At Rimstorm, government cybersecurity compliance is our specialty. We realize the importance of this area for numerous organizations, and assist with compliance for not only CMMC, but also NIST 800-171 and HIPAA.
CMMC, or the Cybersecurity Maturity Model Certification, is the most recent certification created to protect the Defense Industrial Base. It contains five levels ranging from Basic Cyber Hygiene (Level 1) up through Advanced/Progressive (Level 5), and for many contractors the most important of these will be Level 3, because it is the minimum level required for contracts under which a contractor stores, processes or transmits Controlled Unclassified Information (CUI). Naturally, many of our clients are concerned primarily with this level.
What are the general requirements for Level 3 compliance under CMMC, and what does it take to achieve them? In addition, how are they similar to DFARS clause 252.204-7012 (the Defense Federal Acquisition Regulation Supplement safeguarding clause, commonly called DFARS 7012), how do they differ, and which additional practices must be implemented on top of NIST SP 800-171 for those in this position? Here's a primer.
Basic CMMC Level 3 Compliance Requirements
As we'll get to more specifically in subsequent sections, many of the practices found in Levels 1-3 of CMMC are the same as those in the existing NIST SP 800-171 and DFARS 7012 requirements. NIST SP 800-171 contains 110 security requirements for protecting CUI; CMMC Level 3 adds 20 more practices on top of those, for 130 practices in total, and also requires maturity processes (at Level 3, each practice domain must be covered by an established, maintained and resourced plan, not just implemented ad hoc).
For those who are already in compliance with DFARS 7012 and NIST 800-171, here are a few of the most notable areas you should be looking into with regard to CMMC Level 3 compliance:
- Backups: Contractors hoping for CMMC Level 3 certification must be able to back up and restore data through methods that are comprehensive and have actually been tested. A backup that has never been restored does not count; keep records of restore tests as evidence for the assessor.
- Technical solutions: For logging, monitoring, incident response and reporting capabilities, a SIEM or comparable centralized log management solution must be in place, with CUI systems actually forwarding their logs to it.
- Filtering: DNS filtering, spam protection and email sandboxing must all be in place to guard against malicious traffic and malicious mail.
- Risk management: Unsupported (end-of-life) products must be identified and managed separately, with network restrictions where needed, and risk assessments must be performed to identify major security vulnerabilities.
Similarities with DFARS 7012
As we noted, there are several distinct similarities between the new CMMC guidelines and DFARS 7012. In particular, here are the three key basic requirements they share:
- Security: CMMC Level 3 includes the 110 security requirements laid out in NIST SP 800-171, plus the 20 additional practices mentioned earlier.
- Flowdown of contracts: It's not just the prime contractor who must meet DFARS and CMMC requirements; so must all subcontractors and vendors who handle CUI, though a subcontractor that does not receive CUI may only need a lower CMMC level.
- Reporting: If a cyber incident takes place, DFARS 7012 requires rapid reporting to DoD (within 72 hours of discovery, through the DIBNet reporting portal). Affected system images and monitoring data must be preserved, and on request DoD must be given access to the environment for forensic analysis, including cloud tenants and other cloud systems that were involved in handling CUI.
Practices to Implement Under NIST 800-171
Generally speaking, although CMMC will be the governing set of practices moving forward, an organization that has not already met NIST SP 800-171 cannot reach CMMC Level 3, since all 110 of its requirements are included at that level. While it won't be explicitly covered in this article, meeting NIST SP 800-171 should be the basic first step here, and our team will be happy to assist you with this.
Once NIST SP 800-171 compliance is in place, there are 20 additional practices (roughly 10 technical and 10 procedural) required for CMMC Level 3. Again, while we won't dig into each and every one of these here, our team will go over them with you in detail if you work with us. Here are some examples of the kinds of practices that must be implemented on top of NIST SP 800-171 to reach CMMC Level 3 (CMMC v1.0 practice numbers in parentheses):
- Complete, comprehensive and resilient data backups are performed regularly, as defined by the organization (RE.3.139).
- Events are analyzed and triaged to support event resolution and incident declaration (IR.2.094).
- Procedures for the handling of CUI data are fully defined (AM.3.036).
- Non-vendor-supported products (for example, end-of-life software) are managed separately and restricted as necessary to reduce risk (RM.3.147).
- DNS filtering services are implemented (SC.3.192).
- Spam protection mechanisms are in place at information system access entry and exit points (SI.3.218).
Here are some of the solution sets that can be used to reach Level 3 compliance within CMMC:
- SIEM solutions (for meeting the logging, monitoring and incident response requirements): LogRhythm, LogVault, AlienVault, Splunk, Microsoft Azure Government Sentinel, and others.
- Data backup and storage solutions (must meet FedRAMP Moderate standards and must be able to back up Office 365 GCC High or GCC): AvePoint, Veeam, Azure Backup.
- Spam and email protection: Cisco Email Security, Microsoft Office 365 GCC High Exchange Online Protection and Defender, Proofpoint, FireEye, Barracuda.
- DNS filtering: OpenDNS, Webroot, Cisco Umbrella, Palo Alto DNS Security Service, TitanHQ.
Defense contractors subject to DFARS 7012 will need to meet CMMC Level 3 if CUI is stored, processed or transmitted on their systems.
An easier path, of course, is to use our GovCon Enclave™, which includes a SIEM, IDS, policies, logging and the other components listed above.
For more on assistance with CMMC compliance, or to learn about any of our managed security services, speak to the staff at Rimstorm today.