The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) model is expected to go into effect in the fall of 2020 – and, potentially giving the program more weight, the CMMC and FedRAMP program offices are discussing reciprocity.
What does this mean? With more than 300,000 estimated suppliers to the DoD, the Department is only as strong as its weakest link. Many contractors lack the needed basic cyber hygiene processes, and do not have the necessary visibility into their full network. Achieving a consistent level of cyber hygiene – a set of practices for managing the most common and pervasive cybersecurity risks – is critical.
The CMMC model will measure cybersecurity against five levels. The program aims to drive assurance throughout the supply chain – and standardize security across the DoD community.
Each level includes a set of processes and practices, ranging from “performed” at Level 1 to “optimized” at Level 5. Contractors will be required to demonstrate not only the institutionalization of the processes, but also the implementation of all practices required for a specified level and all preceding levels, on an ongoing basis.
A trained, accredited third-party organization called a Controlled Third Party Assessment Organization (C3PAO) will audit each contractor, validating compliance against a series of cybersecurity requirements and best practices, and assigning a cybersecurity maturity level for the contractor.
Despite the model’s name, this is not a check-the-box compliance exercise. The process provides a way to improve the alignment of cybersecurity practices with the type and sensitivity of information, and associated threats.
Roadblocks to basic cyber hygiene
Often, contractors address individual cybersecurity vulnerabilities by implementing a complex patchwork of point products that don’t integrate, are difficult to manage and keep patched, and can’t give the IT leadership team a full view of the threats. As contractors continue to implement various point products to resolve individual problems, they increase complexity, cost, and risk – and can’t achieve the visibility, control, and accountability needed to manage risk and meet CMMC requirements.
Contractors need the capability to track and report network security status in near-real time, in line with CMMC requirements. It is not enough to identify risks and vulnerabilities; contractors must also prioritize them across the environment, and take action to respond and remediate in real time.
How Tanium helps
Tanium gives customers real-time data about their IT systems, allowing them to identify and prioritize risks across their environment. Customers can then, in the same console, pivot and take action to respond to and remediate these risks in real time. The Tanium Platform queries the environment – millions of endpoints at one time – and creates an instant dashboard of the enterprise security posture. This delivers accurate data in real time, so you can fix issues, make changes quickly and reduce risk. Tanium also enables continuous monitoring for compliance against the established benchmarks, empowering security decision makers to reduce risk even further.
Tanium’s Unified Endpoint Management (UEM) and Unified Endpoint Security (UES) solutions help reduce complexity, improve efficiency and close the gaps between operations and security teams, with a single platform to understand their environment and prepare them for future CMMC audits, as well as new threats and attacks.
Tanium is not a C3PAO assessor – but we provide customers with high-fidelity insight into the cyber hygiene required for CMMC compliance. A few examples of assessment areas where we help include:
Asset discovery and reporting
Tanium provides robust asset discovery and reporting. With the rise of the Internet of Things (IoT) and Bring Your Own Device (BYOD), there is an increased risk of unknown devices on the network. When we run our discovery and asset tools in an organization’s environment, we often identify an additional 12 to 20 percent of unknown devices.
Comprehensive threat monitoring
Tanium’s unified endpoint management and security solutions provide comprehensive threat monitoring with detailed incident analysis through a single platform, to help identify, isolate, and mitigate threats – and validate when they have been remediated.
Visibility, control and compliance: Preparing for CMMC
While the auditing timeline is still in flux, C3PAO auditors will likely begin evaluations later this year. Tanium can help organizations address cyber hygiene proactively and stand up a CMMC-compliant IT infrastructure.
While evaluating your organization’s CMMC audit preparedness, start by considering the following questions:
- How many computers do you have on your network? And are they authorized to be there?
- What applications are installed? And are they all up to date?
- What are users doing? And is it authorized?
- How comfortable are you with your patch/vulnerability/risk posture?
- Have you recently been breached or had an outage that could have been prevented?
To learn more about how Tanium is working with the DoD and the DoD contractor community, please visit the Community Post.