As the threat landscape evolves, attackers are setting their sights on organizations that work closely with critical national infrastructure and governmental agencies. With over 300,000 companies supplying the U.S. Department of Defense (DoD), any breach could pose a significant threat to national security. Organizations – especially those involved in this sprawling supply chain – need to know exactly who is accessing and sharing confidential data while balancing availability with security.
To answer these security challenges, the U.S. DoD created the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the security posture of contractors and federal agencies. In this article, you will learn about the CMMC framework and how Silverfort can help organizations align with its identity security requirements. We will focus on the CMMC 1.0 model since the CMMC 2.0 framework is expected to be released to the public by the end of 2024.
What is the CMMC Framework?
The CMMC framework was created by the U.S. DoD in 2020 and is based on the industry leading standards established by the National Institute of Standards and Technology (NIST). It was established to protect two key types of unclassified information disseminating throughout the Defense Industrial Base (DIB) and DoD supply chain:
- Federal Contract Information (FCI):
“Information provided by or generated for the government under contract not intended for public release”, as defined by the DoD.
- Controlled Unclassified Information (CUI):
“Information that requires security of dissemination controls pursuant to and consistent with laws, regulation and government-wide policies”, as defined by the DoD.
The CMMC framework consists of 5 certification levels that contractors within DIB sectors need to comply with for gaining bids on the next contracts:
Level 1: Basic Cyber Hygiene
This level focuses on implementing fundamental practices with 17 security controls, including basic security measures such as regular password updates, the use of antimalware solutions and safe browsing habits. The goal is to ensure companies put in place essential security controls to protect FCI from common threats.
Level 2: Intermediate Cyber Hygiene
As a transitional stage, this level introduces more advance cybersecurity practices with 110 controls derived from NIST SP 800-171. It covers security aspects such as access control, incident response and risk management. The goal is to start protecting CUI and to build a stronger security foundation for achieving higher levels of compliance.
Level 3: Good Cyber Hygiene
At this stage, organizations must implement a mature set of cybersecurity practices, comprising 130 controls that are designed to manage and mitigate higher risks related to CUI. The goal is to establish consistent, repeatable security processes to ensure effective security of CUI across all environments.
Level 4: Proactive Cyber Hygiene
With 156 security controls, this level emphasizes proactive cybersecurity measures, including the ability to detect and respond to sophisticated identity-related attacks like lateral movement and ransomware. The goal is to ensure continuous improvement in cybersecurity practices, enabling organizations to adapt to more evolving threats and maintain robust CUI security controls.
Level 5: Advanced/Progressive Cyber Hygiene
The highest level consists of 171 controls and focuses on the continuous optimization of cybersecurity practices, constant monitoring, and real-time threat mitigation. The goal is to provide top security level for sensitive information, ensuring organizations are fully equipped to prevent, detect and respond to APTs and other sophisticated threats.
Let’s focus on the identity security aspects of the CMMC framework.
The Identity Security Aspects of CMMC
With the frequency and complexity increase of cyberattacks targeting DIB contractors, securing access to sensitive data has never been more crucial for national security. One of the key elements of the CMMC framework is controlling access to classified systems and information by applying robust security controls. This includes implementing Multi-Factor Authentication (MFA), enforcing least privilege principles, and regularly monitoring user activities to prevent unauthorized access.
Effective identity security measures help organizations meet CMMC requirements, ultimately protecting their environments against insider threats and external cyberattacks. To address the importance of identity security, the CMMC framework provides the following guidelines to organizations:
Access Control (AC)
Organizations must establish security policies that limit access to all systems and resources to only authorized users, devices, and processes based on their roles:
- Organizations should define and manage security policies for user access permissions and authorizations following the least privilege.
- Organizations should manage all remote access authentications by routing them through secure access control points.
- Organizations should enforce user session controls, including session terminations and prevention of unauthorized execution of privileged functions.
Audit and Accountability (AU)
Organizations must ensure that all user actions on information systems are traceable and auditable to maintain accountability:
- Organizations should enable system audit logging with log protection from unauthorized system access and modifications to ensure user actions are traceable.
- Organizations should review and analyze audit logs regularly and automate alerts for suspicious or unauthorized activities.
- Organizations should limit audit logging management to privileged users and ensure logs are reviewed and updated systematically for accurate monitoring.
Identity and Authentication (IA)
Organizations must identify and authenticate users, devices, and processes to ensure only verified identities can access sensitive systems:
- Organizations should verify all types of users, including human, machine-to-machine, and non-human identities, to grant access to systems only to authorized users.
- Organizations should enable multi-factor authentication for privileged accounts and non-privileged network access.
- Organizations use replay-resistant authentication mechanisms to safeguard both privileged and non-privileged accounts from unauthorized access.
Incident Response (IR)
To cover the full incident lifecycle, including preparation, detection, analysis, and recovery, organizations must establish a robust incident-handling process:
- Organizations should perform root cause analysis and use forensic data to investigate incidents while protecting the integrity of that data.
- Organizations should combine manual and automated responses to quickly address and mitigate anomalous activities matching incident patterns.
System and Configuration Protection (SC)
Organizations must protect the integrity and authenticity of communication sessions and ensure that system management functions are isolated from user functions:
- Organizations should monitor and control network traffic by enforcing deny policies and protecting communication authenticity.
Organizations should apply boundary protections and enforce compliance with network protocols and port usage to secure system communications.
Become CMMC Compliant with Silverfort
1. Access Control (AC)
Silverfort enables administrators to assign access control policies to each user, defining which resources, devices, or services the user can access. These policies can be enforced in real time based on specific user roles, including privileged accounts, risk scenarios, and organizational security policies.
Silverfort’s access control policies can be applied to every authentication within the organizational environment. By enforcing pre-defined policies, alerting, MFA, or blocking access can be enabled to protect insecure authentication to critical resources.
2. Audit and Accountability (AU)
With Silverfort you can gain visibility into all authentication and access activities logs across all environments. With integrations with SIEM tools, Silverfort provides continuous monitoring and reviewing of all logged events, ensuring logs are regularly analyzed for anomalies or security incidents.
Silverfort enables administrators to customize and update the audit log policies, ensuring new types of events or threats are captured and the audit logs are in line with evolving security requirements.
3. Identity and Authentication (IA)
Silverfort authenticates every user’s identity by enforcing strong MFA across all systems, even those that don’t natively support modern authentication protocols. This ensures every user must verify their identity before accessing resources. By enforcing MFA and logging all user activities across all environments, Silverfort ensures no access is granted based on passwords alone, and users are required to authenticate through MFA to verify that they are who they claim to be.
Also, Silverfort provides an in-depth identity inventory that displays types of users and resources in the organization’s environment. This enables organizations to quickly detect and respond to malicious activities, including blocking access of any accounts that display anomalous behavior.
4. Incident Response (IR)
Silverfort assists with incident analysis by providing detailed logs of all authentication and access activities. This allows security teams to understand what occurred during an incident and determine the root cause. Using comprehensive data on user access requests and behaviors, Silverfort facilitates a comprehensive investigation and understanding of the events leading up to and during a security incident.
Silverfort’s real-time monitoring capabilities enable it to detect anomalies and suspicious activities, providing insights into the course of an incident. As a result of this detailed analysis, it is possible to pinpoint the exact nature and origin of the problem, thereby facilitating effective remediation and strengthening security overall.
5. System and Configuration Protection (SC)
Silverfort monitors every access event, including access to the external and internal boundaries of the information systems. It provides visibility to these access events and allows the configuration of policies to control and protect these communications with advanced access controls and secure authentication.
Want to learn more about how Silverfort can help you address the identity security aspects of the CMMC Framework? Download the whitepaper or schedule a call with one of our experts.