Cybersecurity Maturity Model Certification
UPDATES:
December 26, 2023: The Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program.
December 7, 2022: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon.
For more recent updates, you can visit the Department of Defense Chief Information Officer webpage.
The following was published September 20, 2021.
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security.
When an organization sets out to achieve a particular CMMC level, it must also meet the preceding lower levels. And because most data breaches and network exploits begin with phishing emails, email forgery protections are included in the CMMC model beginning at Level 3.
According to the DoD, “The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.” CMMC is heavily based on DFARS 252.204-7012, which requires federal contractors to adhere to baseline security practices defined in NIST SP 800-171.
Though there are current resource barriers for many small to medium sized businesses relative to achieving CMMC certification, DoD’s goal is for it to be “cost-effective and affordable for small businesses to implement at the lower CMMC levels.” Unlike the current DFARS provision, which is rooted in honor-based self-reporting, CMMC requires that accredited Third Party Assessment Organizations conduct on-site assessments and deliver CMMC certificates to companies.
In an FCW article, Matt Travis, CEO for the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB), reported that “training and IT access to the Defense Department’s Enterprise Mission Assurance Support Service (eMASS), which will house CMMC data, still needs to be finalized for the third-party organizations that will be charged with conducting cyber assessments.” There are currently four approved C3PAOs for CMMC assessments, though they don’t yet have access to eMASS. In addition, the CMMC program is being reviewed by the DoD before its official release. There are several moving parts, but the CMMC AB is confident that the model is in the final review stages.Currently, DMARC, SPF, and DKIM come into play at CMMC Level 3. The following is excerpted from the CMMC Appendices document:
SI.3.219: Implement email forgery protections
DISCUSSION FROM SOURCE: CMMC
Protecting your environment from harmful emails is one of the best ways to reduce the risk of viruses and malware from entering your network. Email attacks are one of the primary attack vectors in use by threat actors today because of their simplicity and effectiveness for circumventing an organization’s perimeter defenses. Implementing advanced email protections can help mitigate these email-based threats from penetrating an organization’s defenses and landing in the inbox of organizational end users.
CMMC CLARIFICATION
Implement email protections in addition to basic spam protections. Some potential advanced email protections include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF uses DNS to show which servers are allowed to send email for a given domain. DKIM uses asymmetric cryptography to verify the authenticity of an email message and provide assurance of the legitimacy of the email to the recipient. DMARC allows organizations to deploy a combination of DKIM and SPF to further enhance their electronic mail infrastructure by adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Example
As the email administrator for your organization, you want to add additional protections to ensure you are blocking as many unwanted and harmful emails as possible. You configure a DMARC policy that enables both SPF and DKIM on your domain. You configure an SPF text entry in your DNS configuration so that you explicitly authorize the servers that can send email as well as ensuring relevant outbound emails are signed using DKIM.
The biggest cybersecurity risk for most organizations is their people—employees clicking on unsafe email links and downloading treacherous attachments, inadvertently providing sensitive information to bad actors. Unfortunately, the practices in CMMC Level 1 do not adequately address those risks. The most effective way for an organization that does business with the government to protect national security, and themselves, is to focus their time and money on the industry standards that reduce cyber risks.
Several sections of the CMMC framework contain controls that reduce “people” risk. I recommend that organizations consider implementing all the “people” risk practices in CMMC Levels 1, 2, and 3—even if they are only required to comply with the practices in CMMC Level 1.
Laura Rodgers, cybersecurity compliance expert at the North Carolina Military Business Center
Compliance with CMMC does not equal 100% protection from cyber threats, so the model, beginning at Level 3, was designed to embed resilience into a company’s cybersecurity program. It helps an organization recover from an attack as quickly and effectively as possible and drives business continuity.
As DMARC continues to grow as a recommended and, in some cases, required control, let us know if you need any assistance to safeguard your domains from abuse.
You can register for a free trial and our support team will help you on your journey to securing your email domains.
Want to continue the conversation? Head over to the dmarcian Forum.
