Additional Practices in CMMC Beyond NIST SP 800-171

Supply chain assaults are expanding at an alarming rate, which has severe ramifications for the Department of Defense. Defense contractors are expected to comply with new security measures described in the Cybersecurity Maturity Model Certification since November of last year. While NIST Special Publication 800-171 is the primary repository of security practices in the CMMC cybersecurity, the CMMC also contains 20 additional practices at levels 1-3. These 20 practices are meant to raise the security awareness of DoD contractors. 

Tailoring NIST for a Well-Rounded Security Program

NIST SP 800-171 divides security needs into two categories: fundamental and derived. NIST began with controls from the 800-53 moderate baseline and then customized them into three categories:

Uniquely federal (i.e., mainly under the control of the federal government) (FED)

Not directly connected to preserving CUI secrecy (NCO)

Nonfederal entities are expected to meet these requirements without more detail (NFO)

The DoD desired a model that would influence organizational behavior to be more security conscious and maintain the confidentiality of CUI data. The CMMC achieves these goals by adding 20 practices to those listed in NIST SP800-171 to guarantee that an organization implements a well-rounded security program and institutionalizes these practices through process maturity implementation.

DoD added these 20 practices to 9 of the 17 CMMC domains at levels 2-3. Seven of these practices were elevated to CMMC Level 2 and thirteen to Level 3.

These techniques can be classified into three types. Let’s take a deeper look at each of these practices, first by level and then by domain.

Fundamental principles that help DIB firms advance their cybersecurity initiatives. The first category includes core practices that were incorporated into the model to help DIB organizations enhance their cybersecurity capabilities. These are basic, no-cost procedures that serve as stepping stones for technological advancement inside the model.

AU.2.044—Check audit logs.
Several practices in 800-171 relate to audit log collection, but none expressly mandate audit log review, which is a core practice for auditing and transparency.

IR.2.093—Detection and reporting of cyber security occurrences.
Although 800-171 standards focus on developing an incident management mechanism, it does not directly address the process of detecting and reporting occurrences. Any observable occurrence in a network is referred to as an event. Because incidents usually begin with one or more activities, recognizing and reporting events is critical to incident response capabilities.

AM.3.036—Develop processes for dealing with CUI data.
The CMMC compliance is fundamentally concerned with data security. The National Institute of Standards and Technology (NIST) 800-171 provides specific CUI protection criteria; however, they are frequently indirect. The Media Protection domain provides certain data handling features; however, they are not expressive enough. This practice was introduced to the model to guarantee that processes for managing sensitive information are in place. Other practices, such as those in the realm of Media Protection, may be referred to in these procedures.

IR.2.096 – Prepare and carry out reactions to stated occurrences under pre-defined processes.
When reacting to events, the rate at which the response is implemented can significantly influence the incident’s containment. Pre-defined processes for more typical occurrences can assist save time and aid in reaction and closure efforts.…

Continue Reading