What if we told you that starting the path towards CMMC compliance doesn’t require thousands of dollars in shiny new hardware?
Introduction & Totem Top 10
The Cybersecurity Maturity Model Certification (CMMC) is beginning to pick up steam, which means that many Department of Defense (DoD) contractors have set out on their journey towards protecting Controlled Unclassified Information (CUI) through CMMC compliance. Unfortunately, the large number of requirements outlined in the CMMC has left many small businesses feeling overwhelmed and unsure where to turn. If you are in this position, let us just say this: take a deep breath. It’s going to be alright. There are those who may try to convince you that you must drop everything you are doing and invest in their expensive new hardware; that their method is the ONLY WAY you can win in the end. Instead, we are going to show you that your company may already have everything you need as you pursue CMMC compliance. To do this, we will outline the top 10 safeguards that we at Totem Technologies recommend as you look to establish an effective cybersecurity plan and become CMMC-compliant.
Before we dive into the meat and potatoes, we’ll need to preface this article with a couple things. First, this list is not just our opinion; it is derived from several of the industry’s leading and most respected organizations:
- The United States National Security Agency (NSA) “Top 10 Mitigations”
- The Australian Cyber Security Centre (ACSC) “Essential Eight”
- The Center for Internet Security (CIS) “Basic Six”
We created this list by weight-ranking the top cybersecurity safeguards from each of these organizations. We then added in a little of our own “Totem taste” by including best practices that we know have been important to us as a small business. At the end of this article, there will be a CMMC compliance checklist available for download that you can use to implement these top 10 safeguards and hit the ground running.
Second, we won’t analyze each safeguard in detail. Instead, we will highlight some of the changes since the release of our Totem Top 5 and expand upon the new safeguards that have been added. You may be intrigued by how quickly these safeguards are changing!
Finally, the Totem Top 10:
| # | Safeguard |
|---|---|
| 1 | Know Your Assets |
| 2 | Train Your Users |
| 3 | Whitelist Software |
| 4 | Patch Software and Operating Systems |
| 5 | Restrict Administrative Privileges |
| 6 | Harden System Components |
| 7 | Segment Your Network |
| 8 | Backup Your Data and Test Restoration |
| 9 | Enable Multi-Factor Authentication (MFA) |
| 10 | Collect and Analyze Event Logs |
Software Whitelisting Moves UP!
If you’ve read our Totem Top 5, you’ll likely notice that software whitelisting increased in ranking (from 5 to 3). Software whitelisting, also known as application whitelisting or application control, follows a ‘deny-everything, allow-by-exception’ approach: you define precisely which software is permitted to run on an operating system (OS), and then configure an enforcement tool on the OS to allow only that defined software to execute and to block everything else by default. Windows includes a native whitelisting feature, AppLocker, and there are third-party products, such as McAfee Application Control, that can be installed and engaged as well. Additionally, many endpoint management and protection suites, such as CrowdStrike, include whitelisting features.
The implications of failing to properly configure a software whitelist are enormous. Consider, for example, a phishing attack in which an adversary sends a victim employee a Microsoft Word document containing malicious code. The code exploits an unpatched Word installation to run a command that downloads a keylogger and tries to launch it. A whitelist does not stop the exploit inside Word itself, since Word is an approved application, but with a properly configured whitelist in place the downloaded keylogger is not on the approved list and is blocked from executing, adding yet another layer to this company’s defense-in-depth.
With this in mind, it’s reasonable to see why software whitelisting received a higher ranking. If your small business is on the road to becoming CMMC-compliant but you have yet to implement software whitelisting, now is the time to start!
#7: Network Segmentation
The National Institute of Standards and Technology (NIST) defines network segmentation as “splitting a network into sub-networks…by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.” Network segmentation is an effective method for preventing attackers from moving laterally through your network, because each boundary is another layer they must overcome, strengthening your defense-in-depth strategy. There are two general approaches to network segmentation:
- Isolation – No logical access. A virtual “air gap” exists between the two assets, making them blind to one another. For example, consider a company that uses a secure door access system. It can segment that system from the rest of the network by allowing it to communicate only with the third-party alarm company over the Internet, and with nothing on the internal network.
- Controlled Access – Logical access is permitted. There is no “air gap” in this case, but segmentation is still achieved when access between the respective assets is restricted to defined parameters. For example, you might place all your printers on their own subnet and use TCP/IP port filtering so that only approved workstations can reach them, and only on the printing ports.
Practically speaking, consider an organization that has segmented its network by placing the human resources (HR) and finance departments on their own respective subnets. If an attacker gains access to an HR associate’s computer and seeks the sensitive information on a finance associate’s device, the boundary between the two subnets blocks or slows the move, and with proper monitoring at that boundary the attacker trips an alarm simply by attempting to cross into the target subnet. Win!
There are a number of different ways to achieve network segmentation, so be sure to work closely with your day-to-day IT staff or Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) to determine the best method for your small business.
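As an added example (not part of the original article, and not a configuration for any particular firewall product), the following Python models the two approaches above as one policy: the door access controller’s segment has no internal rule at all (isolation), the printer segment accepts only the printing ports from the workstation segments (controlled access), and anything else that crosses a segment boundary is denied and logged, which is what trips the alarm in the HR-to-finance scenario. All subnet ranges, hosts and flows are constructed.

```python
"""Segment-to-segment access policy evaluated against sample flows.

Added example, not from the original article and not tied to any firewall
product: isolation is expressed as the absence of any rule, controlled access
as a rule admitting specific ports from specific segments, and everything
else crossing a boundary is denied and logged. Subnets, hosts and flows are
constructed for the illustration.
"""
from __future__ import annotations
from ipaddress import ip_address, ip_network
from typing import NamedTuple

SEGMENTS = {
    "workstations": ip_network("10.10.0.0/24"),
    "hr":           ip_network("10.20.0.0/24"),
    "finance":      ip_network("10.30.0.0/24"),
    "printers":     ip_network("10.40.0.0/24"),
    "door_access":  ip_network("10.50.0.0/24"),
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# (source segment, destination segment, protocol, allowed destination ports).
# Anything not listed here is denied. 'printers' is controlled access (raw
# printing and IPP only); 'door_access' has no internal rule and is isolated.
ALLOW = [
    ("workstations", "printers", "tcp", {9100, 631}),
    ("hr",           "printers", "tcp", {9100, 631}),
    ("finance",      "printers", "tcp", {9100, 631}),
]


def segment_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return "allow", f"intra-segment traffic within {src_seg}"
    for s, d, proto, ports in ALLOW:
        if (s, d, proto) == (src_seg, dst_seg, flow.proto) and flow.dport in ports:
            return "allow", f"controlled access {s} -> {d} {proto}/{flow.dport}"
    return "deny", f"no rule for {src_seg} -> {dst_seg} {flow.proto}/{flow.dport}"


def audit(flows: list[Flow]) -> list[str]:
    """Evaluate flows and return one alert line per denied cross-segment attempt."""
    alerts = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "deny":
            alerts.append(f"ALERT {f.src} -> {f.dst}:{f.dport}/{f.proto}: {reason}")
    return alerts


# Constructed traffic, including an HR host probing a Finance file share (SMB).
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.40.0.7", "tcp", 9100),   # HR host prints: allowed
    Flow("10.20.0.15", "10.30.0.22", "tcp", 445),   # HR -> Finance SMB: lateral move, denied
    Flow("10.10.0.9",  "10.50.0.3", "tcp", 80),     # workstation -> door controller: isolated
    Flow("10.30.0.22", "10.30.0.23", "tcp", 445),   # Finance-to-Finance stays inside its segment
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Two of the four sample flows produce alerts: the HR-to-finance SMB attempt and the workstation reaching for the isolated door controller. Real firewalls express the same idea as an ordered rule set ending in a default deny; the point of the model is that the deny-and-log default, not the allow rules, is what makes lateral movement visible.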
#8: Backup and Test Restoration
Nobody enjoys planning for worst-case scenarios. Sometimes it’s easier just to assume that the risk either doesn’t apply or is too insignificant to worry about. In some instances, this is true, but the reality is that small businesses are responsible for mitigating risk just as large organizations are. The DoD certainly demands this for all government contractors handling CUI, which is why it is essential that your small business have a recovery plan in place should disaster strike.
Your recovery plan should show that you are protecting critical data, configurations, and logs, and that you are able to continue operations after an unexpected event. It should also demonstrate that you are backing up and encrypting your data so that it can be stored safely offsite; keeping at least one copy offline or otherwise unreachable from the production network matters too, so that ransomware that reaches your file servers cannot destroy the backups along with the originals. There are many ways to begin backing up your data, but if you have yet to do this, a good place to start is Windows Backup. A backup you have never restored is an assumption rather than a safeguard, so keep in mind that this plan requires periodic restore testing and evaluation, and tailor it as your own environment changes.
#9: Enable Multi-Factor Authentication
Honestly, we’re surprised that multi-factor authentication (MFA) isn’t ranked higher (it probably would have made our top 5). If you’ve read our Multi-Factor Authentication for Small Business blog, you likely understand that MFA is one of the most effective security safeguards you can implement in your environment when handling CUI, or any sensitive information for that matter. In fact, if you’ve been following the news lately, Colonial Pipeline very likely could have prevented the ransomware attack on its systems had it used MFA: the attackers’ initial access was traced to a legacy virtual private network (VPN) account that did not have MFA enabled. All the attackers needed was a valid username and password, and they were in. A clear example of the opposite of defense-in-depth.
In order to authenticate yourself to a system, you must present an authentication factor. Authentication factors can be broken down into three categories:
- Knowledge factors – something you know, such as a password, PIN, or the answer to a security question
- Possession factors – something you have, such as a smartphone, security token, smart card, or PKI certificate
- Inherence factors – something you are, a biometric factor such as a fingerprint, a facial scan, a voiceprint, or a retina/iris scan
Given this, multi-factor authentication occurs when you require users to authenticate themselves using factors from more than one category. Note that asking a user to provide both a password and the answer to a security question would NOT be an example of MFA, since both are something you know; two factors from the same category do not add a second layer.
The CMMC has clear requirements for MFA, so be sure that your small business is using MFA to help secure its systems and protect CUI. To get started, check out some of the most widely used MFA tools: Duo, Microsoft Authenticator, and Yubico (YubiKey).
#10: Event Log Analysis
To detect suspicious activity across your network, and to reconstruct what happened once it is detected, your cybersecurity plan must contain a method for collecting, managing, and analyzing event logs. This information is crucial for identifying attackers and tracking their activities within your systems. Without a properly configured log analysis procedure, attackers who find their way into your network may remain hidden for extended periods of time. Collecting logs into a central repository also matters: an intruder who gains control of a single host can clear its local logs, but not the copies already shipped elsewhere. This is clearly a risk to your small business, which is why the DoD requires its contractors to implement event log analysis to become CMMC-compliant. There are a number of helpful tools out there at little to no cost that can be used for event log analysis. One that we recommend is Security Onion.
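Here is what “analyzing event logs” means in practice, as an added example not taken from the original article or from Security Onion’s rule set: a Python script that parses a constructed export of Windows Security log records and runs two detections over it, a burst of failed logons (event 4625) from one source followed by a successful logon (4624) from the same source, and the Security log being cleared (event 1102), which an intruder does to cover their tracks. The log format and every record in it are constructed for the example; real exports carry more fields than these.

```python
"""Two detections run over sample Windows Security event log lines.

Added example, not from the original article and not Security Onion's own
rules: a parser for a constructed log export and two checks, password
guessing that ends in a successful logon (4625 x N then 4624 from the same
source) and the Security log being cleared (1102). All records are constructed.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: "<timestamp> EventID=<id> Account=<user> Source=<ip> Host=<name>"
SAMPLE_LOG = """\
2024-03-04T08:59:50 EventID=4624 Account=bob Source=10.20.0.15 Host=HR-PC-03
2024-03-04T09:00:01 EventID=4625 Account=jsmith Source=203.0.113.44 Host=FIN-PC-07
2024-03-04T09:00:03 EventID=4625 Account=jsmith Source=203.0.113.44 Host=FIN-PC-07
2024-03-04T09:00:04 EventID=4625 Account=jsmith Source=203.0.113.44 Host=FIN-PC-07
2024-03-04T09:00:06 EventID=4625 Account=jsmith Source=203.0.113.44 Host=FIN-PC-07
2024-03-04T09:00:08 EventID=4625 Account=jsmith Source=203.0.113.44 Host=FIN-PC-07
2024-03-04T09:00:12 EventID=4624 Account=jsmith Source=203.0.113.44 Host=FIN-PC-07
2024-03-04T09:01:00 EventID=4625 Account=alice Source=10.20.0.15 Host=HR-PC-03
2024-03-04T09:04:30 EventID=1102 Account=jsmith Source=- Host=FIN-PC-07
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Host=(?P<host>\S+)$"
)


def parse(text: str) -> list[dict]:
    """Turn export lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["id"] = int(e["id"])
        events.append(e)
    return events


def detect_brute_force_success(events: list[dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=5)) -> list[str]:
    """Alert when >= threshold 4625s from one source precede a 4624 from that source."""
    failures = defaultdict(list)          # source ip -> timestamps of 4625 events
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4625:
            failures[e["src"]].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(f"{e['ts'].isoformat()} possible password guessing succeeded: "
                              f"{len(recent)} failures then logon as {e['acct']} "
                              f"from {e['src']} on {e['host']}")
            failures[e["src"]].clear()    # a success ends the current burst
    return alerts


def detect_log_cleared(events: list[dict]) -> list[str]:
    """Event 1102 means the Security log was cleared: always worth an alert."""
    return [f"{e['ts'].isoformat()} Security log cleared on {e['host']} by {e['acct']}"
            for e in events if e["id"] == 1102]


def run(text: str) -> list[str]:
    events = parse(text)
    return detect_brute_force_success(events) + detect_log_cleared(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the sample data the first detection fires once (five failures from 203.0.113.44 and then a successful logon as jsmith) and the second fires on the 1102 record a few minutes later. Note that the second alert is only possible because the records had already been collected off the host: if FIN-PC-07 were the only place those logs lived, clearing the Security log would have erased the evidence of the guessing as well.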
Why Start with the Totem Top 10 Cybersecurity Safeguards for NIST 800-171 / CMMC Compliance?
To do business with the US Department of Defense (DoD), contractors and DoD supply chain members will have to implement many safeguards to protect the DoD’s Controlled Unclassified Information (CUI) processed, stored, and/or transmitted by contractor-owned IT systems. The National Institute of Standards and Technology (NIST) Special Publication 800-171 lists many of those required safeguards, and these are incorporated and expanded upon by the DoD Cybersecurity Maturity Model Certification (CMMC).
Contractors and suppliers that want to do business with the DoD must obtain a CMMC certification to propose to or execute DoD contracts. Essentially the CMMC certification is a supply chain member’s “license to operate” with the DoD. For the hundreds of thousands of small businesses in the DoD’s supply chain, obtaining a CMMC certification is an extremely important milestone. For many of us, that milestone can seem like it’s on a distant horizon, or even worse, a mirage.
Mr. Jeff Dalton, one of the CMMC Accreditation Body board members, posted on LinkedIn that, philosophically, supply chain members shouldn’t worry about “passing” a CMMC assessment, but should instead concentrate on building a cybersecurity program that best protects CUI; certification will follow naturally from that approach. The Totem Top 10 is the perfect path to start building a cybersecurity program to best protect any data, so you may want to start there. Let’s explore how the Totem Top 10 align with the 800-171 Controls and CMMC Practices.
The table below shows each of the Totem Top 10 and the associated 800-171 Controls / CMMC Practices. You’ll be able to download the Totem Top 10 cybersecurity safeguards CMMC compliance checklist at the end of this article.
| Totem Top 10 | NIST 800-171 Control ID | CMMC Practice ID | Control Family / Practice Domain | Control / Practice Text | FAR 17 / CMMC Level 1? |
|---|---|---|---|---|---|
| Know Your Assets | 3.4.1 | CM.2.061 | Configuration Management | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | No |
| | 3.4.3 | CM.2.065 | Configuration Management | Track, review, approve, or disapprove, and log changes to organizational systems. | No |
| | 3.4.7 | CM.3.068 | Configuration Management | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | No |
| | 3.4.9 | CM.2.063 | Configuration Management | Control and monitor user-installed software. | No |
| Train Your Users | 3.2.1 | AT.2.056 | Awareness and Training | Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | No |
| | 3.2.2 | AT.2.057 | Awareness and Training | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | No |
| | 3.2.3 | AT.3.058 | Awareness and Training | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | No |
| Whitelist Software | 3.4.8 | CM.3.069 | Configuration Management | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | No |
| Patch Software and Operating Systems | 3.11.3 | RM.2.143 | Risk Management | Remediate vulnerabilities in accordance with risk assessments. | No |
| | 3.14.1 | SI.1.210 | System and Information Integrity | Identify, report, and correct information system flaws in a timely manner. | Yes |
| Restrict Administrative Privileges | 3.1.5 | AC.2.007 | Access Control | Employ the principle of least privilege, including for specific security functions and privileged accounts. | No |
| | 3.1.6 | AC.2.008 | Access Control | Use non-privileged accounts or roles when accessing non-security functions. | No |
| | 3.1.7 | AC.3.018 | Access Control | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | No |
| | 3.1.15 | AC.3.021 | Access Control | Authorize remote execution of privileged commands and remote access to security-relevant information. | No |
| Harden System Components | 3.4.2 | CM.2.064 | Configuration Management | Establish and enforce security configuration settings for information technology products employed in organizational systems. | No |
| Segment Your Network | 3.1.16 | AC.2.011 | Access Control | Authorize wireless access prior to allowing such connections. | No |
| | 3.1.3 | AC.2.016 | Access Control | Control the flow of CUI in accordance with approved authorizations. | No |
| | 3.13.1 | SC.1.175 | System and Communications Protection | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems. | Yes |
| | 3.13.5 | SC.1.176 | System and Communications Protection | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Yes |
| Backup Your Data and Test Restoration | none (CMMC only) | RE.2.137 | Recovery | Regularly perform and test data backups. | No |
| | 3.8.9 | RE.2.138 | Recovery | Protect the confidentiality of backup CUI at storage locations. | No |
| | none (CMMC only) | RE.3.139 | Recovery | Regularly perform complete, comprehensive, and resilient data backups, as organizationally defined. | No |
| Enable Multi-Factor Authentication | 3.5.3 | IA.3.083 | Identification and Authentication | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | No |
| | 3.7.5 | MA.2.113 | Maintenance | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | No |
| Collect and Analyze Event Logs | 3.3.1 | AU.2.042 | Audit and Accountability | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | No |
| | none (CMMC only) | AU.2.044 | Audit and Accountability | Review audit logs. | No |
| | 3.3.3 | AU.3.045 | Audit and Accountability | Review and update logged events. | No |
| | 3.3.4 | AU.3.046 | Audit and Accountability | Alert in the event of an audit logging process failure. | No |
| | none (CMMC only) | AU.3.048 | Audit and Accountability | Collect audit information (e.g., logs) into one or more central repositories. | No |
| | 3.3.8 | AU.3.049 | Audit and Accountability | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | No |
| | 3.3.9 | AU.3.050 | Audit and Accountability | Limit management of audit logging functionality to a subset of privileged users. | No |
| | 3.3.5 | AU.3.051 | Audit and Accountability | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | No |
| | 3.3.6 | AU.3.052 | Audit and Accountability | Provide audit record reduction and report generation to support on-demand analysis and reporting. | No |
As you can see, the Totem Top 10 encompasses 38 controls in the NIST 800-171 and CMMC. And most of the Configuration Management family/domain is included in this list, aligning nicely with our assertion that cybersecurity starts and ends with configuration management.
Also, note that some of the related CMMC Practices in the table don’t have an associated 800-171 Control; this is because the CMMC Level 3 adds in 20 additional Practices above and beyond the 110 in the 800-171 standard.
If you are struggling with where to begin in the development of your organization’s cybersecurity program, you have a couple of possible routes:
- Begin with the 17 CMMC Level 1 practices (the “FAR 17”, derived from the 15 basic safeguarding requirements in FAR 52.204-21) and immediately move toward compliance with CMMC Level 1
- Begin with the 38 Controls associated with the Totem Top 10 and immediately move toward best protecting CUI
Either route you choose puts you on a good path to compliance and to passing a CMMC assessment. Now you can really take a deep breath!
Does your top 10 look a little different from ours? If so, let us know. We would love to hear from you!
Good luck out there!
-Nathan Cross, Cybersecurity Engineer