In our previous blog, we discussed the purpose of Level 2 and the requirements that potential contractors will need to meet to achieve readiness for Level 2. As we build upon Level 2 and progress to Level 3, we will provide *Readiness Notes* to highlight potential roadblocks for achieving Cybersecurity Maturity Model Certification (CMMC) Level 3 readiness.
Purpose of Level 3
Potential contractors’ cybersecurity maturity is measured with five levels in the CMMC model. What is the purpose of Level 3? To protect Controlled Unclassified Information (CUI). This Level requires that the potential contractor establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. Level 3 includes all of the security requirements in NIST SP 800-171 with some additional practices. Additional requirements including incident reporting are found within DFARS clause 252.204-7012.
Defining Process and Practice for Level 3
Each level is broken into two parts: processes and practices. Level 3’s process is managed, and its practice is good cyber hygiene. Each level and the corresponding sets of processes and practices across domains are cumulative. For potential contractors, that means encompassing all the requirements of Level 1, Level 2, and Level 3 before reaching Level 3 readiness.
DFARS clause 252.204-7012 indicates that cyber incidents should be reported within 72 hours of discovery. Potential contractors should have clear instructions and training for all employees on how to appropriately report incidents.
Level 3 Requirements
There are 58 additional requirements between Level 2 and Level 3. The bulk of the added requirements for Level 3 focus on access control, audit and accountability, and system and communications protection. For a potential contractor to progress from Level 2 to Level 3 readiness, it will require process implementations and could include additional resources. The potential contractor should make sure there is ample time to obtain any additional resources needed to be ready to bid on new contracts and achieve CMMC readiness.
Potential contractors must meet each requirement as the grading for the certification is pass/fail. No partial credit is given to potential contractors. CMMC Version 1.0 Appendices identifies 130 requirements within Level 3 (including 72 from Level 2). For perspective, there are 171 total CMMC requirements. Below we have selected requirements where we anticipate pitfalls the potential contractor may face.
1. AC.3.017: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Segregation of duties is not an easy task to implement for many organizations. The potential contractor will need to include controls that ensure user accounts avoid conflicts of interest where security problems could occur. Implementing user access reviews to include inspecting segregation of duties will add an additional mitigating factor to meet this requirement.
2. AC.3.022: Encrypt CUI on mobile devices and mobile computing platforms.
Potential contractors will need to employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices (smartphones and notebook computers). It is especially necessary that potential contractors have solid practices in place for protecting cryptographic keys. This requirement can be quickly implemented, but potential contractors will need to ensure resources have been secured to acquire the needed tools.
3. AU.3.045: Review and update logged events.
Many organizations have implemented event logging. This requirement is specifically looking for potential contractors to periodically re-evaluate which events are logged and which events should be added, modified, or deleted. It is important that this process of re-evaluating event log types is documented by the potential contractor.
4. AU.3.048: Collect audit information (e.g., logs) into one or more central repositories and AU.3.049: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Logging of audit information became a requirement within Level 2; however, Level 3 requires audit logs be maintained in a centralized location or locations. Potential contractors will need to ensure that the central repository has the appropriate infrastructure, protection mechanisms, and capacity level to meet logging requirements.
5. AU.3.050: Limit management of audit logging functionality to a subset of privileged users.
Potential contractors should ensure that individuals with privileged access to a system do not have access to modify the audit records and audit logging capabilities of the system. By restricting this access, it will protect the integrity of the audit logs.
6. SC.3.191: Protect the confidentiality of CUI at rest.
CMMC requirements do not state that data at rest must be encrypted. Although encrypting data at rest is a best practice, further explanation shows that potential contractors may use file share scanning or off-line storage in combination with appropriate physical controls. Potential contractors that choose full disk encryption should ensure there is ample time to obtain resources for implementation.
In this blog series, we will continue discussing each of the two remaining CMMC levels and suggested steps for achieving CMMC readiness.
For more information regarding CMMC readiness, please contract Director of Cyber Intelligence, Kendall Blaylock, at Kendall.firstname.lastname@example.org.
Cybersecurity Maturity Model Certification v1.0 (CMMC v1.0)
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF v1.1)