Earlier this year, we got a peek into the latest iteration of the DoD’s cybersecurity supply chain risk management initiative, the Cybersecurity Maturity Model Certification (CMMC) model. Currently, DoD supply chain members are allowed to self-attest to their cybersecurity obligations under CFR 52.204-21 or DFARS 252.204-7012, but the winds of change have begun to blow. Right now, supply chain members are receiving requests from Defense Contract Management Agency (DCMA) representatives to assess their current posture against the DFARS cybersecurity clause (252.204-7012), and in the near future, third party certification of these obligations will be required using the CMMC model.
Although the initial push was fast and furious, the rollout has slowed: full supply chain adoption is now targeted for 2026, and in the meantime DoD is running CMMC model tests with select vendors in its supply chain. So, while we’re waiting, let’s have a chat about one of the issues with the CMMC model…
FIPS 140-2 validated algorithms.
The CMMC control SC.L2-3.13.11 (CMMC 1.0 3.177) borrows its wording from NIST SP 800-171 control 3.13.11, but to see what a proper implementation of this control actually requires, take a look at NIST SP 800-171A. Suppliers are required to use encryption algorithms that withstand the NIST Cryptographic Module Validation Program (CMVP) process and have been awarded a validation certificate. For most organizations, this means remote access, disk encryption, web servers, SFTP servers, site to site virtual private networks (VPN) and really anything that will have Controlled Unclassified Information (CUI) resting on it or transmitting through it. To help us out, NIST provides a site that lets us search for products that have been validated and hold a certificate.
With the current DFARS cybersecurity clause 252.204-7012, if hardware or software performing encryption of data in transit or at rest can’t support FIPS validated cryptographic algorithms, it’s really not that big of a deal. Drop it on the plan of action and milestones (POA&M) and track the remediation as part of your vulnerability management program. For those seeking contract awards requiring proper safeguarding of CUI and Covered Defense Information (CDI) under the CMMC model, for which CMMC L2 is the projected minimum maturity level, a POA&M is not an option. If every CMMC L2 control must be fully implemented before a CMMC L2 certification is awarded, SC.L2-3.13.11 will be problematic.
So, what’s the problem?
Holding onto FIPS 140-2 validated algorithms introduces unnecessary challenges for commercial organizations that want to do business with the DoD. Organizations may already be heavily invested in hardware and software that provides equivalent or superior cryptography but has not been validated by the CMVP. Should these organizations be required to rip and replace?
Organizations may upgrade away from software versions that have received FIPS 140-2 validation in order to address critical vulnerabilities in that software version or in those specific cryptographic algorithms. Adoption of FIPS 140-2 validated cryptographic algorithms doesn’t guarantee that a cryptographic implementation is secure or that it provides the necessary encryption strength. Organizations adopting the CMMC model need the flexibility to make the appropriate risk, cost and technology decisions. Adopting NIST SP 800-171 control 3.13.11 as SC.L2-3.13.11 could force commercial organizations into an awful choice: be secure or be compliant. Compliance should facilitate security adoption and improve cybersecurity posture.
How can we solve this?
Fortunately, the trail has already been blazed. In late December 2019, the Department of State submitted an update to ITAR 120.54 allowing for “…security strength that is at least comparable to the minimum 128 bits of security strength…” and they refer to NIST SP 800-57 part 1 revision 4 table 2, page 53, for acceptable alternative cryptographic algorithms. This approach provides a way to secure data appropriately and address vulnerabilities in validated hardware and software without locking the information system into older versions of cryptography. I’d like to propose that the CMMC model adopt a similar approach for SC.L2-3.13.11.
“Employ high strength cryptographic algorithms (FIPS 140-2 or comparable) when used to protect the confidentiality of CUI.”
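To make the “comparable” half of that wording concrete for an assessor, here is an added example (not code from the original post, nor from CMMC, NIST or any named product) of how a configuration can be rated against the 128-bit floor. It assumes the security-strength mappings of NIST SP 800-57 Part 1 Rev. 4, Table 2 (AES by key size, RSA and finite-field DH/DSA by modulus size, ECC by curve order size, three-key Triple DES at 112 bits) and rates hashes at half their digest length for collision resistance. The `Component`, `strength_bits` and `assess` names and the two sample TLS-style configurations are constructed for this example. The check rates a configuration at its weakest component, which is what usually catches people: a 2048-bit RSA certificate drags an otherwise 128-bit-strength suite down to 112 bits. It estimates algorithm strength only and says nothing about whether the module implementing it holds a CMVP certificate.

```python
"""
Added example: a "comparable security strength" check modelled on
NIST SP 800-57 Part 1 Rev. 4, Table 2. Each component of a cryptographic
configuration is mapped to a security strength in bits, and the whole
configuration is rated at its weakest component, then compared with the
128-bit floor cited from ITAR 120.54. This is not code from the post,
CMMC, NIST or any product; the names and sample configs are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

MIN_STRENGTH_BITS = 128  # the floor the post proposes for SC.L2-3.13.11


@dataclass(frozen=True)
class Component:
    role: str     # e.g. "key exchange", "certificate", "cipher", "hash"
    family: str   # "AES", "3TDEA", "RSA", "FFC", "ECC", "HASH"
    bits: int     # key size, modulus size, curve order size, or digest size


def _ifc_ffc_strength(modulus_bits: int) -> int:
    """RSA (IFC) and DH/DSA (FFC) strength by modulus size, per Table 2."""
    for floor, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= floor:
            return strength
    return 0


def _ecc_strength(order_bits: int) -> int:
    """ECC strength by the bit length of the curve's group order, per Table 2."""
    for floor, strength in ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80)):
        if order_bits >= floor:
            return strength
    return 0


def strength_bits(c: Component) -> int:
    """Security strength of one component in bits (0 = not rated by Table 2)."""
    fam = c.family.upper()
    if fam == "AES":
        return c.bits if c.bits in (128, 192, 256) else 0
    if fam == "3TDEA":
        return 112          # three-key Triple DES is rated at 112 bits
    if fam in ("RSA", "FFC"):
        return _ifc_ffc_strength(c.bits)
    if fam == "ECC":
        return _ecc_strength(c.bits)
    if fam == "HASH":
        return c.bits // 2  # collision resistance: SHA-256 -> 128, SHA-384 -> 192
    return 0


def assess(config: List[Component], floor: int = MIN_STRENGTH_BITS) -> Tuple[int, List[str]]:
    """Rate a configuration at its weakest component and list what falls below the floor."""
    overall = min(strength_bits(c) for c in config)
    weak = [f"{c.role}: {c.family}-{c.bits} rated {strength_bits(c)} bits"
            for c in config if strength_bits(c) < floor]
    return overall, weak


# Constructed sample configurations (not taken from any real system).
LEGACY_TLS = [
    Component("key exchange", "ECC", 256),   # ECDHE over P-256
    Component("certificate", "RSA", 2048),   # RSA-2048 signing key
    Component("cipher", "AES", 128),         # AES-128-GCM
    Component("hash", "HASH", 256),          # SHA-256
]
UPDATED_TLS = [
    Component("key exchange", "ECC", 384),   # ECDHE over P-384
    Component("certificate", "RSA", 3072),   # RSA-3072 signing key
    Component("cipher", "AES", 256),         # AES-256-GCM
    Component("hash", "HASH", 384),          # SHA-384
]

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_TLS), ("updated", UPDATED_TLS)):
        bits, weak = assess(cfg)
        verdict = "meets" if bits >= MIN_STRENGTH_BITS else "falls below"
        print(f"{name}: {bits}-bit overall, {verdict} the {MIN_STRENGTH_BITS}-bit floor")
        for item in weak:
            print("  weak ->", item)
```

Run as a script it reports the legacy configuration at 112 bits because of the RSA-2048 certificate, and the updated one at 128 bits with nothing below the floor. To use it against a real system, populate the component list from your TLS, VPN or disk-encryption settings; the weakest-link rule is the part worth keeping, since a strong cipher never compensates for a weak key exchange or certificate.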