Azure Active Directory Conditional Access Policies

What is Conditional Access?

Azure Active Directory Conditional Access is a feature that helps businesses improve both cybersecurity and compliance. By applying such policies, organizations will refine the authentication process reducing the risk of unauthorized access.

Usually, it is the legitimate account owner typing in the username and password pair. Once logged in, the user can access all the data, applications, and business resources he/she has been granted permissions for. But sometimes, it is the attacker who tries to login with the user’s credentials, putting your organization at risk.

To reduce this risk, organizations can put additional authentication measures in place, such as multi-factor authentication (MFA) requiring the user to type the unique code sent to their mobile device, a fingerprint, etc.

This strategy is efficient. Microsoft reports that 99.9% of organization account compromise could be stopped simply by using the MFA security feature. The problem is that sometimes MFA can be insufficient, like when it is a privileged administrator accessing highly sensitive resources. In such a case, additional evidence that the authentication request is legitimate is recommended.

The Conditional Access feature helps organizations strengthen the authentication protocol. For instance, you can create a policy that requires the administrator, so not the regular users, to complete the MFA step.

You can utilize variables like the user’s location and the type of authentication protocol being used. For instance, you can block all requests that come from certain countries, allow all requests from your headquarters location, and require MFA for all the rest.

Conditional Access Policies

When creating Conditional Access policies there are several basic actions you should take, such as:

  • Verify the user’s identity during sign-in.
  • Verify the security of the device used for the connection.
  • Require MFA for users, inclusive of any administrators.
  • Implement Geo-blocking
  • Disable legacy protocols that don’t support MFA (POP, IMAP, SMTP, ActiveSync.

Improving MFA

While multi-factor authentication contributes to a more secure account, burdening users with MFA challenges is not always the best approach. If users are required to go through MFA requests each time they open their accounts, they can fall into the trap of approving challenges without verifying the legitimacy of each request. Unfortunately, this could mean that someone accidentally accepts a sign-in request generated by a hacker. Therefore, user experience is extremely important when implementing Conditional Access policies.

So, instead of challenging a user with MFA at each login, create a strategy that combines signals to verify the identity of the user, as for instance, the user’s known location. By using multiple signals before requesting MFA, this will drastically reduce the number of requests the user receives.

Business Data Protection

Conditional Access supports many features besides multi-factor authentication. Some organizations ignore the fact that anybody can install Outlook or OneDrive on a personal device, and then copy mailbox and data to that device. So, when an employee leaves, the company has no control over any data copied to these personal devices. Ensuring that users can copy business data only to company devices is crucial for compliance and security purposes.

Less is More

When the organization wants to change a policy, or the responsible team needs to investigate a sign-in, a high number of conditional access policies can make the task very challenging. Therefore, you should think about the bigger picture since the beginning of this process and combine as many conditions as possible into one policy.

Try to group policies based on different signals, such as: the type of data, type of user, and the ownership of the device.

When it comes to type of data, access to SharePoint should be stricter compared to Microsoft To-Do, which does not contain as much sensitive data.

Based on the type of user, administrator accounts need stricter policies than regular users.

The ownership of the device is very important because there is a big difference between the management of personal and corporate devices. Personal devices should not be trusted with as much data as corporate devices. The latter category usually has adequate security controls in place.

Documentation is Necessary

As the number of active policies increases, documentation becomes important. It should include details of the configuration and a description of each policy. This will help you revert the policy to the original state and remind you why it was implemented in the first place. While this might not be necessary for smaller organizations, it is mandatory for enterprises.

Besides documenting policies, be sure to document exclusions and not just mentioning the ones that are active, but more importantly: who added the exclusions and why. This way you can review the exclusions and decide whether they are still useful.

In addition to implementing multi-factor authentication in an intuitive way, Conditional Access policies can limit what files users can access or download, in certain scenarios, improving the security of your organization.

Benefits Of Using A Password Manager

We all want our sensitive data to be protected, yet some users often rely on weak passwords because memorizing complex passwords is painful. This approach is dangerous.

Unless you want to constantly safeguard a hard copy list of all your passwords, you should consider setting up a password manager. Such a solution can help you easily oversee and handle all your login credentials for any online account and maintain proper password security.

These solutions are also very handy when it comes to auto filling fields and syncing your data across PCs, Macs, iPhones, Android-powered devices, etc.

What is a Password Manager?

A password manager is basically an encrypted vault that securely stores login information used to access applications and accounts. Besides keeping your identity, credentials, and sensitive data safe, some password managers utilize a password generator to create strong, unique passwords every time. All passwords are stored in an encrypted database and locked behind a master password.

With all the recent cyber incidents, having a unique password for each account you use means that if one gets hacked, your stolen password can’t be used on other accounts. You are basically using multiple passwords to create your own security features.

A 2017 report from LastPass found that people had to remember 191 different passwords, on average, just related to their work.

While technology usually makes our lives easier, new websites and applications we sign up for involve new passwords we have to remember. It is almost impossible to remember all of them. A 2021 Last Past survey reveals that 80% of respondents were concerned about changing passwords frequently, but 48% of them stated that they won’t change their password unless it is required.

By using large lists of stolen passwords bought off the dark web, hackers can brute force their way into other websites or use old passwords to extort users. According to the 2019 Verizon Data Breach Investigations report, 80% of data breaches are caused by compromised, weak, or reused passwords.

What are the benefits of using a password manager?

Firstly, you don’t have to remember all those passwords. A password manager can securely keep them for you. Once your usernames and passwords have been entered into the vault, your master password is the only one you must remember. Entering the master password unlocks the vault, so you can then retrieve whatever password you need.  Add more security to your vault by two-factor authentication. A strong password combined with a two-step verification protocol provides the most protection.

If you choose a cloud-based password manager, then you can access your password vault from any device, anywhere.

Some password managers can securely keep more than username/password pairs. Sensitive information such as shipping addresses and credit card information can be protected too. With just one master password or a fingerprint, the user can access them and autofill web forms.

They can generate new passwords for you. Typically, you will be prompted to choose if you would like the password manager to create a password whenever you create a new account with a website or application.

They can alert you to a phishing site. Spam emails are deceptive, as they look like they are coming from a legitimate sender. Links included within such emails send the recipients to malicious websites designed to steal their sensitive data. Browser-based password managers will not auto-complete the username and password fields because they won’t recognize the website as the one tied to the password and thus protecting your data from a potential exploit.

Password managers save time. In addition to storing your passwords, some password managers also auto-fill credentials allowing you to quickly access your accounts.

There are password managers that can sync across different operating systems. For instance, if you are a Windows user at home and a Mac user at work, you will be able to quickly access your passwords regardless of which platform you are on.

Password managers help protect against identity theft. By using a unique password for every account, you are essentially improving the security of each account. If one of your accounts gets hacked, attackers won’t be able to get into any of the others.

Many robust password managers can assist in collaboration.  This feature allows you to share passwords securely, between employees or external clients.

Types of password managers

Desktop-based password managers store passwords on your device (Mac, laptop, etc.) in an encrypted vault. Usually, the user cannot access those passwords from any other device.

Cloud-based password managers store encrypted passwords on the service provider’s network. The service provider is responsible for the security of your passwords. The main benefit of cloud-based password managers is that the user can access their password vault from any device that is connected to the Internet.

Protect your data like a professional and use a password manager to keep your credentials safe and secure.

How to mitigate the risk of a ransomware attack in 2022

As you probably know, malware is a malicious software (file or code) which can:

  • lock a device or make it unusable;
  • take control of certain devices to attack the organization;
  • steal, delete, or encrypt sensitive data.

Ransomware is a type of malware that prevents the users from accessing their devices or certain files. Ransomware most likely will spread to other machines within the network, as happened with the WannaCry malware.

Usually, the victim is asked to contact the hacker via an anonymous email address or follow instructions on an obscure web page, to make a payment. To unlock the device or for being able to access the encrypted data, the payment is usually requested in a cryptocurrency.

However, even if the ransom is paid, there is absolutely no guarantee that the user will get access to the device, or the files.

Sometimes, malware may look like ransomware, but after the ransom is paid the files may not be decrypted. For this reason, it is crucial to always keep offline backups of your most important files.

Organizations must proactively protect their assets against these complex cyberattacks. Strong defenses and a resilient cyber security posture require not only technical measures but also ransomware-relevant business continuity planning.

Here are a few aspects that should be considered in order to protect your organization and its assets.

Maintain multiple versions of file not just basic backups.

Companies will need to utilize systems that can create snapshots several times a day or maintain multiple versions of file created over the course of the day, to enable a quick restoration process to a specific moment. In the unfortunate case of a cyberattack, this effort considerably minimizes the productivity loss. Also, the IT security personnel will need to routinely test the backups to ensure the data is restorable and to determine the time it takes to restore. This way the organization will estimate the downtime it will need to handle in the case of a successful ransomware attack.

Use the principle of least privilege.

Limiting the file access rights to the minimum level of permissions that users need to perform their work is extremely important. This measure will reduce the number of files that could be encrypted in the event of a ransomware attack.

Limit the risk of initial attack vectors.

Ransomware attackers need access to your system to damage it. They obtain access through phishing schemes, unpatched software, and employee password reuse. Organizations should aim to reduce the likelihood of ransomware attacks by implementing and maintaining strong vulnerability management programs, reducing their attack surface, and providing security training programs for all personnel.

Plan for an attack, even if you think it is unlikely.

Even though they were not the intended targets, there are numerous examples of companies that have been indirectly hit by malware.

Develop an internal and external communication strategy. It is important that the right information reaches the right recipients in a timely manner.

Determine how you will respond to the ransom demand and the threat of your organization’s data being published.

Ensure that your incident management plan and supporting resources are available in case your network is compromised.

Improve your incident management plan. This will help clarify the roles and responsibilities of staff and third parties and prioritize system recovery.

Use Endpoint Detection & Response (EDR)

Nowadays, attacks are expanding beyond local machines trying to block entire systems. Botnets and IoT networks can be used to increase ransomware’s affects.

Modern antivirus solutions can identify and block new types of malware. However, hackers are constantly adapting their methods. Many types of malware are untraceable by standard solutions, such as polymorphic malware which is a type of malware that constantly changes its identifiable features to avoid detection, or fileless malware, etc.

Under these circumstances, to improve cybersecurity, an IT department should implement an integrated endpoint security solution. EDR security integrates the collection, correlation, and analysis of endpoint data, as well as alerting and responding to imminent threats.

Companies must be prepared for these increasingly sophisticated types of attacks. By hiring a professional team and taking the necessary steps, you will be able to protect your IT infrastructure from modern ransomware attacks.

Managed Detection and Response

A Managed Detection and Response (MDR) security solution is a high-level 24/7/365 security control that includes a range of security activities including cloud-managed security for organizations that cannot maintain their own security operations center (SOC). MDR services combine threat intelligence, advanced analytics, and human expertise in incident investigation and response deployed at the host and network levels to help keep your organization secure.

Relevant analytics, threat intelligence, and forensic data are passed to professional analysts, who classify alerts and determine the appropriate response to reduce the effects and risk of incidents. Then, through a combination of human abilities and machine capabilities, the threat is removed, and the affected endpoint is restored to its original state.

EDR or MDR?

Though Endpoint Detection and Response (EDR) solution provides you with the platform to investigate and remediate threats, it still requires human intervention. An MDR solution provides a certified team of cybersecurity professionals that will handle monitoring, incident response and remediation services to help keep your business secure. Endpoint detection and response is part of the tool set used by MDR providers.

EDR records and stores behaviors, and events on endpoints and may trigger rules-based automated responses. When a suspicious situation is identified, it is sent to the IT security team for human investigation. EDR gives security teams the ability to use more than just indicators of compromise (IoC) or signatures to understand what is happening within their networks.

Over time, the EDR tools have become more and more complex, incorporating modern technologies such as machine learning, behavioral analysis, and the ability to integrate with other complex solutions.

MDR Fundamentals

 

Managed Prioritization

Prioritization helps organizations that struggle daily with large volumes of alerts to determine which one should be addressed first. Managed prioritization, also known as “managed EDR”, applies a set of automated rules and human inspection to differentiate between false positives and true threats.

Threat Discovering

Behind every threat is a person who analyzes the options and decides how to avoid being caught by their targets’ countermeasures. While machines are increasingly smart, the human mind is still needed to add the missing element that no automated detection system can provide. Threat hunters with skills and expertise identify and alert on the most advanced threats in order to catch what the layers of automated protection can’t.

Managed Investigation

Managed investigation services help businesses understand threats faster by providing security alerts with additional context. Therefore, organizations can clearly understand what happened, when it happened, what was affected, and how far the attacker went. With that information at hand, they can plan and execute an effective response.

Guided Response

The guided response provides actionable advice on the best way to isolate and remediate a specific threat. Organizations are advised on activities such as whether to remove an endpoint from the network, how to eliminate a threat or recover from a cyberattack.

Recovery & Remediation

The last phase in incident response is remediation. This step is crucial as the organization’s reputation is at stake. Managed remediation will restore systems to their pre-attack state by removing malware, cleaning the registries, removing any unauthorized access and persistence mechanisms. Also, during the remediation phase, the IT security personnel will ensure that further compromise is prevented.

 

Conclusion

In-house security teams may lack the resources and the time to fully utilize their EDR systems, which can leave an organization even less secure than it was before it implemented an EDR solution. MDR solves the problem by introducing human expertise, specific processes, and threat intelligence.

MDR is designed to help organizations acquire enterprise-grade protection while avoiding the costs of building and maintaining a security operations center or hiring enterprise-level security staff.

For more information, please check our IT security services page.

Windows 11: Performance, Security, Requirements

Beyond a reorganized start menu and a sleek taskbar, Windows 11 also offers several new features that will definitely catch the eye of the user.

The newest version of the most popular operating system has been optimized for hybrid working, where employees split their working time between the office and home, with new options designed to allow users to multitask and pick up from where they left.

According to Microsoft, Windows 11 also sets new standards for performance and security, which will help organizations optimize their productivity and protect employees against modern cyberthreats.

Improved Collaboration & Productivity

One of Microsoft’s main goals was to deliver a new level of interoperability with collaboration platform Teams. Therefore, in Windows 11, users can launch Teams chats and meetings by single clicking the icon that holds a front position in the taskbar.

Microsoft has launched a series of features, such as “Snap Layouts” and “Snap Groups, that help users increase their productivity. The former feature gives users a higher range of display options when working across multiple windows or applications.

The “Snap Groups“ feature can be used to restore all windows to their previous location and orientation, making it easy for users to resume the work from a previous point.

These new features are designed to help users better organize their windows to see what is needed but in a cleaner layout.

Performance & Security

As expected, the Microsoft Windows team has focused during the product development process on both performance and security.

Although the company has not provided hard evidence yet, it stated that Windows 11 authentication service “Windows Hello” loads faster compared to previous versions.

The new operating system reportedly uses less energy too, which translates into longer battery life.

Separately, Microsoft highlighted Windows 11’s security credentials, with new protections added at chip and cloud level to ensure organization assets remain secure no matter where the users are located.

With security being at the core of the operating system, Microsoft has also introduced a new set of hardware requirements for Windows 11. For instance, all Windows 11-compatible CPUs must feature an embedded TPM and support secure boot, virtualization-based security (VBS), etc.

However, while these requirements will shield users against certain cyberattacks, they are expected to create hassles for some organizations.

Hardware requirements

Windows 11 brings a significant change in supported CPUs since the release of Windows 8. A lot of CPUs are not officially supported. If you want to use the latest operating system, your computer should be equipped with an Intel Core 8th-generation processor or newer or an AMD Ryzen 2000 processor or newer. The 8th-generation Intel processors arrived in late 2017, and Ryzen 2000 chips arrived in 2018. So, if your computer is more than four years old, there is a good chance that it is not supported by Windows 11.

Another hardware requirement for Windows 11 is a piece of technology named Trusted Platform Module, also known as TPM.

TPM chips perform cryptographic operations that provide security by verifying the authenticity of a system at launch. They also include features that protect systems from tampering.

Windows 11 will require all machines to feature TPM 2.0 support built into the CPU or an additional chip connected to the motherboard.

NOTE: To check if your device has a compatible Trusted Platform Module just go to Start > Settings and type “Device security” and check your “Security processor” to make sure it provides additional encryption for your device.

A recent report from device audit organization Lansweeper reveals that only 44% of workstations are eligible to receive the automatic Windows 11 upgrade.

The situation looks worse when it comes to virtual machine workstations, because only 0.23% of them have TPM 2.0 enabled. And as for the hypervisors, only a few are currently able to meet the necessary requirements to run the latest OS version.

Ready for upgrade?

Microsoft has been consistent across the various Windows management tools, such as Endpoint Manager and Windows Update for Business, so everything feels familiar to administrators.

Although Windows 11 have undergone extensive testing, both in the development process and during early-access, bugs have been reported.

At one point, Windows 11 impacted the speed of storage drives (SSDs, hard drives). Microsoft, though, has since issued a fix in the latest Windows 11 cumulative update.

Another problem relates to memory leaks. Reportedly Windows 11 could take up extra RAM when the user opens multiple instances of the File Explorer. However, this isn’t a problem every user is having, but according to official reports, the issue is currently under investigation.

Windows 11 supports new ways of working and further improves workstation security. IT teams and business executives will need to decide whether these benefits are worth the inevitable hassles that early adopters face.

Endpoint Detection & Response

Endpoint Detection & Response (EDR) is a complex endpoint security system that combines real-time monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.

The main functions of an EDR security solution are:

  • To monitor and collect data from endpoints that could indicate a threat;
  • To analyze this data to identify threat patterns;
  • To automatically respond to identified threats to remove or contain them, and notify the IT security team;
  • Forensics and analysis tool to research identified threats and search for any suspicious behavior.

Adoption

The EDR adoption will only increase over the next few years. According to Stratistics MRC’s Endpoint Detection & Response: Global Market Outlook (2017-2026), sales of EDR solutions, both on-premises and cloud-based are expected to reach $7.27 billion by 2026, with an annual growth rate of about 25%.

One of the factors pivoting the EDR adoption is the rise in the number of connected endpoints. Another important factor is the increased sophistication and complexity of modern cyberattacks, which usually focus on endpoints as some of them are easier targets for breaching networks.  Insurance carriers are also beginning to require an EDR solution to be able to provide cyber insurance.

Endpoint Attacks

The average IT department has thousands of endpoints under management. These endpoints are desktops, servers, laptops, tablets, smartphones, smart watches, and digital assistants.

The SANS Endpoint Protection and Response Survey reveals that 44% of IT teams manage between five thousand and five hundred thousand endpoints. Each of these endpoints is susceptible to become an open door for cyberattacks. Endpoint visibility is therefore crucial.

Modern antivirus solutions can identify and block many new types of malware. However, cybercriminals are constantly adapting their methods. Many types of malware are untraceable by standard solutions. For instance, polymorphic malware which is a type of malware that constantly changes its identifiable features to avoid detection, or fileless malware, a recent development that operates in the computer’s memory and avoids malware signature scanners.

To improve cybersecurity, an IT department may implement several endpoint security solutions, as well as other security applications, over time. However, multiple self-sufficient security tools can overcomplicate the threat detection and prevention process, especially if they overlap and produce similar effects. The better approach is an integrated endpoint security solution.

EDR Security: Components

EDR security integrates the collection, correlation, and analysis of endpoint data, as well as alerting and responding to imminent threats.

EDR tools have three major components:

Data collection software agents. These agents handle endpoint monitoring and collect relevant data about certain processes, connections, and data transfers.

Automated response. Pre-configured rules in an EDR system can identify known types of security threats and can trigger automatic responses, such as logging off the user or alerting a team member.

Analysis and forensics. An endpoint detection and response solution can incorporate real-time analytics, for fast diagnosis of threats, and forensics tools, for threat hunting or conducting post-attack analyses.

Forensics tools enable IT security personnel to investigate breaches to better understand how an exploit managed to penetrate security. The IT security staff also uses forensics tools to identify threats within the system, such as malware or other exploits that might pass undetected to an endpoint.

EDR Capabilities

New features and services are expanding EDR systems’ capabilities to detect and investigate threats.

Threat intelligence services provide organizations with large pools of information on current threats and their characteristics. That collective intelligence helps increase an EDR’s ability to identify exploits, especially multi-layered and zero-day attacks.

In addition, new investigative capabilities in some EDR solutions leverage artificial intelligence and machine learning to automate the investigative process. These capabilities will allow the EDR solutions to learn more about the baseline behavior of an organization, and it will use this information, along with a variety of other threat intelligence sources, to defend the organizations’ systems.

Information such as IP addresses and registry keys change frequently. However, identifying patterns and characteristics that remain unchanged is therefore crucial. An EDR solution can use the common behavior to identify threats that may have been altered in other ways.

IT security teams face steadily more complex cyberattacks, as well as increased diversity in the number and types of endpoints accessing networks, so an advanced solution to deal with this situation is recommended, and sometimes required.

Traditional Antivirus & Next-Generation Antivirus

Traditional antivirus solutions have obvious limitations, especially in a world of constantly evolving threats. Thanks to the power of AI and machine learning, next-gen antivirus is a brilliant way to overcome these limitations.

Let’s find out what are the differences between the two.

Traditional Antivirus Software

The majority of antivirus (AV) or malware prevention solutions operate using huge databases of malware signatures as reference lists. Signature-based software is present in firewalls, email security platforms, and AV programs.

NOTE! Simply put, a signature is a unique set of data within the software that differentiates it from other software or viruses.

When a malicious file is downloaded to a device, a signature-based security solution will check that file’s identifying information against the database of malware signatures looking for a match. If there is a match to an existing threat or family of threats, the file will be blocked, prevented from executing its malicious action.

When new malware emerges and is documented by cybersecurity experts, its signature will be added to a specific database. Subsequently, AV software providers create and release a signature database update to ensure that the new threat can be detected and blocked. Sometimes, these updates are released several times per day.

Traditional AV Drawbacks

There is an average of 450,000 new instances of malware registered every single day. That’s a lot of signature database updates to keep up with.

While some AV vendors update their programs throughout the day, others release scheduled daily, weekly, or monthly software updates to keep the process simple for their users.

But convenience comes at the risk of real-time protection. Especially between update intervals, those AV programs are missing new malware signatures from their database, so they are completely unprotected against new or more advanced threats.

According to SentinelOne, we are trending towards cross-platform threats, and we should expect the availability of highly critical vulnerabilities such as log4j, which have exposed countless environments, to make even more headlines in 2022.

Sophisticated attackers have found ways around traditional AV defenses by hiding behind seemingly innocent actions, such as opening a file that contains a link to a malicious script.

Furthermore, how many users fail to keep their AV solutions secure due to the hassle of frequent updates? It’s easy to see updates as a low-priority inconvenience, and many users don’t realize the risk they take by not keeping their AV solutions updated.

Not only do signature-based solutions remain ineffective against zero-day threats, but efficacy decreases in the unfortunate case of user error.

Traditional AV solutions often provide a false sense of security to organizations that rely on them. According to CrowdStrike, a staggering 39% of malicious software goes undetected by traditional antivirus.

Next-Gen Antivirus Solutions

Like traditional antivirus software, the next gen antivirus (NGAV) also refers to a library of known threats, but unlike traditional antivirus protection, it can also identify threats on its own.

Today’s next-generation antivirus solutions use advanced technologies like behavior analysis, artificial intelligence, or machine learning to detect threats based on their intention rather than looking for a match to a known signature.

Next-gen AV can analyze the intentions of malicious files and determine when something is suspicious. According to CrowdStrike, these next-gen AV solutions are estimated to be about 99% effective against advanced threats, compared to signature-based solutions’ average of 60% efficacy.

In the case of zero-day vulnerabilities, the next-gen antivirus has the ability to learn on its own, being able to manage, detect, and respond to brand new threats that have not yet been recognized by the cybersecurity community.

This ability to detect and respond to new threats is what sets next gen antivirus protection apart from traditional forms of protection.

Besides recognizing unknown threats, next gen antivirus solutions can also roll the system back to a secure state, providing an extra layer of protection against malware and other similar threats.

Traditional antivirus software will only quarantine the threats, but the rollback process is manual. By automating the process, next gen antivirus solutions reduce the amount of time it takes to identify and respond to cyberattacks.

Organizations that rely entirely on signature-based detection should supplement or replace their detection capabilities with automated ML-based solutions that can prevent most types of malicious executable files.

Interested in making the jump from 60% to 99% effectiveness with a more dependable malware prevention solution, backed by expert security analysts? If yes, the StratusPointIT team is here and ready to help you overcome your IT security obstacles.

The CMMC Domains

As mentioned in a previous blog, the CMMC program refers to a set of cybersecurity requirements certain organizations must obey to protect controlled unclassified information that is shared by the Department of Defense with its contractors and subcontractors.

The extensive list of requirements, including those related to security awareness and training, are summarized below, grouped within 17 domains.

Access Control

This domain focuses on controlling who and what can access your systems, as well as who has remote system access, and on the limitations of their roles.

Asset Management

This domain requires organizations to locate, identify, and log inventory of their assets.

Audit & Accountability

This domain requires companies to have processes in place for tracking users who access Controlled Unclassified Information (CUI) and to perform audits of those logs to ensure they are held accountable for their behavior.

Awareness & Training

This domain requires that you have training programs in place for your staff and conduct regular security awareness activities.

Configuration Management

This domain requires companies to establish configuration standards in order to determine how efficient the systems are. It is necessary to conduct audits to accurately measure the posture of your systems.

Identification & Authentication

This domain ensures the proper roles within your organization have the right level of access and are identifiable for reporting purposes.

Incident Response

For this domain, an Incident Response Plan is mandatory. Your organization needs to be able to detect and report security events, develop, and implement responses to incidents, perform post-incident assessments and test the response to measure your system’s readiness in the event of a cyber-attack.

Maintenance

This domain requires organizations to have maintenance solutions in place to keep their systems operational. As with all scenarios, sensitive data must be protected in these instances.

Media Protection

This domain highlights the risks associated with removable media, such as digital storage devices or paper, and how your organization can protect against such risks. For this domain, your organization will need to prove it has its media identified and appropriately marked for simplified access. Also, it is required to provide evidence of a media protection protocol, a sanitation protocol, etc.

Personnel Security

Your staff will have to be properly screened and have background checks run. Also, you will need to provide evidence that your CUI is protected even when members of your staff leave the organization or get transferred.

Physical Protection

Your organization needs to provide evidence of physical security surrounding its assets. As expected, cybersecurity measures aren’t adequate if unauthorized physical access to your equipment is allowed.

Recovery

This CMMC domain requires that you keep and log backups of media necessary to your organization. These need to be logged for restoring damaged systems and to mitigate the effects of a cyberattack.

Risk Management

This domain describes the ongoing need to anticipate risks to your data and systems and remediate them in a timely manner using regular risk assessments and vulnerability scanning.

Security Assessment

For security assessments, your organization will need to create and maintain a security plan, define and manage controls, and periodically analyze its defensive capabilities, improving them when possible.

Situational Awareness

This domain specifies how an organization must look for and handle cyber threats that arise from various sources. A threat monitoring system is required. This helps supplement other domains and keeps the organization secure in the unfortunate event of a cyber incident.

System and Communication Protection

This CMMC domain includes a list of safe communication practices. You will need to provide evidence your organization has control of its communications at system boundaries.

System and Information integrity

This domain requires your organization to identify and manage flaws within the system, identify vulnerabilities and malicious actions, implement email security solutions, and monitor the network to maintain the integrity of the system

StratusPointIT can provide expert assistance and recommendations. For more information, please feel free to reach out.

CMMC Compliance 2021

Who needs to comply?

By 2026, all contractors of the Department of Defense must comply with CMMC (Cybersecurity Maturity Model Certification) except commercial off-the-shelf software providers. This is mandatory for all subcontractors and every supplier the prime contractor works with across their entire supply chain.

Each contract will specify the CMMC level that each contractor must meet, so contractors on the same contract may have different CMMC requirements.

Differences Between CMMC & NIST 800-171

CMMC level 3 is based on NIST 800-171 compliance, which included the cybersecurity standards for Defense Industrial Base (DIB) contractors prior to CMMC.

Contractors must also meet all security controls in NIST SP 800-171 or provide a Plan of Actions and Milestones (POA&M) for compliance. A POA&M describes the specific measures that a DIB contractor will take to correct the deficiencies discovered during the security assessment.

NOTE! The shift from self-assessments to independent third-party assessments for cybersecurity compliance is one of the most important differences between NIST 800-171 and CMMC.

CMMC Third Party Assessment Organizations (C3PAOs) will now conduct these assessments.

CMMC adds 20 more new security requirements to Level 3 in addition to the 110 requirements already detailed in NIST 800-171. CMMC requires subjects to meet both sets of requirements for good cybersecurity practices.

CMMC and NIST SP 800-171 regulations will coexist until the Department of Defense completes the CMMC roll-out. The number of DoD contractors subject to CMMC will increase over the next few years, while the number of defense contractors requiring NIST SP 800-171 compliance will only decrease.

The CMMC Levels

The CMMC level that the Department of Defense requires of its contractors depends mostly on the sensitivity of the data these contractors will have access to.

CMMC Level 1

Level 1 requires companies to perform specified practices that focus on the protection of Federal Contract Information (FCI). So, level 1 only includes practices that meet the basic requirements as stipulated in 48 CFR 52.204-21.

CMMC Level 2

Level 2 practices are also known as intermediate cyber hygiene practices. They consist of a subcategory of the requirements specified by NIST SP 800-171. Level 2 practices focus on protecting controlled unclassified information (CUI).

NOTE! Controlled unclassified information is government owned information that requires protection consistent with applicable laws and regulations.

CMMC Level 3

Level 3 requires the organization to establish and maintain a plan to manage the activities needed to implement cybersecurity good practices. This plan can include information on a variety of specific topics, including goals, missions, projects, training, etc.

The cybersecurity practices at this level are considered good cyber hygiene practices and focus on the protection of CUI. Also, they include all security requirements that NIST SP 800-171 specifies, as well as other 20 security practices added specifically for CMMC level 3 to mitigate threats.

Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204 – 7012 adds few extra requirements, as for instance, how to report security incidents and strengthen the supply chain.

CMMC Level 4

Level 4 requires an organization to periodically review the effectiveness of its security practices. It also requires organizations to regularly inform upper management of the status of their information systems.

Level 4 practices are considered proactive and focus on the protection of CUI from advanced persistent threats (APTs). They also include a subset of other requirements from the draft of NIST SP 800-172 and other documents. These practices will only improve an organization’s ability to detect and respond to security threats.

CMMC Level 5

Level 5 certification implies that the contractor meets all level 1 – 4 requirements.

Level 5 requires 171 security controls and helps companies optimize their processes to ensure a standardized implementation across the entire organization. Practices at this level focus on CUI protection from advanced persistent threats. These advanced practices will increase the sophistication and depth of the organization’s cybersecurity capabilities.

CMMC 2.0

On November 4th, 2021, the Department of Defense announced “CMMC 2.0” to maintain the program’s goal of protecting sensitive data, while simplifying the CMMC standard and providing clarity on cybersecurity regulatory, policy, and contracting requirements. The standard will move forward with just 3 levels instead of 5 – foundational, advanced, and expert.

NOTE! CMMC 2.0 will allow all companies at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) to prove compliance through self-assessments similar to NIST 800-171 requirements. Level 3 (Expert) organizations will be assessed every three years by Defense Industrial Base Cybersecurity Assessment Center (DIBAC) assessors.

CMMC 2.0

Under CMMC 2.0, the level 2 will be divided into Critical to National Security Information and Controlled Unclassified Information. Is not yet clear what companies can perform self-attestation and which ones require a C3PAO. The rulemaking process is still ongoing therefore, CMMC 2.0 will not be enforced right away. Organizations will be required to comply once the forthcoming rules go into effect.

StratusPointIT will provide your organization with guidance to achieve the necessary compliance level. Contact us today for more relevant information.

Biotech