Welcome back to part 14 of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems, and today we will continue our discussion of the 17 CMMC domains as we help you in your efforts to be CMMC ready. If you remember, we discussed system and communications protection last time. Today we’re going to discuss system and information integrity, or SI for short. Remember that CMMC is about protecting controlled unclassified information, or CUI, which includes limited distribution (lim-dis) and FOUO (For Official Use Only) information.
So, where are we in our journey through these CMMC domains? Let me catch you up: we’ve already reviewed 13 domains in my previous blogs, so if you’ve missed any of them please go back and get caught up. All of these domains connect and relate to each other, so they are complementary, and it is important to look at them all in context as one group of 17 domains. As we move on, think in those terms and build that overall understanding of the domains within that context.
As a refresher CMMC (Cybersecurity Maturity Model Certification) has five levels with five being the most stringent. Contractors and subcontractors will all need to have a minimum level one, but prime contractors will need a minimum level three. SI has four level 1, three level 2 and three level 3 practices that we’re going to discuss today.
The SI domain contains 13 practices overall. Today we will address only the first three CMMC levels, which encompass 10 practices, while focusing on these four capabilities: identifying and managing information system flaws, identifying malicious content, performing network and system monitoring, and implementing advanced email protections.
So, let’s look at the four level 1 requirements. The first practice requires you to identify, report and correct information and information system flaws in a timely manner, which makes sense. Software vendors typically release patches, service packs, hot fixes, etc., and you want to make sure that your software is up to date. When your software is not up to date you expose yourself to increased vulnerability to a cyber-attack, so please, please keep your software up to date. You must develop a policy that requires checking vendor websites for flaw notifications every week or sooner. The policy should require that those flaws be assessed for severity and patched on end user computers at least once a week and on servers at least once a month. You should configure your systems to check for updates weekly or daily, depending upon the criticality of the software, and you should review available updates and implement the applicable ones according to your defined schedule. Not ensuring your software patches are applied can increase your cyber vulnerabilities.
The second level 1 practice requires you to provide protection from malicious code at appropriate locations within organizational information systems. You must make it a top priority to protect your company’s information from viruses, spyware, etc. I think we all are aware that, as I’m doing this vlog, the Colonial Pipeline ransomware attack is on the news. So, think in those terms: no matter how big or how small you are, you could be the target of a cyber-attack, so be prepared. Part of that solution is to install boundary protections and anti-malware software to protect your systems. Think beyond off-the-shelf products, since you’re also protecting CUI and it may need better protection. Going to a typical electronics store and buying software packages off the shelf may be good for your home systems, but when you’re talking about CUI and protecting intellectual property, your business functions and capabilities, etc., you definitely want better cyber protection on your computers: boundary protection, protection in depth, and so on.
The third level 1 practice requires you to update malicious code protection mechanisms when new releases are available. You should install anti-malware software to protect your computers from malicious code, knowing that malware evolves rapidly. You need to configure the software to automatically check for malware definition updates every day and update as needed. If you own a home laptop computer, which I’m sure you do, you know that you have virus protection on your computer, you have firewalls, and you have a monitoring system built into your software that checks for that and helps to push patches to your system as well. You need to make sure you have that, with a higher level of sophistication, for your business or company. Again, not updating your software routinely will increase your cyber risk.
The last level 1 practice requires you to perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed. Work with your company’s email provider to enable enhanced protections that will scan all attachments to identify and quarantine those that may be harmful before users open them. The worst possible thing you can do is not have training in place for your staff and your team to make sure that they do not arbitrarily click on attachments from unknown or suspicious sources and inadvertently allow malicious code to be inserted into your computer system. So please, please, please make sure you get the training and put those protections on your email within your organization. In addition, you should configure antivirus software on each computer to scan for malicious code every day. The software should also scan files that are downloaded or copied from removable media, such as a USB drive. Most government computers don’t allow you to connect USB drives, and a lot of companies and industries don’t allow that either, but smaller companies probably do not have those same restrictions, and USB drives are frequently used to move data from one device to another. This software will quarantine any suspicious file and notify your security team when that happens.
Now let’s move on to the three level 2 practices. The first practice requires you to monitor system security alerts and advisories and take action in response. You must monitor security advisories every week: review the alert emails and online subscription service alerts to determine which ones apply to your organization and systems, create a list of the applicable alerts, and research what steps you need to take to address them. Then you should generate a plan to review the alerts with your change management group so that the work is scheduled and performed.
The second level 2 practice requires you to monitor organizational systems, including inbound and outbound communication traffic, to detect attacks and indicators of potential attacks. So, look for known indicators of an attack or any anomalous activity within your systems and communication traffic, because these indicators can show up in a variety of places on your network. You should create a list of places to check every week. These include the office firewall logs, the audit logs on the file server where CUI is stored, and the connection log for your VPN (Virtual Private Network) gateway. Conduct additional reviews when you find an indicator or something that does not behave as expected.
The last level 2 practice involves identifying unauthorized use of organizational systems. So, ensure that everyone using an organizational system is authorized to do so and conforms to your documented authorized use policy. If you remember, in some of the previous domains we talked about the requirement for you to develop your corporate policies, and that’s what I’m referencing here. Make sure you use an application that monitors user activity and records the information for later analysis, and review the data from this application for signs of activity that does not conform to the acceptable use policy. There are times when you might get an alert from your intrusion detection system, also known as an IDS, that one of your users is connecting to a server that may be in a high-risk domain. That is not necessarily a cause for alarm, but you do need to investigate to determine that it’s not an unauthorized connection attempt. If it is, add the domain to your list of blocked domains to prevent future connections and head off a potential attack from a non-trusted source.
So let’s move on to level 3. The first level 3 practice requires employing spam protection mechanisms at your information system access entry and exit points. Monitor for any significant increase in the amount of spam entering your network. You should implement a filtering capability to reduce the number of unsolicited emails that reach your users’ inboxes and to block potentially harmful emails, including phishing emails and attachments, from reaching your end users. Create a spam mailbox to which users can forward spam emails that make it through the filter.
Periodically review that spam mailbox and use those messages to improve your rules for filtering out spam in the future. Add outbound spam protection as well, since your email servers could otherwise be blocked by other organizations. Implement outbound protections that allow you to trace potential spam email originating on your network to a specific user and machine. Keep in mind that if you work with the federal government, their spam blocking rules could inadvertently block you, as a defense industrial base (DIB) member, from accessing their networks. Government networks frequently block DIB emails, so be aware that your spam block rules may be affected as well.
The second level 3 practice is about implementing email forgery protections. Add protections to ensure you are blocking as many unwanted and harmful emails as possible. Configure a DMARC policy that enables both SPF and DKIM on your domain. Configure an SPF entry in your DNS configuration so that you explicitly authorize the servers that can send email for your domain, and ensure relevant outbound emails are signed using DKIM. So that was a lot of acronyms, and I’m going to pause for a second while you look those up to figure out what they actually are… no, just kidding, I will tell you what they are:
DMARC is Domain-based Message Authentication, Reporting and Conformance. SPF is Sender Policy Framework. DNS is Domain Name System, and DKIM is DomainKeys Identified Mail. So see, you didn’t have to look it up.
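To make the SPF, DKIM and DMARC configuration concrete, here is an added example (not from the vlog or from Sabre Systems) that puts a weak set of DNS TXT records beside a hardened set for a hypothetical domain and checks each for the gaps that matter: an SPF record ending in +all, a missing DKIM public key, a DMARC policy of p=none, and no reporting address. The domain, selector name and record values are constructed for the example; the DKIM key is a placeholder.

```python
# Constructed DNS TXT records for a hypothetical domain. WEAK_RECORDS is what a
# half-finished rollout often looks like; HARDENED_RECORDS is what the practice
# asks for. The DKIM public key value is a placeholder, not a real key.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailprovider.example +all",
    "_dmarc.example.com": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

def parse_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' (DMARC and DKIM record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain: str, records: dict, selector: str = "sel1") -> list:
    """Return human-readable findings for gaps in the domain's SPF, DKIM and DMARC setup."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record, so any server can claim to send as this domain")
    else:
        last = spf.split()[-1]              # the final mechanism decides unlisted senders
        if last in ("+all", "all"):
            findings.append("SPF: ends with +all, which authorizes every sender on the internet")
        elif last not in ("-all", "~all"):
            findings.append("SPF: no explicit all mechanism, so unlisted senders are treated as neutral")
    dkim = parse_tags(records.get(f"{selector}._domainkey.{domain}", ""))
    if not dkim.get("p"):
        findings.append(f"DKIM: no public key published for selector {selector}, so signatures cannot be verified")
    dmarc = parse_tags(records.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record, so receivers have no policy to apply")
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: p=none only monitors; mail failing SPF/DKIM is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so aggregate reports from receivers are not collected")
    return findings
```

In practice you would feed check_domain the TXT records you actually publish (a DNS lookup rather than the dicts above) and work the findings list down to empty before moving the DMARC policy from none to quarantine and then reject.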
The last level 3 practice requires utilizing sandboxing to detect or block potentially malicious email. Verify all attachments and URL links in company emails: set up an isolated environment in which all email attachments and hyperlinks are executed before they are transmitted to the end user. This gets back to the comment I made earlier about phishing emails. It says click here, and unfortunately people click on it, not realizing it may be from an unauthorized sender, and then they have inadvertently compromised their computer with malicious code being inserted, etc. So use the email sandbox to observe what happens when the attachment or link opens. By testing these files in a sandbox you are able to prevent the entry of malicious content through email attachments or URL links. Files are delivered to the end users only once they have been tested and determined to be safe. An email that is not determined to be safe is blocked from being delivered to the end user. Keep in mind that phishing emails can also be detected just by looking at the email address. It may look like a legitimate email address until you click on it and see that it is not really from a trusted sender. I have seen that any number of times. Periodically I’ll get emails from Bank of America that say I need to log in and change my password, but when you actually click on the sender’s name, Bank of America, it comes up with a long email address that you know is not authentic and probably not even from the United States. So the easiest way to check on that is to click on the sender’s name and see what it says, and that’s a pretty quick indicator as to whether or not it comes from a legitimate source.
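The sender-address check at the end of that practice, written as an added example rather than anything from the vlog: it separates the display name from the real address in a From header and flags messages whose display name carries a brand whose mail does not come from the domain actually used. The sample headers and the brand-to-domain mapping are constructed for the example and would be replaced by the organization's own list.

```python
from email.utils import parseaddr

# Constructed From headers as they might appear in an inbox; none are from
# real messages. The second one is the pattern the post describes: a familiar
# display name in front of an address that has nothing to do with the bank.
SAMPLE_FROM = [
    "Bank of America <alerts@bankofamerica.com>",
    "Bank of America <secure-login@account-verify.example>",
    '"Payroll Team" <payroll@example.com>',
]

# Hypothetical allowlist maintained by the organization: brand wording that may
# appear in a display name, mapped to the domains that legitimately send as it.
EXPECTED_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "payroll team": {"example.com"},
}

def split_from(header: str):
    """Return (display name, domain of the real address) for a From header."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain

def display_name_mismatch(header: str):
    """Return the brand name shown in the display name when the real sending
    domain is not one of that brand's expected domains, otherwise None."""
    name, domain = split_from(header)
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None

def flag_headers(headers):
    """Filter a batch of From headers down to the ones worth a second look."""
    return [h for h in headers if display_name_mismatch(h)]
```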
So those are the 10 practices and requirements for SI. By applying these practices you will improve your system and information integrity. If you’ve already been doing that, you’re already closing in on your CMMC compliance gaps and you’re getting prepared to be CMMC certified. These are things that you should already be doing: fund your CMMC program (I can’t stress that enough in these times of cyber-attacks being reported on the news daily, if not weekly; you should be investing in your company, your organization, your business to protect it from potential cyber-attacks), and become familiar with CMMC in general and with NIST SP 800-171 and 800-53. In our next review we will discuss CMMC practices for access control, or AC. I’m looking forward to seeing you then, and hopefully you will already be applying some of the practices that I talked about today and the ones in the previous vlogs, which I hope you’ll either catch up on if you haven’t seen them or have already been applying.
Again, thanks for joining me today, and I’m looking forward to meeting with you in our next vlog get-together on CMMC. Thank you, I’m Bob Hanley from Sabre Systems. Have a great day!