Supporting your CMMC initiatives with Sumo Logic
1.
2. What are we going to talk about?
• Overview of the Cybersecurity Maturity Model Certification (CMMC)
o Its history
o Its direction
o Who it impacts
o The gap that it fills
• Demonstrate how CloudHesive uses Sumo Logic to:
o Address customers' needs in preparing for their CMMC audit from the perspective of a gap analysis
o Generate evidence during the initial audit
o Demonstrate ongoing compliance
3. (A brief) United States Government Refresher
• United States Government
o Executive Branch
• Department of Defense
o Office of the Under Secretary of Defense for Acquisition and Sustainment
• Carnegie Mellon University/Johns Hopkins University
• Developed the Program
• Defense Industrial Base/Defense Supply Chain
o Contractors – 100,000 of them, generating 768 Billion USD (3.2% of GDP) Annually
• Their Subcontractors
o Eventually phased into the Program
• CMMC AB -> Cyber AB
o Oversees the Program
4. What data may (sub)contractors be obligated to protect?
• (F)ederal (C)ontract (I)nformation
o Federal contract information means information, not intended for public release,
that is provided by or generated for the Government under a contract to develop or
deliver a product or service to the Government, but not including information
provided by the Government to the public (such as on public websites) or simple
transactional information, such as necessary to process payments
• (C)ontrolled (U)nclassified (I)nformation
o Information the Government creates or possesses, or that an entity creates or
possesses for or on behalf of the Government, that a law, regulation, or
Government-wide policy requires or permits an agency to handle using
safeguarding or dissemination controls
5. CMMC Timeline
• In 2016 the DFARS 7012 clause goes into effect, requiring all contract holders to self-assess against the security requirements of NIST SP 800-171
• In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-attestation mechanism for an organization's basic cyber hygiene that had been used to govern the Defense Industrial Base
• The 2019 interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition Regulation Supplement (DFARS) 2019-D041, was published on September 29, 2020, with an effective date of November 30, 2020
• On December 8, 2020, the CMMC Accreditation Board and the Department of Defense released an updated timeline
that has the model fully implemented by September 2021
• On November 4, 2021, the Department of Defense announced the release of CMMC 2.0
• In March 2023, Final Rule Making will be complete
• 60 days after March 2023, CMMC requirements will be included in new contracts
7. CMMC 1.0 vs. CMMC 2.0
• Streamlined Model
o Focused on the most critical requirements: Streamlines the model from 5 to 3 compliance levels
o Aligned with widely accepted standards: Uses National Institute of Standards and Technology (NIST)
cybersecurity standards
• Reliable Assessments
o Reduced assessment costs: Allows all companies at Level 1 (Foundational), and a subset of
companies at Level 2 (Advanced) to demonstrate compliance through self-assessments
o Higher accountability: Increases oversight of professional and ethical standards of third-party
assessors
• Flexible Implementation
o Spirit of collaboration: Allows companies, under certain limited circumstances, to make Plans of
Action & Milestones (POA&Ms) to achieve certification
o Added flexibility and speed: Allows waivers to CMMC requirements under certain limited
circumstances
8. CMMC 2.0 Level 2 Summary
• Access Control (AC)
• Awareness & Training (AT)
• Audit & Accountability (AU)
• Configuration Management (CM)
• Identification & Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PE)
• Risk Assessment (RA)
• Security Assessment (CA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
9. Preparing for Audit
• Organizational Readiness
o History
o Current state
o Sustainability of the current state
10. Sample Artifacts
• (S)ystem (S)ecurity (P)lan
• (P)lan (O)f (A)ctions & (M)ilestones
• Self-Assessment with SPRS Score
• (S)ystem (D)esign (D)ocument
• General
o Policies
o Procedures
o Diagrams
o Configuration Settings
o Mechanisms
o Operational Logs
o Audit Logs
o Monitoring
o Locations
o Strategies
11. Sample Policies
• Access control policy
• Audit and accountability policy
• Configuration management policy
• Identification and Authentication policy
• Incident response policy
• Personnel security policy
• Risk management policy
• Security awareness and training policy
• Security planning policy
• System and communications protection policy
• System and information integrity policy
• System maintenance policy
• Third party hosting policy
• Vendor management policy
13. Organizations in the DIB have a challenge
• What do many of these organizations own from a tech perspective?
o Not much
• Computers, Files, E-Mail…
o Simple needs (somewhere to work, store, retrieve, process, transmit) to deliver product
• What infrastructure do they have to support these requirements?
o Not much
• Physical sites, People, Computers…
o Operationally Capable (e.g., delivering a product), but may not be Cyber Capable
• Where can they get help?
o CMMC Ecosystem
o People Considerations
o (C)loud (S)ervice (P)roviders
17. Organizations in the DIB Become Responsible For
• Data generation, processing, storage, retrieval
o Understand the flow
• Scope Reduction
o Use an enclave
• If the data can’t leave, it’s secure
o Descope where possible – organization, people, domains, access
• If the data can’t be accessed, it’s secure
• People Considerations
o Employees
o Contractors
o Vendors
• Software Considerations
o Vary based on COTS versus Custom
19. Continuous Monitoring with Sumo Logic
• We have all these sources of data we are responsible for – Events and States
o Data derived from the third-party solutions
• We need to be able to tell current state and review historically
o To support the sample processes
• We need to be able to react to the high priority items
o Push versus Pull
• We need to demonstrate we are doing this
o It’s part of the process
24. Conclusion
• In conclusion, leveraging a Cloud Service Provider and a Managed Services Provider can help reduce your organizational burden in preparing for and maintaining CMMC-defined controls.
• A significant component of maintaining these controls is monitoring and response, in which Sumo Logic can be used to funnel these various sources of data and state, then correlate, query and reduce them for human consumption at planned and unplanned levels of priority.