You need a much higher granularity there so you know who has access to what. And this level of granularity needs to be focused not just on users but also devices, applications, and locations as well.
 
PreVeil: So, access control is clearly a big deal during this time – even more so when it comes to CMMC. In a corporate environment, you are able to enforce requirements like AC.2.007 that says ‘Employ the principle of least privilege, including for specific security functions and privileged accounts’. However, in a home environment, wouldn’t it be really challenging?
 
Gustav: Companies need to first think through the protection of FCI and critical CUI data. So, they are asking numerous questions such as do employee laptops need to access controlled data. Who are the users of the technologies? At what time of day are they accessing information? And who is monitoring those behaviors? Are there permissions and are they being followed? Where is that data I’m trying to protect and how much am I going to invest in protecting it?
 
Companies also need to create a checklist that identifies things employees need to do in order to protect access control. This can be simple things like creating a separate physical space to work in – separate from the rest of their family. They also might want to create a separate segment on home network that can only be accessed by your devices.
 
For limiting access, companies should also limit the logical access in addition to physical access. They also need to ensure policies can’t be changed.
 
When it comes to protecting CUI, this is more challenging. Fortunately, there are all sorts of tools and technologies out there to limit access. In the case of CUI, we ask clients to store data in platforms like PreVeil with end-to-end encryption in order to cordon off data so that it can be centrally managed and protected.
 

Learn more about what the DoD’s new CMMC requirements mean for contractors.
Download our whitepaper


PreVeil: A few weeks ago, the NSA released guidelines for telework that prioritizes the use of end-to-end encryption and MFA for collaboration tools such as email and file sharing. What do you think about this? Does it impact the recommendations you would provide to your clients?
 
Gustav: We are regularly reviewing the latest research and recommendations from a wide variety of sources. The security stories continue to evolve and you have to make the best decisions you can and understand the stories are never fully complete, but continuously evolving.
 
Clients must look at their policies and processes and make sure they adapt to changing threats. Tools should be under regular review and action. Look at the recent exposure of Zoom and their subsequently working to correct the deficiencies identified in their collaboration suite.
 
That is why we stress situation awareness (see CMMC SA.3.169 as one example, there are many more in CMMC). The tools need to be examined and determinations made if they still hold up to the firm’s security requirements.
 
PreVeil: Remote working adds on additional CMMC practices. What language or documentation are you providing your customers on how to understand these changes and how to comply with them?
 
Gustav: To give you some perspective, Corona’s impact has caused a great shift to working-from-home in the government and private sector. Usually around 25% of government employees and 40% of enterprise workers work-from-home and now those numbers have grown precipitously.

Usually around 25% of government employees and 40% of enterprise workers work-from-home and now those numbers have grown precipitously.

So, we have been providing customers with documentation on how to understand changes that need to happen when working from home. Part of this is encouraging companies to move away from BYOD to using corporate devices.
 
For really small companies where corporate devices wouldn’t work, we try to help leadership establish protocols around using remote monitoring tools, antivirus, and malware, and having employees use encrypted devices. We also have them walk each user through the process of setting all this up including setting up a non-administrative account of that computer and only use that non-administrative account when using the computer. We also have heard that there are procurements that may prevent companies from using any BYOD approach. Again, corporate devices are the best approach.
 
PreVeil: What guidelines and guidance are you offering to your clients around things like log monitoring or identification controls?
 
Gustav: We are telling our clients that to ensure a secure work from home environment the home environment needs to have the security look and feel of the office.
 
We highlight the need to look at physical security. We ask them to look at what assets they have in a home environment? How will they secure these assets? This can include storing paper documents they are using in the home office.
 
They need to look at home internet connections and home networks and need to ask who has access and how design home network. In addition, we recommend having an office VPN that will encrypt communications and that logs can be monitored with a SIEM solution. And they cannot forget the devices themselves. If they are using a work laptop at home, it’s easier to manage the device. It gets a lot more challenging when you start using your personal computer.

If they are using a work laptop at home, it’s easier to manage the device. It gets a lot more challenging when you start using your personal computer.

We tell clients to be careful about how they share computers. If someone at home like one of their kids is on their computer and visiting various websites with malicious code, they expose the company to malware.
 
Our recommendation to our clients is to lock down technologies as much as possible in order to minimize risk. We do not have a tolerance for a lot of risk at It’s Just Results. So, we tell our clients to minimize risk as well.
 
PreVeil: Is cybersecurity being taken more seriously now with everyone working from home?
 
Gustav: We have always told companies to take security seriously by doing things such as locking down their employees’ devices. It’s an important part of security and as we know, cybersecurity is the gateway for government procurement.
 
Four or five years ago, no one was that interested in discussing cybersecurity over culture. Everyone wanted a very collaborative environment. For clients today, it’s all about security first. COVID-19 just pushed companies to think more about collaborative computing and how do we protect our applications.
 
PreVeil: Do you think all 5 levels of CMMC will be impacted equally?
 
Gustav: I don’t think the writing up of processes, which is a big part of the levels beyond level one, is going to be effected all that much.
 
First, if you look at Level 1, there aren’t any additional processes that need to be implemented there. It’s 17 basic security practices. So no one will feel much of an impact there.
 
I believe that Level 3 is a really good target for companies. Getting to level 3 maturity in CMMC is a good target goal for most companies wanting a good security program. For companies we’ve been working with, we have always focused on the requirements of DFARS and NIST SP 800-171 so most of them already have it under control. Any POAM they have will be pretty small from a practice/controls perspective to move from NIST 800-171 to full compliance with CMMC Level 3.

Getting to level 3 maturity in CMMC is an good target goal for most companies wanting a good security program.

My overall feeling is that it won’t be too much of a hurdle so long as clients don’t put it off.
 
But looking at level 4 and level 5, the work there is proportional to size of the company. Most likely it will be the larger companies or companies that have a higher mission requirement.
 
In the end, writing up process descriptions is an organizational-wide responsibility. Being able to do that, is not impacted by COVID-19. It can even be done remotely.
 
PreVeil: Getting on the cloud is a big part of CMMC work. How are you explaining risk or advantages of cloud at a time like this?
 
Gustav: The companies we work with are primarily already on cloud. They moved from on-prem to cloud a while ago. With cloud, we suggest our clients to take advantage of cloud service providers and the work they already do to be audited. If a company is using Azure or AWS, we tell them to look at the compliance requirements of those services and look at what kind of audit reports are available. It is a shared responsibility model.
 
Look at what type of audit reports are available such as SOC-2 and FED RAMP or ISO 27000. These will give you a sense of how they need to attest to security on their end.
 
But it’s important for companies to recognize that just because they are on the cloud or looking at cloud, it doesn’t mean they don’t need their own practices in place. The client also has actions they need to take to complement existing controls. The client needs to make sure they understand these controls and can put them into their own language and follow them.
 
With a company like PreVeil, you are able to take advantage of what the company has invested in security and that always strengthen the company that’s using the service.
 
PreVeil:Eventually, we’ll move past COVID-19. How can DIB companies use this time effectively?
 
Gustav: Many companies are thinking about COVID-19 so it provides an opportunity for companies to consider their security policies and bring them up to date. Do we have processes we need to have? Is our security architecture what it needs to be?

[B]ecause companies are thinking about COVID-19, it’s a great time to consider your security policies and bring them up to date

In times of crisis, like this, it is important to take stock and to rethink their security and how employees access data. Are they flexible enough and secure enough? And that’s a big question that companies can and should focus on.
 
PreVeil: Gustav, thank you for speaking to us. We appreciate your time.
 
Gustav: Thank you.

Learn more about how PreVeil can facilitate your compliance with CMMC. Download our whitepaper!

Download Whitepaper