The Cybersecurity Maturity Model Certification (CMMC) is generating a lot of buzz in the commercial space because it impacts over 300,000 business owners. The CMMC has a total of five levels, and to date the primary levels under consideration are Maturity Level 1, which is defined as “Performed”, and Maturity Level 3, defined as “Managed”. Figure 1 illustrates each level and the progressive enhancements as you move up the pyramid.

Figure 1. CMMC Maturity Levels

In this article, I want to examine two practices. For clarity, the nomenclature utilized by the Department of Defense and the CMMC Accreditation Body (CYBER-AB) construes controls as “Practices”. Along these same lines, the terminology of “assessment” versus “audit” is also employed. Regardless, I have identified something I have not yet heard about in my spheres of influence and am asking for as much input as possible.

The two practices are AC.1.004, “Control information posted or processed on publicly accessible information systems”, and SC.3.193, “Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g. forums, LinkedIn, Facebook, Twitter)”.
According to the instructions issued by the DOD and the CYBER-AB, assessors are to determine whether the Organization Seeking Certification (OSC) [AKA the Government Contractor] has policies and procedures forbidding such scenarios from occurring.

There is apparently some level of consensus that this does not occur, because there is even a narrative in the instructions that it may not be applicable. While this is likely statistically true, how do we know?

We think our systems are in good shape because our IT person told us so, but OSCs are required to have vulnerability scans, etc. to validate the presumption. This comes back to Ms. Katie Arrington’s “Trust but Verify” model.

So what is the Government’s and/or the CYBER-AB’s plan to “verify” that CUI isn’t on publicly accessible domains at the hands of OSCs? Would it not stand to reason that our adversaries are looking for such details? Would it not stand to reason that we should also be deploying tools and techniques to identify the same targets of opportunity our adversaries want to exploit?
Recently I had a discussion with one of the CYBER-AB leaders, and there was consensus that such an issue makes sense to evaluate, but then the question becomes how… and then how to take the “how” to something that is scalable. I am interested to get feedback as to where my network “thinks” this responsibility should reside: with the AB, with the C3PAO, or with the US Government? Let me know.

Be safe!