As many companies in the satellite industry support the Department of Defense, virtually all will require some level of Cybersecurity Maturity Model Certification (CMMC). CMMC is a unified security standard and a certification process developed by the U.S. Department of Defense (DoD) to further protect critical information.
For DoD, this means increased protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). CMMC is a critical component of heightened security, as all prime and sub-contractors doing business with the DoD will be required to achieve a specific CMMC certification level as a prerequisite to new contract awards. To better understand the implications of CMMC and how it will impact DoD procurement, specifically in the satellite sector, we had a conversation with Justin Padilla and Cole French from Kratos. The company is one of the leading satellite ground systems providers and is currently in the vanguard of virtualizing satellite ground systems with an offering it has named “Open Space.” Kratos has an extensive cybersecurity offering and was one of the first companies to be authorized as a CMMC Third Party Assessment Organization, referred to as a C3PAO.
Please explain what a C3PAO accomplishes.
Certainly — a C3PAO is an organization that has undergone its own CMMC assessment and employs assessors who are authorized to conduct CMMC certification assessments. A key component of the CMMC certification process is a detailed assessment of your current technology, processes, and documentation of evidence against the security practices and processes required by CMMC. Only Authorized C3PAOs, of which Kratos was one of the first, are permitted to conduct CMMC assessments.
How does this process start?
Once Kratos engages with an organization seeking certification, we begin Phase 1 by gathering a detailed understanding of the environment. We work closely with the customer to lay out an assessment plan and evaluate the readiness of the organization to ensure a higher likelihood of successfully passing the certification. Following Phase 1, there are three additional phases: Assessment, Results Reporting and, if needed, Remediation.
Why is this a new requirement?
In the past few years, DoD has grappled with the low rate of NIST 800-171 (a government security standard that was specifically created to address confidentiality concerns for federal data that resides on non-federal information systems and organizations) compliance across the Defense Industrial Base (DIB). CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs.
Let’s talk about how organizations can get ready for an assessment — what does this assessment include and how should one best prepare for it?
The organization should first begin by identifying the CMMC level they are looking to achieve and the scope of the environment.
Scope — what does that refer to?
This is where an organization makes the determination of whether to include their entire organization or a specific enclave that only includes specific assets that process, store, transmit, or protect FCI or CUI within the environment. Once that determination is made, you have your CMMC Boundary.
Why would an organization select the entire organization versus a specific enclave?
There are pluses and minuses to both and various factors that can come into play, such as size of the organization, the ratio of commercial vs government work and whether the organization is decentralized or centrally managed from an IT and security perspective. Cost is another factor many organizations are concerned about and that is driven by the scope, CMMC level and level of effort.
Please explain more about certification levels, how many are there and what differentiates them?
There are five levels of certification. In order, they are: Basic, Intermediate, Good, Proactive and Advanced. The CMMC level requirements will be determined by the type and sensitivity of information that a prime or subcontractor is privy to and defined in the DoD solicitation. It is anticipated that when CMMC requirements are seen in contracts, the company will likely fall into a Level 1, which is only FCI, Level 3, which is CUI, or a Level 5, which is anticipated to be CUI that is directly related to technology for military or space application.
Back to the scoping discussion, or boundary. Is the certification level part of the requirement analysis?
That’s a key part of it. There have to be scoping discussions, so all understand what is actually being considered. Then, from there, the assessment requirements are defined, which will correspond with the target certification level.
Who defines the assessment requirements?
The DoD publishes the assessment guides that define the security practice and process requirements. Working with the C3PAO, the lead assessor will identify the type of objective evidence needed to satisfy a security practice. The assessors and organization will work collaboratively to ensure that the requirements are met and that evidence exists to demonstrate repeatable, sustainable, and mature implementation of the practices and processes.
Objective evidence was mentioned… what is that?
Objective evidence can come in three forms and can be collected in three different ways: 1) documentation examination, 2) interview, and 3) test (or demonstration). Say an organization provides their access control policy. That, in and of itself, is a piece of objective evidence and would fall under examination. The C3PAO will also conduct interviews with the organization and document their responses. If additional evidence is needed, the C3PAO can request that an organization perform a certain action or provide evidence of that action being performed. Witnessing performance of that action, or the evidence provided in response to such a request, would fall under test (or demonstration).
How long does the assessment usually take?
Depending on the complexity of the assessment, Kratos estimates that most assessments will be completed in four to six weeks from beginning to end. But a lot will depend on a number of variables, including the desired CMMC level, the size of the environment and whether any remediation is required following the assessment.
Please explain more about gap assessments or readiness assessments.
The company views gap assessments and readiness assessments somewhat differently. Gap assessments should be performed toward the beginning of the company’s CMMC journey in order for any compliance gaps to be noted, to identify solutions and then formulate a roadmap for compliance. A gap assessment should be performed by an advisor or consultant and not by the C3PAO assessor, as the intent is to identify gaps as well as identify solutions to those gaps.
The readiness assessment is a gut check and is best performed by the C3PAO that is going to be managing the assessment. This is like a pre-assessment that gets the C3PAO familiar with the environment and also allows them to identify any security practice failures in order for the organization to remediate them before the actual certification assessment itself. The catch here is that the C3PAO cannot offer advice — they can only identify whether a security practice passes or fails and why it failed.
What occurs if a company fails the assessment?
CMMC doesn’t allow any failed security practices in an assessment. If one fails, the entire assessment fails. However, if the number of failures is 10 percent or less of the total number of security practices evaluated, the company has an opportunity to correct the failures and reassess those specific practices. They have 90 days to resubmit the updated report — that equates to roughly 75 days to remediate those findings and then about a 15-day period to reassess whatever remediation they implemented.
What should companies do to prepare themselves so that when CMMC assessments begin they can feel confident that they will pass?
As mentioned earlier, the boundary is integral to determining the certification scope, cost and level of effort. Additionally, organizations that process, store, transmit, and protect CUI and FCI will need to meet CMMC Level 3 as a minimum standard. Out of the 130+ security practices included in a Level 3 certification, we have found the following operational areas to be among the most difficult and time-consuming, but addressing them ahead of time will greatly facilitate the assessment process. If not already implemented, these will require the longest lead time and/or changes to the organization’s security culture.
What are those?
First is vulnerability scanning and remediation: Prior to assessment, vulnerability scans should be conducted on all operating systems, databases and applications and remediation plans, if required, should be established.
Multi-factor authentication (MFA) is another. If companies don’t already have MFA for all privileged and non-privileged access to the environment, accompanied by regularly scheduled reviews of access privileges, they need to implement it.
Encryption is another key consideration. The satellite engineers may not be familiar with these cryptographic modules, but the security team will be. Specifically, FIPS 140-2 cryptographic modules need to be in place wherever data is processed, stored, or transmitted.
CUI marking and handling is another important pre-assessment consideration. Establish guidelines and procedures to ensure that CUI is marked and handled in accordance with CMMC and contractual requirements.
Thank you for providing readers with some insights to CMMC and how to prepare for it. Is there anything you wish to add?