CMMC for OT: Working with the DoD as an Industrial Organization

November 28, 2023

The Cybersecurity Maturity Model Certification (CMMC) evaluates the cybersecurity practices of DoD contractor organizations and the maturity of their processes. The Department of Defense (DoD) introduced CMMC to bolster the protection of Controlled Unclassified Information (CUI) within the supply chain.

If you're looking to offer industrial operations and critical infrastructure services to the Department of Defense, compliance with CMMC requirements is essential. As CMMC 2.0 approaches, Industrial Defender can assist you in evaluating your compliance with those requirements.

CMMC Requirements

CMMC originally had five levels of maturity, but with the introduction of CMMC 2.0 they are being streamlined to three. What level do you need? The DoD will specify the required CMMC level when soliciting a contract. Some opportunities will allow organizations to conduct their own self-assessment, while others will require an assessment by a "CMMC Third Party Assessment Organization (C3PAO)." Self-assessments will be sufficient to meet CMMC Level 1 requirements.

In any case, conducting a self-assessment is vital for preparing for CMMC 2.0 and for potentially partnering with the DoD.

Level 1

At Level 1, CMMC establishes 17 specific practices to exhibit basic cyber hygiene. CMMC practices for Level 1 include:

1. Access Control (AC): Limit system access to authorized users and functions.

2. Identification and Authentication (IA): Identify system users.

3. Media Protection (MP): Sanitize or destroy system media before disposal or reuse.

4. Physical Protection (PE):

  • Limit physical access to authorized individuals.
  • Escort visitors and monitor their activity.
  • Maintain physical access logs.
  • Control and manage physical access devices.

5. System and Communications Protection (SC):

  • Monitor and control communications at system boundaries.
  • Separate public and internal network components.

6. System and Information Integrity (SI):

  • Identify, report, and correct system flaws promptly.
  • Protect against malicious code.
  • Update malicious code protection mechanisms.
  • Periodically scan the system and monitor files from external sources.

Levels 2-3

The "Advanced" level (Level 2) aligns with the NIST SP 800-171 standards. The "Expert" level (Level 3), which is still in development, will be based on select NIST SP 800-172 requirements. Although the depth of implementation increases at higher levels, the general categories of requirements and controls remain consistent.

Advanced and Expert Level practices, per NIST SP 800-171 and 800-172, include:

  1. Access Control (AC): Limit and control system access based on roles and authenticated users.
  2. Awareness and Training (AT): Train personnel and ensure they're aware of security risks.
  3. Audit and Accountability (AU): Create, protect, and review audit logs.
  4. Security Assessment (SA): Periodically assess security controls, fix issues, and monitor results.
  5. Configuration Management (CM): Establish and maintain consistent system configurations.
  6. Incident Response (IR): Have plans for responding to security incidents.
  7. Maintenance (MA): Perform routine maintenance and ensure tools are trustworthy.
  8. Media Protection (MP): Protect and control digital and physical media.
  9. Physical Protection (PE): Guard facilities and protect systems from physical threats.
  10. Personnel Security (PS): Ensure trustworthiness of individuals with system access. Screen as needed.
  11. Risk Assessment (RA): Periodically assess risks and take action based on findings.
  12. Security Assessment (SA): Determine system vulnerabilities and define controls.
  13. System and Communications Protection (SC): Safeguard system communications and ensure integrity.
  14. System and Information Integrity (SI): Monitor, detect, and handle system flaws and malicious content.

Efficient Self-Assessment for Industrial Organizations

The CMMC is crucial for industrial operators and infrastructure providers who supply goods or services to the DoD. This includes manufacturers who produce parts, equipment, or materials for defense-related products or systems, as they must adhere to CMMC standards. Likewise, maritime and shipbuilding industries, engaged in constructing and maintaining naval vessels and related components for the DoD, are also encompassed within the CMMC compliance framework. Additionally, energy and utility companies that supply energy or manage utilities vital for defense installations and operations are required to comply. Moreover, a wide range of Operational Technology (OT) oriented organizations fall under this spectrum. Industrial Defender, with its domain expertise in OT security and compliance, stands ready to assist the industrial sector in meeting CMMC requirements effectively.

Assessing all the aspects of CMMC compliance can be overwhelming, particularly in OT environments that would be disrupted by traditional IT-oriented scanning methods.

As the leading provider of comprehensive configuration data and OT asset information, Industrial Defender assesses the state of your systems in a safe, effective manner for industrial operations. This data is essential for a thorough assessment of CMMC security controls. With efficient and precise data collection, coupled with management of that data within a unified platform, Industrial Defender can readily produce a CMMC compliance report out of the box. This not only saves time and manual effort but also facilitates compliance over time.

In addition to the full framework assessment, the Industrial Defender platform delivers several of the critical security controls directly. Let's delve into key practice areas and the corresponding capabilities of the Industrial Defender platform.

Addressing Core CMMC Security Controls with Industrial Defender

Access Control, Identification, Authentication

Industrial Defender monitors authentication activity for compliance with cybersecurity policies. It collects user configurations for assets and applications, noting deviations from or adherence to policy. The system uses role-based and asset-based access controls. Additionally, Industrial Defender maintains asset owner contact information and observes authentication activity for anomalies.

System and Information Integrity

This is a core strength of Industrial Defender as the leader in configuration and change management (CCM) for OT. More than just capturing snapshots of configurations, Industrial Defender performs ongoing collection, analysis, and comparison of configuration data, aiming to ensure long-term system integrity, security, and compliance. It offers teams crucial context about changes, detailing who made what alterations and when, thereby aiding in preempting system disruptions or potential breaches. By setting a secure system baseline, CCM highlights deviations, allowing for swift risk mitigation.

Risk Assessment and Security Assessment

The Industrial Defender platform enables risk management, including supply chain and external dependencies, by systematically collecting and monitoring asset details, including software inventory and firmware. It identifies vulnerabilities in software, firmware, and operating systems, verifying patch authenticity and availability. Its extensive inventory capabilities, encompassing the detection of custom vendor installations, assist organizations in making knowledgeable decisions, especially when assessing supplier vulnerabilities and supply chain defects. The platform integrates with Foxguard’s patch management solutions, consistently updates asset risk scores, and streamlines the vulnerability assessment, presenting essential vulnerability data for prioritization.

Audit and Accountability

Industrial Defender monitors OT and IT systems using host-based agents, remote log monitoring, and passive network traffic observation. Events are normalized for analysis and correlation across the environment. Its scanning methods encompass a broad library of rules and allow for custom additions, with log scanning defined on a per-asset basis. The system also tracks asset configuration changes, key performance indicators, and removable media activity, and includes an event review system that uses unreviewed event durations as a risk factor.

Achieve CMMC Compliance

Industrial Defender excels in providing an unparalleled understanding of the OT environment, offering users an in-depth view of their assets and operational intricacies. Our expertise shines brightest in our ability to distill complex OT landscapes into clear, actionable insights. This deep knowledge, coupled with our commitment to streamlined compliance with security best practices like CMMC and NIST, ensures organizations are not only compliant but also have the tools and understanding to optimize and secure their operations. Our passion lies in empowering organizations to truly grasp their OT environment, bolstering their security postures to industry standards, and ensuring unwavering compliance.

If you’re ready to advance your CMMC program, schedule a time to meet with our team today: