By Kevin J. Slonka, Principal IT Security Consultant, CMMC Assessor
In today's economy, it seems that every business sector has its own set of cyber security requirements (e.g., HIPAA for healthcare, CMMC for DoD contractors, PCI DSS for credit card payments). These requirement documents are often written in a "legal" language and style unfamiliar to the technical employees responsible for their implementation. This article, using the CMMC set of requirements as an example, gives practical examples of how to interpret the requirement language and ensure your organization is on the right path to passing your cyber security assessment.
The first key item is knowing how many requirements documents are to be used. Some cyber frameworks are presented in multiple documents, and missing any of them could lead to a failing score. CMMC, for example, requires companies to implement the 110 requirements in NIST Special Publication 800-171. Having that document alone is only the tip of the iceberg. Hidden within 800-171 is a reference to a second document, NIST SP 800-171A, which makes clear that even though there are 110 requirements to implement, 320 separate assessment objectives must be met in order to pass an assessment (one requirement typically has many objectives within it).
Without the “a” document, you don’t have the necessary detail to know what needs to be implemented. Other frameworks are in a similar situation. HIPAA, for example, lists its requirements directly in the federal law (45 CFR Part 160, Part 164 Subparts A & C) but NIST also has Special Publication 800-66 that gives technical staff much more detail on the requirements. Be sure to gather all required documents or risk implementing your security incorrectly.
Many companies also struggle with determining what part of their network is in scope. Some companies think that if they have 100 computers, but only 10 of them are meant to process sensitive data, they only need to implement their respective cyber framework on those 10 computers. That is incorrect. The term that arises here is "enclave." If the company can put those 10 computers in an enclave, then they are correct in only securing those 10 computers. The definition of "enclave," however, is difficult to implement. An enclave is a segmented part of your network that is “walled off” from the rest of your network. This means that those 10 computers can’t talk to your corporate Active Directory environment, file server, email server, etc. You can’t get your email on those 10 computers, because that would break the segmentation, allowing data transfer from the secure segment to the insecure segment. Once companies understand the full extent of operating a segmented network, they realize how difficult (and usually expensive) it can be.
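One way to check whether an "enclave" really is walled off is to evaluate the firewall allow-list against the out-of-scope services the enclave must not reach. The following is an added example written for this article, not code from CTC or from any framework document. The segments, addresses, services and rules are constructed for illustration (a real check would read the exported policy from your firewall), and first-match semantics with an implicit default deny are assumed.

```python
"""Verify enclave segmentation by simulating a firewall policy.

Added example; all addresses, segments, services and rules are constructed
for illustration and assume first-match rule evaluation with default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, 0 = any port
    action: str   # "allow" or "deny"


# Constructed enclave hosts (the "10 computers" that process sensitive data).
ENCLAVE_HOSTS = ["10.50.0.11", "10.50.0.12"]

# Constructed corporate services that must NOT be reachable from the enclave.
CORPORATE_SERVICES = {
    "active_directory": ("10.10.1.5", 389),
    "file_server": ("10.10.2.10", 445),
    "email": ("10.10.3.20", 25),
}

# A policy that looks segmented but is not: the enclave may talk to all of corporate.
LEAKY_RULES = [
    Rule("10.50.0.0/24", "10.10.0.0/16", 0, "allow"),
    Rule("10.50.0.0/24", "0.0.0.0/0", 443, "allow"),
]

# A policy that actually walls the enclave off: explicit deny to corporate,
# only outbound HTTPS elsewhere, everything else falls to default deny.
SEGMENTED_RULES = [
    Rule("10.50.0.0/24", "10.10.0.0/16", 0, "deny"),
    Rule("10.50.0.0/24", "0.0.0.0/0", 443, "allow"),
]


def first_match(rules, src, dst, port):
    """Return the action of the first rule matching the flow, or 'deny' if none does."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (0, port):
            return r.action
    return "deny"


def enclave_violations(rules, enclave_hosts, services):
    """Names of out-of-scope services that at least one enclave host can reach."""
    reachable = set()
    for host in enclave_hosts:
        for name, (ip, port) in services.items():
            if first_match(rules, host, ip, port) == "allow":
                reachable.add(name)
    return sorted(reachable)


if __name__ == "__main__":
    for label, rules in (("leaky", LEAKY_RULES), ("segmented", SEGMENTED_RULES)):
        bad = enclave_violations(rules, ENCLAVE_HOSTS, CORPORATE_SERVICES)
        print(f"{label}: {'segmentation broken: ' + ', '.join(bad) if bad else 'enclave isolated'}")
```

The leaky policy reports Active Directory, the file server and email as reachable, which is exactly the situation the article describes: those ten computers would be joined to the corporate domain and fetching mail, so the whole network is in scope. The segmented policy reports nothing reachable. Note that this only tests the rules you feed it; routes, VLAN misconfigurations and return-traffic rules still need checking separately.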
In addition to the above “big picture” items, many of the individual security requirements can be difficult to understand. Take, for instance, controls that require disconnecting user sessions and disconnecting network sessions. Do you understand the difference? The former speaks of logging out users (from their computer, website, etc.) after a defined condition, such as a timeout. The latter speaks of terminating network sessions, such as VPN connections.
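The difference between the two controls is easiest to see as two separate timers acting on two separate objects. The following added example (written for this article, not taken from CTC or from NIST) models a user-session idle timeout, which logs the user out, alongside a network-session limit, which tears down the VPN connection after inactivity, after a maximum lifetime, or when the user's session has ended. The session records, timestamps and limits are constructed; a real implementation would read them from the application and the VPN concentrator.

```python
"""User-session timeout versus network-session termination.

Added example with constructed sessions and limits. The two functions map
onto the two controls the article contrasts: log the user out after a defined
condition (idle), and terminate the network connection after inactivity or at
the end of the session.
"""
from dataclasses import dataclass


@dataclass
class UserSession:
    user: str
    last_activity: int   # epoch seconds of last keyboard/mouse/request activity
    active: bool = True


@dataclass
class NetworkSession:
    user: str
    established: int     # epoch seconds when the VPN tunnel came up
    last_packet: int     # epoch seconds of last traffic on the tunnel
    connected: bool = True


USER_IDLE_LIMIT = 15 * 60         # log out after 15 minutes without user input
NET_IDLE_LIMIT = 30 * 60          # drop the tunnel after 30 minutes without traffic
NET_MAX_LIFETIME = 12 * 60 * 60   # drop the tunnel after 12 hours regardless


def expire_user_sessions(sessions, now):
    """Log out users whose session has been idle past the limit; return their names."""
    ended = []
    for s in sessions:
        if s.active and now - s.last_activity >= USER_IDLE_LIMIT:
            s.active = False
            ended.append(s.user)
    return ended


def terminate_network_sessions(sessions, active_users, now):
    """Tear down tunnels that hit the lifetime or idle limit, or whose user session ended.

    Returns a dict of user -> reason for every tunnel terminated in this pass.
    """
    terminated = {}
    for n in sessions:
        if not n.connected:
            continue
        if now - n.established >= NET_MAX_LIFETIME:
            reason = "max lifetime"
        elif now - n.last_packet >= NET_IDLE_LIMIT:
            reason = "idle"
        elif n.user not in active_users:
            reason = "user session ended"
        else:
            continue
        n.connected = False
        terminated[n.user] = reason
    return terminated


def run_example(now=100_000):
    """Constructed scenario: returns (users logged out, tunnels terminated with reasons)."""
    users = [
        UserSession("alice", now - 100),      # recently active
        UserSession("bob", now - 2000),       # idle beyond 15 minutes
        UserSession("carol", now - 10),
        UserSession("dave", now - 10),
    ]
    tunnels = [
        NetworkSession("alice", now - 50_000, now - 10),   # long-lived? no, 50k s < 12 h
        NetworkSession("bob", now - 3000, now - 100),      # traffic flowing, but user logged out
        NetworkSession("carol", now - 50_000, now - 10),   # see note below
        NetworkSession("dave", now - 5000, now - 2000),    # no traffic for > 30 minutes
    ]
    ended = expire_user_sessions(users, now)
    active = {u.user for u in users if u.active}
    terminated = terminate_network_sessions(tunnels, active, now)
    return ended, terminated


if __name__ == "__main__":
    print(run_example())
```

Note that 50,000 seconds is just under 14 hours, so both alice's and carol's tunnels exceed the 12-hour lifetime and are terminated for that reason; bob's tunnel is dropped because his user session ended, and dave's because it was idle. The point is that satisfying one control says nothing about the other: a web application that logs users out after 15 minutes does not terminate their VPN, and a VPN with a 12-hour lifetime does not log anyone out of the workstation.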
Some controls mention mobile devices or portable media. Many people think mobile devices are simply phones, tablets, etc. Aren’t laptops devices that are mobile? Any requirements imposed on mobile devices must be imposed on laptops. Simply saying you don’t allow people to use their personal phones for work purposes doesn’t get you out of these requirements. Portable media is a different category again. Media is the key word here, meaning portable items that can store data (e.g., USB sticks, removable hard drives, CD-ROMs, etc.). Many companies try to skirt these requirements by having a written policy saying that employees are not to store sensitive data on portable media. That isn’t good enough. What are you doing, technically, to ensure employees don’t use portable media? Does your EDR software block USB storage devices? Do employees need to have IT enable such functionality if they have a business case?
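A written policy is a statement of intent; the assessor wants to see enforcement and evidence. The following added example (written for this article, not code from CTC or from any EDR vendor) shows the evidence side: it runs over device-connection events and reports every removable-storage connection that is not covered by an IT-approved business-case exception. The event lines are constructed in a simplified JSON format, not the real schema of any product (Windows records comparable events as Security log ID 6416, "A new external device was recognized by the system"); the device classes, hosts, users and exception list are likewise constructed.

```python
"""Flag removable-media use that has no approved business-case exception.

Added example. The events below are constructed in a simplified JSON format;
device classes, hosts, users and the exception list are also constructed.
"""
import json

# Constructed device-connection events, one JSON object per line. Note that
# LAPTOP-07 is included deliberately: laptops are mobile devices and in scope.
RAW_EVENTS = """
{"ts": "2024-03-04T09:12:01", "host": "LAPTOP-07", "user": "jdoe", "class": "USBSTOR", "device_id": "SanDisk Cruzer SN4C530001", "action": "connected"}
{"ts": "2024-03-04T09:15:44", "host": "WS-12", "user": "msmith", "class": "USBSTOR", "device_id": "Kingston DataTraveler SN0017", "action": "connected"}
{"ts": "2024-03-04T09:20:10", "host": "LAPTOP-07", "user": "jdoe", "class": "HIDClass", "device_id": "Logitech Keyboard K120", "action": "connected"}
{"ts": "2024-03-04T10:02:37", "host": "WS-30", "user": "rlee", "class": "WPD", "device_id": "Android Phone MTP SN88A1", "action": "connected"}
{"ts": "2024-03-04T10:05:00", "host": "WS-30", "user": "rlee", "class": "WPD", "device_id": "Android Phone MTP SN88A1", "action": "disconnected"}
"""

# Device classes that can carry data and therefore count as portable media.
# Keyboards, mice and similar classes are not media and are ignored.
STORAGE_CLASSES = {"USBSTOR", "WPD", "CDROM"}

# Constructed exception register: (user, device_id) pairs IT has enabled for a
# documented business case. Anything else is a policy violation.
APPROVED_EXCEPTIONS = {
    ("msmith", "Kingston DataTraveler SN0017"),
}


def parse_events(raw):
    """Parse one JSON object per non-empty line; malformed lines are skipped and counted."""
    events, malformed = [], 0
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def removable_media_violations(events, approved):
    """Return (user, host, device_id, ts) for each unapproved storage-device connection."""
    violations = []
    for e in events:
        if e.get("action") != "connected":
            continue
        if e.get("class") not in STORAGE_CLASSES:
            continue
        key = (e.get("user"), e.get("device_id"))
        if key in approved:
            continue
        violations.append((e["user"], e["host"], e["device_id"], e["ts"]))
    return violations


def summarize_by_user(violations):
    """Count violations per user, which is what a manager conversation usually starts with."""
    counts = {}
    for user, _host, _dev, _ts in violations:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    evts, bad = parse_events(RAW_EVENTS)
    found = removable_media_violations(evts, APPROVED_EXCEPTIONS)
    for v in found:
        print("VIOLATION user=%s host=%s device=%r at %s" % v)
    print("per-user:", summarize_by_user(found), "malformed lines:", bad)
```

Two things are worth noticing. The phone connected over MTP is flagged even though it is not a "USB stick", because it exposes storage; and the approved Kingston drive is not flagged, which is the audit trail for "employees need IT to enable such functionality if they have a business case". If your EDR or group policy blocks removable storage outright, the same report should come back empty, and that empty report is itself evidence.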
There are many more instances of confusion in the various cyber security frameworks. CTC has free, grant-funded services to assist Pennsylvania companies. Reach out at https://www.ctc.com/pa-cybersecurity or pa-cybersecurity@ctc.com.