Thank you for attending the CMMC Big Bang Theory!
On June 12, 2020, Chapter meetings/lunches resumed with the CMMC Big Bang Theory Panel from DC BLOX.
Thank you to our sponsor for a great event and for helping us break the COVID-19 doldrums. Rachel, Becky and the Panel did a great job. The message below is from Rachel Smith to attendees of the event:
Thank you so much for attending the DC BLOX CMMC Big Bang Theory webinar with the NAC-ISSA Chapter. DC BLOX was honored to be able to bring together this panel of experts to help answer the uncertainties surrounding CMMC. I also wanted to send out a big congrats to Gregory Harris with S4 on winning the door prize!
As promised, I wanted to provide you all with the additional questions we weren’t able to get to. Here they are.
So are the days of internal auditors over?
“I don’t think so. The more external audit type requirements that continue to be added suggest to me that companies will need more of a “where do we stand” assessment as they move toward the audit date. FedRAMP is one example of that. Clients spend as much, if not more, money getting an initial assessment, preparing all the documentation, and of course changing/plugging the gaps, than they do on the actual formal audit. I suspect we will have lower costs for performing official CMMC audits than we do right now providing “readiness reviews”. Our readiness reviews often involve back and forth discussions, requests for further explanations or recommendations, and updates as they close gaps. The formal audit won’t have any of that time consumption.”
Chandler Hall, Cyber Security Evangelist, Sentar
If you are NIST compliant are you pretty much Level 1 CMMC?
“Assuming this means NIST 800-171 compliant, all controls in CMMC Level 1 requirements are also covered by a control requirement in the DFARS NIST 800-171 document. There is one-to-one mapping between the CMMC and DFARS controls. So yes, if you have met all 110 NIST 800-171 controls then you would have also met the 17 controls for Level 1.”
Angela Rittenbach, CEO, Riverstone Solutions
Is wired/wireless 802.1x (EAP-TLS and CA) required to authenticate devices/users before granting network access as per CMMC IA.1.077 / 800-171 3.5.2?
“802.1x is not required to meet this practice. This practice requires that users and devices be uniquely authenticated. For users, this can be accomplished by giving every person a unique username and authentication credentials to access the system. For devices, we recommend you use something like Active Directory, or Microsoft’s Endpoint Manager (Intune).”
Steve Pratt, Sr. Systems Engineer, Sentar
How do we address CUI transmitted over PSTN/VoIP and voicemail? I assume traditional PSTN voice traffic is outside the scope of CUI/DFARS since it is not IP-based?
“Typically PSTN would be out of scope. The only practice that addresses VoIP technology is SC.3.189, which primarily covers the proper configuration and monitoring of VoIP systems to ensure they are not compromised. There is no guidance in CMMC or NIST SP 800-171 that specifically addresses voicemail, though with current voicemail storage technology, and the ability to have voicemail sent to your email, it shouldn’t be ignored. Our recommendation is that your voicemail storage should be protected through a combination of encryption and access controls. If you are unable to provide protection, your users should include a statement in their voicemail greeting message stating that this voicemail system does not meet the security requirements for protecting CUI, and discussions including CUI should not be left in the voicemail.”
Steve Pratt, Sr. Systems Engineer, Sentar
Is level 3 the minimum for DoD related contracts? Is this required level stated in a policy that we can reference?
“Level 3 is the minimum level necessary if you will handle CUI or Export Controlled (ITAR) data. If you will only handle FCI content, you may be able to certify at CMMC Level 1. References will be provided in the RFP and in the Contract language of each contract. We will see that language for the first time when the pathfinder RFPs are released in October / November or in an updated DFARS 252.204-7012 rule that is expected around the same timeframe.”
Scott Edwards, Managing Partner & President, Summit 7 Systems
Many thanks to our panel for addressing these additional questions! If you missed our webinar or would like to see the CMMC Big Bang Theory again, we will be hosting another webinar with The Catalyst Center on July 23rd from 3-5pm. I will send you all the registration details when they become available!
Lastly, here is the link with the recording.
Recording password: 2bRM5fn5