Cybersecurity Maturity Model Certification (CMMC) is a tiered system in which defense contractors, or any organization holding Controlled Unclassified Information (CUI), must be vetted by a third-party assessor on a five-level scale to determine the maturity of their enterprise security. This requires companies that do business with the Department of Defense to protect their data, since it is critical to national security and America’s competitive military edge.
Even though China and other countries have been stealing plans and other intellectual property (IP) for some time now, the defense industrial base has been allowed to sign off on its own audit of compliance with cybersecurity regulations concerning unclassified information.
As cyber theft of IP has continued, it is important to hold contractors to a higher, enforceable standard.
Essentially, CMMC is an expanded, enhanced and enforced version of NIST SP 800-171 compliance. The key differences are:
- Enhanced controls for Levels 4 and 5
- Requirement for third-party audit instead of self-certification
A non-profit organization, the CMMC Accreditation Body, has been established to oversee certification of Third-Party Assessment Organizations (3PAOs), the assessors who will serve as auditors. A certification is expected to be valid for three years.
The 110 security controls established by SP 800-171 are the foundation of the 171 practices across 17 security domains required to reach the highest level of CMMC. Each Request for Proposal (RFP) will state the level of certification required to be awarded the contract. Based on what we know right now, CMMC Level 3 certification is expected to be the de facto standard for most organizations doing business with the DOD, with Levels 4 and 5 reserved for more sensitive projects. The DOD is working on a DFARS rule change to incorporate CMMC into contracts by Fall 2020, although full roll-out is targeted for 2025.
How Can RedSeal Help?
For defense contractors who want to continue to bid and win business, maintaining CMMC standards will now be mandatory. For large organizations, adding CMMC to already existing audit and compliance processes may not be that hard of a lift. However, smaller companies will not have sufficient staff or resources. Therefore, automating and simplifying as much of the process as possible is key to success.
RedSeal’s cyber terrain analytics platform helps automate 67 of the 171 controls mandated by CMMC. Many of the controls are tedious to complete and must be checked repeatedly at specific intervals determined by NIST 800-171. By using RedSeal, your team can quickly identify where your network has drifted out of compliance and rapidly remediate the identified misconfigurations, without having to pore over hundreds of spreadsheets or review tens of thousands of lines of firewall rules and access control lists to determine whether you are still compliant.
Additionally, when it comes time for re-certification, you can rest assured that your company is prepared for the audit, because RedSeal has been continuously monitoring the configuration state of those 67 controls. This lets your network and cybersecurity teams use their time efficiently, keeping the business prepared and mission ready.
This comprehensive, continuous inspection allows RedSeal to report a risk-based audit of a network and then continuously monitor its security posture. Operators, analysts, and members of your leadership team can track how defensive operations are trending over time via RedSeal’s Digital Resilience Score, which also measures vulnerability management, secure configuration management, and overall understanding of the network.
RedSeal’s platform shows you what is on your network, how it’s connected, and the full context of the associated risk. With RedSeal, you can visualize end-to-end access, intended and unintended, between any two points of the network to accelerate incident response. This visualization includes detailed access and attack paths for individual devices in the context of exploitable vulnerabilities to speed decision making during a mission.
RedSeal builds a complete model of your network—including cloud, SDN, and physical environments—using configuration files retrieved either dynamically or completely offline. It brings in vulnerability and all available endpoint information. Your teams will be able to validate that network segmentation is in place and configured as intended. RedSeal checks all network devices to see if they comply with industry best practices and standards such as DISA STIGs and NIST guidelines. This proactive automation greatly reduces audit prep time (CCRI, others) and assists with speedy and better informed remediation.
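To make the "drifted out of compliance" idea above concrete, here is an added example (not RedSeal's code, and not based on its product) of the simplest form of the check: a baseline of expected and forbidden configuration lines is applied to each device's configuration file, and any device whose lines disagree with the baseline is reported as drifted. The device names, the Cisco IOS-style configuration syntax, and the baseline checks are all constructed for illustration; the mapping of each check to a specific NIST SP 800-171 practice number is left as an assumption for the reader to supply from their own control mapping.

```python
"""Minimal configuration-drift check against a compliance baseline.

Constructed example: the device configs, device names and baseline below
are hypothetical and are not RedSeal's code or data. Configuration syntax
is Cisco IOS-style, chosen only because it is widely recognisable.
"""
import re
from dataclasses import dataclass

# Constructed sample configurations for two hypothetical devices.
CONFIGS = {
    "edge-fw-01": """\
hostname edge-fw-01
ip ssh version 2
no ip http server
banner motd ^Authorized use only^
line vty 0 4
 transport input ssh
 exec-timeout 10 0
""",
    "core-sw-07": """\
hostname core-sw-07
ip http server
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
""",
}


@dataclass(frozen=True)
class Check:
    name: str            # short identifier used in the report
    pattern: str         # regex applied to each config line
    expect_present: bool # True: a matching line must exist; False: it must not
    note: str            # why the setting matters


# Hypothetical baseline. The NIST SP 800-171 practice each check supports
# is deliberately not named here; that mapping is an assumption the
# organisation maintains in its own control matrix.
BASELINE = [
    Check("ssh-v2-enforced", r"^ip ssh version 2$", True,
          "remote administration must use SSH version 2"),
    Check("no-telnet-on-vty", r"^\s*transport input .*\btelnet\b", False,
          "telnet sends administrator credentials in cleartext"),
    Check("http-server-disabled", r"^ip http server$", False,
          "unencrypted management interface must be off"),
    Check("login-banner-present", r"^banner motd ", True,
          "system-use notification banner required"),
    Check("session-timeout-set", r"^\s*exec-timeout 0 0$", False,
          "exec-timeout 0 0 disables the idle-session timeout"),
]


def evaluate(config: str, baseline=BASELINE) -> dict[str, bool]:
    """Return {check name: passed} for one device configuration."""
    lines = config.splitlines()
    results = {}
    for check in baseline:
        found = any(re.search(check.pattern, line) for line in lines)
        # The check passes when presence matches the baseline's expectation.
        results[check.name] = (found == check.expect_present)
    return results


def drift_report(configs=CONFIGS, baseline=BASELINE) -> dict[str, list[str]]:
    """Return, per device, the names of failing checks (empty list = compliant)."""
    return {
        device: [name for name, ok in evaluate(cfg, baseline).items() if not ok]
        for device, cfg in configs.items()
    }


if __name__ == "__main__":
    notes = {c.name: c.note for c in BASELINE}
    for device, failing in drift_report().items():
        if not failing:
            print(f"{device:12s} COMPLIANT")
            continue
        print(f"{device:12s} DRIFT")
        for name in failing:
            print(f"    - {name}: {notes[name]}")
```

Run as a script, the first device passes every check and the second is reported with all five findings. In practice the interesting engineering is in the inputs rather than the matching: configurations have to be collected from every device on a schedule, normalised across vendors, and compared against a baseline that is itself version-controlled, which is the part a platform automates and a spreadsheet cannot.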
RedSeal provides the DOD, as well as commercial, civilian, and intelligence organizations, with real-time understanding and a model of their cyber terrain so they can discover, detect, analyze, and mitigate threats and deliver resilience to the mission.