The US Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Every prime contractor and subcontractor in a supply chain needs to be audited and certified against the CMMC model, which requires specific adjustments by the companies involved in that supply chain.
The CMMC model measures cybersecurity maturity with five levels. The levels represent a progressive range of cyber hygiene practices. Each level's requirements build on the lower levels, so Level 5 must implement the requirements of Levels 1-4 in addition to its own unique requirements.
Starting from Level 2, the CMMC model requires active configuration management and hardening actions. The following table summarizes CMMC hardening requirements:
| Practice Number | Practice Description | Level Required |
|---|---|---|
| CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycle. | Level 2-5 |
| CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Level 2-5 |
| CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Level 2-5 |
| CM.2.066 | Analyze the security impact of changes prior to implementation. | Level 2-5 |
| CM.3.068 | Restrict, disable, or prevent the use of non-essential programs, functions, ports, protocols, and services. | Level 3-5 |
These required practices sum up the entire hardening process. In addition, organizations at Level 3 and up must implement the NIST 800-171 requirements, which also require establishing and maintaining security configuration settings for IT systems. The ideal scenario is to have your infrastructure comply with gold-standard benchmarks, such as the CIS Benchmarks. But this task poses great challenges for most organizations.
Implementing such a robust policy in your infrastructure requires a long process of testing the impact of each policy rule on your network. Each environment, machine role, and version should have its own policy, adjusted to its unique security and functionality needs.
In addition, keeping your infrastructure hardened can be a huge task, since it constantly changes as new machines and applications are installed. It is not uncommon to see organizations, 6 months after an exhausting hardening project, with a bad compliance posture because they did not develop the right procedures to address the dynamic nature of their infrastructure.
Today, we know that the best solution to all these challenges is to automate the entire hardening process, from the testing stage through maintenance.
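To make the maintenance problem concrete, here is an added example (not CHS code, and not part of the original article) of the kind of check an automated process runs on every host: a recorded baseline (CM.2.061) of security settings (CM.2.064) and allowed services and ports (CM.2.062, CM.3.068) is compared against the host's current state, and any drift is reported. The baseline values, setting names, and the host snapshot are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed baseline for a hypothetical server role; setting names and
# values are illustrative, not taken from a real benchmark.
BASELINE = {
    "settings": {
        "LmCompatibilityLevel": 5,      # CM.2.064: enforced security setting
        "SMBv1Enabled": False,
        "PasswordMinLength": 14,
    },
    "allowed_services": {"W32Time", "EventLog", "WinRM"},   # CM.2.062 / CM.3.068
    "allowed_listening_ports": {5985, 3389},
}


@dataclass
class DriftReport:
    setting_drift: dict = field(default_factory=dict)   # key -> (expected, actual)
    unexpected_services: set = field(default_factory=set)
    unexpected_ports: set = field(default_factory=set)

    @property
    def compliant(self) -> bool:
        return not (self.setting_drift or self.unexpected_services or self.unexpected_ports)


def check_drift(baseline: dict, current: dict) -> DriftReport:
    """Compare a host snapshot against the recorded baseline (CM.2.061)."""
    report = DriftReport()
    for key, expected in baseline["settings"].items():
        actual = current["settings"].get(key)   # a missing setting is drift, not a pass
        if actual != expected:
            report.setting_drift[key] = (expected, actual)
    # Anything running or listening that the baseline does not allow violates
    # least functionality; the baseline is the allow-list, not a deny-list.
    report.unexpected_services = set(current["services"]) - baseline["allowed_services"]
    report.unexpected_ports = set(current["listening_ports"]) - baseline["allowed_listening_ports"]
    return report


# Constructed snapshot of a host some months after the hardening project:
# SMBv1 was re-enabled, the password policy was lost, and Telnet appeared.
CURRENT_STATE = {
    "settings": {"LmCompatibilityLevel": 5, "SMBv1Enabled": True},
    "services": {"W32Time", "EventLog", "WinRM", "Telnet"},
    "listening_ports": {5985, 3389, 23},
}

if __name__ == "__main__":
    r = check_drift(BASELINE, CURRENT_STATE)
    print("compliant" if r.compliant else f"drift: {r}")
```

In practice the `CURRENT_STATE` dictionary would be filled from an inventory agent or configuration-management tool, and the report would feed the change-impact review (CM.2.066) before the drift is corrected.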
CHS is an automated hardening solution designed to address the needs of IT Operations and Security teams. It significantly reduces operational costs and eliminates the risk of production downtime by indicating the impact of a security baseline change directly on the production environment. CHS removes the need to test changes in a lab environment before pushing them to production.
CHS will help you achieve CMMC compliance by automatically implementing your desired policies, built to address CMMC requirements and comply with all the practices mentioned above.