If there's one thing the pandemic hasn't slowed down, it's the Defense Department's new cybersecurity regulation. In fact, just last week, the model passed one of the major milestones on its way to becoming a requirement.
In this post, we'll look at what the Cybersecurity Maturity Model Certification (CMMC) is, what it covers, and how solving asset management is a critical component of CMMC maturity progression.
What is the CMMC?
Many companies and defense contractors have recently begun certification efforts for the CMMC standard. This framework consists of five certification levels that assess the maturity of a company’s cybersecurity program.
The five levels are tiered. Level one consists of basic cyber hygiene practices, while level five consists of processes and capabilities to detect and respond to advanced persistent threats (APTs).
These five levels are assessed across 43 capabilities that span 17 security domains, including access control, asset management, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, and more.
FedScoop writes, "300,000 companies in the defense industrial base will be required to get a certification for each of their networks, with exceptions for some suppliers of commercial-off-the-shelf goods. All contracts must meet CMMC requirements by 2025, DOD officials have said."
Why Does the CMMC Exist?
The Department of Defense does business with hundreds of thousands of companies. This means that sharing data and network access with these companies can introduce third-party cyber risk at a scale that’s difficult to manage.
In past years, companies and contractors doing business with the DoD were responsible for certifying their own security programs.
Now that the CMMC’s in place, companies and contractors will undergo third-party assessments to evaluate their maturity according to its framework. While this process has only begun, companies and contractors can prepare by mapping their capabilities to the domains outlined in the CMMC framework.
Eventually, all DoD contractors — small and large — will have to obtain CMMC certification.
How Axonius Strengthens CMMC Compliance
The Axonius Cybersecurity Asset Management platform gives organizations a comprehensive asset inventory. But the platform doesn’t just identify assets — it enables better security risk management that delivers a high level of maturity across many of the CMMC security domains.
Here’s a brief summary of how Axonius can help strengthen CMMC compliance:
Access control: Axonius helps security teams establish and control internal and remote system access by correlating user privileges associated with hardware assets. Security teams can report on abuse and misuse of administrative credentials. They can also report on surface tools that should only be on administrator machines.
Asset management: Axonius provides an always up-to-date, comprehensive view of all hardware assets connected to an organization's network. The platform automatically identifies unmanaged and IoT devices — as well as ephemeral devices, like cloud containers and virtual machines. Extensive traits and characteristics are fetched and indexed for each hardware device, including OS, installed software, vulnerable software, installed security patches, agent versions, and more.
Configuration management: Axonius ensures that security controls are working properly and that all assets, new and old, are covered by security solutions in dynamic IT environments.
Incident response: Security analysts use Axonius to correlate alerts with rich context around devices and users for incident response. Based on set conditions, Axonius can automatically create tickets, notify teams, isolate devices from the network, or deploy files and commands remotely.
Identification and authentication: Axonius continuously identifies users not enrolled in identity and access management and multifactor authentication platforms, as well as users with bad password practices.
Risk management: Axonius identifies and manages risk by finding devices missing security controls, users exhibiting poor security practices, and cloud assets that are misconfigured and not meeting best practices. Assets that present risk are identified on a continuous basis and can be mitigated programmatically by taking actions like deploying files and commands, isolating devices from the network, and disabling users when applicable.
Security assessment: Axonius makes it easy to track how a security plan is actually implemented. Dashboards are customizable and updated continuously to provide metrics such as:
- Devices missing security controls
- Devices missing vulnerability scans
- Devices with high or critical CVEs