As of now, the final rule for the Cybersecurity Maturity Model Certification has been published. The clock is ticking for organizations to make the changes they need to make, adhere to the multi-phase schedule required to achieve certification, and continue their work with the federal government across the board.
As organizations, both large and small, start to dig into this work, it becomes increasingly clear that certain individuals and roles are critical to have on hand. One such role is the FSO, or Facility Security Officer.
BLUF - Bottom Line Up Front
As CMMC 2.0 is implemented, Facility Security Officers (FSOs) play key roles in securing both digital and physical access, safeguarding classified information, and ensuring compliance with NISPOM. FSOs must collaborate with IT and cybersecurity teams, developing security measures and conducting audits. Despite no direct expansion of duties under CMMC, FSOs may need to learn new digital security skills to meet stringent requirements for incident response and risk management. Compliance incurs significant costs, with documentation and flow-down requirements also emphasized.
What are FSOs?
Facility Security Officers are traditionally the people in charge of facility security. In the past, they have primarily been concerned with physical security, from the locks and key systems used throughout the organization to personnel vetting and clearances to compliance with NISP, the National Industrial Security Program.
However, as CMMC 2.0 is rolled out, the role of the FSO has expanded. Today, an FSO may take on more responsibility, including compliance with cybersecurity access controls and other standards. The FSO’s new role often overlaps with that of a chief compliance officer; the two are two sides of the same coin. Modern FSOs are frequently tasked with overseeing the hybrid physical and digital security measures necessary to keep a facility secure, and that means knowing more than just the names on badges and the keys to different doors.
What Are the Primary Responsibilities of the FSO?
When you distill the responsibilities of the facility security officer down into a single line, it would be this: They are responsible for ensuring that classified information within a facility is safeguarded effectively. Typically, they do this by adhering to the rules and compliance standards set out by NISPOM, the National Industrial Security Program Operating Manual, which can be found here.
On the physical side, the FSO has a lot on their plate.
- Reviewing and overseeing various security protocols as laid out in relevant security frameworks.
- Managing individual personnel clearances, including verification of security clearances.
- Managing facility physical access control systems, such as badging and identity verification.
- Conducting training, briefings, and meetings to review security protocols throughout the organization.
- Working with any relevant governmental security agencies, like the DCSA, as necessary.
- Working through frameworks like CMMC and NISPOM to conduct self-audits for compliance verification and continuous monitoring.
- Iterating on and developing the security procedures, policies, and systems the organization must have in place.
- Identifying and reporting on any violations or incidents of security breaches or failure to comply.
- Investigating the results of those breaches, and correcting the policies and procedures involved so that they do not happen again.
This is a lot for an individual to contend with, and that’s all just surrounding the physical security side of operations.
As CMMC rolls out, many FSOs are finding that the pile of work heaped on their plates is increasing. In our increasingly connected, digital, internet-of-things world, physical security, digital security, cybersecurity, and information security all overlap and are conjoined. Sensitive information needs to be secured against both physical access and digital access, and the FSO may find that they have to learn not just about the door locks but also, to give one example, about the password protection on access control systems.
The modern FSO will increasingly be an important figure in overall compliance, playing a role in overseeing, developing, maintaining, and improving overall security, not just physical security. At the end of the day, it’s all about making sure that national security information, classified information, CUI, and anything else meant to be secured is, in fact, secured.
Does CMMC Require FSOs to Expand Their Duties?
Not directly. CMMC does not make specific demands of specific roles; rather, it’s a framework for achieving robust security, encompassing primarily cybersecurity with an overlap in physical security.
FSOs are effectively being roped into an expanded role. However, it’s not always the case that the FSO takes up the mantle of a compliance officer; often, they work closely with IT and cybersecurity teams to develop policies and procedures together.
The truth is that CMMC puts additional restrictions and controls in place for physical access to digital systems. After all, the strongest firewall in the world can’t stop a poorly-trained door guard from letting someone with a badge and a clipboard through security when they shouldn’t, and if someone has physical access to a computer or a server, they can do a lot more than they could from the outside. Physical security, in today’s modern world, is digital security, and vice versa.
What FSOs Need to Know About CMMC
The use of the term “cybersecurity” in CMMC might make some FSOs feel like they don’t need to pay much attention to it; after all, if they’re focused on physical security, cybersecurity is the purview of another team, right?
Truthfully, while CMMC is largely focused on digital security, some elements of cybersecurity overlap or are broad enough to encompass physical security as well. More than that, CMMC also has some specific provisions for certain kinds of physical security, as well as incident response and general risk management, that an FSO will need to know. It’s also important to know that different maturity levels of CMMC will have different requirements.
A company’s FSO will generally need to consider what CMMC does to affect elements of facility security, including:
- Digital access control
- Physical access control with digital systems
- Incident response procedures
- Overall risk management and mitigation
- Protection for CUI and classified information
There are also increasingly strict documentation requirements for both incidents and for general security measures. The new CMMC 2.0 requires third-party auditing from a C3PAO in either the second phase or, in the case of fast-tracked organizations, in the first phase. Documentation is an absolute must-have to pass these audits.
What Role Will FSOs Play in CMMC Certification?
Within the next two years, organizations seeking CMMC certification will have to pass a qualified assessment for their intended level of maturity, with the assessment being conducted by a third-party assessment organization. This is a detailed and intensive process, and many organizations are starting to lay the groundwork for it now, even with the deadline so far in the future. Don’t forget, however, that the first phase – a self-attestation – will need to happen within the first year.
What role will the FSO play in obtaining this certification?
- They will help provide security measure documentation, paperwork, and records necessary to prove both personnel training and physical security implementation.
- They will work with cybersecurity and IT professionals and contractors to conduct internal audits and ongoing monitoring to ensure that practices are followed and policies are effective.
- They will directly address gaps in both training and implementation as identified in internal audits.
- They will participate in the overall auditing process and work with the C3PAO when the time comes to certify.
While most of this is still standard for the FSO, the increased scope can make it all feel like a whole new role.
Do FSOs Need to Learn New Skills for CMMC Compliance?
Possibly.
This generally comes down to how much of a hand the FSO has already had in digital security. In some organizations, digital security and physical security are handled by different people and different teams, and while they work together, they don’t need to know the details of each other’s procedures.
In other organizations, the FSO has essentially already taken on a hybrid role and works with both physical and digital security. In these cases, they are often more akin to a compliance officer with a focus on security.
In either case, FSOs will generally need to gain a more intimate knowledge of where digital security overlaps with physical security and of the policies, procedures, and requirements that CMMC brings to the table regarding incident response, risk management, and related areas. The FSO can’t persist with a sub-standard incident response plan and expect to achieve CMMC certification.
The government offers a training course called the Certified CMMC Professional course, or CCP. This training course is one option for FSOs who want to expand their knowledge and learn what it will require of them to achieve full CMMC compliance within their organizations.
What Areas do FSOs Need to Cover?
The Defense Counterintelligence and Security Agency provides a handy list of types of information that the FSO will generally need to know in order to comply with CMMC. You can find the full list here.
It includes:
- Processing applicants
- Maintaining clearance
- Interim clearance
- Field locations
- NISP and NISP Authorization
- Facility clearances
- FOCI
- CUI
That page is aimed at facility security officers, but it contains a lot of useful general information as well.
What Changes in Facility Security with CMMC 2.0?
As CMMC 2.0 is rolled out and organizations adapt, facilities will see significant changes. While a lot of those changes are “under the hood” in terms of policies and implementations that don’t necessarily have a visible impact, they’re still critical.
One of the biggest changes is that there are likely to be more security controls, including both digital and physical controls, that will need to be implemented. CMMC’s use of an older NIST SP version is also likely to cause some friction in the near future; NIST has updated their security control guidelines, but it hasn’t carried over to the current implementation of CMMC just yet.
Regardless, it means that many facilities will see more tools, more policies, more documentation and recordkeeping requirements, more training, and more services in action. All of this will be necessary to maintain existing DoD and governmental contracts, or win new ones.
Another change is, unfortunately, to budgets. Everything involved in CMMC is costly, both in terms of money and in the time necessary to pursue it. Balancing budgets for compliance will be an ongoing source of stress for many organizations, and it’s also one where the government has no sympathy; they can’t allow small businesses or businesses with thin margins to be security holes.
As we’ve mentioned a lot already, there will also be a lot more overlap between digital and physical security and the requirements associated with compliance. FSOs don’t get to operate in their own corner of the organization; they will have to work closely with digital security and IT teams.
Don’t Ignore Flow Down
Some FSOs may be resting easy because they aren’t working directly with the government and, thus, don’t think they will need to adhere to CMMC. Part of CMMC 2.0, however, is the removal of exclusions and an increase in flow-down requirements.
Companies that don’t work with the government directly, but that work with other companies that do and, as a consequence, handle CUI or classified information, will be required to achieve the same level of compliance as the companies they work with. The DoD no longer allows the further reaches of the supply chain to sacrifice security, as a breach is still a breach no matter where it occurs.
Learning and Preparing for CMMC 2.0 Audits
If you’re an FSO or in another role that will be responsible for the overview and implementation of new CMMC rules, it’s a good time to start getting ahead of the game. Here at Ignyte, we can help in a few different ways.
First, you can browse our blog. We’ve been covering CMMC extensively from a variety of different angles, and many of the common questions are answered in one of our recent posts. You can also leave comments for questions or concerns you have; we can answer directly, or use it to write more resources for everyone.
Second, you can reach out and contact us directly. As one of the certified third-party assessment organizations, we know CMMC inside and out. We can offer some useful guidance on where you might look for additional assistance and resources, or can help you directly.
Third, the Ignyte Platform is an exceptional option for building up your documentation base for audits and self-assessments. Book a demo today, and you will see what it can do for you; we’re sure it will help.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to the defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.