
CMMC Operations Report

by Cody Dumont
October 14, 2020

CMMC Operations Report Screenshot

The Cybersecurity Maturity Model Certification (CMMC) was developed to create a framework for assessing an organization's implementation of cybersecurity practices evenly across the defense industrial base. Using NIST 800-53 and NIST 800-171 as the baseline, the primary objective of CMMC is to consolidate the two security catalogs into a single measurable framework. Over the next 5 years, starting in June 2020, organizations that create Government off-the-shelf (GOTS) products, handle Federal Contract Information (FCI), or handle Controlled Unclassified Information (CUI) will need to show compliance at 1 of the 5 levels. Only Cyber 3rd Party Accreditation Organizations (C3PAO) will be able to certify whether an organization is compliant. Tenable.sc provides on-prem solutions for assessing Cyber Exposure practices and maps these practices to known assessment regulations such as NIST, CSF, and others. This report provides operations teams with the details needed to assess the current state of the network.

The first step in achieving any level of compliance with CMMC is an understanding of the current environment. The CISO must be able to understand the current state of patch management, system hardening, and the different methods of system classification. This report focuses on a few key CMMC domains: Risk Management (RM), Security Assessment (CA), Media Protection (MP), and Configuration Management (CM). Each of these domains is a starting point into other domains; for example, the CM domain is a prerequisite for assessments into Identification & Authentication (IA) and System & Information Integrity (SI). The CM domain is the basis for the hardening standards outlined by the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and the Center for Internet Security (CIS) Benchmarks. Both sets of hardening guidelines are auditable using Tenable Audit files, and provide the foundation for good system configuration and hardening. Once these standards are widely deployed in the network, risk managers can begin to evaluate other CMMC domains such as the aforementioned IA or SI. For example, the IA domain requires organizations to "Enforce a minimum password complexity and change of characters when new passwords are created," while CM requires organizations to "establish and enforce security configuration settings for information technology products employed in organizational systems." These two controls work together and provide the CISO with the tools needed to measure and discuss the current status of risk with other contributors.

This report starts by providing an executive summary of the vulnerability and compliance status using Tenable.sc. Then each chapter breaks out into more operational details allowing the CISO, risk managers, and IT managers to clearly develop a plan of action and work toward achieving different maturity levels. A key aspect to mitigating risk is to understand the current likelihood of a vulnerability being exploited by adversaries. Tenable created the Vulnerability Priority Rating (VPR) to help add current threat intelligence to the risk analysis process. At the heart of VPR is a series of machine learning models working together to forecast threats. Specifically, the threat forecast seeks to answer the question: What is the appropriate level of near-term threat for a vulnerability based on the latest available data?

The CISO and IT managers also work together to establish the hardening standards that are appropriate for the organization. These configuration settings will most likely be different for each organization, and Tenable provides audit files for a majority of the CIS Benchmarks and DISA STIGs. In both cases Tenable.sc uses a field called Cross Reference to connect NIST 800-53, NIST 800-171, and other standards such as the Cybersecurity Framework. The CMMC cross-links all of these widely accepted standards together and provides organizations with a well-established baseline from which to begin reducing risk. As higher CMMC maturity levels are achieved, the organization's security practices become more mature. This report helps to pull this configuration data together in a detailed view to aid in compliance planning.
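To show how the Cross Reference field described above can be used operationally, here is an added example (not code from the page or from Tenable) that rolls up compliance check results into the CMMC domains this report covers. The "STANDARD|id,STANDARD|id" reference layout, the 800-171 family to CMMC domain mapping, and the sample results are assumptions constructed for the example.

```python
"""Roll up compliance results into CMMC domain pass/fail counts.

Added example. The reference layout, the family-to-domain mapping and the
SAMPLE results below are constructed assumptions, not page or product data.
"""
from collections import defaultdict

# Assumed mapping from NIST SP 800-171 control families (3.x) to the CMMC
# domain abbreviations this report discusses; other families are ignored.
FAMILY_TO_DOMAIN = {
    "3.4": "CM",   # Configuration Management
    "3.5": "IA",   # Identification & Authentication
    "3.8": "MP",   # Media Protection
    "3.11": "RM",  # Risk Assessment practices under CMMC Risk Management
    "3.12": "CA",  # Security Assessment
    "3.14": "SI",  # System & Information Integrity
}

def parse_cross_reference(ref):
    """Split 'STD|id,STD|id' into (standard, id) pairs; skip malformed items."""
    pairs = []
    for item in ref.split(","):
        item = item.strip()
        if "|" not in item:
            continue  # tolerate a bad entry instead of aborting the roll-up
        std, ident = item.split("|", 1)
        pairs.append((std.strip(), ident.strip()))
    return pairs

def domains_for(ref):
    """Return the set of CMMC domains an 800-171 cross reference maps to."""
    found = set()
    for std, ident in parse_cross_reference(ref):
        if std != "800-171":
            continue
        family = ".".join(ident.split(".")[:2])  # '3.4.2' -> '3.4'
        if family in FAMILY_TO_DOMAIN:
            found.add(FAMILY_TO_DOMAIN[family])
    return found

def summarize(results):
    """Count PASSED/FAILED checks per domain from (cross_reference, status)."""
    tally = defaultdict(lambda: {"PASSED": 0, "FAILED": 0})
    for ref, status in results:
        for domain in domains_for(ref):
            if status in tally[domain]:  # WARNING/ERROR are not counted
                tally[domain][status] += 1
    return dict(tally)

SAMPLE = [  # constructed sample results, not real scan output
    ("800-171|3.4.2,800-53|CM-6,CSF|PR.IP-1", "PASSED"),
    ("800-171|3.4.1,800-53|CM-2", "FAILED"),
    ("800-171|3.5.7,800-53|IA-5", "FAILED"),
    ("800-53|AC-2,CSF|PR.AC-1", "PASSED"),  # no 800-171 reference: skipped
    ("800-171|3.14.2,800-53|SI-3", "WARNING"),
]
```

Feeding real exported results into `summarize` gives a per-domain view that can be compared against the matrices in the Executive Summary chapter.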

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance and Configuration Assessment. The report requirements are:

  • Tenable.sc 5.14.1
  • Nessus 8.10.1
  • Tenable Audit Files

Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously assess the implementation of cybersecurity practices and institutionalization of cybersecurity processes. Regardless of the maturity model the organization is measuring against, Tenable.sc provides the essential information to report accurate and reliable metrics.

This report contains:

Executive Summary: The Executive Summary chapter summarizes the operational status of the organization's efforts to achieve CMMC compliance. The chapter provides a trend comparison of the compliance checks, and of current vulnerabilities compared to resurfaced vulnerabilities. In addition, there are matrices that provide summary counts of current and mitigated vulnerabilities, configuration checks, and vulnerability detection methods.

Risk Management: This chapter provides the operations team with detailed information about the most critical risks identified on the network. Tenable.sc tracks the lifetime of a vulnerability and records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This chapter provides details to support vulnerability management service level agreements and the tracking of mitigation efforts, and focuses attention on the most vulnerable hosts.

Anti-Virus Vulnerability Details: CMMC requires organizations to maintain anti-virus and anti-malware solutions. This chapter provides a summary view of how the organization is progressing with managing its anti-virus and anti-malware solutions.

Configuration Compliance Details: CMMC relies heavily on several audit standards such as NIST 800-53, NIST 800-171, and CSF. This chapter provides several different views into the configuration compliance checks, broken out by asset classification.

Systems By Detection Method: Tracking system detection methods is helpful for understanding where assets are located and how other systems may interact with them. This chapter breaks out systems by detection method and sensor type. Focusing on active and passive detections, the chapter then highlights the direction in which communications are observed.
