The US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020. The CMMC is the Department of Defense’s (DoD) regulation designed to ensure that the Controlled Unclassified Information (CUI) resident in the Defense Industrial Base networks and systems are adequately protected by security controls and related processes. Most of the requirements are not unique to the CMMC. These requirements are published in other standards and frameworks such as NIST 800-171 and then cited for inclusion in the CMMC specifications. The CMMC is in response to the multitude of significant data breaches that have impacted defense information on contractors’ information systems and networks. All DoD contractors and most, if not all, of the defense supply chain will need to step up to CMMC certifications.
The CMMC Framework
The CMMC associates cybersecurity best practices and processes to five key maturity levels. These include a fundamental level of cyber hygiene at Level 1 and the most advanced and capable cyber hygiene required at Level 5. These levels build upon one another. To be certified at a higher level, the lower levels’ requirements must be met, and the additional necessary cybersecurity best practices must be operational. The framework organizes processes and practices into domains. These are then mapped across five levels. The framework aligns the practices to a set of capabilities within each of the domains.
CMMC Level 1
CMMC Level 1 includes best practices that must be implemented to protect Federal Contract Information (FCI). Requirements include, for example, the regular changing of passwords and the use of endpoint security software for virus detection; these are typical of CMCC level 1.
CMMC Level 2
CMMC Level 2 security practices require that a company provide additional capabilities to protect Controlled Unclassified Information (CUI) by implementing some of the requirements of the US Department of Commerce National Institute of Standards and Technology (NIST) publication 800-171.
CMMC Level 3
CMMC Level 3 defines a basic competency to protect organizational assets and CUI. CMMC level 3 certified organizations will meet all of the NIST 800-171 requirements, and other stipulated additional standards. CMMC level 3 compliance is now a substantial effort – it addresses all of NIST 800-171 and a few additional items.
CMMC Level 4
CMMC Level 4 requires companies to have implemented many processes for the review and measurement of their practices. They must also have additional practices designed to detect and respond to the tactics, techniques, and procedures (TTPs) of an advanced persistent threat (APT).
CMMC Level 5
CMMC Level 5 requires an organization to have standardized processes across the organization and enhanced practices that enable the most sophisticated capabilities to detect and respond to APTs. Process maturity requires that process implementation has been standardized across the organization. Generally, level 5 requires that defensive responses are performed using automation.
Foundational Security to Help Address CMMC Requirements
Foundational security using DNS, DHCP, IP Address Management (IPAM) and DNS security can be a vital part of providing the increased cyber resilience your organization will need to meet your organization’s CMMC level certification requirements.
Most defense contractors have a mix of on-premise and cloud-based resources. This has been further complicated by the recent move to increased remote access and the use of personal devices for network access. The classic perimeter defense is gone and the shift to technologies that support architectures such as Zero Trust and SASE have become compelling. DNS security provides a powerful control point that works equally well for any mix of distributed resources and users. BloxOne™ Threat Defense from Infoblox uses DNS as a security control point to provide foundational protection wherever the users and data reside, in data centers, HQ, branch, in the cloud and IoT.
BloxOne Threat Defense brings critical support for security orchestration, automation and response (SOAR) solutions, reduces the time for your security operations teams to investigate and remediate cyberthreats, and helps optimize the performance of the entire security ecosystem. This, in turn, can also reduce the total cost of enterprise threat defense and help achieve CMMC certification levels. BloxOne Threat Defense enables you to turn the core network services you rely on to run your enterprise into valuable security assets. These services, which include DNS, DHCP and IP address management (DDI), play a central role in all IP-based communications. With Infoblox, they become the foundational common denominator that enables your entire security stack to work better together to detect and anticipate threats sooner and stop them faster.
Read Our Solution Note
Request our new Solution Note on CMMC from your Infoblox Sales Team. This Solution Note provides detailed information on how Infoblox products and capabilities address specific CMMC controls. This Solution Note will be posted live to our website very shortly and will update this blog to include a direct link to the document when it is available.
If you want to know more about our products and services please reach out to us directly via https://info.infoblox.com/contact-form.