[Updated October 2023] As the Department of Defense (DoD) has turned its attention towards the glaring cybersecurity deficiencies within the Defense Industrial Base (DIB), it has established the Cybersecurity Maturity Model Certification (CMMC) as its solution for protecting the DIB from cyber threats. CMMC, which requires implementation of the cybersecurity safeguards outlined in NIST SP 800-171, is both expensive and time-consuming to put in place, especially for small- to mid-size contractors. Additionally, many of these contractors lack the resources and technical/policy acumen needed to interpret and meet CMMC requirements. To remedy this, the DoD has launched Project Spectrum, an initiative for providing resources and training related to CMMC compliance as well as general cybersecurity for small- and mid-sized businesses (SMBs) in the DIB. In this post, we perform a brief (but honest) analysis of Project Spectrum, and we discuss its pros and cons for SMBs facing CMMC compliance.
What is Project Spectrum?
Per its official website, Project Spectrum’s mission statement is as follows:
So, the DoD’s goal with Project Spectrum is to raise awareness of cybersecurity threats and to accelerate cybersecurity compliance across the DIB. Members of the Totem team have attended presentations by US Air Force and US Navy personnel, as well as by the CMMC Accreditation Body (now the “Cyber AB”), promoting Project Spectrum as the DoD’s preferred partner for SMBs seeking resources on basic cybersecurity hygiene and, primarily, on compliance frameworks such as CMMC. Project Spectrum provides a platform where you can create a free account and browse what it has to offer. We analyze those offerings next.
What does Project Spectrum offer for CMMC?
On-demand training courses
At the time of this writing, Project Spectrum offers five video-based training courses, each roughly an hour in length. These courses cover Controlled Unclassified Information (CUI), System Security Plans (SSP), Plans of Action & Milestones (POA&M), and Foreign Ownership, Control, or Influence (FOCI). While the courses do a nice job of introducing these important topics, they do not really go beyond an introduction. Given how high-level the training is, contractors may find it difficult to apply some concepts to their own organization (knowing what CUI is, for example, is not the same as knowing how to identify the specific CUI in their environment).
Project Spectrum also provides “Bits & Bytes”: short training courses addressing various CMMC Level 1 controls. (CMMC Level 1 is aligned with the FAR 52.204-21 mandate that all Federal contractors provide “basic” safeguarding of Federal Contract Information (FCI).) We browsed through several of these courses and found the content to be mediocre. For instance, the “Flaw Remediation” course uses the term “vulnerability” without ever defining what a vulnerability is. The course then continues with statements such as “Implementing security controls for any vulnerabilities mitigates the chance of a threat exploiting a vulnerability”, followed by four generic examples of security controls. Again, contractors may find it difficult to apply these concepts to their specific environments.
Project Spectrum appears to host webinars on key topics concerning small business cybersecurity and CMMC. Guest speakers from other organizations, such as the National Security Agency (NSA) and the Cyber AB, have been included in some of these webinars. Since 2020, however, Project Spectrum has hosted only about two webinars per year, although it also advertises external events such as small business DoD contracting workshops. At the time of this update [July 2023], no future events were listed on the site.
Project Spectrum advertises partnerships with the following entities: “CMMC”, Manufacturing Extension Partnerships (MEP), and the Small Business Administration (SBA).
Additionally, for small business DIB members looking for a little more guidance with their cybersecurity compliance, Project Spectrum offers a Cybersecurity Mentor-Protégé Program (MPP) Pilot. With MPP, larger DoD contractors team up in a Mentor role with a small business Protégé to execute a government contract. The Project Spectrum MPP Pilot is designed to assist select small business DoD contractor Protégés with their implementation of NIST SP 800-171, and therefore prepare them to receive a CMMC certification.
In fact, it is our understanding, based on statements from the US Air Force’s MPP program manager, that Project Spectrum is the preferred resource for small business Protégés facing CMMC. However, the USAF MPP manager implied that Mentor companies cannot be reimbursed under the MPP for assisting their Protégés with CMMC, precisely because Project Spectrum is the preferred resource. In our opinion this would be tragic, given Project Spectrum’s current limitations as described in this post.
Additionally, the MPP Pilot seems out of date, considering Project Spectrum’s page states “Following the recently announced changes to CMMC (Version 2.0), we are reassessing these [last MPP Pilot] phases to ensure they follow the new criteria and will re-launch them in the near future.” CMMC Version 2.0 was announced in November 2021 and over a year and a half later the page had not been updated.
Project Spectrum provides quite a lot of information within its Info Hub, including recent cybersecurity-related events, blogs, white papers, video tips, and policies. These cover everything from CMMC to basic cybersecurity hygiene. While we aren’t going to dissect all of these, there are some inadequacies that we want to highlight, as they may be misleading for those pursuing a CMMC certification.
Project Spectrum has a blog series covering all CMMC Level 1 controls. We think this is great; however, we’ve found that a couple of the blogs are missing crucial pieces of information that are necessary for passing a CMMC assessment. For instance, its blog on Authorized Access Control discusses the requirements found in Control AC.L1-3.1.1, including identifying authorized users and devices, but there is no mention of identifying processes acting on behalf of authorized users (PAOBOAUs), a specific requirement of that control (and a separate assessment objective in NIST SP 800-171A). PAOBOAUs are critical to identify because they run under user credentials rather than SYSTEM or service credentials, yet they have access into your environment (think scheduled tasks, scripts, and integrations configured to run as a particular user). Failing to track down PAOBOAUs is not only bad for CMMC compliance; it also increases cybersecurity risk, because your IT system asset scope is incomplete.
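To make the PAOBOAU point concrete, here is a small inventory script. It is an added example for this post, not code from Project Spectrum or from its blog, and it assumes a Windows host where you can run it with local administrator rights. It lists scheduled tasks and services whose run-as principal is a user account rather than a built-in machine identity (SYSTEM, LOCAL SERVICE, NETWORK SERVICE, or an NT SERVICE virtual account); the resulting list is a starting point for the “processes acting on behalf of authorized users” portion of your AC.L1-3.1.1 asset inventory. The list of built-in identities and the output file name are our own choices.

```powershell
# Added example (not Project Spectrum's or the original post's code).
# Inventory scheduled tasks and services that run as a *user* account on this
# host. Those are candidate PAOBOAUs for the AC.L1-3.1.1 asset scope.
# Assumption: run on each in-scope Windows host with local admin rights.

# Built-in machine identities we do NOT treat as PAOBOAUs (our own list).
$machineIdentities = @(
    'SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem',
    'LOCAL SERVICE', 'NT AUTHORITY\LOCAL SERVICE',
    'NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

function Test-IsUserIdentity {
    param([string]$Principal)
    if ([string]::IsNullOrWhiteSpace($Principal)) { return $false }
    # Virtual service accounts (NT SERVICE\...) belong to the machine, not a user.
    if ($Principal -like 'NT SERVICE\*') { return $false }
    # -notcontains is case-insensitive in PowerShell by default.
    return ($machineIdentities -notcontains $Principal)
}

$findings = @()

# Scheduled tasks: Principal.UserId is the run-as account (e.g. CORP\jsmith).
Get-ScheduledTask | ForEach-Object {
    $runAs = $_.Principal.UserId
    if (Test-IsUserIdentity $runAs) {
        $findings += [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Type   = 'ScheduledTask'
            Name   = "$($_.TaskPath)$($_.TaskName)"
            RunAs  = $runAs
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

# Services: StartName is the logon account the service runs under.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (Test-IsUserIdentity $_.StartName) {
        $findings += [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Type   = 'Service'
            Name   = $_.Name
            RunAs  = $_.StartName
            Action = $_.PathName
        }
    }
}

# Show the candidates and keep a CSV as an inventory artifact for the SSP.
$findings | Sort-Object Type, Name | Format-Table -AutoSize
$findings | Export-Csv -Path ".\paobau-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Each row names a process that will authenticate with a person’s credentials whenever it runs, so each one needs an owner, a documented purpose, and a decision about whether it stays in scope. Interactive logons, cloud-service integrations, and application-level automation are other places PAOBOAUs hide; this script covers only the two Windows mechanisms it queries.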
The same lack of elaboration on PAOBOAUs appears in the relevant “Video Tips”, also accessible in the Info Hub, which are significantly out of date: the last Video Tip was published in 2020, and many of the videos still use the since-discarded CMMC Model 1.0 control naming scheme (e.g. “PE.1.132”). That said, like the Cyber Readiness Check “tooltips” described below, these videos provide a brief and useful introduction to several cybersecurity concepts.
In another blog analyzing Flaw Remediation and Malicious Code Protection, codified in Controls SI.L1-3.14.1 and SI.L1-3.14.2, the Project Spectrum author(s) provide only a brief interpretation of what DIB members should expect to do to meet these requirements. As with the “Bits & Bytes” course on this topic (mentioned above), very little context for flaw remediation is given beyond what is stated in the control itself. To effectively “identify, report, and correct information and information system flaws in a timely manner”, organizations will need to do more than patch their systems. Patching is a necessary first step, but you cannot correct a flaw you have not identified, so more proactive measures are needed, such as routine vulnerability scanning and the use of an IT change tracking system to record what was fixed, where, and when. There is no mention of either, which was a bit of a surprise.
These examples demonstrate that while the blogs and other information resources are helpful in explaining the requirements at a high level, DIB members may come away thinking that CMMC requires less than it actually does. This may result in failing a CMMC assessment, which is why we need to be as specific and thorough as possible when coaching small businesses on the requirements.
The Info Hub section of the website also has a list of white papers (written by Project Spectrum “Cyber Advisors”) on various topics not directly related to CMMC. There is also a “Policy Corner” with a list of CMMC-related government policy publications. In our experience, government policy publications do little to help small business owners effectively implement CMMC.
For DIB members pursuing a CMMC certification, Project Spectrum offers “Cyber Readiness Checks”: self-conducted manual checklists for assessing compliance with one of three standards: NIST SP 800-171, CMMC Level 1, and CMMC Level 2. Of course, since CMMC Level 2 is aligned with NIST SP 800-171, those two checklists are identical, except that the NIST SP 800-171 checklist displays the SPRS score once completed while the CMMC Level 2 checklist displays a percentage met. To its credit, and unlike other assessment tools we’ve seen, the Project Spectrum checklists operate not only from the controls themselves but also from the associated assessment objectives outlined in NIST SP 800-171A. Assessing against the -171A objectives is a crucial aspect of NIST SP 800-171 and CMMC compliance, because that is what a CMMC assessor will do.
Most controls within the checklists have a corresponding “tooltip” — essentially a generic interpretation of the control — as well as a short video summary. The videos are typically a few minutes in length and contain computer-generated read-over of generic content. You shouldn’t expect these videos to provide much context for any of the controls. While the checklists themselves are a nice, quick way to perform a rudimentary assessment, you’ll likely need to consult professionals directly if you need help interpreting any of the controls.
Project Spectrum also has CMMC Level 1 and Level 2 “Scoping Assessments” as part of their Cyber Readiness Check. Ostensibly, these scoping assessments would help you generate a list of “in scope” assets, with which you would have an idea of which aspects of your small business IT system require protections. However, in practice, it is not clear what the output of these scoping assessments is, as when complete you simply get a notice that “Your Assessment is complete”. No list of assets, no suggested next actions, nothing…
There is also a placeholder page for “Cyber Readiness Check Training” videos. No videos are present and there is a “Check back soon for Videos…” message.
Luckily, Project Spectrum also offers “Useful Tools”, a searchable table of CMMC-related technology and professional service providers. Provision type and price range are listed in the table, as are attributes such as “Ease of Use” and “Known Clients”. Totem Technologies is thankful to be listed as one of Project Spectrum’s Useful Tools.
Overall Impressions of Project Spectrum's offerings
Overall, it appears Project Spectrum provides high-level interpretation of CMMC requirements, focusing on CMMC Level 1 controls. Admittedly, explaining even CMMC Level 1 controls in enough detail for an average small business owner to effectively implement them is a serious challenge. Project Spectrum’s content does a decent job of initiating a newcomer into the complex world of DoD contractor cybersecurity compliance.
In our opinion, the single most valuable tool Project Spectrum offers for the average small business is the NIST 800-171 Cyber Readiness Check, which helps generate the SPRS score.
Exploring Totem's CMMC resources that bolster Project Spectrum
Totem’s mission is to help small and micro DoD contractors remain part of the DIB. Given that we are a micro DoD contractor pursuing a CMMC certification ourselves, we share in many of the frustrations that come with this journey. We understand CMMC’s complexity, its verbosity, and its potential to push small and micro businesses out of the Defense Industrial Base. We appreciate that Project Spectrum has recognized this potential as well, and that it is taking action.
Totem Technologies aims to support the efforts of Project Spectrum by providing additional CMMC resources and training for the Defense Industrial Base. We achieve this goal by delivering hands-on workshops and training, security control assessments, technologies, and free tools and templates. Please see below for a description of each. You can also explore our Roadmap to CMMC Compliance for an interactive overview of the steps required to achieve CMMC and further explanations of our offerings.
Workshops and training
Totem offers three workshops, two of which we are proud to have partnered with Govology to deliver:
Our DFARS/CMMC/NIST 800-171 Workshop is geared towards small and micro businesses pursuing a CMMC Level 2 certification. During this nine-week course, we get into the weeds of NIST 800-171 and meeting DFARS 252.204-7012 requirements, starting with scoping and including building a System Security Plan (SSP) and Plan of Action & Milestones (POA&M). We discuss CUI protection strategies in depth and address small business struggles with CMMC.
Our SPRS Score Workshop is intended for those contractors that want help generating and submitting their Supplier Performance Risk System (SPRS) score. Whether you are in a pinch to submit the score or just want some help doing it, this 1.5-hour live course will benefit you.
Our Small Business Cybersecurity Essentials Workshop was created for all small businesses regardless of industry. Participants learn the fundamentals of a strong cybersecurity program within a small business environment. The five-week course covers the 10 most important cybersecurity safeguards according to our Totem Top 10™ methodology.
In addition to these workshops, Totem also offers customized user training. We’ll help you develop an IT Acceptable Use Policy (AUP) and train your staff on the policies, threats, and protections they need to be aware of to prevent an incident. If you’d like, we can also perform a phishing simulation to test your staff’s ability to spot and prevent an attack.
CMMC gap assessments
As you have ventured along your CMMC journey, you may have discovered that you want a little more help in preparing for a CMMC assessment. Totem offers a NIST 800-171/CMMC gap assessment, where we will assess your cybersecurity program against the NIST 800-171 requirements. We’ll help you identify deficiencies, build corrective action plans and policies (including your SSP and POA&M), and put together a game plan for CMMC.
One of the greatest challenges small and micro businesses face with CMMC is a lack of affordable (and helpful) technologies. Totem has made it a priority to develop these technologies, which we are proud to offer at affordable rates to our small business DoD contracting peers. We offer two solutions at this time:
Our Totem™ Cybersecurity Compliance Management software is a lightweight, cloud-based tool that you can use to build and manage your System Security Plan (SSP), Plan of Action & Milestones (POA&M), and other documentation needed for CMMC compliance. The tool was built purposefully for those facing CMMC, which helps keep the price lower compared to other similar solutions. Those interested in Totem™ may request a free trial and/or a free demo on our Software page.
Our Zero Client™ as a Service (ZCaaS) offering is an affordable option for the smallest of the small DoD contractors to securely handle (process, store, and share) Controlled Unclassified Information (CUI). Micro-businesses can use the ZCaaS™ temporary “Windows in the cloud” virtual desktop to transfer sensitive information from one cloud service to another without “contaminating” workstations. We call it a “zero client” because the organization’s on-premises or employee-owned (BYOD) workstations (desktops, laptops, mobile devices) simply act as clients to the cloud service, and zero CUI is ever stored, processed, or transmitted on the workstations themselves.
ZCaaS™ is actually a package of three services:
- A non-persistent cloud-based virtual desktop with browser and document editing tools
- SafeShare™ secure file sharing and storage platform
- Totem™ Cybersecurity Compliance Management tool
Free tools and templates
Finally, in addition to these services, Totem Technologies has developed a wide variety of free resources and templates for our small business DIB peers. We learned the hard way that CMMC requires a heavy amount of paperwork, which is why we developed templates based on our own CMMC policies to reduce the burden of developing “artifacts” from scratch. Explore our Free Tools page, where you can download these templates for free, including our Incident Response Plan template, Separation of Duties matrix, System Inventory template, and more.
This wraps up our analysis of Project Spectrum and the CMMC-related resources it offers to the DIB. We compared these resources with our own offerings to determine how Project Spectrum and Totem can both be leveraged by small business DoD contractors pursuing a CMMC certification.
If you have questions about the blog, any of the offerings mentioned, or CMMC/cybersecurity in general, drop us a line! Or, better yet, grab a seat in our DFARS/CMMC Workshop. We’d love to have you join us!
–Adam Austin, co-owner and Cybersecurity Lead