Understanding CMMC Compliance Using FileCloud

April 15, 2021


This post was originally published on April 15, 2021 and updated to discuss CMMC 2.0 changes on April 13, 2022. 

What is CMMC?

CMMC is a certification standard used by the US Government to audit third-party compliance with NIST SP 800-171. Third-party organizations working with the U.S. Department of Defense (DoD) have been required to comply with NIST 800-171 since January 1, 2018. However, the DoD has struggled with a low rate of NIST 800-171 compliance across the Defense Industrial Base.

CMMC was created in January 2020 to address that systemic non-compliance by both prime contractors and their subcontractors. CMMC was also intended to fill a gap in third-party auditing capability for NIST 800-171 compliance, which did not exist before.

The first iteration of CMMC (also referred to as CMMC 1.0) was designed around an "assessment framework" modeled on five levels of maturity, which are covered below. CMMC 1.0 is the version currently in effect. CMMC 2.0 was developed in response to an internal review following public comment on the September 2020 "CMMC 1.0" interim rule.

Following the internal review, the DoD published an Advance Notice of Proposed Rulemaking (ANPRM) on November 17, 2021. The proposed changes comprise CMMC 2.0 and will take effect after the rulemaking process is completed (anywhere from 9 to 24 months from November 2021). For more information on CMMC 2.0 requirements, check out our blog post.

However, since CMMC 1.0 is still in effect as an interim rule, here is everything you need to know about the requirements and how FileCloud can help meet them. (You can also download our CMMC white paper here.)

Why is CMMC important?

The Center for Strategic and International Studies estimates that the total global cost of cybercrime is approaching $1 trillion, as of its 2020 survey. The DoD is enforcing a risk-management approach to improve the cybersecurity of its third-party partners by requiring them to obtain the Cybersecurity Maturity Model Certification (CMMC). The certification is designed to improve the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and it applies to DoD contractors.

CMMC measures an organization’s approach to protecting FCI and CUI. CUI is information that requires protection or audit controls according to federal law, regulations, and government policies. FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

Key Takeaways for CMMC

Five Levels of Maturity

The level (1–5) you need depends on your company and the business you conduct with the DoD.

Figure: 5 levels of CMMC

17 Domains of Security Requirements

The CMMC model consists of 17 domains, 14 of which are derived from the Federal Information Processing Standards (FIPS) Publication 200 and NIST 800-171:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System and Communication Protection
  17. System and Information Integrity

FileCloud identifies gaps in critical security controls according to your desired CMMC maturity level for each of the 17 domains and provides clear instructions for both improving your security posture and meeting CMMC requirements. Below, we go through several domains and explain how FileCloud helps you comply.

Access Control - FileCloud supports integration with Active Directory, LDAP, and SSO. In addition, FileCloud integrates your Network Shares with NTFS permissions to give you finer control over which data your users are allowed to view, upload, download, share, sync, or manage. Within FileCloud you can create users and groups and assign permissions and policies to them to allow or prevent access to your data. FileCloud also supports DLP and granular folder permissions.

Asset Management - FileCloud’s Centralized Device Management allows you to view all the devices that have access to FileCloud through our mobile and desktop clients. FileCloud also includes functionality for creating reports of these devices to aid you in building your inventory report.

Audit and Accountability - FileCloud’s auditing capabilities enable you to review who, when, where, and what is involved each time FileCloud is accessed. FileCloud also supports SIEM integration. FileCloud’s data governance capabilities allow you to apply multiple retention rules to prevent the deletion of auditable records you want to keep in FileCloud.

Awareness and Training - To complement your internal employee training, FileCloud provides you with extensive information about applying security best practices while using FileCloud. FileCloud also offers end-user training.

Configuration Management - FileCloud provides multiple configuration capabilities, including but not limited to centralized device management, content classification, DLP, global policies, device-specific configuration policies, customization, data governance, user password enforcement, private sharing permissions, and granular folder-level permissions.

Identification and Authentication - Besides FileCloud’s own user authentication, FileCloud supports integration with Active Directory, LDAP, and SSO. FileCloud also supports Duo Security integration and 2FA.

Incident Response - FileCloud’s data governance dashboard displays potential rule violations such as DLP violations or retention policy violations. FileCloud workflows enable you to automate report generation, device approval, and other tasks.

Maintenance - Using FileCloud workflows, administrators can perform automatic maintenance tasks within FileCloud, for example deleting files after a specified amount of time or disabling users who have not accessed FileCloud within a specified period. FileCloud also supports automatic audit log trimming and export to a location defined by the administrator.

Media Protection - FileCloud’s antivirus integration via ClamAV or the ICAP protocol enables you to scan files for malware as they are uploaded. FileCloud’s DLP provides you with granular control over your data. FileCloud supports in-transit encryption via HTTPS/SSL.

Personnel Security - FileCloud’s smart classification and DLP enable you to classify your data and apply DLP rules that deny or allow downloads or sharing based on that classification.

Recovery - The FileCloud Server Backup tool backs up your data automatically.

Conclusion

For your organization to be CMMC compliant, it must implement an encrypted file sharing solution. The end user is responsible for using the appropriate FileCloud capabilities, as well as for managing and maintaining the environment where FileCloud is hosted, to ensure that the CMMC requirements are met.

FileCloud is a commercial off-the-shelf software solution that helps businesses securely share, manage, and govern enterprise content. FileCloud software provides the necessary capabilities for organizations to obtain CMMC compliance.

References

Accellion CMMC Compliance Guide. (n.d.). Accellion. Retrieved 2021, from https://www.accellion.com/sites/default/files/resources/wp-accellion-cmmc-compliance-guide.pdf

Carey, B. (2020, May 11). Prepare for Cybersecurity Maturity Model Certification (CMMC). Retrieved April 6, 2021, from https://blog.rapid7.com/2020/04/15/preparing-for-the-cybersecurity-maturity-model-certification-cmmc-part-1-practice-and-process/

Center for Strategic and International Studies (CSIS) & www.mcafee.com. (2018, February). Economic Impact of Cybercrime: No Slowing Down. Retrieved April 6, 2021, from https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf

Cybersecurity Maturity Model Certification (CMMC) (Vol. 1). (2020). Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC.

DoD Cybersecurity Audits are Coming: Here's how to prepare. (2021). Retrieved April 6, 2021, from https://www.sysarc.com/services/managed-security-services/cybersecurity-maturity-model-certification-cmmc-guide-for-dod-contractors/

By Team FileCloud