Evaluating an organization’s ability to protect against, respond to, and recover from cyber threats.
Since September 2020, there have been several global supply chain attacks such as SolarWinds, Kaseya, NPM IconBurst, and Cyber Av3ngers Unitronics. Many of these incidents involved nation-state actors and resulted in significant disruptions and failures. In this threat landscape, the Department of Defense and critical infrastructure sectors have frequently and repeatedly come under attack, sustaining extensive damage. This damage includes: the theft of valuable technical data (a form of industrial espionage); the sabotage of control systems used in critical infrastructure, manufacturing, and weapon systems; the compromise of quality and assurance across various product types and categories; and the manipulation of software to enable unauthorized access to connected systems in order to undermine the integrity of system operations.
In May 2021, the White House issued Executive Order 14028, “Improving the Nation’s Cybersecurity”, which highlighted the need to enhance cybersecurity protections for both the federal government and the private sector. At the same time, to protect the Defense Industrial Base’s Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC) framework to review defense contractors’ compliance with NIST 800-171.
From the above regulations, it is clear that the U.S. Department of Defense (DoD) does not wish to conduct business with companies that may pose risks to them. To address cybersecurity risks, the DoD has implemented several Defense Federal Acquisition Regulation Supplement (DFARS) clauses and specific Supplier Performance Risk System (SPRS) reporting requirements, such as DFARS 252.204-7019.
The Supplier Performance Risk System (SPRS) is managed by the DoD to assess and manage company and supply chain risks. It evaluates suppliers based on project risk, price risk, and supplier risk. Supplier risk specifically pertains to adherence to cybersecurity standards outlined in DFARS clauses, ensuring that defense manufacturers and their supply chains comply with stringent cybersecurity requirements.
Additionally, there is a significant distinction between DFARS 252.204-7012 and DFARS 252.204-7021. Under DFARS 252.204-7012, compliance with NIST SP 800-171 does not require consistent validation. However, under the new DFARS 252.204-7021 regulation, CMMC compliance is now mandatory. In other words, the defense supply chain will use CMMC to validate the effective implementation of NIST SP 800-171 standards. This validation mechanism is divided into three levels (Level 1 – Level 3), as shown in Table 1 below.
If a company is involved in handling, transmitting, and storing Controlled Unclassified Information (CUI), it must undergo validation by an independent third-party assessor certified by the DoD. For Level 3, government-led assessments are required. Regardless of the organization’s size, even small and medium enterprises must meet the cybersecurity standard requirements.
Table 1: Choosing the Right Level for Your Organization
CMMC 2.0 Level | Type of Data | Assessment | Assessment Frequency |
Level 3 (Expert) | CUI (highest priority program with data critical to national security) | Government-led assessments | Every 3 years |
Level 2 (Advanced) | CUI (prioritized acquisitions with data critical to national security) | Third-party assessments (C3PAOs) | Every 3 years |
Level 1 (Foundational) | FCI (data not critical to national security) | Self-assessments | Every year |
The SPRS score is calculated based on a comprehensive assessment of organizational project risk, price risk, and supplier risk. Supply chain risk, in particular, involves factors such as cybersecurity maturity, risk management strategies, and ensuring supply chain resilience. Key elements considered in the scoring methodology include the implementation of robust cybersecurity controls, adherence to industry best practices, incident response capabilities, and overall supply chain resilience. By understanding these factors, contractors in the U.S. defense industry can effectively implement the NIST SP 800-171 framework (“Protecting Controlled Unclassified Information”), which is a set of security requirements for non-federal information systems and organizations, to improve their SPRS scores. There are two critical factors to consider when conducting a NIST 800-171 assessment: Assessment Scope and Assessment Methodology.
During a CMMC assessment, various asset categories fall within the assessment scope and must comply with relevant CMMC practices. These categories include:
The purpose of CMMC assessments is to ensure that organizations comply with specific cybersecurity standards, such as NIST 800-171 and CMMC-specific standards (e.g., NIST 800-172). CMMC is divided into three levels: Level 1 “Foundational”, Level 2 “Advanced”, and Level 3 “Expert”. Each level has distinct security objectives and guidelines.
Before conducting a Level 1 CMMC assessment, organizations need to identify which assets are within the assessment scope. Any assets that handle, store, or transmit Federal Contract Information (FCI) fall within this scope and must be evaluated according to Level 1 CMMC practices. This level applies to organizations that handle only FCI, including personnel, technology, facilities, and external service providers. Level 1 requires compliance with 17 basic security controls.
Level 2 applies to organizations handling Controlled Unclassified Information (CUI). This level requires more detailed documentation and a broader scope, encompassing all assets involved with CUI. For instance, contractors need to record these assets in an asset inventory and detail them in the System Security Plan (SSP). Additionally, for scope discussions before the assessment, contractors must provide network diagrams that include these assets. Level 2 demands stricter security measures and more comprehensive risk management practices, adhering to all NIST 800-171 assessment standards and the DoD scoring methodology. Depending on contract requirements, a C3PAO (Certified Third-Party Assessor Organization) certification assessment may also be necessary.
The Level 3 CMMC scope includes all assets that handle, store, or transmit CUI, or that could do so (intentionally or unintentionally), as well as all assets that provide security protection for those assets. These assets must comply with NIST 800-171 and NIST 800-172 control requirements. The Level 3 assessment scope also includes all specialized assets, but allows intermediary devices to be used so that specialized assets can meet one or more CMMC security requirements. These assets (or the applicable intermediary devices, in the case of specialized assets) will be comprehensively assessed against the CMMC security requirements. Out-of-scope assets are not considered in the assessment. Additionally, organizations must obtain Level 2 certification before undergoing a Level 3 assessment.
CMMC is a critical component in evaluating an organization’s ability to identify, protect, detect, respond to, and recover from cyber threats. This includes implementing security measures such as access control, data encryption, network monitoring, and incident response plans. Effective risk management practices, including risk assessment, mitigation strategies, and continuous monitoring, also contribute to achieving a good SPRS score.
On December 26, 2023, the final rule for the CMMC entered a 60-day public comment period. This stage allows the public to provide feedback and suggestions on the rule. After the comment period ends, the final rule is expected to be formally issued by late 2024 or early 2025. Once the rule is issued, companies should begin to anticipate seeing clear identifiers for FCI and CUI in bids and contracts. This will affect over 200,000 companies in the defense industrial base, requiring them to comply with the new security standards.
The implementation of CMMC certification is divided into five main phases:
TXOne’s solutions offer valuable assistance to customers in addressing a wide range of controls and sub-controls outlined in the CMMC Assessment Guide. This includes various NIST SP 800-171 domains such as:
Network segmentation: Segmenting the network mitigates risk and contains the spread of both malware and unintentional commands by separating your ICS network topology into different zones, minimizing production line downtime as well as accidental mishandling of operations. An OT solution should be able to implement segmentation immediately, without changing the OT network architecture or requiring costly network reconfigurations. OT-native solutions can establish protocol-driven policies, enabling them to regulate the types of commands that can be executed both entering and exiting the system, as well as among assets. TXOne’s Edge Series products can assist with network segmentation and segregation, dividing the network into distinct zones of control, even down to the cell level.
Vulnerability remediation: Virtual patching is especially important as many businesses still rely heavily on older legacy systems and equipment in the OT environment. TXOne’s Edge series of products allows you to integrate segmentation and virtual patching into the OT network without disrupting production.
Network monitoring: Clear visibility is crucial for strong ICS security. A centralized network monitoring and control solution such as TXOne’s EdgeOne can provide defense line management and clear visibility into all installed ICS assets, including their connectivity and security status, with real-time alerts and incident events. The ability to perform all node maintenance tasks from a centralized dashboard facilitates tasks such as managing and deploying different security policies or signature-based virtual patching, editing OT protocol trust lists, or performing deep analysis of Layer 2 to Layer 7 traffic by node group.
System & file scanning: TXOne Stellar includes support for malware scanning of network drives and removable media. By integrating this capability, all data accessed or transferred through network drives and removable media is meticulously scanned for malware, enhancing overall security and mitigating the risk of infection.
Advanced malicious code protection: TXOne Stellar uses advanced algorithms and analytics to identify any abnormal behavior within system operations. It detects deviations from expected patterns or behaviors in real-time, providing protection against fileless malware attacks.
Application execution policy: This cutting-edge feature ensures that only authorized operations and executions can take place, effectively preventing any unauthorized activities within the system. It ensures operational integrity, reduces downtime, and lowers recovery costs, which is particularly valuable for “unpatchable” systems.
Media protection: TXOne Stellar’s USB Vector Control feature blocks the use of unauthorized external storage media. It can also allow a select few external storage devices based on device identification parameters such as Vendor ID, Product ID, or Serial Number; this ensures that only authorized assets are permitted access.
Security inspection: One of the primary threats to the OT environment lies in external individuals, contractors, and assets. Therefore, it is crucial to audit new and foreign equipment before and during the time it is active on the production line, and even beyond the production line. Our Portable Inspector allows you to scan new devices entering the OT environment and detect which applications are installed on the asset and which network ports are open.
Secure OT data transferring: The Portable Inspector is also designed for secure data storage and transfer. It incorporates robust security features to protect stored data from unauthorized access or potential corruption. During data transfer, it scans files to verify their integrity, allowing only verified files to be stored in the Portable Inspector.
Comprehensive monitoring: Continuous monitoring of OT environments is crucial. Implementing SageOne can offer a multi-dimensional view of an organization’s cybersecurity posture through visual representations. It provides a holistic security perspective with granularity, including insights into protected and unprotected assets, asset health, anomaly detection, exposure levels, and asset lifecycle management.
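To make the protocol-driven zone policy described under network segmentation concrete, here is an added example (not TXOne code, and not how the Edge Series implements it) of a default-deny, zone-to-zone allowlist that inspects the Modbus/TCP function code before permitting a command into a PLC cell. The zone names, IP ranges, allowed function codes and sample frames are constructed for illustration.

```python
# Added example: zone-aware, protocol-level command allowlist (default deny).
# Zones, CIDRs and permitted function codes below are constructed assumptions.
import ipaddress
import struct

# Constructed zone map keyed by network.
ZONES = {
    ipaddress.ip_network("10.1.0.0/24"): "HMI",
    ipaddress.ip_network("10.2.0.0/24"): "ENGINEERING",
    ipaddress.ip_network("10.9.0.0/24"): "PLC_CELL_A",
}

# Allowed Modbus function codes per (source zone, destination zone).
# 3/4 = read registers; 6/16 = write registers. Any pair not listed is denied.
POLICY = {
    ("HMI", "PLC_CELL_A"): {3, 4},
    ("ENGINEERING", "PLC_CELL_A"): {3, 4, 6, 16},
}

def zone_of(ip):
    """Map an IP address to its zone name, or UNKNOWN if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def modbus_function_code(payload):
    """Return the function code of a Modbus/TCP ADU after validating the
    7-byte MBAP header (transaction id, protocol id, length, unit id)."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    return payload[7]

def evaluate(src_ip, dst_ip, payload):
    """Decide ('allow'|'deny', reason) for one request; malformed frames are denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    try:
        fc = modbus_function_code(payload)
    except ValueError as exc:
        return "deny", f"{src}->{dst}: {exc}"
    if fc in POLICY.get((src, dst), set()):
        return "allow", f"{src}->{dst}: function code {fc} permitted"
    return "deny", f"{src}->{dst}: function code {fc} not in allowlist"

# Constructed frames: Write Single Register (FC 6) and Read Holding Registers (FC 3).
WRITE_REQ = bytes.fromhex("0001" "0000" "0006" "01" "06" "0010" "00ff")
READ_REQ = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "000a")
```

With this policy an HMI host may read but not write to the PLC cell, an engineering workstation may do both, and traffic with no matching zone pair or a malformed header is dropped.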
With the introduction of the CMMC 2.0 framework, companies in the Defense Industrial Base (DIB) face new cybersecurity challenges. CMMC 2.0 features three levels of certification, but most contracts involving CUI will likely only require Level 2 certification, with only a few contracts necessitating the more stringent Level 3 incremental assessments. Level 1 certification requires only self-attestation, designed to help smaller DIB organizations begin their security fortification process. The DoD recommends that organizations continue using NIST 800-171 control measures to implement CMMC.
TXOne Networks’ OT-native security solutions help companies identify and address vulnerabilities in their cybersecurity posture, implement the necessary OT security controls, and establish robust programs that comply with CMMC framework requirements. This not only ensures the security of OT systems but also enhances competitiveness within the defense industry by enabling organizations to consistently meet stringent OT security standards and protect sensitive information and systems.