Cybersecurity Maturity Model Certification (CMMC)
Disclaimer: Organizations are not required as a matter of law to comply with this document, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence.
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) developed the Cybersecurity Maturity Model Certification (CMMC) to assess and certify the maturity of a company’s cybersecurity practices and processes. The objective and mandate of the CMMC is that Department of Defense (DoD) contractors obtain third-party certification, ensuring that appropriate cybersecurity practices are in place to meet “basic cyber hygiene” and to protect controlled unclassified information (CUI) residing on partner systems. These cybersecurity practices and CUI protections already exist in regulations such as the Defense Federal Acquisition Regulation Supplement (DFARS) and in NIST publications; however, those standards do not stipulate a third-party assessment to validate cybersecurity effectiveness and maturity, nor do they provide certification. The CMMC has gone through multiple phases of public comment and is currently in what the OUSD (A&S) calls CMMC 2.0.
CMMC builds upon established NIST special publications and DFARS regulations and comprises 14 capability domains that include 110+ practices or controls. The 14 capability domains are listed below.
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Organizations seeking CMMC compliance and certification will target one of three levels, each of which measures technical control capacity in a different way. The lowest level of the certification (Level 1) requires entities to adhere to a subset of the 110+ controls, as prescribed by the OUSD (A&S). The certification model and levels are briefly summarized below.
Each certification level requires additional control practices. For example, Level 2 practices are aligned with NIST SP 800-171, so an entity seeking Level 2 certification must demonstrate both the Level 1 and the Level 2 practices during its third-party assessment. The DoD will determine which CMMC level is appropriate for a particular contract and state that level in Sections L and M of the corresponding request for proposal (RFP). The DoD will use the assessment as a “go/no go” evaluative determination. The level of certification required in each contract will depend on the amount of CUI and FCI a company will handle or process. Depending on the level of certification, a self-assessment, an independent third-party assessment organization (C3PAO), or a government-led assessment team will evaluate the customer's environment for certification. A company specifies the certification level it is requesting and is certified at that CMMC level upon demonstrating the appropriate control practices. If an organization does not meet its targeted level, it is certified at the highest level for which it has achieved all applicable practices.
All contractors within the Defense Industrial Base (DIB) are required to comply with some level of CMMC, depending on the extent to which their unclassified networks handle, process, and/or store federal contract information (FCI) or CUI, and as stipulated by their specific contract. Companies that solely produce Commercial-Off-The-Shelf (COTS) products are not required to obtain a certification. For more detailed information on the CMMC, see the OUSD (A&S) website, which provides the most current version of the CMMC regulation (2.0) and offers an overview with background on the CMMC and details on the practices for each certification level.
The LogRhythm platform enables your organization to meet many CMMC practices by collecting, managing, and analyzing log data. LogRhythm AI Engine (AIE) rules, alarms, reports, investigations, and general SIEM functionality also help your organization satisfy certain control practices outlined by the CMMC.
LogRhythm understands that organizations may be at different points of compliance maturity, so the CMMC module gives organizations the flexibility to realize value at any point along that maturity scale. The CMMC module is focused on the control requirements traditionally used for best practice purposes. LogRhythm supports some CMMC recommendations and decreases the cost of meeting others through pre-built content and functionality. Using advanced LogRhythm functionality such as NetMon, TrueIdentity, SysMon, Threat Research content, and Case Management may enhance pre-built content to better support an organization's compliance efforts.
IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly, and the task of organizing this information can be overwhelming. Additional recommendations to analyze and report on log data render manual processes and homegrown remedies inadequate and cost-prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm’s alerting capabilities automatically identify the most critical issues and notify the relevant personnel. The CMMC module and its associated reporting package work out of the box, with some customization available. Using the CMMC module assists in building and maintaining a sound compliance program.