Published 5.3.2024
Author: Rob Teague, CMMC Consultant, PA/PI/CCP/CCA/ISO Lead Auditor
One Cybersecurity Maturity Model Certification (CMMC) requirement for safeguarding Controlled Unclassified Information (CUI) is employing Federal Information Processing Standard (FIPS)-validated cryptography, as mandated by System Communications protection L2-3.13.11 (S.C.L2-3.13.11). This requirement ensures that cryptographic modules meet stringent validation requirements and are certified tested before deployment. However, what happens when updates to critical Security Protection Assets (SPAs), such as firewalls, incorporate encryption that has not yet been validated under the FIPS 140-3 standard?
An example of a FIPS 140-2 validated certificate that organizations must have as part of their documentation.
The Challenge with New Technologies
As Contractors of the Defense Industrial Base (DIB) strive to enhance security measures, they often update SPAs to newer versions that promise improved protection and efficiency. However, these newer firewalls are currently in a limbo of testing for FIPS 140-3 validation, raising concerns about their immediate compliance and the potential risks of deploying unvalidated technologies.
The Assessor’s Dilemma
This scenario presents a dilemma for security assessors: does the use of firewalls with pending FIPS 140-3 validation imply that an organization fails to comply with the required standards? It’s a critical question, as the implications of such a decision could impact an organization’s security posture and compliance status.
A Rational Approach to Compliance – The Solution
The NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, offers a practical resolution in its discussion of “Temporary Deficiencies.” These deficiencies are recognized as a normal part of complex environments where new systems and updates are continually implemented. According to the guidelines:
- Temporary deficiencies should be addressed within plans of action that outline the steps towards remediation. This includes deficiency reviews, setting milestones, and demonstrating progress towards eliminating vulnerabilities.
- For instance, if a previously implemented FIPS-validated cryptographic module is rendered non-compliant due to a new patch, but there is a clear plan to regain compliance, the system can still be scored as “implemented” under the assessment criteria.
Practical Implications and Actions
Organizations are not left to flounder with these interim challenges. Instead, they can document ongoing tests for FIPS 140-3 modules and the expected timeframe for achieving validation. By listing these efforts in their Plan of Actions and Milestones (POA&Ms) as “temporary deficiencies,” they maintain transparency and accountability in managing compliance risks.
The pathway to maintaining and upgrading security systems is often fraught with challenges, particularly when transitioning to newer technologies that are still under assessment. By leveraging the framework provided by NIST SP 800-171, organizations can navigate these waters without compromising their compliance status. Documenting the journey towards full compliance, understanding the scope of temporary deficiencies, and maintaining a proactive stance in remediation are key to achieving a “Met” score in security assessments, thus ensuring that upgrades enhance security without jeopardizing compliance.
This balanced approach underscores the importance of adaptability and vigilant management in the fast-paced realm of cybersecurity compliance. By staying ahead of the curve and adhering to prescribed methodologies, organizations can safeguard CUI effectively while embracing technological advancements.
Book a meeting to start your CMMC journey by filling out the form below