In January 2020 the DoD published the Cyber Maturity Model Certification (CMMC) framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Every prime and subcontractor on a supply chain will be audited and certified by the CMMC model. This will require special adjustments made by the companies involved in this supply chain but will help the DoD to avoid future losses due to cyber breaches.
Implementing new security models my impose a challenge in understanding what is the practical impact on your organization and what actions should be taken in order to achieve compliance.
To ease this task, comparing the new model to known frames may help you understand where to begin.
In this post we'll present a comparison between the CMMC model and the CIS 5th Control, to explain which practical measures instructed in the CIS 5th Control should be taken by each level in the CMMC in order to comply with the CMMC demands of baseline hardening.
CIS Control 5.1- Establish Secure Configurations:
Maintain documented, standard security configuration standards for all authorized operating systems and software. This control requires you to follow known hardening benchmarks, such as the CIS Benchmarks or DISA STIGs, and known frameworks, such as NIST 800-53 to secure your environment. In order to establish a secure baseline, you must first design the right policy for your organization. This policy can be based on one of the best practices but must be adjusted to your organization's unique needs and infrastructure structure. Before implementing the policy, it must be tested and approved to cause no damage to your production. When the policy is proved to have no harmful impact on production you can enforce it and make sure to continuously maintain it and remediate any deviation.
The practical requirements form different CMMC levels:
L1- Implement privileges and access control. Limit which user's access only to necessary machines and their privileges only to functions that are essential for their role.
L2- Establish secure baseline configurations and inventories to organizational hardware, software, firmware, and documentation. The secure baseline should be maintained throughout the system development life cycles.
L3- Use advanced methods such as architectural designs, dev techniques, and system engineering principles that will better your ability to secure your information in a baseline configuration perspective. Adding automation to your toolbox may be helpful to enforce and maintain a secured baseline.
CIS Control 5.2- Maintain Secure Images:
Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or an existing system that becomes compromised should be imaged using one of those images or templates. The main challenge here is to keep up with the frequent OS and application updates. As the master image should be stored offline, it might be difficult to update it immediately after every change in production.
The practical requirements from different CMMC levels:
L3- Use advanced methods such as architectural designs, dev techniques, and system engineering principles that will better your ability to secure your information in a baseline configuration perspective. Adding automation to your toolbox may be helpful to enforce and maintain a secured baseline.
CIS Control 5.4- Deploy System Configuration Management Tools:
Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. Hardening your system should be a continuous process, as already proven in the previous requirement. In order to prevent any configuration drifts resulted from intended or unintended changes, configuration settings should be redeployed automatically at scheduled intervals. Using automation to achieve continues remediation can be critical for success.
The practical requirements from different CMMC levels:
L3- Use advanced methods such as architectural designs, dev techniques, and system engineering principles that will better your ability to secure your information in a baseline configuration perspective. Adding automation to your toolbox may be helpful to enforce and maintain a secured baseline.
Levels 1,2,3 of CMMC require different actions in baseline hardening. While L1 only needs to take basic actions of privilege and access control, L2 and above must have a full process of baseline hardening, including the implementation of benchmarks such as the CIS Benchmarks. L3 is required to implement tools and advanced mechanisms to achieve and maintain secure configurations. Addressing these requirements using native tools may impose major challenges. CHS by CalCom is the perfect solution for this matter. CHS will automate your entire hardening process, eliminate your need to perform testing for your policy, and will enforce it directly on your production. CHS will also keep your compliance posture and maintain your infrastructure hardened. For more information, click to download our datasheet.