Ascolta Secure Environments

Background

The Defense Federal Acquisition Regulation Supplement (DFARS) rule 252.204-7012 requires all non-Federal entities doing business with the Department of Defense that process, store, transfer or have access to controlled unclassified information (CUI) to self-assess compliance with the security requirements published in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting CUI in Non-federal Information Systems and Organizations.

Having determined that self-assessment wasn’t working, and that the Department’s supply chain ran deeper than just those companies handling CUI, the Under Secretary of Defense for Acquisition and Sustainment issued the Cybersecurity Maturity Model Certification (CMMC). An expanded and tiered set of security controls applicable to all companies doing business with the Department, regardless of the classification level of information contained in the contract. As CMMC is implemented companies will have to achieve third-party certification of their information systems prior to winning an award.

CMMC considers the sensitivity of information and provides five certification levels:

• Level 1 meets Federal Acquisition Regulation (FAR) Clause 52.204-21 and is designed to protect Federal Contract Information (FCI); it will be required of all DoD contractors.

• Level 2 is a transition level.

• Level 3 meets DFARS Rule 252.204-7012 and is targeted towards CUI.

• Levels 4 and 5 are reserved for companies at risk of being targeted by advanced persistent threats (APT).

The CMMC framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and DoD stakeholders. The model framework depicted in Figure 1 organizes these processes and practices into a set of domains and maps them across the five levels. In order to provide additional structure, the framework also aligns the practices to a set of capabilities within each domain.

Challenges

Currently DFARS Rule 252.204-7012 applies only to contracts that deal with CUI. As part of the CMMC initiative, plans are underway to expand the rule to cover all 350,000+ DIB companies. The change will force companies that have never considered digital risk to adhere to cybersecurity best practices and regulatory requirements. For many, this will present a staffing and expertise problem.

Historically companies have pursued one of several avenues to achieve regulatory security compliance requirements:

• Implement and managed the controls themselves

• Contract professional services to implement the controls and then manage them internally

• Contract with a managed security service provider (MSSP) to implement and manage the controls and their security on their behalf

Larger defense contractors with established security programs can implement the required controls and achieve compliance internally. Small and medium sized companies that are not experienced with federal security requirements and have fewer resources struggle with implementation and compliance. To establish a compliant program requires time and resources to assess, implement, test, and document security controls. Resources consist of the right security tools, software/hardware and security expertise; knowing what tools to purchase, how to properly configure them, and how to effectively manage them. Utilization of the latest tools and products may not be enough to cover exposed vulnerabilities from cyber threats.

Finding experience and talented security professionals is time consuming and expensive. For most companies even with the right people and the right tools, achieving compliance can take up to nine months. Because of this, an increasing number of companies are hiring MSSPs to manage specific security initiatives, or in some cases, outsource their entire security program. This approach is especially beneficial to companies that have limited IT resources, lack internal security expertise, struggle to hire security talent, or simply need to implement a security program faster than they could in-house.

As the CMMC requirement becomes more widely known the market for NIST compliant solutions has grown. Traditional security tool/service providers and MSSPs are offering what they advertise as NIST compliant solutions. Some are even offering premature CMMC compliant solutions. Premature in the fact that the CMMC Accreditation Body has cautioned companies from offering something that doesn’t exist yet. The majority offer consulting services to assist customers in bringing their existing environments into compliance or they offer a tool or service that provides compliance for specific set of NIST controls.

Solution

Per CMMC v1.0 “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.”

Rather than trying to protect your existing legacy network and addressing all the baggage that comes with it, Ascolta creates a new, separate cloud-based Secure Environment where work relating to your government contract can be securely conducted. We provide a secure out-of-the-box compliant environment that offers best-of-breed protection for all technical related cybersecurity controls and eliminates an organizations requirement to resource, manage, and integrate these tools. Compliance is obtained quickly, information is secured, and organizations can focus on their core competencies rather than security.

Ascolta’s Secure Environment provides NIST SP 800-171 compliance and a CMMC ready environment for business operations through a secure Platform-as-a-Service (PaaS) offering. Ascolta Secure Environment is rapidly implemented and affordable, contract delivery can begin immediately in a secure, scalable environment. Each deployment comes with the necessary security documentation to include policy templates and a Systems Security Plan (SSP). As new technology, software and security patches are made available, Ascolta seamlessly integrates these updates into the environment.

Ascolta’s competitive advantage compared to the numerous alternatives available on the market lies in:

• Nodes/Instances are born compliant to NIST 800-171 standards

• Endpoint protection and secure SOC (24/7)

• NIST compliant (ongoing automated compliance monitoring)

• System Security Plan (SSP)

• Logging, performance monitoring of telemetry, abnormalities, security and compliance status

• Rapid deployment and scaling of NIST compliant environment

• Managed PaaS environment (NIST and non-NIST)

Conclusion

There’s no question that America’s adversaries are targeting intellectual property, trade secrets and CUI. CMMC raises the security baseline and is a necessary measure in protecting our supply chain. Ascolta Secure Environment is an affordable, easy solution for small businesses that are being targeted and don’t have the time and or resources to implement CMMC.