With next year’s anticipated deadline for DoD contractors to comply with CMMC, many in the Defense Industrial Base are scrambling to understand how to comply, the tools they need, and how much it will cost them.
Big-picture, your customers will need to comply if they want to continue to do business with the DoD. And while it’s essential for them to know what they should do, it’s also important to remember what they shouldn’t do. Based on Egnyte’s experience working with firms that are tackling the CMMC 2.0 requirements, we’ve assembled the following list of common blockers that you and your clients will likely encounter.
1. Thinking “This Project Can Wait”
Many MSPs assume that CMMC compliance can be achieved in a short time period, because they (and/or their customers) already have cybersecurity policies and practices in place. However, the business reality is that even the most sophisticated organizations can take months to achieve and document their compliance efforts. This is because CMMC compliance is way more than an IT exercise or a quick technical fix. Detailed planning is required, often leading to add-on technological decisions, and that’s just the beginning. All employees need to be trained and new processes and procedures need to replace the old ones. Most importantly, the initiative can’t succeed without executive level engagement, which extends well beyond budgetary approvals.
2. Including Everything But the Kitchen Sink
Security engineers tend to be extremely inclusive when they define the scope of the infrastructure that could fall under CMMC. This is usually because they generally don’t know where all of their Controlled Unclassified Information (CUI) is housed. That can lead to the unnecessary inclusion of multiple repositories, including associated infrastructure and network capabilities like Identity and Access Management (IAM) services across numerous systems.
Likewise, engineers sometimes target a higher CMMC level than the company requires; for example, striving for CMMC Level 2 when Level 1 is sufficient for their Federal Contract Information (FCI) data. Similar to scoping the infrastructure too broadly, that approach multiplies cost, complexity, and resource requirements. Even if Level 2 compliance is necessary, it might be more practical and less disruptive to target Level 1 compliance prior to attempting Level 2 compliance.
Another scoping issue is not considering the impact of partners and supply chain participants on your CMMC compliance efforts. For example, unique specifications that you send to a supplier may contain CUI data. Therefore,your partner should be informed that they may also need to comply with CMMC requirements. At the very least, the information needs to be passed to supply chain partners in a secure manner, with employees trained on proper handling of the data.
3. Having an Incomplete SSP
According to the National Institute of Standards and Technology (NIST), the System Security Plan (SSP) “..describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems.” In other words, it is a formal, written plan that documents the infrastructure, associated risks and security controls that are in place to mitigate those risks. The SSP is where auditors begin their review. Auditors need to review complete documentation on the systems that are under the company’s control. Almost no small- or medium-sized company produces documentation to the depth and complexity that’s required by these auditors. And frequently, major components of the architecture are outsourced, and/or no formal documentation exists. which is why your clients need a comprehensive inventory of exactly what falls into CMMC’s scope.
4. Producing Too Little Documentation
When working through checklists, companies often don’t spend enough time documenting the details on key focus areas in their requirements. For example, logging should be documented to show not only that logs are collected, but also to reflect how often they are collected, how they are stored, and most importantly, how often they’re reviewed and analyzed. Likewise, access controls are often neglected in detailed documentation because they are complex and cross many different internal system boundaries.
Finally, many security engineers overlook documentation on key procedures, including details about the administrators who configure and monitor the company’s systems and users who manage its CUI data.
5. Becoming Complacent with CMMC Compliance
Many organizations work hard to achieve CMMC compliance, only to relax and become complacent when they’ve done so. CMMC requires ongoing executive engagement, technical reviews, controls monitoring and process improvement. The best way to achieve that is through tools and architecture which allow you to automate as much of your ongoing monitoring and maintenance as possible.
6. Viewing CMMC Compliance with a “Checklist Mentality”
CMMC compliance is not a one-time event. Users may require significant training, business culture may need to be modified, new processes and procedures may need to be implemented and the company’s workflows and technological decisions may need to change. Over time, your business will evolve, which ultimately impacts your risk profile and the size of your cyberattack surface. Meanwhile, new security risks will emerge, and cybersecurity solutions will evolve with them. Therefore, your SSP will need to be reviewed frequently and updated to meet the new risks. That’s why the DoD plans for CMMC audits to be performed on a routine basis rather than as one-off engagements.
Start Your CMMC Compliance Journey
Most organizations cannot navigate the CMMC compliance journey on their own. They often engage consultants and contractors to supplement their own internal expertise. They also work with industry groups and forums to understand standards and regulations. They may even combine efforts with partners to build compliant solutions. Importantly, Egnyte has deep expertise in the space, including conducting CMMC Workshops with customers to discuss their compliance journeys.
Join Egnyte’s CMMC Community: As such, Egnyte has assembled a CMMC Community of practitioners, security engineers, business leaders and thought leadership contacts, to encourage information exchange about CMMC. Egnyte provides educational documentation, solution details, discussion opportunities with industry experts, and other resources that enable community members to keep informed. For additional information on CMMC and to join the community now, click here.
Webinar Invite: If you are interested in getting ready for CMMC, we have an on-demand webinar where we cover:
- The basics of CMMC - who is impacted, what’s required, when are the deadlines;
- Pro tips to limit the scope of the auditable environment;
- What makes Egnyte’s “CMMC in a box solution” the most cost-effective and comprehensive solution for MSPs in the market today.
- Register here
Guest blog courtesy of Egnyte. Read more Egnyte guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.