SolarWinds' Category and its Relation to CMMC

SolarWinds has been on our minds and in news feeds for more than a month now. It’s no wonder that attendees of our latest webinar were interested in how this breach – probably the most dramatic hack – relates to the recent changes and adaptation of the emerging Cybersecurity Maturity Model Certification (CMMC).

Max Aulakh, CEO at Ignyte Assurance Platform, is answering our first question about CMMC and SolarWinds in the pilot recording below.

Read the Transcript Here:

Question

Does SolarWinds fall under the commercially available off-the-shelf category?

Answer

Yes, it does.

Question

In that case, would that not be part of the CMMC requirements?

Answer

No, it is not a part of the CMMC requirements. The reason is that COTS (Commercial Off-the-Shelf) products, as defined by FAR rules, fall under totally different legislation outside CMMC authority. Of course, you want to consult a qualified attorney on this matter, as we did during our webinar. My answer will just simply provide you with a backup for where such information can be located. If you go to acquisition.gov you can look up FAR Part 12, and then section 12.212 where it defines the commercial and software items. By searching the word “software”, you’ll be pointed to the same section with the legal definition of computer software, which falls within COTS.

If you are looking for more assurance, like everybody else who’s following the attack on SolarWinds, you can check an approved product list that is not widely known. Cybersecurity professionals like myself, a former Assurance Officer (AO), always checked the DISA Approved Products List (APL) whenever we did our ATO packages (Approval To Operate). It is publicly available and it states all different device types, software types, and vendors. SolarWinds is actually on the DISA APL and it provides a model number, version, expiration date, things like that. The APL certification is very different from CMMC. It’s more software-specific than a generally broad CMMC certification with, what I would say, a loose scope around Controlled Unclassified Information (CUI). It requires actual software testing, ports that it opens up, ports that it closes, source code analysis, things like that. These APL certificates are very closely tied to the software product itself. So if you’re looking for a higher level of assurance this is the first place you should go to. It is not a long list, compared to what the world needs, and what we’re looking for. There are other lists available as well, that I’m going to share with you.

Yet another product certification list is Common Criteria. It has a higher level of assurance for any kind of common criteria certified product. As you can see, all the big guys are here, Microsoft SQL Server, for instance. I did not search for SolarWinds, but this would be another step that I used to perform as an AO to make sure it has a common criteria certification.

The last product e-certification list that is worth mentioning here is FedRAMP. It includes cloud service providers such as Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and of course, Platform-as-a-Service (PaaS). This is a fairly new program compared to the Common Criteria and the Approved Products List mentioned above. Those are more mature and have been on the market for quite some time. There are only over 200 authorized SaaS products registered here at the moment, and I think some of these products are available to the government.

Summary

COTS software products do not equally go through CMMC. COTS product certifications are entirely different, and the legislative authority behind COTS is different as well.

Thank you so much for watching. I’ll be creating more recordings like this. If you have any questions please feel free to send them to us. Have a good day!