The CMMC Rule is FINAL!


Woooohoooo, the long awaited CMMC Rule will be published on the Federal Register on October 15, 2024. The Wrightbrained team has spent some time looking at the document. Clarifications are a big theme. Everyone in the CMMC ecosystem had a lot of questions and there were several that stood out as the most common. I want to write about all of them, but I think I am going to write about them one at a time. First I am going to go over the alphabet soup – SPD, SPA, MSP, ESP, CSPs, Oh my!

Security Protection Data (SPD) and Security Protection Assets (SPA) in CMMC

Security Protection Data (SPD) is a new term that first made an appearance when the proposed CMMC rule was published, leaving many (including yours truly) seeking a definition. According to the rule, SPD refers to data necessary for managing and operating security tools that protect Controlled Unclassified Information (CUI). This includes things like configuration files for security appliances, vulnerability scan results, passwords for accessing the in-scope environment, and logs from Security Information and Event Management (SIEM) systems.

Security Protection Assets (SPA) are assets that provide security protection for CUI. Examples include firewalls, intrusion detection systems, antivirus software, and even physical security measures such as fences or security cameras.

When it comes to assessments, the evaluation of SPD is typically conducted as part of the assessment of the SPAs managing that data. While SPD itself may not be directly assessed against CMMC requirements, the SPAs processing or storing SPD are assessed based on their role in protecting the Organization Seeking Assessment (OSA)’s environment.


SPD and External Service Providers (ESPs)

The assessment requirements for External Service Providers (ESPs) handling SPD depend on two factors:

Cloud Service Provider (CSP) Status: Whether the ESP is a CSP determines the applicable requirements.

CUI Handling: If the ESP also processes, stores, or transmits CUI, it influences the assessment scope.

ESPs that handle only SPD and do not deal with CUI are not required to undergo a CMMC assessment. Instead, their services are considered part of the OSA’s assessment scope and are assessed as Security Protection Assets (SPAs).


It is crucial for OSAs to clearly document their use of ESPs, including those handling SPD, within their System Security Plan (SSP). This documentation should specify:

• The relationship between the OSA and the ESP.

• The services provided by the ESP.

• How the ESP’s services contribute to meeting CMMC requirements.

Although SPD itself isn’t directly assessed against CMMC requirements, it plays a crucial role in safeguarding CUI within the OSA’s environment. The assessment of the SPAs processing or storing SPD is what ensures security compliance.


External Service Providers (ESPs)

An External Service Provider (ESP) is any entity external to the OSA that provides services supporting the OSA’s fulfillment of CMMC requirements. This includes CSPs, Managed Service Providers (MSPs), and Managed Security Service Providers (MSSPs). ESPs that only store SPD or provide SPAs, without handling CUI, are not required to obtain a CMMC certification. Instead, it is the responsibility of the OSA to assess the effectiveness of the security protections the ESP provides.

ESP Assessment Requirements:

If the ESP is a CSP:

• Processing, Storing, or Transmitting CUI: Must meet FedRAMP requirements as outlined in DFARS clause 252.204-7012.

• Not Processing, Storing, or Transmitting CUI: Not required to meet FedRAMP requirements but will be assessed as part of the OSA’s CMMC assessment as SPAs.

If the ESP is not a CSP:

• Processing, Storing, or Transmitting CUI: Requires a CMMC assessment to verify compliance with CUI safeguarding requirements.

• Not Processing, Storing, or Transmitting CUI: Does not require a CMMC assessment but is still included in the OSA’s assessment scope.

Voluntary Assessments: ESPs that are not CSPs and do not handle CUI can voluntarily request a CMMC assessment to demonstrate their commitment to security and possibly gain a competitive advantage.


Managed Service Providers (MSPs)

Managed Service Providers (MSPs) are a type of ESP that provides IT services, which often include managing and maintaining the client’s IT infrastructure and end-user systems. Their assessment requirements are contingent on whether they are a CSP and whether they handle CUI.

MSP Assessment Requirements:

If the MSP is also a CSP:

• Processing, Storing, or Transmitting CUI: Must comply with FedRAMP requirements as outlined in DFARS clause 252.204-7012.

• Not Processing, Storing, or Transmitting CUI: Does not require a CMMC assessment but will be considered part of the OSA’s assessment scope as SPAs.

If the MSP is not a CSP:

• Processing, Storing, or Transmitting CUI: Must undergo a CMMC assessment to verify compliance with CUI safeguarding requirements.

• Not Processing, Storing, or Transmitting CUI: Does not require a CMMC assessment but is included in the OSA’s assessment scope.

Examples

• An MSP providing full IT management and storage of CUI would need a CMMC assessment if it is not a FedRAMP-authorized CSP.

• An MSP establishing a VPN connection with the OSA’s equipment would need to meet the OSA’s external access requirements as part of the CMMC scope.

Requirements for Cloud Service Providers (CSPs) Handling CUI

The CMMC program outlines specific requirements for Cloud Service Providers (CSPs) that handle Controlled Unclassified Information (CUI). These are driven by DFARS clause 252.204-7012, which mandates that CSPs handling CUI implement FedRAMP Moderate or equivalent security controls.

FedRAMP Moderate or Equivalent:

CSPs that process, store, or transmit CUI must meet the security requirements of FedRAMP Moderate or an equivalent security standard approved by the DoD. CSPs handling CUI are not permitted to operate below this security level.

CMMC Assessment (Typically Not Required):

CSPs are generally not subject to direct CMMC assessments. Instead, the OSA using the CSP is responsible for assessing the CSP’s security posture and compliance.

OSA Responsibilities:

When an OSA uses a CSP to handle CUI, the OSA must:

• Ensure that the CSP meets FedRAMP Moderate baseline or an approved equivalent.

• Document responsibilities in the CSP’s Customer Responsibility Matrix (CRM) within the System Security Plan (SSP).

Exceptions:

1. ESPs as CSPs: If an ESP acts as a CSP and handles CUI, it falls under the OSA’s CMMC assessment scope and must meet FedRAMP Moderate requirements.

2. Contractual Requirements: In some instances, a DoD contract may require a direct CMMC assessment for a CSP.

Stay tuned for more clarifications of the clarifications. I think I’ll do POAMs next!