Achieve CMMC Maturity with Verve

What is CMMC Maturity?

The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense’s acquisition standard for ensuring that the defense industrial base supply chain, and the controlled unclassified information it handles, is protected from cyber attack. Launched in early 2020, the certification builds on NIST SP 800-171, which was previously the DOD’s primary cyber security standard for contractors.

CMMC differs from the prior model in three key ways:

  1. It establishes a maturity model that lets suppliers raise their rating over time as they implement more controls.
  2. It requires a third-party audit and certification, rather than the self-assessment and self-attestation approach used under the prior NIST SP 800-171 (DFARS) requirement.
  3. It defines a more comprehensive and integrated set of controls that aligns not only with NIST SP 800-171 but more broadly with NIST SP 800-53.

CMMC applies to Controlled Unclassified Information (CUI), which the government defines as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry, maintained by the National Archives, lists the categories of information that fall under this definition: https://www.archives.gov/cui.

Importantly, these security standards apply to both IT and OT systems, since CUI can reside on either side. In addition, attackers may pivot from IT into OT and vice versa, so a credible maturity program has to cover both.

The GSA has also signaled that it may adopt CMMC. As GSA stated in its recent STARS III contract: “STARS III contractors should begin preparing for CMMC… (GSA) reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner’s CMMC level and ISO certifications.”

Time is of the essence. DOD plans to issue 15 “pathfinder” contracts during FY2021 and to roll CMMC out across the rest of its contracts by 2022. The accreditation process, in which an assessor verifies that the required controls are in place before a certificate is issued, may take up to six months. Members of the defense industrial base should begin preparing now.

The Maturity Model

The CMMC defines five levels of maturity, summarized in the chart below.

[Chart: CMMC maturity levels 1 through 5, not reproduced in this text.]

As shown above, the levels begin with “basic cyber hygiene” at Level 1 and proceed to Level 5, “advanced/progressive.” In CMMC v1.0, Level 5 comprises 171 practices in total: the 110 requirements of NIST SP 800-171 plus 61 practices that go beyond it.

The purpose of the tiered approach is that a small manufacturer may not have the resources to reach Level 5 immediately, or ever. Different contracts will require different certification levels, and the level required for a given type of work is expected to rise over time as the defense industrial base matures.

Verve partnership with DOD’s cyber security hub

In 2018 Verve partnered with MxD, the DOD’s cyber security hub for manufacturing. DOD designated MxD, a public-private national lab based in Chicago, as the national center for cybersecurity in manufacturing. Together, Verve and MxD are defining the capabilities, education, and tools needed to improve the ICS cyber security of the Defense Industrial Base.

IT-OT testbed deployment from office to plant floor:

As part of this joint effort, Verve deployed the Verve Security Center across MxD’s office and plant networks as a testbed and demonstration platform. MxD has the largest manufacturing testbed of any of the national labs, with both modern digital manufacturing equipment and traditional manufacturing equipment on the plant floor.

MxD wanted to understand first-hand what becoming CMMC compliant would take, so it used the Verve platform to gain the necessary visibility into its assets and to drive remediation.

Verve client support:

Through this partnership, Verve clients can draw on the depth of knowledge and resources at MxD to see solutions in action and gain insight into the most effective approaches to achieving CMMC compliance.

Verve Security Center capabilities, grouped by the five NIST Cybersecurity Framework functions:

Identify
  • 100% hardware and software asset inventory
  • Configuration baselines
  • Network connectivity and rules
  • Vulnerability assessment

Protect
  • End-to-end patch management
  • Secure configuration
  • Anti-malware/whitelisting
  • Network segmentation
  • Identity management

Detect
  • Host intrusion detection and log management
  • Configuration change management
  • Network traffic anomalies
  • Performance anomaly detection
  • OT/ICS alarm management

Respond
  • Incident response across all endpoint and network information
  • Software management
  • Configuration management

Recover
  • Backup and restore of all systems
  • Recovery procedures and processes

Enhance Your ICS Security Program Webinar

Verve Industrial aggregated findings from ten years of vulnerability assessments across industries including power, pharmaceuticals, CPG manufacturing, water utilities, and oil & gas. Several common themes emerged, but the clearest takeaway was the growing need for integrated risk management in ICS security.

In this on-demand webinar, we’ll share:

  • Key findings and commonalities from three years of ICS risk assessments
  • Insight into new vulnerabilities and today’s threat landscape (such as Ripple20, ransomware, and VPN exposure)
  • Practical ways to manage and prioritize risks in your OT environment
  • Recommendations for allocating cyber security budget for long-term benefits

Our Customer Success

“We did a complete competitive analysis and chose Verve. It has allowed us to double our maturity in 18 months.”

Cyber Compliance & Security Specialist, Power Company

Achieve CMMC Maturity

Speak with one of our manufacturing cyber security specialists to get ahead of CMMC maturity accreditation.

Book a Call