Last Updated on October 23, 2022
Does My DIB Org Need a SIEM for CMMC Compliance?
The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) is back on the front burner for defense suppliers, and questions about compliance, timing, costs, etc., abound.
On a recent episode of The Virtual CISO Podcast, host John Verry debriefed Pivot Point Security’s resident CMMC expert, George Perezdiaz, in a rapid-fire, “top questions” session that’s perfect for business leaders concerned about CMMC. A question that looms large for many defense industrial base (DIB) orgs due to cost, training, and implementation impacts is whether CMMC directly or effectively requires a security information event management (SIEM) solution for compliance.
How you achieve “SIEM-like” capabilities is up to you
As George points out, several of the requirements in CMMC’s Audit and Accountability (AU) practice recommend—but do not explicitly require—a SIEM tool.
“There’s nothing in NIST 800-171 or DFARS that says you need a SIEM, as long as you can achieve the objective of those requirements,” George asserts. “You can do the correlation, do the monitoring, to help you achieve those continuous monitoring, rapid response and reporting requirements without a SIEM.”
“[A SIEM] might be the path of least resistance,” notes host John Verry. “But you could take a Kiwi syslog server and then from a correlation perspective write some Python scripts that sit on top of that and alert you when things go on, and that combination is going to work. Or some people have used Graylog. You need the SIEM capabilities, but you don’t necessarily need a SIEM.”
But while a SIEM tools isn’t required for CMMC certification, using one can streamline and simplify a lot of the challenging data collection and number crunching you’ll need to do. Why build what you can buy?
Also, FYI for DIB orgs with high-value CUI assets that will need to comply with CMMC Level 3: there is one control related to threat hunting in NIST 800-172 that mandates a SIEM solution.
Understanding your data flows is essential
Several times in this podcast, John and George both reiterate how important it is to understand your CUI environment and data flows before you make investment decisions either way.
“Until you really understand how the CUI flows to you, through and in your systems, you don’t know which logs from which applications and which systems need to actually be talking to your SIEM,” John emphasizes. “If you got down to a point where there are only three systems, then you probably don’t need a full-featured SIEM, right? A Kiwi syslog server is going to work great.”
Many orgs end up logging data they don’t need for CMMC, and/or failing to log critical data for systems that interact with CUI.
To hear the complete CMMC Q&A podcast with George Perezdiaz, click here.
Is your company ready for a CMMC 2.0 certification assessment? Why not, the DoD is asking: CMMC 2.0: DoD Emphasizes “Nothing Has Changed” (So Why Aren’t You Ready?)