Summary: Organizations need a cost-effective and structured approach to address Cybersecurity Maturity Model Certification (CMMC) and the “CMMC Kill Chain” provides a 24-step, prioritized roadmap that can be used as a project plan for CMMC pre-assessment operations.
The intent of this article is to break down how to implement CMMC requirements using the CMMC Kill Chain. SecurityWaypoint offers a free, no-strings project plan tracker template to help organizations leverage the CMMC Kill Chain to create a coherent, step-by-step process to track and prepare for CMMC certification. This works for organizations of any size or industry.
These are the common questions surrounding the CMMC Kill Chain that this article will address:
- What is the CMMC Kill Chain?
- Who is it geared towards?
- Why do I need it?
- What is it going to cost me?
What is the CMMC Kill Chain?
Simply put, the CMMC Kill Chain outlines an efficient, prioritized way to plan out a roadmap to successfully implement all the required processes and ultimately pass a CMMC assessment.
Who is the CMMC Kill Chain geared towards?
The CMMC Kill Chain can be used by any organization size or complexity in any industry. This approach is only specific to the requirements implementation, not specific industries or organizations.
Why do I need the CMMC Kill Chain?
The CMMC Kill Chain process provides a roadmap to ensure proper steps are taken to implement the breadth of requirements and also to assess readiness for a CMMC assessment. When you look at CMMC’s zero tolerance for deficiencies, if you have a single deficiency in a process or practice, you will fail your CMMC assessment. Taking a prioritized approach, the CMMC Kill Chain identifies “building block” requirements that need to be done sooner, rather than later, which can help avoid reworking solutions that were not properly designed.
What is it going to cost?
The CMMC Kill Chain is a free resource, so any business can use it at no-cost. SecurityWaypoint also offers a free “CMMC Kill Chain Excel Project Plan Outline” to help clients further guide and track implementation of the processes. Click the button below to download.
Since every organization undergoing CMMC compliance is different, there is no legitimate way to estimate a ballpark cost for CMMC compliance. The underlying costs and resources to implement CMMC will ultimately be associated with the corresponding business processes and resource plans to meet on-going CMMC compliance requirements.
Organizations such as Gartner and Deloitte estimate security budgeting in general for organizations to be on average around 10% of an organization’s IT budget. In many cases open-source and free tools can be leveraged, but there will always be expected processes and resource planning requirements maintained on-going to assure continued compliances.
Costs Associated with Security and CMMC Compliances
- Licensing for security tools and or Compliant Cloud Environments (e.g., Azure Gov Cloud HIGH / E5 licensing)
- Security Incident and Event Monitoring (SIEM)
- Vulnerability Scanning
- Anti-virus, Host Intrusion protection, File Integrity Monitoring
- Multi Factor Authentication (potentially included in E5 Licenses for example)
Costs Associated With Security Staffing Resources (Internal or External)
- Security Leadership and Governance Oversite (CISO, Security Managers)
- Vulnerability, Security and Risk Assessments
- Security Administration, configuration and management of tools
- Security Incident and Event Monitoring
Common CMMC “Pain Points”
From our experience with NIST SP 800-171 and CMMC, most organizations commonly see pre-assessment gaps in a few key areas including:
- Policies and Procedures – Policies and procedures are a required item and provide clear direction of management’s intent to secure the organization. This documentation provides the foundation how the organization will broadly and specifically meet the compliance requirements.
- Vulnerability and Risk assessments – Key areas which we see a lot of gaps is in Vulnerability Identification and Remediation and regular risk assessments. These are critical processes to the organization and are regularly maintained risk management processes.
- Security Resource Planning – CMMC requires business-level integrated resource plans to be documented which outline how the organization will plan, staff and provide support each of the CMMC domain requirements. Organizations must leverage (internal or external) trained and professional certified resources to ensure appropriate due care and diligence as part of expected security and compliance operations.
- Cyber Supply Chain Risk Management C-SCRM – Supply Chain Risk Management is a critical area that the government has put significant emphasis on to ensure third party supply chain requirements, including processes associated with DFARS, 800-171 and CMMC for example. Supply Chain requirements are extensive and implement processes to ensure the organizations critical vendors and suppliers are identified, business impacts are assessed and mitigated, security standards and addendums or exhibits are contractually agreed and adhered, as well as incident response, disaster recovery, and contingency plans and testing is included with the organizations third-party suppliers.
- Security Training for Users and Administrators – Security awareness training, role-based training and insider threat training are critical areas that many times are identified gaps. Organizations must implement training for users and integrate HR processes to ensure security responsibilities are covered.
- Security Environment Architecture – Determining secure engineering and architecture practices is foundational for sensitive data and how the organization secures its IT assets. You’ll need to analyze several aspects to determine if the organization can better maintain and secure the data local, in the cloud or utilize fully supported Azure Government High (GCC-High) architectures for example to take much of underlying technology burdens off the organization. This significantly cuts time and implementation of technology but does have upfront costs in licensing for the year for users.
- Multi-factor (MFA) and Identity and Access Management (IAM) – Many organizations use solutions like Active Directory (AD) in Microsoft environments and of administrative/privileged accounts already but are required to implement MFA additionally which is a separate product (or Azure Premium License) and implementation experience.
- Configuration Management – Configuration management is another area which may need an organizations attention. Configuration management outlines secure hardened configurations for each if the organizations assets. Configuration management extends and supports requirements across many other domains as well including security architecture, threat and vulnerabilities, and technical configuration practices Encryption settings, etc.
- Encryption – Many organizations already implement encryption in-transit natively with IT systems through (HTTPS, TLS, SSH) but not usually encryption at-rest on covered assets such as mobile devices, portable drives, backups, or other systems which maintain sensitive data including CUI and or ITAR restrictions.
CMMC Project Management Benefits
To successfully prepare for a CMMC Level 3 assessment, it requires an organization to have analysis and planning, documentation and repeatable processes. This requires an official or unofficial Project Manager (PM) and organizations of all sizes will have some form of PM whether it is a dedicated PM in a large organization or “the IT guy” who manages the whole infrastructure. This PM role will effectively need to manage a proper sequence of events balancing budget, staff resources and timelines to implement CMMC process requirements successfully.
One of the benefits of the CMMC Kill Chain for PMs, security managers or security executives is it provides a prioritized approach which integrates the necessary critical path dependencies within its own phases for implementation. The steps have already been thought through tactically for critical path dependencies and provides users clear steps to implementation success.
As noted, most every organization’s largest efforts to become compliant starts with the implementation of processes. These processes including even the gap assessment, must be defined, documented and performed regularly to provide assurances as to compliance of the controls.
CMMC Kill Chain
The 24 phases of the CMMC Kill Chain include:
- Define What CUI Is For Your Specific Business Case. This should be self-explanatory and is based on your contract(s).
- Establish The Scope of The CMMC Assessment Boundary. This has four subcomponent steps:
- Create a Data Flow Diagram (DFD) that shows how CUI flows from the DoD all the way down to subcontractors;
- Create a detailed asset inventory for all systems, applications and services for both in-scope and out-of-scope assets;
- Create a detailed network diagram that includes where CUI is stored, transmitted and/or processed; and
- Inventory Third-Party Service Providers (TSP) to determine TSP access to CUI and/or in-scope systems, applications and/or services.
- Document The Environment. This has two subcomponent steps: (1) Start populating the System Security Plan (SSP); and (2) Create a Plan of Action & Milestone (POA&M) to track and remediate deficiencies.
- Define The Network Architecture. This involves implementing a network architecture that ensures it is built on secure engineering principles and enclaves to protect sensitive information (e.g., FCI/CUI). POA&M deficiencies & document procedures.
- Plan, Identify Gaps & Prioritize Resources. This has six subcomponent steps:
- Define applicable statutory, regulatory and contractual obligations (including DFARS, FAR, NIST 800-171 and CMMC);
- Perform a gap assessment from applicable statutory, regulatory and contractual obligations;
- Develop & implement policies and standards to address applicable statutory, regulatory and contractual obligations;
- Identify the necessary People, Processes & Technology (PPT) that are necessary and appropriately sized;
- Develop & implement a resource plan (e.g., business plan, budget, road map, etc.) to meet compliance obligations; and
- Prioritize objectives from the resource plan for PPT requirements. POA&M any deficiencies from this phase.
- Develop Procedures. This has two subcomponent steps: (1) Develop & implement procedures to implement policies & standards; and (2) Define processes to securely handle CUI. POA&M any deficiencies from this phase.
- Risk Management. Develop & implement a Risk Management Program (RMP) to identify, assess and remediate risk. POA&M deficiencies & document procedures.
- Change Control. Develop & implement change control processes, including a Change Control Board (CCB). POA&M deficiencies & document procedures.
- Incident Response. Develop & implement incident response capabilities to detect, respond and recover from incidents. POA&M deficiencies & document procedures.
- Situational Awareness. Develop & implement situational awareness capabilities through log collection and analysis (e.g., SIEM). POA&M deficiencies & document procedures.
- System Hardening. Identify, build & implement secure baseline configurations (e.g., hardening standards) for all technology platforms. POA&M deficiencies & document procedures.
- Centralized Management. Build & implement Group Policy Objects (GPOs) for Microsoft Active Directory (AD). POA&M deficiencies & document procedures.
- Identity & Access Management. Develop & implement Identity & Access Management (IAM) to address “least privilege” and Role-Based Access Control (RBAC). POA&M deficiencies & document procedures.
- Maintenance. Develop & implement proactive maintenance practices. POA&M deficiencies & document procedures.
- Attack Surface Management / Vulnerability Management. Develop & implement Attack Surface Management (ASM) practices. POA&M deficiencies & document procedures.
- Asset Management. Develop & implement technology asset management practices. POA&M deficiencies & document procedures.
- Personnel Security. Work with Human Resources (HR) to ensure personnel security requirements are integrated into HR operations. POA&M deficiencies & document procedures.
- Network Security. Develop & implement network security practices. POA&M deficiencies & document procedures.
- Business Continuity. Develop & implement business continuity capabilities. POA&M deficiencies & document procedures.
- Cryptography. Develop & implement cryptographic key management and data encryption capabilities. POA&M deficiencies & document procedures.
- Physical Security. Develop & implement physical security practices. POA&M deficiencies & document procedures.
- Threat Intelligence. Develop & implement a threat intelligence capability. POA&M deficiencies & document procedures.
- Security Awareness Training. Build and maintain a security-minded workforce through training & awareness. POA&M deficiencies & document procedures.
- Internal Audit. Build and maintain an “internal audit” or Information Assurance (IA) capability to govern controls. POA&M deficiencies & document procedures.
SecurityWaypoint helps organizations of all sizes reduce skills gap and the steep learning curves to implement required processes to become compliant quickly. We provide seasoned and professional certified SMEs specializing in DFARS, ITAR, 800-171 and CMMC compliances and utilize a business risk-prioritized assessment and implementation approaches. SecurityWaypoint offers complete cybersecurity and risk services for the CMMC Kill Chain, C-SCRM and the Secure Controls Framework (SCF) for complex compliance requirements. Contact us today at connect@securitywaypoint or toll free 800-289-3740 today to get started. We offer a no obligation, no-cost consultation, pre-assessments and tailored solutions for every organization size and budget.