Redspin’s CISO and CMMC Registered Practitioner Dr. Thomas Graham, and CMMC Provisional Assessor Tony Buenger, share the first of four lessons Redspin learned while going through the CMMC Level 3 assessment process before becoming an Authorized C3PAO.
Thomas and Tony introduce “Lesson 1: Corralling Your CUI”, and dive into the details of how knowing where your organization’s CUI lives and breathes will not only help you pass a CMMC Level 3 assessment, but ensure you are protecting your data, and essentially the Nation’s military supply chain.
LAUREN FRICKLE (HOST): Welcome to Cyberspin, the podcast that brings you expert insights into today’s hot topics in cybersecurity, privacy, and compliance for highly regulated industries. Subscribe to Cyberspin on Apple iTunes, Spotify, Stitcher, or your preferred podcast platform. New episodes are released every other week and a transcript of each episode can be found at redspin.com.
Hi, I’m Lauren Frickle. Welcome back to Cyberspin. On this episode, we’re going to talk through the first of four of the lessons Redspin learned while preparing for, going through, and reflecting on its own CMMC Level 3 assessment. Here to talk about this first lesson is Dr. Thomas Graham, Redspin’s CISO and Registered Practitioner. We also have Tony Buenger, who is a [CMMC] Provisional Assessor. Hi guys, thank you for joining me. Looking forward to hearing insights from an Authorized C3PAO, and I truly hope it helps our listeners who may be OSCs (if you don’t know what that is, I encourage you to go back and listen to our previous episodes) – Organizations Seeking Certification themselves! Tony, please tell us what this first lesson is.
TONY BUENGER: Thanks, I’m glad to be here. I’m very excited to share some of our lessons learned. Redspin is an Authorized C3PAO that has passed the CMMC Level 3 assessment as a primary requirement to be authorized to conduct CMMC Level 3 assessments. We’re excited to share with you our lessons learned with respect to going through that CMMC Level 3 assessment, and share some of those lessons learned with you to help you prepare for your Level 3 assessment down the road. Starting off with the first lesson, which we call “Corralling Your Controlled Unclassified Information” (also known as CUI). Redspin learned early on that it is important to understand where your CUI lives and breathes, so Thomas, can you start us off and tell us what it means to corral CUI?
THOMAS GRAHAM: Sure, and one of the first statements that comes to mind is that it’s very much like herding cats… I digress for a moment. Essentially what it means is that you have to have an understanding of your data. You have to have an understanding of CUI: where it is being maintained, where it’s being processed, and of course where it’s being transmitted from. Something that Redspin learned early on in the process is that we needed to define that boundary, that enclave if you will. For those who are listening with a military background, it’s very much like when you’re setting up a base camp, where you identify the location and you identify what you’re going to have in that base camp. One of the most important parts is that you’re defining that perimeter, that boundary on everything that is separated from outside and inside. And then you also define how you’re going to go in and out of that boundary. Being able to properly, quickly, and definitively identify that when we were going through our DIBCAC assessment really paid dividends in the long run, with their understanding and their agreement that we really had a grasp on where CUI is maintained in our environment.
TONY BUENGER: That’s a great description, Thomas. And as you know, the CMMC defines just what you explained as scoping and scoping is very important, and it includes all those components within that perimeter, right? It includes your facility. So where is that data located in your facilities? Which systems are storing and processing and transmitting that CUI? What applications are in play and what services are involved in protecting that CUI within that perimeter? And all that is within the scope of an assessment that will be looked at when you do go to become certified for Level 3. So the intent is really to isolate that CUI, wherever possible, to reduce that footprint. I liked your military analogy, because that’s really what it is, it’s to reduce that footprint so it’s much more difficult for the adversary to get to.
THOMAS GRAHAM: Absolutely Tony, I agree. A military analogy here is really appropriate if we’re talking about DoD information and the mechanisms that are being put in place to protect the information in cyber warfare as opposed to you know, physical warfare.
TONY BUENGER: And it’s all about people, processes, and technology. And we’ll cover that in a few minutes. And obviously, there is technology that is going to help build that perimeter but it’s also about the processes involved and procedures, and the training for the people involved to ensure that they are protecting that data appropriately and adequately. So, it’s very important to understand that, and really to define, we called ours the red zone secure enclave. So we knew exactly what was inside, who was allowed inside that enclave and everyone had their procedures on how to properly protect that CUI.
THOMAS GRAHAM: Yes, and those are some of the lessons learned as we’ve gone through this process. You mentioned the secure red zone, but I also remember from the very early days we started getting folks accustomed to talking about the secure enclave. It was at the CUI enclave. It wasn’t the CMMC, it was secure. So when you were talking, you know, about the people and the process and the technologies: a lot of times the people get overlooked in that, but the people are the ones that are going to be performing your work. The more habitual you get with the reinforcement that this is secure, it is a secure area, it is a secure environment, the more ingrained it gets within your culture as an organization.
TONY BUENGER: That’s exactly right. Very good point with that. And you know, the technical aspect: it was very complex for us to build that perimeter technically. We used Microsoft GCC High, which is recommended for Level 3. We used a Virtual Desktop Infrastructure (VDI) environment. Once we got that set up, and you’re right, Thomas, it’s like we got it set up now. Now we gotta put people inside this, and are they ready to perform their tasks? We’re talking assessors here, CMMC assessors who are going to be operating in this environment, this secure enclave: do they understand what it takes to properly handle CUI, and if something does look awry, do they know where to report it?
THOMAS GRAHAM: Absolutely, and with this lesson, we’re kind of talking about that boundary. And it’s good that you brought up GCC High, because what utilization of GCC High allowed us to do as an organization was that we didn’t have to stand up any additional physical offices. We didn’t have to put any more physical infrastructure in place. We were able to carve out a virtual secure enclave that was able to be accessed by our approved individuals regardless, really, of where they were at or even the technology that they were accessing it with. Because once they logged in, it established that boundary. Once that connection was made through the VDI, there was nothing going in and out of that environment other than what we’ve explicitly allowed.
TONY BUENGER: Yes, and that’s a good point. And from an assessment perspective, the assessor will want to see a clearly defined secure enclave that you have. From our experience, the assessors that interviewed us kept grilling us, looking for any holes within that perimeter. That was pretty grueling, wasn’t it Thomas? He kept going back to “are you sure the CUI is not leaking from this secure enclave?”, so to speak, right? They kept asking, as they should… It’s like, why do you keep asking us? Oh yeah, really the objective of this Level 3 certification is to ensure that you are adequately protecting CUI from adversaries.
THOMAS GRAHAM: You’re correct, Tony, and despite popular belief, no, you and I did not lose our hair during this assessment. This is just completely ironic. But I mean, think about it, guys: within any information security, information assurance, cybersecurity, whatever you want to call it, one of the things that a lot of security professionals worry about is mobile devices, the mobility of information. One of the lessons that we took, because our organization was all remote before COVID made it in vogue, OK? One of the very first questions we asked ourselves is how can we make this work for a user base that is geographically dispersed across the US, and so the virtual infrastructure really makes sense, because regardless of whether you’re logging in from a Mac, a Windows device, a Linux device, an iPhone, an Android device, or your son’s iPad at home, once you’re logged in, you’re in that environment. It is being protected by those boundaries. You’re not going to be able to save stuff. It’s only going to allow those communications that have been explicitly defined, and I think, you know, in the long run probably the biggest lesson learned for me is that by doing it that way we were able to very quickly and very efficiently show the inspection team that it doesn’t matter where we’re at, it is not going to go in or out of this environment regardless of the technology you are using to first access it.
TONY BUENGER: Yes, and I remember us going through that week of assessment with, as you said, the assessment team, and all throughout, it’s like we’re all kind of whispering to each other, “we are so glad we invested in this technology,” because it sure did make the assessment process go much smoother. Now, keep in mind this isn’t all about passing an assessment, right? It’s all about protecting your data, and we’re very confident that with the architecture that we stood up technically, along with training the employees to properly handle CUI, we’re confident that we can protect the CUI that’s going to be in our environment.
THOMAS GRAHAM: No, absolutely. And it’s always, you know, the hardest whenever you’re the first one up the trail. But hopefully, by being first you can pass along any information that you’ve learned to those that are coming behind you.
TONY BUENGER: Exactly, and we’re going to start wrapping this up, but really going back to the title “Corralling Your CUI”. Our corral is going to look different from your organization’s corral, so one of the early things we learned is, you know, what does our corral look like and where are all the horses inside, ensuring that the horses are trained to work inside that corral. So for your organization, it all depends: if your organization has physical facilities all across the country, that’s going to be a different architecture than, say, a medium-sized company such as us who’s mostly virtual. So you got to really understand your environment and how to architect your environment. For many organizations, you will find you will be re-architecting some of your systems in your environment and how they operate to actually be ready to protect that CUI at CMMC Level 3.
THOMAS GRAHAM: No, absolutely, we definitely look forward to the additional recordings, additional lessons learned, because look guys, bottom line, it’s all about protecting information. If we can pass along, you know, what we did: it’s not something that’s static. Security, especially cybersecurity, is always learning better ways to do things. So talking about the lessons that we learned, hopefully we’re going to pass that knowledge on to you guys, and maybe in return you reach out and you say hey, how about, you know, something else that we did that we haven’t even thought up, and by working together we can make sure that CUI is maintained and is secure and safe.
TONY BUENGER: Great, yeah, this is fun, Thomas. I can’t wait to get on to the next lesson, so wrapping up this first lesson on Corralling Your CUI. Our next lesson is going to be on how you prepare yourselves for implementing those practices and processes to be ready for that CMMC Level 3 assessment. So we’re going to talk about an SSP. Hopefully, you all on here listening have already started your SSP, your System Security Plan, or it’s already mature. Or some of you have done it for SP-171 and now you need to, you know, make it more into a CMMC-ready document, so we will talk about those in more detail next time.
THOMAS GRAHAM: Look forward to talking again, Tony.
TONY BUENGER: Sounds good. Hope to see you guys next time.
LAUREN FRICKLE: OK, thank you so much, Thomas and Tony. There you have it, guys: Lesson 1 from an Authorized C3PAO, “Corralling Your CUI”. Check back soon for lessons two, three, and four of this CMMC Level 3: Four Lessons Learned From An Authorized C3PAO. Don’t forget to like and subscribe! Thanks for listening.