Last updated on September 1st, 2023 at 05:08 pm
The Cybersecurity Maturity Model Certification (CMMC) sets a new minimum bar to hit if you want a shot at doing business with the Department of Defense (DoD). That means that CMMC compliance is likely at the top of your cybersecurity list and you’ve probably already done at least a little research.
As you may have noticed, one of the more difficult controls those pursuing CMMC Level 3 and up must meet is keeping a detailed log of all devices. Some levels even require 24/7 monitoring of these logs. Talk about a herculean task!
In this on-demand webinar, Darren Cathey, Sales Engineer at LogRhythm, and Scott McDaniel, Vice President of Technology at Simple Helix, go beyond understanding CMMC! They discuss:
• A quick overview of the CMMC standard
• How LogRhythm’s set of out-of-the-box content can help you move through compliance before the 2026 deadline
• How to make keeping track of your log files easy
Watch this fireside chat today and discover the less arduous path to CMMC compliance that has resulted in a perfect DCMA High Audit Score of 110 for a Simple Helix customer!
Transcript: Conquering CMMC
Natalie Omiecinski: All right. Hello, and thank you for joining us for today’s webinar, Conquering CMMC; Tackling the Most Difficult CMMC Controls. My name is Natalie Omiecinski and I’m LogRhythm’s digital marketing specialist. I’m going to pass things over to our fine presenters today, Darren Cathey and Scott McDaniel, in just a minute. But first, I have a few housekeeping items I want to run through.
There are a couple of things for you to keep in mind throughout the broadcast. First, everyone is muted to ensure audio quality. With that said, we’re here to answer any questions that you have, so if there’s anything you’d like to ask our panelists related to today’s topic, please feel free to send questions through the chat at any time. We’ve built time in specifically for Q&A at the end of the presentation, but again, you’re welcome to submit questions at any time.
Lastly, I’d like to direct your attention to the attachment section of this broadcast. We’ve included several additional free resources for you to download, so please check them out and we hope that they are useful to you. Our agenda today is pretty straightforward. We’re going to have our speakers introduce themselves. They’ll get into the meat of the presentation talking about CMMC compliance, and they’ll discuss ways that LogRhythm and Simple Helix can help. Then we’ll dive into Q&A. With that, I’ll pass it over to our presenters today to introduce themselves. Darren, would you like to kick us off?
Darren Cathey: Great. Yes. Thank you, Natalie. Can you hear me okay?
Natalie Omiecinski: Yeah.
Darren Cathey: Terrific. Terrific. So welcome everybody. My name is Darren Cathey, Senior Systems Engineer with LogRhythm, and I’ve actually been here about two and a half years now. I have to update my slide. But I started my career as a programmer, worked up through marketing, technical marketing, technical sales, sales, and have done some management, both at large companies, small companies, and you can see the list at the top there, but a wide variety of experience. And I have to say LogRhythm is definitely an interesting experience because we cover so much of the security world and a lot of the compliances as well. So I’m really happy to be here with Scott from one of our great partners, Simple Helix, talking to you about CMMC today. Scott?
Scott McDaniel: Yeah, so my name’s Scott McDaniel, so I’m Vice President of Technology here at Simple Helix. Started out in my career as an electrical engineer. Ended up in the IT side of the house and have been always on the infrastructure aspect of IT, so more on the disaster recovery, now into the compliance space of IT, but have been doing this now for 20 plus years. And then eventually got to a place with a major telecommunications company that needed to be ISO 27001. Worked and went through that process with that telecommunications company to find out that ISO 27001 is very similar to the NIST 800-171 standard, which has then evolved into CMMC, which has led to my transition to come over here to Simple Helix.
So Simple Helix, we’re — our core business is a data center business, and then we also have an extensive SOC and managed services business that have grown out from the data center and with a ton of experience and expertise centered around the new cyber compliance. And we do that with the medical side along with on the government side.
So to kick the presentation off today, we do have an agenda and we’re going to walk through why it is that we need to do CMMC, why did it come about? What is the evolution of it? Try to describe a little bit about what it actually is and what you, as a business, have to do in order to become compliant with it. We’re also going to talk about how you can take this big elephant and break it down and explain the structure of it. And then eventually, Darren is going to come back into the conversation and we’re going to talk a bit about how LogRhythm fits into this entire puzzle, and then how LogRhythm can also make the logging a little bit easier for meeting the CMMC requirements and some things there.
And then we want to also answer questions at the end, but I’m also going to encourage you to ask questions as we go. So the way that we’ll move forward through these slides is that when I’m speaking, Darren will be looking for those questions and Darren’s going to interrupt me to ask those questions so we get those answered as we’re in that particular topic. And then vice versa, once Darren starts talking more on his portion of it, I’ll be looking for those questions. So please don’t be bashful to ask the questions as we go.
All right, so to kick this off, why CMMC? Why is this becoming a thing? Why are we, as businesses, having to become CMMC compliant? And the answer behind that is that cyber attack and cyber espionage is growing at an expanding, very expounding rate to the tune that it will become a $6 trillion industry this year. And because of that, the footprint of it is just getting so big that the DOD recognizes that while they’ve done a lot to protect the US government and the DOD, we as the contractors and subcontractors, we’re left vulnerable and we need to do something against this growing cyber attack.
The next leg of it is that when you are cyber attacked and the bad guys get your technology or your intellectual property, then that ultimately leads to the loss of human lives. The reason that the DOD exists is that it is a battlefield and technology is a competitive advantage. If the bad guys get the technology, they can use that against us and we incur human loss. And so nobody wants that, and especially within the realm of the work that we all are doing.
As I mentioned, the DOD has done a lot to protect the Pentagon, they’ve done a lot to protect the federal agencies. When we look at where are the cyber attacks actually getting in and where is the data loss actually happening, it’s happening in the DIB. And so as this has matured within the DOD, the DOD has recognized that this maturity needs to get out into the DIB. We need the contractors and subcontractors to come on board with it. And so now the CMMC encourages basically everybody to do better.
So with that in mind, there is that external pressure happening on your business that says, “Yeah, you got to go meet a cybersecurity compliance effort, but you yourself should be wanting to become CMMC compliant too.” And the reason that you would want to do this, even if there wasn’t this external pressure to do it, is that at the end of the day, you need to safeguard your intellectual property. That technology that you’re developing, the work that you pour into coming up with this stuff, it’s imperative to your business and obviously you shouldn’t want anybody else getting that.
CMMC compliance, or really any cybersecurity compliance standard, what it helps do is it helps prevent a bad thing from happening. So on the slide, I say, “Insurance is great, but prevention’s even better.” And so what I’m trying to say there is that, well, if you think about your home, okay, it’s great that you have insurance that would help fix things if your house caught on fire. But what’s better than that? What’s better is not getting your house to catch on fire in the first place. So we do things to prevent those things from happening. Cybersecurity should be treated the same way. Prevention is the best answer. So if there are ways that we can train our employees, if there are ways that we can monitor, if there are things that we can do to lock down the environment to prevent the bad guys from getting in, that’s a much better answer than saying, “Yeah, I’m just going to become a victim and I’ll deal with it after the fact.”
And then dealing with after the fact, if you get some sort of thing that encrypts your files and they want you to pay a ransom. I recently worked with an organization where there were about 35 to 40 employees. They got ransomware. They, ultimately, didn’t do any sort of preventive work, so they had to pay the ransom. The ransom that they ended up paying was $600,000 just to get their intellectual property back because they hadn’t done the right thing. It also became a news story. So now there’s a loss of reputation for that business because now, hey, now they made it in the news. Nobody wants to be in the news.
They also got lawsuits brought upon them because they were unable to fulfill orders. They were unable to meet obligations. There’s all this collateral damage that came from this ransomware attack that ultimately led to suppliers and customers coming back saying, “Hey, you guys didn’t deliver, and we need to have some sort of remediation against that because you guys didn’t deliver on time,” and things like that.
So that’s all to say that, hey, an ounce of prevention is a whole lot better than a pound of cleanup after the fact. So then, okay, hopefully I got your attention. Hopefully you’re going, “Yeah, I do want to do this. I need to do this. I’m starting to feel that external pressure, but I also feel the pressure on the inside.” So what is-
Darren Cathey: Hey Scott.
Scott McDaniel: Yeah.
Darren Cathey: Real quick, we have a question about what does DIB mean and is this defense industrial base?
Scott McDaniel: Yeah, so the DIB or the DIB, that is indeed the defense industrial base. So today, CMMC is focused on the defense industrial base. Going off script a little bit, there is a forecast that CMMC will become a government-wide standard. So it won’t just be a DOD thing, it’ll become federal agencies, FAA, and the postal service and things like that will all adopt it and then even possibly at a much later date, even get into the state level as the cybersecurity standard that we in the United States would rally behind to say that our businesses are compliant.
Darren Cathey: Thanks, Scott. And there was one other comment about a problem with one of the downloads, and we are checking into that for the person who posted that. So thank you for that. And I’ll turn it back to you, Scott.
Scott McDaniel: All right. Yeah. So what is CMMC? CMMC is a cyber compliance model that is designed to protect controlled unclassified information or what we’ll abbreviate as CUI going forward. And so this is DOD’s attempt to bring a cyber compliance standard into the defense industrial base or into the commercial sector, that is derived from work that they have done internally at the DOD.
Now, for some of you, you may have been familiar with the previous cyber compliance model, which is DFARS clause 252.204-7012, and that relies on the NIST 800-171 standard for the list of controls. Eventually, the DFARS 7012 will eventually be retired and CMMC will take its place. And the way that that’ll form up is that in contract you’ll see DFARS clause 252.204-7021, and 7021 relies on the CMMC standard.
And in terms of a timeline, the official full cut over where 7012 is retired and 7021 is now the full new standard, that occurs in 2026. So between today and 2026 is all transitional period, which means that you will have contracts that may require 7012, newer ones will probably require 7021, which basically means between today and 2026, you have to do both.
The ultimate end game of these standards is that, and especially with CMMC, the end game is that we want the defense industrial base or you as a subcontractor or prime contractor to be cyber secure with a third party audit. So with 7012, that was something that you could do internally within your business and… Something you could do internally in your business, you could self attest and say, “Yeah, I did all the checkboxes.” With CMMC, they’re now bringing in a third party auditor to help bring this, to have extra credibility behind it. And so from that perspective, an auditor or an assessor will come in and assess your organization and you will actually get a CMMC certificate upon passing the assessment.
So I saw a question pop in. Is there any connection to 800-53? So yes, there absolutely is. So 800-53, or what you would also hear it called is FedRAMP, so you would hear that as the FedRAMP standard, it is the parent to both the NIST 800-171 and CMMC standards. So a good way to think about it is, think about it in terms of number of controls. So the 800-53, there’s approximately 270 controls in that standard. NIST 800-171 was a pare down or a reduction of those controls to 110 controls. And then with CMMC being an evolutionary step, and we’re about to break into it, but CMMC’s broken into levels. But if we pick the middle level, CMMC level three is 130 controls. But for all practical purposes, the 110 from NIST 800-171, the 130 in CMMC, all those controls would be found inside of 800-53.
So as I mentioned, CMMC is the next evolutionary step. So CMMC is better than NIST 800-171 in a couple key areas. So the first step, or the first reason why it’s better, is that CMMC is not going to be retroactive going backwards into existing contracts that you are already on. So let’s just say you got a new contract that was awarded to you six months ago. It says you need to be DFARS 7012, which is against the 800-171. For the duration of that contract, it will stay NIST 800-171. So there is no, “Hey, I got to go back in the history and become CMMC compliant because of an old contract.” It only shows up on new contracts.
The second reason why CMMC is exciting is because a lot of us have poured a lot of energy into becoming NIST 800-171 compliant, which has 110 controls. All 110 of those controls still exist inside CMMC level three. So all that investment that you made in the past still carries forward and therefore, is not wasted time or energy. So there is no loss of investment because of this new standard. It is a continuous move forward.
As I already mentioned, we’re in this transition period, so CMMC, it’s not just a, “Hey today or yesterday you did it in NIST 800-171, tomorrow you do CMMC.” There is a transitional period. So as you go and start bidding on contracts, you’ll get to see that hey, this contract is going to require a CMMC requirement either in the RFI or the RFP, and therefore, you get to choose and you get some time to react to go get CMMC compliant as opposed to maybe getting into it and then having to very quickly try to get compliant because you already made a commitment. So there’s a great advantage that you now get to control your destiny with becoming compliant as you work through this transition period.
Now, when you get into the CMMC standard itself, one of the great improvements is that they took all 100… So at the highest level, CMMC level five, there’s actually 170 controls, but they’ve broken them into five levels. And we’re going to talk about the five levels a little bit more, but as opposed to NIST 800-171, which was an all or nothing compliance model, now there’s some more fine grain control over which controls you may or may not have to meet.
So what I mean by that is, hey, maybe you’re a nuts and bolts supplier. There’s not a lot of intellectual property in a nut or a bolt, so maybe you have to just meet CMMC level one. But as you get more technically advanced in the contract, maybe you’re doing some sort of AI work or machine learning work around satellite images. Well, satellite images are going to be CUI, so those satellite images are going to have to be protected. You’re going to be making some intellectual property on how to process those images. So that’s probably going to drive you more towards a CMMC level three. And so now we’re getting away from this one size fits all, to a, “Hey, let’s match the level of cyber compliance complexity to the complexity of the contract itself.”
So with that, we got some questions coming in. So one person asks, “I’m seeing new government contracts and CMMC sections are not appearing. Do we have a disconnect on this from the people who are writing the contracts and the other sections of government that want CMMC to be implemented?” So maybe the answer to that is maybe not quite exactly like that. What’s more likely happening is that what they’re really doing is they’re rolling CMMC with a finite number of contracts, and it’s probably that the contracts that you’re going after aren’t one of those select few to be CMMC. So like here in the Q1… Well, fiscal year, Q1 and Q2, calendar year Q1 and going into Q2, they’re releasing 75 contracts that’ll have a CMMC level one or a level three in them. So if you think about the thousands and thousands of contracts, the ability to get one of those 75 is really low, but it is happening.
The other part of it is that COVID happened. So the third party assessors, their training got delayed all the way back in the April and May of last year. So April and May of last year actually became like August and September of last year. So you’re looking at maybe a six-month delay. And so that whole delay has carried forward. And so the rollout is happening a little bit slower, but that’s a result of COVID as opposed to, hey, the actual CMMC rollout getting delayed.
Let’s see. So one of the other questions is, “So for procurement, what should we look for in third party providers?” All right, yeah, we’ll get to that here in a little bit. And then, “Do they have a user end certification that can be taken for CMMC like a Cisco or a CompTIA?” Yes and no. So at the end of the day, it’ll be the CMMC advisory board who will have the authority to certify people. There will be people that will become assessors, so they will become known as C3PAs, and they work for an organization that is third party assessed. So that becomes a C3PAO, for organization.
And then folks like Darren and myself who, we aren’t actually interested in being assessors, we don’t want to go do the audit, but we want to be certified against the standard and say that yes, we are actual certified individuals. What we do is we become registered practitioners, and then our organizations would get that certification of an RPO. So for myself, I’m working through the process of becoming a registered practitioner, but I have no interest in becoming an assessor myself, so I’ll have that option available.
All right, so let’s move on. So yeah, so common questions that I personally hear when I’m working with folks like yourself, is who must comply with CMMC? Very quick answer. At the end of the day, everybody that is working in the defense industrial base, you will have to become some level of certification. Realistically, the way that forms up is that everybody at a bare minimum will have to be a CMMC level one. Portions of us that do engineering type work, you could expect to be a CMMC level three. Only the primes, the major primes, the Lockheed Martins and the Raytheons of the world, those will be at level five, but they’re expecting only 10% of the defense industrial base having to be at level five.
Who enforces CMMC? This one, ultimately, is done externally from the government. So there’s the CMMC advisory board, and then you’ll have a certified third party assessor do your certification process.
How long does certification last? So it varies depending on the level. So level one is an audit every three years. As you move up to CMMC level three, that becomes an annual audit. And then the annual audit continues through levels four and five.
What if we’re not CMMC certified? So one of the… This is a change that occurred actually last June. So originally, you couldn’t even bid on a contract that required CMMC unless you had your CMMC certificate at the time you submitted for the RFP. In June, that actually changed. So now you can see the RFP, you can bid on the RFP, but you must be holding a certificate at time of award. So what we’re advising customers is that you want to start on your CMMC journey before you get there because if the contract gets fast-tracked, you may only have three months, and three months is a very small window of time to go from not being CMMC certified, to doing a technical implementation, to also getting that auditor scheduled to come in to actually get your certificate.
And then when will certification be required? I just covered that. So certification’s required at the time that the contract would be awarded.
So then some of the questions that this brought up, which is… So one of the questions was, “Okay, well DFARS 252.204-7012 relies on NIST 800-171 as the premise behind it. Then what is the transition for CMMC?” So CMMC, what they did was they heavily used NIST 800-171, but they also went and grabbed and cherry picked controls from ISO 27001, a couple of the AR standards, some of quite a few other locations to come together. And then that ultimately becomes the DFARS 252.204-7021. And so 7021 is the CMMC standard, just like 7012 is using NIST 800-171.
Let’s see what some of these other questions popping in. Is it possible to be DFARS… Oh, that one just moved on me. Where did that go? Is it possible to be DFARS, NIST, or CMMC compliant on a cloud network such as Google or Amazon? So the answer to that is it is possible. So for us at Simple Helix, we are seeing a large number of our customers that are going to a cloud-only solution, and that’s a result of COVID. So hey, we were anywhere from a 10 to a 50 person company, we got displaced and worked from home, and now we’re learning that maybe we don’t need the office space.
But when you do go to the cloud, you have to be careful about what cloud solutions you use because those cloud solutions will have to be FedRAMP certified. And then even then, things like O365, just because you went to the cloud doesn’t mean that it in itself is compliant. It may have to be configured. So things like what we do at Simple Helix is, yeah, we get you into the right O365 environment and we will perform the labor to do the extra configuration that ultimately makes it compliant.
Let’s see here. All of these questions, I’ll get back to at the end because I want to get through some of the structure part of it. So I’ve already made… And I’m going to go quick through this part. I’ve already made reference to the five levels of CMMC compliance. So at the most basic level, like I said, everybody would have to do at least a bare minimum of CMMC level one. That’s 17 practices. As you move up to level two, 17 goes to 72. The sweet spot for most of us is going to be CMMC level three. So that’s 130 controls. So if you are already doing your NIST 800-171, you already did 110 of the 130. So for you, the idea is that this should only be an incremental net add of 20 controls. And then as you progress up to four and five, the number of controls rises, with the maximum number being 171.
So when you talk about, okay, well what are the things that I have to do from an organization, from an IT perspective, around the different levels? What we at Simple Helix will say is, “Okay, well CMMC level one, it has an idea that you have to have some spam filtering in place, users have to have secure passwords, and you need some antivirus in place.” And so we have solutions that go address those. Again, as you move up in the layers, they’re additive. So all 17 controls from the past, plus the new controls to get you up to 72 total controls. So that’s where we say, “Hey, this is all the previous things that you needed from level one.”
The net add for level two is the concept of offsite and offline backups. So this is a fundamental change for CMMC in the sense that in the past, you only had to do a backup. They didn’t prescribe or define that the backups had to be offsite, so you could be doing, take, backups and keeping them within your office space. There wasn’t any restriction there. Now there is. There’s a restriction that your backups must be outside of the same place where the server and the data lives and it needs to be completely offline. So the idea there with the offline is that, hey, I go in at midnight, I run the backup, I completely disconnect so that if ransomware came in at eight in the morning and encrypted everybody’s files, I could still go to last night’s backup and still have unencrypted files, so I could do a restoration without paying the ransomware.
As you move into level three, this is where the LogRhythm portion starts coming into the equation, and I’m going to let Darren start talking about this here in just a second. But at level three, there’s the concept that you now need to be actually capturing log files. Those log files need to be centrally located, and we got to be able to start correlating. So let’s just say you have two different people, they’re trying to hack into their username, that’s why we want to be able to see that hey, two people are getting attacked at the same time and it probably is coming from the same place so that we can then go take protective steps as needed. But here at CMMC level three, the requirement is around. You have to have the tools in place and you’ve got to be able to correlate the events.
As you move into levels four and five, that correlation effort turns from being retroactive into proactive, in the sense that hey, LogRhythm now needs to start sending alerts to somebody. And then at level five, that progresses even further into the fact that we now need a SOC service that is monitoring in a 24 by 7 manner in the sense that, hey, when an alert happens, there is always somebody there immediately available to react to it. So your SOC services become really important at CMMC level five.
So I’ve spent quite a bit of time running through just the high overview. Darren, how about you jump in and start talking about the framework and the domains and those parts, and then where LogRhythm starts fitting into that.
Darren Cathey: Great. Thanks, Scott. I appreciate it. Lots of great questions in the chat. We’ll make sure that we leave some room at the end to get to everybody’s questions as well, but good interaction so far. So we definitely appreciate that.
So yeah, the important thing to know about the CMMC model is that it’s really not just another set of controls or practices, but rather, it really is a maturity model. So while you, you’ve got your domains or categories of capabilities, you also have those five levels of maturity that you got to meet across, not only practices, but also the processes. And to meet a level, in the words of the CMMC, “Companies must demonstrate,” and I quote, “Requisite institutionalization of the processes and implementation of practices for a certain level in all preceding levels to get certification.” So it becomes second nature that you’re doing these proper standards or best practices.
So quick bit of terminology here. Domains are things like access controls, asset management, or audit and accountability capabilities. Let’s take access control as an example. That might include things like establishing system access requirements or controlling internal and remote system access, maybe limiting data access, authorized users, and processes.
And then processes reference the maturity level. And those processes include performance, you’re just performing them, they’re documented, you’re managing them actively, you’re reviewing them actively, and then you’re optimizing for best practice.
And then finally, the practices are the actual controls in place to fulfill that level of maturity. An example of a process would be to limit system access to authorized users only or limit use of supportable storage devices on external systems. And to do these practices, you have to be doing the log management and you have to be monitoring for these types of activities.
So today, with the current version 1.02, there’s about 17 domains with 43 capabilities, five processes with five levels, and then 171 practices or controls. So as Scott mentioned, it’s really not something to be taken lightly, but definitely something to prepare for and get ready for the assessments. There’s a limited number of certified assessors right now. There’s a large number of members in the DIB community, so it’s obviously going to take some time to work through all of those different companies.
So let’s move on to how LogRhythm is supporting customers with CMMC requirements. And LogRhythm distributes content in the form of what we call knowledge modules. And these modules can range from certain threat categories, user threat, host threat, et cetera, network threats, to different compliance regulations. And so we began working on our CMMC module early last year, and we’re able to leverage other modules we had created for NIST and DFARS already.
And then we created this great mapping from CMMC to DFARS and NIST controls for reference for our customers. And this is actually available on our company website for download. It’s in an Excel format. You’ve got filters on the column, so it’s easy to zero in on what you need if you’re looking for a certain CMMC level, plus it gives a great visual as to what’s covered at each one of the practice levels. So you can see the main domain on the left, the level which you can filter on, the controls, the description, and then how it relates to the other controls and the other standards.
And so I mentioned a little bit about our knowledge modules or our content packages, and we provide a ton of different modules. Again, user network or endpoint type of threats, to phishing, to retail, and of course compliance. And on the right is just the list of the compliance modules that we provide out of the box. Unlike some of our competitors, they’re not separately priced, but the batteries are actually included with the product. You get all of them. And then introducing our newest compliance module for CMMC, this module includes all the mappings to the existing compliance modules. A lot is already contained in our consolidated compliance framework and which correlation rules or investigations or reports are applicable to each control and practice. And then we provide great documentation, deployment guide, user guide, so it’s an easy configuration and setup and use.
So let’s take a look at a little bit of the content in these modules. We can start with the requirements section of the CMMC module, where, on the left, you see the actual control, and then next to that you see the rules, the alerts, the investigations, and reports that are actually going to help you satisfy that control or practice. As mentioned earlier, you’ll see the preface for CCF, or common compliance framework, that a lot of CMMC is based on, just packaged into a model for CMMC specifically.
And here’s the same type of information only organized by actual correlation rules. And so it provides a description of the rule and what controls and practices it helps support. One unique differentiator for LogRhythm is the common metadata fields we use to enhance log data and identification. And so these include a common classification, which may be something like authentication failure, and a common event, which may be something like authentication failure due to a bad username or a bad password.
The advantage this gives us is that we can provide correlation rules out of the box using these common metadata fields without having to worry about what the underlying device actually is. So we don’t have to care whether it’s a Windows box or a Linux box or a Cisco firewall or a power firewall. We just know it’s an authentication failure. Those metadata fields are added as we process logs in real time. And as a result, we’ve got over 1600 correlation rules that are available out of the box, ready to enable as you see fit. And this provides our customers and our partners a faster time to value, and a faster time to implementation of certain modules like CMMC, because it’s all content available out of the box.
And finally, here’s similar information by report, so which report helps with which controls and practices. And as Scott may have mentioned earlier, you’re going to have to prove that you’ve addressed the different practices within your environment. And so having these reports readily available is going to save you a great deal of time and effort in certification and audits. Remember the CCF access failure summary report. We’ll see a sample of that here shortly.
And so just like we have, we support over 1000 different log sources, we have over 1600 correlation rules. Reporting’s no different. We literally have hundreds of reports that are available out of the box. And so what you’re looking at on the screen is a good sampling of the common compliance framework reports applying to CMMC that are provided. And I promised you a sample report for that access failure summary, you can put your own logo on there. We don’t need the free advertising. So a wealth of reference documentation capability is in our CMMC module that either DIB companies or third party implementers can take advantage of to help get to certification quicker and more efficiently.
And so LogRhythm has great content based around CMMC and helping companies implement the specific practices, but really, it’s a log management platform, or the SIEM, that meets the basic requirement for log management and monitoring. So let’s talk a little about what that platform is and some of the capabilities provided. I think one of LogRhythm’s key differentiators is the combination of a leading next generation SIEM, along with that broad set of content, including CMMC, helps them meet key compliance requirements, plus it helps them run a more efficient SOC.
And at the heart of LogRhythm is a separate group within LogRhythm called LogRhythm Labs. And they’re best described by their vision. So they research and deliver world-class security, compliance, intelligence, and operational risk content to protect our customers from damaging cyber threats, meet their compliance needs, and reduce their operational risk. And this is really key. It’s all that content, the research into the new threats that are popping up all over the place, the correlation rules to detect those threats, and then how you go about mitigating those threats within your environment. And of course, keeping up with all the compliance directives as well, MITRE ATT&CK and CMMC, all of that content has to be created and maintained over time.
Sorry about that. From a platform perspective, LogRhythm’s NextGen SIEM platform, as I said, provides log ingestion for over 1000 different log sources. That gives you that unprecedented visibility in what’s going on in your environment. On top of that, we’ve got our strong correlation capabilities that feed into both scenario-based and behavioral-based analytics. Again, out of the box, based on those common metadata fields we’re enhancing the log data with. And then that’s topped off with SOAR capabilities built into the platform, case management, playbooks and automated response. And this serves to create this seamless workflow geared to reducing the time it takes to detect threats within your system and then reducing the time it takes to respond to threats within your system. And then all wrapped around the rich set of content we provide, including CMMC.
And then you take Simple Helix, who can use all of this content and help our customers get to CMMC certification quicker and more efficiently. So Scott, at this point, maybe you can describe how does Simple Helix help companies achieve CMMC?
Scott McDaniel: Yeah, so obviously, LogRhythm is a very critical piece in our way of getting an organization to that CMMC compliance. And so where we fit in on this is that we like to be the technical implementers. So LogRhythm is the tool where we fit in as then saying, “Okay, well maybe you don’t want to keep up with the weekly log reports. You don’t want to have to keep up with going through and finding out what are the security vulnerabilities that maybe need to go get addressed on a firewall or somebody’s laptop or desktop,” things like that.
So we layer in the managed services. And so with that in mind, here in this particular slide, you can see a picture of our security operations center, which we combined a network operations center and a security operations center into the same facility, because behind the wall there on that big screen is our tier three data center. So if you need to maybe get some server equipment out of your office space and get it into a much more secure, much more redundant facility, why, we can accommodate that. And then switching back to the LogRhythm around it, we can carry and we can offer packages around CMMC level three, CMMC level four, and CMMC level five.
So with that, we do have quite a few extra questions that did come in, and of course, I had some questions that came in and I wanted to get through the rest of the content. So Darren, you mind if I just took a brief moment and went back and circled through a couple of those?
Darren Cathey: Yeah, absolutely. And there was one good one in there about LogRhythm correlation rules. Is there any review of somebody’s SIEM’s correlation rules by a government agency so they can get certified as an approved rule? Have you heard of anything like that?
Scott McDaniel: I have not yet. Where I’ve been in that process has just been around that C3PAO or the RPO programs. So as far as being able to get more granular than that, I have not heard of that yet.
Darren Cathey: I haven’t either, but it’s a great question.
Scott McDaniel: Yeah, absolutely. And then one of the other questions that came up, one person said, “Hey, can you repeat how long a certificate lasts for the level one and two, but then also going up into level three?” So from that perspective, in the early days of the CMMC standards, as we were coming through versions 0.6 and 0.8, there was a concept that there would be a different level of duration or expiration around how long a certificate lasts.
So in the early days, it was like, okay, yeah, a CMMC level one will be good for three years, CMMC level three will be good for a year. I just went and double checked my facts real quick, and it is right now, that they’re saying across the board, expect it to be the certificate lasts for three years. So they look like they’ve removed the, hey, something happens for different levels. The official guidance right off the DOD website right now is that regardless of the level, the certificate’s good for three years.
Let’s see. So then there was another question in there about what are some of the gaps or the gap controls between the NIST 800-171 up into the CMMC? What are the 20 new controls? That’s actually easier to define. I actually have a spreadsheet where I can show you that, so you can see the specific 20 controls. That would be better described in a spreadsheet than to talk through it.
But then also, well, what if I relate it back up to the NIST 800-53? And again, that goes back. That spreadsheet’s going to be a whole lot bigger because, like I mentioned, the NIST 800-53, it’s 230 plus controls, where CMMC is 171 at the most. So the delta there is just bigger.
For procurement, what should we look for in third party providers? So as you’re out there shopping for the likes of Simple Helix and others, obviously you want to ask questions about how they’ve done CMMC implementations or NIST 800-171. So for me personally, we worked with an organization that went through a NIST 800-171 audit with the DCMA. And so that was a high level audit. We learned quite a bit from it.
What I can tell you is that company came out the other side and they are submitting a perfect 110 score into the SPRS website. Realized that their audit had to… The DCMA audit was triggered by something other than having to do the SPRS interim scoring card. But you definitely want to ask questions around that. You want to see if they’re planning to become a certified third party assessor or becoming a registered practitioner organization and then asking for any demonstration of previous work around it.
As you look for cloud providers, your O365, or maybe you’re doing something with Autodesk in the cloud, those solution providers, they will have to be FedRAMP certified around their cloud offering, and that’ll be something that you’ll need to look for. So as you go through, maybe you put your ERP in the cloud or maybe your HR functionality in the cloud, those will have to be FedRAMP certified, which some of the major players in that space, they already are.
Here’s a great question. What level would a university that does some DOD research need to meet? So I actually like this question because not only does my answer apply to a university, but it would also apply to a commercial organization that is predominantly commercial with maybe a little arm of the business in the DOD space. And so the answer is you got to sculpt and understand who is and who is not touching CUI. And so from that concept, you’ll hear folks say, “Well, we created an enclave for those that do the space.”
So I’ll give a small example of how this can be addressed. So I was working with a company, they were all commercial. They were about 30, 35 employees at the time. They got on a small business government contract to do some machine learning. So their intent was that they would have two engineers work through the machine learning. And of course, the CEO of the business goes, “Oh my gosh, my whole business has to be NIST 800-171, and all 35 of us are going to have to become compliant, and this is going to be really expensive. And all I really wanted was that incremental business for those two software engineers.”
And so scoping, scoping, scoping, scoping is the key word in that you got to scope and go, “No, no, we’re going to create a system security plan. It’s going to be focused around, in this case, the two engineers.” And so we started creating a solution that… Basically, what ended up happening in this particular case is we ended up setting a Linux PC up inside a room inside a room, so there was two physical door locks, with an extra firewall, and basically those two engineers had to go work on that small contract in that room, and the data didn’t leave the room.
And so there are ways that you can scope what is and what isn’t out of bounds. And that becomes very important because the whole university doesn’t have to go get compliant. It’s the department, maybe it’s the research, the staff and the students that are part of that contract, they will have to have a space to do that, and that space will need to be compliant, but not the whole university has to go there.
And Darren, if there are ones in here that you want to answer, why, jump in.
Darren Cathey: No, there’s a couple in there though. One was, “Please note that those auditors are only trained to assess level one, nothing for level three yet.” And then an associated question, how can a company get certified if there are no certified auditors? Is that true that there’s only auditors for level one right now?
Scott McDaniel: So there are auditors that… So there’s about 65 auditors that, what I would call, a wave one that did get certified against CMMC level three, but at this time, I’m not aware of them actually doing a CMMC level three audit yet. But there’s only 65 of them in the whole country. Now, there are others that are going through the training process right now. I don’t have any visibility into knowing how many individuals are in that training class, but the idea is that the highest level that you’ll be able to go get certified in 2021 as they become available throughout this year, will be level three. That will be the absolute highest.
So I know I’ve worked with folks that have come to Simple Helix and they go, “Yeah, I’m gung ho. I want to go be a CMMC level five.” And we turn around and go, “Well, that’s great, but nobody can certify you against that. So why would you incur that expense and the ongoing support and maintenance of it if you can’t even get certified for another whole year?” But going to CMMC level three is something that you should be able to get certified against by the conclusion of this year.
Darren Cathey: Got it. Another good question, where can one get training and certification to become a CMMC registered practitioner?
Scott McDaniel: Okay, so that one, you would go to the CMMC advisory board, so that’s cmmc-ab.org. And when you go to that website, they have the path towards doing it. So like myself, I’m in there going through that process right now. So for a company to become an RPO, there has to be at least one registered practitioner. So you have to go and answer the questions and pass basically a test to become a registered practitioner that then lets the organization advance into the RPO program. So when it comes to the RPO portion of it, that’s relatively new, and so there’s a finite number of folks that have already made it through it. And of course, the rest of us, we’re working to get through there as quick as possible.
Darren Cathey: Great. There’s a number of other questions out there. I’ll let you pick your favorite. Natalie, how are we doing on time?
Natalie Omiecinski: We’re doing good. We can extend the session by a few minutes if needed, if there are some must hit questions. Otherwise, we’ll get these questions into the hands of people who can answer them and they can reach out to you directly as well.
Scott McDaniel: Okay. Yeah, so I’m just scanning through the questions. All right, so here’s another one. Everyone always talks about Microsoft O365 and O365 GCC High. Are there alternatives out there? So I will say yes, there are. And the way that… I will say that when it comes to looking at the CMMC standard, it’s not prescriptive. So they don’t tell you, you have to go use O365 in a certain way. It just says that you have got to come up with a way to meet the intent of the control. And so from that perspective, let’s go have a conversation around that because you do have options, and sometimes you can solve the control through either educating your employees, or you can solve it with a technical solution, or maybe you do both. And it depends…
There’s a lot of things that go into making that decision. Do you trust your employees to actually follow process? Do you want to change the culture of your business because of this new technology getting introduced? There’s all sorts of variables, and so you have to work your way through that to get to the right answer for you and your business. But yeah, there are multiple ways of doing that and would love an opportunity to talk about some alternative options around it.
For the purpose of this conversation, the one thing that you absolutely need to do CMMC level three is that SIEM solution. So that one, you can’t get away from, and so LogRhythm would obviously be the great fit there.
All right. I think that I see some other… Let’s see. Oh, one person asked, “Repeat the link for the CMMC advisory board.” So yeah, cmmc-ab.org. So yeah, just think of the abbreviation for CMMC-, advisory board, .org, and that’ll get you there.
All right. Yeah, I think we’ll take the rest of the questions offline and make sure that we follow up with the folks that asked those questions. So with that, Natalie, I’ll turn it back over to you.
Natalie Omiecinski: Wonderful. Thanks again everyone for joining today’s webinar. We hope it was valuable. There was great participation. We will follow up on any questions that are outstanding here. If you have any additional questions that you would like to chat with us about later in your day, please feel free to either email us at email@example.com, or you can connect with us on social media as well.
As a final reminder, please make sure to check out the attachment section of this page for some extra resources. They’ll remain available even once we bring the webcast to a close. And we’ll also send additional resources in some follow-up communications with you all as well. But that’s everything I had. Thank you Darren and Scott. And everybody have a great day.
Darren Cathey: Thanks, Natalie.
Scott McDaniel: Yep, thank you.