CMMC Version 1.02
In addition to the significant economic cost of malicious cyber activity (estimated in excess of $57b per annum), the aggregate loss of controlled unclassified information (CUI) from the Defense Industrial Base (DIB) is a recognised risk to US national security. In response, in January 2020 the Department of Defense (DoD) introduced a new certification process, the Cybersecurity Maturity Model Certification (CMMC), to verify that the approximately 300,000 defense contractors in its supply chain have adequate cybersecurity controls in place to protect the DoD’s information.
All contractors and subcontractors that handle federal contract information (FCI) or CUI will be subject to CMMC. The DoD states the required CMMC Maturity Level in the request for information (RFI) and request for proposals (RFP), and awardees must hold the required Level by the time of award. Subcontractors will not necessarily need to meet the same CMMC Level as the prime contractor: the DoD will specify which parts of a contract require which CMMC Level.
Accurately Assess CMMC Compliance with Nipper
Audits: Firewalls | Switches | Routers
Saving significant time and resources for internal assessors, RPOs and cybersecurity service providers, Nipper is easy to configure for CMMC assessments and integrates with SIEM and GRC tools for a network-wide view of compliance.
The CMMC v1.02 Model contains 5 cumulative Levels; each Level adds practices to those of the Level below, for 171 practices in total:
• Level 1 | Basic Cyber Hygiene (17 practices)
• Level 2 | Intermediate Cyber Hygiene (55 additional practices, 72 cumulative)
• Level 3 | Good Cyber Hygiene (58 additional practices, 130 cumulative)
• Level 4 | Proactive (26 additional practices, 156 cumulative)
• Level 5 | Advanced / Progressive (15 additional practices, 171 cumulative)
The CMMC model consists of 17 Domains, each of which groups a set of capabilities, practices and processes across the different Levels. It draws heavily on existing safeguarding and security requirements, most notably NIST SP 800-171, whose 110 security requirements account for 110 of CMMC’s 171 practices; all 110 are required at Level 3.
Automate CMMC assessments across 9 Domains
The non-profit Accreditation Body (AB) is responsible for managing, operating and sustaining the CMMC program, including training, evaluating and accrediting Certified Third Party Assessment Organizations (C3PAOs). These C3PAOs will perform independent assessments of contractors’ CMMC implementation and provide reports to the AB, which then issues CMMC certifications that last for 3 years.
Defense contractors’ internal audit teams and others providing CMMC assessment services, including Registered Provider Organizations (RPOs), can use Titania Nipper’s configuration auditing to assess compliance with 42 CMMC security practices, producing artifacts that evidence compliance within 9 Domains:
• Access Control (AC)
• Asset Management (AM)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Identification & Authentication (IA)
• Risk Management (RM)
• Security Assessment (CA)
• System & Communications Protection (SC)
• System & Information Integrity (SI)
Why automate CMMC assessments with Titania Nipper?
Titania Nipper is in service with all four arms of the DoD, where it is used to automate configuration audits of core network devices against DISA STIGs and CIS Benchmarks, providing evidence of compliance with risk management frameworks and control catalogs such as DISA RMF, NIST CSF, NIST SP 800-53 and NIST SP 800-171. Nipper takes minutes to set up and generate reports, and its accuracy is estimated to save the DoD up to 3 hours per device that would otherwise be spent investigating false positives reported by other compliance tools.
Because the CMMC v1.02 practice checks build on those same frameworks and controls, CMMC auditors and assessors can expect to save significant time and resources by automating their compliance checks with Nipper. The software also surfaces misconfigurations that other tools miss (false negatives) and includes recommendations and device-specific command-line fixes for every issue found, helping internal teams reduce their mean time to remediate.
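As an added illustration of what an automated, section-aware device configuration audit looks like (example code written for this page, not Nipper’s own code or output): the script below parses a constructed Cisco IOS-style running-config, evaluates five hardening rules, tags each with the CMMC Domain it most naturally evidences (an assumed mapping chosen for the example, not an official practice-to-check mapping), and prints a remediation command for each failure. It also shows why parsing context matters: a naive whole-file substring check for `transport input ssh` passes this device because the string appears under the console line, while the VTY lines still accept telnet.

```python
"""Section-aware audit of a Cisco IOS-style configuration against a
handful of device-hardening rules, each tagged with the CMMC Domain it
most naturally evidences. Illustrative code written for this page; it is
not Nipper's engine, and the Domain tags are the editor's own mapping
(an assumption), not an official practice-to-check mapping."""

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr1
service password-encryption
enable password 7 0822455D0A16
aaa new-model
ip ssh version 2
ip http server
logging host 10.0.5.20
line con 0
 transport input ssh
line vty 0 4
 transport input telnet ssh
 login local
"""


def parse_ios(text):
    """Split an IOS config into top-level commands and their indented
    children, keyed by the parent line (e.g. 'line vty 0 4')."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blanks and '!' separator lines
        if raw.startswith(" "):           # indented: child of the current section
            if current is not None:
                sections[current].append(raw.strip())
        else:                             # top-level command, may open a section
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections


def check_enable_secret(g, s):
    # 'enable password', even type-7 encoded, is reversible; require 'enable secret'.
    return any(l.startswith("enable secret") for l in g), "enable secret <passphrase>"


def check_no_http(g, s):
    return "ip http server" not in g, "no ip http server"


def check_ssh_v2(g, s):
    return "ip ssh version 2" in g, "ip ssh version 2"


def check_logging(g, s):
    return any(l.startswith("logging host") for l in g), "logging host <syslog-ip>"


def check_vty_ssh_only(g, s):
    """Every 'line vty' section must restrict transport input to SSH alone.
    The check looks only inside the vty sections, so a 'transport input ssh'
    under 'line con 0' cannot satisfy it."""
    vtys = [children for header, children in s.items() if header.startswith("line vty")]
    fix = "line vty 0 4 ; transport input ssh"
    return bool(vtys) and all("transport input ssh" in c for c in vtys), fix


def naive_vty_check(text):
    """Context-free substring match over the whole config. It passes the sample
    above because the string occurs under 'line con 0', even though the vty
    lines still accept telnet: a false negative."""
    return "transport input ssh" in text


# (Domain, description, check) -- Domain tags are the editor's assumption.
RULES = [
    ("IA", "Privileged-mode secret stored as a one-way hash", check_enable_secret),
    ("CM", "Unneeded HTTP management server disabled", check_no_http),
    ("SC", "SSH protocol version 2 enforced", check_ssh_v2),
    ("AU", "Remote syslog destination configured", check_logging),
    ("AC", "VTY lines accept SSH only", check_vty_ssh_only),
]


def audit(text):
    """Return one (domain, description, passed, fix) tuple per rule."""
    g, s = parse_ios(text)
    findings = []
    for domain, desc, check in RULES:
        passed, fix = check(g, s)
        findings.append((domain, desc, passed, fix))
    return findings


def failed(text):
    """Only the failing findings, in rule order."""
    return [f for f in audit(text) if not f[2]]


if __name__ == "__main__":
    for domain, desc, passed, fix in audit(SAMPLE_CONFIG):
        line = f"[{'PASS' if passed else 'FAIL'}] {domain}: {desc}"
        print(line if passed else f"{line}  ->  fix: {fix}")
    print("naive whole-file check says vty is SSH-only:", naive_vty_check(SAMPLE_CONFIG))
```

Run with python3: the sample fails three rules (IA, CM, AC) while the naive check reports a pass, which is exactly the kind of false negative a section-aware parser avoids. A real audit needs a far larger rule set, vendor-specific parsers, and the official practice mapping; this parser also treats any deeper nesting as flat children of the nearest top-level line.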