This page collects the latest CMMC documentation and a specific set of resources to send to a Client team.
Clarity employs internal and external teams to deliver CMMC Level 4 or Level 5 protection on request for Client teams. This can include ongoing, SLA-backed proactive hardening and patching, ongoing support, detection, and response. The document below details some of the options the Clarity team can bring to bear to deliver this. Note that these options are a high-level overview of only a few of the choices available for configuring a CMMC level that matches your business's needs.
The diagram below shows the CMMC Maturity Process Progression as outlined in the US DoD CMMC v1.0 public briefing: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf

The diagram below shows the CMMC Maturity Practice Progression as outlined in the same US DoD briefing: https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf
The Clarity team partners with enterprise hosting partners to establish and follow blueprints (step-by-step guides) that those partners have validated to meet or exceed specific CMMC levels.
The following overview is adapted from the Microsoft Azure Government blog series on CMMC with Microsoft Azure:
https://devblogs.microsoft.com/azuregov/cmmc-with-microsoft-azure-access-control-1-of-10/
What is Cybersecurity Maturity Model Certification (CMMC)?
The Defense Industrial Base (DIB) is charged with implementing Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. DFARS 7012 requires organizations supporting the Department of Defense (DoD) to implement NIST SP 800-171, and requires any external cloud service used to store, process, or transmit covered defense information to meet controls equivalent to the FedRAMP Moderate baseline. DoD has mandated CMMC, with periodic assessments, to strengthen cybersecurity across the DIB. CMMC builds on DFARS 7012 by verifying an organization's readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), such as International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) export-controlled data.
CMMC extends beyond the prime contractor to subcontractors, partners, and suppliers. The framework is intended to drive a critical-thinking approach to comprehensive security. CMMC v1.0 specifies five maturity levels, from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Advanced/Progressive). Certification levels are determined through audits by independent CMMC Third Party Assessment Organizations (C3PAOs).
What preparation is required for CMMC alignment of access control management?
Compliance is a shared responsibility between the customer and the Cloud Service Provider (CSP). The shared-responsibility graphic in the Microsoft blog post shows the split across deployment models (on-premises, IaaS, PaaS, SaaS), with dark blue marking customer responsibility and light blue marking CSP responsibility. For example, Physical Protection (PE) requirements such as limiting physical access (C028) are handled by the CSP, while establishing the corresponding policies and procedures remains the customer's responsibility. Note that the Microsoft blog series covers the foundational controls for CMMC Maturity Levels 1 and 2. Once C3PAOs are accredited by the CMMC Accreditation Body, customers should work with their C3PAO for guidance on comprehensive control alignment, audit, and certification.
Customer Policy Responsibilities
The administrative controls for the CMMC Access Control maturity capability (AC-MC) are listed in the Microsoft blog post and fall within the customer's responsibility. They start with establishing a policy that includes access control (ML1) and progress to reviewing and measuring access control activities for effectiveness (ML5). These controls should be formally defined, documented in the System Security Plan (SSP), and implemented within the organization.
This section outlines the security measures that must be taken immediately, as a requirement for the initial launch of the platform. Scheduling of the work and acknowledgment of the invoice are needed before a CMMC SLA can be executed.
Clarity proposes that all server settings be audited for compliance with the Azure CMMC recommendations, using the Azure Blueprints for NIST SP 800-53 and NIST SP 800-171 R2:
https://azure.microsoft.com/en-us/blog/new-azure-blueprint-simplifies-compliance-with-nist-sp-800-53/
https://devblogs.microsoft.com/azuregov/azure-blueprint-for-nist-sp-800-171-r2-is-now-available-in-azure-government-and-commercial-clouds/
Clarity proposes full hardening of the application to ensure it is capable of meeting the compliance requirements.
To validate the initial hardening, Clarity requires time to perform authorized, purposeful attempts to bypass or 'hack' the system's security controls using common exploitation methods, against an agreed scope.
This section outlines the security measures to be taken as a continuous effort. Security audits can be scheduled quarterly; the scope of follow-up work is driven directly by the findings of each audit.
Clarity recommends ongoing reporting, auditing, and remediation planning. This includes, but is not limited to: reporting on all CMMC-related required activities that occur within the system; auditing required and recommended areas of interaction with the system; and resolving potential risk areas before they become an actual security (or other) issue.
Clarity requires that issues and risk areas identified by continuous auditing are resolved through further hardening.
After each audit cycle, Clarity requires time to repeat authorized, purposeful attempts to bypass or 'hack' the system's security controls using common exploitation methods, to confirm that the hardening holds.