CMMC 2.0: What to Expect and How to Secure FCI and CUI Now

Jan 8, 2024

Post updated on January 8, 2024.

The Cybersecurity Maturity Model Certification (CMMC) is a new security requirement for U.S. Department of Defense (DoD) contractors in the defense industrial base (DIB) to combat cyber threats aimed at the supply chain. CMMC sets cybersecurity and data protection standards, certifications and assessment requirements as a condition of a DoD contract award to safeguard government intellectual property and sensitive information. DoD first announced in November 2021 that it was abandoning and revamping the original CMMC requirements. On December 26, 2023, the much-anticipated CMMC Proposed Rule for CMMC 2.0 was released, replacing the original five-level model with a simplified three-level model.

The new CMMC model aims to measure and certify the cybersecurity practices of Defense Industrial Base (DIB) contractors and subcontractors to ensure they follow best practices for protecting sensitive information on their networks, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC 2.0 revisions aim to make it easier for small and medium-sized enterprises (SMEs) to comply with the mandates.


The primary purpose of CMMC is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with and handled by contractors and subcontractors of the DoD on non-federal contractor information systems.

The DoD defines FCI and CUI as follows:

Federal Contract Information (FCI) – “FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”

Controlled Unclassified Information (CUI) – “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

If you are a government contractor or subcontractor that processes, stores or transmits FCI or CUI, you will need to adhere to the new CMMC 2.0 guidelines to compete for DoD contracts and solicitations.


The Proposed Rule outlines three independent levels and requirements for contractors and subcontractors. In addition to certification, a new affirmation requirement requires a senior official from the prime contractor and any subcontractor to affirm continuing compliance with the security requirements annually:

  • CMMC Level 1:
    • 15 basic safeguarding requirements
    • Annual self-assessment and affirmation that the organization has implemented all applicable basic safeguarding requirements in 48 CFR 52.204-21 (FAR Clause 3)
  • CMMC Level 2:
    • 110 requirements aligned with NIST SP 800-171
    • Triennial third-party assessments and annual affirmation
    • Triennial self-assessment and annual affirmation for select programs
  • CMMC Level 3:
    • 110+ requirements based on NIST SP 800-171 and NIST SP 800-172
    • Triennial government-led assessment and annual affirmation

Four-Phase Rollout of CMMC 2

The CMMC Final Rule is expected sometime in the fall of 2024. Once issued, it will have a four-phase rollout for solicitations and contracts over three years for all DoD contractors and subcontractors. It’s expected that CMMC requirements will be part of all solicitations for contracts involving CUI or FCI by Oct. 1, 2026, and some contracts even sooner.

  • Phase One (effective when the final CMMC rule is issued): Contractors must conform to CMMC Level 1 self-assessment or Level 2 self-assessment requirements for contracts involving FCI and CUI.
  • Phase Two (6 months after Phase One): Level 2 Certification Assessments will start and will be added to all applicable solicitations and contracts. CMMC Level 3 certification assessment requirements could be required for applicable solicitations and contracts.
  • Phase Three (one year after Phase Two): CMMC Level 3 Certification Assessment requirements will begin for all applicable contracts. Contractors will have to report their assessment results.
  • Phase Four (one year after the start of Phase Three): CMMC program requirements will be included by DoD in all applicable solicitations and contracts, including option periods for those awards made prior to Phase 4.

It’s expected to take two years for companies to become CMMC-certified. Now is the time to start the process if you haven’t already.


The key focus of CMMC is to prevent the loss of intellectual property and sensitive information that could threaten national security or military advantage. Insider threats are a big part of the problem CMMC aims to address. However, solving the problems posed by insider threats to protect DoD-sensitive data, including CUI and FCI, requires a different information security approach. Insider threats range from simple human negligence, such as sharing CUI with an unauthorized party, to malicious employee actions, such as nation-state espionage or data theft for personal gain.

Traditional information security is designed to focus predominantly on outside threats like hackers or unauthorized user access, and that is no longer enough. SIEMs, SOARs and other solutions are reactive and don’t do anything to prevent the initial loss of data; they are focused on the attacker’s actions and not on the data.

Simply repurposing tools designed to detect external threats is not enough to provide the necessary level of proactive data security required to combat internal threats, which are more challenging to detect and can take longer to identify, even with these tools in place. They also do not address the data tagging and protection required to safeguard sensitive data.

There is also a fundamental flaw with most existing security software solutions and with many security policies making data more vulnerable: the login process is not robust enough to guarantee that the logged-in user is who they say they are, with no attribution at the user level. If someone logs in with stolen credentials, they can use the access and privileges of the compromised account to navigate systems and data, stealing as they go. In this case, the security lies within the permissions of the logged-in user only, not a combination of user and content privileges.

Extending Zero Trust to information security provides a solution.


Systems designed using Zero Trust principles are better positioned to address threats and comply with the NIST SP 800-171 requirements underpinning CMMC. Simply put, the Zero Trust model has one basic principle: trust nothing – validate everything.

Transitioning to this new security architecture will require careful planning to avoid weakening the security posture along the way and will continually evolve. Providers migrating to this Zero Trust environment must understand that it will require continuous verification of the operational picture via real-time information. In addition, Zero Trust architectures generally focus on user-to-network, user-to-device, or user-to-application access and are not necessarily focused on the data.


This new Zero Trust security model enforces least-privileged access for each and every access request. An “allow” or “deny” model alone is insufficient to meet Zero Trust data security needs. Access must also be restricted using different levels of control (access, read-only rights, encryption, DLP, redaction, UI trimming). Unfortunately, many Zero Trust solutions focus on the network and the application, not on the data behind them.

A data-centric ‘Zero Trust’ approach is a far more effective methodology to ensure data, which is the main target, remains secure. A data-centric Zero Trust approach does not automatically trust any user inside or outside your perimeters or applications. Instead, you must verify anyone trying to access an individual data file before granting them access to it – each and every time.

Attribute-based access control (ABAC) is a methodology that evaluates attributes (or characteristics of data and users) rather than roles to determine access and usage rights. It uses a data-centric security approach that assesses each file’s attributes, including security classification and permissions, and user attributes such as security clearance, time of day, location, and device to determine who can access, edit and download files.

ABAC makes a data-centric Zero Trust approach possible by providing granular, real-time control over access to information: it evaluates all of these parameters at the time of each request to determine whether the user should be given access to the requested information. If the user scenario does not match or appears suspicious, access is denied, or a restricted view of the data is provided.

For example, suppose an authenticated user is trying to access a sensitive file they own. It is outside of business hours, and they are using a BYOD device in another country. In that case, file access will be denied – effectively thwarting a hacker using stolen credentials.
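The following sketch shows how such an attribute-based decision can be evaluated per request, returning allow, a restricted read-only view, or deny. It is an added example, not code from NC Protect or archTIS; the label ordering, business hours, allowed countries and the rule that one soft mismatch yields read-only are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed sensitivity ordering and policy values, constructed for illustration.
LEVELS = {"PUBLIC": 0, "FCI": 1, "CUI": 2}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
ALLOWED_COUNTRIES = {"US"}

@dataclass(frozen=True)
class Resource:
    label: str   # classification tag on the file
    owner: str   # recorded, but ownership alone never grants access

@dataclass(frozen=True)
class Request:
    user: str
    clearance: str
    local_time: time
    country: str
    managed_device: bool  # False for a BYOD device

def decide(req: Request, res: Resource):
    """Return (decision, reasons); decision is allow, read_only or deny."""
    need, have = LEVELS.get(res.label), LEVELS.get(req.clearance)
    if need is None or have is None:
        return "deny", ["unknown label or clearance"]  # fail closed
    if have < need:
        return "deny", ["clearance below file classification"]
    if need == 0:
        return "allow", []
    hard, soft = [], []
    if req.country not in ALLOWED_COUNTRIES:
        hard.append("location outside allowed countries")
    if not req.managed_device:
        soft.append("unmanaged (BYOD) device")
    if not BUSINESS_HOURS[0] <= req.local_time < BUSINESS_HOURS[1]:
        soft.append("outside business hours")
    if hard or len(soft) > 1:
        return "deny", hard + soft
    if soft:
        return "read_only", soft  # restricted view instead of full access
    return "allow", []

CUI_FILE = Resource(label="CUI", owner="alice")
# The scenario above: the owner, after hours, on BYOD, in another country.
STOLEN_SESSION = Request("alice", "CUI", time(23, 30), "FR", False)
# Same user during business hours on a managed device (constructed sample).
NORMAL_SESSION = Request("alice", "CUI", time(10, 0), "US", True)
```

Returning the list of reasons alongside the decision gives the audit trail something concrete to record for every denied or restricted request.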


NC Protect from archTIS provides capabilities for easily adding ABAC to Microsoft 365, GCC and GCC High, SharePoint on-premises, and File Shares. It’s a complementary product that Microsoft Security has recognized as a Privacy & Compliance Trailblazer Finalist. It allows enterprises to enhance their existing Microsoft environment with ABAC policies to dynamically control data access, usage, and sharing with fine-grain precision to comply with CMMC, NIST, and ITAR requirements and more.

NC Protect policies offer more than just access control. They can also provide file-level protection, such as encryption, secure-read-only access, user-based watermarks, and more. Policies can also control with whom information can be shared – all in real time – using dynamic attribute-based access and data protection policies. These policies automatically adapt to changes in user context and content changes, meaning that a user’s access and usage rights can alter depending on their location at any given time. The product also includes a scanning and classification tool to aid in classification and attribute management.

Using a solution like NC Protect that utilizes dynamic ABAC policies has many benefits and affords granular data security to ensure compliance with CMMC and other information security requirements. It also ensures operational security by providing a seamless way to deliver and share information securely with multinational coalition partners.

Some of the capabilities NC Protect offers for CMMC compliance include:

  • Scans to find FCI, CUI and other sensitive content in your repositories.
  • Adds metadata tagging based on the contents of the document scan.
  • Attribute-based access control (ABAC) policies evaluate data, environmental, and user attributes combined with defined policies to determine appropriate access, usage, and sharing rights.
  • Leverage Microsoft sensitivity labels and classifications from other tools (Janusseal, Titus, etc.) in access and protection policies.
  • Limits overprivileged admin access that is the default in Microsoft applications.
  • CUI and FCI can be automatically encrypted at rest or in transit.
  • Conditional policies can limit access and usage rights on mobile devices.
  • Apply CUI visual markings to documents, CAD files, PDFs, images and more.
  • A complete audit trail of all document access and usage is logged and can be ported to Microsoft Sentinel or Splunk for upstream actions and analysis.

This level of granular ABAC-enabled, real-time control is the key to extending the Zero Trust methodology to the data layer. Each time a user tries to access information, all of these attributes are checked against policies to determine whether the user can access a file and what they can do with it at that moment in time.

NC Protect’s Zero Trust ABAC-enabled policies help address and dynamically enforce the Access Control (AC), System and Information Integrity (SI), Communication Protection (SC), and Auditing and Accountability (AU) requirements in NIST SP 800-171 that form the backbone of CMMC Levels 2 and 3, and those included in Level 1.

Read this White Paper to understand the challenges of implementing mandated FCI and CUI requirements to meet CMMC, SP 800-171, and the Zero Trust mandate. Ready to talk? Contact us to discuss how NC Protect can help you more easily meet your Microsoft application data access, protection, and auditing requirements for CMMC compliance.
