The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for DoD contractors in the defense industrial base (DIB) that sets cybersecurity protection standards as a condition of a DoD contract award. In November 2021, the DoD announced it is revamping the original CMMC requirements with version 2.0. It replaces the original five-level model with a streamlined three-level model to measure and certify the cybersecurity practices of DIB contractors. The CMMC 2.0 revisions are meant to ensure contractors follow best practices for protecting sensitive information on their networks, while also making it easier for SMEs to comply with the mandates.
What are FCI and CUI?
The main purpose of CMMC is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with and handled by contractors and subcontractors of the DoD on non-federal contractor information systems.
The DoD defines FCI and CUI as follows:
Federal Contract Information (FCI) – “FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
Controlled Unclassified Information (CUI) – “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
If you handle FCI or CUI you will need to adhere to the new CMMC 2.0 guidelines to ensure you meet the requirements as laid out below.
CMMC 2.0 Maturity Levels
While the details of CMMC 2.0 are still being finalized, the outlined levels and requirements according to the OUSD will be fairly similar to CMMC 1.0, with differences in the assessment requirements to make compliance easier:
- Level 1 Foundational (same as previous Level 1):
17 practices with an annual self-assessment.
- Level 2 Advanced (same as previous Level 2):
100 practices aligned with NIST SP 800-171 with triennial third-party assessments for critical national security information. Annual self-assessment for select programs.
- Level 3 Expert (similar to previous Level 5):
110+ practices based on NIST SP 800-172 with triennial government-led assessments.
Once the new regulation is implemented, the required CMMC level for contractors and sub-contractors will be specified in the solicitation and in Requests for Information (RFIs). In the meantime, CMMC piloting efforts have been suspended until CMMC 2.0 is put in place.
Protecting Defense and Supply Chain Data from Insider Threats
The new operational environment being developed and tailored for the DoD Cyber Domain significantly impacts all other Defense Domains. These rely heavily on secure cloud, intranets (SIPRNet/NIPRNet), collaboration portals and COTS-based network technologies, services and applications to serve the needs of defense and Coalition partners and to provide tactical communication across the battlespace, from Battle Command systems and weapons platforms down to the individual soldier.
There are additional moves to implement multi-domain operations and environments, which will further impact various “Cyber AORs,” including the Air Force Information Environment (AFIE), the Enterprise Battle Management Command and Control Systems, JADC2 (Joint All-Domain Command and Control) and manned/unmanned (UAS/UAV/UUV) assets, as well as how and what information will be shared in a multi-coalition environment.
There has also been a lot of discussion and interest in permitting unclassified users to use the SECRET High Tactical Internet to access unclassified computers connected to the commercial Internet. This capability is of particular importance to certain users, who typically use unclassified applications and data, and need to communicate in a split-based mode with large computer systems. This will inherently create even greater operational cyber risks and an even greater need for not only Zero Trust network solutions, but a way to extend this same level of control to all applications and data access across private and public networks.
Solving the problems posed by insider threats, and protecting sensitive data including CUI and FCI, requires a different information security approach. Traditional information security focuses predominantly on outside threats such as hackers or unauthorized user access, and is no longer enough. SIEMs, SOARs and similar solutions are reactive and do nothing to prevent the initial loss of data—they are focused on the actions of the attacker, not on the data. Re-purposing tools created to detect threats from outside does not provide the level of proactive data security and metadata tagging required to counter threats that come from the inside, which are harder and slower to detect even with these tools in place. Extending Zero Trust to information security provides a solution.
There is a fundamental flaw in most existing security software solutions and in many security policies that makes data more vulnerable: the login process is not robust enough to guarantee that the logged-in user is who they say they are, and there is no attribution at the user level. So, if someone logs in with stolen credentials, they can use the access and privileges of the compromised account to navigate systems and data, stealing as they go. In this case, security rests on the permissions of the logged-in user alone, not on a combination of user and content privileges.
Zero Trust 101
Systems designed using Zero Trust principles should, if done properly, be better positioned to address existing threats. Simply put, the Zero Trust model has one basic principle: trust nothing – validate everything.
Transitioning to this new reference architecture will require careful planning to avoid weakening the security posture along the way, and the architecture will continually evolve. Providers migrating to a Zero Trust environment need to understand that it requires continuous verification of the operational picture via real-time information. In addition, Zero Trust architectures generally focus on user-to-network, user-to-device or user-to-application access, and are not necessarily focused on the data.
A Data-Centric Zero Trust Model
This new Zero Trust security model allows the concept of least-privileged access to be applied to every access decision, allowing or denying access to resources. A model that is just “allow” or “deny” will not be sufficient to meet Zero Trust needs. Access must also be restricted using different levels of control (secure reader, encrypt to audience, DLP, redaction, trimming). Remember that the Zero Trust players bringing their solutions still do not focus on the data; they focus on the network and the application, not the data that sits behind them.
A data-centric Zero Trust approach is a far more effective methodology for ensuring that data, which is the main target, remains secure. A data-centric Zero Trust approach does not automatically trust any user inside or outside your perimeters or applications; instead, anyone trying to access an individual data file must be verified before being granted access to it – each and every time.
Attribute-based access control (ABAC) is a methodology that evaluates attributes (characteristics of data and/or users), rather than roles, to determine access and usage rights. It uses a data-centric security approach that evaluates each file’s attributes, including security classification and permissions, as well as user attributes such as security clearance, time of day, location and device, to determine who is able to access, edit and download files.
ABAC makes data-centric Zero Trust possible by providing granular, real-time control over access to information: security is adjusted in real time to determine whether the user should be given access to the requested information – based on all of these parameters – at that point in time. If the user scenario does not match, or appears suspicious, then access is denied or a restricted view of the data is provided.
For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied – effectively thwarting a hacker using stolen credentials.
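The scenario above, worked through as a small ABAC policy evaluator. This is an added illustration, not code from archTIS or NC Protect; the classification ordering, the business-hours window and the three risk signals (off-hours, BYOD device, request from outside the home country) are assumptions chosen to match the example in the text, and the decision ignores file ownership, so the owner of a CUI file is still denied in that scenario.

```python
from dataclasses import dataclass
from datetime import datetime
import json

# Constructed classification ordering for this example (not an official DoD scheme).
LEVELS = {"PUBLIC": 0, "FCI": 1, "CUI": 2}

@dataclass(frozen=True)
class FileAttrs:
    name: str
    classification: str   # "PUBLIC", "FCI" or "CUI"
    owner: str

@dataclass(frozen=True)
class UserContext:
    user: str
    clearance: str        # highest classification the user may read
    device_managed: bool  # False means a BYOD device
    country: str          # country the request originates from
    home_country: str     # where the user's organisation operates
    when: str             # local request time, ISO 8601 (e.g. "2022-03-15T23:30")

def evaluate(f: FileAttrs, u: UserContext) -> dict:
    """Decide one request: "allow" (view/edit/download), "restricted" (view only) or "deny"."""
    if LEVELS.get(u.clearance, -1) < LEVELS.get(f.classification, 99):
        return {"decision": "deny", "rights": [], "reasons": ["clearance below classification"]}
    t = datetime.fromisoformat(u.when)
    reasons = []
    if t.weekday() >= 5 or not 8 <= t.hour < 18:
        reasons.append("outside business hours")
    if not u.device_managed:
        reasons.append("unmanaged (BYOD) device")
    if u.country != u.home_country:
        reasons.append("request from outside home country")
    # The page's scenario: all three signals together are denied, even for the file's owner.
    if len(reasons) == 3:
        return {"decision": "deny", "rights": [], "reasons": reasons}
    if f.classification == "PUBLIC" or not reasons:
        return {"decision": "allow", "rights": ["view", "edit", "download"], "reasons": reasons}
    # A single risk signal on FCI/CUI degrades access to a restricted, view-only copy.
    return {"decision": "restricted", "rights": ["view"], "reasons": reasons}

def audit_record(f: FileAttrs, u: UserContext) -> str:
    """One JSON line per decision, the kind of record forwarded to a SIEM for analysis."""
    d = evaluate(f, u)
    return json.dumps({"ts": u.when, "user": u.user, "file": f.name,
                       "classification": f.classification, **d})
```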
Enforce Key CMMC 2.0 Requirements in Microsoft Applications with ABAC
The NC Protect solution from archTIS provides dynamic data-centric security that leverages ABAC policies to automatically find, classify and secure unstructured data on-premises, in the Cloud and in hybrid environments. NC Protect dynamically adjusts data access and protection based on real-time comparison of data and user attributes to make sure that users view, use, and share files according to your agency’s regulations and policies to comply with CMMC, NIST and ITAR requirements, and more.
NC Protect is fully integrated with Microsoft 365 apps including SharePoint (Online and On-premises), Teams, Yammer, OneDrive and Exchange, as well as Nutanix Files, Dropbox and Windows file shares, to centrally secure your collaboration in accordance with CMMC requirements. For organizations that leverage Microsoft 365 and SharePoint On-Premises, including DIB, Federal and DoD environments, using a solution like NC Protect that utilizes ABAC policies has many benefits and affords granular data security to ensure compliance not only with CMMC but with any other regulation that has information security requirements. It also ensures operational security by delivering a seamless solution to deliver and share information securely with multinational coalition partners.
- Scans for FCI, CUI and/or other sensitive content and adds metadata tags to the documents, or can leverage MIP sensitivity labels.
- Evaluates data, environmental and user attributes against defined policies to determine appropriate access, usage and sharing rights.
- A complete audit trail of all document access is logged and can be ported to Azure Sentinel or Splunk for upstream actions and analysis.
This level of granular, real-time control is the key to extending the Zero Trust methodology to the data layer. Each time a user tries to access information, all of these attributes are checked against policies to determine whether the user can access the file and what they can do with it at that moment in time, based on all of the parameters.
Grab a copy of our new white paper to understand the challenges of implementing mandated best practices for the handling of FCI and CUI to meet CMMC, NIST, the Zero Trust mandate and other regulatory requirements. Ready to talk? Contact us to discuss how we can help you meet information access, protection and auditing requirements in CMMC and more.
Learn More in this new white paper
CMMC 2.0: Jumpstart FCI & CUI Protection with Data-centric Zero Trust