CMMC Weekly Series #11
Posted on June 26, 2020 by Nicholas Bukowski, CPA
Since the predominant goal of the Cybersecurity Maturity Model Certification (CMMC) is the protection of Controlled Unclassified Information (CUI), it is imperative to ensure the Confidentiality, Integrity and Availability (CIA) of data and information systems within Defense Industrial Base (DIB) companies. One of the chief components of safeguarding the CIA of data and information systems resides in the CMMC Domain of Recovery (RE). Data and/or information systems must be recoverable. If an adversary (or nature) compromises or completely decommissions a system or the data therein, there must be safeguards in place to assist an organization to recover from this loss.
The Recovery Domain has a total of 4 practices, residing at Levels 2, 3 and 5 of the CMMC framework. Each of these 4 practices will be addressed in more depth in the following paragraphs. The RE Domain essentially boils down to two primary capabilities:
1. Manage backups
2. Manage information security continuity
For the most part, these capabilities can be accomplished in an automated fashion. The key methods of achieving compliance with the processes of this domain are: 1) ensuring redundancy in both data and information systems, and 2) implementing processes for a fail-safe in the event that data or an information system becomes compromised. It is imperative to eliminate and/or mitigate single points of failure. The steps taken to achieve this depend on an organization’s required Level of CMMC and organizational needs. Naturally, as the CMMC level increases, the amount of effort (and cost) increases.
RE.2.137: Regularly perform and test data backups.
All CMMC Level 2 processes must be documented. This means that the regular performance and testing of backups must reside in documented policies and procedures, whether contained within an organization’s Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP), or the overall System Security Plan (SSP). Backups must be performed of both the data and the systems. Additionally, it is a best practice to have individual users create backups of their own data at specified intervals to ensure continuity of work. However, a more streamlined approach would be the organization, as a whole, backing up both data and information systems at the periodic frequency determined to be most adequate for the organization, when considering organizational requirements and cost.
Backing up data can often consume extensive resources. An example of a best practice that reduces this resource consumption is scheduling backups to automatically occur during non-peak hours. Additionally, rather than always performing full backups, a full backup could be performed on a semi-recurrent basis, with incremental backups being performed more regularly, only backing up new or changed data.
When considering the method and location of backups, it is important to ensure that if a disaster and/or breach occurs, the live data and backup data are not both vulnerable. For example, if backups of a physical server are stored in a closet next door to the server room, what practical function do those backups serve if there is a fire in the building? Both live data and backups would be destroyed, and the desired Recovery would become impossible. Typically, backup data ought to be stored offsite, whether at another facility or in the cloud.
The testing of backups can be performed in a variety of ways. The key here is to ensure that the data or system being backed up can actually be restored, is usable, and matches the production data or system. One way this can be accomplished, at least when looking at production systems, would be to periodically switch between the backup system and the production system. A successful test of this nature would all but guarantee the backup system is performing as desired.
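The full-versus-incremental scheduling and the "restored copy must match production" test described above, as an added example that is not part of the original post or of any CMMC reference material. It uses only the Python standard library and constructs its own small "production" directory in a temporary folder; the backup layout (one directory per backup run, each holding a JSON manifest of SHA-256 hashes) is an assumption of the example, not a prescribed format. A full backup copies everything; each incremental backup copies only files whose hash changed since the previous manifest and records deletions; a restore replays the chain; and the verification step hashes the restored tree against production, which is how it catches a corrupted or tampered backup file.

```python
"""Added example (not from the original post): full/incremental backups with
restore verification. Paths, manifest format and sample files are constructed
for the example."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def backup(src, dest, previous_manifest=None):
    """Write a backup of src into dest.

    With no previous manifest this is a full backup; otherwise only new or
    changed files are copied (incremental). The returned manifest records the
    complete state of src after this run, plus what was copied and deleted."""
    current = snapshot(src)
    previous = previous_manifest or {}
    Path(dest).mkdir(parents=True, exist_ok=True)
    copied = []
    for rel, digest in current.items():
        if previous.get(rel) != digest:          # new or changed since last backup
            target = Path(dest) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(src) / rel, target)
            copied.append(rel)
    manifest = {
        "files": current,
        "copied": copied,
        "deleted": sorted(set(previous) - set(current)),
    }
    (Path(dest) / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup_dirs, target):
    """Replay the full backup and then each incremental, in order, into target."""
    target = Path(target)
    for bdir in backup_dirs:
        manifest = json.loads((Path(bdir) / "manifest.json").read_text())
        for rel in manifest["copied"]:
            dst = target / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(bdir) / rel, dst)
        for rel in manifest["deleted"]:
            (target / rel).unlink(missing_ok=True)
    return target


def verify(src, restored):
    """The backup test: every (path, hash) pair must agree with production.
    Returns the list of disagreements; an empty list means the test passed."""
    a, b = snapshot(src), snapshot(restored)
    return sorted(set(a.items()) ^ set(b.items()))


def run_demo():
    """Full backup, one day of changes, incremental backup, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod = tmp / "prod"                       # constructed "production" data
        (prod / "docs").mkdir(parents=True)
        (prod / "docs" / "a.txt").write_text("alpha")
        (prod / "docs" / "b.txt").write_text("bravo")
        (prod / "c.bin").write_bytes(b"\x00\x01\x02")

        full = backup(prod, tmp / "backup_full")

        # Next cycle: one file changes, one is added, one is removed.
        (prod / "docs" / "a.txt").write_text("alpha v2")
        (prod / "d.txt").write_text("delta")
        (prod / "c.bin").unlink()
        incr = backup(prod, tmp / "backup_incr1", full["files"])

        restored = restore([tmp / "backup_full", tmp / "backup_incr1"],
                           tmp / "restore_test")
        clean = verify(prod, restored)            # expected: no mismatches

        # Simulate a corrupted backup copy: the test must now fail.
        (restored / "docs" / "b.txt").write_text("corrupted")
        tampered = verify(prod, restored)

        return {
            "full_copied": len(full["copied"]),
            "incr_copied": sorted(incr["copied"]),
            "incr_deleted": incr["deleted"],
            "clean_mismatches": clean,
            "tamper_detected": len(tampered) > 0,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of `verify` is that a backup is only "tested" once a restore has been performed and compared against production; copying files without ever restoring them proves nothing. In a real deployment the manifest hashes would also be kept somewhere the backup target cannot modify, so that a compromised backup host cannot rewrite both the files and the record of what they should hash to.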
RE.2.138: Protect the confidentiality of backup CUI at storage locations.
Protecting the confidentiality of backup CUI can most easily be achieved through data encryption of the backup files, both at rest and in transit. In addition to encryption, managing the personnel who have access to the backup is a best practice. It is recommended that the principle of least privilege, i.e., only granting access to those who require it, be employed. Additionally, one ought to monitor how personnel with access use the data, whether through system audit logs or another method. The location of the backed-up data should also have physical security in place to ensure the confidentiality of the data.
RE.3.139: Regularly perform complete, comprehensive, and resilient data backups, as organizationally defined.
At Level 3 of the CMMC, processes not only have to be performed and documented, but they also must be managed. In addition to the Level 2 requirements, this process requires additional action. All system data must be automatically backed up on a regular basis. The organization’s key systems must be backed up as a complete system to allow for a quick recovery. While this practice gives no specific time requirement for recovery beyond the use of the term “quick”, it must be noted that the amount of recovery time an organization requires can have drastic effects on the cost of the desired recovery system.
Backups can be classified as located at a Hot, Warm or Cold site. A hot backup site would be the most expensive, as this would require a complete duplication of all production systems and likely a near real-time backing up and transmission or mirroring of data. As the name suggests, these backups could “go live” almost immediately in the event of a disaster to the production environment. Unless an organization’s need for timely availability was very high, this method of backup would likely be cost-prohibitive for most companies. Warm sites are similar to hot sites but somewhat less expensive: the site retains a redundant set of hardware and software, but not near real-time data or the ability to go live immediately, and would likely take some time to be put into production. Cold sites require much more time, as they would not typically have any of the required hardware and software already configured and ready to go.
Finally, the backups must have at least one offline destination, which essentially means there must be a backup that is not connected to the network. This makes sense, since if an attacker gained access to the network, they could potentially compromise both the live system and its backup, thereby hiding the damage they’ve done and rendering the backup useless for recovery in that specific compromised area.
RE.5.140: Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.
At Level 5 of CMMC, processes not only have to be performed, documented, and managed, but they also must be reviewed and maintained in a constant state of optimization. This Recovery process requires that more be done than just backing up data and information systems. It requires that redundancies are put into place for any single point of failure in the overall cybersecurity posture. Not only must the data be recoverable, but the information security measures being undertaken must also be recoverable.
So how does this process play out in practice? Mainly through ensuring each CMMC capability has a fail-safe embedded within it. For example, if a company is required to use a firewall to prevent malicious traffic from accessing a network, what happens if the firewall fails? This Recovery process would require that there is either a backup firewall to take its place, performing the same required function, or there is a mechanism in place to ensure no data enters the network until the firewall is replaced/repaired.
While redundancy is the most common method used to achieve the goal of the Recovery domain, it cannot solve these requirements alone. There must be processes in place to ensure any gaps in cybersecurity are filled in an automated fashion. Having a redundant piece of equipment or software must be coupled with a mechanism in place to ensure the redundant resource takes over in the event of a system failure. This requires managing, testing, and constant optimization, as is the hallmark of Level 5 processes within the CMMC framework. An organization requiring CMMC Level 5 must be ever vigilant in protecting CUI against malicious actors.