
Don't buy products you don't need for CMMC!
One of the most concerning trends I’ve noticed with CMMC is consultants or internal security officers deploying unnecessary, expensive products in their efforts to become compliant. While this may be fine in organizations with unlimited budgets, it’s important to review these tools in the context of which requirements they actually satisfy. Today, we’ll go over some commonly deployed security products that - while they may serve a purpose - aren’t actually required for CMMC compliance.
- Data loss prevention tools. While they’re not a bad idea, they’re not required for CMMC. These tools can be expensive and tend to be challenging to effectively tune.
- E-mail encryption products. Almost all modern e-mail products encrypt e-mail traffic, and layering an additional encryption capability on top of the existing encryption is almost always unnecessary. To date, I have yet to audit an organization that wasn’t using either Google or Microsoft mail services; and those solutions seldom need any additional encryption. In short, if you have encryption at rest enabled on your CUI data stores and are using a standard e-mail system, you won’t need an add-on product. If you do need to ensure that a file sent over e-mail has additional encryption, you can encrypt just the file using a zip utility that enables you to select FIPS encryption.
- Audit management systems. While all tools have their bells and whistles that can create some shortcuts for you, audit management systems aren’t required and aren’t going to solve your CMMC preparedness problems. You’re still going to need to go through all the controls and figure out if you’re compliant and collect evidence to satisfy your assessor. These tools typically serve as a repository for the collection of artifacts and control implementation statements, and enable you to upload artifacts associated with each control. These can be helpful if your organization is dealing with multiple cybersecurity compliance frameworks, but if CMMC is the only framework you need to worry about, the juice won't be worth the squeeze with many of these products. You also need to worry about where your data is being stored. Many artifacts collected as part of an assessment provide a roadmap for a targeted attack. Where is it living when you upload it to these tools?
- Automated asset inventory systems. While you need to know what’s in your system boundary, there’s no requirement that asset management be automated. You can periodically scan your network with Nmap or a comparable scanner to identify all devices connected to the network, and use the results to maintain a manual inventory.
- Zero trust solutions. I’m sure they’ll be required one day soon, but that day is not today. Don't be a bleeding-edge adopter. Wait for these tools to mature and for the requirements to become solidified.
- Conditional access solutions. These can actually be pretty handy if you're dealing with large, multi-segmented CUI data repositories; but if you know where all your CUI lives and it's pretty straightforward, role-based or discretionary access coupled with some manual practices will be enough for CMMC. So while conditional access tools can be helpful, there's no requirement to use them.
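To make the manual asset inventory bullet concrete, here is an added example (not code from the original post) showing how a periodic Nmap ping sweep can be reconciled against a hand-maintained inventory without any automated asset management product. It assumes a scan such as `nmap -sn -oX scan.xml 192.0.2.0/24` has been run; the XML and CSV embedded below are constructed samples, not real scan output, and the field names are an assumed inventory layout.

```python
"""
Reconcile an Nmap XML scan against a hand-maintained asset inventory.

Assumed workflow: run `nmap -sn -oX scan.xml <your CUI subnet>` on a schedule,
then feed the XML and your inventory CSV to this script. It reports hosts that
answered but are not in the inventory (add them or investigate) and inventoried
hosts that did not answer (retired, powered off, or a scan coverage problem).
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 192.0.2.0/24">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <hostnames><hostname name="fileserver.example.test" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed manual inventory, the kind you would keep in a spreadsheet.
SAMPLE_INVENTORY_CSV = """ip,hostname,owner,in_cui_boundary
192.0.2.10,fileserver.example.test,IT,yes
192.0.2.12,printer.example.test,Facilities,no
"""


def parse_nmap_hosts(xml_text):
    """Return {ip: {"mac": ..., "hostname": ...}} for hosts Nmap reports as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no useful inventory data
        ip = mac = hostname = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")  # only present when scanning the local segment
        hn = host.find("hostnames/hostname")
        if hn is not None:
            hostname = hn.get("name")
        if ip:
            hosts[ip] = {"mac": mac, "hostname": hostname}
    return hosts


def load_inventory(csv_text):
    """Return {ip: row} from the manual inventory CSV (assumed column layout)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"]: row for row in reader}


def reconcile(scanned, inventory):
    """Compare the scan with the inventory.

    unknown: answered the scan but is not inventoried -> add it or investigate it
    silent:  inventoried but did not answer -> retired, offline, or missed by the scan
    """
    unknown = sorted(ip for ip in scanned if ip not in inventory)
    silent = sorted(ip for ip in inventory if ip not in scanned)
    return {"unknown": unknown, "silent": silent}


if __name__ == "__main__":
    scanned = parse_nmap_hosts(SAMPLE_NMAP_XML)
    inventory = load_inventory(SAMPLE_INVENTORY_CSV)
    result = reconcile(scanned, inventory)
    for ip in result["unknown"]:
        print(f"NOT IN INVENTORY: {ip} {scanned[ip]}")
    for ip in result["silent"]:
        print(f"NO RESPONSE:      {ip} ({inventory[ip]['hostname']})")
```

Keeping the reconciliation output with each scan date gives you exactly the kind of dated evidence an assessor wants to see for the inventory practice, and a host that shows up as "not in inventory" is your cue to either document it or find out why it is on the CUI network.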