Companies seeking out lucrative contracts with the US Department of Defense (DoD) need to bolster their cybersecurity to protect our servicemen and citizens, abroad and domestically. To do so, they need to achieve compliance with the Cybersecurity Model Maturity Certification (CMMC), a framework published by the Office of the Under Secretary of Defense for Acquisition and Sustainment, also known as OUSD(A&S). Employing network security monitoring best practices is a crucial component of CMMC compliance and, ultimately, working with the DoD.
Network Security Monitoring Under CMMC
The CMMC covers a wide range of cybersecurity controls, including everything from physical protections and training to granular specifications for device settings and configurations. Across these controls, network security monitoring services are essential, being concentrated in the most extensive “domain” and thus having the most dedicated security controls.
In this article, we’ll break down everything you need to know, including:
- CMMC “System and Communications Protections” controls
- Other pertinent CMMC controls across all other domains
- Broader best practices for network security monitoring
But first, let’s start with a quick overview of the entire CMMC framework:
Understanding the Overall CMMC Framework
The OUSD(A&S) developed the CMMC to simplify cybersecurity requirements for potential DoD contractors, combining several other frameworks into one omnibus system. It’s aimed primarily at securing two types of information prevalent in the Defense Industrial Base (DIB) sector:
- Federal Contract Information (FCI) – Data on or about contracts, which is not strictly classified but protected by Federal Acquisition Regulation (FAR) Clause 52.203-21
- Controlled Unclassified Information (CUI) – Other miscellaneous unclassified data, like technical use and maintenance manuals, protected by Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 and National Institute for Standards and Technology (NIST) Special Publication 800-171 (SP 800-171)
To protect this information, the CMMC breaks down into 17 security domains based on analogous “Requirement Families” in NIST SP 800-171. These domains comprise 43 capabilities and 171 practices, or granular controls. However, the defining characteristic of the CMMC is that it allows for stepwise adoption across five maturity levels.
System and Communications Protections
While there are practices related to network security monitoring scattered across various CMMC domains, most of them are concentrated in the System and Communications Protection domain, which is dedicated to network security. In short, understanding CMMC requirements for network security monitoring services requires understanding what the SC domain comprises.
System and Communications have the most controls of any maturity level, with 27 — Access Control comes in a close second, with 26. Unlike many other domains in the CMMC, SC has controls added at each level, so let’s break down all the controls by level.
Assess your cybersecurity
Level 1 SC Protections
Just two SC controls are required at maturity level 1:
- SC.1.175 – Monitoring, control, and protect communications, ingoing and outgoing, at external and internal boundaries of organizational networks and information systems
- SC.1.176 – Implement independent subnetworks, separated logically or physically, for any publicly accessible system components across information systems and networks
Including these practices, maturity level 1 comprises 17 total controls to implement.
Level 2 SC Protections
Again, just two SC controls are added at maturity level 2:
- SC.2.178 – Disable or disallow the remote activation of collaborative computing systems and indicate collaborators of status (and location of devices in use on the network)
- SC.2.179 – Encrypt all information and use encrypted sessions and other methods of encryption across all network device management processes, maintaining privacy
Including these practices, maturity level two adds 55 controls, for a running total of 72.
Level 3 SC Protections
A huge step up, there are 15 SC controls added at maturity level 3:
- SC.3.177 – When using encryption measures to preserve the confidentiality of CUI on network communications, utilize cryptography up to FIPS-validated standards
- SC.3.180 – Design network architecture, software development, and overall system engineering to promote effective information security across all networks and systems
- SC.3.181 – Separate regular users’ access and functionality from use cases and functionalities related to network maintenance and overall system management
- SC.3.182 – Monitor for and prevent unintended and unauthorized uses of the network, including the especially risky transfer of sensitive information via shared system resources
- SC.3.183 – Utilize a deny all, permit by exception (aka “whitelist”) approach for all network communications traffic, monitoring closely for authorized use purposes
- SC.3.184 – Prevent remote devices from establishing non-remote connections with both organizational systems and external networks simultaneously (aka “split tunneling”)
- SC.3.185 – Use cryptography, in the absence of physical safeguards, to prevent all unauthorized access to CUI on networks, especially during transmission transportation
- SC.3.186 – Terminate network connections for communications sessions immediately upon a given session’s end or after an organizationally defined period of inactivity
- SC.3.187 – Establish, maintain, and monitor for proper use of cryptographic keys for all encrypted communications across all organizational networks and systems
- SC.3.188 – Monitor and control the use of mobile code(s) across networks and systems
- SC.3.189 – Monitor and control use of Voice over Internet Protocol (VoIP) technology
- SC.3.190 – Monitor for and protect the authenticity of network communications sessions
- SC.3.191 – Protect the confidentiality of CUI “at rest” in storage or elsewhere on networks
- SC.3.192 – Use Domain Name System (DNS) filtering for network communications
- SC.3.193 – Strictly enforce a policy restricting CUI publication on external, publicly accessible networks, media, and platforms (e.g., Facebook, personal blogs, etc.)
Including all these practices, maturity level 3 adds 58 controls for a running total of 130.
Level 4 SC Protections
A much more manageable five SC practices are added at maturity level 4:
- SC.4.197 – Use logical and physical isolation measures on organizational systems and networks to protect information deemed necessary by the organization
- SC.4.228 – Isolate administrative methods for network infrastructure, especially for components and servers deemed by the organization to be most valuable and critical
- SC.4.199 – Monitor for and use threat intelligence to proactively block illegitimate DNS requests on the network, such as those originating from or related to malicious domains
- SC.4.202 – Monitor for and analyze executable code and scripts on the network that traverse select boundaries externally or internally, as defined by the organization
- SC.4.229 – Use a URL categorization system to filter out websites not allowed by the organization, following an allow all, deny by exception (aka “blacklist”) approach
Including these practices, maturity level 4 adds 26 controls for a running total of 156.
Level 5 SC Protections
Finally, at maturity level 5, the last three SC controls are added:
- SC.5.198 – Configure network security monitoring to record packets entering and exiting network boundaries, as well as other protected boundaries defined by the organization
- SC.5.230 – Monitor for and enforce strict network and systems security in compliance with local, state, national, and international rules, regulations, and laws related to ports
- SC.5.208 – Protect network and other select boundaries, as defined by the organization, with both internally developed services and commercially available solutions
Including these practices, maturity level 5 adds 15 controls, for a final total of 171.
Relevant CMMC Controls in Other Domains
As noted above, System and Communications Protection is the most concentrated CMMC security domain concerning network monitoring. But there are also controls scattered across other domains at various levels. The seven most pertinent such controls break down as follows:
- AC.4.032 – Monitor for and restrict access to networks based upon risks defined by the organization, including time, location, connection status, and other user characteristics
- AC.5.024 – Monitor for, identify and mitigate risks related to the connection of unidentified or otherwise suspect wireless access points connecting to organizational networks
- IA.3.083 – Use multi-factor authentication (MFA) for access to both local and the network for privileged accounts and all network access for non-privileged accounts
- IA.3.084 – Use “replay-resistant” authentication methods that resist unauthorized and fraudulent access to privileged and non-privileged accounts on organizational networks
- MA.2.113 – Require MFA for nonlocal sessions related to maintenance and terminate these sessions immediately at their end and after a determined period of absence
- RM.4.151 – Monitor and scan for unauthorized ports across the internal perimeter and network boundaries, as well as other boundaries as defined by the organization
- SA.4.173 – Design capabilities for systems’ and networks’ security to efficiently leverage, integrate, share, and mitigate indicators of compromise
Combined with the 27 controls above, there are 34 total CMMC controls that directly relate to network security monitoring, about one-fifth of all 171, making it an essential element of compliance.
How to Achieve Full CMMC Compliance
To achieve certification at any given maturity level of the CMMC, an organization needs to implement all practices to include those required for that level. Also, the organization must implement the given level’s “process maturity” goal, which indexes the extent of institutionalization of practices (scaling up from just “performed” at level 1 to “optimizing” at level 5).
But just having these measures in place is not enough; an organization also needs to seek out external verification of their practice implementation and maturity from a Certified Third-Party Assessment Organization (C3PAO). The CMMC Accreditation Body (CMMC-AB) determines which organizations are fit to be C3PAOs and facilitate your work with the DoD.
The easiest way to achieve full CMMC certification is to work with a C3PAO whose CMMC services help guide you throughout the entire process.
Other Network Security Monitoring Best Practices
Complying with the 34 CMMC controls directly related to network security monitoring will go a long way toward safeguarding your networks. But compliance is never the end of cybersecurity; it’s just a starting point.
Other best practices to consider include:
- Analyze for all protocols, including seemingly outdated systems (NetBIOS, etc.)
- Monitor virtual local area networks (VLANs) separately from other networks
- Strike an ideal balance in the frequency of audit logs (not too many or too few)
- Utilize an intrusion detection system (IDS) “behind” firewalls for efficiency
- Monitor all layers of networks, including oft-neglected data link layers
- Deploy multiple and overlapping antivirus and antimalware services
- Utilize free and open source (FOSS) packet-capturing mechanisms
- Secure storage of data obtained from network security monitoring
- Measure network performance before implementing monitoring
As these practices illustrate, the CMMC model for network security monitoring is not the only approach. And across all required and recommended practices, it can be a complicated process.
Challenges Impacting Network Security Monitoring
Challenges inherent to the implementation controls also compound according to several other factors of a given company, including:
- The relative size of the company, including growth over time
- Number and characteristics of personnel, clients, and stakeholders
- Amount, size, and nature of company network(s) to be monitored
- Volume and diversity of devices and access points for the network(s)
- Nature and amount of data processed across the monitored network(s)
Given these challenges, one of the best ways to ensure compliance and robust security across all network monitoring endeavors is through professional managed IT services.
Professional Compliance and Cybersecurity
Here at RSI Security, we know how important it is to keep your company’s networks safe — especially if you’re looking to work with the DoD. We also know that network security is best when integrated across a robust cybersecurity architecture that includes all other cyber-defense elements, like comprehensive vulnerability management and incident management.
Our talented team of experts is happy to help. We’ve provided cybersecurity solutions to companies of all sizes, in all industries, for over a decade. To see just how simple and powerful your integrated network security monitoring best practices can be, contact RSI Security today!