The Cybersecurity Maturity Model Certification (CMMC) has always been clear about its mission: to create more secure information systems within the Defense Industrial Base (DIB). Before the establishment of the CMMC, DIB companies only had to self-attest to meeting NIST 800-171 requirements. The CMMC requires that organizations prove compliance through certification of their information systems by third-party audits. This new approach is much like the “trust but verify” stance that President Reagan took during the nuclear standoff with the Soviets during the Cold War, minus the trust. The added layer of accountability for organizations within the DIB will ensure that organizations are doing what they say they are doing. NIST 800-171 requires every organization, at a minimum, to have a system security plan (SSP), to define system boundaries, and to identify all gaps in a plan of action and milestones (POA&M). Based on the experience of OCD Tech, most Defense contractors currently fall far short of those minimum requirements. The CMMC demands not only that all Defense contractors meet that bare minimum but that they have no gaps in their cybersecurity program.
However, the question remains: would this added layer of accountability for compliance have insulated the DIB against the SolarWinds attack? The short answer is no. In the world of cybersecurity consulting and auditing, one thing has always been made clear: compliance does not equal security. Indeed, organizations should look at compliance frameworks like a minimum standard for security. In other words, CMMC establishes the minimum of what an organization ought to be doing in its environment to be deemed acceptable to be awarded contracts.
The CMMC requires organizations to perform maintenance on organizational systems (MA.2.111), which includes installing patches and updates from vendors. Many organizations affected by the SolarWinds attack were engaging in “good” cyber hygiene by installing the software updates sent by SolarWinds. Cybersecurity professionals at every level should regularly update software after reviewing the system impact and security implications of the changes. Unfortunately, the software update pushed by SolarWinds was itself the carrier of the malicious code, which installed a backdoor on every system that applied the update. Many of the affected organizations were doing their best to do the right thing; however, this attack proves that compliance with cybersecurity frameworks does not always insulate organizations from attacks.
One of the hallmarks of having “good” cyber hygiene is having policies and procedures in place. In fact, the CMMC demands policies and procedures starting in maturity level two (XX.2.999 and XX.2.998 respectively). The main reason that policies and documented procedures are essential to good cyber hygiene is that they are the founding documents of a company’s cybersecurity program. You simply cannot have a cybersecurity program without policies. Without established policies, procedures are performed ad hoc, practices and responses to incidents are inconsistent, and disparate efforts across your company may not align to support the common goals of security. Policies establish organizational expectations for planning and performing cybersecurity activities and communicate those expectations to the organization. Senior leaders within an organization should sign the policies to demonstrate their support and buy-in for cybersecurity activities.
Establishing cybersecurity policies is the first step to “good” cyber hygiene, and ensuring those policies contain the right controls is the second step. With regard to the SolarWinds attack, and recognizing that this type of exploit could not have been prevented downstream, one of the most impactful controls downstream companies can implement is a robust policy to create and review audit logs. The term “audit log” shows up 169 times in the CMMC Assessment Guide, and not just in the Audit and Accountability domain. Audit logs are simply a record of events and changes in a system. Malicious cyber actors and authorized users alike create events and changes in a system, and by keeping a log of those events and changes it becomes possible to detect variation from baseline activity, whether by manual review or with a tool built to spot such variation. For example, if your company is on the East Coast and generally works Monday through Friday from 0800 until 1700 (cushy job!) and observes Federal Holidays, you would expect a lot of events and changes during those hours. However, even a manual review of audit logs could uncover potentially malicious activity if changes and events are logged over a long holiday weekend or observed nightly after 1700 EST/EDT. Specialized tools can detect much more nuanced variances from baseline activity; however, detection is still based on observed events and changes. Considering the SolarWinds attack, companies should establish, through policy, the types of events that necessitate logging, define the frequency at which those logs are audited, and establish the procedures that enable the established logging and auditing policies.
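The off-hours review described above, as an added example that is not OCD Tech's or the CMMC's own tooling: it reads a constructed audit log, converts each UTC timestamp to Eastern time, and flags events that fall outside the Monday-to-Friday 0800-1700 baseline, on a weekend, or on a federal holiday. The log line format, the baseline hours and the (partial) holiday set are assumptions made for the example.

```python
# Added illustration (not OCD Tech's or CMMC tooling): review audit-log lines against a
# business-hours baseline. Assumed line format "ISO-8601 UTC timestamp | user | event";
# baseline Mon-Fri 08:00-17:00 America/New_York; holiday set is a constructed subset.
from datetime import datetime, date, time
from zoneinfo import ZoneInfo
EASTERN = ZoneInfo("America/New_York")
WORK_START, WORK_END = time(8, 0), time(17, 0)
FEDERAL_HOLIDAYS = {date(2021, 1, 18)}  # constructed subset (MLK Day 2021); a real policy carries the full list

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2021-01-15T14:05:00Z | jsmith | login_success
2021-01-16T03:12:00Z | svc_orion | config_change
2021-01-17T15:00:00Z | jsmith | vpn_connect
2021-01-18T16:30:00Z | jsmith | file_read
2021-01-19T23:45:00Z | admin | new_scheduled_task
2021-01-19T13:00:00Z | jsmith | logout
"""

def parse_line(line):
    ts, user, event = (part.strip() for part in line.split("|"))
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # aware UTC datetime
    return stamp.astimezone(EASTERN), user, event

def off_hours_reason(local_ts):
    """Return why the event is outside the baseline, or None if it is inside."""
    if local_ts.date() in FEDERAL_HOLIDAYS:
        return "holiday"
    if local_ts.weekday() >= 5:
        return "weekend"
    if not WORK_START <= local_ts.time() < WORK_END:
        return "outside 0800-1700"
    return None

def flag_off_hours(log_text):
    """Return (local timestamp, user, event, reason) for every off-baseline event."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        local_ts, user, event = parse_line(line)
        reason = off_hours_reason(local_ts)
        if reason:
            flagged.append((local_ts.isoformat(), user, event, reason))
    return flagged

if __name__ == "__main__":
    for row in flag_off_hours(SAMPLE_LOG):
        print(*row)
```

Of the six sample events, four are flagged: a Friday-night configuration change, a Sunday VPN connection, a holiday file read, and a Tuesday-evening scheduled task; the two in-hours events pass.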
While the SolarWinds attack itself could not have been prevented by downstream recipients of the SolarWinds software, it is good cyber hygiene combined with a proactive cybersecurity posture that can help companies detect future exploitation of the implanted malicious code carried by the SUNBURST malware. No compliance framework can prevent an organization from falling victim to such a sophisticated attack; however, good cyber hygiene can mitigate and remediate damage from malicious cyber actors.