How Companies Prove They’re Ready to Handle Classified Information
Approval for access to classified or controlled government data is not a standard background check. It goes well beyond the due diligence many companies expect: the government must confirm that you are not merely motivated to keep secrets but actually able to. Everything from the cybersecurity infrastructure to personnel expectations must be in place across your enterprise from the moment anything sensitive enters your possession until it is destroyed.
Many companies believe they are prepared to store sensitive material because they have a few basic firewalls and password requirements. With controlled unclassified information or classified material at stake, that is not nearly enough.
The Game-Changing Model
The Cybersecurity Maturity Model Certification (CMMC) was introduced by the Department of Defense because too many contractors were being breached. Simply having people sign an attestation that their cybersecurity plans were up to par had failed. Assessing an active defense subcontractor directly was the only way to guarantee that protective measures were actually implemented and working.
CMMC establishes levels based on the type of information a company handles. If your team only handles basic contract information for its federal work, you need Level 1. If controlled unclassified information passes through your systems (and in most defense-related work it does), you fall into Level 2 or higher. Higher levels bring more controls, more documented and enforced requirements, and more expensive implementation.
Unlike most compliance certifications, CMMC requires external attestation. You cannot simply self-audit and assume you are certified. Third-party assessors validate the level: they review your documented policies, test your systems, interview your teams and reconcile the gaps between what you say you do and what you actually do.
What Gets Assessed
Assessments cover 17 security domains: access control, incident response, system security, system monitoring, personnel security, physical protection, and so on. Each domain has specific practices that must be assessed, and assessors know the shortcuts companies attempt.
They start with security policies and procedures, but having a document is not what impresses. Assessors need documented evidence that the policies exist, are followed, are maintained and actually work: audit logs, training records, post-incident reports, and evidence that the incident response plan was followed rather than improvised when it was triggered.
Physical security (where applicable to information storage or processing) is assessed too: assessors walk through the building examining the access control measures, surveillance and alerting systems that keep unauthorized personnel from stumbling onto sensitive information. A door with a keypad is no good if fifteen people know the code and nobody tracks who comes and goes.
Technical assessment breaks down the IT infrastructure: assessors look at how a company segments its networks, encrypts data at rest and in transit, controls user credentials, keeps systems patched, and runs effective monitoring. Failing to follow best practices puts you at risk, because foreign adversaries look for exactly those weaknesses.
Where Documentation Comes In
This is where the cost and time add up. Every control needs documentation that it exists, is maintained and works correctly. You cannot just tell an assessor you encrypt sensitive data; you need the policies defining your encryption standards and requirements, the procedures for implementing them, system configurations proving encryption is active, and logs showing it stays that way.
To understand each tier's requirements, and why the effort is so overwhelming, review the CMMC certification levels to see how they progress from basic cyber hygiene at Level 1 to advanced practices, with additional documentation, at the higher tiers.
Companies underestimate how long it takes to build this documentation. It is not simply a matter of writing down what you think you do; many companies discover that their actual practices differ from their intended ones, and the deficiencies must be fixed before they can be documented, which adds time.
The system security plan becomes the blueprint for everything: how your IT environment is configured, the security precautions you have instituted, how the controls work together and why you made specific implementation decisions. The assessor relies on this document for guidance; anything found in your environment that does not line up with what is on paper becomes a finding that needs resolution.
Where Companies Fail
Access control probably trips up more companies than almost any other domain, because of the principle of least privilege. Granting access only where it is needed sounds easy in theory but fails in practice: the company must know every tool, every data type and the reason each of countless roles needs to access it, and keep adjusting as personnel change or projects conclude.
So an employee is given temporary access to a system for a task, and it is never taken back. Multiply that by dozens of employees across dozens of systems and you are failing a basic tenet of security. Cleaning up access control takes real effort before an assessment.
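The stale-access problem described above, as an added example that is not part of the article: a small Python access review that flags grants that should have been revoked (expired temporary access, access tied to a closed project, accounts of departed staff), run over constructed sample grants with hypothetical system names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Grant:
    user: str
    system: str
    temporary: bool = False
    expires: Optional[date] = None   # only meaningful for temporary grants
    project: Optional[str] = None    # project that justified the access

def find_stale_grants(grants, today, departed_users, closed_projects):
    """Return (user, system, reason) for every grant that should have been revoked.

    Three conditions mirror the failures described in the text: access held by
    someone who has left, access justified by a project that has closed, and a
    temporary grant that has expired (or was never given an expiry at all).
    """
    stale = []
    for g in grants:
        if g.user in departed_users:
            stale.append((g.user, g.system, "user departed"))
        elif g.project is not None and g.project in closed_projects:
            stale.append((g.user, g.system, f"project {g.project} closed"))
        elif g.temporary and g.expires is not None and g.expires < today:
            stale.append((g.user, g.system, f"temporary grant expired {g.expires}"))
        elif g.temporary and g.expires is None:
            stale.append((g.user, g.system, "temporary grant with no expiry"))
    return stale

# Constructed sample data (hypothetical users and systems, not a real environment).
SAMPLE_GRANTS = [
    Grant("alice", "cui-fileshare", temporary=True, expires=date(2024, 3, 1), project="proj-a"),
    Grant("bob", "cui-fileshare", project="proj-b"),
    Grant("carol", "siem-console"),
    Grant("dave", "build-server", temporary=True),
    Grant("erin", "cui-fileshare", temporary=True, expires=date(2025, 1, 1)),
]
DEPARTED = {"carol"}
CLOSED_PROJECTS = {"proj-b"}

def sample_report(today_iso="2024-06-01"):
    """Run the review over the constructed data as of the given date."""
    return find_stale_grants(SAMPLE_GRANTS, date.fromisoformat(today_iso), DEPARTED, CLOSED_PROJECTS)

if __name__ == "__main__":
    for user, system, reason in sample_report():
        print(f"REVOKE {user}@{system}: {reason}")
```

In practice the grant list would come from an export of the directory or the application's own role table, and the review would run on a fixed schedule so the evidence exists for the assessor.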
Incident response is the next common failure, because many companies have little incident response capability beyond the plan itself: plans look great on paper until execution falls apart during an actual event. Assessors want to see your incident response plan, but they also want to see that you have exercised it, found problems, captured lessons learned and revised the plan accordingly. If you have not run incident response exercises, you will not convince anyone that you are prepared for a real breach.
Configuration management sounds tame until assessors start probing. How do you secure configurations? How do you know what has changed? Is anything running in your environment that was never approved or documented? Organizations without adequate configuration management fall victim to security drift, where every undocumented change makes the environment a little less secure.
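A worked example of the configuration drift check described above, added here and not part of the article: a documented baseline (constructed, sshd_config-style settings standing in for what the system security plan claims) is compared against the live configuration to surface settings that changed, settings that vanished, and settings nobody documented.

```python
# Constructed baseline: the settings the system security plan says are in force.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config-style text standing in for what is actually running.
ACTUAL_CONFIG = """
# managed by ops, do not edit
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 4
AllowTcpForwarding yes
"""

def parse_kv_config(text):
    """Parse 'Key value' lines, ignoring blanks and # comments; the last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def detect_drift(baseline, actual_text):
    """Compare the documented baseline with the live settings.

    changed:      documented key whose live value differs (baseline, actual)
    missing:      documented key absent from the live config
    undocumented: live key the baseline never mentions (an unrecorded change)
    """
    actual = parse_kv_config(actual_text)
    changed = [(k, v, actual[k]) for k, v in baseline.items() if k in actual and actual[k] != v]
    missing = [k for k in baseline if k not in actual]
    undocumented = [k for k in actual if k not in baseline]
    return {"changed": changed, "missing": missing, "undocumented": undocumented}

def sample_drift():
    """Run the comparison over the constructed baseline and live text."""
    return detect_drift(BASELINE, ACTUAL_CONFIG)

if __name__ == "__main__":
    for kind, items in sample_drift().items():
        print(f"{kind}: {items}")
```

Each non-empty list is the kind of discrepancy that becomes a finding when the assessor compares the system security plan with what is actually deployed.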
Personnel Related Security
Employees with access to controlled or classified information undergo thorough background checks. The government wants to know whether you have financial problems, foreign contacts or legal troubles that could make you a target for coercion or bribery. The investigation required varies with the classification level, but either way it takes time, and time is money.
Security training for such personnel must be documented at every level, and assessors want to see that documentation. Everyone involved needs initial training, plus regular refreshers and role-specific training. When employees are quizzed on their responsibilities, or asked about material they never actually received instruction on, that can produce a finding.
Non-disclosure agreements and security acknowledgments legally bind people, and they must exist as proof, now and later, that every involved employee signed them and understood what they agreed to. Companies that treat these documents as onboarding checkbox items fail here; they rarely find the signed copies when assessors ask for them.
Expectations Going Forward
Certification is not something you achieve in a few weeks. Depending on your internal baseline and the tier you are targeting, companies need six months to two years, or more, to get ready. Most need help, and there should be a realistic remediation timeline in place before the assessment.
Smaller companies can spend anywhere from $50,000 to $150,000 preparing for a Level 2 certification; larger enterprises with complex environments can spend half a million or more, and that is before the assessment itself, which is an additional fee based on company size and scope.
The return on investment makes it worth it: many Defense contracts now require compliance before bidding even begins, so without it you have locked yourself out of the opportunity regardless of how good your products or services are. For companies that plan to pursue federal work, even beyond Defense projects, certification becomes a necessary evil rather than merely a compliance exercise.
Going Forward
Everything changes: guidelines tighten as threats increase, and adequate protection today may not meet the standard in two years. Companies should not view certification as just another checkbox but as a supporting mechanism worth ongoing attention, rather than something driven only by pressure from the compliance office.
When companies change their attitude, build security into everyday operating decisions and understand why the controls matter, and when leadership backs that with action, the controls get easier and assessments go more smoothly.
In the end, when companies see certification as validation of security measures they would have wanted anyway rather than as bureaucratic hurdles forced on them, protecting their own data and reputation while also meeting government requirements, it changes how they approach it and how much value they get out of it.