Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders. Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in National Institute for Science and Technology (NIST) Special Publication (SP) 800-171 as well as additional practices from other standards and references to mitigate threats. It is noted that Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.
“Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
Types of CUI are included in the CUI registry located here. For defense contractors that require level 3, you will likely process Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear propulsion Information, or Unclassified Controlled Nuclear Information. You may also process Export Controlled Information or Export Controlled Research. The definition of each of these is out of scope for this article but you will want to be familiar with the type of information that you will be processing.
Unlike classified information that has a Security Classification Guide (SCG), CUI does not have a guide as to which data is CUI; the Government Contracting Officer (KO) may refer you to the Program Manager or tell you to use your best judgment. Once fully implemented DoDI 5200.48 “Controlled Unclassified Information” will require each agency to mark their information with CUI markings.
The NIST SP 800-171 is the catalog of security controls (or requirements) required, for which CMMC is based upon. These controls are grouped into a family of similar controls based on what process they impact. One key consideration is that the controls are only applicable to the systems that process CUI. If you’ve segregated your networks between commercial and government customers then you need only focus on the government segment. Below are the families and their impact on your organization. Rather than repeating the control requirements, we’re going to discuss what we believe are high-level impacts on your infrastructure. Obviously this is not meant to override or even supplement the language in the CMMC docs, but rather give you an executive overview of what we believe to be significant impacts to you and your business.
Rather than iterate through each of the controls, we’ll just call out the most impactful controls. There are some computer user account controls that deal with separating duties, preventing admin access, terminating sessions, authorizing remote execution of admin controls, and protecting wireless access. These are all fairly easy to implement on most networks and your Managed Service Provider (MSP) or IT Staff should be able to implement without much trouble.
You’ll need to implement a mobile device management tool and ensure all devices are authorized prior to connecting to your systems as well as encrypting all mobile devices. Some older devices don’t support this requirement very well so you may have to upgrade your devices.
There is only one control and it’s the first time we’ve seen this family as we progress through the levels. This control requires that you define procedures for handling CUI.
In addition to the training in Level 2 you’ll need to add insider threat training to your training schedule for all employees who access CUI.
The major impact of this control family is the implementation of a Security Event and Information Management (SEIM) tool and the assignment of a security professional to manage and monitor the SEIM. A SEIM basically collects all of your audit data from network devices and computers, filters out false positives, and gives the security professional the ability to identify potentially malicious actions on your system.
For level 3 your Configuration Management plan must extend even further into controlling the software and connections to external systems. Further restrictions on which software can be installed are implemented that basically require administrator access to install any software that’s already approved for use.
The major impact here is implementing multi factor authentication for admin access. If you’re running a non-traditional network this could prove to be a bit difficult; however if you’re running a typical Windows server/client network this should be fairly easy.
Your Incident Response capability is further enhanced by tracking, documenting, and reporting to external officials. The other control here requires that you test your Incident Response capability periodically.
Level 3 adds two controls that simply require that you sanitize equipment before it is moved off-site for maintenance. An often overlooked piece of equipment that requires sanitization is your printer; any storage of past documents would need to be cleared out of the buffer.
The second control requires that you check any diagnostic media or test programs for malicious code prior to introducing them into your information system. This is a check that your run with your antivirus software.
Media must be marked as containing CUI with an identifiable owner as well as encrypted on any portable storage devices. Positive control must be maintained while transporting portable media outside of your facility.
Only one additional control is added for the Physical Protection control family and that is to ensure that safeguarding measures for CUI at alternate work sites (employees home office) are equivalent. The additional guidance lists control items such as patch and vulnerability management for remote computers (laptops) and secure VPN connectivity back to the office network.
Risk Management for level 3 requires that you periodically perform risk assessments, implement risk mitigation plans, and manage software/hardware for end-of-life support. This basically requires that you implement a continuous monitoring program that ensures you are keeping up-to-date with your security and fixing any weaknesses that you identify.
We combined them simply because they are tiny controls with not much impact. You will need to backup your data and you will need to have CUI handling procedures. The CUI procedures seem to be a retelling of your SSP and may even be acceptable to be just your SSP and the policies that go with it. This control doesn’t come from NIST SP 800-171 and is unique to the CMMC and its definition is much less fleshed out.
There are several controls within this family where most are firewall and system-level configuration items dealing with cryptography. The two most impactful controls are encrypting CUI at rest, meaning any storage device that contains CUI should be encrypted. Windows uses BitLocker, Mac and Linux have similar products for whole disk encryption. The other major impact control is to control and manage Voice of Internet Protocol (VOIP); these are your more modern telephone devices. While there’s not much guidance from CMMC on what controls need to be in place with VOIP they do say that you need to secure your VOIP with “all required security settings in compliance with the company’s policies and security standards”.
One of the more difficult to implement controls is the employment of architectural designs, software development techniques, and systems engineering principles. As you are designing your information systems and software that will process CUI you will need to employ engineering processes for design, development, and testing.
Lastly, you must implement a policy that restricts the publishing of CUI on publicly facing web sites including your corporate website or any social media. This policy should provide for a review by department representatives who can determine which CUI the company processes and identify any CUI that might be posted, prior to publication.
Level 3 for System and Information Integrity brings about more complex email system requirements. Your email provider will need to implement spam protection, email forgery protection, and use a sandbox technology to detect malicious emails. Depending on your email provider this may be as easy as checking a box or as difficult as buying a new appliance to handle these new requirements.
For any enterprise software that handles CUI you will need to employ a security assessment. This security assessment requires you to review your source code and architecture for security vulnerabilities and defects.