MICS Capstone Project Fall 2023

SecuritySage

Problem Statement

"To protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters."

- Department of Defense (DoD)

The CMMC program is the largest and most ambitious cybersecurity compliance framework, aiming to secure the 300,000 companies within the Defense Industrial Base (DIB) and protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Most of these organizations are small businesses without the technical expertise, budget, or time to achieve the compliance necessary to bid for, and maintain, federal contracts that are crucial to their businesses. Organizations Seeking Compliance (OSC) typically work with a Registered Provider Organization (RPO) that will work with the OSC to conduct assessments, provide implementation guidance, and navigate the complexities of the CMMC certification process.

However, security controls need to be implemented before compliance can be assessed, which generally takes 12-18 months. In addition, a shortage of RPOs means that OSCs often face an equally long wait before they can even get started. RPOs spend a few months simply explaining CMMC and basic cybersecurity hygiene while working with OSCs to identify the required CMMC maturity level and the assets that need to be protected, before they can begin to address the implementation and certification requirements.

Solution Description

SecuritySage provides small businesses access to on-demand CMMC expertise by leveraging AI to guide organizations through initial readiness checks, to generate reports to aid self-assessment, and to save time working with consultants.

SecuritySage helps OSCs navigate their CMMC journey and compresses the first few months into a couple of short, self-guided sessions. In particular, this enables non-technical organizations to understand CMMC requirements, develop an asset inventory list, and self-assess for Level 1 compliance. SecuritySage empowers OSCs to start at their own pace and reduces the time RPOs need to spend onboarding, freeing them to focus on implementation and assessments.

CMMC Journey Step 1 - Scoping

The first step of an OSC's journey is to specify the scope. The scope determines which assets within the contractor's environment will be assessed and the details of the self-assessment. Assets that process, store, or transmit FCI are considered in scope, including people, technologies, facilities, and external service providers. SecuritySage guides OSCs through the DoD's scoping assessment, using LLMs to provide an AI chatbot with CMMC expertise (the Scoping Sage) and to generate an asset inventory list from the scoping results.

CMMC Journey Step 2 - Self-Assessment

The next step is the Level 1 CMMC Self-Assessment. SecuritySage's Self-Assessment Sage chatbot can use the asset inventory list and other documentation (such as information security policies) to help OSCs without cybersecurity expertise understand the requirements for compliance and self-assess accurately, with references to supporting evidence.

Last updated: July 16, 2024