Piecing Together the CMMC Puzzle Requires “Creative Compliance”
By now the Defense Industrial Base, the collective of Department of Defense (DoD) prime contractors, subcontractors, and suppliers, has heard the warnings being issued regarding the emergent release of the Cybersecurity Maturity Model Certification (CMMC) framework. It’s a daunting compendium of 110 cybersecurity “practices” that the DoD requires its contractors to self-attest to doing today and could enforce through third-party audits of the same as early as mid-2023.
On the upside, CMMC endeavors to change organizational behaviors by encouraging and normalizing a more persistent information security focus. Who could argue with that, right? After all, we witness every day how the dangers in cyberspace are substantial and intolerable. Consider too that the manner in which the DoD openly shares information with its suppliers has created an unhealthy cyber ecosystem over time, as a vulnerability to one has become a risk to all. Therefore, the DoD is intent on leveraging its buying power and reshaping the cyber ecosystem toward greater security at a national scale, lowering the likelihood of successful attacks.
On the downside, there is no silver bullet to becoming CMMC compliant. Finding the right solution to 110 problems could involve a different answer for each. From a business viability perspective, acquiring and maintaining 110 solutions is not only a technical nightmare, but also a fiscal impracticability. It stands to reason then that the best option for combining success and compliance is to find most answers in the fewest solutions – a form of “creative compliance” that can fulfill several requirements in a single capability.
One of the best multipoint solutions available today is the BlocSec Sollensys™ Technology called Sollensium™ – a unique technology that can make quick and easy work of several of the 110 CMMC problems. Sollensium™ is a private, double blockchain that allows clients to upload, encrypt, secure, and safely recall any type of data, including video assets, which is a first for blockchain technology.
Successful businesses use Sollensys™ to create immutable repositories for their most critical government data and intellectual property. Files backed up into the Sollensium™ blockchain are encrypted, fragmented, and distributed across thousands of U.S.-based nodes to ensure that information can never be changed or corrupted. It’s an equally simple process to restore files when needed. Authorized reconstitution automatically reassembles the unique blockchain sequence and reforms a perfect, unchanged, and uncorrupted archive of the data. Every file and system image is securely restored and ready for immediate use.
Here are some examples of how Sollensium™ helps tackle CMMC compliance:
Incident Response IR.L2-3.6.1 – INCIDENT HANDLING: Establish an incident-handling capability that includes recovery. Utilizing Sollensium™ for system recovery and restoration can promptly return systems to pre-incident functionality. Additionally, Sollensium™ is ideal for storing immutable evidence of an incident. Organizations leverage Sollensium™ as part of improving their overall resilience to future attacks.
Incident Response IR.L2-3.6.3 – INCIDENT RESPONSE TESTING: Test the organizational incident response capability. Sollensium’s™ archive reconstitution capability makes it easy to practice and demonstrate how to restore system images and files, well before it’s ever needed in a crisis.
Media Protection MP.L2-3.8.1 – MEDIA PROTECTION: Protect (securely store) digital system media containing Controlled Unclassified Information (CUI). The Sollensium™ process of encrypting, fragmenting, and distributing file fragments acts as a form of cloud-based off-site storage to ensure immutable protection of digital artifacts.
Media Protection MP.L2-3.8.2 – MEDIA ACCESS: Limit access to CUI on system media to authorized users. Access to every Sollensium™ archive is protected by a multifactor authentication (MFA) combination of a username (something you are), password (something you know), and an authenticator code (something you have).
Media Protection MP.L2-3.8.6 – TRANSMISSION ENCRYPTION: Implement cryptographic mechanisms to protect the confidentiality of CUI during transport. All information uploaded into Sollensium™ is cryptographically secured using Transport Layer Security (TLS) as an asymmetric public key infrastructure. Proper encryption ensures that even if data is intercepted, it’s rendered inaccessible.
Media Protection MP.L2-3.8.9 – PROTECT BACKUPS: Protect the confidentiality of backup CUI at storage locations. Information storage locations vary and may include cloud backup. Sollensium™ ensures that CUI remains private (confidentiality) and unchanged (integrity). It maintains confidentiality through file encryption, fragmentation, distribution, and managing who has access to the information.
Risk Assessment RA.L2-3.11.1 – RISK ASSESSMENTS: Periodically assess the risk to operations (including mission, functions, image, or reputation), assets, and individuals, resulting from the processing, storage, or transmission of CUI. Risk arises from anything that can reduce an organization’s assurance of mission/business success; cause harm to image or reputation; or harm individuals, other organizations, or the Nation. Therefore, it’s imperative to assess the risk to operations and assets at regular intervals. Sollensium™ is a complete and scalable disaster recovery solution designed to address system weaknesses or vulnerabilities related to the:
· inadvertent actions of people, such as modification of information;
· intentional actions of people inside and outside the organization;
· failure of systems to perform as intended;
· failures of technology; and
· external events, such as natural disasters, public infrastructure, and supply chain failures.
It’s clear then that Sollensium™ is a valuable tool to have in any organization’s toolset. Using Sollensium™ as part of a robust backup and disaster recovery program helps ensure that any business’ worst day isn’t its last day.