CMMC is an acronym for the “Cybersecurity Maturity Model Certification”. As our past articles and whitepapers have covered extensively, it is essentially the scheme under which the Defense Industrial Base and its subcontractors must achieve a certain level of certification before they are allowed to bid on contracts. We are now at the third possible iteration of it, the Early Draft “CMMC 2.1”. In this article we examine in more detail some of the changes proposed in this newer version; most of them apply to Level 3. NOTE: This is an early draft; once the final documents are released, the changes in those documents will become the CMMC 2.1 standard.
What Is New In The Early Draft CMMC 2.1?
Here are some of the changes proposed to supersede CMMC 2.0. Note that these affect specific Maturity Levels and Domains:
- Access Control (AC):
There are two proposed updates:
- AC.L3-3.1.21: This states that stronger encryption must be used when managing network devices. Not only must the data itself be encrypted, but all communications (whether hard-wired or wireless) must be encrypted too. No plaintext messages may be sent under any circumstances.
- AC.L3-3.1.22: Tighter controls must be put in place for accessing CUI and FCI datasets over remote protocols (such as RDP).
NOTE: This directly impacts Maturity Level 3.
- Audit and Accountability (AU):
The changes proposed to this Domain reflect the updates made to NIST Special Publication 800-171. That document forms the backbone of every iteration of the CMMC, from Version 1 to Version 2 to the anticipated Version 2.1. The changes include the following:
- AU.L2-3.2.5: This mandates that any auditing tools used by any entity must be protected as much as possible against unauthorized access, deletion, and modification.
- AU.L3-3.2.9: Any audited events must get more careful scrutiny.
NOTE: This directly impacts Maturity Levels 2 and 3.
- Awareness and Training (AT):
The proposed change here is the following:
- AT.L3-3.3.6: The goal is to provide further security training on insider threats: how to make all employees aware of them, and which channels to use when reporting a possible breach.
- Configuration Management (CM):
The proposed update is the following:
- CM.L3-3.4.9: This deals primarily with threat hunting, especially for threats already lurking inside the IT and network infrastructure. It goes one step further by requiring tools that improve their detection, which in turn shortens the time to mitigation.
NOTE: This directly impacts Maturity Level 3.
- Identification and Authentication (IA):
The proposed changes here are:
- IA.L3-3.5.11: This mandates the use of MFA for employee accounts that are deemed non-privileged. It is designed to raise the overall security of the cyber environment.
NOTE: This directly impacts Maturity Level 3.
- Incident Response (IR):
The proposed updates here include:
- IR.L3-3.6.9: This mandates the creation of a dedicated cyber incident response team. The goal is not just to respond, but also to take on other functions such as investigation, forensic examination, and the ability to enhance existing controls or put new ones in place to prevent future security breaches.
- IR.L3-3.6.10: The Incident Response Plan must be tested on a regular basis, and updated accordingly.
NOTE: This directly impacts Maturity Level 3.
- Maintenance (MA):
The projected change here is:
- MA.L3-3.7.5: This requires that all devices and storage media be purged of all data before they are destroyed or reused. Proper procedures must be followed to ensure the total eradication of information and data.
NOTE: This directly impacts Maturity Level 3.
- Media Protection (MP):
The suggested update here is:
- MP.L3-3.8.8: This requires that any and all devices that specifically contain CUI data must have tight access controls associated with them, in an effort to prevent data leakage, whether intentional or not.
NOTE: This directly impacts Maturity Level 3.
- Personnel Security (PS):
The recommended enhancement here is:
- PS.L3-3.9.4: This strictly mandates and enforces that only fully authenticated employees may enter the premises of a Defense Contractor or its Subcontractors.
NOTE: This directly impacts Maturity Level 3.
- Physical Protection (PE):
The planned change here is the following:
- PE.L3-3.10.5: This requires that all wireless devices carry the highest levels of protection. This includes wireless access points, laptops, tablets, mobile phones, and other mobile devices.
NOTE: This directly impacts Maturity Level 3.
- Recovery (RE):
There are two proposed enhancements here:
- RE.L3-3.11.4: This requires that incremental backups be made of all CUI, FCI, and other related datasets on a regular basis.
- RE.L3-3.11.5: This requires that full backups must be made of all CUI, FCI, and other related datasets on a regular basis.
NOTE: This directly impacts Maturity Level 3.
- Risk Management (RM):
There are two recommended updates here:
- RM.L3-3.12.7: This requires that risk assessments be conducted on a regular basis using an appropriate framework or methodology, in order to properly determine the risk tolerance and deploy the appropriate controls.
- RM.L3-3.12.8: This stipulates that when the risk assessment has been conducted, the appropriate plan must be enforced to mitigate the calculated risk as much as possible.
NOTE: This directly impacts Maturity Level 3.
- Security Assessment (CA):
There are two proposed requirements:
- CA.L3-3.13.5: This stipulates the use of proper tools to continuously monitor any vulnerabilities that may exist in the IT and Network Infrastructures. This includes such items as Penetration Testing and Vulnerability Scanning.
- CA.L3-3.13.6: This enforces the above, in that any vulnerabilities found must be remediated quickly.
NOTE: This directly impacts Maturity Level 3.
- Situational Awareness (SA):
There are two updates, which are as follows:
- SA.L3-3.14.1: This requires that appropriate threat-intelligence feeds be used to collect intelligence about cyber threats and their variants.
- SA.L3-3.14.2: This stipulates that any intel received must be shared with the appropriate stakeholders.
NOTE: This directly impacts Maturity Level 3.
- System and Communications Protection (SC):
This has four proposed updates:
- SC.L3-3.15.9: This requires that the highest levels of encryption must be used when it comes to the management of network devices and other peripherals.
- SC.L3-3.15.10: By default, all network traffic must be denied; only approved data packets may proceed to their destinations.
- SC.L3-3.15.11: This prohibits establishing simultaneous network connections and accessing resources in the external environment, unless such access has been approved.
- SC.L3-3.15.12: The principles of Cryptography must be used when it comes to protecting the CUI datasets.
Conclusions
It is important to note that these updates and changes are still tentative; nothing has been approved yet. This is an exhaustive list, and if you have any questions or concerns, please contact us.