How to Implement Controls and Manage Compliance

By Brett Powers • September 1, 2021

As a defense contractor, you are eager to get your company compliant with the Cybersecurity Maturity Model Certification (CMMC). You’ve assessed your organization for CMMC readiness, documented your system security plan (SSP), formulated your plans of actions and milestones (POAMs)–and now it’s time to get it all done and implement any outstanding controls. How do you start? And what should you know before you dive in?

Where to start in securing your environment

If you are at the implementation stage, then you know there are 130 controls required to protect controlled unclassified information (CUI). Addressing all of these security measures can seem like a daunting task, as your organization must meet all 130 controls to be CMMC compliant. Let’s discuss the controls by general category.

 

Security Monitoring Controls

Security Information and Event Management (SIEM)

Regular review of logs is a key part of not only CMMC and NIST SP 800-171, as well as a general best practice. However, aggregating and reviewing the massive volume of logs is not practical to accomplish with manual processes.

Recommended tools: Microsoft Sentinel or Splunk

These tools can take in large amounts of data, and correlate that data–and then based on analytic alerts enabled inside of that SIEM environment, it will escalate events of interest to you. This allows you and your analysts to narrow your focus down in determining if there really is an incident in your environment.

 

Vulnerability Scanning

Vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are often utilized by threat actors to exploit systems, leading to ransomware and data theft.

Recommended tools: Tenable and Qualys

These solutions are run in client environments to determine what vulnerabilities exist, and what patches are needed in the environment.

 

IT Infrastructure Controls

IT Infrastructure refers to all of your company’s hardware and software, both on-premise and in the cloud. Many companies struggle implementing controls in environments where CUI is stored on-premise and they have older unsupported hardware and software which puts CUI at risk.

The shadow IT, meaning the different individuals inside organizations spinning up servers in AWS or Azure or Google cloud, on top of what is happening in your environment, may need to be addressed under CMMC as well, if they handle CUI.

 

Policy and Administrative Controls

One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. A POAM and SSP are both great tools to help you get there. Having documents including policies, plans, and standards explaining what the control is and how the company achieves each control is important.

Make sure you are capturing what technology you’re putting in place and the processes of implementing and managing that technology. Also create documentation about how to perform a specific function in the environment, including an incident response, vulnerability management, and risk management plans. Be mindful that these plans need to be understood, actively used, and approved across the organization.

 

Enclave Strategy

As your organization works to implement these controls, it might make sense to consider strategies to help you gain compliance, like creating an enclave. This is a way for companies to secure CUI without re-architecting their entire environment.

By embracing cloud infrastructure, companies can quickly stand up and secure CUI through several methods.

  • External CUI Communication – There may be times where you’re working with a partner on CUI. You may not want them to have access to your environment, and you may want to have a very secure enclave with controls, so that it is very clear who is accessing that documentation. In this scenario, set up a host in a SharePoint environment in a GCC environment.
  • Hybrid Cloud – This is where you’re allowing for segmented data that utilizes your existing Active Directory authentication structure, but also has an area inside the cloud that allows for segmentation and data storage. You have controls around that data to secure it, and individuals who don’t have clearance internally cannot get to access that data.
  • Private Cloud – This approach has an entirely separate cloud infrastructure for hosting CUI, including controls around servers and desktops, encompassing everything that resides in the cloud tenant. This strategy reduces the control burden on users who don’t need access to CUI. This is a great option to ensure that CUI data is protected.

 

Helpful Resources

Securing your infrastructure can be an intensive process as every environment is different. Microsoft has released a great tool mapping their products to CMMC, so you can easily visualize what tools will help you meet CMMC Level 3 compliance. 

Download Microsoft mapping tool 

 

No matter what stage your organization is at in working to gain CMMC compliance, the team at CyberSheath can help. From assessments and creation of SSP and POAMs to remediation and compliance management–we have the knowledge, skills, and experience to help your organization get it done. Contact us today.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO

CMMC CON 2022 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.