Cybersecurity Maturity Model Certification (CMMC)
Everything you need to know about assessments, assessors and getting certified

What is the CMMC framework?
The Department of Defense (DoD) supply chain and the Defense Industrial Base (DIB) it supports are continuously under threat by malicious actors. The theft of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) doesn’t just stifle innovation and undercut U.S. technical advantages, it significantly increases the risk to national security.
To reduce this risk, the DoD released the CMMC framework, which is intended to assess and enhance the cybersecurity posture of the more than 300,000 companies that contribute towards the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.
Inside the CMMC requirements
Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 are specified in NIST SP 800-171 Rev. 2. Additional practices and processes are drawn from other standards, references and sources, such as:
» NIST SP 800-53
» Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
» Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2
CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels.
Pre-Register: Become a CMMC Certified Professional!
CMMC timeline: When will you be affected?
(Timeline graphic. Milestones shown, with dates ranging from JAN 2020 through 2022-2025 and some still TBD:)
» CMMC version 1.0 released
» CMMC exam development begins
» CMMC Accreditation Body (CMMC-AB) selects 72 candidates for Provisional Assessor program
» Infosec approved as one of the first CMMC-AB Licensed Partner Publishers (LPP)
» Infosec approved as one of the first CMMC-AB Licensed Training Partners (LTP)
» Beta versions of CCP, CCA-1 and CCA-3 exams available
» First Certified CMMC Instructors (CCI) start training
» Infosec launches Certified CMMC Professional (CCP) training
» Full release of CCP, CCA-1 and CCA-3 exams
» Infosec launches Certified CMMC Assessor Level 1 (CCA-1) training
» Infosec launches Certified CMMC Assessor Level 3 (CCA-3) training
» Beta versions of CCA-5 exam available
» Infosec launches Certified CMMC Assessor Level 5 (CCA-5) training
» Phased rollout continues until all DoD contracts require CMMC certification
Understanding the 5 CMMC maturity levels
The CMMC framework contains five maturity levels, with Level 5 being the highest. The processes and practices required for each level are aligned around:
» Level 1: Safeguarding Federal Contract Information (FCI)
» Level 2: Transitioning towards protecting Controlled Unclassified Information (CUI)
» Level 3: Protecting CUI
» Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs)
Organizations must demonstrate both the institutionalization of processes and the implementation of practices to achieve a certification level. For example, if an organization demonstrates Level 3 practices but only Level 2 processes, they will be classified overall as Level 2.
CMMC by the numbers
Graphic adapted from CMMC-AB.

Level     Processes (maturity)   Practices (focus)            Processes   Practices
Level 1   Performed              Basic cyber hygiene          0           17
Level 2   Documented             Intermediate cyber hygiene   2           55
Level 3   Managed                Good cyber hygiene           1           58
Level 4   Reviewed               Proactive                    1           26
Level 5   Optimizing             Advanced / progressive       1           15

CMMC levels are cumulative. To achieve Level 5, an organization must demonstrate all 5 processes and 171 practices included in the framework. The 171 practices span 17 domains (e.g., access control, incident response).
CMMC Professionals (CCP)
The Certified CMMC Professional (CCP) is the first step in the CMMC career path. In addition to being a prerequisite for Certified CMMC Assessor (CCA) or Certified CMMC Instructor (CCI), it also certifies you as a valuable resource for consulting agencies, CMMC Third-Party Assessor Organizations (C3PAOs) and organizations needing CMMC support and guidance.
Ready to get certified?
CCP requirements
» College degree in a technical field or other equivalent experience (including military), or at least two years in cyber or information technology
» Get CMMC-AB approval of your submitted application
» Complete CCP training from an LTP (Licensed Training Provider), such as Infosec
CCP benefits
» Participate as an assessment team member under the supervision of a CCA
» Work towards becoming a CCA or CCI
» Validate your training and understanding of the CMMC for clients and employers
» Use the CCP logo and be listed in the CMMC-AB Marketplace
How to become a Certified CMMC Professional
1. Verify you meet prerequisites
2. Apply online to become a CCP
3. Get application evaluated and approved
4. Sign code of professional conduct
5. Attend CCP training from a Licensed Training Provider
6. Take and pass the CCP exam
7. Become a Certified CMMC Professional (CCP)
Check out our Certified CMMC Professional training page to learn more.
CMMC Assessor (CCA)
Certified CMMC Professionals (CCP) can apply to become a Certified CMMC Assessor Level 1 (CCA-1), the first of three assessor levels (1, 3, 5) available on the CMMC Assessor career path:
1. Certified CMMC Assessor Level 1 (CCA-1)
2. Certified CMMC Assessor Level 3 (CCA-3)
3. Certified CMMC Assessor Level 5 (CCA-5)
Ready to get certified?
CCA-1 requirements
» Earn your CCP
» Be a U.S. Person (Green card is acceptable); U.S. citizenship is required to participate as a team member on maturity level 2 (ML-2) assessments
» Have or gain a favorably adjudicated Tier 3 background check; or possess a NAC (National Agency Check), DHS Suitability credential or other DoD accepted clearance (required to participate on ML-2 or higher assessment teams)
CCA-1 benefits
» Conduct CMMC maturity level 1 (ML-1) assessments
» Supervise CCPs in the conduct of ML-1 assessments
» After completing 3 assessments:
  » Use the CMMC CCA-1 logo
  » Get listed in the CMMC-AB Marketplace
How to become a Certified CMMC Assessor Level 1 (CCA-1)
1. Verify you meet prerequisites
2. Apply online to become a CCA-1
3. Pass background check (or meet other requirements)
4. Attend CCA-1 training from a Licensed Training Provider
5. Take and pass the CCA-1 exam
6. Pay CCA-1 annual certification fee and sign license agreement
7. Schedule CMMC-AB staff to observe your first assessment
8. Conduct first assessment (under contract with C3PAO)
9. CMMC-AB observer reports on your performance
10. Become a Certified CMMC Assessor Level 1 (CCA-1)
Check out our Certified CMMC Assessor Level 1 (CCA-1) training page to learn more.
Organizations seeking certification (OSC)
CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored. CMMC-AB estimates the certification process will take at least six months.
How to get your organization CMMC certified
1. Identify scope (organization, segment or enclave)
2. Identify desired maturity level to bid on contracts
3. Pre-assess using a Registered Provider Organization (RPO) or CMMC Third-Party Assessor Organization (C3PAO) (optional)
4. Close any identified gaps
5. Schedule and complete assessment with a C3PAO
6. Resolve any findings within 90 days
7. CMMC-AB reviews the submitted assessment
8. If approved, get a 3-year CMMC certification
Want to learn more about CMMC?
Enroll in Infosec’s Certified CMMC Professional (CCP) Boot Camp to get a comprehensive overview of the CMMC requirements as well as practical recommendations and tools for achieving CMMC certification for your organization.
Keep an eye on the Infosec CMMC page for the latest CMMC updates, announcements and training resources — and be one of the first organizations to get certified!
CMMC resources
The CMMC assessment process is outlined in guides available on the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) website:
» CMMC Level 1 Assessment Guide (editable)
» CMMC Level 3 Assessment Guide (editable)
» CMMC Level 5 Assessment Guide (coming soon)
Other resources
» CMMC Model v1.02, its appendices and appendices in tabular form
» CMMC Model Errata v1.0
» CMMC Glossary (editable)
CMMC assessment overview
Certification provides assurance of practices and processes
Certified Assessors use the same assessment methods for each contractor. Once a contractor is assessed and certified at a level, other entities (e.g., government sponsors and prime contractors looking to hire subcontractors) have assurance the certified contractor meets CMMC practices and processes.
Methodology is the same regardless of size
The CMMC assessment methodology follows a data-centric security process that applies the practices equally, regardless of the contractor’s size, constraints or complexity. All CMMC levels are achievable by small, medium and large contractors.
Assessment scope is pre-determined by the OSC and C3PAO
Prior to a CMMC assessment, the contractor must define the scope for the assessment that represents the boundary for which the CMMC certificate will be issued. Additional guidance on assessment scope will be available in the next version of the CMMC Assessment Guides.
CMMC assessment criteria and methodology
The CMMC assessment procedure is defined in NIST SP 800-171A Section 2.11 and includes:
» Assessment objects: Things a Certified Assessor will investigate
» Assessment actions: How the Certified Assessor will investigate those objects
» Assessment objectives: Determination statements related to the CMMC practice or process being assessed
CMMC assessment objects
Specifications: Document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
Mechanisms: The specific hardware, software or firmware safeguards employed within a system.
Activities: The protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan and monitoring network traffic).
Individuals: Individuals, or groups of individuals, are people applying the specifications, mechanisms or activities described above.
CMMC assessment actions
Certified Assessors must select at least two of the three following actions as they collect evidence for each assessment objective:
» Interviews tell the Certified Assessor what the contractor staff believe to be true.
» Documentation provides evidence of intent.
» Testing demonstrates what has or has not been done.
Interview
The Certified Assessor has discussions with individuals within an organization to understand if a practice or process has been addressed.
Interviews of applicable staff (possibly at different organizational levels) determine if:
» CMMC practices or processes are implemented
» Adequate resourcing, training and planning have occurred for individuals to perform the practices
Examine
The Certified Assessor can review, inspect, observe, study or analyze assessment objects (documents, mechanisms or activities).
Documents need to be in their final forms (drafts are not eligible) and include:
» Policy, process and procedure documents
» Training materials
» Plans and planning documents
» System-level, network and data flow diagrams
Test
The Certified Assessor will determine which practices or objectives within a practice need demonstration or testing. Not all practices will require testing.
For example:
» Contractor staff may talk about how users are identified
» Documentation may provide details on how users are identified
» Seeing a demonstration of identifying users provides evidence that the practice is met
Inherited practicesA contractor can inherit practice or process objectives. A practice or process objective that is inherited is met because adequate evidence is provided that the enterprise or another entity, such as an External Service Provider (ESP), performs the practice or process objective.
For each practice or process objective that is inherited, the Certified Assessor includes statements that indicate how they were evaluated and from whom they are inherited.
If the contractor cannot demonstrate adequate evidence for all assessment objectives, through either contractor evidence or evidence of inheritance, the contractor will receive a NOT MET for the practice or process.
Assessment findings
The assessment of a CMMC practice or process results in one of three possible findings: MET, NOT MET or NOT APPLICABLE.
MET: The contractor successfully meets the practice or process. For each practice or process marked MET, the Certified Assessor includes statements that indicate the response conforms to the objectives and documents the appropriate evidence to support the response.
NOT MET: The contractor has not met the practice or process. For each practice or process marked NOT MET, the Certified Assessor includes statements that explain why and documents the appropriate evidence that the contractor does not conform to the objectives.
NOT APPLICABLE (N/A): The practice or process does not apply. For each practice or process marked N/A, the Certified Assessor includes a statement that explains why the practice or process does not apply to the contractor. For example, SC.1.176 might be N/A if there are no publicly accessible systems.
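To make the finding rules above concrete, the following is a small Python illustration added here (it is not from the guide, CMMC-AB or NIST) that scores one practice the way the text describes: each objective needs evidence from at least two of the three assessment actions, draft documents do not count, an objective can instead be inherited with documented evidence from the enterprise or an External Service Provider, and the practice is MET only when every objective is met. The practice and objective identifiers, evidence descriptions and the ESP name are constructed placeholders; only SC.1.176 and its N/A reason come from the page.

```python
"""Added illustration of the CMMC finding rules (not from the guide, CMMC-AB
or NIST). Practice/objective ids and evidence strings are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The three assessment actions a Certified Assessor can use per objective
ASSESSMENT_ACTIONS = {"interview", "examine", "test"}


@dataclass
class Evidence:
    action: str            # one of ASSESSMENT_ACTIONS
    description: str
    final: bool = True     # examined documents must be in final form (no drafts)


@dataclass
class Objective:
    obj_id: str
    evidence: List[Evidence] = field(default_factory=list)
    inherited_from: Optional[str] = None        # enterprise or ESP name
    inheritance_evidence: Optional[str] = None  # how the inheritance was evaluated


def objective_status(obj: Objective) -> Tuple[bool, str]:
    """Decide whether one assessment objective is met and say why."""
    if obj.inherited_from:
        # Inherited objectives are met only with evidence of who performs them
        if obj.inheritance_evidence:
            return True, f"inherited from {obj.inherited_from}: {obj.inheritance_evidence}"
        return False, f"inheritance from {obj.inherited_from} claimed without evidence"
    # Count distinct actions backed by eligible evidence; drafts are excluded
    actions = {e.action for e in obj.evidence
               if e.action in ASSESSMENT_ACTIONS and e.final}
    if len(actions) >= 2:
        return True, "evidence via " + ", ".join(sorted(actions))
    return False, f"only {len(actions)} of 3 assessment actions supported (need 2)"


def assess_practice(practice_id: str, objectives: List[Objective],
                    not_applicable_reason: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (finding, statements): MET, NOT MET or N/A plus the assessor's notes."""
    if not_applicable_reason:
        # N/A still requires a statement explaining why the practice does not apply
        return "N/A", [f"{practice_id}: N/A because {not_applicable_reason}"]
    statements, all_met = [], True
    for obj in objectives:
        met, why = objective_status(obj)
        all_met = all_met and met
        statements.append(f"{obj.obj_id}: {'met' if met else 'NOT met'} ({why})")
    return ("MET" if all_met else "NOT MET"), statements


# Constructed sample: one practice with three objectives (ids are placeholders)
SAMPLE_OBJECTIVES = [
    Objective("obj[a]", [Evidence("interview", "sysadmin explains account provisioning"),
                         Evidence("examine", "Access Control Policy v2.1 (final)")]),
    Objective("obj[b]", [Evidence("interview", "helpdesk explains role mapping"),
                         Evidence("examine", "role matrix", final=False)]),  # draft only
    Objective("obj[c]", inherited_from="ESP-EXAMPLE (managed service provider)",
              inheritance_evidence="service agreement and ESP audit report reviewed"),
]

if __name__ == "__main__":
    finding, statements = assess_practice("PRACTICE-EXAMPLE", SAMPLE_OBJECTIVES)
    print(finding)                      # NOT MET: obj[b] relies on a draft document
    for line in statements:
        print(" ", line)
    print(assess_practice("SC.1.176", [], "there are no publicly accessible systems")[0])
```

Replacing obj[b]'s draft with a demonstration (a "test" action) turns the finding into MET, which is the kind of gap a pre-assessment is meant to surface before the C3PAO visit.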
CMMC Level 1
Processes: Performed
Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic cyber hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).
Level 1 practices
Access control
» Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
» Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
» Verify and control/limit connections to and use of external information systems.
» Control information posted or processed on publicly accessible information systems.
Identification and authentication
» Identify information system users, processes acting on behalf of users or devices.
» Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
Media protection
» Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Physical protection
» Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.
» Escort visitors and monitor visitor activity.
» Maintain audit logs of physical access.
» Control and manage physical device access.
System and communications protection
» Monitor, control and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
» Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
System and information integrity
» Identify, report and correct information and information system flaws in a timely manner.
» Provide protection from malicious code at appropriate locations within organizational information systems.
» Update malicious code protection mechanisms when new releases are available.
» Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
CMMC Level 2
Processes: Documented
Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.
Practices: Intermediate cyber hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level represents a transitional stage, a subset of practices reference the protection of CUI.
Level 2 practices
Access control
» Provide privacy and security notices consistent with applicable CUI rules.
» Limit use of portable storage devices on external systems.
» Employ the principle of least privilege, including for specific security functions and privileged accounts.
» Use non-privileged accounts or roles when accessing nonsecurity functions.
» Limit unsuccessful logon attempts.
» Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
» Authorize wireless access prior to allowing such connections.
» Monitor and control remote access sessions.
» Route remote access via managed access control points.
» Control the flow of CUI in accordance with approved authorizations.
Audit and accountability
» Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
» Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.
» Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
» Review audit logs.
Awareness and training
» Ensure that managers, system administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.
» Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Configuration management
» Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
» Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
» Control and monitor user-installed software.
» Establish and enforce security configuration settings for information technology products employed in organizational systems.
» Track, review, approve or disapprove, and log changes to organizational systems.
» Analyze the security impact of changes prior to implementation.
Identification and authentication
» Enforce a minimum password complexity and change of characters when new passwords are created.
» Prohibit password reuse for a specified number of generations.
» Allow temporary password use for system logons with an immediate change to a permanent password.
» Store and transmit only cryptographically-protected passwords.
» Obscure feedback of authentication information.
Incident response
» Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities.
» Detect and report events.
» Analyze and triage events to support event resolution and incident declaration.
» Develop and implement responses to declared incidents according to pre-defined procedures.
» Perform root cause analysis on incidents to determine underlying causes.
Maintenance
» Perform maintenance on organizational systems.
» Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance.
» Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
» Supervise the maintenance activities of personnel without required access authorization.
Media protection
» Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
» Limit access to CUI on system media to authorized users.
» Control the use of removable media on system components.
Personnel security
» Screen individuals prior to authorizing access to organizational systems containing CUI.
» Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Physical protection
» Protect and monitor the physical facility and support infrastructure for organizational systems.
Recovery
» Regularly perform and test data back-ups.
» Protect the confidentiality of backup CUI at storage locations.
Risk management
» Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI.
» Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
» Remediate vulnerabilities in accordance with risk assessments.
Security assessment
» Develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
» Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
» Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
System and communications protection
» Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
» Use encrypted sessions for the management of network devices.
System and information integrity
» Monitor system security alerts and advisories and take action in response.
» Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
» Identify unauthorized use of organizational systems.
CMMC Level 3
Processes: Managed
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training and involvement of relevant stakeholders.
Practices: Good cyber hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. Note that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.
Level 3 practices
Access control
» Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
» Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
» Terminate (automatically) user sessions after a defined condition.
» Protect wireless access using authentication and encryption.
» Control connection of mobile devices.
» Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
» Authorize remote execution of privileged commands and remote access to security-relevant information.
» Encrypt CUI on mobile devices and mobile computing platforms.
Asset management
» Define procedures for the handling of CUI data.
Audit and accountability
» Review and update logged events.
» Alert in the event of an audit logging process failure.
» Collect audit information (e.g., logs) into one or more central repositories.
» Protect audit information and audit logging tools from unauthorized access, modification and deletion.
» Limit management of audit logging functionality to a subset of privileged users.
» Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.
» Provide audit record reduction and report generation to support on-demand analysis and reporting.
Awareness and training
» Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Configuration management
» Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems.
» Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
» Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Identification and authentication
» Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
» Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
» Prevent the reuse of identifiers for a defined period.
» Disable identifiers after a defined period of inactivity.
Incident response
» Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.
» Test the organizational incident response capability.
Maintenance
» Ensure equipment removed for off-site maintenance is sanitized of any CUI.
» Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Media protection
» Mark media with necessary CUI markings and distribution limitations.
» Prohibit the use of portable storage devices when such devices have no identifiable owner.
» Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
» Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Physical protection
» Enforce safeguarding measures for CUI at alternate work sites.
Recovery
» Regularly perform complete, comprehensive and resilient data back-ups as organizationally defined.
Risk management
» Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.
» Develop and implement risk mitigation plans.
» Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
Security assessment
» Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
» Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
Situational awareness
» Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
System and communications protection
» Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
» Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.
» Separate user functionality from system management functionality.
» Prevent unauthorized and unintended information transfer via shared system resources.
» Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
» Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
» Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
» Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
» Establish and manage cryptographic keys for cryptography employed in organizational systems.
» Control and monitor the use of mobile code.
» Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
» Protect the authenticity of communications sessions.
» Protect the confidentiality of CUI at rest.
» Implement Domain Name System (DNS) filtering services.
» Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
System and information integrity
» Employ spam protection mechanisms at information system access entry and exit points.
» Implement email forgery protections.
» Utilize sandboxing to detect or block potentially malicious email.
CMMC Level 4Processes: ReviewedLevel 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Practices: ProactiveLevel 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.
Level 4 practices
Access control
» Control information flows between security domains on connected systems.
» Periodically review and update CUI program access permissions.
» Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.

Asset management
» Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

Audit and accountability
» Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
» Review audit information for broad activity in addition to per-machine activity.
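The two audit and accountability practices above ask for automated log analysis against organizationally defined suspicious activity, and for review of activity across the estate rather than one machine at a time. The following added example (not from the CMMC document or from Infosec) shows what that looks like in code: it parses constructed SSH authentication lines, applies a per-host rule (a burst of failed logins, and a success that follows such a burst) and a cross-host rule (one source failing against many hosts, which a per-machine review would never see because each host records only a single failure). The log format, thresholds and host names are assumptions chosen for the example.

```python
"""Added example: automated review of authentication audit logs for
organizationally defined suspicious activity, correlated across hosts.
Log lines, hosts, addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records in a simplified syslog-like shape (not real captures).
SAMPLE_LOGS = """\
2021-06-01T08:00:01 host-a sshd: Failed password for alice from 203.0.113.10
2021-06-01T08:00:03 host-a sshd: Failed password for alice from 203.0.113.10
2021-06-01T08:00:05 host-a sshd: Failed password for alice from 203.0.113.10
2021-06-01T08:00:06 host-a sshd: Failed password for alice from 203.0.113.10
2021-06-01T08:00:09 host-a sshd: Failed password for alice from 203.0.113.10
2021-06-01T08:00:12 host-a sshd: Accepted password for alice from 203.0.113.10
2021-06-01T08:05:00 host-b sshd: Failed password for bob from 198.51.100.7
2021-06-01T08:05:10 host-c sshd: Failed password for bob from 198.51.100.7
2021-06-01T08:05:20 host-d sshd: Failed password for bob from 198.51.100.7
2021-06-01T08:05:30 host-e sshd: Failed password for bob from 198.51.100.7
2021-06-01T09:00:00 host-b sshd: Accepted publickey for carol from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped
    (a production collector should count and alert on unparseable input)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def analyze(events, fail_threshold=5, window=timedelta(seconds=60), spray_hosts=3):
    """Return a list of (rule, subject, detail) findings.

    Rule 1 (per host): fail_threshold failures from one source within `window`,
    and any success from that source while the burst is still in the window.
    Rule 2 (broad): one source with failures against spray_hosts or more hosts.
    """
    findings = []

    # Rule 1: sliding window of recent failures per (host, source) pair.
    recent_fails = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            recent_fails[key].append(ev["ts"])
            recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= window]
            if len(recent_fails[key]) == fail_threshold:  # fires as the count crosses the threshold
                findings.append(("login_burst", ev["host"], ev["src"]))
        else:
            if len(recent_fails[key]) >= fail_threshold:
                findings.append(("success_after_burst", ev["host"], ev["src"]))
            recent_fails[key].clear()

    # Rule 2: aggregate across hosts, the "broad activity" view.
    hosts_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            hosts_by_src[ev["src"]].add(ev["host"])
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= spray_hosts:
            findings.append(("multi_host_failures", src, len(hosts)))
    return findings


def run_sample():
    """Analyze the constructed sample; used for the stand-alone run below."""
    return analyze(parse(SAMPLE_LOGS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, rule 1 flags host-a for the burst from 203.0.113.10 and for the success that follows it; rule 2 flags 198.51.100.7 for failing against four hosts, although no single host saw more than one failure from it. Thresholds and the window are the "organizationally defined" part and should be tuned to the environment's baseline.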
Awareness and training
» Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
» Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.

Configuration management
» Employ application whitelisting and an application vetting process for systems identified by the organization.

Incident response
» Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution.
» Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

Risk management
» Catalog and periodically update threat profiles and adversary TTPs.
» Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
» Perform scans for unauthorized ports available across perimeter network boundaries over the organization's internet network boundaries and other organizationally defined boundaries.
» Develop and update as required a plan for managing supply chain risks associated with the IT supply chain.

Security assessment
» Create, maintain and leverage a security strategy and roadmap for organizational cybersecurity improvement.
» Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
» Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
Situational awareness
» Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track and disrupt threats that evade existing controls.
» Design network and system security capabilities to leverage, integrate and share indicators of compromise.

System and communications protection
» Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
» Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
» Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
» Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing internet network boundaries or other organizationally defined boundaries.
» Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.

System and information integrity
» Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
CMMC Level 5
Processes: Optimizing
Level 5 requires an organization to standardize and optimize process implementation across the organization.

Practices: Advanced / progressive
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
Level 5 practices
Access control
» Identify and mitigate risk associated with unidentified wireless access points connected to the network.

Audit and accountability
» Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
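The Level 5 audit practice above is a coverage check: every system the organization has defined as required to log must actually be heard from. The added example below (not from the CMMC document or from Infosec) compares a constructed inventory, with a per-system tolerance for silence, against a constructed "last event received" table of the kind a log collector exposes. It reports systems that have gone quiet, systems that have never reported, and, as a useful side effect, sources that send logs but are missing from the inventory. Host names, timestamps and tolerances are assumptions chosen for the example.

```python
"""Added example: find inventoried systems that have stopped reporting audit logs.
Inventory, last-seen data and tolerances are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed inventory: systems the organization requires to log, each with the
# longest silence it tolerates (servers log constantly; a laptop may be asleep).
INVENTORY = {
    "dc01": timedelta(minutes=15),
    "web01": timedelta(minutes=15),
    "db01": timedelta(minutes=15),
    "lt-042": timedelta(hours=24),
}

# Constructed "last event received" table as a log collector might report it.
LAST_SEEN_RAW = """\
dc01 2021-06-01T12:58:00
web01 2021-06-01T11:10:00
lt-042 2021-05-30T09:00:00
rogue-box 2021-06-01T12:59:00
"""


def parse_last_seen(text):
    """Map host name to the timestamp of its most recent event."""
    last_seen = {}
    for line in text.splitlines():
        host, ts = line.split()
        last_seen[host] = datetime.fromisoformat(ts)
    return last_seen


def audit_coverage(inventory, last_seen, now):
    """Return silent, never-reported and not-in-inventory hosts.

    silent:            inventoried hosts whose gap exceeds their tolerance,
                       as (host, gap) pairs in inventory order
    never_reported:    inventoried hosts with no event at all
    not_in_inventory:  sources that log but are not in the inventory
    """
    silent, never, unknown = [], [], []
    for host, max_gap in inventory.items():
        ts = last_seen.get(host)
        if ts is None:
            never.append(host)
        elif now - ts > max_gap:
            silent.append((host, now - ts))
    for host in last_seen:
        if host not in inventory:
            unknown.append(host)
    return {
        "silent": silent,
        "never_reported": sorted(never),
        "not_in_inventory": sorted(unknown),
    }


def run_sample():
    """Evaluate the constructed data at a fixed reference time."""
    now = datetime.fromisoformat("2021-06-01T13:00:00")
    return audit_coverage(INVENTORY, parse_last_seen(LAST_SEEN_RAW), now)


if __name__ == "__main__":
    report = run_sample()
    for host, gap in report["silent"]:
        print(f"SILENT  {host}: last event {gap} ago")
    for host in report["never_reported"]:
        print(f"NEVER   {host}")
    for host in report["not_in_inventory"]:
        print(f"UNKNOWN {host}: reporting but not in inventory")
```

With the reference time of 13:00, dc01 is within tolerance, web01 has been silent for 1 hour 50 minutes against a 15-minute limit, lt-042 has been silent for over two days against a 24-hour limit, db01 has never reported, and rogue-box reports without being inventoried. Running this on a schedule and alerting on the first two categories is the mechanism behind "assure appropriate ... systems are logging"; the third category feeds back into asset management.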
Configuration management
» Verify the integrity and correctness of security-critical or essential software as defined by the organization (e.g., roots of trust, formal verification or cryptographic signatures).

Incident response
» In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
» Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
» Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.
» Perform unannounced operational exercises to demonstrate technical and procedural responses.

Recovery
» Ensure information processing facilities meet organizationally defined information security continuity, redundancy and availability requirements.

Risk management
» Utilize an exception process for non-whitelisted software that includes mitigation techniques.
» Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.

System and communications protection
» Configure monitoring systems to record packets passing through the organization's internet network boundaries and other organizationally defined boundaries.
» Enforce port and protocol compliance.
» Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.

System and information integrity
» Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
» Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
About Infosec
At Infosec, we believe knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with certifications and skills training. We also empower all employees with security awareness training to stay cybersafe at work and home. Driven by smart people wanting to do good, Infosec educates entire organizations to defend themselves from cybercrime. It's what we do every day — equipping everyone with the latest security skills and confidence to be safe online.
Learn more at infosecinstitute.com.

Additional resources
Infosec CMMC training resources
» CMMC resource hub
» Certified CMMC Professional (CCP) Boot Camp
» Certified CMMC Assessor Level 1 (CCA-1) Boot Camp

Other useful resources
» Cybersecurity Maturity Model Certification
» Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
©2021 Infosec, Inc. All rights reserved.