The Cybersecurity Maturity Model Certification (CMMC) standard is the US Department of Defense’s (DoD) answer to the problem of rampant data exfiltration across the 300,000-plus companies in the defense industrial base (DIB). CMMC defines 171 cybersecurity controls, called practices, that are required to safeguard Controlled Unclassified Information (CUI) whenever it is transmitted, stored and/or processed outside US government information systems.
To help organize its practices, CMMC defines 17 domains. It further relates each practice to one of 43 capabilities. Each practice also applies to one of the CMMC’s five maturity levels.
To help address the relentless threat of cyberattack, the CMMC Situational Awareness (SA) domain practices focus on providing DIB firms’ management and risk assessment teams with a Common Operating Picture (COP)—a command and control capability that gives you the situational awareness needed to support risk-based decision-making about cyber threats. The goal is to effectively monitor internal systems for threats.
What are the CMMC Situational Awareness Domain Practices?
The Situational Awareness domain includes three practices: one at CMMC Level 3 and two at Level 4. All are concerned with building threat intelligence to better address current threats. This is underscored by the domain’s sole capability, the goal of which is self-explanatory: Implement threat monitoring.
The one Situational Awareness practice at CMMC Level 3 is about obtaining, sharing and leveraging cyber threat intelligence:
- 3.169 Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
This practice requires you to tap external sources of cyber threat intelligence to inform your situational awareness activity. Suggested sources include US-CERT, industry associations, the MITRE ATT&CK knowledge base, your vendors and the US government.
The two Situational Awareness practices at CMMC Level 4 are about developing a threat hunting capability:
- 4.171 Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track and disrupt threats that evade existing controls.
Unlike many traditional “perimeter” controls such as firewalls, intrusion detection and antivirus solutions, threat hunting is a proactive mode of defense in which you actively search your environment for Advanced Persistent Threats (APTs). This can enable you to track and disrupt sophisticated attackers earlier in their attack sequence and to improve the effectiveness of your response. It can even help you ferret out attacks that may have persisted within your systems for months or years. Some of the signals that “tip off” an attack include large amounts of data leaving the network, attempts to run malware, unauthorized login attempts against sensitive data, and application logins from unknown IP addresses in non-US domains.
- 4.173 Design network and system security capabilities to leverage, integrate, and share indicators of compromise.
Designing your security architecture to rapidly share indicators of compromise (IoCs)—the forensic evidence of intrusions—across your systems improves your ability to block attacks. The more automation here (think dashboards and alerts), the faster you can respond. Integrating threat data (e.g., logs) across systems also gives your threat hunting team more data and patterns of activity to work with.
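The following is an added example, not code from the original article or from Pivot Point Security, illustrating the tip-off signals listed under practice 4.171 and the cross-system IoC sharing described under 4.173. It runs a small hunting pass over constructed log lines from three sources (an egress gateway, an application authentication log and an endpoint agent), matches them against a constructed IoC set of the kind a threat-intelligence feed might supply, and then correlates findings by asset so that a host flagged by more than one system rises to the top. The log format, IoC values, thresholds and country allow list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# --- Constructed inputs (not real data) ------------------------------------
# Placeholder indicators: a TEST-NET-3 documentation address and a dummy hash.
PLACEHOLDER_HASH = "ab" * 32
IOCS = {
    "ip": {"203.0.113.77"},
    "sha256": {PLACEHOLDER_HASH},
}

# Three log sources in an assumed "ts key=value ..." format, one event per line.
EGRESS_LOGS = """\
2024-05-01T10:00:01Z src=10.1.2.3 dst=198.51.100.9 bytes_out=1200
2024-05-01T10:05:10Z src=10.1.2.3 dst=203.0.113.77 bytes_out=4500000000
2024-05-01T10:06:00Z src=10.1.2.8 dst=198.51.100.20 bytes_out=800
"""
# "XX" is a placeholder country code outside the allow list.
AUTH_LOGS = """\
2024-05-01T09:58:00Z user=alice result=FAIL src_ip=192.0.2.44 country=XX
2024-05-01T09:58:05Z user=alice result=FAIL src_ip=192.0.2.44 country=XX
2024-05-01T09:58:09Z user=alice result=FAIL src_ip=192.0.2.44 country=XX
2024-05-01T09:58:20Z user=alice result=OK src_ip=192.0.2.44 country=XX
2024-05-01T10:01:00Z user=bob result=OK src_ip=10.1.2.3 country=US
"""
ENDPOINT_LOGS = (
    f"2024-05-01T10:02:30Z host=ws-17 ip=10.1.2.3 "
    f"event=exec_blocked sha256={PLACEHOLDER_HASH}\n"
)

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn 'ts key=value ...' lines into dicts; the timestamp is kept under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = dict(KV.findall(rest))
        event["ts"] = ts
        events.append(event)
    return events


def hunt(egress, auth, endpoint, iocs, allowed_countries=frozenset({"US"}),
         exfil_bytes=1_000_000_000, fail_threshold=3):
    """Apply the tip-off rules to each source. Returns (rule, asset_ip, detail) tuples.

    Every finding is keyed on an IP address so hits from different systems
    can later be joined on the same asset.
    """
    findings = []

    # Egress: contact with a known-bad destination, or an unusually large transfer.
    for ev in egress:
        if ev["dst"] in iocs["ip"]:
            findings.append(("ioc_ip_contact", ev["src"], ev["dst"]))
        if int(ev["bytes_out"]) >= exfil_bytes:
            findings.append(("large_outbound_transfer", ev["src"], ev["bytes_out"]))

    # Auth: a success following repeated failures, or a login from outside the allow list.
    failures = defaultdict(int)
    for ev in auth:
        key = (ev["user"], ev["src_ip"])
        if ev["result"] == "FAIL":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:
            findings.append(("success_after_repeated_failures", ev["src_ip"], ev["user"]))
        if ev["country"] not in allowed_countries:
            findings.append(("login_from_unexpected_country", ev["src_ip"], ev["country"]))

    # Endpoint: execution attempt of a file whose hash is on the IoC list.
    for ev in endpoint:
        if ev.get("sha256") in iocs["sha256"]:
            findings.append(("ioc_hash_execution", ev["ip"], ev["sha256"]))

    return findings


def correlate(findings):
    """Group rule hits by asset; assets flagged by the most rules come first."""
    by_asset = defaultdict(list)
    for rule, asset, _detail in findings:
        by_asset[asset].append(rule)
    return sorted(by_asset.items(), key=lambda item: (-len(item[1]), item[0]))


def run_hunt():
    """Wire the constructed sources and IoC set together and return the ranked view."""
    findings = hunt(parse_log(EGRESS_LOGS), parse_log(AUTH_LOGS),
                    parse_log(ENDPOINT_LOGS), IOCS)
    return correlate(findings)


if __name__ == "__main__":
    for asset, rules in run_hunt():
        print(f"{asset}: {', '.join(rules)}")
```

The point of `correlate` is the integration 4.173 asks for: on their own, a single blocked execution or one large upload might be triaged as noise, but when the same host is tied to an IoC contact, a large outbound transfer and a blocked IoC hash across three separate systems, it becomes an obvious first stop for the hunting team. In a real deployment the constructed lists would be replaced by feed ingestion and log collection, and the thresholds tuned to the environment.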
What is needed to comply with the CMMC Situational Awareness Domain controls?
At CMMC Levels 3 and above, organizations need to think proactively about protecting CUI and other sensitive data as a matter of national security. With the Situational Awareness practices, that means going beyond defending your network from blatant attacks to gathering the data needed to monitor your environment and detect emerging APTs, as well as latent threats that have already gained a foothold on your systems.
Your Situational Awareness efforts can (and should) be supported with technology. But they also require expert human resources, whether FTEs or third-party staff. In other words, they require significant investment.
Threat monitoring and threat hunting are advanced cybersecurity capabilities that many companies will be challenged to successfully implement with current staff. Further, the Situational Awareness practices rely on integration across controls—and that takes planning as well as technical know-how.
As a Registered Provider Organization (RPO) for DIB companies looking to achieve CMMC certification and/or NIST 800-171 compliance, Pivot Point Security specializes in helping you assess your current state, define your desired state and make a best-practice plan to bridge the gap. Contact us to talk over how we can help you achieve your security and compliance goals.