NIST 800-171 & CMMC Kill Chain - A Prioritized Approach

The concept of creating a “Kill Chain” was to create a proof of concept for an efficient way to plan out a roadmap to successfully pass a NIST 800-171 / CMMC assessment. The end result is a viable approach for anyone to use in order to create a prioritized project plan for NIST 800-171 / CMMC pre-assessment activities.

The concept of a kill chain is simply that it is easier to stop and prevent further damage if those malicious activities are discovered earlier, rather than later. When you look at NIST 800-171 / CMMC's zero tolerance for deficiencies, if you have a single deficiency in a process or practice, you will fail your NIST 800-171 / CMMC assessment. Given that reality, the intention of using the NIST 800-171 & CMMC Kill Chain is that if you apply a prioritized, phased approach towards pre-assessment activities, it is possible to avoid rework and cascading failures by addressing dependencies earlier in the process. The bottom line is this model breaks down NIST 800-171 / CMMC in major steps, which can then be translated into a project plan. 

This project was approached from the perspective of, “If I was hired at a company, what would my plan be to start from nothing to get a company to where it could pass an assessment?” All of the NIST 800-171 / CMMC controls are addressed within the NIST 800-171 & CMMC Kill Chain, but it is clear that the prioritization and “bucketing” of practices into phases is a subjective endeavor and not everyone may agree with this approach. Just understand that every organization is different and you will invariably need to modify the approach to fit your specific needs.

There are currently two (2) versions of the Kill Chain:

  1. NIST 800-171 R3; and
  2. CMMC 2.0 / NIST 800-171 R2.

NIST 800-171 R3 Kill Chain

The NIST 800-171 R3 version of the Kill Chain is specific to NIST 800-171 R3.

 NIST 800-171 R3 Kill Chain

Here is information on the twenty-two (22) phases of the NIST 800-171 R3 Kill Chain (these correspond to the picture diagram):

  1. ESTABLISH CONTEXT FOR CYBERSECURITY & DATA PROTECTION. If you fail to establish context (e.g., facts & assumptions), your entire premise for compliance operations may be incorrect and that could lead you down the wrong path. From a due diligence perspective, establishing context for cybersecurity and data protection should be a holistic endeavor to define all applicable laws, regulations and contractual obligations for cybersecurity and data protection. The reason for this is it is better to have a complete understanding of all requirements at the beginning to avoid reworking in the future, which sacrifices both time and resources. This phase has four (4) sub-components:
    1. Define the organization's applicable statutory, regulatory and contractual obligations for cybersecurity and data protection (e.g., DFARS, FAR, ITAR, etc.).
    2. Define what Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI) is for your specific business case (based on the contract).
    3. Identify the necessary People, Processes, Technology, Data & Facilities (PPTDF) that are necessary and appropriately sized.
    4. Develop & implement a resource plan (e.g., business plan, budget, road map, etc.) to meet the organization's unique compliance obligations.
  2. IMPLEMENT GOVERNANCE PRACTICES. With an understanding of what needs protecting and those associated resources, it is possible to implement appropriate governance practices. This phase has two (2) sub-components:
    1. Develop, implement and maintain policies and standards to address applicable statutory, regulatory and contractual obligations.
    2. Prioritize objectives from the resource plan for People, Processes, Technology, Data & Facilities (PPTDF) requirements.
  3. ESTABLISH THE COMPLIANCE SCOPE. For most organization, there are both internal and external components that are in-scope for NIST 800-171. This phase focuses on eliminating assumptions by clearly documenting where CUI is stored, processed and/or transmitted, as well as developing an inventory of third-parties and their associated roles and responsibilities for protecting FCI/CUI. This phase has five (5) sub-components:
    1. Create a Data Flow Diagram (DFD) that shows how CUI flows from the DoD all the way down to subcontractors.
    2. Create and maintain a detailed asset inventory for all systems, applications and services for both in-scope and out-of-scope assets.
    3. Create a detailed network diagram that includes where CUI is stored, transmitted and/or processed.
    4. Inventory External Service Providers (ESP) to determine ESP access to CUI and/or in-scope systems, applications and/or services.
    5. Define roles and responsibilities for internal and external systems, applications and services.
  4. RISK MANAGEMENT PRACTICES. Risk management is the key building block that other practices rely upon. It is infeasible to govern changes and/or assess vulnerabilities, threats, etc. without first having established risk management practices. Risk management practices establish thresholds for acceptable risk for both internal and external stakeholders. This phase has five (5) sub-components:
    1. Develop & implement an organization-wide Risk Management Program (RMP) to identify, assess and remediate risk. POA&M deficiencies to prioritize, resource and remediate.
    2. Document and maintain a Cybersecurity Supply Chain Risk Management (C-SCRM) Plan that is specific to the CUI environment.
    3. Develop and implement acquisition strategies, contract tools, and procurement methods to operationalize the C-SCRM Plan
    4. Enforce C-SCRM requirements across the supply chain.
    5. Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
  5. DOCUMENT THE CUI AND/OR FCI ENVIRONMENT. Documenting the CUI and/or FCI environment primarily focuses on populating the System Security Plan (SSP), which should be thought of as a “living document” where the SSP is never complete, since as changes occur throughout the System Develop Lifecycle (SDLC), the SSP also is updated to reflect current technologies, applicable controls and implementation status. This phase has three (3) sub-components:
    1. Start populating the System Security Plan (SSP). POA&M deficiencies to prioritize, resource and remediate.
    2. Create and maintain a Plan of Action & Milestone (POA&M) to track and remediate deficiencies.
    3. Perform a gap assessment from applicable statutory, regulatory and contractual obligations. POA&M deficiencies to prioritize, resource and remediate.
  6. IDENTIFY COMPLIANCE STAKEHOLDERS. Clearly defined roles and responsibilities are necessary to avoid improper assumptions. For external organizations, this requires contractual obligations to enforce those roles and responsibilities. This has two subcomponent steps:
    1. Identify compliance stakeholders (including control owners and control operators) and formally assign those individuals roles and responsibilities. From a governance perspective, this can be simplified in a Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix.
    2. Work with Human Resources (HR) to ensure personnel security requirements are integrated into HR operations. POA&M deficiencies to prioritize, resource and remediate.
    3. Define and implement processes to securely handle CUI wherever CUI is stored, processed and/or transmitted
    4. Ensure control owners / operators develop, implement and maintain procedures to operationalize the organization's policies & standards.
    5. POA&M deficiencies to prioritize, resource and remediate.
  7. DATA PROTECTION PRACTICES. This involves developing and implementing data protection practices to limit logical and physical access to CUI and/or FCI. POA&M deficiencies to prioritize, resource and remediate.
  8. SEGMENTED NETWORK ARCHITECTURE. This involves implementing a network architecture that ensures it is built on secure engineering principles and enclaves to protect sensitive information (e.g., FCI/CUI). POA&M deficiencies to prioritize, resource and remediate.
  9. CHANGE MANAGEMENT (CM). This involves developing and implementing Change Management (CM) practices, including a Change Control Board (CCB). POA&M deficiencies to prioritize, resource and remediate.
  10. INCIDENT RESPONSE (IR). This involves developing and implementing Incident Response (IR) capabilities to detect, respond and recover from incidents (e.g., Incident Response Plan (IRP)). POA&M deficiencies to prioritize, resource and remediate.
  11. SITUATIONAL AWARENESS (SA). This involves developing and implementing Situational Awareness (SA) capabilities through threat intelligence, log collection and analysis (e.g., SIEM, XDR, etc.). POA&M deficiencies to prioritize, resource and remediate.
  12. SECURE BASELINE CONFIGURATIONS (SBC). This involves developing and implementing Secure Baseline Configurations (SBC) (e.g., hardening standards) for all technology platforms (e.g., servers, workstations, network gear, applications, databases, etc.). POA&M deficiencies to prioritize, resource and remediate.
  13. IDENTITY & ACCESS MANAGEMENT (IAM). This involves developing and implementing Identity & Access Management (IAM) capabilities to address "least privilege" and Role-Based Access Control (RBAC). POA&M deficiencies to prioritize, resource and remediate.
  14. PROACTIVE MAINTENANCE. This involves developing and implementing proactive maintenance practices. POA&M deficiencies to prioritize, resource and remediate.
  15. ATTACK SURFACE MANAGEMENT (ASM). This involves developing and implementing Attack Surface Management (ASM) practices to identify and remediate vulnerabilities. POA&M deficiencies to prioritize, resource and remediate.
  16. IT ASSET MANAGEMENT (ITAM). This involves developing and implementing IT Technology Asset Management (ITAM) practices. POA&M deficiencies to prioritize, resource and remediate.
  17. LAYERED NETWORK DEFENSES. This involves developing and implementing layered network security for Defense-in-Depth (DiD) practices. POA&M deficiencies to prioritize, resource and remediate.
  18. BUSINESS CONTINUITY & DISASTER RECOVERY (BC/DR). This involves developing and implementing Business Continuity / Disaster Recovery (BC/DR) capabilities. POA&M deficiencies to prioritize, resource and remediate.
  19. CRYPTOGRAPHIC KEY MANAGEMENT. This involves developing and implementing cryptographic key management and data encryption capabilities. POA&M deficiencies to prioritize, resource and remediate.
  20. PHYSICAL SECURITY. This involves developing and implementing physical security practices. POA&M deficiencies & document procedures.
  21. SECURITY AWARENESS TRAINING. This involves developing and implementing training & awareness to ensure a security-minded workforce. POA&M deficiencies & document procedures. POA&M deficiencies to prioritize, resource and remediate.
  22. INTERNAL AUDIT (IA). This involves developing and implementing an "internal audit" or Information Assurance (IA) capability to govern controls. POA&M deficiencies & document procedures. POA&M deficiencies to prioritize, resource and remediate.

Background On The Logic Used In The NIST 800-171 R3 Kill Chain Model

Here is a quick explanation on some of the reasoning used for this version of the Kill Chain model:

NIST 800-171 R2 / CMMC 2.0 Kill Chain

The CMMC 2.0 & NIST 800-171 R2 version of the CMMC Kill Chain introduces the theory of constraints as it applies to your technical and business limitations.


CMMC Kill Chain

Here is information on the 23 phases of the NIST 800-171 R2 / CMMC Kill Chain (these correspond to the picture diagram):

  1. Define What CUI Is For Your Specific Business Case. This should be self-explanatory and is based on your contract(s).
  2. Establish The Scope of The CMMC Assessment Boundary. This has four subcomponent steps: (1) Create a Data Flow Diagram (DFD) that shows how CUI flows from the DoD all the way down to subcontractors; (2) Create a detailed asset inventory for all systems, applications and services for both in-scope and out-of-scope assets; (3) Create a detailed network diagram that includes where CUI is stored, transmitted and/or processed; and (4) Inventory Third-Party Service Providers (TSP) to determine TSP access to CUI and/or in-scope systems, applications and/or services.
  3. Document The Environment. This has two subcomponent steps: (1) Start populating the System Security Plan (SSP); and (2) Create a Plan of Action & Milestone (POA&M) to track and remediate deficiencies.
  4. Define The Network Architecture. This involves implementing a network architecture that ensures it is built on secure engineering principles and enclaves to protect sensitive information (e.g., FCI/CUI). POA&M deficiencies & document procedures.
  5. Plan, Identify Gaps & Prioritize Resources. This has six subcomponent steps: (1) Define applicable statutory, regulatory and contractual obligations (including DFARS, FAR, NIST 800-171 and CMMC); (2) Perform a gap assessment from applicable statutory, regulatory and contractual obligations; (3) Develop & implement policies and standards to address applicable statutory, regulatory and contractual obligations; (4) Identify the necessary People, Processes & Technology (PPT) that are necessary and appropriately sized; (5) Develop & implement a resource plan (e.g., business plan, budget, road map, etc.) to meet compliance obligations; and (6) Prioritize objectives from the resource plan for PPT requirements. POA&M any deficiencies from this phase.
  6. Develop Procedures. This has two subcomponent steps: (1) Develop & implement procedures to implement policies & standards; and (2) Define processes to securely handle CUI. POA&M any deficiencies from this phase.
  7. Risk Management. Develop & implement a Risk Management Program (RMP) to identify, assess and remediate risk. POA&M deficiencies & document procedures.
  8. Change Control. Develop & implement change control processes, including a Change Control Board (CCB). POA&M deficiencies & document procedures.
  9. Incident Response. Develop & implement incident response capabilities to detect, respond and recover from incidents. POA&M deficiencies & document procedures.
  10. Situational Awareness. Develop & implement situational awareness capabilities through log collection and analysis (e.g., SIEM). POA&M deficiencies & document procedures.
  11. System Hardening. Identify, build & implement secure baseline configurations (e.g., hardening standards) for all technology platforms. POA&M deficiencies & document procedures.
  12. Centralized Management. Build & implement Group Policy Objects (GPOs) for Microsoft Active Directory (AD). POA&M deficiencies & document procedures.
  13. Identity & Access Management. Develop & implement Identity & Access Management (IAM) to address "least privilege" and Role-Based Access Control (RBAC). POA&M deficiencies & document procedures.
  14. Maintenance. Develop & implement proactive maintenance practices. POA&M deficiencies & document procedures.
  15. Attack Surface Management / Vulnerability Management. Develop & implement Attack Surface Management (ASM) practices. POA&M deficiencies & document procedures.
  16. Asset Management. Develop & implement technology asset management practices. POA&M deficiencies & document procedures.
  17. Personnel Security. Work with Human Resources (HR) to ensure personnel security requirements are integrated into HR operations. POA&M deficiencies & document procedures.
  18. Network Security. Develop & implement network security practices. POA&M deficiencies & document procedures.
  19. Business Continuity. Develop & implement business continuity capabilities. POA&M deficiencies & document procedures.
  20. Cryptography. Develop & implement cryptographic key management and data encryption capabilities. POA&M deficiencies & document procedures.
  21. Physical Security. Develop & implement physical security practices. POA&M deficiencies & document procedures.
  22. Security Awareness Training. Build and maintain a security-minded workforce through training & awareness. POA&M deficiencies & document procedures.
  23. Internal Audit. Build and maintain an "internal audit" or Information Assurance (IA) capability to govern controls. POA&M deficiencies & document procedures.

Background On The Logic Used In The NIST 800-171 R2 / CMMC 2.0 Kill Chain Model

Here is a quick explanation on some of the reasoning used for this version of the Kill Chain model:

Browse Our Products

  • Digital Security Program (DSP)

    Policy, Standards, Controls & Metrics Template - DSP / SCF

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    $9,500.00 - $14,300.00
    Choose Options
  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. CMMC policies & standards. NIST 800-171 policies & standards.

    NIST 800-171 Compliance Program (NCP): CMMC Level 2

    ComplianceForge - NIST 800-171 & CMMC

    NIST 800-171 R2 & R3 / CMMC 2.0 Editable & Affordable Cybersecurity Documentation This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive. Includes...

    $5,200.00 - $10,000.00
    Choose Options

Learn More About Cybersecurity & Data Privacy