FCI and CMMC Level 1 Article Summary:
Department of Defense contractors must secure their information systems to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). According to Federal Acquisition Regulation (FAR) 52.204-21 and the Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements, at a minimum, all DoD contractors will have to implement 17 separate security controls. NIST 800-171A lists 59 separate Assessment Objectives that are required to successfully implement the 17 security controls. Organizations can more easily implement the security controls by grouping the 59 Organizational Actions into six related and progressive steps rather than focusing on each individual security control.
Protect FCI and CMMC Level 1 Compliance
No matter how you paint it, cybersecurity requirements present a substantial challenge for many defense contractors. Defense contractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are affected by three cybersecurity requirements:
1. Basic Safeguarding of Covered Contractor Information Systems
Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, requires contractors to implement 15 security controls to protect Federal Contract Information (FCI). These safeguards are also the same security controls required for a CMMC Level 1 certification.
2. Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, mandates that defense contractors protect CUI by implementing the 110 security controls in NIST 800-171. Keep in mind that the 15 security controls in FAR 52.204-21 are also included in NIST 800-171, but there they are broken into 17 controls.
3. Assessing Security Requirements for Controlled Unclassified Information
Although contractors must implement all 110 security controls, the real measure of whether or not the security controls are adequately implemented is the 320 Assessment Objectives in NIST 800-171A, Assessing Security Requirements for Controlled Unclassified Information. In the past, many contractors would address the high-level controls but not the individual assessment objectives. In order to pass an audit or a certification, your company must address all of the required Assessment Objectives.
What’s Coming for CMMC?
The forthcoming Cybersecurity Maturity Model Certification (CMMC) is based on the 110 security requirements in NIST 800-171 but adds further requirements on top of them. When fully implemented, defense contractors will be required to implement all 110 security controls in NIST 800-171 as well as 20 additional security controls for CMMC Level 3. Keep in mind that a CMMC Level 1 certification contains the same 17 controls required by FAR 52.204-21 for protecting FCI. We will address how best to implement the controls for CMMC Level 1 below.
As organizations work to implement the various cybersecurity requirements, they often focus, one at a time, on the 110 individual security requirements. That is, of course, a reasonable process to follow. After all, they are the actual controls that must be implemented. However, a security assessor will use the Assessment Objectives to determine if a security control is correctly implemented.
If you analyze only the Assessment Objectives rather than the Security Controls themselves, you will notice clusters of similar and progressive actions that may not be evident by focusing only on the 110 security controls.
How to implement CMMC Level 1 Controls?
In this blog post, I would like to suggest a process by which you can more easily implement the 17 security controls in FAR 52.204-21/CMMC Level 1. To develop this process, we analyzed the 59 Assessment Objectives related to the 17 controls, grouped similar Assessment Objectives together, and finally sequenced the implementation of the grouped Assessment Objectives. The resultant process involves six steps:
1. Identify What to Protect
You are only required to protect the systems on which FCI and CUI are handled and the components that protect those systems. Those systems are called “covered contractor information systems.” Before you begin to allocate resources to securing covered contractor information systems, you should first identify how your organization interacts with FCI and CUI.
In our experience, this is a step that many DoD contractors ignore because they think they already know how they handle FCI and CUI. But when we guide them through the process, they soon discover FCI and CUI on more systems and handled by more employees than they originally thought. Take the time to be thorough because the results may help you save a great deal of time and money.
Consider the following questions:
- From whom do you receive FCI and CUI?
- Where and how do company personnel access FCI and CUI?
- Where and how do you store FCI and CUI?
- Who in your organization handles CUI?
- How are FCI and CUI transmitted outside of your organization?
If a significant portion of your business involves contracting with the federal government, you may have discovered that FCI and CUI are integrated throughout your system. You will need to decide whether it is worth the cost to segment FCI and CUI from the larger system or to keep FCI and CUI commingled with non-FCI and non-CUI data. Remember, if you can limit where FCI and CUI are found, you can reduce the size of what you have to protect.
2. Describe Your System
Now that you’ve decided what needs protection, you need to take a full inventory of those systems. Depending on the size of your networks, this may require some heavy lifting to accomplish. Your description should identify:
- External system boundaries and key internal boundaries (e.g. network segments, separate guest and corporate Wi-Fi, etc.)
- Internal system connections to external systems
- Devices that access and protect your internal system
- Publicly accessible parts of the system
- Personnel authorized to access the systems and the facilities in which the system components are located
- Transactions and functions that authorized users can perform based on their role (e.g. regular user, administrative user, security manager, database administrator, etc.)
3. Control Access
Protections must be in place to ensure that only authorized users can access authorized devices. These protections include creating user accounts and issuing a unique username and password to authorized users. Monitor, control, and protect communications at key internal boundaries.
An external system is anything outside of the covered contractor information systems controlled by your organization, including the internet, cloud services, networks controlled by other contractors, and personally owned computing devices. The use of and connections between your internal networks and the external systems must be approved by the organization and controlled through identification and verification mechanisms (e.g. username and password). Additionally, you must monitor these connections between your internal and external networks and prevent unauthorized actions.
Publicly Accessible System Components
Publicly accessible parts of your system, such as web or email servers, must be placed in a DMZ in order to prevent direct access to the internal network.
Physical access to systems, equipment, and operating environments where FCI and CUI are processed must be limited to authorized employees. Visitors should be escorted and monitored to ensure they do not have access to FCI and CUI. The company must maintain logs of who accessed the protected facilities and when (including employees!). Physical access devices, such as keys, proximity access cards, and alarm codes, should only be issued to authorized personnel and protected from unauthorized use.
4. Protect System from Malicious Code
Identify the parts of your system that should be protected from malicious code, such as workstations and mobile devices. Install antivirus (AVS) software at those locations and ensure the AVS is regularly updated and scans your systems for malicious code. The AVS should also scan files as they are downloaded, opened, or executed.
5. Identify and Fix System Flaws
Systems always have flaws and malicious actors are constantly searching for ways to exploit them. You must have a plan to scan for missing operating system and software patches, as well as for misconfigurations and unhardened components (like default passwords on network devices). After system flaws are identified, fix them.
6. Prevent Accidental Release of FCI and CUI
Publicly Sharing Information
Prevent the unauthorized release of FCI and CUI on publicly accessible systems, such as company websites and social media. The organization should limit the number of people authorized to publicly share information and ensure that they understand how to identify and protect FCI and CUI. The organization should have the ability to remove information from publicly available systems.
System media must be sanitized or destroyed before the organization reuses or disposes of it.
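As an added example (not code from the original post or from Totem Tech), the following Python check applies the scoping and control steps above to a constructed asset inventory: it derives the covered contractor information systems from the inventory (steps 1 and 2) and then flags public-facing components outside the DMZ (step 3), covered systems without antivirus (step 4), and covered systems with no recent flaw scan (step 5). The asset names, segment labels and the 30-day scan threshold are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    segment: str                       # assumed segment labels: "corp-lan", "dmz", "perimeter", "guest-wifi"
    handles_fci: bool = False          # FCI/CUI is stored, processed or transmitted here
    protects_fci: bool = False         # component that protects covered systems (firewall, etc.)
    public: bool = False               # reachable from the internet
    av_installed: bool = False
    days_since_flaw_scan: Optional[int] = None   # None = never scanned

# Constructed sample inventory; not a real contractor's environment.
INVENTORY = [
    Asset("eng-ws-01", "corp-lan", handles_fci=True, av_installed=True, days_since_flaw_scan=10),
    Asset("file-srv", "corp-lan", handles_fci=True, av_installed=True, days_since_flaw_scan=45),
    Asset("www", "corp-lan", public=True, av_installed=True, days_since_flaw_scan=5),
    Asset("fw-edge", "perimeter", protects_fci=True, days_since_flaw_scan=5),
    Asset("sales-laptop", "corp-lan", handles_fci=True, av_installed=False),
    Asset("kiosk", "guest-wifi"),
]

def covered_systems(inventory: List[Asset]) -> List[Asset]:
    """Steps 1-2: covered contractor information systems are the assets that
    handle FCI/CUI plus the components that protect them."""
    return [a for a in inventory if a.handles_fci or a.protects_fci]

def gap_check(inventory: List[Asset], max_scan_age_days: int = 30) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs for steps 3-5 of the process."""
    findings = []
    for a in inventory:
        # Step 3: publicly accessible components belong in a DMZ, not on the internal network.
        if a.public and a.segment != "dmz":
            findings.append((a.name, "public-facing but not in DMZ"))
    for a in covered_systems(inventory):
        # Step 4: antivirus on every covered system that handles FCI/CUI.
        if a.handles_fci and not a.av_installed:
            findings.append((a.name, "handles FCI without antivirus"))
        # Step 5: flaw scanning must be recurring, not a one-off.
        if a.days_since_flaw_scan is None or a.days_since_flaw_scan > max_scan_age_days:
            findings.append((a.name, "no recent flaw scan"))
    return findings

if __name__ == "__main__":
    print("Covered systems:", [a.name for a in covered_systems(INVENTORY)])
    for asset, finding in gap_check(INVENTORY):
        print(f"{asset}: {finding}")
```

Assets outside the covered set (the guest kiosk) are intentionally not checked, which is the cost saving the scoping step is meant to deliver.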
Navigating CUI and FCI Compliance
If your organization doesn’t process CUI, then you can stop at FAR 52.204-21/CMMC Level 1. If you do process CUI, you will have to implement the remaining 93 NIST 800-171 controls/261 Organizational Actions.
Although there is still a lot of work ahead, the good news is that by going through the process outlined above, you will have laid down a good foundation on which you can continue to improve the security of your covered contractor information systems.
To further assist your efforts, please download our Systems Security Plan template (below) on which you can document the results of your CUI and system inventories and security control implementation. If you have further questions or need additional help, reach out to our team at Totem Tech.