CMMC: Not Just an IT Challenge
The title “Cybersecurity Maturity Model Certification” seemingly indicates that certification under DFARS 252.204-7021 is an IT concern. However, CMMC isn’t just an IT challenge. Review the examples below to identify some of the key areas where NIST Special Publication 800-171 requirements (part of CMMC certification) require a cross-functional, company-wide approach to securing Controlled Unclassified Information (CUI).
Executive Leadership
“Affirming Official”
In the context of CMMC, 32 CFR 170.22(a) requires a senior level representative (an “affirming official”) to confirm continued compliance with all NIST SP 800-171 requirements annually, following initial certification. Your company must provide the name, title, and contact information of this senior-level executive in the DoD Supplier Performance Risk System (SPRS) when submitting your annual affirmation.
Why it matters: claims made by the affirming official are used as evaluation criteria for contract awards.
Why IT can’t be responsible: IT doesn’t own contractual obligations for the organization.
Policy adoption
NIST SP 800-171 requires organizations to establish several policies, which generally require executive approval. These policies include:
information flow control policies (3.1.3)
policies related to the security of the system (3.2.1)
a policy specifying whether whitelisting or blacklisting is to be implemented (3.4.8)
a policy for controlling the installation of software by users (3.4.9)
a policy for terminating system access in coordination with personnel actions (3.9.2)
Additional NIST 800-171 requirements directly benefit from policy governance.
Why it matters: CMMC Third Party Assessment Organizations (C3PAOs) will sometimes check to confirm whether policies are formally adopted through manager approval/sign-off and revision control.
Why IT can’t be responsible: IT will often implement policies, but they don’t have authority to impose a policy on management and the organization as a whole.
Legal
Applicable Laws and Regulations
NIST 800-171 requires companies to perform certain activities based on applicable laws and regulations acting as an authority for Controlled Unclassified Information (CUI).
Information Sharing (3.1.3): part of meeting 800-171 involves documenting the allowed sources and destinations for CUI. Legal teams must specify how employees are allowed to receive sensitive data (in accordance with customer agreements and NDAs), where sensitive information can be stored (often by geographic region), and to whom the organization can send regulated or confidential information (by company, based on export licenses, nationality, or country).
CUI Risks (3.2.1): some CUI authorities impose sanctions (penalties, fines, minimum prison sentences) that directly inform users’ actions. In order to adequately educate employees on the real impact of their actions, legal teams should assemble a running list of the negative impacts associated with the misuse of all CUI categories handled by the organization. These impacts should be integrated into awareness training.
Unlawful System Use (3.3.1, 3.14.7): Security teams are required to generate the system logs necessary to report on “unlawful system activity” and “unauthorized use of the system.” Legal teams must define the kinds of system activity prohibited by CUI authorities (laws and regulations). Unlawful system activity often includes:
Access from specific countries
Access by foreign persons
Uploading or downloading regulated files
System Use Notifications (3.1.9): Legal should be involved in creating system use notifications presented to all users accessing IT systems (computers, user sessions, cloud apps, etc.) containing CUI. Since each CUI category handled by the company may carry its own necessary disclosures, system use notifications are often customized by system, program, or other factors.
Beyond implementing NIST 800-171 and CMMC certification, legal teams are critical contributors to a variety of other challenges related to CUI including contract negotiations, data rights assertions, subcontracting, and other CUI-adjacent topics.
Why it matters: Failing to inform everyday employees of risks, rules, and impacts related to their actions (especially when government contracts directly require this education, awareness, and notification) creates liability for the company.
Why IT can’t be responsible: System administrators can help enforce information flows, generate system logs, and configure system use notifications based on inputs from stakeholders. They cannot define CUI categories, unlawful use, or awareness requirements on their own.
Human Resources
Personnel Screening
NIST 800-171 requires personnel screening before individuals are granted access to CUI or systems handling CUI (3.9.1). This often includes criminal background checks and screening against the Consolidated Screening List (CSL), a list of parties for which the United States Government maintains restrictions on certain exports, reexports, or transfers of items.
Why it matters: Inadequate personnel screening can violate “lawful government purpose” rules for allowed access to CUI.
Why IT can’t be responsible: Basic separation of duties mandates that the individual providing system access (i.e., an IT administrator) cannot approve the request. It’s also inappropriate for IT personnel to review the results of criminal background checks and make their own suitability determinations.
Offboarding
NIST 800-171 requires documented processes for managing employee terminations and transfers. Under upcoming rules for 800-171 Revision 3, companies must terminate system access within four (4) hours.
Why it matters: HR must document its personnel decisions to demonstrate coordinated offboarding activities.
Why IT can’t be responsible: IT should revoke system access for employees as part of a coordinated effort by HR to communicate the decision to a former employee and reclaim company property, along with reminding the individual of any nondisclosure obligations. If IT revokes access too early or too late, terminated personnel will likely have a window of time in which to perform malicious or vengeful activities involving company data or property.
Training
NIST 800-171 requires general security awareness training (3.2.1), role-based training for managers and system administrators (3.2.2), and insider threat training (3.2.3).
Why it matters: Training completion must be tracked and documented.
Why IT can’t be responsible: IT cannot be held responsible for training completion companywide.
Corrective Action
Organizations must develop plans of action for control deficiencies related to any of the 110 security requirements in NIST 800-171 (3.12.2). Almost all of these requirements include a human element, from policy definition, to following procedures, to enforcing rules at a facility, departmental, or system level. When deficiencies are identified in an individual or team’s ability to follow requirements, HR will often be involved in creating or monitoring the necessary corrective action plan.
Why it matters: Corrective action plans, performance improvement plans, and other plans are valuable audit proofs that the company meets 800-171 requirements.
Why IT can’t be responsible: IT is rarely responsible for an employee’s ability to follow policies, procedures, and other guidance tied to security controls ranging from everyday operations to physical security, to travel arrangements, to rules of behavior.
Facility Security
Facility Access
NIST 800-171 includes quite a few requirements for securing facilities, controlled areas, and separating public areas from CUI access and observation.
Why it matters: 32 CFR 2002 (the CUI Program) requires that all authorized holders of CUI create a “controlled environment” where unauthorized personnel cannot access, observe, or overhear CUI.
Why IT can’t be responsible: IT isn’t generally responsible for facility-wide security.
Visitors
NIST 800-171 requires visitor check-ins, escorts, and supervision.
Why it matters: Unsupervised visitors can easily access or observe CUI, violating rules for “lawful government purpose.”
Why IT can’t be responsible: Not all visitors come to see the IT department. Each team needs their own process for escorting visitors who arrive for meetings, tours, inspections, service appointments, and personal visits.