Inside Cybersecurity

September 18, 2020

Daily News

Booz Allen aims to help subs, suppliers reach CMMC compliance through evaluating system security

July 27, 2020

Booz Allen Hamilton -- a large prime contractor and industry consultant -- is working with clients and its own subcontractors to help prepare for the Pentagon’s Cybersecurity Maturity Model Certification program through identifying gaps and assisting with remediation.

The firm sees the CMMC program as an extension of its compliance work over the past 75 years, and the program as a new opportunity to help companies understand how they are part of the defense industrial base through the handling of controlled unclassified information.

“A lot of companies didn’t necessarily consider themselves part of the DOD ecosystem are suddenly finding themselves having CMMC applicable to them,” said Brian Klenke, chief information security officer at Booz Allen. “It starts to come down to who comes into contact with what information and the data and the identities that have access to that data which includes the supply chain in its entirety.”

Brian Klenke

Brian Klenke, Chief Information Security Officer, Booz Allen

For example, a bank that provides credit card services to the Defense Department or a pharmaceutical firm that provides lab services to “the Armed Forces in some capacity” would be subject to meeting the controls in National Institute of Standards and Technology Special Publication 800-171, Klenke said.

Klenke spoke with Inside Cybersecurity about how Booz Allen is approaching the CMMC program and preparing for the “evolution” and new “dimensions” that the program will add to preparing the defense industrial base to secure the supply chain.

The maturity levels outlined in CMMC “can be challenging for some companies,” Klenke said. Through Booz Allen’s supply chain outreach program, the company is “reaching out to each of our suppliers to provide information and let them know what is going to be required,” he said.

“Until CMMC, companies like banks or labs would not even be considered part of the DIB.” Klenke said. “They are realizing that they may need help with this or guidance since they are now part of the DIB as CMMC is defining it.”

Through Booz Allen’s data classification program, companies can get insight into how much their data should be protected, said Christopher Smith, a Booz Allen principal who leads the firm’s Commercial Cybersecurity Strategy Capability.

“Data classification puts a protection standard around CUI where we can put information into buckets,” Smith said. “Publicly facing information would get no protection and proprietary information would have the highest level of security. This could also mean that there needs to be network segmentation.”

Booz Allen can also help companies develop a system security plan.

Companies who do business with the Defense Department are required to have an SSP that describes “the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems,” according to NIST 800-171.

Despite current DOD acquisition rules, Smith said “a lot of time companies don’t have that in place.” In order to get certified for CMMC, companies first need to have an SSP in place and go through the “self-assessment process prior to reaching out to a CMMC assessor to go out and look at them,” Smith said.

Smith said the SSP is “a snapshot in time because organizations are continuously going through and maturing their security programs, but at the time that the SSP is done and formalized and signed, that’s where they were.”

The CMMC program eliminates the ability for companies to get certified through a Plan of Actions & Milestones, where if they don’t meet all of the controls outlined in 800-171, they can outline their plans for mitigation and the steps they will take to reach compliance. Now companies will be required to meet all of the controls at the maturity level that they want to achieve to obtain CMMC certification.

“If companies have not gone through the self-assessment process before, we can help them identify gaps and then we can write up remediation efforts that have been identified,” Smith said. “We have a significant amount of expertise around a wide range of security disciplines so if a company has a gap around the area of authentication tools, we have those experts. If it’s in the area of physical security, we have those experts. We can come in and craft a strategy in a partly tactical plan to get it closed for them.”

Booz Allen is also working with its industry partners and the Pentagon to continue to develop the CMMC standard.

“My team participates in a lot of the CMMC working groups and industry working groups,” Klenke said. “We operate at the CISO level down to the working groups making recommendations and industry perspective to the accreditation board and to the various working groups within DOD.”

Klenke said, “We’re in regular contact with our industry peers as this evolves because it certainly impacts all of us and our supply chain so we want to help DOD ensure that it is both relevant and adequate. We want to make sure that the CMMC program is on point and focused and also adequately meeting the needs to safeguard this kind of information.” -- Sara Friedman (