Securing The Supply Chain: CMMC Essentials For Defense Contractors In OT Cybersecurity

Since September 2020, there have been several global supply chain attacks such as SolarWinds, Kaseya, NPM IconBurst, and Cyber Av3ngers Unitronics. Many of these incidents involved nation-state actors and resulted in significant disruptions and failures. In this threat landscape, the Department of Defense and critical infrastructure sectors have frequently and repeatedly come under attack, sustaining extensive damage. This damage includes: the theft of valuable technical data (a form of industrial espionage); the sabotage of control systems used in critical infrastructure, manufacturing, and weapon systems; the compromise of quality and assurance across various product types and categories; and the manipulation of software to enable unauthorized access to connected systems in order to undermine the integrity of system operations.

In May 2021, the White House issued Executive Order 14028, “Improving the Nation’s Cybersecurity”, which highlighted the need to enhance cybersecurity protections for both the federal government and the private sector. At the same time, to protect the Defense Industrial Base’s Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) framework to review defense contractors’ compliance with NIST 800-171.

Understanding SPRS score and CMMC

From the above regulations, it is clear that the U.S. Department of Defense (DoD) does not wish to conduct business with companies that may pose risks to them. To address cybersecurity risks, the DoD has implemented several Defense Federal Acquisition Regulation Supplement (DFARS) clauses and specific Supplier Performance Risk System (SPRS) reporting requirements, such as DFARS 252.204-7019.

The Supplier Performance Risk System (SPRS) is managed by the DoD to assess and manage company and supply chain risks. It evaluates suppliers based on project risk, price risk, and supplier risk. Supplier risk specifically pertains to adherence to cybersecurity standards outlined in DFARS clauses, ensuring that defense manufacturers and their supply chains comply with stringent cybersecurity requirements.

• DFARS 252.204-7012 states that “the Contractor shall provide adequate security on all covered contractor information systems”, and details what constitutes adequate security, including compliance with NIST SP 800-171 (110 controls).
• DFARS 252.204-7019, newly added in 2020, requires contractors to conduct a self-assessment based on the DoD assessment methodology for NIST SP 800-171 and report the assessment score to the Supplier Performance Risk System (SPRS) database.
• DFARS 252.204-7020, also introduced in 2020, aims to increase enforcement of DFARS 7012 requirements by ensuring that contractors and subcontractors meet the necessary cybersecurity standards.
• DFARS 252.204-7021, published in January 2024, serves as the mechanism for incorporating CMMC requirements into defense contracts.

Additionally, there is a significant distinction between DFARS 252.204-7012 and DFARS 252.204-7021. Under DFARS 252.204-7012, compliance with NIST SP 800-171 does not require consistent validation. However, under the new DFARS 252.204-7021 regulation, CMMC compliance is now mandatory. In other words, the defense supply chain will use CMMC to validate the effective implementation of NIST SP 800-171 standards. This validation mechanism is divided into three levels (Level 1 – Level 3), as shown in Table 1 below.

If a company is involved in handling, transmitting, and storing Controlled Unclassified Information (CUI), it must undergo validation by an independent third-party assessor certified by the DoD. For Level 3, government-led assessments are required. Regardless of the organization’s size, even small and medium enterprises must meet the cybersecurity standard requirements.

Table 1: Choosing the Right Level for Your Organization

Achieving CMMC compliance: The necessity of including OT assets in the protection plan

The SPRS score is calculated based on a comprehensive assessment of organizational project risk, price risk, and supplier risk. Supply chain risk, in particular, involves factors such as cybersecurity maturity, risk management strategies, and ensuring supply chain resilience. Key elements considered in the scoring methodology include the implementation of robust cybersecurity controls, adherence to industry best practices, incident response capabilities, and overall supply chain resilience. By understanding these factors, contractors in the U.S. defense industry can effectively implement the NIST SP 800-171 framework (“Protecting Controlled Unclassified Information”), which is a set of security requirements for non-federal information systems and organizations, to improve their SPRS scores. There are two critical factors to consider when conducting a NIST 800-171 assessment: Assessment Scope and Assessment Methodology.

Assessment scope: CMMC asset categories

During a CMMC assessment, various asset categories fall within the assessment scope and must comply with relevant CMMC practices. These categories include:

• FCI Assets: Assets that handle, store, or transmit FCI, which is non-confidential information used in federal contracting. Despite its non-confidential nature, protecting FCI is essential. Assets must ensure FCI security and adhere to relevant security policies.
• CUI Assets: Assets that handle, store, or transmit CUI. When an asset handles CUI, it means it can access, input, edit, generate, manipulate, or print this information. Assets that store CUI are those that hold CUI at rest, whether in electronic media, system component memory, or as physical documents. Assets that transmit CUI involve transferring CUI from one asset to another, either physically or digitally.
• Security Protection Assets: Assets that provide security functions or capabilities within the contractor’s CMMC assessment scope. Identifying these security protection assets is a key part of determining the CMMC assessment scope. These assets must comply with relevant CMMC practices regardless of their physical or logical location. For example, an external service provider (ESP) that offers security information and event management (SIEM) services, even if logically separated and not handling CUI, still contributes to meeting CMMC practice requirements.
• Contractor Risk Managed Assets: These assets have the capability to handle, store, or transmit CUI, but due to existing security policies, procedures, and practices, they are not designed to do so. This means these assets do not need to be physically or logically separated from CUI assets. However, they are still part of the CMMC assessment scope, managed according to the contractor’s risk management information security policies, procedures, and practices, without needing to comply with CMMC practices.
• Specialized Assets: These assets are specifically documented in a CMMC Level 2 assessment and include government property, Internet of Things (IoT) and Industrial Internet of Things (IIoT), Operational Technology (OT) devices, restricted information systems, and testing equipment. These specialized assets are part of the CMMC assessment scope. Contractors must document these assets in the System Security Plan (SSP) and detail how they are managed according to risk management information security policies, procedures, and practices.
  1. Government Property: All property owned or leased by the government, including materials, equipment, special tools, testing equipment, and real property provided by the government or purchased by the contractor. This does not include intellectual property or software.
  2. IoT and IIoT: Interconnected devices with physical or virtual representation in the digital world, capable of sensing, executing, and programmable functions with unique identifiers. Examples include smart grids, lighting, HVAC systems, and fire and smoke detectors.
  3. OT Devices: Used primarily in manufacturing systems, Industrial Control Systems (ICS), or Supervisory Control and Data Acquisition (SCADA) systems. These devices may include Programmable Logic Controllers (PLCs), Computer Numerical Control (CNC) machines, and robotic controllers.
  4. Restricted Information Systems: Systems configured based on government requirements, supporting contract needs, such as on-site systems, legacy systems, and duplicates of product deliveries.
  5. Testing Equipment: Hardware and related IT components used for testing products, system components, and contract deliverables, such as oscilloscopes, spectrum analyzers, and power meters.
• Documentation and Management: These specialized assets must comply with CMMC practices and be recorded in the contractor’s asset inventory. They should be detailed in the SSP, explaining how they are managed according to the contractor’s risk management security policies, procedures, and practices. These assets must also be marked on network diagrams to show their management and protection measures within the CMMC assessment scope.
• Out of Scope Assets: These assets cannot handle, store, or transmit CUI because they are physically or logically separated from CUI assets or inherently lack such capabilities. Since these assets do not handle CUI, they are not within the CMMC assessment scope and do not need to participate in the CMMC assessment.

Assessment methodology

The purpose of CMMC assessments is to ensure that organizations comply with specific cybersecurity standards, such as NIST 800-171 and CMMC-specific standards (e.g., NIST 800-172). CMMC is divided into three levels: Level 1 “Foundational”, Level 2 “Advanced”, and Level 3 “Expert”. Each level has distinct security objectives and guidelines.

Level 1: Foundational Scope

Before conducting a Level 1 CMMC assessment, organizations need to identify which assets are within the assessment scope. Any assets that handle, store, or transmit Federal Contract Information (FCI) fall within this scope and must be evaluated according to Level 1 CMMC practices. This level applies to organizations that handle only FCI, including personnel, technology, facilities, and external service providers. Level 1 requires compliance with 17 basic security controls.

Level 2: Advanced Scope

Level 2 applies to organizations handling Controlled Unclassified Information (CUI). This level requires more detailed documentation and a broader scope, encompassing all assets involved with CUI. For instance, contractors need to record these assets in an asset inventory and detail them in the System Security Plan (SSP). Additionally, for scope discussions before the assessment, contractors must provide network diagrams that include these assets. Level 2 demands stricter security measures and more comprehensive risk management practices, adhering to all NIST 800-171 assessment standards and the DoD scoring methodology. Depending on contract requirements, a C3PAO (Certified Third-Party Assessor Organization) certification assessment may also be necessary.

Level 3: Expert Scope

The Level 3 CMMC scope includes all assets that can (intentionally or unintentionally) or actually handle, store, or transmit CUI, as well as all assets providing security protection for these assets. These assets must comply with NIST 800-171 and NIST 800-172 control requirements. The Level 3 assessment scope also includes all specialized assets but allows for relay devices to enable specialized assets to meet one or more CMMC security requirements. These assets (or applicable relay devices in the case of specialized assets) will be comprehensively assessed against CMMC security requirements. Out of Scope assets are not considered in the assessment. Additionally, organizations must obtain Level 2 certification before conducting a Level 3 assessment.

Key components of CMMC assessments

CMMC is a critical component in evaluating an organization’s ability to identify, protect, detect, respond to, and recover from cyber threats. This includes implementing security measures such as access control, data encryption, network monitoring, and incident response plans. Effective risk management practices, including risk assessment, mitigation strategies, and continuous monitoring, also contribute to achieving a good SPRS score.

Implementation timeline and phases for CMMC certification

On December 26, 2023, the final rule for the CMMC entered a 60-day public comment period. This stage allows the public to provide feedback and suggestions on the rule. After the comment period ends, the final rule is expected to be formally issued by late 2024 or early 2025. Once the rule is issued, companies should begin to anticipate seeing clear identifiers for FCI and CUI in bids and contracts. This will affect over 200,000 companies in the defense industrial base, requiring them to comply with the new security standards.

The implementation of CMMC certification is divided into five main phases:

• 2024: A detailed 6 to 18-month preparation phase begins to ensure readiness for certification.
• March 2025: Phase I starts with 6 months of self-assessments for Level 1 (L1) and Level 2 (L2) certifications.
• September 2025: Phase II initiates a 12-month implementation of Level 2 (L2) certification.
• September 2026: Phase III focuses on a 12-month implementation of Level 3 (L3) certification.
• September 2027: Phase IV achieves full implementation of the CMMC program.

How to secure OT assets to comply with CMMC

TXOne’s solutions offer valuable assistance to customers in addressing a wide range of controls and sub controls outlined in the CMMC Assessment Guide. This includes various NIST SP 800-171 domains such as:

Network segmentation: Segmenting the network mitigates risk and contains the spread of both malware and unintentional commands by separating your ICS network topology into different zones, minimizing production line downtime as well as accidental mishandling of operations. An OT solution should be able to implement segmentation immediately, without changing the OT network architecture or requiring costly network reconfigurations. OT-native solutions can establish protocol-driven policies, enabling them to regulate the types of commands that can be executed both entering and exiting the system, as well as among assets. TXOne’s Edge Series products can assist with network segmentation and segregation, dividing the network into distinct zones of control, even down to the cell level.

Vulnerability remediation: Virtual patching is especially important as many businesses still rely heavily on older legacy systems and equipment in the OT environment. TXOne’s Edge series of products allows you to integrate segmentation and virtual patching into the OT network without disrupting production.

Network monitoring: Clear visibility is crucial for strong ICS security. A centralized network monitoring and control solution such as TXOne’s EdgeOne can provide defense line management and clear visibility into all installed ICS assets, including their connectivity and security status, with real-time alerts and incident events. The ability to perform all node maintenance tasks from a centralized dashboard facilitates tasks such as managing and deploying different security policies or signature-based virtual patching, editing OT protocol trust lists, or deeply analyzing L2-L7 networks by node group.

System & file scanning: TXOne Stellar includes support for malware scanning of network drives and removable media. By integrating this capability, all data accessed or transferred through network drives and removable media is meticulously scanned for malware, enhancing overall security and mitigating the risk of infection.

Advanced malicious code protection: TXOne Stellar uses advanced algorithms and analytics to identify any abnormal behavior within system operations. It detects deviations from expected patterns or behaviors in real-time, providing protection against fileless malware attacks.

Application execution policy: This cutting-edge feature ensures that only authorized operations and executions can take place, effectively preventing any unauthorized activities within the system. It ensures operational integrity, reduces downtime, and lowers recovery costs, which is particularly valuable for “unpatchable” systems.

Media protection: TXOne Stellar’s USB Vector Control feature blocks the use of unauthorized external storage media. It can also allow a select few external storage devices based on device identification parameters such as Vendor ID, Product ID, or Serial Number; this ensures that only authorized assets are permitted access.

Security inspection: One of the primary threats to the OT environment lies in external individuals, contractors, and assets. Therefore, it is crucial to audit new and foreign equipment before and during the time they are active in the production line, and even beyond the production line. Our Portable Inspector allows you to scan new devices entering the OT environment and detect what apps are installed on the asset and what internet ports are opened on the network.

Secure OT data transferring: The Portable Inspector is also designed for secure data storage and transfer. It incorporates robust security features to protect stored data from unauthorized access or potential corruption. During data transfer, it scans files to verify their integrity, allowing only verified files to be stored in the Portable Inspector.

Comprehensive monitoring: Continuous monitoring of OT environments is crucial. Implementing SageOne can offer a multi-dimensional view of an organization’s cybersecurity posture through visual representations. It provides a holistic security perspective with granularity, including insights into protected and unprotected assets, asset health, anomaly detection, exposure levels, and asset lifecycle management.

Conclusion

With the introduction of the CMMC 2.0 framework, companies in the Defense Industrial Base (DIB) face new cybersecurity challenges. CMMC 2.0 features three levels of certification, but most contracts involving CUI will likely only require Level 2 certification, with only a few contracts necessitating the more stringent Level 3 incremental assessments. Level 1 certification requires only self-attestation, designed to help smaller DIB organizations begin their security fortification process. The DoD recommends that organizations continue using NIST 800-171 control measures to implement CMMC.

TXOne Network’s OT-native security solutions help companies identify and address vulnerabilities in their cybersecurity posture, implement necessary OT security controls, and establish robust programs that comply with CMMC framework requirements. This not only ensures the security of OT systems but also enhances competitiveness within the defense industry by enabling organizations to consistently meet stringent OT security standards and protect sensitive information and systems.