- 100% hardware and software asset inventory
- Configuration baselines
- Network connectivity and rules
- Vulnerability assessment
Achieve CMMC Maturity with Verve
What is CMMC Maturity?
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense’s acquisition standard for ensuring that the defense industrial base supply chain and “controlled unclassified information” are secure from potential cyber attack. Launched in early 2020, the certification builds on NIST 800-171, which had previously been the DOD’s primary cyber standard.
CMMC differs from the prior model in 3 key ways:
- It establishes a maturity model that enables suppliers to raise their rating over time as they implement more controls
- It requires a robust third-party audit and certification process, rather than the self-assessment and assertion-based approach used in the prior 800-171 (DFARS) standard
- It specifies a more comprehensive and integrated group of controls that not only aligns with 800-171 but also maps more broadly to NIST 800-53
CMMC applies to Controlled Unclassified Information (CUI). DOD defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” DOD has created a taxonomy of the information that is included at https://www.archives.gov/cui.
Importantly, these security standards apply to both IT and OT systems, since CUI can be present on both sides. In addition, attackers may leverage IT to access OT and vice versa. Therefore, maturity will have to cover both IT and OT.
There is also discussion by the GSA that it too will adopt CMMC. As GSA stated in its recent STARS III contract: “STARS III contractors should begin preparing for CMMC… (GSA) reserves the right to survey 8(a) STARS III awardees from time-to-time in order to identify and to publicly list each industry partner’s CMMC level and ISO certifications.”
Time is of the essence. DOD plans to issue 15 “pathfinder” contracts during FY2021 and fully implement the rest by 2022. The accreditation process, in which assessors verify that controls are in place before issuing certificates, may take up to six months. The time for the defense industrial base to begin preparing is now.
The Maturity Model
The CMMC defined 5 levels of maturity as outlined in the chart below.
As shown above, the levels begin with “basic cyber hygiene” and proceed through an advanced Level 5, called “advanced/progressive,” that includes 40 controls and practices beyond what NIST 800-171 called for. In total, Level 5 of CMMC includes 173 sub-controls.
The purpose of the levels approach is that a small manufacturer may not have the resources to achieve Level 5 immediately, or ever. Different contracts will require different levels of maturity certification. In addition, the level requirements will increase over time as the defense industrial base becomes more mature in its cyber security efforts.
Achieving CMMC Security Maturity with Verve
Verve partnership with DOD’s cyber security hub
In 2018 Verve partnered with MxD, the DOD’s cybersecurity hub for manufacturing. DOD designated MxD, a public-private national lab based in Chicago, as the center for cybersecurity in manufacturing. Verve has partnered with MxD to define the capabilities, education, tools, etc. necessary to improve the ICS cyber security of the Defense Industrial Base.
IT-OT testbed deployment from office to plant floor:
As part of our joint effort, Verve deployed the Verve Security Center across MxD’s office and plant networks to act as a testbed and demonstration platform. MxD has the largest manufacturing testbed of all the national labs. It has both the most modern digital manufacturing and traditional manufacturing equipment on the plant floor.
MxD wanted to understand first-hand how to become CMMC compliant, so they leveraged the Verve platform to provide the visibility and remediation necessary.
Verve client support:
Through our partnership, our clients can take advantage of the depth of knowledge and resources at MxD to see solutions in action and to gain insight into the most effective approaches to achieving CMMC compliance, including:
- End-to-end patch management
- Secure configuration
- Network segmentation
- Identity management
- Host intrusion detection and log management
- Configuration change management
- Network traffic anomalies
- Performance anomaly detection
- OT/ICS Alarm management
- Incident response across all endpoint and network info
- Software management
- Configuration management
- Backup and restore all systems
- Recovery procedures and processes
Enhance Your ICS Security Program Webinar
Verve Industrial aggregated information from ten years of vulnerability assessments across industries including power, pharmaceuticals, CPG manufacturing, water utilities, and oil & gas. Several common themes emerged from the findings, but the most apparent takeaway was the growing need for integrated risk management in ICS security.
In this on-demand webinar, we’ll share:
- Key findings and commonalities from three years of ICS risk assessments
- Insight into new vulnerabilities and today’s threat landscape (such as Ripple20, ransomware, VPN)
- Practical ways to manage and prioritize risks in your OT environment
- Recommendations for allocating cyber security budget for long-term benefits
Our Customer Success
“We did a complete competitive analysis and chose Verve. It has allowed us to double our maturity in 18 months.”
Cyber Compliance & Security Specialist, Power Company
Cyber Security Maturity Resources
Although CMMC is new, Verve has deep experience in the core sub-controls involved in CMMC. Check out our resources on cyber security standards compliance.