CYBERSECURITY MATURITY MODEL CERTIFICATION: Hype or Help?
Alan Frost, CISSP
Agenda
◦ Overview
◦ Intended Use
◦ Latest Status
◦ Auditor Certification
◦ Conclusion
MODEL OVERVIEW
Objectives
◦ Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) reviewed and combined various cybersecurity standards into one unified standard for cybersecurity.
◦ The CMMC levels range from basic hygiene to “State-of-the-Art”.
◦ Must be semi-automated and, more importantly, cost effective enough so that Small Businesses can achieve the minimum CMMC level of 1.
◦ The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector.
◦ A neutral 3rd party will maintain the standard for the Department.
CMMC Model Overview
◦ Comprised of:
  ◦ 17 capability domains; 43 capabilities
  ◦ 5 processes across five levels to measure process maturity
  ◦ 171 practices across five levels to measure technical capabilities

CMMC Level   Practices   Processes
Level 1      17          -
Level 2      55          2
Level 3      58          1
Level 4      26          1
Level 5      15          1
Model Structure
◦ Domains (17)
◦ Processes: spanning 5 levels per domain
◦ Capabilities: one or more, spanning 5 levels per domain
◦ Practices: one or more, spanning 5 levels per domain
CMMC Domains & Comparison to RMF
◦ Access Control
◦ Asset Mgt
◦ Audit & Accountability
◦ Awareness & Training
◦ Configuration Mgt
◦ Identification & Authentication
◦ Incident Response
◦ Maintenance
◦ Media Protection
◦ Personnel Security
◦ Physical Protection
◦ Planning
◦ Program Mgt
◦ Recovery (similar CP)
◦ Risk Mgt
◦ Security Assessment
◦ Situational Awareness
◦ System & Comm Protection
◦ System & Info Integrity
◦ System & Services Acq
Processes

Maturity Level   Level Description   Processes
ML 1             Performed           None
ML 2             Documented          Establish a policy for each domain; document practices for each domain
ML 3             Managed             Establish, maintain & resource a plan for each domain
ML 4             Reviewed            Review & measure domain activities for effectiveness
ML 5             Optimizing          Standardize & optimize a documented approach for all domains across the enterprise
Levels of Maturity
Level 1: Performed; Basic cyber hygiene
  Compliance: FAR 38 CFR 52.204-21
  Level Objective: Safeguarding FCI
Level 2: Documented; Intermediate cyber hygiene
  Compliance: FAR 38; (48) NIST 800-171 r1 practices; (7) CMMC practices
  Level Objective: Transitioning to CUI
Level 3: Managed; Good cyber hygiene
  Compliance: FAR 38; All NIST 800-171 r1 practices; (20) CMMC practices
  Level Objective: Protecting CUI
Level 4: Reviewed; Proactive
  Compliance: FAR 38; All NIST 800-171 practices; (11) NIST 800-171B practices; (15) CMMC practices
  Level Objective: Increased CUI protection
Level 5: Optimizing; Advanced/Progressive
  Compliance: FAR 38; All NIST 800-171 practices; (4) NIST 800-171B practices; (11) CMMC practices
  Level Objective: Reduced APT risk
Practices per Level (stacked bar chart; cumulative practice counts)
◦ Level 1: 17 practices
◦ Level 2: 72 practices (17 + 55)
◦ Level 3: 130 practices (72 + 58)
◦ Level 4: 156 practices (130 + 26)
◦ Level 5: 171 practices (156 + 15)
Example: Audit & Accountability

Capability C010: Review and manage audit logs
Practices by level (no practices at Level 1 or Level 5 for this capability):
◦ Level 2, AU.2.044: Review audit logs.
  Sources: CMMC; CIS Controls v7.1 6.7; NIST CSF v1.1 PR.PT-1; CERT RMM v1.2 COMP:SG3.SP1; NIST SP 800-53 Rev 4 AU-6
◦ Level 3, AU.3.051: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
  Sources: NIST SP 800-171 Rev 1 3.3.5; CIS Controls v7.1 6.6, 6.7; NIST CSF v1.1 DE.AE-3; CERT RMM v1.2 COMP:SG3.SP1; NIST SP 800-53 Rev 4 AU-6(3)
◦ Level 3, AU.3.052: Provide audit record reduction and report generation to support on-demand analysis and reporting.
  Sources: NIST SP 800-171 Rev 1 3.3.6; NIST CSF v1.1 RS.AN-3; CERT RMM v1.2 COMP:SG3.SP2; NIST SP 800-53 Rev 4 AU-7
◦ Level 4, AU.4.053: Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
  Sources: CMMC; CIS Controls v7.1 6.6; NIST CSF v1.1 DE.AE-3; NIST SP 800-53 Rev 4 SI-4(2)
◦ Level 4, AU.4.054: Review audit information for broad activity in addition to per-machine activity.
  Sources: CMMC; NIST CSF v1.1 PR.PT-1; NIST SP 800-53 Rev 4 RA-5(6), RA-5(8), RA-5(10)
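The Level 2 through Level 4 practices in this table, as an added Python example that is not part of the slide deck or of the CMMC model itself: constructed sample login records are run through one function per practice (AU.3.052 reduction, AU.3.051 correlation, AU.4.054 broad cross-host review, AU.4.053 automated analysis), which makes the jump from per-machine review to enterprise-wide automated review concrete. The record format, event names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample audit records (not real data), one key=value event per line.
SAMPLE_LOG = """\
host=web01 user=alice event=LOGIN_FAIL
host=web01 user=alice event=LOGIN_FAIL
host=web01 user=alice event=LOGIN_FAIL
host=web01 user=alice event=LOGIN_OK
host=web02 user=svc_backup event=LOGIN_FAIL
host=db01 user=svc_backup event=LOGIN_FAIL
host=app01 user=svc_backup event=LOGIN_FAIL
host=app01 user=bob event=LOGIN_OK""".splitlines()

def parse(lines):
    """Turn key=value records into dicts; records missing a field are skipped."""
    recs = [dict(kv.split("=", 1) for kv in ln.split() if "=" in kv) for ln in lines]
    return [r for r in recs if all(k in r for k in ("host", "user", "event"))]

def reduce_by_host(records):
    """AU.3.052 (L3): audit record reduction - event counts per host for a report."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["host"], r["event"])] += 1
    return dict(counts)

def correlate_fail_then_success(records, min_fails=3):
    """AU.3.051 (L3): correlate records - a failure streak then a success, same user and host."""
    streak, findings = defaultdict(int), []
    for r in records:
        key = (r["host"], r["user"])
        if r["event"] == "LOGIN_FAIL":
            streak[key] += 1
            continue
        if r["event"] == "LOGIN_OK" and streak[key] >= min_fails:
            findings.append(("fail_then_success",) + key)
        streak[key] = 0  # any non-failure event ends the streak (assumed rule)
    return findings

def broad_activity(records, min_hosts=3):
    """AU.4.054 (L4): look across machines - one account failing on many distinct
    hosts, a pattern that a per-host review like reduce_by_host() cannot see."""
    hosts = defaultdict(set)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            hosts[r["user"]].add(r["host"])
    return [("multi_host_failures", u, len(h)) for u, h in hosts.items() if len(h) >= min_hosts]

def automated_review(lines):
    """AU.4.053 (L4): run the checks with no analyst in the loop and return indicators."""
    recs = parse(lines)
    return correlate_fail_then_success(recs) + broad_activity(recs)
```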
INTENDED USE
Intended Use
◦ The required CMMC level (1 to 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
◦ The CMMC will include a center for cybersecurity education and training.
◦ The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
◦ Compliance
  ◦ DFARS 252.204-7012, Protecting Controlled Unclassified Information (CUI)
  ◦ NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  ◦ NIST 800-171B (Draft), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
LATEST STATUS
Cybersecurity Maturity Model Certification (CMMC)
◦ Current version is 1.0, released 31 JAN 20.
◦ Next version will be v1.02, release date TBD.
◦ Updating documentation for CMMC Model v1.0 to correct administrative errors.
◦ More accessible version of the model (i.e. tabular format in Excel).
◦ No substantive or critical changes to the model relative to v1.0.
CMMC Enforcement Timelines
◦ The current timelines (as of May 2020) are:
  ◦ Mid 2020: 3rd party auditors begin applying for accreditation
  ◦ Late 2020: DoD contractors start getting audited
  ◦ Early 2021: New Requests for Proposals (RFPs) begin requiring CMMC certification
CMMC Updates from OSD A&S
CMMC Third Party Assessment Organizations (C3PAOs) and CMMC Training
◦ Requirements for becoming a CMMC Third Party Assessment Organization (C3PAO) are not yet established.
◦ There are no third-party entities at this time that have been credentialed to conduct a CMMC assessment.
◦ Only training materials or presentations provided by the Department will reflect the Department’s official position with respect to the CMMC program.
FAQs
◦ How will my organization become certified?
  ◦ The CMMC Accreditation Body (AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors.
  ◦ The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs.
  ◦ DIB companies will be able to select an approved C3PAO and schedule a CMMC assessment for a specific level.
◦ Will there be a self-certification?
  ◦ No. DIB companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment.
◦ Who will perform CMMC assessments?
  ◦ Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.
◦ How often does my organization need to be reassessed?
  ◦ In general, a CMMC certificate will be valid for 3 years.
◦ What if my organization cannot afford to be certified?
  ◦ The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.
AUDITOR CERTIFICATION
CMMC-AB Credentialled Professionals Hierarchy
CMMC-AB Credentials
◦ CMMC-AB Certified Professional (CP)
  ◦ Baseline course that all CMMC professionals will take.
  ◦ Pre-requisite for other CMMC-AB certifications.
  ◦ Cannot certify a contractor’s network for CMMC, but can advise and help remediate prior to an audit.
◦ CMMC-AB Certified Assessor Maturity Level 1 (CA1)
  ◦ Requires a test.
  ◦ Allows assessment of systems up to Level 1.
◦ CMMC-AB Certified Assessor Maturity Level 3 (CA3)
  ◦ Requires more experience and will be more difficult to obtain.
  ◦ Can certify organizations for CMMC Level 1, 2, or 3.
◦ CMMC-AB Certified Assessor Maturity Level 5 (CA5)
  ◦ Must have achieved all lower levels.
  ◦ Intent is to have many professionals at lower levels and fewer at higher levels.
  ◦ Training/certification cost will increase as the levels increase.
  ◦ Can certify organizations for CMMC Level 1, 2, 3, 4, or 5.
Resources
◦ Official presentation to introduce CMMC: https://www.ndia.org/-/media/sites/policy-issues/cmmc-brief.pdf
◦ Official homepage for CMMC: https://www.acq.osd.mil/cmmc/index.html
◦ Official homepage of the CMMC Accreditation Body: https://www.cmmcab.org/
◦ CMMC Audit Preparation: https://www.cmmcaudit.org/
HYPE OR HELP?