CMMC certification will soon be required for most military contractors, and achieving it will be a challenge across the board. One of the best ways to prepare for your certification audit is mapping over security controls from other regulatory frameworks you’re already subject to.
Mapping Controls for CMMC Certification
Organizations that work with the Department of Defense (DoD) will need to comply with the Cybersecurity Maturity Model Certification (CMMC) standard sooner rather than later. Doing so may be challenging, but mapping over protections from other regulations can make it easier.
If you’re preparing for CMMC compliance certification, some crossover considerations include:
- How CMMC relates to National Institute of Standards and Technology (NIST) controls
- What mapping from the ubiquitous Payment Card Industry (PCI) requirements looks like
- How to streamline compliance needs with the comprehensive HITRUST CSF framework
Working with a compliance advisor who specializes in DoD compliance will help you implement the controls you need and prepare for CMMC certification—and other regulatory requirements.
NIST SP 800-171 and 800-172 and CMMC
CMMC security is based heavily on two other frameworks regulating government agencies’ data security practices: NIST’s Special Publications (SP) 800-171 and 800-172. These documents apply to many organizations that work with or in close proximity to government agencies and regularly come into contact with Controlled Unclassified Information (CUI). With respect to CMMC certification, they make up the core of controls organizations need to implement.
Namely, CMMC Level 1 requires implementing a subset of NIST SP 800-171’s 110 Basic and Derived Requirements, and CMMC Level 2 requires implementing all of them. Then, Level 3 will require an as-yet-undetermined number of Enhanced Requirements from NIST SP 800-172.
In practice, the CMMC Practices are a mapping of the NIST Requirements onto CMMC. So mapping any other framework to prepare for CMMC certification means mapping its controls onto those NIST Requirements.
CMMC Security Requirements from NIST
In CMMC assessments, there are 14 Domains of Practices, developed from the Requirement Families and Requirements in NIST SP 800-171 and 800-172. They break down as follows:
- Access Control (AC) – Controls that restrict access to sensitive data environments, including four AC Practices at CMMC Level 1 and 18 AC Practices at CMMC Level 2.
- Awareness and Training (AT) – Controls mandating content and intervals for staff cybersecurity training, with no Practices at Level 1 and three Practices at Level 2.
- Audit and Accountability (AU) – Controls governing regularity and severity of audits, along with responsibilities for findings, with no Practices at Level 1 and nine at Level 2.
- Configuration Management (CM) – Controls that stipulate baseline security settings across all software and hardware, with no Practices at Level 1 and nine at Level 2.
- Identification and Authentication (IA) – Controls for identity and access management (IAM) and account management, with two Practices at Level 1 and nine at Level 2.
- Incident Response (IR) – Controls for responding to, quarantining, resolving, and recovering from incidents in real time, with no Practices at Level 1 and three at Level 2.
- Maintenance (MA) – Controls for secure oversight and management of software and hardware throughout their lifecycles, with no Practices at Level 1 and six at Level 2.
- Media Protection (MP) – Controls dictating specific practices for onboarding, using, marking, and disposing of media, with one Practice at Level 1 and eight at Level 2.
- Personnel Security (PS) – Controls for securely screening, onboarding, managing, and moving staff, including termination, with no Practices at Level 1 and two at Level 2.
- Physical Protection (PE) – Controls for securing physical devices and workstations, along with their environments, with four Practices at Level 1 and two at Level 2.
- Risk Assessment (RA) – Controls mandating risk and vulnerability assessments, along with threat remediation tactics, with no Practices at Level 1 and three at Level 2.
- Security Assessment (CA) – Controls that specify guardrails for assessing the efficacy of security controls with respect to CUI, with no Practices at Level 1 and four at Level 2.
- System and Communications Protection (SC) – Controls to ensure secure communication channels, with two Practices at Level 1 and 14 at Level 2.
- System and Information Integrity (SI) – Controls for identifying, remediating, and minimizing vulnerabilities and attacks, with four Practices at Level 1 and three at Level 2.
Beyond the parameters for CMMC Level 1 and CMMC Level 2 Assessments, the requirements for CMMC Level 3 are not yet confirmed. However, there are 35 Enhanced Requirements in SP 800-172, so CMMC certification at Level 3 will likely require up to 145 total Practices.
Mapping PCI DSS to CMMC Controls
The PCI Data Security Standard (DSS) applies to almost all organizations that process credit card payments or come into contact with cardholder data (CHD). The DSS is governed by the PCI Security Standards Council (SSC), whose individual members (i.e., Visa, Mastercard, etc.) enforce the DSS with fines and other penalties for non-compliance, like discontinuing service.
Like CMMC, there are different assessment tiers that dictate the specific requirements for PCI compliance. However, unlike CMMC, these levels refer to the specific auditing and reporting required, not the actual controls that need to be installed. Every organization that needs to be PCI compliant installs the same controls—which, in turn, can be mapped onto CMMC controls.
How the PCI DSS Requirements Compare
The PCI DSS places a significant focus on network security, reducing the potential for unauthorized access to CHD. Many of these protections can also work to protect CUI.
Here are the PCI Requirements and the CMMC Domains they most closely map onto:
- 1: Install and Maintain Network Security Controls – All Domains
- 2: Apply Secure Configurations to All System Components – CM
- 3: Protect Stored Account Data – CM, MA, MP
- 4: Encrypt CHD for Transmission over Open, Public Networks – SC, SI
- 5: Protect All Systems and Networks from Malicious Software – CM, MA
- 6: Develop and Maintain Secure Systems and Software – All Domains
- 7: Restrict Access to Components by Business Need to Know – AC, IA
- 8: Identify Users and Authenticate Access to System Components – AC, IA
- 9: Restrict Physical Access to CHD – MP, PE
- 10: Log and Monitor Access to System Components and CHD – AU
- 11: Test Security of Systems and Networks Regularly – AU, SA, CA
- 12: Support Information Security with Policies and Programs – All Domains
There is much crossover between the PCI DSS and CMMC frameworks. Given how widely applicable the former is, many organizations are well-positioned to map onto CMMC controls.
HITRUST Assessments and CMMC
Another compliance framework that is widespread and growing in popularity, if for different reasons than PCI DSS, is the HITRUST CSF. Maintained by the HITRUST Alliance, the CSF is a comprehensive document and assessment protocol that is designed specifically for mapping controls across regulatory contexts to meet their respective needs as efficiently as possible.
HITRUST is not mandatory in most contexts. Instead, it is a tool organizations can use to meet regulations they’re obligated to comply with due to local laws or industry standards. HITRUST assessments allow organizations to “assess once, report many”—or, in other words, streamline their CMMC compliance and certification across various other regulations.
Understanding HITRUST Control Categories
Unlike the PCI DSS and CMMC frameworks, the HITRUST CSF is agnostic to the kind of data protected. Its controls are designed for maximum flexibility across any and all environments.
Here are the 14 Control Categories and the Domains they most closely relate to:
- 00: Information Security Management Program – All Domains
- 01: Access Control – AC, IA
- 02: Human Resources Security – PS
- 03: Risk Management – RA, CA
- 04: Security Policy – All Domains
- 05: Organization of Information Security – SI, AU, AT
- 06: Compliance – All Domains
- 07: Asset Management – SI, MP
- 08: Physical and Environmental Security – PE, MP
- 09: Communications and Operations Management – SC, SI
- 10: Information Systems Acquisition, Development, and Maintenance – SI
- 11: Information Security Incident Management – SI
- 12: Business Continuity Management – SC, SI
- 13: Privacy Practices – IA, RA, CA
HITRUST assessments are gaining popularity across industries because of their ability to prepare organizations for a wide variety of regulatory contexts. If you anticipate needing CMMC certification alongside PCI, HIPAA, and various other compliance frameworks, try HITRUST.
Streamline Your CMMC Certification
Organizations that work with the DoD—or plan to—need to prepare for CMMC certification as soon as possible. If you’re already complying with other regulations, like PCI DSS, there’s a good chance that mapping will help you meet the CMMC security requirements efficiently.
RSI Security has helped countless organizations prepare for CMMC certification. We believe discipline creates freedom; mapping and implementing controls now enables long-term growth.
To learn more about mapping controls for CMMC certification, contact RSI Security today!