With the application process to become a Certified Third-Party Assessment Organization (C3PAO) now open, and the first RFIs that include a CMMC requirement expected to be published any day now, there is currently a great deal of interest in how to assess and demonstrate compliance with the Cybersecurity Maturity Model Certification (CMMC) framework… CMMC is therefore high on the agenda of the defence industrial base, and with other sectors also tracking its rollout and implementation, the team here at Titania has been closely monitoring developments related to CMMC for some months now. We’ve now completed the mapping of our Nipper auditing capability to the new framework, which will deliver time-saving advantages to C3PAOs, pre-assessment service providers and internal assessors alike.
Many internal auditors and external assessors already use Nipper to check that firewalls, switches and routers comply with risk management frameworks, including PCI DSS, DISA RMF and NIST 800-171. For example, using Nipper to automate STIG checks to demonstrate compliance with DISA RMF saves network administrators an average of 3 hours per audit, per device. This is largely due to the accuracy of Nipper’s automation, which significantly reduces the number of false positives reported and so saves assessors valuable time and resources.
Nipper is now also getting positive feedback for its automation capability from the assessors we’re working with who intend to become accredited CMMC auditors or use it to provide pre-assessment services. But why?
Of the entire CMMC framework, 36 of its Security Practices relate to network devices and can be at least partly automated; this equates to around 20% of the total CMMC framework.
Using a combination of report types, Nipper can automate the assessment of 33 of these CMMC Security Practice checks, most of which are Level 3 or above, and can provide artifacts that evidence compliance within these eight domains:
• Access Controls (AC)
• Asset Management (AM)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Identification & Authentication (IA)
• Risk Management (RM)
• Security Assessment (CA)
• System & Communications Protection (SC)
Additionally, because Nipper provides remediation advice and exact technical fixes when it identifies non-compliance with a CMMC security check, the software will be of further benefit to network administrators who are seeking assurance that their network adheres to the maturity level required to adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Whilst many of Nipper’s default settings are already suited to assessing CMMC, an assessor or auditor will need to make some adjustments. So, to make things even easier in future and to further reduce the time it takes to audit compliance, Titania’s development team has added a dedicated ‘CMMC plug-in’ to the Nipper development roadmap, expected in Autumn 2020.
If you need to start accurately auditing network devices for CMMC compliance now – and want to save valuable time in the process – join me on our upcoming webinar, where we’ll be demonstrating how to configure and use Nipper to automate assessment of CMMC’s Security Practices.
Webinar: Save time & resources auditing CMMC security practices with Nipper
Presented by Matt Malarkey, General Manager – North America
Software demonstration by Edwin Bentley, Technical Sales Engineer
14:00 EDT on Tuesday 30th June, 2020