Do the CMMC requirements still apply if I use government-issued systems?
- Triumvirate Cyber
- Jul 29, 2024
- 3 min read
Many organizations have sidestepped much of the compliance overhead by leveraging government-issued and managed systems (e.g., email, workstations) to perform work with CUI data. DFARS and CMMC compliance can be a substantial investment of time and resources, so this method can be a great way for organizations to minimize their responsibility when it comes to securing CUI.
However, using government IT resources does not mean organizations are automatically compliant or that the CMMC requirements are not applicable. Read on to help find the line between your organization’s responsibility for compliance and the government’s when using government-managed systems.

Why doesn’t using government-issued IT resources make the requirements N/A?
The NIST SP 800-171 framework includes technical security requirements, such as Access Control and Configuration Management, as well as organizational requirements such as Physical Security and Personnel Security. Consider this: if an organization utilizes government-managed systems but doesn’t perform background checks on its employees, how much confidence can you have that those employees aren’t insider threats exfiltrating sensitive information to U.S. adversaries?
Moving away from the specifics of the regulations and focusing on the real-world implications of the requirements: a security assessment under the NIST SP 800-171 framework provides organizations with insight into the scope of CUI processing and the barriers/mechanisms present within their IT environment to protect it. Therefore, developing a system security plan (SSP) and performing an assessment against the NIST SP 800-171 framework ensures organizations can perform a defensible risk assessment internally and present it as evidence of practice when working with partners.
So what is my organization still responsible for?
Let’s take AC.L1-3.1.1 as an example:
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
By utilizing government systems, the government is responsible for implementing controls to limit system access (e.g., requiring an authorized username and password before providing access to a workstation). However, the contractor organization needs to demonstrate that it uses only those government systems for CUI work. This can be done through an organizational security policy.
When completing their SSP, the organization would mark 3.1.1 as “Implemented” with a description to the effect of “ACME Corp. has implemented this requirement by utilizing only government-provided systems for the processing, storage, and transmission of CUI, as defined in ACME Policy XYZ and communicated to our employees and partners.”
This shows that the contractor organization has a complete understanding of the scope of CUI processing within its environment, that protections are in place (through technical and administrative means), and that there are organizational processes ensuring those protections are enforced.
What your organization is specifically responsible for in regard to the NIST SP 800-171 requirements depends on the combination of government-managed and contractor-managed systems in your environment. As a general rule when using government-managed systems, the government takes responsibility for the technical implementation of the requirement and the contractor is responsible for having policies and processes in place to ensure their employees know what systems can be used for CUI work and what systems cannot.
One useful method of delineating responsibility is through a "Shared Responsibility Matrix" specifying which organization is responsible for which portion of compliance with each of the NIST SP 800-171 requirements.
Can I mark individual technical requirements as N/A in our SSP?
In our experience, we have found that marking any requirement as N/A is a major red flag for auditors and regulators. Utilizing gov-managed systems minimizes the amount of technical implementation required to be compliant, but it’s not sufficient to make the argument that the requirements aren't applicable. Even where technical requirements are met by using gov-issued systems, there need to be organizational policies & processes that define and demonstrate how your organization ensures CUI is adequately protected while utilizing those systems.
How does this all fit into complying with CMMC?
We’ve seen firsthand how intensive the process can be, but with the upcoming rollout of the CMMC rule, the DoD has signaled that it will be cracking down on contractors’ handling of CUI. Therefore, it will not be sufficient for contractor organizations with access to CUI to argue that the requirements are not applicable because they utilize government-managed systems.
Triumvirate Cybersecurity can help your organization identify CUI in your environment, determine what your responsibilities are for compliance, and define organizational barriers to ensure CUI data is secured as required under DFARS and the CMMC program. Contact us to start a conversation!