The Cybersecurity Maturity Model Certification (CMMC) from the US Department of Defense (DoD) addresses the longstanding issue of widespread data theft across the 300,000-plus companies in its global supply chain. CMMC describes 171 cybersecurity controls, called practices, that are mandated to reduce risk to Controlled Unclassified Information (CUI) whenever it moves outside US federal government systems.
To help make its practices easier to understand and implement, CMMC organizes them into 17 domains. Each practice also falls under one of 43 capabilities. From fundamental to more advanced, each practice comes into play at one of the CMMC’s five maturity levels (Level 1 through Level 5).
The System and Communications Protection (SC) domain is the largest in CMMC, with 27 practices spanning all five maturity levels. Its practices are meant to ensure that your company is “actively identifying, managing, and controlling all system and communications channels that store or transmit CUI.”
Even SMBs often have complex IT environments with many connected networks, systems and devices to support their operations by moving, storing and/or processing data—nearly all of which create cyber risk and thus need to be secured. To do so, you need to know what’s in your environment and have a comprehensive range of solutions and procedures in place to protect data and control how it is handled. End-to-end data encryption is a prominent example.
What are the CMMC System and Communications Protection Domain Practices?
The System and Communications Protection domain defines practices from the “basic cyber hygiene” maturity level (CMMC Level 1) up to the “advanced/progressive” level (CMMC Level 5). This includes two practices each at levels 1 and 2, fifteen practices at Level 3, five more at Level 4 and three at Level 5.
These 27 practices fall into one of two capabilities:
- Define security requirements for systems and communications
- Control communications at system boundaries
System and Communications Protection is one of only six domains that come into play at CMMC Level 1. Its two Level 1 practices set up basic network safeguards to segregate “external” (i.e., publicly accessible) systems and data from “internal” ones:
- 1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
This practice requires you to set up firewalls, web proxies, gateways and other protections so you can monitor, control and protect the flow of data passing between “internal” and “external” environments. Traffic sent over the internet or over commercial telecommunications lines poses specific risks that need to be managed as part of this practice.
- 1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
This practice requires you to segregate publicly accessible systems from your internal systems (where CUI resides) by putting them on separate subnetworks. This applies both to your on-premises networks and to cloud-based networks. Many SMBs will want to partner with web hosting companies that offer integrated security, as a DIY approach can take significant expertise and resources.
The two System and Communications Protection domain practices at CMMC Level 2 implement critical device protections on organizational networks:
- 2.178 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
This practice requires you to configure cameras, microphones, networked whiteboards and other “collaborative computing devices” so they cannot be activated remotely. Further, users need to get a notification (like a blinking light or on-screen text) when such devices are activated. This helps prevent misuse of remote employees’ collaborative tools by unauthorized users trying to listen in on meetings or view what people are working on. Note that this does not apply to “dedicated video conferencing systems,” as these rely on active participants and are less vulnerable to remote activation.
- 2.179 Use encrypted sessions for the management of network devices.
The tools and processes you use to manage network devices need to be secured so that attackers don’t co-opt them to undermine your network security at its core. Most importantly, when someone connects to a network device to manage it, they must use an encrypted session (e.g., SSH or HTTPS rather than Telnet or HTTP), and the cleartext management protocols should be disabled on the device. That way an attacker who can intercept the management traffic cannot read the authentication credentials or the configuration commands. Encryption in transit does not protect credentials from an attacker who has already compromised the device itself, which is why this practice works alongside the domain’s boundary and management-isolation controls.
The fifteen System and Communications Protection domain controls at CMMC Level 3 help form the foundation of protecting CUI on organizational networks:
- 3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
This practice mandates that you use only cryptography validated through the NIST Cryptographic Module Validation Program (CMVP) to protect the confidentiality of CUI. Note that validation applies to a specific cryptographic module (a library, operating system component or appliance) operating in its approved mode, not to an algorithm in the abstract: using AES is not sufficient unless the module implementing it holds a CMVP certificate and is configured to run in FIPS mode.
- 3.180 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Implementing this control means applying security engineering to systems you are developing or upgrading, including legacy systems to the extent possible. Examples include building security testing and validation into the software design and development lifecycle (SDLC), training developers on secure development techniques, and performing threat modeling to identify risks and vulnerabilities.
- 3.181 Separate user functionality from system management functionality.
This practice directs you to separate user and management functions on your systems, typically by access/authentication controls or logical segregation. This reduces the attack surface on management interfaces.
- 3.182 Prevent unauthorized and unintended information transfer via shared system resources.
Also called residual information protection, this control is designed to ensure that data related to the actions of prior users/roles is not available to any current or subsequent users/roles. Mainly this applies to resources like cache memory, main memory, hard drives, registers, etc. When these objects are reused, no residual data should exist there. This most often involves leveraging data leakage protection and/or hardening features of third-party software.
- 3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
This whitelisting practice allows only authorized traffic to enter, transit or leave your network, via approved ports and network paths. In particular, this prevents unauthorized outbound traffic (potentially containing exfiltrated CUI) from your internal network to the internet. Additionally, whitelisting inbound network traffic helps prevent unauthorized connections from external sources to your network. This practice should be implemented at the external boundary as well as at key internal points of a system.
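The following is an added example, not code from the original article, showing what “deny all, permit by exception” means when evaluated against traffic. The zones, addresses and rules are constructed for illustration and stand in for a real firewall rulebase: the only permitted flows are listed, there is deliberately no rule allowing the CUI enclave to reach the internet directly (users go through a DMZ proxy), and anything not matched falls through to an implicit deny.

```python
"""Deny-all, permit-by-exception boundary policy evaluated against sample flows.

Added example, not from the original article. Zones, addresses and rules are
constructed for illustration and stand in for a real firewall rulebase.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: a CUI enclave and a DMZ. Anything not in a named zone is "internet".
ZONES = {
    "cui_internal": ip_network("10.20.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class AllowRule:
    src_zone: str
    dst_zone: str
    proto: str
    ports: tuple  # inclusive (low, high) destination port range


# The complete set of permitted cross-boundary flows. There is no "allow" for
# cui_internal -> internet at all: users reach the web only via the DMZ proxy.
ALLOW_RULES = (
    AllowRule("cui_internal", "dmz", "tcp", (3128, 3128)),  # users -> web proxy
    AllowRule("cui_internal", "dmz", "udp", (53, 53)),      # users -> filtering resolver
    AllowRule("dmz", "internet", "tcp", (443, 443)),        # proxy -> HTTPS sites
    AllowRule("dmz", "internet", "udp", (53, 53)),          # resolver -> upstream DNS
    AllowRule("internet", "dmz", "tcp", (443, 443)),        # public -> DMZ web server
)


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return ("permit", rule_index), ("deny", None) or ("intra-zone", None).

    Rules are tried first-match; the final, implicit rule denies everything
    else, which is what "deny all, permit by exception" means in practice.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("intra-zone", None)  # never crosses the boundary device
    for i, rule in enumerate(ALLOW_RULES):
        if ((rule.src_zone, rule.dst_zone, rule.proto) == (src, dst, proto.lower())
                and rule.ports[0] <= dst_port <= rule.ports[1]):
            return ("permit", i)
    return ("deny", None)


def audit(flows):
    """Return the flows (as given) that the policy would drop."""
    return [f for f in flows if decide(*f)[0] == "deny"]


# Constructed sample flows: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.20.5.7", "192.0.2.10", "tcp", 3128),    # permit: user to proxy
    ("192.0.2.10", "203.0.113.9", "tcp", 443),   # permit: proxy to the internet
    ("10.20.5.7", "203.0.113.9", "tcp", 443),    # deny: bypassing the proxy
    ("10.20.5.7", "203.0.113.9", "tcp", 22),     # deny: direct SSH out (possible exfil channel)
    ("203.0.113.9", "10.20.5.7", "tcp", 445),    # deny: inbound SMB to the enclave
    ("203.0.113.9", "192.0.2.10", "tcp", 443),   # permit: public to DMZ web server
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", decide(*flow))
```

The point of the sample flows is the third one: HTTPS from a user workstation straight to the internet is denied even though HTTPS is “normal” traffic, because the only approved path is through the proxy. A rulebase built the other way round (deny known-bad, allow the rest) would have let it through.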
- 3.184 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
This practice explicitly disallows the risky practice of split tunneling, in which a remote device connected to your network (typically through a VPN) sends some traffic through the tunnel while routing other traffic directly to the internet. With split tunneling enabled, a compromised laptop, smartphone or tablet can act as a bridge between the internet and your internal resources such as file servers and printers. Most organizations prevent this by configuring the VPN client to force all traffic through the tunnel (a “full tunnel” configuration) and by blocking direct local and internet access while the remote connection is active.
- 3.185 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
This practice is a big deal for many defense industrial base (DIB) firms, because it means you need a CMVP-validated, end-to-end encrypted email and file sharing platform (e.g., Microsoft GCC High) or overlay solution (e.g., PreVeil) to transmit CUI. Popular commercial SaaS email platforms like Microsoft 365 and Google G Suite, in their standard commercial tenants, do not comply with SC.3.185.
- 3.186 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
This requirement involves terminating network connections after communications sessions have ended or been inactive for a predetermined period, so that abandoned or orphaned sessions cannot later be hijacked or reused by an attacker.
- 3.187 Establish and manage cryptographic keys for cryptography employed in organizational systems.
This practice requires you to implement best-practice cryptographic key management (generation, distribution, storage, rotation and destruction) to prevent unauthorized access to keys or their loss. As your use of cryptography increases, most companies will need to automate this via third-party tools such as a key management service or hardware security module (HSM).
- 3.188 Control and monitor the use of mobile code.
Mobile code is software that is transferred to a system and executed locally without explicit installation, such as JavaScript, Java applets, ActiveX controls, Flash content and macros embedded in documents. This practice requires you to define which mobile code technologies are acceptable, restrict or block the rest (e.g., through browser, email client and office suite configuration), and monitor for unauthorized use.
- 3.189 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
VoIP introduces security concerns like eavesdropping on calls and impersonating users with ID spoofing. This control requires you to restrict your use of VoIP, such as by establishing and enforcing policy for users’ approved usage of VoIP. This includes monitoring of VoIP traffic for detection of unauthorized use of the technology.
- 3.190 Protect the authenticity of communications sessions.
This practice may encompass multiple layers of controls, including encrypting web sessions with TLS and validating certificates, tying sessions to unpredictable identifiers that are invalidated on logout, and using multifactor authentication so that stolen credentials alone are not enough to establish a session. Your goal is to defeat ubiquitous attacks on communication sessions, like man-in-the-middle attacks, session hijacking and injection attacks.
- 3.191 Protect the confidentiality of CUI at rest.
Data is said to be “at rest” whenever it is not being processed or transmitted. In practice, implementing this control will often involve data encryption on storage devices. However, other technical approaches are possible and/or needed.
- 3.192 Implement Domain Name System (DNS) filtering services.
Third-party DNS filtering tools (e.g., from firewall or antivirus vendors) are widely available to automatically protect users and systems from accessing malicious content in their web browsers or email clients. Usually, some combination of whitelisting and blacklisting of DNS entries is involved, per your policy and plan. The goal is to reduce your vulnerability to the enormous and ever-growing array of social engineering attacks, phishing, website spoofing, etc.
- 3.193 Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
Every company should have and enforce a policy that restricts employees from publishing CUI and other sensitive data on public websites like Facebook, LinkedIn or other social media sites or forums—including industry forums. This control links with related controls like security awareness training.
CMMC Level 4 includes five System and Communications Protection controls, which focus on thwarting APTs and reducing your overall attack surface:
- 4.197 Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
This practice is about architecting your environment with boundary protections (routers, firewalls, etc.) to reduce the potential for unauthorized movement of CUI. In so doing, you can also reduce your attack surface and focus your highest-security efforts on smaller subsets of your data.
- 4.228 Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
To fulfill this practice, you’ll need to identify the critical elements of your environment that handle CUI, and then physically or logically (e.g., with a dedicated management network or access control lists) isolate the management interfaces of these elements from the rest of your network.
- 4.199 Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
Threat intelligence can tell you about known, malicious domain names. By ingesting this data via firewalls or DNS servers to block internal DNS requests for those domains, you can thwart a whole spectrum of attacks like watering hole attacks.
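The following is an added example, not code from the original article, showing the filtering logic behind both SC.3.192 (DNS filtering by policy allowlist and blocklist) and SC.4.199 (blocking requests for domains supplied by a threat-intelligence feed). The domain names, the feed content and the `DnsFilter` class are constructed for illustration; a production deployment would put equivalent logic in a filtering resolver or firewall rather than in a script. The one design point worth seeing in code is that matching is per DNS label, most specific zone first, so a blocklist entry covers all of its subdomains without also matching look-alike names.

```python
"""DNS request filter: policy block/allow lists plus a threat-intelligence feed.

Added example, not from the original article. Domain names and the feed
content are constructed for illustration.
"""
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Canonical form: lower-case, no surrounding whitespace, no trailing root dot."""
    return name.strip().lower().rstrip(".")


def suffixes(name: str):
    """Yield the name and each enclosing zone, most specific first:
    a.b.example.com -> a.b.example.com, b.example.com, example.com, com."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class DnsFilter:
    blocked: set = field(default_factory=set)   # policy blocklist: a zone and everything under it
    allowed: set = field(default_factory=set)   # explicit exceptions to a block
    intel: set = field(default_factory=set)     # indicators ingested from a threat feed
    sinkhole: str = "0.0.0.0"                   # blocked names resolve here so clients fail fast

    def ingest_feed(self, lines) -> int:
        """Load a feed in the common one-domain-per-line format ('#' starts a comment)."""
        added = 0
        for line in lines:
            entry = line.split("#", 1)[0].strip()
            if entry:
                self.intel.add(normalize(entry))
                added += 1
        return added

    def decide(self, qname: str):
        """Return (verdict, matched_zone, reason). The most specific listed zone wins,
        so an allowlisted host inside a blocked zone is still allowed, and a
        blocked host inside an allowed zone is still blocked."""
        for zone in suffixes(qname):
            if zone in self.allowed:
                return ("allow", zone, "allowlist")
            if zone in self.intel:
                return ("block", zone, "threat-intel")
            if zone in self.blocked:
                return ("block", zone, "policy")
        return ("allow", None, "default")

    def resolve_to(self, qname: str):
        """What the filtering resolver hands back: None means 'resolve normally'."""
        return self.sinkhole if self.decide(qname)[0] == "block" else None


# Constructed feed: one indicator per line, with comments and mixed case as real feeds have.
SAMPLE_FEED = [
    "# example threat feed (constructed)",
    "malware.test",
    "C2.Example.NET.   # trailing dot and whitespace are normalized away",
    "",
]


def build_filter() -> DnsFilter:
    f = DnsFilter(blocked={"gambling.example"}, allowed={"safe.gambling.example"})
    f.ingest_feed(SAMPLE_FEED)
    return f


if __name__ == "__main__":
    f = build_filter()
    for q in ["www.gambling.example", "safe.gambling.example", "notgambling.example",
              "beacon.c2.example.net", "MALWARE.TEST.", "www.example.org"]:
        print(q, "->", f.decide(q), "->", f.resolve_to(q))
```

Note that `notgambling.example` is allowed even though it ends in the string `gambling.example`: the blocklist applies to the zone and its children, not to arbitrary string suffixes. Sinkholing to a fixed address (rather than returning NXDOMAIN) is a common choice because the resulting connection attempts show up in firewall logs and tell you which host made the request.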
- 4.202 Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.
Because traditional controls are becoming less effective against today’s attacks, CMMC Level 4 mandates more advanced protections like sandboxing to test and block malicious executables.
- 4.229 Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
This control requires you to implement the capability to allow or block access to websites (gambling, pornography, social media sites, known malicious sites, etc.) based on your policy.
At CMMC Level 5 you are required to implement three proactive System and Communications Protection controls to block attack vectors and provide forensics for threat hunting if an attack is suspected:
- 5.198 Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizational-defined boundaries.
For most organizations, achieving this practice with its associated analysis capability will require sophisticated automation and dedicated staff (either employees or a third party; e.g., a managed services provider). Otherwise, the storage volume required and the risk created by the captures themselves, which may contain CUI and credentials, could do more harm than good to your security posture.
- 5.230 Enforce port and protocol compliance.
This practice prevents attackers from misusing ports and protocols, for example by tunneling SSH or a command-and-control channel over TCP port 443 to slip past egress filters that assume everything on 443 is HTTPS. Enforcing it means inspecting traffic to confirm that what flows on a port is actually the protocol that port is assigned to. Many organizations can enforce protocol compliance for data crossing a network boundary with a properly configured application-aware firewall or intrusion detection/prevention (IDS/IPS) tool.
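The following is an added example, not code from the original article, illustrating the check a protocol-compliance control performs: look at the first bytes a client sends on a connection and compare the protocol they indicate with the protocol the destination port is supposed to carry. The port-to-protocol policy, the payload samples and the function names are constructed for illustration; a real deployment does this on a firewall or IDS/IPS.

```python
"""Port/protocol compliance: flag connections whose payload is not the protocol
the destination port is assigned to.

Added example, not from the original article. The payload samples are
constructed; real enforcement runs on a firewall or IDS/IPS, not in Python.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")


def identify(payload: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS handshake record: content type 0x16, record version 0x0301..0x0304,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3, 4) and payload[5] == 0x01):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


# Policy (constructed): the protocol each permitted port must carry.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}


def check(dst_port: int, payload: bytes):
    """Return (verdict, observed_protocol)."""
    observed = identify(payload)
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return ("unmanaged", observed)  # not in policy; deny-by-default should already drop it
    return ("compliant" if observed == expected else "violation", observed)


def audit(connections):
    """connections: iterable of (src, dst_port, first_payload). Return the violations."""
    violations = []
    for src, port, data in connections:
        verdict, observed = check(port, data)
        if verdict == "violation":
            violations.append((src, port, observed))
    return violations


# Constructed first-packet payloads.
TLS_CLIENT_HELLO = bytes.fromhex("16030100c5010000c10303") + b"\x00" * 32
SAMPLE_CONNECTIONS = [
    ("10.20.5.7", 443, TLS_CLIENT_HELLO),                                   # compliant
    ("10.20.5.8", 80, b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),   # compliant
    ("10.20.5.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                         # violation: SSH hiding on 443
    ("10.20.5.10", 22, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),               # violation: HTTP on the SSH port
    ("10.20.5.11", 443, b"\x8f\x12custom-c2-beacon"),                       # violation: unknown protocol on 443
]

if __name__ == "__main__":
    for v in audit(SAMPLE_CONNECTIONS):
        print("violation:", v)
```

First-packet fingerprinting is exactly what a protocol-enforcing firewall does, and it has the same limit: an attacker who wraps a command-and-control channel inside a genuine TLS session passes this check. That is why this practice sits alongside boundary packet capture (5.198) and sandbox analysis of code crossing the boundary (4.202) rather than replacing them.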
- 5.208 Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.
This control is about going beyond standard settings and approaches by turning knowledge of your own environment to your advantage with custom protections hackers haven’t seen before. This makes your systems harder to crack and might convince a befuddled attacker to move on to an easier target.
What does it take to comply with the CMMC System and Communications Protection Domain controls?
The System and Communications Protection domain practices could prove a challenge to SMBs in the DIB. Even at CMMC Level 1 you need to deploy and correctly configure basic perimeter security, such as a firewall, between your internal network and the internet.
At Level 2, in addition to the controls themselves, you’ll also need policies to support monitoring, controlling and protecting your communications at key external and internal boundaries, and to only use secure protocols to manage network infrastructure components.
Level 3 compliance requires not just the controls and policies but also a formal plan that explains how you implement end-to-end encryption and other overarching protections for CUI. For many organizations, Level 3 compliance will drive significant changes, including possibly migrating your email platform from Microsoft 365 to Microsoft’s GCC High cloud.
Complying with levels 4 or 5 requirements for this domain means holistically integrating and “orchestrating” diverse controls for protecting CUI. This effort will benefit from a strategic, risk-centric view of your overall cybersecurity program and posture.
Looking at a diverse domain like System and Communications Protection illustrates how important it is to understand your current security controls and plan your DoD compliance effort holistically, versus implementing new tools or controls piecemeal. You want to avoid making significant investments, only to fall short of compliance with your DoD contract(s).
As a Registered Provider Organization (RPO) for DIB orgs that need to achieve CMMC certification and/or NIST 800-171 compliance, as well as comply with other DoD contract requirements like the International Traffic in Arms Regulations (ITAR), Pivot Point Security can provide the expertise and staffing resources you need to get your program on track and ensure its success. Contact us to explore how we can help you define and attain your security and compliance objectives.