Supporting your CMMC initiatives with Sumo Logic
What are we going to talk about?
• Overview of the Cybersecurity Maturity Model Certification (CMMC)
o Its history
o Its direction
o Who it impacts
o The gap that it fills
• Demonstrate how CloudHesive uses Sumo Logic to:
o Address a customer's needs in preparing for their CMMC audit, from the perspective of
a gap analysis
o Generate evidence during the initial audit
o Demonstrate ongoing compliance
(A brief) United States Government Refresher
• United States Government
o Executive Branch
• Department of Defense
o Office of the Under Secretary of Defense for Acquisition and Sustainment
• Carnegie Mellon University/Johns Hopkins University
• Developed the Program
• Defense Industrial Base/Defense Supply Chain
o Contractors – 100,000 of them, generating 768 Billion USD (3.2% of GDP) Annually
• Their Subcontractors
o Eventually phased into the Program
• CMMC AB -> Cyber AB
o Oversees the Program
What data may (sub)contractors be obligated to protect?
• (F)ederal (C)ontract (I)nformation
o Federal contract information means information, not intended for public release,
that is provided by or generated for the Government under a contract to develop or
deliver a product or service to the Government, but not including information
provided by the Government to the public (such as on public websites) or simple
transactional information, such as necessary to process payments
• (C)ontrolled (U)nclassified (I)nformation
o Information the Government creates or possesses, or that an entity creates or
possesses for or on behalf of the Government, that a law, regulation, or
Government-wide policy requires or permits an agency to handle using
safeguarding or dissemination controls
CMMC Timeline
• In 2016 the DFARS 252.204-7012 clause went into effect, requiring all contract holders to self-assess against the security
requirements of NIST SP 800-171
• In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC)
to transition away from the self-attestation of basic cyber hygiene that had been used to govern
the Defense Industrial Base
• The interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition
Regulation Supplement (DFARS) Case 2019-D041, was published on September 29, 2020, with an effective date of
November 30, 2020
• On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline
that has the model fully implemented by September 2021
• On November 4, 2021, the Department of Defense announced the release of CMMC 2.0
• Final rulemaking is expected to be complete in March 2023
• 60 days after final rulemaking, CMMC requirements are expected to be included in new contracts
CMMC Ecosystem
• Cyber (A)ccreditation (B)ody (formerly CMMC AB)
o (O)rganization (S)eeking (C)ertification
o (R)egistered (P)ractitioner (O)rganizations
• (R)egistered (P)ractitioners
• (R)egistered (P)ractitioners - Advanced
o (C)ertified (3)rd (P)arty (A)ssessment (O)rganizations
• (C)ertified (C)MMC (P)rofessionals
• (C)ertified (C)MMC (A)ssessors
• (P)rovisional (A)ssessors
• (C)MMC (Q)uality (A)ssurance (P)rofessional
o (L)icensed (T)raining (P)roviders
• (C)ertified (C)MMC (I)nstructors
• (P)rovisional (I)nstructor
o (L)icensed (P)ublishing (P)artners
CMMC 1.0 vs. CMMC 2.0
• Streamlined Model
o Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
o Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST)
cybersecurity standards
• Reliable Assessments
o Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of
companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
o Higher accountability: Increases oversight of professional and ethical standards of third-party
assessors
• Flexible Implementation
o Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of
Action & Milestones (POA&Ms) to achieve certification
o Added flexibility and speed: Allows waivers to CMMC requirements under certain limited
circumstances
CMMC 2.0 Level 2 Summary
• Access Control (AC)
• Awareness & Training (AT)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Identification & Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PE)
• Risk Assessment (RA)
• Security Assessment (CA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
Preparing for Audit
• Organizational Readiness
o History
o Current state
o Sustainability of the current state
Sample Artifacts
• (S)ystem (S)ecurity (P)lan
• (P)lan (O)f (A)ctions & (M)ilestones
• Self Assessment with SPRS (Supplier Performance Risk System) Score
• (S)ystem (D)esign (D)ocument
• General
o Policies
o Procedures
o Diagrams
o Configuration Settings
o Mechanisms
o Operational Logs
o Audit Logs
o Monitoring
o Locations
o Strategies
Sample Policies
• Access control policy
• Audit and accountability policy
• Configuration management policy
• Identification and Authentication policy
• Incident response policy
• Personnel security policy
• Risk management policy
• Security awareness and training policy
• Security planning policy
• System and communications protection policy
• System and information integrity policy
• System maintenance policy
• Third party hosting policy
• Vendor management policy
Sample Processes
• Access/Firewall Review
• Audit Log Review
• Backup/Restore Testing
• Configuration/Change Review
• Credential Rotation/Credential Audit
• Incident Response Testing
• Monitoring Review
• Patching
• Personnel (Training, Background Check) Review
• Policy Review
• Risk Review
• Vendor Review
• Vulnerability/Penetration Testing
Organizations in the DIB have a challenge
• What do many of these organizations own from a tech perspective?
o Not much
• Computers, Files, E-Mail…
o Simple needs (somewhere to work, store, retrieve, process, transmit) to deliver product
• What infrastructure do they have to support these requirements?
o Not much
• Physical sites, People, Computers…
o Operationally Capable (e.g., delivering a product), but may not be Cyber Capable
• Where can they get help?
o CMMC Ecosystem
o People Considerations
o (C)loud (S)ervice (P)roviders
AWS (CSP) Shared Responsibility Model
Third Party Solutions
• Virtual Desktop (AWS)
• Directory Service (AWS)
• Endpoint Security Package
• Vulnerability Management Package
• NGFW, DLP (AWS)
• E-Mail, Collaboration Suite
• Monitoring Platform (Sumo Logic)
• Governance, Risk and Compliance Platform
• Training Platform
• Background Check Platform
Organizations in the DIB have a solution to their challenge
Organizations in the DIB Become Responsible For
• Data generation, processing, storage, retrieval
o Understand the flow
• Scope Reduction
o Use an enclave
• If the CUI can't leave the enclave, only the enclave has to be protected and assessed
o Descope where possible – organization, people, domains, access
• If a person or system can't access the data, it is outside the assessment boundary
• People Considerations
o Employees
o Contractors
o Vendors
• Software Considerations
o Vary based on COTS versus Custom
Continuous Monitoring
Continuous Monitoring with Sumo Logic
• We have all these sources of data we are responsible for – events and states
o Data derived from the third-party solutions
• We need to be able to tell the current state and review it historically
o To support the sample processes
• We need to be able to react to the high-priority items
o Push (alert immediately) versus pull (scheduled review)
• We need to demonstrate we are doing this
o It's part of the process
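The monitoring loop described above, as an added example that is not part of the original deck and not Sumo Logic's own tooling: it normalizes constructed Windows Security and AWS CloudTrail events into one schema, runs detections, routes each finding as push (alert now) or pull (queued for the periodic Audit Log Review), and emits an evidence record of the review run. All log lines are constructed, and the thresholds, rule names and evidence-record layout are assumptions; in a Sumo Logic deployment the same rules would be scheduled searches over collected sources rather than a local script.

```python
"""Added example (not from the deck or from Sumo Logic): one continuous-monitoring
cycle over constructed Windows Security and AWS CloudTrail events. It normalizes the
events, runs detections, routes findings as push (alert now) or pull (periodic review),
and records evidence of the run. Thresholds, rule names and record layout are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample input. Shapes loosely follow the native formats but are not real logs.
WINDOWS_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "203.0.113.7", "TimeCreated": "2023-03-01T10:00:01Z"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "203.0.113.7", "TimeCreated": "2023-03-01T10:00:05Z"},
    {"EventID": 4625, "TargetUserName": "asmith", "IpAddress": "203.0.113.7", "TimeCreated": "2023-03-01T10:00:09Z"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7", "TimeCreated": "2023-03-01T10:00:12Z"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7", "TimeCreated": "2023-03-01T10:00:15Z"},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "198.51.100.2", "TimeCreated": "2023-03-01T11:30:00Z"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15", "TimeCreated": "2023-03-01T12:00:00Z"},
]
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2023-03-01T09:15:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-03-01T09:20:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.0.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-03-01T09:45:00Z", "eventName": "StopLogging", "sourceIPAddress": "10.0.0.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

FAILED_LOGON_THRESHOLD = 5                  # assumed tuning values
FAILED_LOGON_WINDOW = timedelta(minutes=10)
LOG_TAMPER_ACTIONS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_windows(ev):
    return {"source": "windows", "time": _ts(ev["TimeCreated"]), "actor": ev["TargetUserName"],
            "src_ip": ev["IpAddress"], "action": "logon",
            "outcome": "failure" if ev["EventID"] == 4625 else "success",
            "identity_type": "user", "mfa": None}


def normalize_cloudtrail(ev):
    ident = ev["userIdentity"]
    return {"source": "cloudtrail", "time": _ts(ev["eventTime"]),
            "actor": ident.get("userName", ident["type"]),   # root has no userName
            "src_ip": ev["sourceIPAddress"], "action": ev["eventName"],
            "outcome": ev.get("responseElements", {}).get("ConsoleLogin", "n/a").lower(),
            "identity_type": ident["type"],
            "mfa": ev.get("additionalEventData", {}).get("MFAUsed")}


def detect(events):
    findings = []
    # Rule 1: burst of failed logons from one source IP inside the window (AC/AU families).
    by_ip = defaultdict(list)
    for e in events:
        if e["source"] == "windows" and e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e["time"])
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGON_THRESHOLD + 1):
            if times[i + FAILED_LOGON_THRESHOLD - 1] - times[i] <= FAILED_LOGON_WINDOW:
                findings.append({"rule": "windows.failed_logon_burst", "priority": "high", "route": "push",
                                 "subject": ip, "count": len(times), "first_seen": times[i].isoformat()})
                break
    # Rule 2: root or non-MFA console access, and changes to audit logging itself (IA/AU families).
    for e in events:
        if e["source"] != "cloudtrail":
            continue
        if e["action"] == "ConsoleLogin" and (e["identity_type"] == "Root" or e["mfa"] != "Yes"):
            findings.append({"rule": "aws.root_or_no_mfa_console_login", "priority": "high", "route": "push",
                             "subject": e["actor"], "src_ip": e["src_ip"], "time": e["time"].isoformat()})
        if e["action"] in LOG_TAMPER_ACTIONS:
            findings.append({"rule": "aws.audit_logging_changed", "priority": "high", "route": "push",
                             "subject": e["actor"], "api": e["action"], "time": e["time"].isoformat()})
    # Pull item: successful logons are not alerts, but the periodic review has to look at them.
    successes = [e for e in events if e["action"] in ("logon", "ConsoleLogin") and e["outcome"] == "success"]
    if successes:
        findings.append({"rule": "review.successful_logons", "priority": "info", "route": "pull",
                         "count": len(successes), "actors": sorted({e["actor"] for e in successes})})
    return findings


def build_evidence(events, findings, reviewer="soc-analyst"):
    """Record of the review run: what was looked at, when, by whom, and what came out of it."""
    return {"review_time": datetime.now(timezone.utc).isoformat(),
            "period": [min(e["time"] for e in events).isoformat(), max(e["time"] for e in events).isoformat()],
            "events_reviewed": len(events), "sources": sorted({e["source"] for e in events}),
            "pushed_alerts": [f for f in findings if f["route"] == "push"],
            "pull_review_items": [f for f in findings if f["route"] == "pull"],
            "reviewer": reviewer}


def run_monitoring_cycle():
    events = [normalize_windows(e) for e in WINDOWS_EVENTS] + [normalize_cloudtrail(e) for e in CLOUDTRAIL_EVENTS]
    events.sort(key=lambda e: e["time"])
    return build_evidence(events, detect(events))


if __name__ == "__main__":
    print(json.dumps(run_monitoring_cycle(), indent=2))
```

The evidence record is the piece the deck's "demonstrate we are doing this" point asks for: it ties the reviewed time window, the sources, the alerts that were pushed and the items left for the scheduled review to a reviewer and a timestamp, which is the shape of artifact an assessor can sample against the Audit Log Review process.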
Windows and Other Events
Cloud Events
AWS Events
Event Response
Conclusion
• In conclusion, leveraging a Cloud Service Provider and a Managed Services Provider
can reduce your organizational burden in preparing for and maintaining
CMMC-defined controls.
• A significant component of maintaining these controls is monitoring and response,
for which Sumo Logic can be used to funnel these various sources of data and state,
then correlate, query and reduce them for human consumption at planned and unplanned
levels of priority.