
CMMC Compliance


The US Department of Defense (DoD) published the Cyber Maturity Model Certification (CMMC) framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Every prime contractor and subcontractor in the supply chain needs to be audited and certified against the CMMC model. This requires special adjustments by the companies involved in this supply chain.

The CMMC model measures cybersecurity at five levels, which represent a progressive range of cyber hygiene practices. Each level's requirements build on those of the lower levels, so level 5 must implement the requirements of levels 1-4 in addition to its own unique requirements.

[Figure: CMMC levels, processes and practices]

Starting from Level 2, the CMMC model requires active configuration management and hardening actions. The following table summarizes CMMC hardening requirements:

| Practice Number | Practice Description | Level Required |
|---|---|---|
| CM.2.061 | Establish and maintain baseline configuration and inventories of organizational systems throughout the respective system development life cycle. | Level 2-5 |
| CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Level 2-5 |
| CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Level 2-5 |
| CM.2.066 | Analyze the security impact of changes prior to implementation. | Level 2-5 |
| CM.3.068 | Restrict, disable, or prevent the use of non-essential programs, functions, ports, protocols, and services. | Level 3-5 |


These required practices sum up the entire hardening process. In addition, organizations at Level 3 and up must implement NIST 800-171 requirements, which also require establishing and maintaining security configuration settings for IT systems. The ideal scenario is to have your infrastructure comply with gold-standard benchmarks, such as the CIS Benchmarks. But this task poses great challenges for most organizations.

Implementing such a robust policy in your infrastructure requires a long process of testing the impact each policy rule will have on your network. Each environment, machine role, and version should have its own policy, adjusted to its unique security and functionality needs.

In addition, keeping your infrastructure hardened can be a huge task, since it constantly changes as new machines and applications are installed. It is not uncommon to see organizations, 6 months after an exhausting hardening project, with a bad compliance posture because they didn't develop the right procedures to address the dynamic nature of their infrastructure.

Today, we know that the best solution for all these challenges is to automate the entire hardening process, from the testing stage to maintenance.

The Solutions

CHS is an automated hardening solution designed to address the needs of IT Operations and Security teams. It significantly reduces operational costs and eliminates the risk of production downtime by indicating the impact of a security baseline change directly on the production environment. CHS removes the need to test changes in a lab environment before pushing them to production.

CHS will help you achieve CMMC compliance by automatically implementing your desired policies, built to address CMMC requirements and comply with all the practices mentioned above.


  • Deploy the required security policy without affecting the production environment
  • Reduce the costs and resources required for implementing secure configurations and achieving compliance
  • Manage the entire infrastructure hardening process from a single point of control
  • Avoid configuration drift and repeated hardening processes