Last Updated on June 29, 2021
The Cybersecurity Maturity Model Certification (CMMC) standard defines the information security controls needed to protect Controlled Unclassified Information (CUI) on US Department of Defense (DoD) contracts. It organizes those controls—called practices—into 17 domains. For additional structure, it also aligns its 171 total practices into 43 capabilities. Each practice also relates to one of the CMMC’s five maturity levels.
The CMMC Risk Management (RM) domain practices support the process of effectively identifying and evaluating/ranking the risks that your business faces. This includes risk assessment and vulnerability assessment processes within your environment, as well as vendor/third-party or supply chain risks. It covers risks to operations as well as to data and other assets stemming from threats like unauthorized access, exfiltration, modification or destruction.
Some of the vulnerabilities that can create risk include:
- Mistakes made by people, such as accidentally deleting data
- Intentional actions by attackers, such as insider threats, fraud and hacking
- Failure of systems/technology to function as intended
- Poorly designed applications, business processes, etc.
- External events like natural disasters, public infrastructure failures and supply chain disruption
While an organization cannot eliminate cybersecurity risk completely, it can manage and mitigate most risks by making sound, well-informed decisions and plans around them. As the CMMC points out, “the totality of the CMMC practices serve to manage risk. Practices captured here [in the Risk Management Domain specifically] include specific risk mitigation focused practices such as risk identification and planning.”
What are the CMMC Risk Management Domain Practices?
The Risk Management domain includes 12 practices: 3 at Level 2, 3 at Level 3, 4 at Level 4 and 2 at Level 5. This domain also defines 3 capabilities:
- Identify and evaluate risk
- Manage risk
- Manage supply chain risk
The three Risk Management practices at CMMC Level 2 form the basics of a cybersecurity risk assessment program to protect CUI:
- 2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
This practice requires you to periodically assess risk, either formally or informally. Formal risk assessment procedures are documented and use established criteria. Note that “clearly defined system boundaries are a prerequisite for effective risk assessments.” You can examine risk at a variety of levels, from the organizational level to the system level to the mission/business process level.
- 2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
This practice mandates that you regularly perform vulnerability assessment/scanning for all the system components (including web applications and other software) that are in scope for your CMMC certification. This ensures that you can quickly and effectively identify and address potential weaknesses that put CUI at risk. Areas to evaluate include patch scanning, scanning for misconfigurations and scanning for improper ports, protocols, etc. The more complex your environment, the more effort this control requires.
- 2.143 Remediate vulnerabilities in accordance with risk assessments.
The intent of this control is to ensure that you act on the findings of your risk assessments and vulnerability assessments. The goal is to remediate vulnerabilities in a prioritized manner “with consideration of the related assessment of risk” and the level of effort/cost required. If you choose to “accept” or otherwise not address a risk, you should document the reasoning behind this decision.
The three Risk Management practices at CMMC Level 3 refine the basic risk assessment process:
- 3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
This Level 3 practice amplifies the related Level 2 practice (RM.2.141) by mandating that you include “defined risk categories, identified sources of risk, and specific risk measurement criteria” in your risk assessments. You need to assess and prioritize identified risks based on these factors.
- 3.146 Develop and implement risk mitigation plans.
This control requires you act to address risks that exceed your predefined acceptable risk threshold. That means developing and documenting “response strategies,” which could themselves be information security controls or plans. Another factor in this equation is “residual risk” that will remain after you execute your plans. CMMC suggests details for what risk mitigation plans could include; e.g., how the threat will be reduced, the actions to be taken to reduce risk, staff responsible for the plan, etc.
- 3.147 Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
Unsupported products no longer receive security patches and thus are at increasing risk of attack. Therefore, CMMC requires you to manage those products separately from your supported products to help reduce that risk. Some recommended steps include: determining the excess risk exposure; using extended support; isolating the system via air-gapping, firewalls, VLAN separation, etc.; and upgrading, replacing or retiring the non-supported system.
The four Risk Management practices at CMMC Level 4 extend your risk management process to cover Advanced Persistent Threats (APTs) and supply chain risk:
- 4.148 Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
Supply risk grows along with dependence on vendors. Threats run the gamut from counterfeiting to tampering to malware insertion to poor engineering or production practices on a vendor’s part. As CMMC notes, “Managing supply chain risk is a complex, multifaceted undertaking requiring a coordinated effort across an organization building trust relationships and communicating with both internal and external stakeholders.” For more information, see NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
- 4.149 Catalog and periodically update threat profiles and adversary TTPs.
This practice requires you to include adversary tactics, techniques and procedures (TTPs) in your risk management and incident response capabilities. Studying how attackers’ TTPs can be used against you is a key preliminary step to help you train and prepare.
- 4.150 Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
Threat intelligence (e.g., data from a threat feed service) is another way to understand potential attackers and their TTPs. This control directs you to use threat intelligence to plan threat hunting and other defensive strategies.
- 4.151 Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.
In line with RM.4.149 and RM.4.150, this control requires you to periodically scan your network boundaries to eliminate unauthorized ports that could be used to create malicious connections. The intent is to “…validate the implementation of the enterprise security architecture that restricts connections at trusted network boundaries.”
The two Risk Management practices at CMMC Level 5 further extend your risk management process to include whitelisting software and regularly analyzing your own security posture:
- 5.152 Utilize an exception process for non-whitelisted software that includes mitigation techniques.
Whitelisting enables you to lock down your environment so that only authorized software can run on servers and endpoints. But this approach alone is usually too restrictive to be practical. This control sets up a process for smoothly adding to the whitelist or creating exceptions so that individuals can quickly get authorization to run software they legitimately need to do their jobs, without authorizing the software to run organization wide.
- 5.155 Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
APTs are constantly changing, and this control dictates that your risk assessment and overall threat awareness posture regularly update as well. Are threats still being mitigated effectively? What changes are needed? These and many other questions need to be answered periodically to keep cyber risk in check.
What is needed to comply with the CMMC Risk Assessment Domain controls?
For firms that don’t currently perform risk management, this domain defines some challenging controls even at CMMC Level 2. Any company that needs to handle CUI as part of its contract—and thus achieve CMMC Level 3 certification—will likely need to acquire software for vulnerability scanning, along with establishing new policies and procedures (and employee responsibilities) for assessing risk.
Beyond Level 3, this domain requires sophisticated approaches to reducing vulnerabilities and managing risk from APTs. The good news across the board with the Risk Assessment domain controls is that they go beyond simply improving your security posture to helping you develop a “security culture” that is always organically focused on security and hence becoming increasingly secure.
Risk assessment is a significant challenge, especially if you lack experience with it. Pivot Point Security specializes in helping SMBs assess their cyber security and compliance risk. Contact us to talk about how we can help transfer this expertise and mindset to your team.