by Cody Dumont
October 14, 2020
The Cybersecurity Maturity Model Certification (CMMC) was developed to create a framework for assessing an organization's implementation of cybersecurity practices evenly across the defense industrial base. Using NIST 800-53 and NIST 800-171 as the baseline, the primary objective of CMMC is to consolidate the two security catalogs into a single measurable framework. Over the next 5 years, starting in June 2020, organizations that create Government off-the-shelf (GOTS) products, handle Federal Contract Information (FCI), or handle Controlled Unclassified Information (CUI) will need to show compliance at 1 of the 5 levels. Only Cyber 3rd Party Accreditation Organizations (C3PAO) will be able to certify whether an organization is compliant. Tenable.sc provides on-prem solutions for assessing Cyber Exposure practices and maps these practices to known assessment regulations such as NIST, CSF, and others. This report provides the operations teams with the detailed information needed to assess the current state of the network.
The first step in achieving any level of compliance with CMMC begins with an understanding of the current environment. The CISO must be able to understand the current state of patch management, system hardening, and the different methods of system classification. This report focuses on a few key domains in CMMC: Risk Management (RM), Security Assessment (CA), Media Protection (MP), and Configuration Management (CM). Each of these domains is a starting point into other domains; for example, the CM domain is a requirement before assessments into Identification & Authentication (IA) and System & Information Integrity (SI). The CM domain is the basis for hardening standards such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) or the Center for Internet Security (CIS) Benchmarks. Both sets of hardening guidelines are auditable using the Tenable Audit files, and they provide the foundation for good system configuration and hardening. Once these standards are widely deployed in the network, the risk managers can begin to evaluate other CMMC domains such as the aforementioned IA or SI. For example, the IA domain requires organizations to "Enforce a minimum password complexity and change of characters when new passwords are created," while CM requires organizations to "establish and enforce security configuration settings for information technology products employed in organizational systems." These two controls work together and provide the CISO with the tools needed to measure and discuss the current status of risk with other contributors.
This report starts by providing an executive summary of the vulnerability and compliance status using Tenable.sc. Each subsequent chapter then breaks out into more operational details, allowing the CISO, risk managers, and IT managers to clearly develop a plan of action and work toward achieving different maturity levels. A key aspect of mitigating risk is understanding the current likelihood of a vulnerability being exploited by adversaries. Tenable created the Vulnerability Priority Rating (VPR) to add current threat intelligence to the risk analysis process. At the heart of VPR is a series of machine learning models working together to forecast threats. Specifically, the threat forecast seeks to answer the question: What is the appropriate level of near-term threat for a vulnerability based on the latest available data?
The CISO and IT managers also work together to establish the hardening standards that are appropriate for the organization. These configuration settings will most likely differ for each organization, and Tenable provides audit files for a majority of the CIS Benchmarks and DISA STIGs. In both cases Tenable.sc uses a field called Cross Reference to connect NIST 800-53, NIST 800-171, and other standards such as the Cybersecurity Framework. CMMC cross-links all of these widely accepted standards and provides organizations with a well-established baseline from which to begin reducing risk. As higher CMMC maturity levels are achieved, security practices become more mature. This report pulls this configuration data together in a detailed view to aid in compliance planning.
The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance and Configuration Assessment. The report requirements are:
- Tenable.sc 5.14.1
- Nessus 8.10.1
- Tenable Audit Files
Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously assess the implementation of cybersecurity practices and institutionalization of cybersecurity processes. Regardless of the maturity model the organization is measuring against, Tenable.sc provides the essential information to report accurate and reliable metrics.
This report contains:
Executive Summary: The Executive Summary chapter summarizes the operational status of the organization's efforts to achieve CMMC compliance. The chapter provides a trend comparison of the compliance checks, and of current vulnerabilities compared to resurfaced vulnerabilities. In addition, there are matrices that provide summary counts of current vulnerabilities, mitigated vulnerabilities, configuration checks, and vulnerability detection methods.
Risk Management: This chapter provides the operations team with detailed information about the most critical risks identified on the network. Tenable.sc tracks the lifetime of a vulnerability, recording when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This chapter provides details that support vulnerability management service level agreements and the tracking of mitigation efforts, and it focuses attention on the most vulnerable hosts.
Anti-Virus Vulnerability Details: CMMC requires organizations to maintain anti-virus and anti-malware solutions. This chapter provides a summary view of how the organization is progressing with managing the anti-virus and anti-malware solutions.
Configuration Compliance Details: CMMC relies heavily on several audit standards such as NIST 800-53, NIST 800-171, and CSF. This chapter provides several different views into the compliance configuration checks, broken out by asset classification.
Systems By Detection Method: Tracking system detection methods is helpful for understanding where assets are located and how other systems may interact with them. This chapter breaks out systems by detection method and sensor type. Focusing on active and passive detections, the chapter then highlights the direction in which communications are observed.