By Keren Pollack, on December 18th, 2019

The Department of Defense (DoD) is facing severe difficulties when it comes to securing data. The outcomes of covered defense information (CDI) being stolen or manipulated can be devastating. The DoD found one of its weak points in entrusting data and security to outside entities.

In January 2020 the DoD will publish the Cyber Maturity Model Certification (CMMC) framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Every prime and subcontractor on a supply chain will be audited and certified under the CMMC model. This will require special adjustments by the companies involved in this supply chain, but will help the DoD avoid future losses due to cyber breaches.

The CMMC contains 18 domains. Each domain requires 2-9 Capabilities: achievements that ensure cybersecurity within the domain. Each capability contains Practices and Processes: activities that need to be performed in order to achieve the capability.

The CMMC requirements are based on several sources that are considered best practices in cybersecurity. Among those sources are NIST 800-171 rev1, the CERT Resilience Management Model, DIB Direct Inputs, NIST Cybersecurity Framework 1.1 and the CIS Controls.

Contractors will be evaluated based on their implementation of those domains and capabilities. The level of implementation will be rated on a scale of 5 levels (level 1 to 5, 5 being the most secure). The CMMC level requirement is relevant to all contractors, regardless of whether they handle Controlled Unclassified Information (CUI). Various levels of security will be demanded, depending on the services the company provides. The higher the level a company is certified at, the more contracts it will be able to bid on.

 

The CMMC model has 5 levels, each demanding different practices:

Level 1:

*Basic cybersecurity

*Achievable for small companies.

*Subset of universally accepted common practices.

*Limited resistance against data exfiltration.

*Limited resilience against malicious actions.

 

Level 2:

*Inclusive of universally accepted cybersecurity best practices.

*Resilient against unskilled threat actors.

*Minor resistance against data exfiltration.

*Minor resilience against malicious actions.

 

Level 3:

*Coverage of all NIST SP 800-171 rev 1 controls.

*Additional practices beyond the scope of CUI protection.

*Resilient against moderately skilled threat actors.

*Moderate resistance against data exfiltration.

*Moderate resilience against malicious actions.

*Comprehensive knowledge of cyber assets.

 

Level 4:

*Advanced and sophisticated cybersecurity practices.

*Resilient against advanced threat actors.

*Defensive responses approach machine speed.

*Increased resistance against and detection of data exfiltration.

*Complete and continuous knowledge of cyber assets.

 

Level 5:

*Highly advanced cybersecurity practices.

*Reserved for the most critical systems.

*Resilient against the most advanced threat actions.

*Defensive responses performed at machine speed.

*Machine performed analytics and defensive actions.

*Resistant against, and detection of, data exfiltration.

*Autonomous knowledge of cyber assets.

 

91-95% of companies will have to be covered by levels 1-3, and most of them will have to cover level 3. Levels 4-5 are for a small set of companies (fewer than 500).

 

The 18 domains are detailed below with their capabilities and examples of important practices the organization must pay attention to, as they might require changes to its current behavior:

*"New requirement" refers to domains that are not required by NIST 800-171 rev7.

1. Access Control:

Capabilities:

C1: Establish internal system access requirements.

C2: Control internal system access.

C3: Control remote system access.

C4: Identify access requirements for each class of data accessible from the internal network.

C5: Limit processes acting on behalf of authorized users.

Practices:

Level 4 companies seeking to achieve C5 must enforce access control through automated tools.

 

2. Asset Management (new requirement):

Capabilities:

C1: Identify assets.

C2: Develop a common definition for assets.

C3: Identify asset inventory change criteria.

C4: Maintain changes to assets and inventory.

Practices:

Level 1-3 companies seeking to achieve C1 must use software tools to automate and document software within the organization.
This practice will have a big impact, especially on companies trying to achieve level 3 classification, because most companies don’t have sufficient asset management. It is no longer enough to manage your assets by scanning and adding the assets.

 

3. Audit and Accountability:

Capabilities:

C1: Define the content of audit records.

C2: Identify stakeholders.

C3: Define audit storage requirements.

C4: Audit is performed.

C5: Audit information is identified and protected.

C6: Assign staff to review and manage audit logs.

C7: Audit logs are reviewed.

C8: The information collected is distributed to the appropriate stakeholder.

Practices:

Level 1-3 companies seeking to achieve C4 must continuously collect audit logs into a central repository.
This means that using multiple audit repositories is no longer acceptable.

Level 4 companies seeking to achieve C7 must pre-process audit information to identify and act on indicators.

 

4. Awareness and Training:

Capabilities:

C1: The security awareness needs of the organization are identified.

C2: Security awareness activities are conducted for the organization.

C3: The training capabilities for information security-related duties and responsibilities within the organization are identified.

C4: Training is conducted for those with information security-related duties and responsibilities within the organization.

Practices:

Level 1-3 companies seeking to achieve C3 must establish training requirements for infosec duties.

Most companies don’t have those requirements established.

Level 4 companies seeking to achieve C4 must implement cross-training of admins and defensive cyber ops personnel.
Cross-train admins and security teams, making sure each knows the other’s job. If the organization is outsourcing those functions, it must make sure the third-party company is following this practice.

 

5. Configuration Management:

Capabilities:

C1: Establish change management requirements.

C2: Establish configuration management requirements.

C3: Configuration baselines are established.

C4: Change management is performed.

C5: Configuration management is performed.

Practices:

Level 5 companies seeking to achieve C5 must fully automate real-time configuration management, including inventory, configuration identification, verification and enforcement for all connected systems.

Level 1-4 companies seeking to achieve C5 must automate mechanisms to detect misconfigurations.

Both require automated hardening tools to replace the old native configuration tools.

6. Cybersecurity Governance (new requirement):

Capabilities:

C1: Define cybersecurity objectives.

C2: Define cybersecurity critical success factors.

C3: Manage cyber plans.

C4: Manage cybersecurity critical success factors.

Practices:

Level 1-3 companies seeking to achieve C3 must align funding, staffing, and accountability for cybersecurity plans.
Staffing can be internal or outsourced to a third party.

 

7. Identification and Authorization:

Capabilities:

C1: System users, processes and devices are identified before access is granted.

C2: Access is granted to authorized entities.

Practices:

Level 5 companies seeking to achieve C2 must use step-up authentication in response to anomalies.
For example, when a user attempts to log in to a system from a new location or device, an additional authentication method will be required on top of the usual user name and password.

 

8. Incident Response:

Capabilities:

C1: Detect and report events.

C2: Define and maintain the criteria for declaring incidents.

C3: Declare and report incidents.

C4: Escalate incidents to appropriate stakeholders for input and resolution.

C5: Develop and implement a response to a declared incident.

C6: Communicate incident to relevant stakeholder as appropriate.

C7: Manage incident to resolution.

C8: Perform post-incident reviews to determine underlying causes.

C9: Plan incident response.

Practices:

Level 4 companies seeking to achieve C5 must maintain a SOC during business hours with a call response after hours.
This assumes that you have a SOC, either inside your organization or through a third party’s services.

Level 5 companies seeking to achieve C5 must maintain a cyber incident response team that can be deployed to any location within 24 hours.

 

9. Maintenance:

Capabilities:

C1: Maintenance is performed.

C2: Maintenance is controlled.

Practices:

Level 4 companies seeking to achieve C2 must treat all maintenance systems as if they contain the highest level of CUI contained on any system they maintain.
Even if a maintenance system doesn’t maintain systems that contain CUI, it must be treated as if it did.

10. Media Protection:

Capabilities:

C1: Media is identified.

C2: Media is protected.

C3: Media is sanitized.

C4: Media is marked.

C5: Media is protected during transport.

C6: Control the use of removable media in system components.

C7: Prohibit the use of portable storage devices when such devices have no identifiable owner.

C8: Protect the confidentiality of backup CUI at storage locations.

Practices:

Level 1-3 companies seeking to achieve C2 must have a process for implementing cryptographic mechanisms to protect the confidentiality of CUI data at rest.

 

11. Personnel Security:

Capabilities:

C1: Screen personnel.

C2: Protect CUI during personnel actions.

Practices:

Level 4 companies seeking to achieve C1 must have a process for conducting enhanced personnel screening and rescreening on an ongoing basis.

 

12. Physical Protection:

Capabilities:

C1: Identify organizational systems, equipment and respective operating environments that require limiting physical access.

C2: Develop physical access requirements for identified systems, equipment, and operating environments.

C3: Manage physical access requirements for identified systems, equipment and operating environments.

C4: Limit physical access to identified systems, equipment and operating environments based on defined physical security access requirements.

C5: Monitor physical facilities for adherence to physical security access requirements.

Practices:

Level 1-3 companies seeking to achieve C1 must identify systems, equipment, and respective operating environments that require limited physical access.
There’s no definition of what those environments are.

 

13. Recovery (new requirement):

Capabilities:

C1: Manage backups.

C2: Manage information security continuity.

Practices:

Level 1-3 companies seeking to achieve C1 must complete and automate system backups regularly.

Level 4 companies seeking to achieve C1 must ensure all backups have at least one offline backup destination.

 

14. Risk Management (new requirement):

Capabilities:

C1: Determine risk categories, risk sources and risk management criteria.

C2: Document organizational risk.

C3: Identify risk.

C4: Evaluate and prioritize risk based on defined measurement criteria.

C5: Manage risk.

C6: Manage supply chain risk.

Practices:

Level 4 companies seeking to achieve C6 must employ periodic monitoring of the supply chain, including the use of third-party services leveraging publicly available information.

 

 

15. Security Assessment:

Capabilities:

C1: Develop a system security plan.

C2: Manage the systems security plans.

C3: Define control objectives.

C4: Define controls.

C5: Manage controls.

C6: Perform code reviews to identify weaknesses in in-house developed software.

Practices:

Level 1-3 companies seeking to achieve C6 must employ human-performed code reviews to identify areas of concern that require additional improvements.
That is a big ask for small companies.

 

16. Situational Awareness (new requirement):

Capabilities:

C1: Establish threat monitoring requirements.

C2: Implement threat monitoring based on defined requirements.

C3: Establish the requirement for communicating threat information.

C4: Communicate threat information to stakeholders.

Practices:

Level 1-3 companies seeking to achieve C1 must establish threat monitoring procedures.

Level 5 companies seeking to achieve C2 must maintain a dedicated full-time cyber hunting capability.

 

17. System and Communication Protection:

Capabilities:

C1: Define security requirements for systems and communications.

C2: Control communications at system boundaries.

C3: Ensure each system baseline is trusted and unmodified.

Practices:

Level 4 companies seeking to achieve C2 must employ company-controlled protection mechanisms for CUI data when sharing with subcontractors.
Such protection can include encrypting, labeling or any other modification you can make to protect the content and communication.

Level 1-3 companies seeking to achieve C2 must implement DNS filtering.

 

 

18. System and Information Integrity:

Capabilities:

C1: Information system flaws are identified and corrected.

C2: Sources of vulnerability information are identified and monitored.

C3: Malicious content is identified.

C4: Network and system monitoring is performed.

C5: Implement advanced email protection.

Practices:

Level 2 companies seeking to achieve C1 must use automated patch management tools.

 

 

The CMMC is an absolute classification method, meaning that you either have it or you don’t. Each domain’s parameters must be followed flawlessly in order to get your desired level classification. Having said that, there are many overlaps inside each domain and between the domains. Most of your energy will probably be invested in the new domains.