December 7: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon.
December 6: CMMC 2.0 documents are starting to be released. You can find them here.
On Nov. 4 the DoD published Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program after a nine-month internal review by senior staffers. The changes are significant, and DoD is unveiling CMMC 2.0 for the defense industrial base with more emphasis on self-assessment.
The following was published September 20, 2021.
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security.
When an organization sets out to achieve a particular CMMC level, it must also meet the preceding lower levels. And because most data breaches and network exploits begin with phishing emails, email forgery protections are included in the CMMC model beginning at Level 3.
According to the DoD, “The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.” CMMC is heavily based on DFARS 252.204-7012, which requires federal contractors to adhere to baseline security practices defined in NIST SP 800-171.
Though there are current resource barriers for many small to medium sized businesses relative to achieving CMMC certification, DoD’s goal is for it to be “cost-effective and affordable for small businesses to implement at the lower CMMC levels.” Unlike the current DFARS provision, which is rooted in honor-based self-reporting, CMMC requires that accredited Third Party Assessment Organizations conduct on-site assessments and deliver CMMC certificates to companies.
In a recent FCW article, Matt Travis, CEO for the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB), reported that “training and IT access to the Defense Department’s Enterprise Mission Assurance Support Service (eMASS), which will house CMMC data, still needs to be finalized for the third-party organizations that will be charged with conducting cyber assessments.” There are currently four approved C3PAOs for CMMC assessments, though they don’t yet have access to eMASS. In addition, the CMMC program is being reviewed by the DoD before its official release. There are several moving parts, but the CMMC AB is confident that the model is in the final review stages.
Email Forgery Protections with DMARC
SI.3.219: Implement email forgery protections
DISCUSSION FROM SOURCE: CMMC
Protecting your environment from harmful emails is one of the best ways to reduce the risk of viruses and malware from entering your network. Email attacks are one of the primary attack vectors in use by threat actors today because of their simplicity and effectiveness for circumventing an organization’s perimeter defenses. Implementing advanced email protections can help mitigate these email-based threats from penetrating an organization’s defenses and landing in the inbox of organizational end users.
Implement email protections in addition to basic spam protections. Some potential advanced email protections include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF uses DNS to show which servers are allowed to send email for a given domain. DKIM uses asymmetric cryptography to verify the authenticity of an email message and provide assurance of the legitimacy of the email to the recipient. DMARC allows organizations to deploy a combination of DKIM and SPF to further enhance their electronic mail infrastructure by adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
As the email administrator for your organization, you want to add additional protections to ensure you are blocking as many unwanted and harmful emails as possible. You configure a DMARC policy that enables both SPF and DKIM on your domain. You configure an SPF text entry in your DNS configuration so that you explicitly authorize the servers that can send email as well as ensuring relevant outbound emails are signed using DKIM.
- CIS Controls v7.1 7.8
- NIST CSF v1.1 PR.DS-2
- CERT RMM v1.2 KIM:SG4.SP1
- NIST SP 800-53 Rev 4 SC-8
Laura Rodgers, a cybersecurity compliance expert at the North Carolina Military Business Center, says that “the biggest cybersecurity risk for most organizations is their people—employees clicking on unsafe email links and downloading treacherous attachments, inadvertently providing sensitive information to bad actors. Unfortunately, the practices in CMMC Level 1 do not adequately address those risks. The most effective way for an organization that does business with the government to protect national security, and themselves, is to focus their time and money on the industry standards that reduce cyber risks.
Several sections of the CMMC framework contain controls that reduce “people” risk. I recommend that organizations consider implementing all the “people” risk practices in CMMC Levels 1, 2, and 3—even if they are only required to comply with the practices in CMMC Level 1.”
Compliance with CMMC does not equal 100% protection from cyber threats, so the model, beginning at Level 3, was designed to embed resilience into a company’s cybersecurity program. It helps an organization recover from an attack as quickly and effectively as possible and drives business continuity.
As DMARC continues to grow as a recommended and, in some cases, required control, let us know if you need any assistance to safeguard your domains from abuse. You can also register for a free trial here and our support team will help you on your journey to securing your email domains.
Editor’s Note: Because the CMMC framework is in development and review, we will be updating this article as needed.
Want to continue the conversation? Head over to the dmarcian Forum