CMMC Weekly Series #3
Posted on April 9, 2020 by John Forrester, Ted Wernet and Brigham Slocum
In the new Cybersecurity Maturity Model Certification (CMMC) framework there is a requirement to ensure that media storing sensitive data be protected at varying levels of effectiveness. It is especially important to remember that if a system is required to be CMMC level 3 compliant, the practices from CMMC Level 1 and 2 will also apply to that information system.
The most basic requirement, the removal of all data from a drive before reuse or disposal, varies in cost depending on the method used. The right method is best determined by the level of protection needed, whether the drive will be reused, and whether the classification of the data on the drive will change. Other practices, as required by Levels 2 and 3 of the CMMC model, aim to further limit access to relevant information, both physically and digitally. One example of these practices, per CMMC MP Level 3, is the requirement for cryptographic protection, which scrambles the information in a way that requires a password to make it readable again.
Some practices required by the CMMC model ensure that removable media and sensitive information are tracked. This allows the owner of that information to easily look up the location of the data and maintain accountability, which is also required for Level 3. There is a wide variety of inventory and document-tracking software tools; however, the simplest way to accomplish this is to record and track the necessary information in spreadsheets, such as those supported by Microsoft Excel.
CMMC Level 1 requires the process of destroying sensitive data on storage drives, called sanitization, which allows for various methods of ensuring that the data cannot be retrieved. It is important to remember that some methods of sanitization will only work on certain types of removable media, and some methods are more effective than others. For example, a Solid-State Drive (SSD) transfers data far more quickly than a mechanical Hard Disk Drive (HDD), but cannot be sanitized using a machine called a degausser. The most important lesson here is to make sure your method of sanitization matches the media you are working with.
The most effective method of sanitizing data stored on an electronic media device is physical destruction. Examples of tools used for this type of destruction include hard disk shredders, pulverizers, incinerators, etc. A second method of media sanitization is repeatedly overwriting the data present with other random and uniform data, thereby scrambling the original data to the extent that it cannot be recovered. While this is cheaper than the other methods, since it allows the drive to be reused and requires no additional machinery, it is less effective at ensuring that the data is not recoverable. The required sanitization method, along with the expense associated with it, should be weighed against the other functional requirements of the drives as needed to support business functions.
Some practices required by CMMC, such as securing and tracking removable media in transit, may incur additional overhead costs due to the processes required to ensure that these tasks are being performed regularly. Given that media transportation is a common necessity and that encryption can be performed easily and inexpensively, the practices that require the data to be encrypted will likely be very effective at protecting the data and meeting requirements. There are many tools and techniques for ensuring that removable media is encrypted, ranging from encryption hardware integrated into the media, to Universal Serial Bus (USB) storage devices encrypted using Microsoft's proprietary encryption tool, BitLocker To Go. There are also a variety of software and hardware applications that can encrypt files and/or media drives. Regardless of the chosen method and tool, one must ensure that whatever solution is chosen is adequate and approved for the sensitivity of the data being encrypted.
Another manner of protecting sensitive information is via USB blocking and USB whitelisting. USB blocking prevents specific USB subsystems – that are a part of the information system – from functioning, while USB whitelisting prevents USB devices that are not recognized (whitelisted) by the system from functioning when plugged into a USB port. A caveat to be aware of for whitelisting is that authorized USB devices can be recognized by their Vendor ID (VID) or Product ID (PID), which, if discovered, could be written to another USB device, therefore bypassing the blocking protection. However, although simpler to configure, filtering the devices by VID/PID is not the only possible way to identify removable media. Ultimately, any measures taken to protect the system from unauthorized access to and by unrecognized removable media can be very useful as part of a holistic approach to securing an information system.
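As an added example (not code from the original post), the following Python script contrasts the two identification strategies described above: it parses Windows-style USB device instance paths and applies a VID/PID-only allow list next to a per-unit allow list that also requires the device's serial number, so a second device presenting a copied VID/PID passes the first check but not the second. The instance-path format is Windows' own; the device IDs, serials and allow lists are constructed samples, not a real inventory.

```python
import re
from dataclasses import dataclass

# Windows names a USB device by an instance path like USB\VID_0781&PID_5583\<serial>.
# If the firmware reports no serial, Windows substitutes a bus-position ID containing
# '&' (e.g. 6&2a3b4c5d&0&1) that changes when the device is moved to another port.
_INSTANCE_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$", re.I)

@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: str
    @property
    def has_unique_serial(self) -> bool:
        return "&" not in self.serial

def parse_instance_path(path: str) -> UsbDevice:
    m = _INSTANCE_RE.match(path.strip())
    if m is None:
        raise ValueError(f"not a USB instance path: {path!r}")
    vid, pid, serial = m.groups()
    return UsbDevice(vid.upper(), pid.upper(), serial)

def allowed_by_vid_pid(dev, allowlist):
    """Weak policy: any device presenting an allow-listed VID:PID pair passes."""
    return f"{dev.vid}:{dev.pid}" in allowlist

def allowed_by_unit(dev, allowlist):
    """Stricter policy: this specific unit (VID:PID:serial) must be enrolled, and
    only a device with a real, stable serial can be enrolled at all."""
    return dev.has_unique_serial and f"{dev.vid}:{dev.pid}:{dev.serial}" in allowlist

# Constructed sample data, not a real inventory.
ENROLLED_VID_PID = {"0781:5583"}
ENROLLED_UNITS = {"0781:5583:4C530001234567890"}
SAMPLE_PATHS = [
    r"USB\VID_0781&PID_5583\4C530001234567890",  # the enrolled unit
    r"USB\VID_0781&PID_5583\0000000000CLONE01",  # same VID/PID, different unit
    r"USB\VID_0951&PID_1666\AA00000000000123",   # vendor/product not enrolled
    r"USB\VID_0781&PID_5583\6&2a3b4c5d&0&1",     # no firmware serial
]

def evaluate(paths, vid_pid_allowlist, unit_allowlist):
    """Map each instance path to (vid/pid-only decision, per-unit decision)."""
    out = {}
    for p in paths:
        d = parse_instance_path(p)
        out[p] = (allowed_by_vid_pid(d, vid_pid_allowlist), allowed_by_unit(d, unit_allowlist))
    return out
```

Running `evaluate(SAMPLE_PATHS, ENROLLED_VID_PID, ENROLLED_UNITS)` shows the cloned and serial-less drives accepted by the VID/PID check and rejected by the per-unit check; a device that also copies the serial would defeat the stricter check too, which is why encryption and tracking remain necessary alongside whitelisting.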
At CMMC Level 2 and beyond, regardless of how it is accomplished, there must be some way of controlling the use of removable media on the information system. Another effective protection method to consider is the assignment of a particular removable media item to a privileged user as the “steward” of the information. This practice also helps to satisfy the following Level 3 requirement: ”In this way, it can be ascertained which individual loaded any data found on the given removable media into its storage space, as only one individual has the capacity to decrypt the drive and load data onto it and vice versa. It is clear from the description that the individual assigned to the removable media in question would have to decrypt the contents of the drive if it were deemed necessary to review such information. This requirement may arise due to the suspected or anticipated likelihood of an insider threat or a software/hardware-based threat that may be identifiable based on the contents of such a drive and upon inspection or periodic review.
Regardless of the way that the check is initiated, the decision to search the drive in question – if done in anticipation of an insider threat – should be abrupt such that the “steward” of the information contained on the drive will have no chance to hide any evidence of malicious intentions.
These eventualities and the appropriate precautions should be considered when developing policy regarding the search or investigation of information system users. If, upon review of the environment and requirements, such measures are deemed necessary, management should be involved in the policy development and its enforcement. For the policy to be effective, management will need to have such information readily available. This entails either those managers being able to recall the policy requirements in the scenarios that require them, or at least recalling that there is a policy requirement that relates to a given scenario.
All organization policies will need periodic review. It is imperative that the correct stakeholders have input in this review process. These individuals not only implement and enforce the policy but have a vested stake in the processes that each policy defines. Without their input, these policies often contain misinformation or, at worst, are simply not followed.