Our stuff keeps your stuff from becoming their stuff

CI Security
Mike Hamilton, Founder and CISO

The Cyber Maturity Model Certification: Time To Get Serious

Critical Infrastructure Risk Management

March 5, 2019

Your Presenter

• Founder, CI Security
• Policy Advisor, Washington State
• CISO, City of Seattle
• Managing Consultant, VeriSign
• Senior Principal Consultant, Guardent
• Independent Security Consultant
• Founder, Network Commerce, Inc.
• Ocean Scientist, NASA/JPL

About CI Security: Professional Services, Continuous Vulnerability Identification (CVI), and Log Management

Professional Services:
• IR Plan Table Top Exercise
• Incident Response Plan
• Policy, Process & Procedure Development
• Internal & External Vulnerability Assessment
• Focused Security Assessment

• Continuous Vulnerability Identification
• Managed Detection & Response
• Penetration Testing
• Log Management

Ongoing / Periodic:
• Focused Security Assessment
• Periodic/Annual Information Security Maintenance Activities
• Annual Policy Review
• Annual Penetration Testing
• Regular IR Plan TTEs
• Firewall Rule Review

Why Are We Here? Report: Hackers target defense contractors, telecoms

Hacking groups with ties to Iran spent much of their time targeting the defense and government sectors in the U.S. and elsewhere, and the firm said it tracked a noticeable shift in emphasis to the United States in the latter half of 2019. This targeting of U.S. entities began picking up around the same time as the 2019 Gulf of Oman incident, when three oil tankers and a bunkering ship were damaged with explosives, with U.S. officials blaming Iran.

https://defensesystems.com/articles/2020/03/04/crowdstrike-report-cyber-johnson.aspx?m=1

Outcomes to Avoid, Financial Impacts

- Records Disclosure: ~$150/record
- Theft: $75K-$1.2M in our region, millions elsewhere (and rising)
- Disruption: Loss of business continuity or operating capacity, loss of life for certain critical service outages

And NOW – You’re a Threat to Business Partners


The Third Party Microscope

Saw This One Coming

• Market forces versus regulatory requirements to address security – long, ongoing discussion
• The show-your-papers business climate was predictable
• Differentiate your business and get more business based on your security – there’s an actual ROI there


What is a Capability Maturity Model?

And What is the CMMC?

• The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
• The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
• The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
• The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

History

• Intended to protect Controlled Unclassified Information (CUI)
• Still in its development stages
• DFARS regulation required assessment against NIST 800-171
• No one did that
• New capability maturity model adopted, with certification requirement
• Now at version 0.7
• Practices measure technical activities, and processes measure the maturity of processes.

What Are Those Practices? The Moving Parts of NIST 800-171

• Access Control (3.1)
• Awareness & Training (3.2)
• Audit & Accountability (3.3)
• Configuration Management (3.4)
• Identification & Authentication (3.5)
• Incident Response (3.6)
• Maintenance (3.7)
• Media Protection (3.8)
• Personnel Security (3.9)
• Physical Protection (3.10)
• Risk Assessment (3.11)
• Security Assessment (3.12)
• System & Communications Protection (3.13)
• System & Information Integrity (3.14)

Standards of Practice: The ingredients are the same… but the packaging is a little different

• ISO 27001/2
• Payment Card Industry Data Security Standard
• NIST Cybersecurity Framework
• Information Security Forum Standard of Good Practice
• Criminal Justice Information Standard
• HIPAA Security Rule
• FFIEC Audit Handbook
• NERC CIPs

CMMC Levels

                                                                 New (Additional)       Total (Cumulative)
Level  Description                                               Practices  Processes   Practices  Processes*
1      Basic Cyber Hygiene with Performed Processes                 17          0           17          0
2      Intermediate Cyber Hygiene with Documented Processes         55         51           72         51
3      Good Cyber Hygiene with Managed Processes                    59         34          131         85
4      Proactive Cybersecurity Program with Reviewed Processes      26         34          157        119
5      Advanced / Progressive Cybersecurity Program with            16         34          173        153
       Optimized Processes

CMMC Levels

• Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
• Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
• Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other” controls.
• Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls.
• Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB plus 11 new “Other” controls.

Getting Ready

• Self-Assess, using the NIST Handbook – OR hire a qualified assessor
• Work down your corrective action plan
• When certification firms become accredited, hire one

Status Today

• October 3rd 2019 DoD issued an RFI to solicit accreditation bodies for CMMC
• By end of year, certification will become a no-nonsense requirement
• The contracts you may bid on are dependent on your certification level.
• Must meet certification requirements at the time of award
• Phase 1 only applies to contractor networks, and not products
• CMMC validation by a third party is expected to be requested in RFIs starting in June of 2020 and in RFPs starting in the fall of 2020

The Value of Managed Security Services

• The upper levels will be extremely hard to meet for any but the largest companies
• Requirements for documented and repeatable processes are expensive and time-consuming to put in place
• Monitoring, detection of aberrational network events, investigation, response and recovery
• Continuing compliance responsibilities are best handled by point-in-time consulting engagements
• A Virtual CISO is an economical alternative to hiring

Detection & Response is a gap: most organizations suffer, and deal with the fallout

Slide figures (205, 89%, 69%), with their captions:
• average days until a compromised asset is detected
• of victims are notified by a third party such as the FBI
• of victims were not compliant with regulatory requirements

Ongoing Compliance Responsibilities: Key Performance Requirements – Information Security Officer

Weekly:
• Weekly Report
• Incident Management
• Recordkeeping (e.g. security testing results for products)
• Corrective action board; infosec ritual
• Meetings (change control, infosec, governance, etc.)
• Consulting project management
• Ad-hoc service requests (access changes, e.g.)
• Planning for upcoming monthly, quarterly, or annual requirements

Monthly:
• Conduct vulnerability assessment
• Review vulnerability assessment results, assign disposition and delegate
• Firewall rules review

Quarterly:
• Access authorization management reviews
• Conduct Risk Governance Committee meeting
• Perform 2 of the annual requirements

Annually:
• Penetration test
• Risk Assessment
• Security Awareness Training / Attestation
• Tabletop or functional security exercise
• Policy review
• Service audits
• Participate in annual planning and budget development

www.criticalinformatics.com, March 10, 2020

Summary

• CMMC Certification will be a prerequisite to bidding on DOD project work
• Start now – assess, understand your gaps, work down your corrective action plan
• Be ready to engage an accredited assessor in Q3
• Security consulting and managed detection and response services will boost you to higher levels of contract availability


CONTACT US

Mike Hamilton

[email protected]

[email protected]

@detectrespond – Company Tweets

@seattlemkh – Unvarnished Opinions (Buckle Up)

Sign up for the IT Security News Blast

https://ci.security/resources/daily-news

CI Security
Our stuff keeps your stuff from becoming their stuff