With the recently announced Cybersecurity Maturity Model Certification (CMMC) version 2.0, many of us within the Defense Industrial Base (DIB) are beginning to turn our attention towards cybersecurity compliance for the first time. Although we know we must adhere to the standards outlined by the National Institute of Standards and Technology (NIST), it is a challenge to know where to even begin when addressing the multitude of cybersecurity safeguards. For those of us who have not yet implemented even basic cybersecurity hygiene, we are likely feeling overwhelmed.
If you are in this position, we recommend that you start your compliance journey by focusing on the best “bang for your buck” – getting the most important cybersecurity safeguards in place right away. We have already identified these in our Totem Top 10™ (TTT), which you can use to set yourself up for long-term success with CMMC. In this blog, we will discuss the first control in the TTT, Know Your Assets. Be sure to grab yourself a copy of our CUI & System Inventory Template at the end!
Cybersecurity starts with knowing your environment
When we say to “know your assets”, we are specifically talking about knowing your IT system assets. This must include, but is not limited to, the hardware, software, and sensitive information residing within your environment. This is a crucial first step in building your cybersecurity program; in fact, every other aspect of the program is predicated upon it. If you do not know what sensitive information you handle, or which IT system assets are used to store, transmit, or process that information, how can you effectively protect it?
Hardware and software solutions are necessary for all organizations, because they make business easier and help us improve our day-to-day operations. Thus, they are worth the money. However, a significant deficiency exists among us small to medium-sized businesses (SMBs) within the DIB in that we spend exorbitant amounts of money on these hardware and software solutions, then we fail to adequately manage and maintain them. It’s akin to hiring a new employee, then sticking them in a corner and telling them to just “do their thing”. We never train them, check in with them, see what needs they have, and as a result, they add no value to the organization and are left to wither away. The same can be said of our IT system assets when we fail to properly manage them: over time, they weaken, and once enough time has passed, they eventually do us more harm than good. Therefore, the need arises for a deliberate and tightly controlled IT system inventory; one that will give us what we need to start building our own robust cybersecurity program moving forward.
There are three key questions that must be answered as you seek to build your IT system inventory, which will also help to guide the course of this blog:
- What information deserves (or requires) protection?
- What is the lifecycle of this information?
- What system components (assets) help facilitate this lifecycle?
What information deserves (or requires) protection?
In our quest to know our assets, the first thing we must do is identify the information we are (or must be) protecting. Is there information you are required, by law or contract, to protect? There are many different types of sensitive information, some of which we have listed along with examples below:
- Personal information (also known as Personally Identifiable Information, or PII)
- Name, SSN, date of birth, financial info, digital info, etc.
- Business information
- Trade secrets, intellectual property, patent documents, tax and financial records, etc.
- Government information
- Top Secret, Secret, Confidential, Controlled Unclassified, Unclassified, etc.
Even if you are not required to protect a certain type of information, that does not mean that protecting it is not a priority. Some subsets of information are expected, by customers, vendors, or others, to be protected, and failing to do so could have an impact on your continued business with them. For example, although there is no single federal law specifically requiring the protection of PII in a broad sense, potential customers may choose not to do business with you if they learn that you do not have the controls in place to safeguard their PII. We have seen a similar outcome within the DoD supply chain, where a contractor fails to implement the 17 basic cybersecurity safeguards required by FAR 52.204-21 and consequently has its purchase orders (POs) revoked by its customer until it can attest to meeting these basic requirements. The point is this: those you do business with care greatly about their information, and most of them expect that you will protect it, whether you are required to or not.
In the DIB’s case, we are required via DFARS 252.204-7012 and NIST 800-171 to protect Controlled Unclassified Information (CUI), so we will use this as our basis as we work through our IT system inventory and address these important questions.
What is the lifecycle of this information?
Once we know the information that must be protected, it’s time to identify its “lifecycle”. In other words, how does this information travel throughout our environment? This means describing how information is:
- received/generated
- stored
- accessed
- marked
- disseminated
- disposed
This is where something like our CUI & System Inventory Template can really come in handy. We have created a specific CUI Inventory sheet within the template (see image below) that gives you a great starting point for identifying your own information lifecycles. Performing this information lifecycle exercise will take some time, and it likely will require collaboration from different departments within your organization to really track down everywhere information is traveling. Any aspects of the organization’s operations that handle the information in any way are “scoped in”, meaning that they must be accounted for and secured.
When performing this exercise, we would identify each piece of CUI (or whichever type of sensitive information we handle) and characterize its lifecycle. Be sure to keep in mind if there are any specific business or regulatory requirements dictating how you must approach any of these steps. In our case, when it comes to CUI disposal, we are required to do so according to the data sanitization standards laid out in NIST 800-88.
What system components (assets) help facilitate this lifecycle?
At this point, having characterized our information’s lifecycle, we must begin to associate our network and IT assets to that lifecycle. This step will likely take the longest to initially complete, and it is one that you should expect to revisit on a continual basis as your environment changes and technology is introduced, removed, or updated.
First, you need to list out all of your IT hardware that helps facilitate the sensitive information lifecycle that you identified in the previous step. This is going to include your workstations, phones, servers, firewalls, printers, camera systems… any of the physical components within your network that play a role in handling sensitive information. Once you have listed out each hardware component, we recommend that you start by gathering all makes, models, IP addresses, MAC addresses, and open ports for everything that you have listed, where relevant. The CUI & System Inventory Template includes more hardware details you should eventually account for, but this is a great start. There are a number of tools that can assist you with this information gathering; we use Nmap.
Second, with your hardware inventory complete, the next step is to take an inventory of your software. Software introduces a wide variety of security risks to your organization, which is why it must be tightly controlled. We recommend that you create a software baseline – a list of the company-approved software that is allowed to run within your environment – and enforce it, so that only approved software can execute, through a technology such as application whitelisting. Some important information you’ll want to record for each piece of software includes the IT asset group the software is used on (e.g., all workstations, engineering workstations, etc.), the software type (e.g., OS, system, application, etc.), the software name, vendor, and version, and the types of user accounts in the organization using that software (e.g., shared group accounts, administrator accounts, local admin accounts, etc.).
Finally, it’s time to understand how these IT system assets fit into the grand scheme of your network and the sensitive information moving through it. These lists on spreadsheets are great – necessary, in fact – but it’s challenging to truly understand their overall purpose and impact by just looking at the list. For this reason, we recommend you create two specific architectural diagrams to help model this information: a network topology diagram and a data flow diagram.
A network topology diagram is a visual representation of all of your IT system assets and their physical or logical relation to one another. Knowing how your devices are interconnected gives you a much better idea of how they communicate with one another, as well as weaknesses within the model that an adversary may seek to exploit. A (very) basic network topology diagram example is seen below:
A data flow diagram essentially combines the information lifecycles that you identified earlier with the IT assets facilitating those lifecycles, and it presents them in a way that is easy to understand. Note that this diagram should also include how information is sent externally. A basic data flow diagram example for a manufacturing environment is seen below:
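As an added example (not code from the original post or from the Totem template), the script below turns an Nmap XML report into the hardware-inventory fields named above (IP, MAC, vendor, hostname, open ports) and reconciles the scan against an approved asset list, flagging hosts that are not in the inventory and approved hosts exposing ports the inventory does not expect. The XML and the approved list are constructed samples, and the record layout is an assumption of this example, not the template’s format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML Nmap writes with -oX (trimmed to the elements used here).
# MAC addresses and vendor strings only appear when the scanner sits on the same
# network segment as the target, so hosts scanned across a router will have mac=None.
NMAP_XML = """<nmaprun>
 <host><status state="up"/>
  <address addr="10.0.1.10" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
  <hostnames><hostname name="eng-ws01"/></hostnames>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port>
         <port protocol="tcp" portid="3389"><state state="open"/></port></ports>
 </host>
 <host><status state="up"/>
  <address addr="10.0.1.50" addrtype="ipv4"/>
  <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac" vendor="Raspberry Pi"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports>
 </host>
</nmaprun>"""

# Constructed approved hardware inventory keyed by MAC: the asset's expected
# hostname and the set of ports it is approved to expose.
APPROVED = {"00:11:22:33:44:55": {"host": "eng-ws01", "ports": {445}}}

def parse_nmap(xml_text):
    """Return one inventory record per scanned host: ip, mac, vendor, hostname, open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None, "ports": set()}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                rec["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                rec["mac"] = a.get("addr").upper()
                rec["vendor"] = a.get("vendor")
        hn = h.find("hostnames/hostname")
        rec["hostname"] = hn.get("name") if hn is not None else None
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is not None and st.get("state") == "open":
                rec["ports"].add(int(p.get("portid")))
        hosts.append(rec)
    return hosts

def reconcile(hosts, approved):
    """Compare scan records with the approved inventory; return a list of findings."""
    findings = []
    for rec in hosts:
        known = approved.get(rec["mac"])
        if known is None:  # never inventoried (or no MAC visible): investigate before approving
            findings.append(("unknown_host", rec["ip"], rec["mac"], rec["vendor"]))
            continue
        extra = rec["ports"] - known["ports"]  # drift from the recorded baseline
        if extra:
            findings.append(("unapproved_ports", rec["ip"], rec["mac"], sorted(extra)))
    return findings
```

Run the scan with `nmap -oX scan.xml <your subnet>` and feed the file contents to `parse_nmap`; each finding is a row to resolve in the inventory, either by approving the asset or by removing it.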
Final considerations
Answering these three primary questions will put you on a good path towards building a robust cybersecurity program. However, there are a couple more items of importance that you must take note of as well:
- Who are your system users? What are their system permissions? What privileged access or accounts do they have? It would make sense for you to include your users alongside your hardware and software system inventorying process. Users fall within the scope of your IT system assets, and they are also your most dangerous asset, which is why they too must be managed appropriately. See our Duties & Responsibilities and Contact List sheets in the CUI & System Inventory Template.
- How do your systems connect to and share information with other systems? At this point, we have spent a great deal of time thinking through the information circulating within our environment, but what about information being sent externally? We recommend that you inventory all external connections involving the dissemination of sensitive information, then create a table demonstrating these in addition to the internal system interconnections. See our External Interconnections Inventory and Interconnections Matrix sheets in the CUI & System Inventory Template.
Finishing up
We hear from a lot of folks that cybersecurity hygiene is important to them, but they don’t know where to begin. Well, this is it. Whether you are a DoD contractor trying to comply with NIST 800-171 and CMMC or a small private business simply curious about cybersecurity, this is step number one in creating a cybersecurity program of your own. It will take time, but the effort put into this will determine how well you are able to implement additional safeguards down the road.
If we can help you create your own IT system inventory, or if you have any questions, get in touch with us. If you are a DoD Contractor interested in learning how an IT system inventory can help you enhance your CMMC-compliant cybersecurity program, please come join us in one of our Workshops!
Keep fighting the good fight!
–Nathan Cross, Cybersecurity Engineer