Continuous monitoring and 32 CFR Part 170 Key Takeaways: Difference between pages

From Cooey Wiki
(Difference between pages)

== Continuous monitoring ==
Continuous monitoring is a cybersecurity practice that involves the ongoing, real-time assessment and analysis of an organization's systems, networks, and data to identify potential vulnerabilities, threats, or unauthorized access. The goal of continuous monitoring is to maintain visibility into the security posture of an organization at all times, allowing for faster detection and response to cybersecurity incidents.

=== Key Components of Continuous Monitoring: ===

'''Real-Time Data Collection:'''

Continuous monitoring tools gather data from various points across an organization's infrastructure, including networks, servers, endpoints, and cloud environments. This data typically includes system logs, user activities, network traffic, and application behaviors.

'''Security Information and Event Management ([[SIEM]]):'''

SIEM systems play a crucial role in continuous monitoring by aggregating, analyzing, and correlating data from multiple sources in real time. SIEM tools can identify anomalies, generate alerts, and help security teams detect potential security incidents early on.

'''Threat Detection:'''

Continuous monitoring systems use advanced techniques like machine learning, behavior analysis, and threat intelligence to detect abnormal activities, such as unauthorized access attempts, data exfiltration, or malware infections. These tools can recognize patterns that may indicate malicious behavior and can flag them for further investigation.

'''Vulnerability Management:'''

Monitoring tools continuously assess systems for vulnerabilities, such as unpatched software, configuration weaknesses, or misconfigurations that attackers could exploit. This allows organizations to proactively address vulnerabilities before they can be exploited by bad actors.

'''Compliance Monitoring:'''

Continuous monitoring helps organizations ensure they are compliant with regulatory requirements and industry standards (e.g., NIST, CMMC, PCI-DSS, HIPAA). It tracks the organization's adherence to security policies and procedures and alerts on any deviations.

'''Automated Alerts and Responses:'''

When an abnormal activity or potential threat is detected, continuous monitoring systems generate alerts to notify the security team. In some cases, these systems can take automated actions, such as isolating a compromised system, blocking malicious traffic, or updating firewall rules to mitigate risks in real time.

=== Benefits of Continuous Monitoring: ===

'''Faster Threat Detection and Response:'''

Continuous monitoring enables security teams to detect potential threats as soon as they arise, rather than waiting for periodic audits or reviews. Early detection allows for quicker mitigation, reducing the potential impact of a cyber incident.

'''Improved Security Posture:'''

By constantly scanning the environment for vulnerabilities and threats, continuous monitoring helps maintain a strong and resilient security posture. Organizations can quickly identify and patch vulnerabilities, apply security updates, and respond to suspicious activities.

'''Real-Time Visibility:'''

Continuous monitoring provides organizations with ongoing visibility into their security environment. This visibility is crucial for detecting changes or anomalies in system configurations, user activities, and network traffic, which can help in preventing attacks before they succeed.

'''Compliance Assurance:'''

Many regulations and security frameworks require organizations to demonstrate that they are actively monitoring and protecting sensitive data. Continuous monitoring helps organizations meet these requirements and provides audit trails that show compliance.

'''Reduced Dwell Time:'''

"Dwell time" refers to the amount of time an attacker remains undetected within a system. Continuous monitoring significantly reduces dwell time by providing real-time alerts, which can lead to quicker detection and response.

=== Implementation of Continuous Monitoring: ===

'''Asset Identification and Prioritization:'''

Identify all critical assets, including hardware, software, networks, and data. Prioritize these assets based on their sensitivity, importance to operations, and potential impact if compromised.
 
'''Establish Baselines:'''
 
Define normal behavior for your systems and users, such as typical network traffic patterns and system usage. This baseline will be used to detect anomalies that could indicate potential security incidents.
 
'''Select Monitoring Tools:'''
 
Deploy monitoring tools such as SIEM systems, intrusion detection/prevention systems (IDS/IPS), endpoint detection and response (EDR), and vulnerability scanners. These tools provide the real-time data and analysis needed for effective monitoring.
 
'''Develop Incident Response Procedures:'''
 
Ensure there are clear processes in place for responding to alerts generated by continuous monitoring tools. This includes steps for investigating the alerts, containing any threats, and remediating vulnerabilities.
 
'''Automation and Integration:'''
 
Integrate continuous monitoring with other security tools and platforms, such as firewalls, encryption systems, and access control mechanisms. Use automation where possible to handle routine tasks and respond to low-level threats without human intervention.
 
'''Regular Reviews and Updates:'''
 
Continuous monitoring systems should be regularly reviewed and updated to ensure they are detecting the latest threats and vulnerabilities. This includes updating SIEM rules, applying software patches, and fine-tuning alert thresholds to reduce false positives.
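The implementation steps above (establish a baseline, select a data source, detect anomalies, alert with an automated response, and keep thresholds tunable for review) carried through as one small Python monitoring loop. This is an added example, not code from the Cooey Wiki page or from any product it names; the sshd-style log format, the user names, the addresses and the response labels (`block_source_ip`, `isolate_host`, `notify_analyst`) are all constructed for illustration. The baseline is learned from a history window, and each new window is scored against it: a burst of failed logins well above a user's normal rate raises a medium alert, and a successful login from an address never seen for that user raises a medium alert on its own, or a high alert with an isolation recommendation when it follows such a burst.

```python
"""Minimal continuous-monitoring loop: learn a behavioural baseline from
historical authentication logs, evaluate a new window of events against it,
and emit alerts that carry a suggested automated response.
Added example; every log line, user and IP below is constructed sample data."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sshd-style line format:
#   "<timestamp> sshd: <Accepted|Failed> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\w+) from (?P<ip>[\d.]+)$"
)

# Constructed baseline period: two daily windows of normal activity.
HISTORY = [
    "2024-10-01T08:02:11 sshd: Accepted password for alice from 10.0.0.5",
    "2024-10-01T08:03:40 sshd: Failed password for alice from 10.0.0.5",
    "2024-10-01T09:15:02 sshd: Accepted password for bob from 10.0.0.7",
    "2024-10-02T08:01:55 sshd: Accepted password for alice from 10.0.0.5",
    "2024-10-02T09:20:13 sshd: Accepted password for bob from 10.0.0.7",
    "2024-10-02T09:21:00 sshd: Failed password for bob from 10.0.0.7",
]
HISTORY_WINDOWS = 2  # the history above spans two windows (days)

# Constructed live window: six failures for alice from an unseen address,
# then a success from that same address; bob behaves as usual.
LIVE = [
    f"2024-10-03T03:10:{s:02d} sshd: Failed password for alice from 203.0.113.9"
    for s in range(1, 7)
] + [
    "2024-10-03T03:10:44 sshd: Accepted password for alice from 203.0.113.9",
    "2024-10-03T09:05:12 sshd: Accepted password for bob from 10.0.0.7",
]


@dataclass
class Baseline:
    known_ips: dict = field(default_factory=lambda: defaultdict(set))  # user -> usual source IPs
    mean_failures: dict = field(default_factory=dict)  # user -> mean failed logins per window


def parse(line):
    """Return the event fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def build_baseline(lines, windows):
    """'Establish Baselines' step: learn normal behaviour from historical logs."""
    base = Baseline()
    failures = Counter()
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "Accepted":
            base.known_ips[ev["user"]].add(ev["ip"])
        else:
            failures[ev["user"]] += 1
    for user in set(base.known_ips) | set(failures):
        base.mean_failures[user] = failures[user] / windows
    return base


def evaluate(lines, base, min_burst=5, multiplier=3.0):
    """Score one window of live events against the baseline and return alerts.

    min_burst and multiplier are the tunable thresholds that the
    'Regular Reviews and Updates' step revisits: raising them trades missed
    detections for fewer false positives.
    """
    events = [ev for ev in map(parse, lines) if ev]
    alerts = []
    # Failed logins per (user, ip) and per user in this window.
    failures = Counter((ev["user"], ev["ip"]) for ev in events if ev["result"] == "Failed")
    per_user = Counter()
    for (user, _ip), n in failures.items():
        per_user[user] += n
    burst_users = set()
    for user, n in per_user.items():
        threshold = max(min_burst, multiplier * base.mean_failures.get(user, 0.0))
        if n > threshold:
            burst_users.add(user)
            worst_ip = max((ip for (u, ip) in failures if u == user),
                           key=lambda ip: failures[(user, ip)])
            alerts.append({"rule": "failed_login_burst", "user": user, "ip": worst_ip,
                           "count": n, "severity": "medium", "response": "block_source_ip"})
    for ev in events:
        if ev["result"] == "Accepted" and ev["ip"] not in base.known_ips.get(ev["user"], set()):
            # A success from an unseen address right after a burst for the same
            # user is the classic brute-force-succeeded pattern: escalate.
            likely_compromise = ev["user"] in burst_users
            alerts.append({"rule": "login_from_new_ip", "user": ev["user"], "ip": ev["ip"],
                           "severity": "high" if likely_compromise else "medium",
                           "response": "isolate_host" if likely_compromise else "notify_analyst"})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY, HISTORY_WINDOWS)
    for alert in evaluate(LIVE, baseline):
        print(alert)
```

Run as a script it prints two alerts for `alice` (the burst from `203.0.113.9`, then the high-severity new-address login) and none for `bob`; feeding the history back through `evaluate` yields no alerts, which is the quick sanity check worth keeping when thresholds are retuned.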
 
=== Examples of Continuous Monitoring Use Cases: ===

'''Financial Services:'''

In financial institutions, continuous monitoring can detect unauthorized access to sensitive customer data, such as personal banking information. It can also monitor for suspicious transactions that could indicate fraud or money laundering activities.

'''Healthcare:'''

Hospitals and healthcare providers use continuous monitoring to protect patient data and comply with HIPAA regulations. The systems can detect unauthorized access to electronic health records (EHR) and protect against ransomware attacks.

'''Government and Defense Contractors:'''

Contractors handling Controlled Unclassified Information (CUI) for government agencies use continuous monitoring to meet regulatory requirements like [[NIST 800-171]] and the Cybersecurity Maturity Model Certification (CMMC). Monitoring helps prevent nation-state attacks and data exfiltration.

=== Key Standards Supporting Continuous Monitoring: ===

* [https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-137.pdf NIST 800-137]: This NIST publication provides guidance on implementing continuous monitoring as part of an organization's overall risk management strategy. It outlines processes for assessing security controls and managing security risks in real time.
* CMMC: The Cybersecurity Maturity Model Certification (CMMC) requires continuous monitoring as part of its higher-level (Level 3 and above) maturity requirements for protecting CUI.

=== Conclusion: ===

Continuous monitoring is a vital component of a robust cybersecurity strategy. By continuously assessing systems and networks for vulnerabilities, threats, and anomalous activities, organizations can stay ahead of potential cyberattacks and quickly respond to security incidents, ensuring the ongoing protection of sensitive data and critical systems.

== 32 CFR Part 170 Key Takeaways ==
Revision as of 23:00, 12 October 2024

=== Introduction ===
On October 15, 2024, 32 CFR Part 170, also known as the "CMMC Final Rule", is published in the Federal Register. The CMMC program takes effect 60 days later.

Below are some key considerations, changes, and details to know with this rule's publication. This page's intent is to capture the key differences and changes between the draft rule and the final published version.

Link to the PDF: https://public-inspection.federalregister.gov/2024-22905.pdf

Link to the Federal Register page: https://www.federalregister.gov/public-inspection/2024-22905/cybersecurity-maturity-model-certification-program

=== Timelines ===
The Final Rule codifies that Joint Surveillance Voluntary Assessments (JSVAs) will equate to a CMMC Level 2 certification, assuming the organization received a perfect 110 score.

DoD projects a 7-year timeline with a 4-year phased roll-out, initially.

In FY2025, DoD will primarily be requiring self-assessments. Approximately 500 third-party certifications are expected to be required on contracts in the first year.

CMMC self-assessments must have a score of 88 or more to "pass" and be compliant. The Affirming Official (formerly a "Senior Official") will need to affirm that the reporting is accurate. Affirming this score carries personal criminal fraud risk, and affirmations may be verified in a third-party assessment later.

In FY2026, that 500 grows to about 2,500, and by FY2027 to about 9,000. By FY2028, DoD anticipates 16,000 third-party certifications needed a year.

By the end of the rollout, the numbers projected by DoD are 4,000 self-assessed and 76,000 assessed by a Certified Third Party Assessment Organization (C3PAO).

Many DIB contractors (and subcontractors) can expect to be required to self-assess, per contract and purchase order flow-down requirements.

It's important to note that DoD has the discretion to delay the certification requirement to an option period instead of the condition of "upon contract award." While this is not expected to be used often, it does give DoD flexibility on specific programs whose supply chain partners may face unique challenges in becoming certified.

Additionally:

''"The CMMC Program’s assessment phase-in plan, as described in § 170.3, does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts."''

=== Security Protection Data ===
When Cloud Service Providers (CSPs) only handle security protection data (SPD), and not CUI, the application or service would be treated like a security protection asset (SPA).

=== Security Protection Assets ===
The Final Rule now suggests that Security Protection Assets (SPAs) will be assessed against security requirements that are "relevant to the capabilities provided."

''"If an OSA utilizes an ESP, including a Cloud Service Provider (CSP), that does not process, store, or transmit CUI, the ESP does not require its own CMMC assessment. The services provided by the ESP are assessed as part of the OSC’s assessment as Security Protection Assets."''

=== External Service Providers ===
The Final Rule clarifies the difference between Cloud Service Providers (CSPs), External Service Providers (ESPs), and Managed Service Providers (MSPs).

ESPs (regardless of the services they provide) are no longer required to be CMMC-Certified. However, an MSP acting as an ESP may choose to become CMMC-Certified.

The Final Rule suggests that Organizations Seeking Certification (OSC) may inherit controls from in-scope External Service Providers (ESPs) when the ESP is CMMC-Certified.

=== Managed Service Providers ===
The Final Rule clarifies that Managed Service Providers (MSPs) do not need FedRAMP Moderate to support an Organization Seeking Certification (OSC).

The Rule also allows MSPs to get CMMC certified to avoid being re-assessed for every client.

=== FedRAMP & Equivalency ===
FedRAMP Moderate is required when CUI is stored, processed, or transmitted.

There is still some question on the commentary and verbiage, but it is clear that when a CSP only handles security protection data (SPD), and not CUI, the application or service would be treated like a security protection asset (SPA).

=== Virtual Desktop Infrastructure ===
Virtual Desktop Infrastructure (VDI) language was added to remove the endpoint from scope if the endpoint is not processing, storing, or transmitting CUI.

Assuming appropriate technical controls prevent data transfer, the "dumb client" (the computer you open the virtual desktop from) can be kept out of scope.

=== Assessors and the Training Community ===
The minimum number of assessors per third-party assessment has been expanded from 2 to 3. Additionally, a Lead CMMC Certified Assessor (CCA) is required, along with at least one other CCA. This will likely increase the projected costs of assessments.

CMMC instructors are now prohibited from also consulting. Additional clarification is expected on this.