read
September 25, 2020

Part Two: The Cybersecurity Maturity Model Certification (CMMC) Explained in More Detail

In our first blog in this series, we introduced the new Cybersecurity Maturity Model Certification (CMMC) and described the five different levels of compliance. In this blog, we take a look at what is actually in each of these levels … and how ARIA Cybersecurity Solutions can help you achieve compliance.

In our first blog on the new Cybersecurity Maturity Model Certification (CMMC) regulation, we gave an overview of the CMMC’s main objective, which is to protect controlled unclassified information (CUI). Starting in fall 2020, CMMC will be required for all defense contractors in the defense industrial base and any other vendor or subcontractor performing work for the Department of Defense (DoD) or other federal agencies.

More specifically, that first blog highlighted the five different levels of CMMC compliance. It may be more challenging than you might expect: To hit a specific level’s requirements, any contractor must first meet the practices and processes of the level (or levels) that precede it. This model essentially creates an all-or-nothing approach if a vendor hopes to comply with all five levels of compliance. 

As a brief reminder, here is what is required at each of the five levels:

  1. Level 1: Safeguard federal contract information (FCI).
  2. Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI.
  3. Level 3: Protect CUI data.
  4. Level 4: Provide advanced and sophisticated cybersecurity practices.
  5. Level 5: Protect CUI and reduce the risk of advanced persistent threats (APTs). 

 

CMMC Compliance: More than Meets the Eye

Yet what is interesting is that, in the five levels described above, the DoD also lists a number of best practices any organization must follow (and achieve) in order to be compliant with that level. In keeping with the all-or-nothing approach mentioned earlier, it quickly adds up to many many cybersecurity best practices.

For example, Level 1 includes 17 practices. Yet by moving to Level 2, any organization will add an extra 55 practices, a number that quickly grows to 171 total practices by the time Level 5 compliance is achieved. See the chart below (taken from the official CMMC framework document) for more information on the specific number of practices per level. 





The CMMC then introduces another wrinkle: “Maturity Levels.” Each has five different levels of maturity, where 1 is considered “low” and 5 is the highest maturity and competence. These maturity levels evaluate and assess how well an organization is doing a particular security practice. 

Similar to the practices in the CMMC chart above, companies must also demonstrate that their maturity level grows as they ascend the five maturity levels. For example to achieve Level 1 compliance, these organizations must be able to perform each of the 17 practices at a Maturity Level of 1, which is considering “Performing.” Yet by the time they get to Level 5, they must be performing all 171 practices at a Maturity Level of 5 or “Optimizing.”

 

CMMC compliance starts now

CMMC officially goes into effect this fall, yet it will only impact a small selection of companies in this initial phase. Most vendors and organizations will need to be prepared for CMMC when their contract expires or as they enter into new contracts between now and 2026. 

If all of this seems daunting, there is some good news. ARIA Cybersecurity Solutions are designed to help you achieve compliance with a wide range of regulations, and more specifically, deliver the protection you need to comply with all that CMMC requires. 

 

ARIA ADR

The ARIA Advanced Detection and Response (ADR) solution is a single platform approach for enterprise-wide automated threat detection, containment, and remediation. This “SOC-in-a-box” combines all the functionality of the six industry standard cyber security tools normally found in an onsite security operations center (SOC), at a fraction of the cost. 

Due to this, it provides coverage of the entire threat surface—even the internal network. The traditional cyber security approach uses disparate tools, which have limited access to, or completely blind into, the entire enterprise. The increased network visibility provided by ARIA ADR is critical to find, stop and remediate the most harmful threats earlier in the kill chain—before significant damage can be done.

ARIA ADR finds cyber-threats quickly and accurately, by ingesting the comprehensive analytics generated from alerts, logs, and threat intelligence. Using artificial intelligence, ARIA ADR feeds this data through machine learning-based, predefined threat models. These models can identify the behaviors associated with the most harmful threats, like ransomware, malware, and DDoS, and enable the solution to automatically and quickly identify and stop all types of suspicious activities and correlate them to accurately produce valid alerts.

 

ARIA PI

The ARIA Packet Intelligence (PI) application is integrated with the ARIA ADR solution, yet it can also run independently to improve the performance and effectiveness of existing security tools like SIEMs or SOARs. The application deploys transparently in the network and detects and monitors all network traffic, including IoT devices, providing visibility into the entire enterprise - premises, data centers and cloud. 

The application classifies this data and generates NetFlow metadata for all packet traffic, which can be directed to existing security tools like SIEMs, IDS/IPS, NTA and more. All of this happens on the fly without impacting delivery to allow the monitoring of various IoT devices in network aggregation points that are usually one step back in the wireline network.


Discover how to achieve coverage across all five levels of CMMC compliance:

Download Checklist


About ARIA Cybersecurity Solutions

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.

Tags: cybersecurity, data protection, intrusion detection