Category: CMMC

  • Cybercriminals Target Small Companies to Breach Defense Industrial Base (DIB) Supply Chain


    In today’s increasingly interconnected digital landscape, cybercriminals are leveraging smaller, often less-secure companies to infiltrate larger targets, particularly within the U.S. Defense Industrial Base (DIB). These attackers exploit the weaker cybersecurity measures of smaller businesses to gain initial access and then pivot toward larger, high-value targets in the supply chain.

    The DIB supply chain consists of thousands of organizations, many of which may not see themselves as primary targets. However, this “upstream” threat model shows how even the smallest players can be the starting point for major breaches. These attacks often lead to exfiltration of sensitive data, impacting national security and leaving larger defense contractors vulnerable.

    To mitigate this risk, it is crucial for every company within the DIB—regardless of size—to implement robust cybersecurity measures. The Cybersecurity Maturity Model Certification (CMMC), developed by the Department of Defense (DoD), addresses this need by setting clear cybersecurity standards that all contractors must meet. Through the CMMC, the DoD aims to ensure that every DIB member, from small businesses to major corporations, implements consistent security practices, thereby reducing the attack surface for cybercriminals.

    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also plays a vital role through the Homeland Security Information Network (HSIN) initiative. This program emphasizes collaboration between the public and private sectors, providing resources and guidelines that help companies strengthen their defenses. I highly recommend all senior information officers pay attention to this great feed.

    In summary, every company involved in the DIB must prioritize cybersecurity and adhere to frameworks like the CMMC. By doing so, they not only protect themselves but also contribute to the overall security of the national defense supply chain.

  • How often should I update my NIST800-171 assessment?


    Under the NIST SP 800-171 DoD (Department of Defense) guidelines, companies that handle or store Controlled Unclassified Information (CUI) must perform specific cybersecurity assessments. The Federal Government’s Interim Rule, which took effect on November 30, 2020, mandates that organizations subject to the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 must conduct a Basic Assessment of compliance using their System Security Plans (SSPs).

    This Basic Assessment involves calculating a score based on the 110 security controls found within NIST SP 800-171. Full compliance with all NIST SP 800-171 controls maintains the maximum score of 110, while points are deducted for each unimplemented or partially-implemented control. After completing this assessment, organizations must enter their scores into the Supplier Performance Risk System (SPRS), along with a commitment date to achieve full compliance.

    The crucial aspect of this requirement is the update frequency. All members of the Defense Industrial Base (DIB) subject to DFARS 252.204-7019 and -7020 must update their entries on SPRS at least once every three years. This includes the date of the Basic Assessment, the score, the relevant Commercial and Government Entity (CAGE) codes, and the date by which they expect to achieve the maximum score.

    Therefore, a company must reassess its compliance with NIST SP 800-171 and update its SPRS entry at least every three years. This periodic reassessment is crucial to maintaining eligibility for future contracts involving the exchange of CUI and ensuring adherence to the DoD’s cybersecurity requirements.

    This information was obtained from the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, dated June 24, 2020, as outlined on the website Acquisition.GOV.

    But requirements changed in CMMC 2.0!

    Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, self-assessments for Level 1 (“Foundational”) compliance must be performed annually. This level of compliance does not involve sensitive national security information and is viewed as an opportunity for contractors to develop and strengthen their approach to cybersecurity. The annual self-assessment is intended to identify gaps between a contractor’s current security posture and what is needed to pass the full assessment by a Certified 3rd Party Assessment Organization (C3PAO). This information was obtained from Cuick Trac, a website providing guidance on CMMC self-assessment.

    [Image: CMMC Self-Assessment Guide – Cuick Trac]


    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • Three mistakes companies make in cybersecurity


    Throughout my consulting career, I have had the opportunity to guide numerous companies through challenging situations arising from inadequate cyber maturity. While each case presented its unique challenges, I consistently observed three major mistakes that companies tend to make when approaching cybersecurity. These mistakes, if left unaddressed, can leave organizations vulnerable to significant risks and potential cyber threats. By understanding and rectifying these mistakes, companies can strengthen their cybersecurity posture and mitigate potential damage.

    Mistake 1: Relying Solely on Compliance-Focused Programs

    One common mistake is relying solely on compliance-focused security programs, which prioritize meeting regulatory requirements such as PCI DSS, HIPAA, SOC 2, and ISO 27001. While compliance is important, it alone does not provide comprehensive protection against cyber threats. This approach often leads to a false sense of security and reactive measures that only address known risks and vulnerabilities. In today’s ever-evolving threat landscape, this approach falls short as cybercriminals constantly develop new attack methods. Compliance-focused programs are fragmented and do not adapt well to the changing nature of cyber threats. Organizations need a proactive and comprehensive security strategy that goes beyond compliance to effectively defend against evolving threats.

    Mistake 2: Treating Security as Solely an IT Problem

    Treating cybersecurity as solely an IT problem is another mistake that fails to recognize it as a business risk requiring board-level oversight. Cybersecurity impacts the entire organization and extends beyond technical aspects. Breaches can result in substantial financial losses, reputational damage, and loss of trust. Viewing cybersecurity as solely an IT issue leads to siloed thinking, inadequate investment allocation, and a lack of accountability at the highest levels. It overlooks the importance of cross-functional collaboration, cultural change, and non-technical factors such as employee training, incident response planning, and third-party risk management.

    Mistake 3: Thinking a Penetration Test Implies Security

    A misconception is assuming that conducting a penetration test guarantees complete security. While penetration testing is valuable for identifying vulnerabilities, it does not provide a comprehensive solution on its own. Organizations often rely solely on penetration testing without addressing other critical aspects of cybersecurity. It offers a snapshot of security at a specific time, but cannot account for emerging threats or ongoing changes. Robust security requires a layered approach, including regular assessments, vulnerability management, training, incident response planning, and continuous monitoring. Recognizing the limitations of penetration testing and implementing a comprehensive security program helps protect against evolving threats and enhances overall security.

    To address these challenges, organizations must adopt a holistic approach to cybersecurity. Indeed, I first considered this to be a fourth mistake for the list but see it more as a method. It should be treated as a business problem and an enterprise-wide risk. It also must align with the business objectives of the company. This approach involves integrating regulatory requirements into a broader security strategy and engaging the entire organization, including the board of directors. By recognizing cybersecurity as a strategic concern, organizations can develop a comprehensive and systemic approach that encompasses people, processes, and technology.

    Tracc Development offers cybersecurity consulting services to small businesses. If you are a board member looking for great advice, consider EgonZehnder.



  • What is NIST 800-171 scoring and why do I care?


    Background

    If you have found this, you are looking for NIST 800-171 scoring. If you are, you must have a taste for alphabet soup, so this background is for you…

    New DFARS (Defense Federal Acquisition Regulation Supplement) Interim Rules went into effect in December 2020, forcing defense contractors to adhere to new processes and requirements, and placing greater emphasis on compliance with cybersecurity regulations (namely NIST 800-171).

    Contractors who handle Controlled Unclassified Information (CUI) must now conduct self-assessments of NIST 800-171 compliance status in accordance with NIST 800-171A assessment guidance; score themselves on a subtractive, weighted formula as prescribed by the DoD Assessment Methodology scoring system; and report their scores and expected Plan of Action and Milestones (POAM) completion dates to the government through the Supplier Performance Risk System (SPRS) in order to remain eligible to win new contract awards that involve handling CUI. In addition, the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is now able to mandate more detailed analysis of contractor compliance through Medium and High confidence assessments at the government’s discretion. For Medium and High assessments, DIBCAC personnel may perform detailed reviews of contractor SSPs, or conduct full NIST 800-171A evidence-based assessments of contractor compliance.

    The NIST 800-171 Self-Assessment

    How to score the assessment

    First of all, there are a number of checklists out there that can help you come up with a score for your assessment. Those are extremely helpful in calculating that score. In general the score is derived from the following:

    Your assessment score is built from the 110 security requirements (controls). Each fully implemented requirement is worth one point, so an organization that has implemented all 110 scores the maximum of 110 points. But that’s not all.

    Any controls that are not implemented result in a subtraction of points from the overall score, and since some omissions have a larger impact on security of CUI, a weighting system is used.

    The subtraction of points for the non-implemented requirements is as follows:

    • For any high-level “Basic Security Requirements” with a significant impact on security, non-implementation results in a deduction of five points from the total score of 110.
    • For “Basic Security Requirements” and “Derived Security Requirements” with a more moderate impact on security, non-implementation results in a deduction of three points.
    • For all other “Derived Security Requirements” deemed to have a low impact on security, non-implementation results in a deduction of just one point.

    What do I do with the score?

    Doing the above assessment will result in a score between -203 and 110. Yes, you can get a valid negative score!

    Once you have found your score, you will need to report it to the DoD through the SPRS system. Details can be found here: Supplier Performance Risk System (disa.mil)

    DoD Assessment Methodology scoring system

    Clearly, a self-assessment score can vary based on who is filling it out. Some contracts are extremely sensitive while others may be less sensitive. If you handle sensitive CUI, a self-assessment may not be enough to guarantee that CUI is being protected. This is where your self-assessment may be challenged with requests for supporting evidence.

    3 Levels of confidence scores

    The NIST 800-171 DoD assessment consists of three levels at which compliance is evaluated:

    • At the first level, contractors can conduct basic NIST 800-171 self-assessments of their systems to achieve self-generated “low” confidence scores
    • Assessments at the medium level result in “medium” confidence scores, following a designated DoD official’s evaluation of:
      • A contractor’s NIST 800-171 self-assessment score 
      • Documents provided by the contractor
    • Assessments at the highest level lead to “high” confidence scores, following a designated DoD official’s evaluation of:
      • A contractor’s NIST 800-171 self-assessment score
      • Documents provided by the contractor
      • The security plans provided by the contractor as evidence of NIST 800-171 compliance (This is often termed “over the shoulder” which, to me, means audit)

    #DFARS #NIST800-171 #CUI #SPRS

  • CMMC audit confusion causing panic?


    There is a lot of confusion around CMMC. It is NOT dead…just being reworked. Many contractors have been told that they must “get a CMMC certification”. Well, that isn’t exactly true because there is no certification…yet. However, just because a certification isn’t ready, you aren’t off the hook for putting security controls in place.

    Regardless of marketing, CMMC 2.0 isn’t ready

    The rules for CMMC 2.0 are still being developed. There are no CMMC Certified instructors or auditors. You can’t become a CMMC 2.0 certified…anything yet. If you pay close attention, they are all “provisional” because they haven’t seen, and been tested on, the final rules.

    According to the Cyber AB (the CMMC certification body) the work proceeds. It is clear that the DoD has every intention of augmenting NIST 800-171 with a formal certification process. Also worth noting is that other government bodies may join the DoD and use CMMC as a requirement.

    It is clear that every company should be taking security seriously enough to be putting controls in place. Companies with government contracts should probably be moving security toward NIST 800-171. When a certification becomes available, they will be ready.

    NIST 800-171

    While CMMC isn’t ready, all DoD contract owners should already be compliant with NIST 800-171. This was a requirement back in 2020 and all 110 controls defined in NIST 800-171 should be addressed.

    DIBCAC can require a POAM (Plan of Action and Milestones, basically a plan to resolve any non-compliance with controls) and require a date by which those items will be complete. Often this can be a request for documentation, but it can also be an ‘over the shoulder audit’ to prove the controls are being performed.

    Do I need a CMMC Audit?

    I’ve had clients that are being contacted by their contract managers that they need to complete their “CMMC certification”. I think this is a result of confusion. There is a requirement that a NIST 800-171 self-assessment be performed every three years. I think that CMMC is easier to say than NIST 800-171, so this request is usually a call for the required 3-year self-assessment. (Sometimes this request is driven by the Prime contract holder because they need to keep their sub-contractors compliant)

    What is the SPRS Score?

    The Supplier Performance Risk System score is really a confusing score. The maximum score is 110, representing all 110 controls. Every assessment starts with 110 points, but each control a company doesn’t have in place takes away from that score (-5, -3, -1) based on a weight for each control. Because of the weights, it is very possible that you can have a negative assessment score.

    According to Basic Self-Assessment data, the average score in 2012 is about 56. I believe this is a surprisingly high number. In fact, when the DIBCAC asks for the documentation behind the score, the average drops to -57.75. That shows that it is not enough to report ‘Yes, done’, you need more behind it. (A cynical view of this is that most companies are over-reporting their security position.)

    Reporting a score of 110 is a real mistake unless you are literally perfect! You really aren’t and everyone knows it. If you report 110 points, you are putting a target on your back for an audit.
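    The scoring rule described under “How to score the assessment” above and restated here (start at 110, subtract 5, 3 or 1 for each control not in place, negative totals possible) as an added example that is not part of either post; it also models the gap between a self-reported score and one that survives a request for evidence. The `Requirement` class, the function names and the per-control weights in the sample are assumptions for illustration, not values from the DoD methodology.

```python
"""Added example, not from the post: a small SPRS-style score calculator.
Input is the set of NIST SP 800-171 requirements an assessor looked at; any
requirement not listed is assumed implemented with evidence. Control numbers
come from the post; the weights are constructed for illustration and must be
taken from the DoD Assessment Methodology in real use."""
from dataclasses import dataclass

MAX_SCORE = 110   # one point per requirement, all 110 implemented
MIN_SCORE = -203  # lowest possible score stated in the methodology
WEIGHTS = {5, 3, 1}

@dataclass(frozen=True)
class Requirement:
    control: str            # e.g. "3.5.3"
    weight: int             # deduction if not implemented: 5, 3 or 1
    implemented: bool       # self-reported status
    evidence: bool = False  # artifact that would survive a DIBCAC review

def score(reqs, require_evidence=False):
    """Start at 110 and subtract the weight of every requirement not in place.
    With require_evidence=True, a control claimed as implemented but with
    nothing to show is scored as not implemented (the drop the post describes
    when DIBCAC asks for the documentation behind a score)."""
    total = MAX_SCORE
    for r in reqs:
        if r.weight not in WEIGHTS:
            raise ValueError(f"{r.control}: weight must be 5, 3 or 1")
        if not (r.implemented and (r.evidence or not require_evidence)):
            total -= r.weight
    if not MIN_SCORE <= total <= MAX_SCORE:
        raise ValueError("score outside -203..110: input is not a valid assessment")
    return total

def poam_items(reqs):
    """Unimplemented controls, heaviest deduction first, as a POAM work order."""
    return sorted(((r.control, r.weight) for r in reqs if not r.implemented),
                  key=lambda item: -item[1])

def unsupported_claims(reqs):
    """Controls reported as implemented with no evidence: what an audit will probe."""
    return [r.control for r in reqs if r.implemented and not r.evidence]

# Constructed sample: a contractor with the three most common findings from
# the post (3.13.11, 3.5.3, 3.14.1) plus weak monitoring, partly undocumented.
SAMPLE = [
    Requirement("3.13.11", 5, implemented=True, evidence=False),  # says FIPS, can't show it
    Requirement("3.5.3", 5, implemented=False),                   # MFA not rolled out
    Requirement("3.14.1", 5, implemented=True, evidence=True),    # patch tickets on file
    Requirement("3.11.1", 3, implemented=False),                  # no risk assessment
    Requirement("3.11.2", 5, implemented=True, evidence=False),   # "we scan", no reports
    Requirement("3.3.3", 1, implemented=True, evidence=True),     # log review documented
    Requirement("3.3.5", 1, implemented=False),                   # no alert correlation
]
```

For the sample, `score(SAMPLE)` gives the self-reported 101 while `score(SAMPLE, require_evidence=True)` drops to 91, and `unsupported_claims` lists exactly the two controls an assessor would ask to see.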

    Is a self-assessment valid?

    A self-assessment is certainly valid but it may not be reliable. It is really easy to “fake” the assessment and kick the can down the road. The DoD knows this and CAN audit a contractor to confirm the assessment is valid. This may not seem like a big risk but you can lose your contract and may face criminal charges for making false claims.

    Where are the biggest challenges?

    The DCMA (Defense Contract Management Agency) is the responsible party for DIBCAC assessments. According to the DCMA, these are the most common problems:

    3.13.11 – FIPS-validated cryptography (50% of ‘other than satisfied’ results have this noted)

    3.5.3 – Multifactor Authentication (38% of ‘other than satisfied’ results have this noted)

    3.14.1 – Identify, report and correct system flaws (22% of ‘other than satisfied’ results have this noted)

    Proactive assessments, scans, and reviews – more generally, most contractors don’t play an active role in system security. They are not periodically assessing risks (3.11.1), scanning for vulnerabilities (3.11.2), or monitoring logs and alerts (3.3.3, 3.3.4, 3.3.5).