EXP Technical recently hosted a FREE webinar entitled "Right-sized Solutions for NIST/CMMC Compliance."
Among the items covered in the presentation were:
The webinar was video recorded and is now available, streaming on demand, below.
Contact EXP directly to request a PDF copy of the slide deck.
A transcript of the presentation appears below:
Kelly Paletta: Welcome everyone!
My name is Kelly Paletta. I'm Director of Sales and Marketing here at EXP Technical and I want to welcome you all to our webinar entitled “Right-sized Solutions for NIST/CMMC Compliance.”
I have a few announcements to make at the top, and then we'll get started right away with the presentation here.
The “meat” of the presentation will be about 30 minutes. We're leaving time at the end for Q&A. So with that in mind…There is a lot of detail that Pat will be presenting here. We ask you to submit questions via the Q&A feature in the Zoom webinar tool and we'll get to those questions at the end; and we have allotted time at the end. If we run out of time to answer questions, we'll submit answers…we'll return answers to you via email as well. But submit the questions via the Q&A.
The presentation will go on for about 30 minutes with 15 or so minutes for questions at the end.
Our presenter today is Pat Cooke.
Pat is a principal here at EXP. He leads our cybersecurity practice, IT governance practice, and Pat holds a CISSP certification.
Before coming to EXP…he has a wealth of experience in leadership roles in healthcare and other highly-regulated industries. And, in fact, in 2012 Pat was named “Best CIO” by Puget Sound Business Journal—for a privately held company. So it's not just us here at EXP that recognize him as an expert, but also others in the [Seattle area] community.
And having said that, I think I'll hand things over to Pat and you can take it away from here…
Pat Cooke:
Great. Thanks, Kelly. Thanks for the intro.
A couple of statements before we get started into the meat of the presentation. I, of course, have to make some assumptions about the audience. It's difficult to do that without knowing everybody on the call but here's the assumptions I'm making:
There's a good amount of acronyms mainly because I’m trying to fit a lot of information into not that many slides, and I will explain them as best I can but our goal is to give you a lot of information in a short amount of time, so please excuse any brevity. And if there's any rushed feeling to the webinar, I apologize in advance.
So what we want to do here is the define a reasonable and achievable approach right-sized. That's what we mean by “right-sized”—not that there's any room from a new room within the requirements themselves, but how do you approach this as a small and medium business so that you can achieve and maintain compliance quickly? And what are the tools? And what sort of help can you get to achieve it?
It's a challenge for large businesses, but it's particularly challenging for small businesses. And we also actually want to provide some specific insight into tools that we think might help you meet requirements; give you some rough costs. It's difficult because everybody comes from different size companies and has different environments. But I think it's helpful to provide specifics rather than generalities at this at this point. And we'll also, of course, discuss how we can help. If you choose to engage with us at any level.
So uh our approach… You know there's about 130 requirements—oh there's exactly 130 requirements between NIST and CMMC, and it's a bit overwhelming, so we broke them down into what we call “manageable groups,” and our recommendation is that you're going to need an intelligent combination of both tools and then procedures.
There's really nothing that I’m aware of that just you can put on top of your I.T. organization that does everything. If there is, I'd like to hear about it! And minimize the mix of tools, so that you're not managing all these different tools but do purchase the right ones that give you the best value.
And also spending money! It's a “no-brainer” really, but spending money on high-value items first is probably the way to go; and of course finding out you know what it what is high value. That's something I'll go through in a minute.
And you're probably going to need some help from people like us and we're, of course, happy to help at any level. We’re very much “a la carte.” It’s a term we use here.
Internal leadership is absolutely critical. I don't think it can be done without it. It doesn't have to be technical leadership, but internal leadership and ownership of the compliance program is really key. A designated person ideally, not I.T. Somebody with budgetary power and executive power.
Regular review meetings with that person in attendance. It could be monthly. Strict adherence to milestones and then also: the more people understand what's going on, the better the compliance in general is going to be.
So how can we help?
Before we we go on, I wanted to talk a little bit about the Microsoft GCC high defense cloud which if you're ITAR—if you have ITAR requirements—that's really the only platform that will definitively meet CUI requirements. It's a great option, but very expensive! If you want the E5, it's about $1,050 per year. There's the three pricing levels: There’s $150 for the real limited one $450 for e3 and $1,050 for the top level one.
I don't really have time to go into the different um…what you get with each level…but it's worth considering that the challenge though is: most contractors have hybrid environments, so they're going to need some level of on-site, on-premises, infrastructure
So this slide is a busy slide, but it's actually quite useful.
You're probably all familiar with the points scoring for the various NIST requirements. So what we've done here is essentially bundled them into um about 14 different groups and it looks very dense and there's a lot of acronyms here but hopefully I’ll illuminate that. Further, in the medium the high-value ones of course are the top four. Now you don't get points for these, but you have to subtract points if you can't meet them. So security operations center and are systems information and event management. You, of course, need a firewall with intrusion prevention system; and then regular review of those logs.
I’m not going to go through each line item here because I’ll go through them one by one but the top four there are really really critical and if you can achieve those with the least amount of complexity and the least a mix of tools, I think that's really a good approach.
So CMMC of course adds to the requirements from this. I believe most contractors who are on the call are probably targeting level three. It's a challenge to meet.
Level one is probably reasonably achievable. 20 different, 20 additional practices in addition to this you probably all know that it's got to be managed as well as documented and performed which is the key. So you've got to be able to provide evidence that you're doing this stuff that you say you're doing, on an ongoing basis, and getting the security value out of it.
It doesn't mention the word “SIEM” in the requirements—in the practices—but it's pretty much mandated. I don't know how you could meet them without some level of a sophisticated event manager—incident and event management system—and then that business continuity and disaster recovery plan, and procedures are mandated. And a lot of focus and emphasis on incident response and activity events brought to closure etc.
DNS filtering is included that's a relatively easy one. And then spam and email filtering. Almost everybody has that already.
So the specific requirements and solutions I’ll go through that sort of summary slide one by one and talk about our approach. again this is just our approach but we think it's an appropriate approach for small and medium businesses. You need to aggregate logs and review frequently. Ideally, this would be automated. You can put in Splunk Light or something like that and aggregate logs. The challenge, I think, is reviewing them frequently and acting on them. That's a real challenge for small and medium businesses.
Typically, you know, a fully featured SIEM has been out of reach for small and medium business, but from the implementation point of view, and from the management point of view; but becoming more and more cost-effective. Probably with demand you want to review all logs from firewall active, directory EDR's in an aggravated view. Lots of other things as well, of course. And really importantly, take specific events and incidents to closure. You need to log CUI review CUI access permissions—if you have CUI—and general access privileges on a regular basis.
So we can actually provide SOC as a service, which is uh relatively affordable. 24/7 monitoring and remediation. This is in partnership with another organization. We are not of a scale that we could provide 24 X 7 X 365 SOC services, but we partner with a company that enables us to do that. And it's 24/7/365 monitoring and remediation based upon your preference—artificial intelligence based, and human (actual human) remediation if you so choose. And it can escalate to our text 24/7 or to your own team. And it's about $10. It's $10 per device per month.
There's a screenshot of the product. Connects to your antivirus or your EDR, your firewall logs, through syslog workstations, Office 365. That one's really useful actually if you have Office 365 your email gateway—just about anything threat feeds which satisfy satisfies one of the NIST requirements and as I said escalation or immediate remediation as you choose. They can actually remediate. They can call us to remediate, or they can call you and it's U.S.-based screened staff and data center, which is important. 10 bucks per device per month.
Next sort of bundle is inherent in on-premises infrastructure. You really need to choose in active directory groups—group policy etc.
If you're fully cloud, which I doubt many people are, [Microsoft] Intune is probably the best way to manage that level of configuration management and the reality is—I said before—most federal contractors have CADD files, so they need to have on-premises infrastructure due to file size. And hybrid/on-premises is common.
So EDR, endpoint detection and response. This can knock off a lot of requirements with if you choose the right one. And, as I said, keeping the mix relatively small mix of tools. Relatively small i believe is in your benefit uh I don't believe traditional antivirus is sufficient for for the environment that they want you to have you need something that's “next generation” and I've listed a couple of them there.
Where we're high on single one at the moment. Sophos is very good. Fortinet is very good and the Microsoft Defender endpoint is very good as well, but we try to focus on one that meets most needs. SentinelOne ticks a lot of boxes in the list here. Again they should be behavior, not signature, based. Traditional antivirus is just signatures, so it requires updates. Behavior means it's looking at what is normal behavior and if there's strange behavior it's going to take an action or alert. And most of them start in, you know, “report” mode and then you move them into “protect” mode but there should be the ability to have immediate rule-based isolation of strange processes that is going on. And if they have a device-level firewall it should be centrally managed. That's…that knocks off a requirement.
Application control—white-listing and blacklisting—that knocks off another requirement.
And ideally some level of vulnerability scanning which would meet at least part of the vulnerability scanning the requirement.
And then patch compliance reporting they don't generally have patch management included, but they can tell you what level of patches are needed.
In general, forensics is sometimes included at a cost. It's nice to have but it gets quite expensive.
This one is what I call a sort of “paperwork bundle”—a lot of points, but a lot of work. It's not really tooling. It's managing processes that could be on paper or in SharePoint or something like that. Making sure that you have “least privilege” processes in place. And addition/change/termination of employees—sign off by appropriate managers, so people get access to only what they need to do their duties. And then regular role review.
Physical security—probably all lock down your buildings and have guest access procedures. Again there are some I.T. tools that can help with that but most small medium businesses do not have them. They have sign-in sheets and that sort of process, and then a lot of policies…you know sanitization of media and USB drives etc. vendor management vendor control, media management and marketing etc.
So a lot of non-I.T. stuff to be done there, but of course you probably are managing it in through the I.T. team.
This one is a tough one: the config management/patch management/vulnerability scanning bundle. You're going to need a combination of tools here—probably some group policy and/or Intune. At very least, you're going to have written configuration documents to which you make sure that servers and workstations and devices comply. Device imaging can be really useful in achieving that. And something to report on device compliance. Again your your EDR solution might help you report on that. You need to ensure end users are not local admins, otherwise you'll have a really hard time managing what gets installed. And ideally the ability to run some security hardening scripts from the central location.
Incident response is really big! Especially with the CMMC. I’m bundling it with change control because those two things in my mind are process are related. You need to have written plans and procedures for both.
Change control is a tough one for small medium businesses but it can just be a document that gets signed off by somebody. It doesn't have to be a real fancy process if you have that that's great! But it can be an Excel spreadsheet with approvals. SharePoint is great for that sort of stuff, but you need to build evidence that you're actually using it in in case of future audit.
And risk analysis should be part of change control I recommend a weekly meeting and approval of minor change controls at an I.T. level. Not everything has to go to management approval, but there should be monthly oversight by the security officer of what is going on and what any major changes in the incident response plan.
It's really helpful and useful to map out scenarios some playbooks etc. so that you are prepared in case of an incident.
And contacts are very useful! that sort of thing. And you really need to log all events which might become incidents to resolution, and have evidence that you're doing that on an ongoing basis. And these are probably fairly small but it's going to be a requirement that you show that you're you're bringing everything to resolution. And then you really need to understand the reporting requirements at state and federal levels.
VPN—I think everybody probably knows what that means: “virtual private network.”
DMZ—it's an acronym for “demilitarized zone.” It's a, you know, a subnet that connects to the internet and allows limited communication back to your main network.
And reducing your points of access is really important so that's the sort of the what I mean by this bundle
Ideally you would not have any public servers most people that have them—it’s probably Exchange or SharePoint. Those are hard to manage. If you can afford to go to GCC, or GCC High, that will help you, but not everybody can--it being about $50,000 a year for a 50 person company to go to GCC high.
At the highest level, do you need Outlook Web Access? Maybe not. Most people use that on their phones or devices these days.
Do you need non-guest wi-fi? Probably, but the less you can have, the better is my point here. Cut down the points of access to your Network. Ideally VPN only, with two-factor for remote access and all public an actual requirement a subnet for for public servers and you should have a DMZ for public servers including a front-end Exchange server if you have Exchange.
Very strict firewall rules and regular review of those is critical.
Cybersecurity training is not, in terms of the NIST scoring, not high in the list but it's important from a security point of view you can buy or build. Important that you have at least three levels users:
Some level of training but insider threat is required. And you should log all training. If you have an in-person training or a webinar make sure and save all those logs so you can provide evidence in case of an audit.
This one is really important, I think. It should see sign-off on training received before logging credentials are issued. And this could be a little bit of a challenge. People tend to start working, get a log in, and then they're off and running. You should really make sure they do their training, the cybersecurity training, before they get on the system just from a safety point of view and a procedural point of view.
Annual refreshes is the minimum. ideally quarterly. And you know, mandatory for new hires.
MFA—depending on how far along you are on your journey with this. You've gone through this. It was one of the more onerous requirements of NIST. Almost nobody had…not that many small businesses had it…beforehand. If you have self-assessed has been this compliant, you have to have had it. You need it for active directory, Office 365, VPN, and any access to the system, and also on the local devices. There was some sort of discussion about whether that was necessary, but you really do—in our opinion—you need it on the devices. And that's, you know, expensive to implement and some overhead in terms of the friction on users as they use the systems.
Solutions we like: We like the Duo solution because they've pretty much got a solution to everything from on-prem to VPN, to work with lots of different VPN providers, and remote desktop gateway etc. And it's not that expensive!
Microsoft is probably really only appropriate if you're using GCC. And we like the Fortinet as well. But there's a lot out there and we're not trying to say that these are the be-all and end-all but Duo is probably one that we like the best as a general rule.
So wireless access points—guest wireless etc. My recommendation is to have a separate line for guest access. You can have them separated within the within the firewall etc., but from a comfort point of view I recommend a separate line. It's not that expensive. And it doesn't have to be really high bandwidth for guests. And it should be active directory authentication. And you should MFA once you hit active directory. And you should encrypt all wireless traffic. Needles to say, but make sure it's ideally FIPS level and segments guest and internal traffic. If you need guest access.
To talk a little bit about FIPS, which is one of the again an onerous requirement, you have to look everywhere. You know it just really says “use FIPS level encryption for CUI,” and you know CUI can be in your email. It can be transferred by SMTP, your VPN--you know accessing CUI documents on your VPN for your firewall--you need FIPS encryption and all these different points. And do that for wireless as well, if you're using wireless for transmission of CUI throughout your organization which a lot of people actually are because it's hard to do without secure wireless these days.
Data at rest needs to be encrypted. Laptops need to be encrypted in FIPS mode thumb drives etc. This is relatively low. It's not many points on the NIST scoring but it's one of the hardest to achieve because everything changes all the time. You'll buy a firewall with software that's FIPS—on the FIPS list—and then the new version will not be; that sort of thing! So tough to manage especially since there's so many different places where you have to look for it.
So what does an engagement with EXP look like?
We're very low-key. We don't try to sell packages or contracts. We take a team approach generally—either with the internal non-technical leadership or the internal I.T. team. We'll do a gap analysis, project plan with dates and milestones. We can provide project management at every level our work with your project managers; technical assistance, contractual assistance, looking at the contracts and understanding or answering questionnaires and of course documentation assistance—which is really important.
And then we can be involved in the maintenance of your compliance program and the evolution of it.
So what are some of the costs?
And this is a very broad estimate… It's impossible for me to give an estimate for a varied audience without knowledge of systems but this will give you some idea. I like to go into specifics on this stuff because I think it's helpful to people but don't, you know, “don't hold me to anything!” I guess is what i'd say.
Maybe $6,000 to $10,000 for a gap analysis.
Documentation, getting your various different policies, procedures, security plan of action with milestones, self-assessments etc. maybe $6,000 to $10,000.
There's probably going to be some remediation projects, and you know again this is just a ballpark, excluding hardware/software: probably $20,000 to 30 000, hopefully not that much but there's always something to be done.
The EDR that we recommend is five dollars per user per month. That’s SentinelOne, but we do work with many others
And the SOC as a service is ten dollars per device per month.
So we've tried to find really good products that we can stand behind and know well that are appropriately priced for small medium businesses. I’m not sure if we mentioned that but we pretty much exclusively work with companies below 500 and the majority are below 100 users in the organization.
So in summary, before we go into question and answer time:
It's hard to do it alone! Apart from just the workload, the knowledge uh acquisition and management you're gonna need help. And whether that's from peers or from people like us, I don't think you can do this alone as a small/medium business.
And as mentioned we can help in various capacities. No minimums. If you want to use us to do a gap analysis for a few hours, you know, or just look at your systems we're happy to do that! We don't have a threshold for clients because we work with small/medium clients and we know that their budgets fluctuate.
And we have a simple one-page “terms and conditions” and no binding contracts.
The fact is though you do have to budget for compliance. And it's the new normal in defense contracting and in just about every other arena. We have lots of other clients we're working with who have vendor compliance programs from large tech companies you know Microsoft Amazon etc. GDPR is essentially being pushed out through the top companies. They're expecting anybody who does business with them to be compliant pretty much along the same lines; not quite to the same rigor as CMMC, but pretty much along the same lines.
And we'll happily spend an hour on the phone or in person looking at your environment for free for your attendance at this webinar just let us know by email and now we'll open it up to questions, and hopefully there'll be some questions…
Kelly Paletta:
Yeah there there are a few questions that have come in. Let me pull them up.
So one is: “Is enforcing encryption via Exchange ActiveSync adequate for mobile devices?”
Pat Cooke:
Well it's a basic solution. It doesn't say in in the requirements explicitly that you need to have a full-featured mobile device management, but you should at least have that. And what that does is ensures that the devices that connect to Exchange via Outlook on the mobile app are on encrypted devices and do have a passcode of various…or a reasonable amount of characters. So it sort of ticks the box, but if you want to do it right, you probably are looking at a mobile device management solution, which is another spend and management.
Kelly Paletta:
You know I have a question of my own too. As we're going through this and that is: that you mentioned some items being not many points but difficult to attain. My understanding though is that you need to get a 100% score, correct? Do you have any comments about the journey—a path that makes the most sense to get from where an organization might be today to CMMC level three by knocking off the most high-profile items or those sorts of… that sort of a route?
Pat Cooke:
Yeah sure it's it's a balancing act you know to a certain extent. Knocking off the easy stuff first makes sense. But if you're submitting the score as part of your self-assessment, you know you want that to be as high as you can possibly get. So I would focus on the high value bundles that that we've explained here.
You know FIPS is hard so you need to give yourself some time to do it. I think if you can do it straight off well and good, but you know it's an absolute requirement for level three. And uh you need to plan for it.
The issue is: you're gonna make purchasing choices now that you will need to stand to you as you get to full compliance so to a certain extent you have to look at everything with the the bigger picture but in terms of trying to get to completion, or good level of completion—75% or so, to me it makes sense to to focus on the high value bundles that I outlined in this presentation. And also they provide the most
Protection, I believe, in terms of actual security apart from just the requirements.
Kelly Paletta:
OK, got it.
And this question has come in from multiple sources: Will we be able to send out a copy of the PowerPoint presentation?
We'll be making the recording available and am I correct, Pat, that we'll be able to make the slide deck available for participants as well?
Pat Cooke:
Yeah so we'd be happy to send that to anybody who would like it. We'll send a pdf copy of the of the slide deck to all—everybody who attended—and they'll also link to the webinar.
Kelly Paletta:
Got it.
Another question: “What kinds of MFA are you finding useful for small companies?”
Pat Cooke:
Duo is probably the value/performance leader that we have come across. Again we don't pretend to know everything about everything but it does have various levels. It will protect your workstations, your VPN. If you're using remote desktop gateway, it's got a plug-in for that. So we find duo to be sort of the one that we think is most appropriate for small/medium businesses.
Again it depends on your environment.
If you've got on-premises that's a good one. If you're 100% cloud, which very few people are and you're in the Microsoft cloud, actually the Microsoft MFA, if you have conditional access is very good, we think as well.
Kelly Paletta:
Another question relates to something you said earlier. “Does your quote gap analysis include going through a system security plan, POAM, and generating a DoDAM score?”
Pat Cooke:
A good question!
It sort of depends on the scale. If it's a small company possibly at the higher end of the numbers that I quoted. If it's a very complex environment, no. The way I do a gap analysis though is to feed those three items so the tool that I use essentially gives you the raw material for the plan of action with my milestones. The system security plan—there's a little bit of extra work there in terms of documenting the actual systems and it gives you a score, so uh again I’m sorry to give a specific answer but it depends. In some cases it could, in some cases not.
But the tool I use makes those three documents a lot easier to address once i've gone through the gap analysis, if that makes sense.
Kelly Paletta:
Another one is: “Can you work remotely on compliance work?”
Pat Cooke:
Yeah. We work remotely with lots of companies on compliance work. It's good to have in-person meetings, but not necessary, and especially not if we're supporting an internal team with consulting or guidance or SOC as a service, or anything like that.
Kelly Paletta:
“What is the best way to secure Exchange on premises?
Pat Cooke:
That’s a tough one!
It was hacked pretty much globally in the last month or so. And I’m not sure that methods that were in place… It would have been hard for most companies to secure that but having an external facing server an internal facing server I have an external server subnetted locking down that server; locking down the protocols that are in use and of course you know MFA for all Outlook but it's a complex question I can't really answer but there are ways to do it but it got through the half name attack got through i'd say most people's defenses so the answer is you're never going to be able to fully protect that.
And it's hard to protect on-premises Exchange! One of the reasons being Microsoft. I believe is sometimes neglecting on-premises solutions because they want everybody to go to the cloud hope that answers your question.
Kelly Paletta:
There's a question asking you to speak to assistance in penetrating and landing projects.
Pat Cooke:
We are not a pen testing company. We can provide that through partners but that's not…forensics and pen testing are not things that we do. We do do vulnerability scanning, but that [pen testing] is probably not our or it's definitely not something that we do, but we do work with a company that does that sort of stuff.
Kelly Paletta:
The questions are still coming in: “Is a 24/7 SOC required for CMMC level three?”
Pat Cooke:
No. But it's hard for me to see how you could do it properly without that. It does not specifically mention [SOC]. It just says “regular review” but the question is: “how is a small business going to be able to do real-time regular review without some level of, first of all, a SIEM—a system information and event management system?”
Again it's not explicitly mentioned, but you got to have it for CMMC level 3. Now whether you're watching that yourself and responding to the incidents yourself is one thing. I think that's out of the reach—out of the realistic reach—of small/medium businesses so I would recommend it.
It's not required. It doesn't mention that anywhere.
Kelly Paletta:
“Do you have any ideas on best approaches to tracking/encrypting USB devices and thumb drives—you know external media/storage?
Pat Cooke:
Yeah. I think you need to look to an EDR—endpoint detection response package—that includes that, because that's a tough one to do. You can do it somewhat with group policy. So SentinelOne, the product that we like, allows you to restrict it to serialized encrypted USBs that have owners. That's a key requirement is that they the media needs to have owners and you can lock it down to FIPS encrypted USB drives and only allow those to be used in the system and they are owned by particular people. So there's probably other third-party solutions. But again try to keep your mix as small as possible. So “get an EDR that includes that,” would be my recommendation and both Sophos and SentinelOne include that.
Kelly Paletta:
That leads us to the end of our presentation today. Thank you very much for attending!
As we said before, we will email you a link to the video recordings. We'll make the slide deck available as well.
For those of you that have questions either that we weren't able to answer or that might not be appropriate for this setting you can contact me directly. We'd be happy to schedule a time to have a personal conversation. We can get Pat on the line with you nd direct your answers to your questions there.
And I think that brings us up to the end of our time for this session. Thanks once again for attending and that's all we've got. Thanks again.
Pat Cooke:
Thank you everybody and good luck with this process and we're happy to help in any way we can. Thank you!
Contact EXP directly to request a PDF copy of the slide deck.