Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CMMC - Compliance Policy Overview

by Cody Dumont
June 23, 2020

CMMC - Compliance Policy Overview Screenshot

The Cybersecurity Maturity Model Certification (CMMC) was developed to create a framework to assess an organization's implementation of cybersecurity practices evenly across the defense industrial base. Using NIST 800-53 and NIST 800-171 as the baseline, the primary objective of CMMC is to consolidate the two security catalogs into a single measurable framework. Over the next 5 years, starting in June 2020, organizations that create Government Off-The-Shelf (GOTS) products, handle Federal Contract Information (FCI), or Controlled Unclassified Information (CUI) will need to show compliance at 1 of the 5 levels.  Only Certified 3rd Party Assessment Organizations (C3PAO) will be able to certify an organization as compliant or not. Tenable.sc provides on-prem solutions for assessing regulations such as NIST, CSF, and others.  

This dashboard provides C-Level executives with a high-level understanding of their current risk and level of compliance. Compliance with CMMC requires operational changes to include cybersecurity practices. Tenable.sc provides organizations a view into Cyber Exposure practices through the Cyber Exposure Life Cycle. Each step in the life cycle builds upon the previous providing the knowledge of the current risk status. Focusing on device hardening and Vulnerability Management (VM), this dashboard provides the CISO with an understanding of the current risk levels.  

By combining the VM metrics and device hardening metrics into the same view, the CISO and Risk Managers are able to effectively communicate and track the current state of vulnerabilities and compliance over time. The data displayed on the left side of the dashboard provides the current state of discovered risks (both in VM and configuration hardening). The trend data on the right provides executives with a method to track changes over time, determine if scanning strategies are efficient, and also monitor for vulnerabilities that were previously mitigated. 

During the vulnerability scanning process Nessus is able to scan for missing patches, vulnerable services, and misconfigurations.  Risk Managers are able to use the Vulnerability Priority Rating (VPR) to direct risk mitigation efforts and at the same time, review hardening efforts against NIST 800-53, NIST 800-171, and the Cyber Security Framework (CSF).  As the CISO leads the organization through the maturity levels of CMMC, Tenable.sc provides the data metrics needed to verify the implementation of cybersecurity practices.  

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment.

The dashboard requirements are:

  • Tenable.sc 5.12.0
  • Nessus 8.9.0
  • Compliance Data

Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously Assess the implementation of cybersecurity practices and institutionalization of cybersecurity processes. Regardless of the Maturity model the organization is measuring against, Tenable.sc provides the essential information to report accurate and reliable metrics.

Components

CMMC - Compliance Summary: This component displays a summary of several audit standards (NIST 800-53, NIST 800-171, CSF), providing a host count, and ratio bars for each severity level. CMMC focuses on NIST 800-53 and NIST 800-171, at the same time Cyber Security Framework (CSF) is cross mapped with several other standards to provide a more holistic account of security compliance tracking. The three columns with ratio bars provide a ratio of total audit checks to a specified status of the check. Checks that have passed are green, failed checks are red, and checks which require manual verification are in orange.

VPR Summary - CVSS to VPR Heat Map: This component provides a correlation between CVSSv3 scores and VPR scoring for the vulnerabilities present in the organization. The CVSSv3 scores are the traditional method of analyzing risk, while VPR is a new method based on data science analysis and threat modeling. Each cell is comprised of a combination of cross-mapping of CVSS & VPR scoring.  Using a heat map approach, the filters begin in the left upper corner with vulnerabilities with the least risk. Moving to the right and lower down the matrix the colors change darker from yellow to red as the risk levels increase. Customers should mitigate risks in the lower right corners, and then work towards the upper left cells.

Executive Vulnerability Metrics - Vulnerability Mitigation: This component contains a matrix displaying mitigated vulnerability ages. The columns identify new hosts (within the past 24 hours), and vulnerabilities from low to critical severities. The rows are labeled by the number of days the vulnerabilities have existed within the environment from the first discovery date, sorted by less than 7, 30, 90 days, and greater than 90 days.

Executive Vulnerability Metrics - Vulnerability Trend: This component presents a trend chart of both current and previously mitigated vulnerabilities over the last seven days. Information presented within this component can provide organizations with a comprehensive view into how often systems are being scanned, patched, and rescanned. Current vulnerabilities are identified and set to the “Never Mitigated” filter. When a vulnerability moves from the mitigated section to the active section, the mitigation status is set to "Previously Mitigated.” Previously Mitigated or recurring vulnerabilities can be the result of systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, and services that were disabled or failed to restart. Organizations can use this component to focus efforts on remediating both current and previously mitigated vulnerabilities.

CMMC Compliance Summary - 25 Day Trend: This component provides a 25-day trend analysis for compliance standards that are required as part of CMMC compliance checks.  The data points are calculated using the 'Days Since Observation' set to 'within the last day'. Thus, each data point only calculates the new compliance checks observed daily. The resulting graph more accurately depicts the change in compliance over the period of 25 days. The graph uses NIST 800-53 and NIST 800-171 audit checks as CMMC is built on those standards.