What Level of CMMC Requires Security Information and Event Management (SIEM)?

By Casey Lang • March 30, 2021

As your organization works to determine the meaning and application of the various levels of the newly enacted Cybersecurity Maturity Model Certification (CMMC), questions arise. One particular issue surrounds the issue of SIEM as it pertains to the first level of CMMC. The short answer to whether it is required or not is: it’s complicated.

A Closer Look at Level 1 SIEM Requirements

The key word in the assessment guide and in the CMMC practice for Systems and Communication Protection (SC) found at SC.1.175 is ‘Monitor.’ This practice requirement is heavily focused on perimeter and boundary defense, meaning that your cyber boundaries must be controlled, protected, and monitored.

What it means to your company – Chances are, you already have a firewall. Consequently, the most common compliance issue the CyberSheath team sees with this particular requirement is a lack of proactive monitoring. In CMMC level 1, you only need to address the one SC requirement–boundary protection and control services, such as firewall, intrusion detection system (IDS), intrusion prevention system (IPS), and web proxy if it exists.

How CyberSheath can help – At CyberSheath, we monitor your IT infrastructure with Azure Sentinel. Level 1 monitoring is cost-effective as there is less activity required, with less log integration, less log consumption, and less Azure Sentinel cost.

For Level 1, the monitoring cost is mostly based on storage, and excludes licensing, deployment, and management of Microsoft Defender or the Log Analytics Agent, since only the boundary and perimeter devices need to be monitored. Also, typically Level 1 does include government community cloud (GCC) requirements, as there is no controlled unclassified information (CUI) to contend with, only federal contact information (FCI). The result is commercial Microsoft services are appropriate for the SIEM requirements of Level 1.

Requirements Shift as You Advance to Level 3

As your organization moves to higher levels of CMMC, more controls need to be enacted around monitoring users including detecting unauthorized use of accounts, responding to support incidents, tracking log correlation requirements, and more.

At Level 3, your organization needs the right log sources to support the investigative process, such as endpoint protection, perimeter monitoring, authentication logs, and other security tools. As you can see, the resources needed to achieve Level 3 are more advanced, and also carry higher Azure Sentinel data costs.

Another Consideration for SIEM Requirements

The System and Information Integrity control family requires the ability to detect malware, and update signatures, at appropriate locations. The assessment guide specifies items like the ability to detect malware on the network (IDS/IPS) and on endpoints (Anti-Virus/endpoint detection and response (EDR)).

If your company wants to use basic, built-in Windows Defender, this can meet a Level 1 requirement. However, if your organization wants to license Microsoft Endpoint Defender to solve for this, you have the opportunity to easily integrate with Sentinel for monitoring on Commercial licensing at a fairly low cost. While not a necessity for CMMC level 1, this solution is good to have and also better prepares you should you seek CMMC Level 3 in the future.

Need Help?

As your organization moves to become compliant with any level of CMMC, challenges can arise.  Join Eric Noonan and Carl Herberger, VP of Security Services, on Wednesday, April 21st, 2021 at 9:00am (PST) | 12:00pm (EST), for “CMMC – How It Started. How It’s Going,” when they will talk through five common pain points experienced by organizations tackling DoD regulations.

No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or writing you SSP – this webinar will accelerate your journey. Register Now.

 

Webinar CMMC - How It Started. How It's Going.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC - How It Started. How It's Going. Join Us for a Live Webinar April 21, 2021 at 12:00 pm EST.