Cybersecurity Maturity Model Certification (CMMC) Levels
The CMMC model has five defined levels, each with a set of supporting practices and processes, illustrated in Figure 2. Practices range from Level 1 (basic cyber hygiene) to Level 5 (advanced/progressive). In parallel, processes range from being performed at Level 1, to being documented at Level 2, to being optimized across the organization at Level 5. To meet a specific CMMC level, an organization must meet the practices and processes within that level and all levels below it.
Each of the levels is described in more detail below.
Level 1
CMMC Level 1 focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 CFR 52.204-21. The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certified organizations. Not every domain within CMMC has Level 1 practices. At both this level and Level 2, organizations may be provided with federal contract information (FCI). FCI is information not intended for public release; it is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, and it does not include information provided by the Government to the public. While practices are expected to be performed, process maturity is not addressed at CMMC Level 1; a CMMC Level 1 organization may therefore have limited or inconsistent cybersecurity maturity processes.
Level 2
CMMC Level 2 focuses on intermediate cyber hygiene, creating a maturity-based progression for organizations to step from Level 1 to Level 3. This more advanced set of practices gives an organization greater ability to both protect and sustain its assets against more cyber threats than at Level 1. CMMC Level 2 also introduces the process maturity dimension of the model: at this level, an organization is expected to establish and document standard operating procedures, policies, and strategic plans to guide the implementation of its cybersecurity program.
Level 3
An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 3. CMMC Level 3 indicates a basic ability to protect and sustain an organization’s assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs). Note that organizations subject to DFARS clause 252.204-7012 will have to meet additional requirements such as incident reporting. For process maturity, a CMMC Level 3 organization is expected to adequately resource activities and review adherence to policy and procedures, demonstrating management of practice implementation.
Level 4
At CMMC Level 4, an organization has a substantial and proactive cybersecurity program. The organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs. For process maturity, a CMMC Level 4 organization is expected to review and document activities for effectiveness and inform high-level management of any issues.
Level 5
At CMMC Level 5, an organization has an advanced or progressive cybersecurity program with a demonstrated ability to optimize its cybersecurity capabilities in an effort to repel APTs. For process maturity, a CMMC Level 5 organization is expected to ensure that process implementation has been standardized across the organization.
Understanding Cybersecurity Maturity Model Certification (CMMC)
By: Kellep Charles and Adrian Williams
So, if you haven't heard of or are not familiar with the Cybersecurity Maturity Model Certification (CMMC), don't worry; we are here to explain it all to you.
The CMMC is a certification procedure developed by the Department of Defense (DoD) to certify that contractors have the controls in place to protect sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC model consolidates best practices from several cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one cohesive cybersecurity standard. The model is organized into seventeen (17) domains, listed below:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Security
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
 
The CMMC contains five levels, ranging from basic hygiene controls to state-of-the-art controls, but unlike NIST 800-171, the CMMC will not contain a self-assessment component. Every organization that plans to do business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.
The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides in the Department’s industry partners’ networks. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. The initial implementation of the CMMC will only be within the DoD, but we predict this will be expanded to the Federal sector at some point as well.
So, how can we obtain the CMMC for our organization?
As stated, there is no self-certification. Your organization will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule a CMMC assessment. Your company will specify the level of certification requested based on its specific business requirements, and will be awarded certification at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity to the satisfaction of the assessor and certifier. Once your certification has been obtained, the level will be made public; however, details regarding specific findings will not be publicly available. The DoD will only see your certification level.
Why is it important?
Existing measures have failed the U.S.; the Chinese J-31 aircraft, which is very similar to the American F-35 Joint Strike Fighter, is a prime example. The question is not whether U.S. adversaries have become better innovators, but rather whether they have become better thieves. NIST 800-171 relies on organizations to self-assess their posture and then report their compliance. Self-assessments cannot be truly trusted, thus a new approach is needed.
In addition, compliance does not mean you are secure, and it never will. Compliance requires only achieving a level of implementation and making sure items are in place. For example, putting a lock on a door may satisfy a compliance requirement, but it is the type of lock and the type of door that determine how well the item behind them is actually safeguarded. To address these shortcomings, and to protect information, CUI, and national security, the CMMC is a welcome and needed mechanism.
September Is Insider Threat Awareness Month
“Detect, Deter, Mitigate.”
That’s the theme of a new government program designating September as Insider Threat Awareness month. With it, SecurityOrb.com joins our colleagues in government, industry, and education to promote awareness of this critical threat to the nation and your organization. Beginning next week, we will be making weekly posts on our social media pages on this topic to help us all stay vigilant in our security awareness and in protecting the data entrusted to us.
Anyone can wittingly or unwittingly become an insider threat, and all organizations are vulnerable. Insider incidents damage national security, risk lives and cause the loss of classified information and profit. They can also result in trade secret theft, fraud, and sabotage that can significantly damage an organization’s business and reputation.
Look for the first of our weekly messages this September.
Cyber Safety for Students: The Back to School Edition
As the summer break comes to an end, many students will be returning to school with mobile devices such as smartphones, smart watches, tablets, and laptops. Although these devices are a great aid in helping students complete assignments and projects as well as stay in touch with family and friends, there are numerous risks associated with using them. The goal is to help our students manage their digital lives responsibly. Here are a few simple steps parents and students may use to help keep them safe while using their devices.
Kellep Charles, Digital Protection Expert, Researcher and Educator at SecurityOrb.com recommends:
For the student:
No matter what social media platform you are using, consider the type of information you are sharing with others and ensure you are limiting it to prevent your identity from being compromised. Here are the common cyber risks you may face when using social media:
- Sharing sensitive information – Sensitive information includes anything that can help a person steal your identity or find you, such as your full name, Social Security number, address, birthdate, phone number, or where you were born.
- Posting questionable content – Remember that when you apply for school or future employment, they may look at your social media accounts before bringing you on board. Questionable content can include pictures, videos, or opinions that may be offensive, rude, vile, unprofessional, or mean, and it can damage your reputation or future opportunities.
- Tracking your location – Many social media platforms allow you to check in and broadcast your location, or automatically add your location to photos and posts. Think twice before allowing that to happen.
 
SIMPLE TIPS
- Remember, there is no 'Delete' button on the Internet. Think before you post, because even if you delete a post or picture from your profile only seconds after posting it, there is a good chance someone still saw it and may have obtained a copy.
- Don't broadcast your location. Location and geo-tagging features on social networks are not the safest features to activate. You could be telling a stalker exactly where to find you or telling a thief that you are not home.
- Connect only with people you trust. While some social networks might seem safer for connecting because of the limited personal information shared through them, keep your connections to people you know and trust.
- Keep certain things private from everyone. Certain information should be kept completely off your social networks to begin with. While it's fun to have everyone wish you a happy birthday, or for long-lost friends to reconnect with you online, listing your date of birth with your full name and address gives potential identity thieves pertinent information. Other things to keep private include sensitive pictures or information about friends and family. Just because you think something is amusing does not mean you should share it with the world.
- Speak up if you're uncomfortable. If a friend posts something about you that makes you uncomfortable or that you think is inappropriate, let them know. Likewise, stay open-minded if a friend approaches you because something you've posted makes them feel uncomfortable. People have different tolerances for how much the world knows about them, and it is important to respect those differences. Also report any instances of cyberbullying you see.
 
For the Parents:
BE AWARE OF WHAT YOUR KIDS POST ONLINE. Understand the cyber risks kids face when using social media. Talk to your kids about the following risks:
- What they are posting – Talk to your kids about the information they post online. Many of them don't understand the damage they could do to their reputation or future prospects with unkind or angry posts and compromising photos or videos.
- Ensure your kids are not sharing or posting sensitive information – Sensitive information includes anything that can help a person steal your child's identity or find them, such as their/your full name, Social Security number, address, birthdate, phone number, or place of birth.
- Compromising content – This includes photos or status updates that may damage your child's reputation or future prospects.
- Unkind or angry content – This includes anything malicious directed at themselves or another person, as well as opinions that are probably better left unshared.
- Who they are connecting with – Social media allows kids to connect with their friends, but there is also a risk of connecting with someone they do not know or who is only pretending to be a kid.
- What level of privacy they are using – Many social media platforms have privacy settings that allow users to limit who sees their content. There are also settings for location tracking and geo-tagging of photos or statuses.
 
SIMPLE TIPS FOR PARENTS
- Talk to your kids. Help them understand the importance of owning their digital lives and only sharing things that will not put them in danger, negatively affect their future, or harm others.
- Emphasize the concept of credibility to teens: not everything they see on the Internet is true, and people on the Internet may not be who they appear to be.
- Watch for changes in their behavior. If your child suddenly avoids the computer, it may be a sign they are being bullied or stalked online.
- Review security settings and privacy policies for the social media sites kids frequent. These settings are frequently updated, so check back regularly.
- Periodically review social media accounts to ensure no questionable content or inappropriate connections are established.
 
The bottom line: mobile devices and the Internet are wonderful things, and every step should be taken to be a good digital citizen. Unfortunately, even when you follow the proper steps, bad things can occur. Understanding what to do and where to go can be the difference maker.
EC Council Coming to Capitol Technology University
On November 14 and 15, Capitol Technology University is hosting a cybersecurity conference. Day 1 will consist of EC Council advanced workshops; you may sign up here: https://iclass.eccouncil.org/capitol-technology/. Day 2 will feature presentations of accepted research papers. All papers must be submitted by October 15, and accepted papers will be published in a special edition of the American Journal of Science and Engineering (you can get their template here: http://ajse.us/instruction-for-authors/). Send submissions to: wceasttom@captechu.edu
The Capital One Data Breach and What Can You Do to Protect Yourself
In one of the biggest data breaches to date, a hacker by the name of Paige Thompson gained access to more than 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information. However, the company stated that no credit card account numbers or log-in credentials were compromised in the breach.
Capital One first heard about the hack on July 19th, but waited until July 29th to inform customers as they worked with law enforcement to investigate the breach.
Thompson, who is 33 years old and lives in Seattle, had previously worked as a software engineer for Amazon Web Services, the cloud hosting provider that Capital One was using. She was able to gain access on March 22 and 23 by exploiting a misconfigured web application firewall.
Thompson posted the information on GitHub, a site where developers store their projects and network with like-minded people, using her full name and also boasted on social media that she had Capital One information and the method she used to obtain the data.
What will Capital One do for you?
The breach affected around 100 million people in the United States and about 6 million people in Canada, according to Capital One. Consumers and small businesses who applied for Capital One credit cards from 2005 through early 2019 are most at risk at this time. Capital One will offer $125 to anyone whose data was hacked or free credit monitoring for 10 years.
What should you do to protect yourself?
SecurityOrb.com recommends the following steps to protect yourself after a possible data breach:
- Change your passwords immediately. When creating a new password, use a combination of upper- and lower-case letters, numbers, and symbols, and use a unique password for each website you visit.
- Consider using multifactor authentication rather than relying on passwords alone.
- Never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address.
- Be careful whenever you are contacted by an unsolicited caller. Hang up and call the number on your card.
- Immediately freeze your credit reports at the three major firms: Equifax, Experian, and TransUnion.
- Check your credit card statement to make sure there are no unauthorized charges.
- File your taxes as early as possible.
This is the latest in a long line of data breaches, privacy violations, and hacks affecting hundreds of millions of Americans:
- Two years ago, Equifax revealed that hackers had accessed the personal information of up to 147 million people.
- Last year, Facebook announced that U.K.-based Cambridge Analytica had improperly accessed 87 million Facebook users' data.
- WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and Apple
Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.