Things You Should Prepare for BEFORE Your Assessment w/Amira Armond
Climbing Mount CMMC, July 25, 2024

(Season 2 Episode 10) Bobby Guerra and Amira Armond discuss various cybersecurity challenges and solutions. They emphasize the need for strong physical defenses, proper training, and encryption when dealing with external media. They also highlight the importance of securing contractor-managed assets and implementing security measures across the entire network. 

It is critical for organizations to have a clear understanding of their entire network and the assets within it, even if they are not considered CUI assets. Lastly, Bobby and Amira have a discussion on the reporting requirements for cyber incidents in the defense contracting industry.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back, climbers! I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC. In today's episode, Bobby is joined by Amira Armond, and they are going to be talking about things you should prepare for before taking your CMMC assessment. These include things like

[00:00:22] USB drives, taking your CUI information outside of your container, and more. Well, okay. So you have some heavy-hitting things that I think, if you don't take pause to really think about how you're doing these things, you could end up having a bit of a surprise when

[00:00:45] it comes time for your assessment. So Amira, hit us. I think the first on the list was USB, right? Sure. External thumb drives. So, from a scoping perspective, right? Scoping is where companies really get in trouble in CMMC. The individual requirements, generally,

[00:01:10] if you mess it up, you can fix it fairly fast, right? There's a couple that are hard to fix. But scoping is one of those ones where you should be spending the effort to get that right way in

[00:01:25] the beginning, right? If you're not super smart at CMMC, pull in an expert. Such good advice to get the scoping right. I mean, how long would it take for that meeting? A few hours? Five hours if you're a big company, maybe 10 hours if you're a very large company,

[00:01:43] right? It's not that much cost compared to, like, even one IT person doing the wrong thing for a moment. Oh yeah, for sure. Money well spent. Scoping is one of those things where you really want to get it right, and that includes talking through how your data flows.

[00:02:07] Well, the introduction of USB devices is a critical aspect to get right, because there's so many possibilities that could go right or wrong with that process. And from my experience in just scoping for us and working through that, it sucks when you realize that you just put yourself

[00:02:26] in a dead-end road and you're like, well, we're gonna have to double track and we're gonna have to figure out how to address this, and it's not a good feeling. So that meeting could just

[00:02:35] save your bacon. Please, please, please listen to that advice on that. But when you're dealing with USB devices, you have people that are remote, you got people that are local in the office.

[00:02:46] How do you wrap your arms around that? So external thumb drives are one of the things that will take a virtual assessment, or a virtual network where we really don't need to go on

[00:03:00] site. We don't need to even secure a physical facility. If you add external media, that's one of those triggers where the assessors will say, okay, your facility is now in scope. Even if you're

[00:03:16] like, I don't have a facility, they're gonna be like, well, something's in scope, right? That might be your home at this point. If you don't have a secure facility, or maybe you just are not eligible

[00:03:28] to be certified because stuff is wrong, right? So external thumb drives, we're talking about ones that have CUI on them. We're not too worried about other stuff, you know, so from an IT perspective, if you've got a thumb drive that you're using to reinstall Windows

[00:03:54] to gears, it's not a big deal, okay? We're fine there. You want to do the stuff, you want to, you know, label it right, identify who the owner is, but not a big deal. But when you

[00:04:09] take CUI off of your computer, or off of your virtual environment, and you put it onto external media that can move, that's when we start needing really strong physical defenses, right? So if you've got a physical facility, you keep it inside the facility, maybe you

[00:04:31] have a check-in and check-out procedure, right? Let's keep it in a safe when it's not in use. And that's very, very common for the manufacturing folks, because they'll have operational technology, they'll have, say, you know, a machine that cuts metal, and they'll use the external media

[00:04:53] to program it. Yeah, that could be built into their process. Yeah, yeah, and that's a perfectly normal, acceptable data flow, but you don't want to have that media just kind of, like, floating

[00:05:07] around the shop. Because I was even sitting in my CCP class and they were talking about, oh, because you're having to carry it in the building, it has to be, you know, all, you know, there's all

[00:05:21] these requirements that you have to do even if you're inside a physical building, and it has, you know, the guy with the bat, to steal your analogy that you have, right? That's there

[00:05:35] protecting it as it's being escorted. Is that enough? I mean, because it's so portable, in your pocket. Like, it actually is generally enough. I've seen people pass their assessment, right, that, you

[00:05:57] know, they're implementing properly with a full set of user training, right? So you want to have some pretty strong training. Maybe you make a PDF booklet, right? Here's how we handle external media: it goes

[00:06:13] from, you know, this locked safe to the computer to get programmed, to the machine, and then, you know, back to the safe at the end of every day, right? Or maybe you do have a secure manufacturing

[00:06:30] facility where, you know, it is a guarded perimeter, right? And it's like, as an assessor, this is not great, right? I don't like advocating for not-great solutions, but really,

[00:06:47] as long as you make sure it stays inside that perimeter, it's okay. We want to know where the stuff is, right? So don't, like, just put it in random places, and golly goodness, don't stick it, you know,

[00:07:02] don't let your employees take it home, right? Because that's going to be an instant, oh my gosh, this is, as soon as it leaves the boundary of the physical protection, right? Right. Now, if you do for some

[00:07:13] reason need to take it outside of a physically protected area, what are some options? Well, there are thumb drives that encrypt themselves, right? They're FIPS 140-2 encrypted. You have to, like, put in a PIN code, yeah, to unlock them. I've never used one of those

[00:07:38] but I've seen them. Yeah, I've seen them in our assessments. It's pretty cool technology, and that's one really good way to reassure your assessors that you're taking protections, right? And of course, you know, Windows, some other technologies can encrypt it, right, but then probably it's not

[00:08:03] going to work too well with the operational technology, so who knows about that? But you can, you know, you can have a process to guard stuff when it's outside of the perimeter and then make

[00:08:17] sure it goes into a locked safe again, or a locked area, and just know where it is until it returns, right? And that's generally what we're looking for. The main thing I wanted to point out

[00:08:30] is just understand that when you put CUI outside of your computer, that's when we start pulling in the facility, whether or not you want the facility to be in scope, right? Because a lot of

[00:08:41] people are making enclaves that are virtual, and that means that most of the infrastructure is in a cloud. It doesn't mean that there's no physical facility, it just means that the facility is now in that cloud's data center from an assessment perspective, right? And then they've

[00:09:04] got lots of money, they can do security for you, that's fine. But as soon as you start moving CUI off of your computer, that's where the facility gets a little bit crazy. And you see a lot of people

[00:09:18] like, we can get you CMMC ready within, you know, months, weeks, I've even heard advertisements, days. That might be one that you don't want to go for. I'm like, heck to the no, but yeah, that's a whole other podcast. But

[00:09:43] there are lots of situations, because we've kind of grown up and cut our teeth in manufacturing, you know, OT environments, you know, long production-type lines of things. You know, taking all that and magically assuming it's all going to nice and

[00:10:00] neatly stay like a Tetris inside that enclave is just not realistic in the manufacturing world. You're gonna have to pull it out, you're gonna have to use it. One of those mechanisms is definitely

[00:10:12] going to be removable media. So once you pull it out of that enclave, what are some thoughts, Amira, that you really need to think about, about how that, I don't want to use the word poison, but

[00:10:24] it's gonna change the scope, right? It's gonna change the on-site. Like, if you just envisioned that you have this cloud solution and that's where your scope is at, but the moment you start putting it on devices, like you said, even if it's your physical

[00:10:38] device and you start walking it around on the floor and doing those types of things, what is, well, okay, so there's very strong precedent that if you have your scope limited to the

[00:10:57] cloud and laptops, they're encrypted and secure, and even mobile phones, that as long as those laptops have a really strong firewall on them, right, they're protected from the outside world, they're not sending any unencrypted CUI, all their communications are encrypted, basically, to a cloud,

[00:11:19] that you don't need to have your local facility in scope. Very strong precedent, which is great, because facility protections, actually that little family of cybersecurity, can be one of the

[00:11:38] most expensive parts of CMMC, right? If you need to redesign your building, that's very expensive. So for most cases, if you can avoid putting your facility in scope, you want to, right? With

[00:12:00] operational technology, what I've seen is that you're generally going to need at least a physical computer to program that OT, right, and to manage it, right? So maybe connect into the

[00:12:12] network, do stuff, and then get out. And if you get an enclave with real computers, which is pretty rare to see, that's one of those ways to do it. But I think we've probably

[00:12:31] talked as much about the media protection as we can. Do you want to talk about specialized assets? Yeah, sure. Okay, so an area that I wanted to bring up

[00:12:52] is the topic of specialized assets, which, you know, according to CMMC scoping, we can kind of ignore them. Okay, so let me rephrase that, let me give some clarity on that,

[00:13:06] so I was like, what? No, right? So, but I'm not wrong, okay. So we've got these categories of assets that you have to apply, you have to apply asset categories to each

[00:13:27] of the things in your network, right? So there's the CUI asset, that's the stuff that's like a regular computer, a regular server that has controlled unclassified information on it, and that needs to be really secure, right, all the security. And then you've got the security protection

[00:13:46] assets, that's the stuff like your antivirus server, your log server, you know, heck, your IT person, and that doesn't necessarily have any CUI on it, but you're still supposed to protect

[00:14:02] it like crazy, because that could be used to attack the rest of your network, right, because they've got admin rights, essentially. Whatever your asset is on, that's an SPA. And then we've got contractor risk managed assets, which are, they don't have CUI, they don't do security,

[00:14:26] they're just kind of there, they're nearby, right? They're in scope because they're next to the CUI. That could be your accountant. They could be a critical detail of it too, right? I mean, like,

[00:14:39] some of that equipment is like, it's where it's been made, right? So the cybersecurity people are going to be like, ah, what are we doing with the contractor risk managed assets? Because, for example, so you've got a network with 100 computers

[00:15:05] and, you know, you're doing what you need to for the CUI stuff, right? The stuff that you're going to fail your assessment on, you're throwing all the security at, and then you've

[00:15:18] got these other computers that are on the same network, right next to the CUI, and they're this CRMA category, which isn't really assessed. You don't need to do all the security requirements for it. What's appropriate isn't well defined, right? The DoD probably thinks more

[00:15:41] security is appropriate. There's lots of people in the industry that say less security is appropriate, right? And as assessors, the minimum bar is, quite honestly, we just acknowledge that

[00:15:59] they exist and we don't check them that hard, and that's what we have been trained to do according to precedent from the DoD DIBCAC assessments. Okay, they just say, great, it exists, we're not

[00:16:15] checking it that hard, because it doesn't have CUI on it. We're going to make sure the CUI is protected, that stuff exists, right? But we all know that if you've got a computer inside your boundary

[00:16:28] and it's not secure, right, it maybe hasn't been patched in a year, that thing can get compromised so easily, and that can be used to attack the rest of your network. That's super scary, right? So, as assessors, we're probably, you know, unless something

[00:16:48] changes, unless the DoD provides more guidance, we're probably just going to kind of let that stuff be. But from a real risk perspective, may I encourage you, right, please,

[00:17:02] please secure those things, right? Unless, you know, if you can do it along with the rest of your network, right, all the stuff that you do with all the rest of your computers, you know, good antivirus,

[00:17:12] patching, right, secure configurations, if you can do that for everything, please do it, because it's just smart. You don't want to have your network taken down, right? Yeah, the DoD can come investigate you. Oh, by the way, I have talked to a little company

[00:17:33] that, you know, they were marking that they had a perfect 110 score, and they got chosen, as they're a little, like, 15-employee company, they got chosen as an assessment target by DIBCAC, and it was like a negative 160 score or something, and Department of Justice,

[00:18:01] I got called by the IT person for that company and she was crying, and I mean, I feel bad, right, but at the same time, like, this has to happen, right? But the DoD is actually,

[00:18:21] they're trying to crack down, you know, even before CMMC, they're trying to crack down, and you can tell it's for real because Department of Justice is involved. That's, yeah, yeah, it's a bad day. Anyways, okay, so that's contractor risk managed assets, and now we've gotten into the specialized

[00:18:42] assets. So those are generally understood to be equipment, right, servers, whatever, that have CUI, because if they don't have CUI, then you're just going to call them a contractor risk managed

[00:19:00] asset, and we don't care too much about them, right? So we're going to assume that they have CUI on them, and the DoD has said these specialized assets, for various reasons, are too hard to secure,

[00:19:17] right? If we insist that the contractor applies security to these things, the contractor will probably fail, right? The thing will blow up, but it'll stop working, right? I have seen

[00:19:33] so many of these types of devices, and if you look at it sideways it might not start, you know, I mean, they're, like, you know, XP, you know, like, you pray it's going to turn on, and if you

[00:19:48] try to apply anything security-practice-wise, that thing is just not going to work. Yeah. So I'm sharing my screen, I'm sharing the CMMC Level 2 scoping guide, and we're kind of zoomed in

[00:20:03] on the various types of specialized assets, right? So if you want to call something a specialized asset, it has to meet the definition of one of these five areas, okay? Specialized assets

[00:20:26] don't really get assessed, okay? So just like CRMA, where we just kind of hand-wave at them, specialized assets, same thing. We're not going to fail you if you don't have antivirus on your

[00:20:43] operational technology, for example. But for you to get us to do this, for us to agree that it's a specialized asset, you have to show us how the thing meets the definition, right? And again,

[00:21:00] scoping guide, look at these definitions. So operational technology, pretty easy. If you think it's operational technology, I probably do too, okay? But here's one nuance that I teach

[00:21:18] my students when I teach CMMC courses. So say you've got a, and sorry, I'm going to try to make this podcast-friendly, so okay, say you've got a machine that cuts parts, okay? So I'm

[00:21:39] just going to draw a little picture here of the machine that cuts parts, okay? Now that machine, we're all going to say that is operational technology, we don't need to assess it, we're

[00:21:55] good, okay? We know that that thing will die if we apply any security to it. But what is very common is you will see a machine right next to that machine that looks like a

[00:22:11] Windows desktop, right? And as an assessor, you're like, well, that looks like a regular computer, we should require all the security on it. And that is actually not necessarily correct, okay?

[00:22:33] So a lot of times you have some sort of a, you know, Windows-ish computer connected to this operational technology, controlling it, and if you mess with that Windows computer, the operational technology dies. And sometimes they're imaged with specific configurations that are like, you

[00:22:53] void the warranty from the vendor if you even play with that thing. Yes, yes. And so the question is, you know, as an assessor, the way I determine whether this thing that looks like a normal computer

[00:23:07] needs to be secure, or whether I call it operational technology, is: if I can replace this thing with any other Windows 11 computer, right, or MacBook, and the operational technology is fine,

[00:23:24] then I'm going to say that thing needs to be assessed. I like that approach. Yeah, I ask, or whatever, right? If I can swap in something and it's fine, right? So that does handle situations where

[00:23:37] all you need to do is program media, right, use an app to program it, right, or send the instructions over, say, a browser, right? But if I talk about swapping out that thing and the

[00:23:53] business owner goes, oh no, no, no, no, no, no, no, no, then I'm going to say, okay, that's operational technology, right? That is a pair, that is a team with this part-cutting machine,

[00:24:09] and we're going to treat it like one unit, okay? So that's OT, and then the next category of specialized asset, sorry, that I want to talk about is restricted information systems, because this

[00:24:33] category is an underutilized category, okay? So I've talked to so many sysadmins who are trying to prepare for CMMC, and they are stressed out because they've got one system, right, or two systems,

[00:24:55] out of their entire network that they just cannot apply the security to. They can't get FIPS on it because it'll break, right? Or they can't restrict the permissions because it'll break,

[00:25:08] and they can't take it off the network, right? They can't remove it because they need it for contracts, to actually perform the work, right? And they can't just move it to a different network because it has CUI on it, okay? Well, actually, guys, we're defining restricted information

[00:25:29] system right now. This is a system that is configured based on government requirements, okay? So let me translate that a little bit. You need it because that thing is required to do a contract,

[00:25:50] right? You can't just use some other app, right? Some other app won't work, you need this thing for the contract, okay? And I guess it doesn't have to be provided by the government, right? It could be a

[00:26:04] third-party system, could be your system, right? And, you know, configured based on, right, well, and, you know, don't hold me to this on every assessment, right, because we're going to

[00:26:23] be having to evaluate, you're going to have to show how this applies, right? But if it needs to be configured a certain way, for example without FIPS, to work, there's no other alternative out there,

[00:26:37] and you need it for the contract, you're making a real good case that it's meeting this definition, okay? So think about that. Now, I will say, though, if the thing does not have CUI on it,

[00:26:55] right, this system that you're talking about, I am probably not, I'm not going to be thrilled with seeing you calling it a specialized asset, because why is it in your network? Why is it in your secured network if it doesn't need to be,

[00:27:18] right? So maybe this is a case where you want to isolate that out, if it is not a CUI asset. But think about this category, because a lot of stuff actually does fit into

[00:27:33] it. And honestly, I've forgotten about that section until you mentioned that you want to talk about this in the podcast, and I was like, oh yeah, I'm glad you shine some light on that. Thank you.

[00:27:45] Yep. I think we kind of ran through our topics, Bobby. Okay, well, when you're looking at those situations, this goes back to where the scoping is so key, because it's a bad day

[00:28:02] when they show up at your door, right, and they're like, knock knock knock, you know, Amira, I think we're ready, and you're like, okay, that sounds great, let's talk about how you did some

[00:28:12] of the scoping. You're like, oh yes, this is a specialized asset, and you're like, that is not a specialized asset. Things start sliding, and not in a good way. So, but I mean, if you have those

[00:28:25] things well defined, your scoping is dialed in, they could be your savior, right? They could really help you out. So one of the things we do with our

[00:28:39] assessment clients is, way early, months ahead of the assessment, we ask them to fill out an inventory spreadsheet, which we provide a template for, right? Hopefully you're way ahead of us, hopefully you've got everything inventoried, but if you don't, you know, we provide

[00:28:58] a template, and identify what category everything is, and then we provide a space to justify that categorization. And this is where you want to put in some extra effort, right, especially if you're going to call something a contractor risk managed asset

[00:29:20] or specialized asset. Put in that extra effort, go back and forth between the scoping guide definition and what you're writing, right, and explain how it meets each of those items. And if you put in that effort, we're probably not going to,

[00:29:39] you know, distrust it. We're gonna say this is fine, right? We're good, thank you. There's a reason why specialized assets don't need to be secured all the way,

[00:29:51] the government agrees, right? Thank you, DoD. They gave us a huge boon with the scoping guide by saying that you don't need to do all the security there, so we're going to take advantage of that.

[00:30:04] Because when I was first being introduced to it, immediately, because of our experience with manufacturing, I was just like, what's gonna happen with these things? Then they're like, well, you have these things called specialized assets, and I'm like, oh, that's like,

[00:30:18] thank you, because I'm like, I'm not seeing a good outcome, you know, blood was just kind of, like, running out of my face. But there are, as an MSP working with companies that have

[00:30:34] these types of assets, you can still provide pretty good security by even isolating those to some extent and separating them. And let me just say, as someone who has been in the industry for

[00:30:50] quite a few years, you mentioned about how if you have assets that aren't appropriately protected inside your environment, even worse if they're inside scope, inside your environment, we call those beachheads. Those could be used as a beachhead if they get compromised,

[00:31:07] because a lot of times you can't put your tools, like, we can't put our tools that we might want to, to see threats that are on those systems, right? You might not even be able to put Defender

[00:31:20] on some of those systems, right, because if you did, it would cripple it, you know, the IOPS can't handle it. Because it's a modern AV and you put it on there, the system won't even boot up,

[00:31:30] and those are absolute real-life scenarios. And in that type of situation, you don't want those types of systems literally peered, if you can absolutely help it. You want to create, even in scope, I would have suggestions of having segmentation, because if someone, being human, clicks

[00:31:51] on a link, even with all of the defense in depth that you might have, you know, you have to plan for failure. And if you have those systems literally peered right next to them, and a threat actor sees

[00:32:02] it and they put some type of malware or rootkit or some type of mechanism for them to stay resident on that system, it will be almost impossible for you to see exactly where that's coming from

[00:32:14] as they continue to attack you over time. And so you want to have, as your users are doing user stuff, you want those users to be peered with themselves, in scope. This is just from a security, kind of like a blast radius concept

[00:32:32] of how we try to operate things, because that way, if someone does a user thing and they try to move laterally or things like that, at least you're going to keep them limited

[00:32:42] to the environment that you have the best visibility to see. Yeah, I love to see operational technology on a disconnected network, right, or a network that has a really strong firewall that's basically denying everything between

[00:33:04] the segments. One thing I did want to say is, you know, there's 110 requirements in CMMC Level 2, and about 70 of them are what I would consider an enterprise requirement, right? It's a

[00:33:25] process, it's something that applies to your entire network, right? Have a policy for this, do change control, you know, have baselines, right, have an inventory that applies

[00:33:42] to everything. And those requirements that are enterprise, right, that aren't system-specific, they're there for the entire information system, I still expect them to be performed, to include these specialized assets, these contractor risk managed assets, right, not

[00:34:01] just the CUI assets and SPAs. I still want you to know what computers are on your network, even if it's the accountant's computer, right? And that does solve a lot of the risk, right? So it's

[00:34:16] not just a complete, oh, it's a specialized asset, I don't even need to know that exists, right? It doesn't even need to be in the building, I can put it on the front street,

[00:34:26] right? Right, that's not gonna fly. We're probably going to ask for guidance from our, you know, DoD CIO advisors if we see something like that, where you've literally got,

[00:34:42] you know, OT sitting in the street in front of your building because it doesn't need to be secure, right? But take advantage of the specialized asset categories, I guess, is the

[00:34:56] bottom line. Yeah, and I agree wholeheartedly, as I've seen so many times where threat actors are going to capitalize on opportunities. This specialized asset, in my opinion, is a great way

[00:35:11] for you to pass your assessment and be able to operate like you need to as a company. But it's not about passing your assessment when it comes to, if you care about being operational,

[00:35:28] if you get breached, if you have an incident, you know, it doesn't matter if you're compliant but you can't work, because they own your stuff and have exfilled it out. You know, so you can

[00:35:39] still pass your CMMC certification and still not have some good practices on things if you don't really pay attention to how you're doing. So that's why I was, this is just me being

[00:35:52] an MSP, put my hat on here, you know, just please, please. Because I gotta be the bot, I need to be the minimum line, I have to read to the exact minimum and not insist on more, but we all should

[00:36:04] be doing more, right? Yeah, and you can do things and still have it, like, you could have it to where, like you're talking about the firewall, you could have those OT-type specialized assets

[00:36:16] in a separate VLAN that can talk out by rule of the lough, but it's denied by default coming in, so all scans, all examination initiating from there, but you can come and grab, you know, the

[00:36:30] plans or things that you need to from that and pull it in if you need that. Or there's lots of different ways to kind of slice that bread, but you really want to look at separating those if at all

[00:36:41] humanly possible, because it is just, people do people things, and when they do it, if you've got just IoT or not very secure things peered with that, it's a bad recipe, very, very bad. There's

[00:37:00] two mandatory reports if you're a defense contractor and you get attacked, a cyber incident. There's two reasons that you need to mandatorily report it to the DoD. One is, of course,

[00:37:15] if you lose CUI, if you think that CUI has been compromised, but the other reason is if you lose the ability to perform on your contract, and most people don't know that is a reason. But the

[00:37:31] duty requires you to report, so if you get ransomware, right, or if you get completely just shut down, even if you don't think the bad guys got access to the CUI, that's still a mandatory report

[00:37:44] to DIBNet. And then with CIRCIA around the corner, gosh, yeah, that's going to be interesting. If this is the first time you're hearing about it on this podcast, definitely check that out,

[00:38:03] that's gonna be an interesting one, see, more on that. Yeah, that scares the, stacking, stacking on the reporting. Yeah, yeah. Well, Amira, thank you so much for joining us today.

[00:38:17] You covered some really good topics that I think don't have the light shone on them enough. You went through, we even got to see Paint, but you still kept it podcast-friendly. Thank you.

[00:38:28] That was a tall order. I think you checked the box good there. And so I really appreciate it. Thank you so much for joining us. Make sure to follow us on LinkedIn and YouTube to

[00:38:40] stay up to date on the latest CMMC news. We hope you guys enjoyed today's episode, and listen out for the next one. But until then, keep on climbing.