September 30, 2021
Security, Encryption, Regulatory Compliance, CMMC

How Encryption Enables CMMC Compliance

As the Defense Industrial Base (DIB) begins preparing to meet Cybersecurity Maturity Model Certification (CMMC) compliance, companies need to know where they fall in the maturity model and how to move forward. As organizations move towards meeting these new requirements, understanding how the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule aligns with CMMC Certification can help streamline your compliance program. 

What is CMMC?

CMMC is a cybersecurity maturity model rather than a regulation, meaning that it establishes a set of best practices for policies and procedures so that organizations can create benchmarks for measuring their cybersecurity controls’ effectiveness. 

CMMC sets out five levels based on the type of federal information an organization collects, processes, and transmits. Additionally, CMMC increases the number of controls necessary for compliance as an organization moves along the maturity scale. 

Finally, in an attempt to secure the DIB supply chain, CMMC requires contractors to oversee their subcontractors’ compliance. Thus, many prime contractors will be required to monitor and review their subcontractors’ cybersecurity compliance. 

What is the DFARS Interim Rule?

Effective November 30, 2020, the Interim Rule requires companies seeking Department of Defense (DoD) contracts to implement a DoD Assessment Methodology and CMMC framework that applies the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security requirements. The Interim Rule focuses explicitly on any “covered contractor information systems” that store, process, or transmit Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). 

The Interim Rule requires organizations looking to bid on DoD contracts to engage in both NIST SP 800-171 and CMMC assessments. Additionally, the Interim Rule states that a contractor must account for “information flow down to its subcontractors in a multi-tier supply chain.” In other words, an organization is responsible for ensuring that its subcontractors meet the same assessment requirements to bid on a contract successfully. 

What is the difference between the Interim Rule and CMMC?

Several differences exist between the Interim Rule and CMMC. However, fundamentally, the Interim Rule paves the way for organizations to determine their CMMC Level and how mature their programs are. 

Levels

Both CMMC and the Interim Rule set out levels that organizations need to define for themselves. However, they structure these differently. 

CMMC

CMMC levels are based on the type of information an organization collects, processes, and shares. Two types of information are involved in CMMC compliance. Federal Contract Information (FCI) is defined as information provided by or generated for the Government under contract and not intended for public release. Controlled Unclassified Information (CUI) is defined as information that falls under Executive Order 13526, Classified National Security Information, meaning that a company must prevent it from being disseminated.

  • Level 1: Performing best practices for cyber hygiene but often on an “ad hoc” basis, only manages FCI.
  • Level 2: Documenting processes for consistency as intermediate cyber hygiene, manages FCI and CUI.
  • Level 3: Managing processes for good cyber hygiene programs, manages FCI and CUI.
  • Level 4: Reviewing and measuring activities for a proactive cybersecurity program, manages FCI and CUI.
  • Level 5: Optimizing and standardizing processes across the organization for an advanced/progressive cybersecurity program, manages FCI and CUI.

Meanwhile, the Interim Rule establishes only three assessment levels. 

  1. Basic: a self-assessment that shows implementation status and includes a review of the system security plan; it yields a self-generated score with low confidence.
  2. Medium: a DoD-conducted assessment that reviews the system security plan descriptions and documents summary-level scores; it yields an externally generated score with medium confidence.
  3. High: a DoD-conducted assessment with on-site or virtual verification, examination, or demonstration of the system security plan’s effectiveness; it yields an externally generated score with high confidence, complete with assurance documentation.

Assessment Type

Although both are considered assessments, CMMC requires a CMMC Third-Party Assessor Organization (C3PAO) to provide an independent report. The Interim Rule is a self-assessment or assessment done by DoD personnel that needs to be forwarded to the DoD.

Controls

CMMC leverages NIST SP 800-171 controls but also incorporates additional controls for Levels 3 and above. The other requirements include the ones outlined in DFARS Clause 252.204-7012. Meanwhile, the Interim Rule limits necessary controls to those contained in NIST SP 800-171. Additionally, the Interim Rule provides a scoring system, weighting controls by importance. All organizations need to submit a self-assessment showing their score with a “perfect” score considered 110 points. If an organization does not score 110, it needs to submit a plan with a timeline for implementing all controls and achieving the required score. 

How encryption enables organizations to meet Interim Rule and CMMC compliance

Ultimately, the Interim Rule acts as a precursor to CMMC compliance. Organizations that need to meet CMMC Levels 3 and above must incorporate all NIST SP 800-171 controls. Because Level 2 is considered a transitional stage, organizations need to implement 65 NIST SP 800-171 controls for that level as well. 

The NIST SP 800-171 scoring methodology mentions encryption several times, as both a Basic Security Requirement and a Derived Security Requirement. A Basic Security Requirement is one that, if not implemented, renders any Derived Security Requirements (or subsets of them) ineffective. Basic Security Requirements are weighted at 5 points, while Derived Security Requirements are weighted at either 3 or 1 point. Controls weighted at 3 or 5 are considered more important than those weighted at 1.

The following Security Requirements incorporate encryption specifically:

Requirement Number | Text | Value
3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions | 5
3.1.17 | Protect wireless access using authentication and encryption | 5
3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | 3
3.5.10 | Store and transmit only cryptographically-protected passwords (Comment: encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords) | 5
3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards | 1
3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards | 3
3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems | 1
3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Subtract 5 points if no cryptography is employed; 3 points if mostly not FIPS-validated | 3-5

Additionally, several other requirements imply encryption as a best practice without using the term. For example, 3.13.16 states, “Protect the confidentiality of CUI at rest,” and encrypting digital data at rest is one control that would meet this Security Requirement. 
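The scoring rule described above (start at 110, subtract each unimplemented control’s weight, with 3.13.11 costing 5 or 3 points depending on what cryptography is in use) is easy to get wrong when done by hand. The following is an added worked example, not code from Atakama, NIST, or the DoD: it applies that rule to the encryption requirements in the table. The point values are those in the table; the short requirement labels, the `FipsStatus` names, the function names, and the scenario at the bottom are constructed for illustration, and the calculation assumes every requirement not in the table is already implemented, so only the encryption controls move the score.

```python
"""Interim Rule scoring, restricted to the encryption-related NIST SP 800-171
requirements in the table above. Added illustration; point values come from
the table, everything else (labels, names, scenario) is constructed."""
from enum import Enum

PERFECT_SCORE = 110  # the "perfect" score under the Interim Rule methodology


class FipsStatus(Enum):
    """How 3.13.11 is satisfied; the member names are assumptions for this example."""
    NONE = "no cryptography employed"
    MOSTLY_NON_FIPS = "cryptography employed but mostly not FIPS-validated"
    FIPS_VALIDATED = "FIPS-validated cryptography employed"


# Fixed-weight requirements: id -> (short label, points lost if not implemented).
ENCRYPTION_REQUIREMENTS: dict[str, tuple[str, int]] = {
    "3.1.13": ("confidentiality of remote access sessions", 5),
    "3.1.17": ("wireless access protected by authentication and encryption", 5),
    "3.1.19": ("CUI encrypted on mobile devices", 3),
    "3.5.10": ("only cryptographically-protected passwords stored/transmitted", 5),
    "3.8.6": ("CUI on digital media encrypted during transport", 1),
    "3.13.8": ("CUI encrypted during transmission", 3),
    "3.13.10": ("cryptographic keys established and managed", 1),
}


def deduction_for_3_13_11(status: FipsStatus) -> int:
    """3.13.11 is the one variable-weight control in the table: 5 points off if
    no cryptography protects CUI, 3 off if it is mostly not FIPS-validated, and
    nothing off when FIPS-validated cryptography is used."""
    if status is FipsStatus.NONE:
        return 5
    if status is FipsStatus.MOSTLY_NON_FIPS:
        return 3
    return 0


def score_encryption_controls(
    implemented: set[str], fips_status: FipsStatus
) -> tuple[int, list[tuple[str, int]]]:
    """Start at 110 and subtract the weight of each unimplemented control.

    Returns the resulting score and the list of (requirement, points lost); that
    list is exactly the set of gaps a remediation plan would have to cover.
    """
    unknown = implemented - set(ENCRYPTION_REQUIREMENTS)
    if unknown:
        raise ValueError(f"not an encryption requirement from the table: {sorted(unknown)}")
    deductions = [
        (req_id, weight)
        for req_id, (_, weight) in ENCRYPTION_REQUIREMENTS.items()
        if req_id not in implemented
    ]
    lost = deduction_for_3_13_11(fips_status)
    if lost:
        deductions.append(("3.13.11", lost))
    return PERFECT_SCORE - sum(w for _, w in deductions), deductions


def needs_plan_of_action(total: int) -> bool:
    """Per the Interim Rule, anything short of 110 must be accompanied by a plan
    and timeline for implementing the remaining controls."""
    return total < PERFECT_SCORE


if __name__ == "__main__":
    # Constructed scenario: remote access, wireless, passwords and transmission
    # are covered; mobile devices, media transport and key management are not;
    # the cryptography in use is mostly not FIPS-validated.
    done = {"3.1.13", "3.1.17", "3.5.10", "3.13.8"}
    total, gaps = score_encryption_controls(done, FipsStatus.MOSTLY_NON_FIPS)
    print(f"score: {total}/{PERFECT_SCORE}")
    for req_id, pts in sorted(gaps, key=lambda g: -g[1]):
        label = ENCRYPTION_REQUIREMENTS.get(req_id, ("FIPS-validated cryptography",))[0]
        print(f"  -{pts}  {req_id}: {label}")
    if needs_plan_of_action(total):
        print("plan of action with timeline required")
```

Running the constructed scenario gives 102 points: the three missing controls cost 5 points in total and the non-FIPS cryptography another 3. The deduction list is sorted by weight so that the 5-point Basic Security Requirements surface first, which is the order in which a remediation plan should address them.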

Atakama: Distributed KMS Encryption Solution for Data In-Transit and At-Rest

With the Interim Rule now in effect, organizations need an encryption solution that they can rapidly deploy to meet some of the most essential Security Requirements. Additionally, because the Interim Rule acts as a stepping stone to CMMC compliance, organizations obtaining a NIST SP 800-171 score of 110 will be closer to certification than those not earning the score. 

Atakama’s distributed KMS encryption solution can be quickly deployed, piecemeal or across the entire organization, enabling companies to mature their security and compliance programs more rapidly. Once deployed, organizations will immediately benefit from Atakama’s multifactor, granular level of security without interference in day-to-day operations. With Atakama, files can remain stored in the same cloud-based storage locations or on-prem servers already in use. 

Additionally, when users share files, Atakama relies on the same distributed KMS architecture to ensure that the intended recipient is accessing the file. Atakama prevents accidental sharing and ensures encryption over data both at-rest and in-transit. 

Unlike other encryption solutions, Atakama makes it easy for end-users to interact with encrypted data while also continuously enforcing security and privacy controls. 

For more information about how Atakama can help your organization meet Interim Rule and CMMC requirements, contact us for a demo.
