The future of CMMC will evolve to address SCRM, so it is necessary to address a path forward.

The following recommendations are designed to:

- Evolve CMMC from a DoD-centric model to an approach that is “all government” applicable;

- Learn from the successes and mistakes of CMMC; and

- Leverage industry-recognized practices.

metaSCRM - Path From CMMC To SCRM

Recommendations:

  • Develop an “all government approach” that is global and scalable to include all US Federal Agencies and the Department of Defense (DoD):

    • Appoint Department of Homeland Security (DHS) as the agency to oversee Cybersecurity - Supply Chain Risk Management (C-SCRM).

    • Assign operational authority to run the C-SCRM program with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA).

    • Develop a C-SCRM program that focuses on “right-sizing” controls to help ensure secure and resilient practices both internal to contractors, as well as those organizations that make up the contractor’s supply chain through:

      • Secure development practices;

      • Standardized procurement practices;

      • Risk management practices; and

      • System, application and service management practices.

  • Avoid the conceptual trap of a “maturity model” by focusing on (1) the sensitivity of data and (2) the criticality of the systems, applications and services that store, transmit and process that data. The end result allows the government to right-size controls based on FIPS 199 impact levels that correspond with data governance considerations and the organization size:

    • Unregulated Intellectual Property (UIP) – low impact per FIPS 199;

    • Sensitive Personally Identifiable Information (sPII) – low impact per FIPS 199;

    • Federal Contract Information (FCI) – low impact per FIPS 199;

    • Controlled Unclassified Information (CUI) – moderate impact per FIPS 199; and

    • International Traffic in Arms Regulations (ITAR) – moderate or high impact per FIPS 199.

  • Utilize the National Institute of Standards & Technology (NIST) for standards to avoid creating any redundancies (e.g., bespoke CMMC practices & processes):

    • NIST SP 800-53 R5 as the basis for cybersecurity and privacy controls;

    • NIST SP 800-53B R5 that defines the low, moderate, high and privacy baselines;

    • NIST SP 800-161 as the basis for C-SCRM practices;

    • NIST SP 800-171 R2 as applicable for CUI protection (CUI & NFO controls); and

    • NIST SP 800-172 as applicable for high-risk contracts that are designated at a higher risk for Advanced Persistent Threats (APTs).

  • Leverage NIST SP 800-53A R5 assessment criteria as the basis for assessing control implementation, since the other 800-series publications map back to NIST SP 800-53 as the basis for the controls:

    • This is an important way to reduce redundancies and unify the overall assessment process for NIST SP 800-171, CMMC and even NIST SP 800-161; and

    • With NIST SP 800-53B R5, there is now no reason to base controls selection and assessment on anything else, while utilizing controls designated as applicable for CUI and Non-Federal Organization (NFO) controls per NIST SP 800-171.

  • Address the issue where many businesses that make up the Defense Industrial Base (DIB) do not consider themselves to be “defense contractors” by structuring an “all government contractor” awareness program that helps develop a security-minded culture to influence people, process and technology decisions, since:

    • Many of these DIB / government contractors are outside of other statutory, regulatory and contractual obligations for cybersecurity or data protection, since they do not operate in a regulated industry; and

    • Without security and data protection being an influencer for business decisions, cost is generally the determining factor, and that leads to insecure and non-compliant practices.

  • The current methodology proposed by the DoD PMO is “compliance over security,” which is a losing proposition:

    • Other compliance obligations, such as FedRAMP, RMF, PCI DSS, etc., allow for compensating controls via a Plan of Action & Milestones (POA&M) process to track and remediate risks;

    • CMMC explicitly prohibits any form of compensating control, which equates to a 100% pass or 100% fail;

    • No acknowledgement of POA&Ms means not acknowledging the System Development Life Cycle (SDLC), and that ignores the cyclical nature of risk methodologies (e.g., the Risk Management Framework (RMF)) where compliance should “shadow” the SDLC; and

    • Within CMMC, there is no technical solution that allows Operational Technology (OT) used in manufacturing to pass 100% of controls, due to the technical limitations of OT. This will lead nearly all manufacturing / machine shops to fail CMMC.

  • Establish a formal Certification & Accreditation Program (CAP) for C-SCRM that is properly funded and staffed by a quasi-government organization (e.g., MITRE, etc.):

    • Similar to DITSCAP, DIACAP and RMF, there could be three ways to identify the confidence point for a CMMC assessment:

      • Authority To Contract (ATC)

        • Contractor successfully demonstrated conformity with necessary controls.

      • Interim Authority To Contract (IATC)

        • Contractor failed to successfully demonstrate conformity with necessary controls, but the combined deficiencies do not represent a material risk to the contractor’s cybersecurity program;

        • Define a minimally-acceptable Supplier Performance Risk System (SPRS) score for an IATC;

        • Provide a 180- or 365-day grace period to allow the contractor to “move the needle” and remediate the deficiencies, allowing flexibility in applying compensating controls without disrupting the supply chain; and

        • Require re-evaluation of the corrected controls by a Certified Third-Party Assessment Organization (C3PAO); or

      • Denied Authority To Contract (DATC)

        • Contractor failed to successfully demonstrate conformity with necessary controls; and

        • The combined deficiencies represent a material risk to the contractor’s cybersecurity program.

  • A hierarchical approach to working with the global supply chain, where the SCRM-AB is the root Accreditation Body (AB) that has dedicated teams (or even subordinate, geo-specific ABs) to support well-established geographies that encourage the involvement of allied, pro-western governments:

    • US (US-based organizations);

    • Americas (non-US north, central & south America);

    • Asia Pacific (APAC); and

    • Europe, Middle East & Africa (EMEA).

  • Disband the current CMMC-AB via cancelling its contract with the DoD.

    • Per the current contract between the CMMC-AB and DoD, since the DoD owns the content of the CMMC-AB, the SCRM-AB can take the lessons learned from what did & did not work from the CMMC-AB, including a list of its certified practitioners, C3PAOs, etc.

  • In order to avoid any conflict of interest with the People’s Republic of China (PRC) for its current leadership role of the International Accreditation Forum (IAF) for ISO-based assessments, the SCRM-AB must develop a process that is based on industry-recognized practices, but does not require formal certification via ISO 17020.

    • The C-SCRM program cannot have any direct or indirect foreign oversight, especially by hostile nations.

  • Develop a risk-based program to utilize US and foreign-owned organizations to serve as assessors for the CAP:

    • Lower-risk assessments can be performed by US or foreign-owned C3PAOs and assessors; but

    • Higher-risk assessments must be performed by US-owned C3PAOs and US-citizen assessors.

  • Avoid misguided certification schemes that increase the cost of certification with no additional benefit:

    • Leverage existing certification requirements (e.g., DoDI 8570) to determine what industry certifications are appropriate to determine competence for SCRM-specific roles; and

    • Allow the free market to provide training and education, based on published standards.

  • Leverage the following publications to help determine geography-based risk:

    • United States Trade Representative’s (USTR) Special 301 Report:

      • Watch List (moderate risk); and

      • Priority Watch List (high risk);

    • USTR Notorious Markets List (NML) (moderate risk); and

    • State Department’s designated state sponsor of terrorism list.

  • SCRM assessments should use a risk-based structure with two forms of assessment:

    • First Party Declaration (1PD) (internal assessment) – acceptable for low-risk contracts, when an attestation of compliance is acceptable; and

    • Third-Party Audit, Inspection & Attestation (3AIA) (external assessment) – used for higher-risk contracts, where a C3PAO would perform the assessment.

  • NIST SP 2000-01 does not mention the words “fail” or “pass,” since conformity assessments are designed to assure that a particular product, service, or system meets a given level of quality or safety. Instead of CMMC’s 100% pass criteria, conformity assessments rely on a “confidence point” that determines a risk-based threshold to establish if the intent of the objective(s) has been achieved:

    • Utilize compensating controls through the established POA&M concept;

    • Develop a risk-based approach to identify a “materiality threshold” for what constitutes unacceptable risk;

    • Hold contractors accountable for remediating deficiencies; and

    • Implement a scalable approach for POA&M submissions to be approved and tracked by DHS/CISA.

  • Specific to SCRM, a “material weakness” would be defined as a deficiency (e.g., a control failure), or a combination of deficiencies, in an organization’s security controls where it is probable that reasonable threats to regulated data (FCI/CUI) will not be prevented or detected in a timely manner:

    • Leverage the DoD Assessment Model (DAM) to identify high, moderate and low-risk controls;

    • A deficiency in a high-risk control would be a material weakness of the organization’s SCRM practices, since its overall capabilities would be significantly impacted;

    • A deficiency in a low or moderate-risk control would not by itself materially impact the integrity of the organization’s SCRM program; and

    • Within the same domain of controls, more than [to be determined #] deficiencies in low or moderate-risk controls would combine to become a material weakness of the organization’s SCRM program.
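The confidence-point outcomes (ATC / IATC / DATC) and the material-weakness rule above together form a small decision procedure, and writing it out makes the interplay between per-control risk weighting, the per-domain threshold and the SPRS floor concrete. The following Python is an added example written for this page; it is not part of the metaSCRM proposal, CMMC, DAM or any government tooling. The per-domain deficiency threshold and the minimum SPRS score are placeholders for values the proposal leaves “to be determined”, treating an SPRS score below that floor as a DATC outcome is an assumption, and the control identifiers, domains and risk weightings in the sample assessment are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Placeholders for values the proposal leaves "to be determined" (assumed here).
LOW_MOD_DEFICIENCY_THRESHOLD = 3  # per control domain; more than this many -> material weakness
MIN_SPRS_SCORE_FOR_IATC = 70      # assumed minimally-acceptable SPRS score for an IATC
GRACE_PERIODS_DAYS = (180, 365)   # the two grace periods the proposal names


@dataclass(frozen=True)
class Finding:
    """One assessed control: its domain and DAM-style risk weighting (assumed labels)."""
    control_id: str
    domain: str
    risk: str        # "high", "moderate" or "low"
    deficient: bool  # True when the control objective was not met


def material_weakness_reasons(findings, threshold=LOW_MOD_DEFICIENCY_THRESHOLD):
    """Apply the materiality rule and return the reasons found (empty list = not material).

    - any deficient high-risk control is a material weakness on its own;
    - a single low/moderate deficiency is not material by itself;
    - more than `threshold` low/moderate deficiencies within one domain combine
      into a material weakness.
    """
    reasons = []
    low_mod_per_domain = Counter()
    for f in findings:
        if f.risk not in ("high", "moderate", "low"):
            raise ValueError(f"unknown risk level {f.risk!r} for {f.control_id}")
        if not f.deficient:
            continue
        if f.risk == "high":
            reasons.append(f"high-risk control {f.control_id} ({f.domain}) is deficient")
        else:
            low_mod_per_domain[f.domain] += 1
    for domain, count in sorted(low_mod_per_domain.items()):
        if count > threshold:
            reasons.append(
                f"{count} low/moderate-risk deficiencies in domain {domain} "
                f"exceed the per-domain threshold of {threshold}"
            )
    return reasons


def authority_decision(findings, sprs_score, grace_period_days=180,
                       threshold=LOW_MOD_DEFICIENCY_THRESHOLD,
                       min_sprs=MIN_SPRS_SCORE_FOR_IATC):
    """Return (decision, reasons), where decision is 'ATC', 'IATC' or 'DATC'."""
    if grace_period_days not in GRACE_PERIODS_DAYS:
        raise ValueError("grace period must be 180 or 365 days")
    deficient = [f for f in findings if f.deficient]
    if not deficient:
        return "ATC", ["all assessed controls conform"]
    reasons = material_weakness_reasons(findings, threshold)
    if reasons:
        return "DATC", reasons
    if sprs_score < min_sprs:
        # Assumption: an SPRS score under the IATC floor denies the interim authority.
        return "DATC", [f"SPRS score {sprs_score} is below the IATC minimum of {min_sprs}"]
    ids = ", ".join(f.control_id for f in deficient)
    return "IATC", [
        f"{len(deficient)} non-material deficiencies ({ids}); POA&M and C3PAO "
        f"re-evaluation required within {grace_period_days} days"
    ]


# Constructed sample assessment (hypothetical controls, domains and risk weightings).
SAMPLE_FINDINGS = [
    Finding("AC-01", "Access Control", "high", deficient=False),
    Finding("AC-02", "Access Control", "moderate", deficient=True),
    Finding("AU-01", "Audit & Accountability", "low", deficient=True),
    Finding("CM-01", "Configuration Management", "high", deficient=False),
]

if __name__ == "__main__":
    decision, why = authority_decision(SAMPLE_FINDINGS, sprs_score=85)
    print(decision)
    for line in why:
        print(" -", line)
```

Running the sample yields an IATC: both deficiencies are low or moderate risk, each domain stays under the threshold, and the SPRS score clears the floor. Flipping any one high-risk control to deficient, or stacking more than the threshold of low/moderate deficiencies in a single domain, moves the same contractor to DATC, which is exactly the distinction the materiality rule is meant to draw.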

  • Support the Defense Contract Management Agency (DCMA) to utilize the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for selective audits of the DoD supply chain (prime and subcontractors):

    • Build upon this model for other US government agencies; and

    • Use the findings to develop a centralized risk register to gain situational awareness on weaknesses that require program adjustments or investment to fix systemic flaws.

  • Publish detailed scoping guidance for C-SCRM that includes:

    • Authoritative scoping for CUI and FCI environments;

    • Authoritative scoping for sPII; and

    • Recommended scoping for UIP.

  • Take a very narrow approach to “reciprocity,” since the process of managing reciprocity can be more work than it is worth and adds unnecessary complexity to compliance efforts:

    • FedRAMP-certified environments would be treated as “compliant” only for the controls in scope for how the Infrastructure as a Service (IaaS) is used; and

    • The process of “managing reciprocity” likely exceeds the effort required to simply demonstrate compliance, due to the scoping nature of controls.

  • Zero Trust Considerations:

    • Develop a scalable cloud-based enclave for cleared contractors (e.g., a Trusted Enclave Architecture (TEA)), where the contractors pay for access and have messaging / file-sharing capabilities (e.g., a GCCH-type environment).
