We understand that some of your contract language might be tough to understand. We are here to help. Below is a collection of definitions and some of the most frequently asked questions we get as Cybersecurity Experts.
| Topic | Definition |
|---|---|
| Cyber Risk | Organizational cyber risk consists of three (3) variables: 1) a scenario whereby harm can come to an asset ("threat", e.g. phishing email); 2) a weakness in the organization the threat can exploit ("vulnerability", e.g. untrained users); 3) an impact to the organization should the threat exploit the vulnerability ("impact", e.g. ransomware infection costs organization time and money to recover). There is some probability that a threat event can exploit a vulnerability (threat x vulnerability), and so the risk calculation becomes: probability x impact = risk. Risk is typically calculated qualitatively first ("high", "moderate", "low"), but ultimately needs to be calculated quantitatively in terms such as dollar amount, time required to recover, etc. Quantitative calculation is required for the organization to understand the resources it may need to outlay to appropriately mitigate the risk. Proper risk management dictates that an organization expend the minimum resources required to mitigate risk to an acceptable level. To use the example of the risk of phishing attack spreading ransomware in an organization, the organization must first calculate the impact: many organizations would realize a high impact from a ransomware outbreak, in that such an attack may cause irreparable, catastrophic impact to the organization. The impact is then deemed qualitatively to be "high". The organization then analyzes the probability of successful attack. Phishing emails and other social engineering tactics represent the single biggest threat to most organizations, and users are typically the organization's weakest link. Thus the probability of a successful phishing attack against a user is high. The unmitigated risk (probability x impact) in this case is "high". To mitigate this risk, the organization determines that the average cost of recovery from ransomware in its industry sector is, say, $50,000. The organization then undertakes to spend no more than $50,000 on mitigators such as user awareness training, email protections such as attachment scanning, and purchasing insurance that would offset the cost of the ransom. |
| System Security Plan | The System Security Plan (SSP) is the blueprint for your organization’s cybersecurity program. By way of an analogy, similar to how a blueprint contains drawings and instructions for the construction of your home, the SSP will contain all the details and specifications for how to build and run your program. But these details and instructions are confined by parameters—for example, you can’t build your home on the side of a cliff without certain structural elements; nor can you place electrical sockets wherever you want or use insufficient wiring for the sockets. So, in addition to outlining the building structure, your home blueprint needs to comply with certain codes and regulations. It’s the same with your SSP. In regard to building an SSP, those codes and regulations are cybersecurity frameworks--often dictated by laws or regulations--that contain cybersecurity safeguards or best practices, also known as "Controls". The SSP is the medium that contains the descriptions of the managerial policies, operational procedures, and technical components that the organization plans to implement to meet the requirement of each Control. That medium—Word document, Excel spreadsheet, web form, whatever—is up to the organization to determine. |
| Plan of Action and Milestones (POA&M) | The Plan of Action and Milestones (POA&M) is an organization's "get well plan" for its cybersecurity program. The POA&M is the summary of individual Corrective Action Plans (CAP) to address cyber risks in an organization. These risks are discovered as a result of a risk assessment, and are inevitable as security controls, threats, vulnerabilities, or organizational mission change over time. These risks represent "gaps" between an expected standard for a cybersecurity program (as defined by standard security control sets, such as NIST SP 800-171 or the CMMC), and the current state of safeguard implementation at an organization. For instance, the NIST SP 800-171 standard requires an organization to implement an audit logging generation, collection, correlation, review, analysis, reporting, and reduction capability to discover anomalous behavior within its network. If the organization doesn't have that capability, it has a gap between expected and implemented state. This gap represents organizational risk that must be mitigated through corrective action. The organization then develops a CAP for its auditing capability, and adds that CAP to the POA&M. A POA&M may contain multiple CAPs, as there may be (and typically are) multiple deficiencies in an organization's cybersecurity program at any given time. By way of analogy, consider a get well plan to mend a broken bone. The visit to the Dr.'s office will results in several different corrective actions: first to set the bone, second to stabilize the wound with a cast, third to prescribe medication for pain and infection, fourth to rehab physically, and so on. The sum total of these various CAPs would be the overall "get well plan" for the broken bone, analogous to a cybersecurity POA&M for an organization. Completion of a CAP should be noted on the POA&M, but as a CAP provides information on organizational risk, CAPs should not be deleted from the POA&M. Organizational risks, even when mitigated, should be cataloged in perpetuity, so the organization has an ongoing risk "register". This register can then be periodically consulted to determine if, despite mitigation, identical or similar risks re-occur over time, which would indicate some sort of systemic issue. |
| What is a Security Control Assessment? | Picture buying an older home. Before you go to settlement, you’ll hire a professional contractor to perform a home inspection. You expect the contractor to be knowledgeable about local building regulations and codes—such as proper layout, electrical wiring codes—and to understand what keeps a home in good working order—impermeable roof, working appliances, door locks, etc. The inspector may even obtain a copy of the building plans to compare to the current layout to see if previous owners have made modifications, additions, etc. In the end, the inspector will submit to you a list of issues that need to be addressed. Invariably with older homes, there will be some problems: codes and regulations change over time, foundations settle, water heaters break, etc. It’ll be up to you and the inspector to determine which issues are “showstoppers” for the settlement, and which can wait until after to be fixed. There is an analogous process in cybersecurity in which we inspect, aka “assess”, the organization’s System Security Plan (SSP) (i.e. the blueprints) and the current state of implementation (how the cybersecurity program is actually built and running) against the requirements in whatever cybersecurity framework is required. This is what is known as a cybersecurity controls assessment. Most of us aren’t building an IT system from scratch to process important information, we are trying to obtain compliance on an older, legacy IT system. Hence the “older home” analogy. Invariably our organizations have some gaps between our System Security Plan (SSP), the actual implementation of that plan, and the requirements themselves. |
| How are security controls tested and verified? | Cybersecurity Assessments confirm the existence of security safeguards and whether those safeguards are functional, correct, complete, and can be improved over time. Several factors affect how a cybersecurity assessment is performed, to include how the system is organized and used, the types of threats the system is designed to protect against, and regulatory requirements that affect the information system. A cybersecurity assessment consists of three variables - Methods, Objects, and Attributes. The Assessment Method describes how evidence is obtained and Assessment Objects describe the specific items assessed. These tables are listed in the NIST SP 800-171A (https://doi.org/10.6028/NIST.SP.800-171A) or CMMC Assessment Guides (https://www.acq.osd.mil/cmmc/docs/CMMC_AG_Lvl3_20201208_editable.pdf) An assessor will use different methods and objects to help facilitate understanding, achieve clarification, and obtain evidence to help support the determination that an information system is adequately protected. NIST 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides lists potential Assessment Objects for each of the 110 Security Controls in NIST 800-171. Assessment Attributes describe the rigor, level of detail, and sample size used to support the determination that an information system meets regulatory compliance. Generally, more objects and more scrutiny of those objects results in a higher level of confidence in the assessment results. |
| What is a Vulnerability Scan? | A vulnerability scan is an inspection of a computer workstation, server, or network to identify susceptible points of exploit or security holes. A vulnerability scan detects and categorizes IT infrastructure weaknesses through use of automated and manual scanning tools such as Assured Compliance Assessment Solution (ACAS) and the DoD Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). A vulnerability scan can be performed by an organization’s IT department or a third-party cybersecurity service provider. Vulnerability scans are wide scope in nature and are focused primarily to identify potential weaknesses by identifying missing patches and unsafe system configuration such as registry, and group policy settings. Vulnerability scanning is ongoing cycle of continuous system inspections and not a single event. |
| What is NIST? | NIST, the National Institute of Standards and Technology, is a federal government agency in the U.S. Department of Commerce. NIST’s mission is: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. One of NIST’s primary missions is help create standards for measurements, such as weight, distance, and time. However, NIST’s mission has expanded over the past decades and it currently operates six scientific laboratories for research in engineering, communications, information technology, neutron research, and physical and material measurements. NIST is heavily involved in creating computer security/cybersecurity standards, which are published in the NIST Special Publication 800-series. There are almost 200 different publications in the SP 800-series that provide standards and guidance for things such as access controls for cloud systems, encryption standards, wireless local access networks, and Bluetooth security. Some of these standards apply specifically to the federal government, such as NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST also published NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which is a standard for non-federal organizations that do business with the federal government, NIST also publishes that Cybersecurity Framework which consists of various security controls that any organization can adopt in order to strengthen their cybersecurity. |
| What is NIST Cybersecurity Framework? | The NIST Cybersecurity Framework (CSF) is a voluntary set of cybersecurity guidelines an organization can follow to better manage and reduce cybersecurity risk. The Framework is only guidance; it is not a checklist or a list of required controls like those in NIST SP 800-171. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations. The Framework was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013. This EO outlines responsibilities for Federal Departments and Agencies to aid in improving the cybersecurity of Critical Infrastructure, such as the electrical grid, water treatment plants, transportation, and internet backbone providers. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles. The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes. The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget. Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization. |
| Who must comply with CMMC? | All members of the Defense Industrial Base (DIB) that process Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) for the Department of Defense (DoD) must comply with the CMMC. The DIB consists of the prime contractors and suppliers and vendors to those prime contractors and the DoD itself. By the way, CMMC isn't necessarily something an organization "complies" with; it is better stated that the CMMC will result in a certification issued to organizations whose cybersecurity program passes an assessment. There is one exception--those organizations that supply Commercial Off The Shelf (COTS) items to the DoD do not need a CMMC certification. For confirmation of this, see the FAQs on CMMC here: https://www.acq.osd.mil/cmmc/faq.html. All of the other 350,000+ members of the DIB will need a certification. Those DIB members that only process FCI will require a CMMC Level 1 certification--this includes simple service providers such as lawn maintenance and janitorial services at DoD facilities. Those organizations that process CUI will be required to carry a CMMC Level 2-5 certificate, depending on the risk level associated with the particular information. Prime contractors are expected to flow CMMC certification requirements ALL the way down their supply chain. This supply chain encompasses a vast number of organizations; the DoD estimates 350,000+. |
| What are the penalties for not being compliant with CMMC? | When a contract includes requirements for the contractor to be CMMC certified, and that contractor does not achieve or maintain the requisite level of CMMC certification, the contractor could be barred from proposing or executing on the contract. Existing contracts could be revoked. |
| What are the differences between NIST 800-171 and the CMMC? | NIST 800-171 is a Controls standard that lists the required safeguards to be implemented to protect CUI. CMMC includes Controls--which they call "Practices"--as well as Process requirements for an organization, whereby an organization is required to demonstrate it has the resources required to fully implement and maintain the Practices. All 110 NIST 800-171 Controls are included as Practices at some level of the CMMC. Some levels of the CMMC add additional Practices over and above NIST 800-171. CMMC Level 1 includes 17 Practices, all of which are included in 800-171. CMMC Level 2 has 72 Practices, including 65 800-171 Controls and 7 additional Practices. CMMC Level 3 includes all 110 Controls from 800-171 and 20 additional Practices. For a breakdown of these additional Practices, see the Totem.Tech blog here: https://www.totem.tech/cmmc-nist-800-171/. CMMC Levels 4 and 5 build off Level 3 and contain 26 and 41 additional Practices, respectively. CMMC also contains additional resources, including a Clarification of the intent of each Practice, an Example of implementation of the Practice, and references to sources the DoD drew from to define the Practice. It appears the DoD will develop the CMMC Assessment Methodology from NIST Assessment Objectives, for example those contained in 800-171A and -171B. |
| How much does the CMMC Certificate Cost? | NIST 800-171 is a Controls standard that lists the required safeguards to be implemented to protect CUI. CMMC includes Controls--which they call "Practices"--as well as Process requirements for an organization, whereby an organization is required to demonstrate it has the resources required to fully implement and maintain the Practices. All 110 NIST 800-171 Controls are included as Practices at some level of the CMMC. Some levels of the CMMC add additional Practices over and above NIST 800-171. CMMC Level 1 includes 17 Practices, all of which are included in 800-171. CMMC Level 2 has 72 Practices, including 65 800-171 Controls and 7 additional Practices. CMMC Level 3 includes all 110 Controls from 800-171 and 20 additional Practices. For a breakdown of these additional Practices, see the Totem.Tech blog here: https://www.totem.tech/cmmc-nist-800-171/. CMMC Levels 4 and 5 build off Level 3 and contain 26 and 41 additional Practices, respectively. CMMC also contains additional resources, including a Clarification of the intent of each Practice, an Example of implementation of the Practice, and references to sources the DoD drew from to define the Practice. It appears the DoD will develop the CMMC Assessment Methodology from NIST Assessment Objectives, for example those contained in 800-171A and -171B. |
| Will there be a self-certification for CMMC? | Cost is unknown at this time, but according to the Dod at the CMMC FAQ site: "The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces." However, the FAQs go on to state: "The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive." Considering the cost of an ISO 9001 certification is somewhat less than $5000 for a micro business, we would expect CMMC to be similar in cost. |
| Who will perform CMMC Assessments? | CMMC assessments will be conducted by a trained and licensed assessor employed by a Certified Third Party Assessment Organization (C3PAO), which must be accredited by the CMMC Accreditation Body (CMMC AB). The C3PAO must not be affiliated with your organization. For more information see the CMMC FAQ: https://www.acq.osd.mil/cmmc/faq.html |
| What is CUI/Examples of CUI | Controlled Unclassified Information, or CUI, is defined by two key elements. 1. It is information created by or for the federal government. Information that organizations create outside of a contract with the federal government is not CUI. 2. A law, regulation, or Government-wide policy requires the information to be protected with safeguards or dissemination controls. Information is CUI only if a law, regulation, or policy requires the information to be protected. In the absence of a federal requirement to protect a piece the information, it is considered uncontrolled unclassified information. Currently, CUI is divided into 20 broad Organizational Groups such as Critical Infrastructure, Defense, , Law Enforcement, Privacy, and Tax. The Organizational Groups are further divided into 125 CUI Categories. For example, the Organizational Group “Defense” consists of four CUI Categories - Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Unclassified Controlled Nuclear Information – Defense. Each CUI Category is defined by a specific law, regulation, or policy. For example, the CUI Category “Controlled Technical Information” is associated with 48 CFR 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. 48 CFR 252.204-7012 defines Controlled Technical Information as: Research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog item identifications, data sets, studies, analyses and related information, and computer software executable code and source code. To determine if something is CUI, first determine whether the information was created by or for the federal government. If yes, then determine whether a law, regulation, or government-wide policy requires the information to be protected. If you answered yes to both questions, it is CUI. With that said, the government is required to notify contractors what information is CUI. If the government does not define what specific information is considered CUI, the contractor should seek additional guidance from the government. An official list of all CUI Categories can found at https://www.archives.gov/cui/registry/category-list |