By now, most business leaders understand the importance of achieving adequate IT security standards, especially if they have contracts with the US Department of Defense. The CMMC program aims to standardize these requirements across the entire Defense Industrial Base, effectively replacing the DFARS 252.204-7012 clause.
Perhaps the most significant challenge of achieving a high-level CMMC certification is that it is not always entirely clear exactly what constitutes adequate security. While the NIST SP 800 171 framework, upon which CMMC is based, is clear on which controls you need to achieve a high standard of security, exactly how you implement them is largely up to you.
A security gap assessment goes beyond simply determining which controls you currently have in place. It will also evaluate how effective those controls are, thus building the foundations for a fully documented cybersecurity framework to demonstrate your security capabilities. A gap assessment will ultimately uncover potential vulnerabilities and help you prioritize remediation strategies. That way, when the time comes to have a formal CMMC audit, you should be ready to earn your desired certification level.
Here are some of the key issues that a gap assessment should uncover:
#1. Weak access controls
Weak access controls are the bane of any technology and operational infrastructure. The fact that the average business now has hundreds of connected devices in use means there is likely to be multiple single points of failure. Many of these are a result of weak access controls or a lack of adequate endpoint security. A gap assessment will reveal devices and services lacking strong access controls, such as zero-trust security and multifactor authentication.
#2. Improper data storage
CMMC compliance does not only concern data confidentiality and security. It encompasses integrity and availability too. Improper storage for data records not only poses a security threat, but also a very real risk of accidental data loss. Backup and disaster recovery strategies must be complete and fully documented to reduce risk to both your business and your clients. Gap assessments will also evaluate these areas to ensure maximum availability and data integrity.
#3. Lack of a disaster response plan
A disaster response plan covers more than just backup and disaster recovery. It also offers a uniform approach to how you tackle matters like data breach notifications and remediation. If you do not have an up-to-date disaster response plan, then an otherwise minor incident could lead to far-reaching consequences. This may include contract cancellations or even litigation. A gap analysis will thoroughly inspect your incident response capabilities too.
#4. Insufficient network segmentation
Most defense contractors do not work exclusively with the DoD, and instead may serve a wide range of industries. However, CMMC compliance has some unique requirements that non-defense-contractors might not need to worry about. It might not always be practical to achieve the highest possible security standards across your entire network, which is why it is important to segment your network appropriately. In other words, any data that falls under the auspices of CMMC should be contained and isolated, rather than spread across multiple systems with multiple single points of failure.
#5. Inadequate security awareness
The common misconception holds that IT security is the sole responsibility of the technology department and the CISO. This is simply not the case, especially at a time when data breaches almost invariably have a social engineering element. These scams can target any employee, which is why everyone needs to be aware of the risk and held accountable for their actions. Security awareness training is critical for all administrators and employees. After all, security is everyone’s responsibility.
#6. Lack of IT security documentation
It is also imperative that you have a comprehensive and up-to-date documentation of your IT security and training efforts. This serves as objective evidence for the practices and controls you have put in place to achieve CMMC compliance. A gap assessment will also evaluate all your policies and related documentation to ensure they align with the reality of your current situation. This documentation will also help you plan and prioritize remediation strategies to progressively improve your cybersecurity maturity.
Charles IT can provide a comprehensive security gap analysis to measure your current state of conformity to the NIST 800-171 IT security framework. Call us today to book your gap test!