Last Updated on October 21, 2020
Complying with the US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) means passing a certification audit. For many SMBs in the US Defense Industrial Base (DIB), especially those that will handle Controlled Unclassified Information (CUI), getting audit-ready will take significant effort.
To help SMB defense contractors move towards a CMMC Level 3 certification, Pivot Point Security’s CISO and Managing Partner, John Verry, recorded a “special edition” of The Virtual CISO Podcast on the six biggest issues for many SMBs seeking CMMC Level 3 compliance—including practical ways to address them.
This blog post covers logging and alerting issues. Our blog also features posts on each of the key challenges for CMMC Level 3/NIST 800-171 compliance:
- Mobile Device Management
- Multifactor Authentication
- End-to-End Encryption
- Email Spam Protection and Sandboxing
- Logging and Alerting
How to Beat CMMC Level 3’s Logging and Alerting Requirements
At CMMC Level 3 you need to comprehensively capture, review and alert on audit logs. Within the CMMC’s Audit and Accountability (AU) domain there are about 14 explicit references to logging and alerting across its practices (e.g., AU.2.042, AU.2.044, AU.3.045, AU.3.046, etc.). John also figures there are well over 20 additional CMMC practices in other domains that audit logging supports.
So does that mean you need a Security Information and Event Management (SIEM) solution?
John frames the SIEM question in the context of the overall audit domain: “I would argue that auditing is one of the most important areas [of CMMC] for you to consider.”
“So we have explicit requirements like, ‘review and update logged events,’ and ‘create and retain audit logs and records to the extent needed to be able to enable the monitoring, analysis and investigation reporting of unlawful or unauthorized system activity’—and we’ve got a number of these,” John notes. “What’s important here is these requirements are to limit access [to CUI] and ensure that we’ve got appropriate segregation of function.”
John continues: “So when you start to look at the sum total of this… do I need a SIEM? No. Could I do this with Graylog, which is an open-source log management tool? Could I do this with a Kiwi Syslog server and some Python scripting? Sure. Could I do this with Azure Sentinel if I’m in a Microsoft 365 environment? Potentially, because a lot of the events that we’re going to be monitoring for access to CUI are going to take place through that environment.”
“So do I need a SIEM?” John posits. “No. Will many organizations, as they get beyond, say, 50 people, probably be better off having a SIEM? I think the answer is probably yes, because it’s going to make each of those requirements simpler to account for.”
The SIEM question is really one of efficiency and effectiveness. You can either piece together a solution—which may take significant time and effort to manage—or purchase a more automated and efficient tool. It comes down to your budget, how much effort you’re expending on log management, and whether your ability to detect and respond to events is sufficient.
As John puts it: “Say I’m going to have to jump in and spend 30 minutes each day looking through logs to see if anything happened. Versus using a tool that costs me more, but it’s going to let me know dynamically when I need to do that. So that’s kind of where the tradeoffs are going to be there.”
“One of the nice things as well when you get into a SIEM solution or a good log management solution, very often… that can fill multiple parts of this void,” adds John. “We’re going to need to have mechanisms to track incidents and events through resolution and corrective actions learned, as an example. And very often these SIEM type solutions incorporate these kinds of capabilities. … If I do use a SIEM… more of those requirements are being done utilizing a single tool.”
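To make the “syslog server plus some Python scripting” route concrete, here is an added example (not code from Pivot Point Security or the podcast). It parses forwarded sshd and sudo syslog lines, correlates failed logins per source address in a sliding window, flags a successful login that follows a burst of failures, flags privileged commands that touch an assumed CUI share under /srv/cui/, and reports hosts whose log stream has gone quiet. The sample log lines, hostname, addresses, path and thresholds are all constructed assumptions, and the script assumes Linux hosts logging in BSD syslog (RFC 3164) format.

```python
"""Log review and alerting over syslog output with plain Python.
Added example, not Pivot Point Security's code. Assumes Linux hosts
forwarding sshd and sudo events in BSD syslog format; all sample
data, names, addresses, paths and thresholds are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run that ends in a successful
# login, then a privileged read under the (assumed) CUI share.
SAMPLE_LOG = """\
Oct 21 09:00:01 cui-srv sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Oct 21 09:00:03 cui-srv sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Oct 21 09:00:05 cui-srv sshd[2101]: Failed password for root from 203.0.113.9 port 50124 ssh2
Oct 21 09:00:07 cui-srv sshd[2101]: Failed password for root from 203.0.113.9 port 50125 ssh2
Oct 21 09:00:09 cui-srv sshd[2101]: Failed password for jdoe from 203.0.113.9 port 50126 ssh2
Oct 21 09:00:12 cui-srv sshd[2102]: Accepted password for jdoe from 203.0.113.9 port 50127 ssh2
Oct 21 09:01:40 cui-srv sudo:   jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /srv/cui/contract.pdf
Oct 21 09:02:00 cui-srv sshd[2103]: Failed password for asmith from 198.51.100.7 port 40000 ssh2
Oct 21 09:05:00 cui-srv sshd[2104]: Accepted publickey for asmith from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    msg: str


def parse(text, year=2020):
    """BSD syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count these: a spike means a format change
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["prog"], m["msg"]))
    events.sort(key=lambda e: e.ts)
    return events


def _prune(q, now, window):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()


def detect(events, fail_threshold=5, window=timedelta(seconds=60), cui_prefix="/srv/cui/"):
    """Return (rule, host, subject, detail) tuples for events worth a human's time."""
    alerts = []
    recent_fails = defaultdict(deque)  # source IP -> failure timestamps inside window
    already_fired = set()
    for e in events:
        if e.prog == "sshd":
            m = FAIL_RE.search(e.msg)
            if m:
                q = recent_fails[m["src"]]
                q.append(e.ts)
                _prune(q, e.ts, window)
                if len(q) >= fail_threshold and m["src"] not in already_fired:
                    already_fired.add(m["src"])  # one alert per source, not one per guess
                    alerts.append(("BRUTE_FORCE", e.host, m["src"],
                                   f"{len(q)} failed logins within {window.seconds}s"))
                continue
            m = OK_RE.search(e.msg)
            if m:
                q = recent_fails[m["src"]]
                _prune(q, e.ts, window)
                if q:  # success right after recent failures from the same source
                    alerts.append(("SUCCESS_AFTER_FAILURES", e.host, m["src"],
                                   f"{m['user']} logged in after {len(q)} failures"))
        elif e.prog == "sudo":
            m = SUDO_RE.match(e.msg)
            if m and cui_prefix in m["cmd"]:
                alerts.append(("CUI_PRIVILEGED_ACCESS", e.host, m["user"],
                               f"ran as {m['target']}: {m['cmd']}"))
    return alerts


def silent_hosts(events, now, max_silence=timedelta(minutes=15)):
    """Hosts with no events for max_silence. A source that goes quiet may mean
    the logging process failed or was disabled, which deserves its own alert."""
    last_seen = {}
    for e in events:
        last_seen[e.host] = max(last_seen.get(e.host, e.ts), e.ts)
    return sorted(h for h, ts in last_seen.items() if now - ts > max_silence)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for rule, host, subject, detail in detect(evts):
        print(f"ALERT {rule:24} host={host} subject={subject} {detail}")
    print("silent hosts:", silent_hosts(evts, now=datetime(2020, 10, 21, 9, 30)))
```

On the sample, the one-failure-then-key-login from 198.51.100.7 produces nothing because the failure has aged out of the 60-second window, while the five-guess run from 203.0.113.9 produces a brute-force alert, a success-after-failures alert and a CUI access alert. In a real deployment you would point parse() at the syslog server’s daily file on a schedule, tune the thresholds to your environment, and turn each alert into a tracked ticket, since the review-and-alert logic is only half of what the AU practices ask for; the other half is evidence that someone acted on it.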
If your business needs to comply with CMMC, you’ll be very glad you listened to this “special edition” of The Virtual CISO Podcast with John Verry.
To hear this show, and access many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.