Department of Defense Industrial Base (DIB) supply chain members must implement cybersecurity programs to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) they may handle on behalf of the DoD. Eventually, DIB members will have to undergo Cybersecurity Maturity Model Certification (CMMC) of their cybersecurity programs. It is imperative to continuously monitor the performance of a cybersecurity program during its lifecycle. This post provides an overview of how the CMMC Continuous Monitoring requirements support a cybersecurity program, and provides a free downloadable worksheet to help small business DIB members plan and implement cybersecurity Continuous Monitoring.
The NIST 800-171 / CMMC Cybersecurity Program Lifecycle
First, let’s take a look at how Continuous Monitoring fits into a cybersecurity program. The diagram below shows the lifecycle of a cybersecurity program built around the CMMC Model and the National Institute of Standards and Technology (NIST) 800-171 standard for the protection of CUI in non-federal systems, on which CMMC is based:
As you can see from the diagram, Continuous Program Monitoring is part of the Sustainment phase. So it is only after we have:
- Scoped the system
- Built our System Security Plan (SSP) and any corrective action plans in a Plan of Actions and Milestones (POA&M)
- Implemented the program by executing the SSP and POA&M, and,
- Assessed the compliance of the program
before we enter into a phase of ongoing program management, or program “care and feeding”, to include Continuous Monitoring.
It is therefore apparent that Continuous Monitoring is key to “keeping the program healthy” and determining if there are major system or environmental changes that would necessitate revisiting any of the other phases of the program lifecycle.
So what are the CMMC Continuous Monitoring requirements?
A quick search of NIST 800-171 reveals no fewer than 12 controls that include the word “monitoring”. For instance, control 3.1.12 requires us to “Monitor and control remote access sessions.” In this case we need to have technologies and procedures that allow active, real-time monitoring of remote access such as Virtual Private Network (VPN) connections. This type of monitoring is important, but constitutes only a part of what we mean when we say “Continuous Monitoring” in a cybersecurity programmatic context.
For the context we are presently exploring, NIST defines “Continuous Monitoring” as:
So Continuous Monitoring in the context of cybersecurity program “care and feeding” is related to organizational risk management. For NIST 800-171 and CMMC, Continuous Monitoring means executing “governance” activities to ensure:
- established organizational cybersecurity policies are still relevant, and,
- implemented technical and procedural controls effectively enforce those policies.
It’s a matter of monitoring established measurable goals (metrics) to ensure the organization’s cybersecurity program operates efficiently and effectively over time.
Continuous Monitoring also supports the identification of major system or environmental changes that would trigger a re-scoping and / or adjustment to the SSP and therefore the cybersecurity program. Like a throttle governs the speed of an engine, so does Continuous Monitoring govern the cybersecurity program. Sometimes you’ll want to slow down, pull over, and check the engine. This triggering effect is shown in the diagram above as an arrow linking the Continuous Monitoring cycle and the overall program lifecycle.
NIST 800-171 is a “rubber meets the road” standard for cybersecurity controls. While it does establish some real-time monitoring requirements, it unfortunately doesn’t also make many higher-level recommendations on what aspects of the program should be monitored, what measurements to make, and how frequently to make those measurements. So we’ll provide some recommendations in this post, and provide a downloadable tool you can use to plan CMMC Continuous Monitoring in your small business environment.
What aspects of your program should you be monitoring?
Certainly any of the NIST 800-171 / CMMC controls that require your organization to establish a frequency of activity should be part of your Continuous Monitoring program.
For instance, control 3.11.1 in the Risk Assessment family asks us to define the “frequency to assess risk to organizational operations, organizational assets, and individuals”, and then to follow up by assessing risk at the defined frequency. So part of your Continuous Monitoring program should be to ensure that risk assessments are being conducted at the required frequency. If you subscribe to our Totem™ Cybersecurity Compliance Management tool, you’ll see that our SSP templates recommend risk assessments at least annually or whenever any of the following conditions occur:
- Major system change (e.g. Workstation OS upgrade, addition of new component)
- Change in system operational environment (e.g. introduction into new area of operation)
- Change in types of data processed by the system (e.g. change in classification level)
- Known breach of system / data
- When new High or Critical vulnerabilities (CVSS Score >7.0) are published for operating systems (OS) or software (SW) resident in the information system
So your organization’s Continuous Monitoring Plan should address risk assessments.
Another example of Continuous Monitoring is to ensure the organization’s ability to recover data from backup. While there is no requirement (yet) in 800-171 to test backup data recovery, this is a must-do activity for any robust cybersecurity program. So we’d recommend an (at least) annual test of your organization’s data and system backup and recovery capability. In this way the organization measures the effectiveness of the backup system.
As you ponder these Continuous Monitoring Activities, you’ll start thinking of many other aspects of your cybersecurity program that could be monitored. Here are just a few more examples:
- incident response effectiveness
- security impact analysis (SIA)
- access authorizations (i.e. who has both physical and logical access and why)
- security awareness and training execution
In all there are several dozen aspects that even a small business should be monitoring to ensure their cybersecurity program is operating effectively. We won’t enumerate all of them in this post, but we’ll discuss how to plan for them all and provide a template.
A Continuous Monitoring Plan Template
FedRAMP — the Federal Risk and Authorization Management Program for cloud service providers — provides a nice plan template that CSPs that wish to sell their wares to the Federal government must maintain to describe how they continuously monitor their cloud service cybersecurity program. While the FedRAMP template is comprehensive, it is a little much for the average DIB small business. So we tailored it and pared it down to meet the needs of the average small business DoD contractor. And we love the fact that it’s based on the FedRAMP template, because we feel you can’t go wrong in CMMC using templates the government already accepts!
The image below shows the overall structure of our tailored CMMC Continuous Monitoring template, which you can download here:
Exploring the template, you’ll see the header rows have a title (with placeholder for your organization’s name), as well as cells to capture version number, Security Officer name, and approval date.
The Monitoring Activity rows are where the magic happens in the template. You see several Activity rows shown in the image above, including Network Traffic Analysis and Intrusion Detection, Vulnerability Scanning, and OS and Software Patching. All of these are required by NIST 800-171 and CMMC.
Associated with each Activity are the following columns:
- Control ID — indicates which NIST 800-171 controls the Activity supports
- (By the way, NIST assumes all businesses are already performing Activities with “NFO” as the Control ID, even if there isn’t a control listed in 800-171)
- Description — a brief description of the Activity
- Frequency — our recommendations for how frequently the Activity should be performed
- Probable Responsibility — what entity associated with your organization will probably execute the Activity, selectable from a pre-loaded dropdown
- “OSC” is the Organization Seeking Certification, aka your organization
- “MSP” is an IT Managed Service Provider
- “MSSP” is a Managed Security Service Provider
- “CSP” is a Cloud Service Provider
- “Other ESP” is another “External Service Provider” in CMMC parlance, for example a printer service company
- “Shared” means the responsibility is shared amongst several entities
- Last Execution Date — capture when the Activity was last executed
- Executed By — capture who last executed the Activity
Rows highlighted with a peach color are those Activities that are required even by CMMC Level 1, for those of you who only handle FCI. CMMC Level 1 OSCs are required to implement at a minimum the basic cybersecurity safeguards spelled out in the Federal Acquisition Regulation clause 52.204-21. Some of these safeguards necessitate some ongoing monitoring Activities.
All Activities in the template are required for CMMC Level 2 and 3. Looking at the template you really get the sense that a NIST 800-171 cybersecurity program is not “fire and forget”; the program requires constant care and feeding. To pass a CMMC assessment, you’ll have to demonstrate a healthy and well-maintained cybersecurity program. It’s a healthy, sustained cybersecurity program that represents the “Maturity” in the CMMC model. Of course, sustenance requires money and time, so your organization will have to allocate budget to support all these Activities.
Suggested Activity frequencies in the template range from “Ongoing” to “Every Five Years”. You can customize the frequency as you see fit, but we’d suggest — for best practice as well as CMMC compliance purposes — not performing any Activity less frequently than we’ve outlined in the template.
The template is meant to be a plan for your organization’s Continuous Monitoring program. Enter the plan into document quality control, and capture Activity execution dates as your organization performs them. You can then use the plan as compelling evidence to support the implementation of your cybersecurity program.
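One way to turn the captured execution dates into evidence you can act on is to check the Last Execution Date column against the Frequency column. The script below is an added example (ours, not part of the post or the Totem template) that reads the plan exported as CSV with the template’s columns and lists Activities that are overdue, never executed, or assigned a responsibility value outside the template’s dropdown; the frequency-to-days table and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed mapping of the template's Frequency wording to a maximum interval
# in days; "Ongoing" is treated as needing evidence within the last 7 days.
FREQUENCY_DAYS = {"Ongoing": 7, "Monthly": 31, "Annually": 366,
                  "Every Five Years": 5 * 366}

# Responsibility values the template offers in its dropdown.
RESPONSIBILITIES = {"OSC", "MSP", "MSSP", "CSP", "Other ESP", "Shared"}

# Constructed sample rows laid out in the template's columns (not real data).
SAMPLE_PLAN = """Control ID,Description,Frequency,Probable Responsibility,Last Execution Date,Executed By
3.11.1,Risk assessment,Annually,OSC,2022-11-15,J. Doe
3.11.2,Vulnerability scanning,Monthly,MSSP,2024-01-02,Acme MSSP
3.14.6,Network traffic analysis and intrusion detection,Ongoing,MSSP,2024-01-30,Acme MSSP
NFO,Backup and recovery test,Annually,MSP,,
3.2.2,Security awareness training,Annually,Vendor,2023-06-01,HR
"""

def check_plan(plan_csv: str, as_of: str) -> list[dict]:
    """Return the plan rows that need attention as of the given ISO date:
    unknown responsibility, unrecognised frequency, never executed, or
    executed longer ago than the Frequency allows. Each returned row gets
    a 'finding' field explaining why."""
    today = datetime.strptime(as_of, "%Y-%m-%d").date()
    findings = []
    for row in csv.DictReader(io.StringIO(plan_csv)):
        max_days = FREQUENCY_DAYS.get(row["Frequency"])
        last = row["Last Execution Date"].strip()
        if row["Probable Responsibility"] not in RESPONSIBILITIES:
            row["finding"] = "unknown responsibility"
        elif max_days is None:
            row["finding"] = "unrecognised frequency"
        elif not last:
            row["finding"] = "never executed"
        else:
            age = today - datetime.strptime(last, "%Y-%m-%d").date()
            if age <= timedelta(days=max_days):
                continue  # executed within the allowed interval
            row["finding"] = f"overdue by {age.days - max_days} days"
        findings.append(row)
    return findings

if __name__ == "__main__":
    for r in check_plan(SAMPLE_PLAN, "2024-02-01"):
        print(f'{r["Control ID"]:8} {r["Description"]:50} {r["finding"]}')
```

Run it against your own export on a schedule (or before an assessment) and the output is the list of Activities whose execution record would not satisfy the plan.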
We hope you enjoy our CMMC Continuous Monitoring plan template, which you can download below. If you’re interested, we cover cybersecurity program sustainment, as well as all other phases of the NIST 800-171 / CMMC Cybersecurity Program Lifecycle in our interactive Workshops. If you’re interested in how we approach CMMC compliance in our small business, come join us!