CMMC is relatively new on the compliance stage. It’s designed to bring together and formalize all of the various data security requirements used by the federal government. It is based off of ISO 800-171 for the most part. You can achieve CMMC at 5 levels, 1,2,3,4 or 5. Most business working under contract or sub-contract to the federal government will need to achieve CMMC level 3. All tiers of government contractors are subject to the same requirement.
CMMC has a bunch of requirements for the people that implement it too. There are registered practitioners, register practitioner organization, assessors, and certified assessor organizations. A practitioner cannot be an assessor, which means that you’ll be dealing with at least two organizations who will be pointing fingers at one another. It’s all in the highly organized manner of the defense department and comes with sturdy fees to obtain and retain these certifications.
We can help
The certifications have just now been released. Harbor will have staff registered for CMMC implementation soon. For everyone we are recommending that the journey to CMMC certification begin now with CMMC level 1. For those of you that are planning to enter into contract or sub-contract on government projects we start moving up the levels from there.
We have obtained the necessary licensing and templates to get this started already and we can do that even before the registration process has been completed. There are 89 items like the below just in level 1 CMMC.
Now some of these are already implemented as part of our standard set of security policies that we normally roll out but not all. Basically, what this all means is that everyone is going to have to get used to working within a much more secure environment. Security can be annoying, but this is the world that we live in. Security will be the theme of 2021 I can already tell.
The infamous Solarwinds hack
Poor Solarwinds; the company is just taking a beating. Because of who their client base is, they were used as the vector for the grand espionage or act of war depending on your perspective. It was said over the last few years that Russia was using Ukraine as a testing ground for this type of attack. In Ukraine they use their hack to manipulate government services like lighting, water, fuel distribution and more. It was wondered then what Russia would do with this knowledge gained. Now we know.
In a nutshell, a phishing email set off a chain of events that resulted in the hackers gaining access to Solarwinds Orion source code and more importantly the certificate store. They were then able to insert their code, and certify it so that it went out with an update to Orion. Orion is a network management tool. Once that was pushed out to Orion customers, the second stage of the attack was then to use this code to gain remote access to the network and move laterally through the network, into that companies clients and so on. The tools that are used in the attack come from FireEye a security company that provide penetration testing services and white hat hacking.
So many companies are involved in this. That the certificate was issued labeling these files as coming from a secure source is the biggest problem. For example, that certificate ended up being chained all the way to Microsoft’s root and essentially has hit every large tech firm in one way or another. Which is how it comes down to us in the small business world.
I served on the advisory board, some years back, that provided advice and vetting of corporate acquisitions for Solarwinds. I’m probably more aware than most of just how many pieces of networks are part of Solarwinds. I haven’t heard anything yet that this hack moved from Orion to other Solarwinds products, but that certificate chain is concerning. When you own the trusted certificates that say, “I’m Solarwinds and I’m OK” you can do a lot with it.
Microsoft has a released a tool that will check the 365 environments for activity that could be related to this attack. We don’t expect to find any but we should still look. To do otherwise would be foolhardy. You will see us working on that project in January.
The changes just keep coming
Just like Covid has changed the landscape of medicine and consumer spending habits, so too these security issues are changing the scope of what we need to do as a the new normal in IT. We’ve always pushed for more security adoption but this year we’re going to have to be insistent. 2021 isn’t shaping up to be any more pleasant that 2020 was; it’ll just be annoying in its own way.
I know that this wasn’t your uplifting Happy New Year blog post. Sorry about that. I think that we’re all feeling a bit pressed to see the light at the end of these tunnels. In the IT business when we install a BIG software package or large update there always this point where it says it’s 99% finished, that’s 2020. But that last 1% seems to take just about as much time as the previous 99% did, that 2021.
That’s about as happy as I can get about 2021 coming into view. I’ll be home, as usual, New Years Eve. I never was one to go out and paint the town or watch the ball drop. PJ’s, fireplace, maybe a sparkling drink, perhaps a book. Happy New Year!