Last Updated on October 4, 2022
The Cybersecurity Maturity Model Certification (CMMC) is needed to combat widespread data exfiltration within the US Department of Defense (DoD)’s massive global supply chain. The 171 CMMC controls, called practices, focus on reducing risk to Controlled Unclassified Information (CUI) anytime it is outside US federal government systems.
To make its practices easier to understand and implement, CMMC categorizes them into 17 domains. Each practice also relates to one of 43 CMMC capabilities, and is required starting at one of the standard’s five maturity levels (Level 1 through Level 5).
The CMMC System and Information Integrity (SI) domain has 13 practices spanning all five CMMC maturity levels from “basic cyber hygiene” (CMMC Level 1) up to “advanced/progressive” (CMMC Level 5). Its goal is to ensure that assets in your IT environment that contain or process CUI, from laptops to applications to file shares, are “continuously monitored to detect violations of the authorized security state.” Because it is such a common attack vector, CMMC calls out email specifically as needing constant monitoring and protection to “detect malicious activity.”
The controls and processes to achieve the 13 System and Information Integrity practices range from “security 101” activities like running antivirus software and patching your supported third-party software to employing special email protections like anti-spam and attachment sandboxing to highly advanced analytics to detect suspicious insider behavior patterns.
What are the CMMC System and Information Integrity Domain Practices?
The System and Information Integrity domain defines 13 practices: 4 at Level 1, 3 at Level 2, 3 at Level 3, 1 at Level 4 and 2 at Level 5. These 13 practices relate to 4 capabilities:
- Identify and manage information system flaws
- Identify malicious content
- Perform network and system monitoring
- Implement advanced email protections
System and Information Integrity is one of just six CMMC domains that specify practices at CMMC Level 1. Its four Level 1 practices define basic data protection controls as part of the “basic cyber hygiene” that every organization needs:
- SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.
The main thrust of this control is keeping up with vendors’ software updates. Staying current with security fixes and applying them ASAP is key to mitigating vulnerabilities associated with announced defects in commercial software, which hackers frequently target.
- SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.
The key takeaway with this control is to make sure you have anti-malware software running on your endpoints and servers, so that you can scan for malicious files and keep malware from executing on your systems. For example, you can potentially configure your firewall to help detect malware.
- SI.1.212 Update malicious code protection mechanisms when new releases are available.
This important control simply requires you to keep your malware/antivirus definitions up to date so that your anti-malware tools remain effective against newer malware.
- SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
You can probably use your antivirus/anti-malware software to comply with this practice, assuming it can perform scheduled full-system scans and automatically scan files as they are downloaded, opened, or copied from an external drive.
The three System and Information Integrity domain practices at CMMC Level 2 emphasize monitoring your systems to detect threats:
- SI.2.214 Monitor system security alerts and advisories and take action in response.
To comply with this practice, you’ll need to subscribe to one or more third-party security alert/advisory feeds. Of course, you’ll also need to show that you consistently review these alerts and take action if any of them apply to your environment.
- SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
This practice does not require you to put an intrusion detection system (IDS) in place, but doing so may be a good idea. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Many firewall solutions offer an IDS component, and open-source options are also available.
- SI.2.217 Identify unauthorized use of organizational systems.
To meet this requirement you’ll first have to analyze your environment and business activities so you can create an “acceptable use” policy that defines approved users, roles, permissions, etc., as well as unapproved uses of your systems. Then you’ll need to set up monitoring tools (hopefully largely automated) to sift through your logs, IDS output, anti-malware alerts, web content filter logs, etc. to detect unapproved activity.
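The SI.2.217 approach described above, turning an acceptable-use policy into an automated check over logs, as an added example that is not part of the original article. The policy, the account and host names, and the SSH-style log lines are all constructed for the example; the log format is a simplified one chosen here, not any particular product's.

```python
"""Added example (not from the original article): check constructed
authentication log lines against a small acceptable-use policy.
Every user, host and log line below is made up for the example."""
import re
from datetime import datetime

# Hypothetical acceptable-use policy: approved accounts and their roles,
# the hosts each role may log into, and the hours during which interactive
# (non-service) logins are expected.
POLICY = {
    "users": {"alice": "engineer", "bob": "engineer",
              "carol": "admin", "svc-backup": "service"},
    "hosts_by_role": {
        "engineer": {"dev01", "dev02"},
        "admin": {"dev01", "dev02", "fileserver", "mail"},
        "service": {"fileserver"},
    },
    "work_hours": (7, 19),  # 07:00-19:00 local time
}

# Simplified, constructed log format: "<iso-timestamp> <host> sshd: Accepted
# <method> for <user> from <source-ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)$"
)


def check_line(line, policy=POLICY):
    """Return the list of policy violations for one log line (empty if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed line: " + line]
    ts = datetime.fromisoformat(m["ts"])
    user, host = m["user"], m["host"]

    role = policy["users"].get(user)
    if role is None:
        # An account the policy never approved is the clearest case of
        # unauthorized use, so report it and stop.
        return [f"{user}: account not in approved user list (host {host})"]

    findings = []
    if host not in policy["hosts_by_role"][role]:
        findings.append(f"{user}: role '{role}' not permitted on {host}")
    start, end = policy["work_hours"]
    if role != "service" and not (start <= ts.hour < end):
        findings.append(f"{user}: interactive login outside work hours at {ts.time()}")
    return findings


def scan(lines, policy=POLICY):
    """Run every line through the policy; returns (line, finding) pairs."""
    return [(line, f) for line in lines for f in check_line(line, policy)]


# Constructed sample log: two clean logins, one service-account login at
# night (allowed), one engineer on the file server after hours (two
# violations), and one login by an account that was never approved.
SAMPLE_LOG = [
    "2022-10-03T09:15:02 dev01 sshd: Accepted publickey for alice from 10.0.0.5",
    "2022-10-03T22:40:11 fileserver sshd: Accepted password for bob from 10.0.0.9",
    "2022-10-03T03:00:00 fileserver sshd: Accepted publickey for svc-backup from 10.0.0.20",
    "2022-10-03T10:05:44 mail sshd: Accepted password for mallory from 203.0.113.7",
    "2022-10-03T12:00:00 dev02 sshd: Accepted publickey for carol from 10.0.0.2",
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LOG):
        print(finding)
```

The point of the structure is that the policy is data, not code: when the acceptable-use policy changes (a new role, a new server), only the `POLICY` table is edited, and the same checker keeps running over whatever log source feeds it.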
The three System and Information Integrity domain controls at CMMC Level 3 define specific protections to block threats delivered via email:
- SI.3.218 Employ spam protection mechanisms at information system access entry and exit points.
This practice mandates that you implement an email spam filter for both inbound and outbound email.
- SI.3.219 Implement email forgery protections.
As many SMBs will have hosted email solutions, to comply with this practice you may only need to turn on, configure or otherwise make use of your email provider’s email spoofing protections. If you run your own on-premises email server, you’ll need to implement a compatible anti-forgery solution to help ensure email integrity.
- SI.3.220 Utilize sandboxing to detect and block potentially malicious email.
Sandboxing is key to email security, because it enables you to safely quarantine, test and “detonate” potentially malicious attachments. Leading cloud-based email platforms like Microsoft 365 offer this service. If you host your own email server, you can utilize a proven third-party solution from among multiple offerings.
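For SI.3.219, the email forgery protections that hosted providers and on-premises servers alike rely on are the sender-authentication DNS records SPF and DMARC (the article does not name them; this is the standard mechanism). Below is an added example, not code from the article or from any provider, that reads a domain's SPF and DMARC records and reports settings that leave the domain open to spoofing, showing a weakly configured domain beside a corrected one. The two domains and their records are constructed; the DNS lookup is an in-memory table so the example runs offline, and a real resolver would replace `lookup_txt` to check your own domains.

```python
"""Added example (not from the original article): flag SPF/DMARC settings
that leave a domain open to forgery. Records below are constructed."""

# Constructed TXT records for two hypothetical domains: one weak, one corrected.
FAKE_DNS = {
    "weak.example": "v=spf1 include:_spf.mailhost.example +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "strong.example": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.strong.example": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ),
}


def lookup_txt(name, dns=FAKE_DNS):
    """Stand-in for a DNS TXT query; returns the record string or None."""
    return dns.get(name)


def parse_spf(record):
    """Return the SPF mechanisms after the version tag, or None if no SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    return record.split()[1:]


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if there is no DMARC record."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return None
    tags = {}
    for part in record.split(";")[1:]:
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, dns=FAKE_DNS):
    """Return a list of forgery-related weaknesses (empty means none flagged)."""
    issues = []

    spf = parse_spf(lookup_txt(domain, dns))
    if spf is None:
        issues.append("no SPF record: receivers cannot check sending sources")
    else:
        final = spf[-1].lower() if spf else ""
        if final in ("+all", "all"):
            issues.append("SPF ends in +all: every server passes SPF for this domain")
        elif final == "?all":
            issues.append("SPF ends in ?all: neutral result gives receivers no signal")
        elif final == "~all":
            issues.append("SPF ends in ~all: softfail only; rely on DMARC enforcement")

    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, dns))
    if dmarc is None:
        issues.append("no DMARC record: spoofed mail is neither rejected nor reported")
    else:
        if dmarc.get("p", "none").lower() == "none":
            issues.append("DMARC p=none: forgeries are reported at best, still delivered")
        if "rua" not in dmarc:
            issues.append("DMARC has no rua= address: no aggregate reports to review")
    return issues


if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, assess(d) or ["no weaknesses flagged"])
```

The corrected domain passes because it ends SPF with a hard fail (`-all`), enforces DMARC with `p=reject`, and names a reporting address so that the organization can actually review who is sending in its name, which is the evidence an assessor will ask for.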
CMMC Level 4 defines a single System and Information Integrity control for blocking Advanced Persistent Threats (APTs):
- SI.4.221 Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
This control directs you to advance your knowledge of adversaries’ tactics, techniques and procedures (TTPs) by participating in one or more Information Sharing and Analysis Centers (ISACs) for your industry. You can also get TTP data from commercial sources, which may be easier to integrate with your automated analysis tools. Several other practices at CMMC Level 4 (e.g., AU.4.053, AT.4.060, IR.4.100, RM.4.149) also relate to leveraging TTP insights.
CMMC Level 5 includes two System and Information Integrity controls to proactively monitor for suspicious activity in your environment:
- SI.5.222 Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
This practice requires you to put tools in place to quickly spot potential attacks by detecting activity that is outside of normal operating procedures, before a threat has a chance to ramp up. User/Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) are examples of emerging technologies that empower a proactive monitoring approach.
- SI.5.223 Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
Similar to SI.5.222, this control directs you to first establish what constitutes normal/permissible user behavior in your environment, and then take steps to automatically identify potential anomalies. This could include unusual communications between systems, unauthorized/unusual data exports or file transfers, attempts to contact external systems, attempts to connect to potentially malicious external addresses, and so on. Monitoring for suspect behavior could involve applying statistical analysis, UEBA and/or artificial intelligence/machine learning to data about user activities. The goal is to identify suspicious patterns—including the activities of a malicious insider—versus just alerting on specific events.
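The statistical side of SI.5.222 and SI.5.223, establishing what is normal for each user and then flagging departures from it rather than single events, as an added example that is not part of the original article. It builds a per-user baseline (mean and spread) for two activity metrics over a constructed week of observations and scores a new day with a z-score; the users, the metrics and all the numbers are made up for the example, and a UEBA product would use many more signals than these two.

```python
"""Added example (not from the original article): per-user behavioral
baselines with z-score outlier flagging. All activity data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Two hypothetical daily metrics per user: megabytes uploaded to external
# destinations, and number of distinct internal hosts contacted.
METRICS = ("upload_mb", "hosts")

# Constructed one-week baseline: (user, upload_mb, hosts) per day.
BASELINE_RECORDS = [
    ("alice", 12, 3), ("alice", 15, 4), ("alice", 10, 3), ("alice", 14, 3),
    ("alice", 11, 4), ("alice", 13, 3), ("alice", 16, 4),
    ("bob", 20, 5), ("bob", 22, 5), ("bob", 18, 6), ("bob", 21, 5),
    ("bob", 19, 4), ("bob", 20, 5), ("bob", 20, 5),
]

# Constructed "today": alice uploads far more than usual, bob touches far
# more hosts than usual (the lateral-movement pattern the article mentions).
TODAY_RECORDS = [("alice", 480, 4), ("bob", 21, 41)]


def build_baseline(records):
    """Per-user (mean, spread) for each metric, from historical records."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, *values in records:
        for name, v in zip(METRICS, values):
            by_user[user][name].append(v)
    baseline = {}
    for user, series in by_user.items():
        baseline[user] = {}
        for name, xs in series.items():
            mu = mean(xs)
            # Floor the spread so a very stable metric does not flag a +1 change.
            spread = max(pstdev(xs), 0.1 * mu, 1.0)
            baseline[user][name] = (mu, spread)
    return baseline


def score(record, baseline, threshold=3.0):
    """Return the metric names whose upward z-score exceeds the threshold."""
    user, *values = record
    if user not in baseline:
        # A never-seen account cannot be scored; surface it rather than skip it.
        return ["no baseline for user"]
    flagged = []
    for name, v in zip(METRICS, values):
        mu, spread = baseline[user][name]
        z = (v - mu) / spread
        if z > threshold:  # one-sided: only unusually high activity is of interest here
            flagged.append(name)
    return flagged


def detect(baseline_records, today_records, threshold=3.0):
    """Map each user with at least one flagged metric to the flagged names."""
    baseline = build_baseline(baseline_records)
    results = {}
    for record in today_records:
        flagged = score(record, baseline, threshold)
        if flagged:
            results[record[0]] = flagged
    return results


if __name__ == "__main__":
    for user, flagged in detect(BASELINE_RECORDS, TODAY_RECORDS).items():
        print(f"{user}: anomalous {', '.join(flagged)}")
```

Two design choices matter in practice: the spread floor keeps a user whose activity is almost perfectly constant from generating alerts on trivial variation, and the one-sided threshold reflects that, for exfiltration and lateral movement, a sudden drop in activity is rarely the signal worth paging on. A real deployment would also refresh the baseline on a rolling window so that yesterday's anomaly does not quietly become today's normal.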
What is needed to meet the CMMC System and Information Integrity Domain requirements?
For DIB SMBs that don’t yet have formal cybersecurity programs, the System and Information Integrity domain practices may force you to finally take some “basic yet significant” steps even at Level 1 that will greatly improve your current security posture. These steps include installing and using anti-virus and putting a patch management scheme in place.
Moving up to CMMC Level 3, the minimum requirement for handling CUI, you’ll need to add some layers of monitoring, plus make sure your email environment is well protected from typical threats like spamming, email spoofing and weaponized attachments. At levels 4 and 5, you’ll need highly mature capabilities to help hunt APTs and detect attacks by a skilled insider.
The System and Information Integrity domain practices aren’t intended to stand alone, but to dovetail with the rest of the CMMC practices within each maturity level. Whatever your CMMC certification goals, you need to conceptualize and plan for them holistically, versus implementing point solutions that could leave you with both security and compliance gaps.
As a Registered Provider Organization (RPO) for DIB companies that are seeking CMMC certification and/or NIST 800-171 compliance, Pivot Point Security can provide the on-demand strategic expertise and tactical resources you need to succeed. Contact us to start a conversation with a CMMC expert.