As the Department of Defense (DoD) has turned its attention towards the glaring cybersecurity deficiencies within the Defense Industrial Base (DIB), it has established the Cybersecurity Maturity Model Certification (CMMC) as its solution for protecting the DIB from cyber threats. CMMC, which requires implementation of the cybersecurity safeguards outlined in NIST SP 800-171, is both expensive and time-consuming to put in place, especially for small- to mid-size contractors. Additionally, many of these contractors lack the resources and technical/policy acumen needed to interpret and meet CMMC requirements. To remedy this, the DoD has launched Project Spectrum, an initiative for providing resources and training related to CMMC compliance as well as general cybersecurity for small- and mid-sized businesses (SMBs) in the DIB. In this post, we perform a brief (but honest) analysis of Project Spectrum, and we discuss its pros and cons for SMBs facing CMMC compliance.
What is Project Spectrum?
The DoD’s goal with Project Spectrum is to enhance awareness of cybersecurity threats and to accelerate the overall cybersecurity compliance of the DIB. Members of the Totem team have witnessed both the US Air Force and the CMMC Accreditation Body (now the “CyberAB”) promote Project Spectrum as the DoD’s preferred partner for SMBs looking for resources on cybersecurity hygiene and, primarily, on compliance frameworks including CMMC. Project Spectrum provides a platform where you can create a free account and begin browsing what it has to offer. We analyze these offerings next.
What does Project Spectrum offer for CMMC?
On-demand training courses
At the time of this writing, Project Spectrum offers four video-based training courses, each roughly an hour in length. These courses cover Controlled Unclassified Information (CUI), CMMC Level 1, System Security Plans (SSP), and Plans of Action & Milestones (POA&M). While the courses do a nice job introducing these four important topics, they do not go much beyond an introduction. Given how high-level the training is, contractors may find it difficult to apply some concepts to their organization (for example, knowing what CUI is vs. knowing how to identify specific CUI in their environment). Additionally, some of the content is outdated, particularly the CMMC-specific training, which still references the old CMMC 1.0 model. It would be nice to see the training reflect the most recent and most critical industry/ecosystem changes.
Webinars
Project Spectrum hosts webinars on key topics concerning small business cybersecurity and CMMC. Guest speakers from other organizations such as the National Security Agency (NSA) and the Cyber Accreditation Body have been included in some of these webinars. Since 2020, Project Spectrum has only hosted about two webinars per year, although it also advertises other external events, such as small business DoD contracting workshops.
Mentor-Protégé Pilot Program
For small business DIB members looking for a little more guidance with their cybersecurity compliance, Project Spectrum offers a Cybersecurity Mentor-Protégé Program (MPP) Pilot. With MPP, larger DoD contractors team up in a Mentor role with a small business Protégé to execute a government contract. The Project Spectrum MPP Pilot is designed to assist select small business DoD contractor Protégés with their implementation of NIST SP 800-171, and therefore prepare them to receive a CMMC certification.
It is, in fact, our understanding, based on statements from the US Air Force’s MPP program manager, that Project Spectrum is the preferred resource for small business Protégés facing CMMC. However, the USAF MPP manager implied that Mentor companies cannot be reimbursed under the MPP for assisting their Protégés with CMMC, precisely because Project Spectrum is preferred. In our opinion this would be tragic, given Project Spectrum’s current limitations as described in this post.
Additionally, the MPP Pilot seems out of date, considering Project Spectrum’s page states “Following the recently announced changes to CMMC (Version 2.0), we are reassessing these [last MPP Pilot] phases to ensure they follow the new criteria and will re-launch them in the near future.” CMMC Version 2.0 was announced in November 2021 and over a year later the page had not been updated.
Info Hub
Project Spectrum provides quite a lot of information within its Info Hub, including recent cybersecurity-related events, blogs, white papers, video tips, and policies. These cover everything from CMMC to basic cybersecurity hygiene. While we aren’t going to dissect all of these, there are some inadequacies that we want to highlight, as they may be misleading for those pursuing a CMMC certification.
Project Spectrum has a blog series covering all CMMC Level 1 controls. We think this is great; however, we’ve found that a couple of the blogs are missing crucial pieces of information that are necessary for passing a CMMC assessment. For instance, its blog on Authorized Access Control discusses the requirements found in Control AC.L1-3.1.1, including identifying authorized users and devices, but there is no mention of identifying processes acting on behalf of authorized users (PAOBOAUs), a specific requirement in the control. PAOBOAUs are critical to identify, given that they rely on user credentials as opposed to SYSTEM credentials and have access into your environment. Failing to track down PAOBOAUs is not only bad for CMMC compliance, but it also increases cybersecurity risk, as your IT system asset scope is incomplete.
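One way to start the PAOBOAU inventory that AC.L1-3.1.1 calls for, as an added example that is not Project Spectrum’s or Totem’s code: it lists the Windows services and scheduled tasks on a host that run under user credentials rather than built-in system identities. The list of built-in identities and the output file name are assumptions for a typical small-business environment.

```powershell
# Added example: inventory services and scheduled tasks that run with user
# credentials (candidate "processes acting on behalf of authorized users").
# Run from an elevated PowerShell session on each in-scope Windows host.

# Assumption: these built-in identities are NOT user credentials. Extend as needed.
$SystemAccounts = @(
    'LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
)

function Test-IsUserAccount {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($Account -like 'NT SERVICE\*')   { return $false }  # virtual service accounts
    if ($Account -like 'NT AUTHORITY\*') { return $false }  # other built-in identities
    return ($SystemAccounts -notcontains $Account)
}

$findings = @()

# Services: StartName is the account the service logs on as.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (Test-IsUserAccount $_.StartName) {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Name   = $_.Name
            RunsAs = $_.StartName
            State  = $_.State
            Host   = $env:COMPUTERNAME
        }
    }
}

# Scheduled tasks: the principal's UserId is the account (or group) the task runs as.
Get-ScheduledTask | ForEach-Object {
    $runAs = $_.Principal.UserId
    if (Test-IsUserAccount $runAs) {
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Name   = "$($_.TaskPath)$($_.TaskName)"
            RunsAs = $runAs
            State  = $_.State
            Host   = $env:COMPUTERNAME
        }
    }
}

# Save the inventory as an SSP artifact and show it on screen.
$findings | Sort-Object Type, Name |
    Export-Csv -Path ".\paoboau-inventory-$($env:COMPUTERNAME).csv" -NoTypeInformation
$findings | Format-Table -AutoSize
```

Each row is a candidate to add to the system inventory and to the SSP’s description of who and what may access CUI; tasks that run as a group such as “Users” inherit the logged-on user’s credentials and belong in scope as well.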
The lack of elaboration on PAOBOAUs is also evident in the relevant “Video Tips”, which are also accessible in the Info Hub and which are significantly out of date. The last Video Tip was published in 2020, and many of the videos still reflect the since-discarded CMMC Model 1.0 control naming schema (e.g. “PE.1.132”). However, similarly to the Cyber Readiness Check “tooltips” described below, these videos provide a brief and useful introduction to several cybersecurity concepts.
In another blog analyzing Flaw Remediation and Malicious Code Protection, codified in Controls SI.L1-3.14.1 and 3.14.2, the Project Spectrum author(s) provide only a brief interpretation of what DIB members should expect in order to meet these requirements. Very little context for flaw remediation, beyond what is defined in the control, is given. To effectively “identify, report, and correct information and information system flaws in a timely manner”, organizations will need to do more than just patch their systems. While patching is a necessary first step, more proactive measures for flaw remediation are needed, such as routine vulnerability scanning and use of an IT change tracking system. There is no mention of either of these, which was a bit of a surprise.
These examples demonstrate that while the blogs and other information resources are helpful in explaining the requirements at a high level, DIB members may come away thinking that CMMC requires less than it actually does. This may result in failing a CMMC assessment, which is why we need to be as specific and thorough as possible when coaching small businesses on the requirements.
Cyber Readiness Checks
For DIB members pursuing a CMMC certification, Project Spectrum offers “Cyber Readiness Checks” — self-conducted manual checklists for assessing compliance with one of three standards: NIST SP 800-171, CMMC Level 1, and CMMC Level 2. Of course, since CMMC Level 2 is aligned with NIST SP 800-171, those two checklists are exactly the same, except that the NIST SP 800-171 checklist displays the SPRS score once completed and the CMMC Level 2 checklist displays a percent met. To its credit, and unlike other assessment tools we’ve seen, the Project Spectrum checklists operate not only from the controls themselves, but also from the associated assessment objectives outlined in NIST SP 800-171A. Assessing to the -171A objectives is a crucial aspect of NIST 800-171 and CMMC compliance.
Most controls within the checklists have a corresponding “tooltip” — essentially a generic interpretation of the control — as well as a short video summary. The videos are typically a few minutes in length and contain a computer-generated voice-over of generic content. You shouldn’t expect these videos to provide much context for any of the controls. While the checklists themselves are a nice, quick way to perform a rudimentary assessment, you’ll likely need to consult professionals directly if you need help interpreting any of the controls.
Useful Tools
Luckily, Project Spectrum also offers “Useful Tools”, a searchable table of CMMC-related technology and professional service providers. Provision type and price range are listed in the table, as are attributes such as “Ease of Use” and “Known Clients”. Totem Technologies is thankful to be listed as one of Project Spectrum’s Useful Tools.
Exploring Totem's CMMC resources that bolster Project Spectrum
Totem’s mission is to help small and micro DoD contractors remain part of the DIB. Given that we are a micro DoD contractor pursuing a CMMC certification ourselves, we share in many of the frustrations that come with this journey. We understand CMMC’s complexity, its verbosity, and its potential to push small and micro businesses out of the Defense Industrial Base. We appreciate that Project Spectrum has recognized this potential as well, and that it is taking action.
Totem Technologies aims to support the efforts of Project Spectrum by providing additional CMMC resources and training for the Defense Industrial Base. We achieve this goal by delivering hands-on workshops and training, security control assessments, technologies, and free tools and templates. Please see below for a description of each.
Workshops and training
Totem offers three workshops, two of which we are proud to have partnered with Govology to deliver:
Our DFARS/CMMC/NIST 800-171 Workshop is geared towards small and micro businesses pursuing a CMMC Level 2 certification. During this nine-week course, we get into the weeds of NIST 800-171 and meeting DFARS 252.204-7012 requirements, including building a System Security Plan (SSP) and Plan of Action & Milestones (POA&M). We discuss CUI protection strategies in depth and address small business struggles with CMMC.
Our SPRS Score Workshop is intended for those contractors that want help generating and submitting their Supplier Performance Risk System (SPRS) score. Whether you are in a pinch to submit the score or just want some help doing it, this 1.5-hour live course will benefit you.
Our Small Business Cybersecurity Essentials Workshop was created for all small businesses regardless of industry. Participants learn the fundamentals of a strong cybersecurity program within a small business environment. The five-week course covers the 10 most important cybersecurity safeguards according to our Totem Top 10™ methodology.
In addition to these workshops, Totem also offers customized user training. We’ll help you develop an IT Acceptable Use Policy (AUP) and train your staff on the policies, threats, and protections they need to be aware of to prevent an incident. If you’d like, we can also perform a phishing simulation to test your staff’s ability to spot and prevent an attack.
CMMC gap assessments
As you have ventured along your CMMC journey, you may have discovered that you want a little more help in preparing for a CMMC assessment. Totem offers a NIST 800-171/CMMC gap assessment, where we will assess your cybersecurity program against the NIST 800-171 requirements. We’ll help you identify deficiencies, build corrective action plans and policies (including your SSP and POA&M), and put together a game plan for CMMC.
Technologies
One of the greatest challenges small and micro businesses face with CMMC is a lack of affordable (and helpful) technologies. Totem has made it a priority to develop these technologies, which we are proud to offer at affordable rates to our small business DoD contracting peers. We offer two solutions at this time:
Our Totem™ Cybersecurity Compliance Management software is a lightweight, cloud-based tool that you can use to build and manage your System Security Plan (SSP), Plan of Action & Milestones (POA&M), and other documentation needed for CMMC compliance. The tool was built purposefully for those facing CMMC, which helps keep the price lower compared to other similar solutions. Those interested in Totem™ may request a free trial and/or a free demo on our Software page.
Our Zero Client™ as a Service (ZCaaS) offering is an affordable option for the smallest of the small DoD contractors to securely handle (process, store, and share) Controlled Unclassified Information (CUI). Micro-businesses can use the ZCaaS™ temporary “browser in the cloud” to transfer sensitive information from one cloud service to another without “contaminating” workstations. We call it a “zero client” because the organization’s on-premise or employee-owned (BYOD) workstations (desktop, laptops, mobile devices) simply act as clients to the cloud service and zero information is ever stored, processed, or transmitted on the workstations. ZCaaS™ is actually a package of three services:
- A non-persistent cloud-based Browser, with optional on-premise read-only Workstation appliances
- SafeShare™ secure file sharing and storage platform
- Totem™ Cybersecurity Compliance Management tool
Free tools and templates
Finally, in addition to these services, Totem Technologies has developed a wide variety of free resources and templates for our small business DIB peers. We learned the hard way that CMMC requires a heavy amount of paperwork, which is why we developed templates based on our own CMMC policies to reduce the burden of developing “artifacts” from scratch. Explore our Free Tools page, where you can download these templates for free, including our Incident Response Plan template, Separation of Duties matrix, System Inventory template, and more.
This wraps up our analysis of Project Spectrum and the CMMC-related resources it offers to the DIB. We compared these resources with our own offerings to determine how Project Spectrum and Totem can both be leveraged by small business DoD contractors pursuing a CMMC certification.
If you have questions about the blog, any of the offerings mentioned, or CMMC/cybersecurity in general, drop us a line! Or, better yet, grab a seat in our DFARS/CMMC Workshop. We’d love to have you join us!
Keep fighting the good fight!
–Nathan Cross, Cybersecurity Engineer