HEADSTART from Defenseforce, Inc.

Unsure of how to proceed towards CMMC certification ?

Use our smart, 15-question survey to get a quick assessment of your cybersecurity maturity level and recommended next steps.

Question Title

* What CMMC level do you want to certify at?

Level 1 (FCI Only)

Level 2

Level 3

Question Title

* 1. Which of the following logical access controls are implemented in your Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) environment. Select only those that apply.

a. Access to FCI/CUI information is restricted to authorized users

b. Unapproved personal devices are prohibited from accessing the FCI/CUI environment

c. FCI/CUI information is not stored on publicly-accessible systems

d. Wireless access to your FCI/CUI environment is prohibited or controlled

While a business case may be made for various forms of access to your FCI/CUI environment (as well as for the use of different types of devices within that environment), identifying and evaluating each case is critical to understanding and mitigating the vulnerabilities they may introduce.

Question Title

* 2. Have you recently conducted an inventory of your FCI/CUI? Select only one.

a. Yes, I am confident that it is comprehensive and up-to-date.

b. Yes, but I am concerned we might not have captured everything.

c. No, but we have a good idea of where FCI/CUI is stored.

d. We only work with FCI and we have a good idea of where it is stored.

A basic tenet of data security is identifying where data is located. CMMC requires that you clearly define your FCI and CUI environment. Best practices include minimizing the number of systems processing and/or storing FCI/CUI. This strategy reduces risks to your security program, the resources required to manage it, and the time to achieve compliance.

Question Title

* 3. What types of audit controls are implemented in your FCI/CUI environment? Select all that apply.

a. A Security Event and Incident Management platform (SEIM) is in place

b. Logs are time synchronized

c. Events are reviewed by dedicated personnel

d. Access to audit logs are restricted to approved personnel

The quantity and pervasiveness of all available event data from networks, operating systems, and applications can make capturing and analyzing all collected events a daunting task. Today, limiting such saved information has proven to be a more effective strategy. A good place to begin is to capture all events that directly serve CMMC audit requirements.

Question Title

* 4. Which cybersecurity training and/or awareness programs have been performed in the last year for users with access to FCI/CUI? Select all that apply.

a. Security awareness posters/reminder emails

b. Training to identify insider threat

c. Role-based training for managers, technical staff and those responsible for implementing your security program

Regardless of how strong your physical and technical controls may be, the greatest challenges to security programs emerge from your personnel and their execution of operational controls. Training and awareness will not mitigate all risks, but consistently communicating to staff the importance of their role in your organization's security program will pay dividends.

Question Title

* 5. Which configuration management practices are currently performed in your FCI/CUI environment? Select all that apply.

a. Documented change control processes

b. Configuration baselines

c. Software whitelists/blacklists

d. System hardening

e. Automated tools to detect misconfigurations

Any changes to the hardware, software, or firmware components of your CUI environment can have significant effects on your overall security program. Before you can track changes, baselines must be established that reduce the number of unnecessary programs and processes. A centralized mechanism to save, deploy, and audit these baselines is recommended. Formal procedures to identify, evaluate the risk, and document changes to these baselines should be established whenever possible.

Question Title

* 6. The following logical access controls are implemented within your FCI/CUI environment. Select all that apply.

a. Individual user accounts and a password policy are required for all users in your FCI/CUI environment

b. The storage, distribution and/or transmission of passwords is protected

c. Multifactor authentication is enforced for local, network, and remote access using privileged accounts

d. User and admin accounts are managed

Multifactor authentication (MFA) is the use of two or more different identifiers to authenticate users. These factors include something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); and something you are (e.g., biometric). While MFA does not solve all authentication issues, it can be very effective in reducing the risk from specific threat vectors. For more information about MFA and digital identities, see NIST SP 800-63.

Question Title

* 7. Which incident response practices are implemented in your FCI/CUI environment? Select all that apply.

a. Documented incident response plan

b. Technical capabilities to detect an incident

c. Personnel dedicated to reviewing collected security events

d. Periodic testing of current incident response capabilities

Consider your Incident Response Program a part of the definition, design, and development of your FCI/CUI environment. Understand that effective incident handling capability requires coordination among many people and organizational entities including business owners, system owners, HR, physical/personnel security offices, legal departments, procurement offices, and risk management executives. For more information on developing an incident response program, see NIST SP 800-61, 86, and 101.

Question Title

* 8. What third-party maintenance procedures are in place? Select all that apply.

a. Third-party maintenance is controlled

b. Remote access by third-party maintenance personnel is prohibited or controlled

c. Third-party maintenance hardware is inspected prior to introduction and after removal from the CUI environment

d. Hardware from the FCI/CUI environment follows sanitation procedures prior to being sent to a third-party for repair or destruction

Introducing new personnel, hardware, and/or software to your FCI/CUI environment, even temporarily, increases the risk of unauthorized system activity. In addition to existing configuration management and access control procedures, careful scrutiny must be applied to all third-party maintenance activities. Ensure proper sanitation procedures are in place and executed before any FCI/CUI hardware is sent to a third-party vendor.

Question Title

* 9. Which of the following procedures are in place to protect portable media (digital and non-digital) containing FCI/CUI? Select all that apply.

a. Proper markings applied to electronic and physical storage locations

b. Access is restricted to authorized individuals

c. The use of unknown or unauthorized portable media are prevented from your FCI/CUI environment by a technical control

d. Data is encrypted while in transit and storage while outside the FCI/CUI environment (e.g. backup facility)

e. Sanitation procedures are applied prior to media disposal or reuse

Multiple risks to your FCI/CUI include unauthorized access, malicious modification, and loss of availability. However, the greatest risk is often during transit or storage outside your FCI/CUI environment. Ensure you know where your FCI/CUI is located at all times and minimize any unnecessary transfers outside your FCI/CUI boundary.

Question Title

* 10. How often does personnel screening for employees with access to FCI/CUI occur? Select only one.

a. Never

b. Once

c. On a regular recurring basis

Personnel may intentionally or inadvertently compromise your FCI/CUI environment for many reasons including greed, ideology, mistake, coercion, etc. Ongoing screening helps detect changes in behavior, personal finances, family life, etc. Often, this can help prevent a potential problem before it is too late. When a personnel change is needed (even if the person is simply being transferred elsewhere outside the FCI/CUI environment), procedures must be in place to ensure all hardware is returned, access is revoked, and non-disclosure agreements, if applicable, are maintained.

Question Title

* 11. Which of the following physical access controls are implemented in your FCI/CUI environment? Select all that apply.

a. Physical access is restricted to authorized individuals and access documented

b. Access control is managed, i.e. locks, keycards, combos, etc. are updated following personnel changes

c. Visitor access procedures

d. Requirements mandated for off-site locations

Physical security controls can be very effective at restricting physical access to your FCI/CUI environment. However, it is very common for these safeguards to be implemented by an outside entity, such as building security. Don't get complacent. Research and real-world testing have shown that motivated adversaries have many techniques to bypass many physical security systems. Build-in layers of protection involving technology, monitoring, human observation/authorization, and employee awareness training ("If you see something, say something").

Question Title

* 12. Which procedures are currently followed for your FCI/CUI data back-ups? Select all that apply.

a. Regularly performed and tested

b. Safeguards are in place to protect media and/or data if it is lost or stolen

c. Stored at an alternate site from primary data store

While the focus of the CMMC is on protecting CUI confidentiality, taking basic measures to ensure CUI availability is also very important. At a minimum, a full data backup should be scheduled to an alternative hard drive from the primary data store. Take measures to protect this information in storage and also consider moving off-site to mitigate the risk of the loss of the primary processing facility. Regardless of where your backup data resides, ensure it is tested on a regular basis to ensure the process is working as expected.

Question Title

* 13. Which governance and risk management elements are in place for your FCI/CUI environment? Select all that apply.

a. System security plan developed

b. Risk assessment is up-to-date

c. Vulnerabilities actively identified and addressed

d. Periodic third-party assessments are performed

NIST has defined a formal risk management lifecycle that guides all FCI/CUI security programs. This cycle simply states that we must first identify the risk, then mitigate the risk, and lastly assess and monitor this risk. Any output from this last step serves as input to the first. The cycle repeats. In order to demonstrate the maturity of your security program, specific documentation is expected from each step that must be maintained over the lifetime of the system. For more information, see NIST SP 800-30 and NIST SP 800-171r1.

Question Title

* 14. Are any of the following controls in place on your FCI/CUI environment's network perimeter? Select all that apply.

a. Inbound network access is controlled

b. Outbound network access is controlled

c. Internet-accessible systems storing FCI/CUI are located in a DMZ, i.e. controlled subnetwork within your FCI/CUI environment

d. Domain Name Services (DNS) filtering is enabled

For many organizations, the greatest risk to their CUI environment is a technical cyber attack from the Internet. In order to detect and prevent this threat-source, controls must be implemented that monitor and restrict traffic at the CUI boundary. The less traffic allowed to pass this boundary (inbound or outbound), the better chance your organization will have to protect CUI from Internet-borne threats or to discover successful attempts ASAP after they've occurred.

Question Title

* 15. Which of the following system controls are in place? Select all that apply.

a. Patch management program

b. Threat information tracked and communicated

c. Malicious code detection implemented on endpoints, i.e. antivirus installed on workstations

d. Perimeter email controls are in place, such as sandboxing

Assuming your FCI/CUI boundary defenses fail (which they will), your next layer of protection will be on your FCI/CUI systems. The best mitigation to defend against a successful attack is to reduce the number of software vulnerabilities that exist on any given system. Ideally, only absolutely necessary software should be installed. Any software in use should be fully supported by the vendor so that any discovered vulnerabilities can be quickly patched. In addition to anti-virus software on your workstations, consider other available malware detection tools as appropriate.

Question Title

* GET YOUR RESULTS! Please tell us a little more about you.

Name

Company

Address

Address 2

City/Town

State/Province

ZIP/Postal Code

Email Address