|
|
| Line 111: |
Line 111: |
| For some requirements, the assessor reviews documentation to determine if assessment objectives are met. Interviews with OSC staff may identify the documents uses. Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible to be submitted as evidence because they are not yet official and are still subject to change. | | For some requirements, the assessor reviews documentation to determine if assessment objectives are met. Interviews with OSC staff may identify the documents uses. Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible to be submitted as evidence because they are not yet official and are still subject to change. |
|
| |
|
| Common types of documents that can be used as evidence include: <br /> | | Common types of documents that can be used as evidence include: |
| * policy, process, and procedure documents; | | * policy, process, and procedure documents; |
| * training materials; | | * training materials; |
| Line 328: |
Line 328: |
|
| |
|
| == Risk Assessment (RA) == | | == Risk Assessment (RA) == |
| | === RA.L3-3.11.1e – Threat-Informed Risk Assessment === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.1e_Details|More Practice Details...]] |
| | |} |
| | === RA.L3-3.11.2e – Threat Hunting === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.2e_Details|More Practice Details...]] |
| | |} |
| | === RA.L3-3.11.3e – Advanced Risk Identification === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.3e_Details|More Practice Details...]] |
| | |} |
| | === RA.L3-3.11.4e – Security Solution Rationale === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.4e_Details|More Practice Details...]] |
| | |} |
| | === RA.L3-3.11.5e – Security Solution Effectiveness === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.5e_Details|More Practice Details...]] |
| | |} |
| | === RA.L3-3.11.6e – Supply Chain Risk Response === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.6e_Details|More Practice Details...]] |
| | |} |
| | === RA.L3-3.11.7e – Supply Chain Risk Plan === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_RA.L3-3.11.7e_Details|More Practice Details...]] |
| | |} |
|
| |
|
| | == Security Assessment (CA) == |
| | === CA.L3-3.12.1e – Penetration Testing === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_CA.L3-3.12.1e_Details|More Practice Details...]] |
| | |} |
|
| |
|
| | == System and Communications Protection (SC) == |
| | === SC.L3-3.13.4e – isolation === |
| | {|class="wikitable" |
| | |'''SECURITY REQUIREMENT''' |
| | |- |
| | |'''ASSESSMENT OBJECTIVES''' |
| | |- |
| | |[[Practice_SC.L3-3.13.4e_Details|More Practice Details...]] |
| | |} |
|
| |
|
| | | == System and Information Integrity (SI) == |
| | | === SI.L3-3.14.1e – Integrity Verification === |
| | | {|class="wikitable" |
| | | |'''SECURITY REQUIREMENT''' |
| | | |- |
|
| | |'''ASSESSMENT OBJECTIVES''' |
| | | |- |
| RA.L3-3.11.1e – Threat-Informed Risk Assessment
| | |[[Practice_SI.L3-3.14.1e_Details|More Practice Details...]] |
| | | |} |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| | === SI.L3-3.14.3e – Specialized Asset Security === |
| | | {|class="wikitable" |
| 48
| | |'''SECURITY REQUIREMENT''' |
| | | |- |
| ''' '''
| | |'''ASSESSMENT OBJECTIVES''' |
| | | |- |
| | | |[[Practice_SI.L3-3.14.3e_Details|More Practice Details...]] |
| '''RA.L3-3.11.1E – THREAT-INFORMED RISK ASSESSMENT '''
| | |} |
| | | === SI.L3-3.14.6e – Threat-Guided Intrusion Detection === |
| Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-
| | {|class="wikitable" |
| | | |'''SECURITY REQUIREMENT''' |
| provided sources, as part of a risk assessment to guide and inform the development of
| | |- |
| | | |'''ASSESSMENT OBJECTIVES''' |
| organizational systems, security architectures, selection of security solutions, monitoring,
| | |- |
| | | |[[Practice_SI.L3-3.14.6e_Details|More Practice Details...]] |
| threat hunting, and response and recovery activities.
| | |} |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [ODP1] Sources of threat intelligence are defined;'' <br />
| |
| ''[a] A risk assessment methodology is identified; <br />
| |
| [b] Threat intelligence, at a minimum from open or commercial sources, and any
| |
| | |
| DoD-provided sources, are employed as part of a risk assessment to guide and inform the
| |
| | |
| development of organizational systems and security architectures;
| |
| | |
| [c] Threat intelligence, at a minimum from open or commercial sources, and any
| |
| | |
| DoD-provided sources, are employed as part of a risk assessment to guide and inform the
| |
| | |
| selection of security solutions;
| |
| | |
| [d] Threat intelligence, at a minimum from open or commercial sources, and any
| |
| | |
| DoD-provided sources, are employed as part of a risk assessment to guide and inform
| |
| | |
| system monitoring activities;
| |
| | |
| [e] Threat intelligence, at a minimum from open or commercial sources, and any
| |
| | |
| DoD-provided sources, are employed as part of a risk assessment to guide and inform
| |
| | |
| threat hunting activities; and
| |
| | |
| [f] Threat intelligence, at a minimum from open or commercial sources, and any
| |
| | |
| DoD-provided sources, are employed as part of a risk assessment to guide and inform
| |
| | |
| response and recovery activities.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: Information security program plan; risk assessment policy; threat
| |
| | |
| awareness program documentation; procedures for the threat awareness program; security
| |
| | |
| planning policy and procedures; procedures addressing organizational assessments of risk;
| |
| | |
| threat hunting program documentation; procedures for the threat hunting program; risk
| |
| | |
| assessment results relevant to threat awareness; threat hunting results; list or other
| |
| | |
| documentation on the cross-organization, information-sharing capability; security plan; risk
| |
| | |
| assessment; risk assessment results; risk assessment reviews; risk assessment updates;
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.1e – Threat-Informed Risk Assessment
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 49
| |
| | |
| ''' '''
| |
| | |
| contingency planning policy; contingency plan; incident response policy; incident response
| |
| | |
| plan; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security program
| |
| | |
| planning and plan implementation; organizational personnel responsible for the threat
| |
| | |
| awareness and threat hunting programs; organizational personnel responsible for risk
| |
| | |
| assessments; organizational personnel responsible for the cross-organization, information-
| |
| | |
| sharing capability; organizational personnel responsible for information security;
| |
| | |
| organizational personnel responsible for contingency planning; organizational personnel
| |
| | |
| responsible for incident response; personnel with whom threat awareness information is
| |
| | |
| shared by the organization].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness
| |
| | |
| program; mechanisms supporting and/or implementing the cross-organization,
| |
| | |
| information-sharing capability; mechanisms supporting and/or implementing the threat
| |
| | |
| hunting program; mechanisms for conducting, documenting, reviewing, disseminating, and
| |
| | |
| updating risk assessments; mechanisms supporting and/or implementing contingency
| |
| | |
| plans; mechanisms supporting and/or implementing incident response plans].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| The constant evolution and increased sophistication of adversaries, especially the APT,
| |
| | |
| makes it more likely that adversaries can successfully compromise or breach organizational
| |
| | |
| systems. Accordingly, threat intelligence can be integrated into each step of the risk
| |
| | |
| management process throughout the system development life cycle. This risk management
| |
| | |
| process includes defining system security requirements, developing system and security
| |
| | |
| architectures, selecting security solutions, monitoring (including threat hunting), and
| |
| | |
| remediation efforts. <br />
| |
| [NIST SP 800-30] provides guidance on risk assessments. [NIST SP 800-39] provides
| |
| | |
| guidance on the risk management process. [NIST SP 800-160-1] provides guidance on
| |
| | |
| security architectures and systems security engineering. [NIST SP 800-150] provides
| |
| | |
| guidance on cyber threat information sharing.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| An organization consumes threat intelligence and improves their security posture based on
| |
| | |
| the intelligence relevant to that organization and/or a system(s). The organization can
| |
| | |
| obtain threat intelligence from open or commercial sources but must also use any
| |
| | |
| DoD-provided sources. Threat information can be received in high volumes from various
| |
| | |
| providers and must be processed and analyzed by the organization. It is the responsibility of
| |
| | |
| the organization to process the threat information in a manner that is useful and actionable
| |
| | |
| to their needs. Processing, analyzing, and extracting the intelligence from the threat feeds
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.1e – Threat-Informed Risk Assessment
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 50
| |
| | |
| ''' '''
| |
| | |
| and applying it to all organizational security engineering needs is the primary benefit of this
| |
| | |
| requirement. Note that more than one source is required to meet assessment objectives.
| |
| | |
| '''Example <br />
| |
| '''Your organization receives a commercial threat intelligence feed from FIRST and
| |
| | |
| government threat intelligence feeds from both USCERT and DoD/DC3 to help learn about
| |
| | |
| recent threats and any additional information the threat feeds provide [b,c,d,e,f]. Your
| |
| | |
| organization uses the threat intelligence for multiple purposes: <br />
| |
| •
| |
| | |
| To perform up-to-date risk assessments for the organization [a];
| |
| | |
| •
| |
| | |
| To add rules to the automated system put in place to identify threats (indicators of
| |
| | |
| compromise, or IOCs) on the organization’s network [e];
| |
| | |
| •
| |
| | |
| To guide the organization in making informed selections of security solutions [c];
| |
| | |
| •
| |
| | |
| To shape the way the organization performs system monitoring activities [d];
| |
| | |
| •
| |
| | |
| To manage the escalation process for identified incidents, handling specific events, and
| |
| | |
| performing recovery actions [f];
| |
| | |
| •
| |
| | |
| To provide additional information to the hunt team to identify threat activities [e];
| |
| | |
| •
| |
| | |
| To inform the development and design decisions for organizational systems and the
| |
| | |
| overall security architecture, as well as the network architecture [b,c];
| |
| | |
| •
| |
| | |
| To assist in decision-making regarding systems that are part of the primary network and
| |
| | |
| systems that are placed in special enclaves for additional protections [b]; and
| |
| | |
| •
| |
| | |
| To determine additional security measures based on current threat activities taking place
| |
| | |
| in similar industry networks [c,d,e,f].
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Does the organization detail how threat feed information is to be ingested, analyzed, and
| |
| | |
| used [a]?
| |
| | |
| •
| |
| | |
| Can the organization’s SOC or hunt teams discuss how they use the threat feed
| |
| | |
| information after it is processed [e,f]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.1e
| |
| | |
|
| |
| | |
|
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.2e – Threat Hunting
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 51
| |
| | |
| ''' '''
| |
| | |
| '''RA.L3-3.11.2E – THREAT HUNTING '''
| |
| | |
| Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications
| |
| | |
| warrant, to search for indicators of compromise in organizational systems and detect, track,
| |
| | |
| and disrupt threats that evade existing controls.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [ODP4] Organizational systems to search for indicators of compromise are defined;'' <br />
| |
| ''[a] Indicators of compromise are identified; <br />
| |
| [b] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when
| |
| | |
| indications warrant, to search for indicators of compromise in organizational systems;
| |
| | |
| and
| |
| | |
| [c] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when
| |
| | |
| indications warrant, to detect, track, and disrupt threats that evade existing controls.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: System and information integrity policy; policy and procedures addressing
| |
| | |
| system monitoring; threat hunting program documentation; procedures for the threat
| |
| | |
| hunting program; threat hunting results; system design documentation; security plan;
| |
| | |
| system monitoring tools and techniques documentation; security planning policy and
| |
| | |
| procedures; system configuration settings and associated documentation; system
| |
| | |
| monitoring logs or records; system audit records; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for threat hunting program;
| |
| | |
| system/network administrators; organizational personnel responsible for information
| |
| | |
| security; system developers; organizational personnel installing, configuring, and/or
| |
| | |
| maintaining the system; organizational personnel responsible for monitoring the system
| |
| | |
| and/or network].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms supporting and/or implementing a threat hunting program;
| |
| | |
| mechanisms supporting and/or implementing a system monitoring capability; mechanisms
| |
| | |
| supporting and/or supporting and/or implementing incident response plans].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Threat hunting is an active means of defense that contrasts with traditional protection
| |
| | |
| measures, such as firewalls, intrusion detection and prevention systems, quarantining
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.2e – Threat Hunting
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 52
| |
| | |
| ''' '''
| |
| | |
| malicious code in sandboxes, and Security Information and Event Management (SIEM)
| |
| | |
| technologies and systems. Cyber threat hunting involves proactively searching
| |
| | |
| organizational systems, networks, and infrastructure for advanced threats. The objective is
| |
| | |
| to track and disrupt cyber adversaries as early as possible in the attack sequence and to
| |
| | |
| measurably improve the speed and accuracy of organizational responses. Indicators of
| |
| | |
| compromise are forensic artifacts from intrusions that are identified on organizational
| |
| | |
| systems at the host or network level and can include unusual network traffic, unusual file
| |
| | |
| changes, and the presence of malicious code. <br />
| |
| Threat hunting teams use existing threat intelligence and may create new threat information,
| |
| | |
| which may be shared with peer organizations, Information Sharing and Analysis
| |
| | |
| Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant
| |
| | |
| government departments and agencies. Threat indicators, signatures, tactics, techniques,
| |
| | |
| procedures, and other indicators of compromise may be available via government and non-
| |
| | |
| government cooperatives, including Forum of Incident Response and Security Teams, United
| |
| | |
| States Computer Emergency Response Team, Defense Industrial Base Cybersecurity
| |
| | |
| Information Sharing Program, and CERT Coordination Center. <br />
| |
| [NIST SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk
| |
| | |
| modeling. [NIST SP 800-160-2] provides guidance on systems security engineering and
| |
| | |
| cyber resiliency. [NIST SP 800-150] provides guidance on cyber threat information sharing.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| For this requirement, threat hunting is conducted on an on-going aperiodic basis. On-going
| |
| | |
| aperiodic refers to activities that happen over and over but without an identifiable repeating
| |
| | |
| pattern over time. For threat hunting, on-going activities take place in an automated manner
| |
| | |
| (e.g., collecting logs, automated analysis, and alerts). Aperiodicity includes humans
| |
| | |
| performing the hunt activities, which take place on an as-needed or as-planned basis. <br />
| |
| APTs can penetrate an environment by means that defeat or avoid conventional monitoring
| |
| | |
| methods and alert triggers—for example, by using zero-day attacks. Zero-day attacks
| |
| | |
| become known only after the attack has happened and alerts are sent via threat intelligence
| |
| | |
| feeds based on expert analysis. Because of the nature of zero-day attacks, automated alerts
| |
| | |
| do not generally trigger when the event occurs but the activity is captured in system logs and
| |
| | |
| forwarded for analysis and retention by the SIEM. Threat intelligence information is typically
| |
| | |
| used by hunt teams to search SIEM systems, system event and security logs, and other
| |
| | |
| components to identify activity that has already taken place on an environment. The hunt
| |
| | |
| team will identify systems related to the event(s) and pass the case to Incident Response
| |
| | |
| team for action on the event(s). The hunt team will also use indicators to identify smaller
| |
| | |
| components of an attack and search for that activity, which may help uncover a broader
| |
| | |
| attack on the environment. <br />
| |
| Threat hunting can also look for anomalous behavior or activity based on an organization’s
| |
| | |
| normal pattern of activity. Understanding the roles and information flows within an
| |
| | |
| organization can help identify activity that might be indicative of adversary behavior before
| |
| | |
| the adversary completes their attack or mission.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.2e – Threat Hunting
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 53
| |
| | |
| ''' '''
| |
| | |
| '''Example <br />
| |
| '''You are the lead for your organization’s cyber threat hunting team. You have local and
| |
| | |
| remote staff on the team to process threat intelligence. Your team is tied closely with the SOC
| |
| | |
| and IR teams. Through a DoD (DC3) intelligence feed, you receive knowledge of a recent
| |
| | |
| APT’s attacks on defense contractors. The intelligence feed provided the indicators of
| |
| | |
| compromise for a zero-day attack that most likely started within the past month. After
| |
| | |
| receiving the IOCs, you use a template for your organization to place the information in a
| |
| | |
| standard format your team understands. You then email the information to your team
| |
| | |
| members and place the information in your hunt team’s dashboard, which tracks all IOCs [a]. <br />
| |
| Your team starts by using the information to hunt for IOCs on the environment [b]. One of
| |
| | |
| your team members quickly responds, providing information from the SIEM that an HR
| |
| | |
| system’s logs show evidence that IOCs related to this threat occurred three days ago. The
| |
| | |
| team contacts the owner of the system as they take the system offline into a quarantined
| |
| | |
| environment. Your team pulls all logs from the system and clones the storage on the system.
| |
| | |
| Members go through the logs to look for other systems that may be part of the APT’s attack
| |
| | |
| [c]. While the team is cloning the storage system for evidence, you alert the IR team about
| |
| | |
| the issue. After full forensics of the system, your team has verified your company has been
| |
| | |
| hit by the APT, but nothing was taken and no additional attacks happened. You also alert DoD
| |
| | |
| (DC3) about the finding and discuss the matter with them. There is an after action report and
| |
| | |
| a briefing given to management to make them aware of the issue.
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Does the organization have a methodology for performing cyber threat hunting actions
| |
| | |
| [b,c]?
| |
| | |
| •
| |
| | |
| Has the organization defined all organizational systems within scope of cyber threat
| |
| | |
| hunting, including valid and approved documentation for any organization systems that
| |
| | |
| are not within scope [b,c]?
| |
| | |
| •
| |
| | |
| Has the organization identified a specific set of individuals to perform cyber threat
| |
| | |
| hunting [b,c]?
| |
| | |
| •
| |
| | |
| Does the threat hunting team have qualified staff members using the threat feed
| |
| | |
| information [b,c]?
| |
| | |
| •
| |
| | |
| Does the threat hunting team use combinations of events to determine suspicious
| |
| | |
| behaviors [b,c]?
| |
| | |
| •
| |
| | |
| Does the organization have a documented list of trusted threat feeds that are used by
| |
| | |
| their cyber hunt teams as the latest indicators of compromise during their efforts [a]?
| |
| | |
| •
| |
| | |
| Does the organization have a clear methodology for processing threat feed information
| |
| | |
| and turning it into actionable information they can use for their threat hunting approach
| |
| | |
| [a]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.2e
| |
| | |
|
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.3e – Advanced Risk Identification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 54
| |
| | |
| ''' '''
| |
| | |
| '''RA.L3-3.11.3E – ADVANCED RISK IDENTIFICATION '''
| |
| | |
| Employ advanced automation and analytics capabilities in support of analysts to predict and
| |
| | |
| identify risks to organizations, systems, and system components.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [a] Advanced automation and analytics capabilities to predict and identify risks to
| |
| | |
| organizations, systems, and system components are identified;
| |
| | |
| [b] Analysts to predict and identify risks to organizations, systems, and system components
| |
| | |
| are identified; and
| |
| | |
| [c] Advanced automation and analytics capabilities are employed in support of analysts to
| |
| | |
| predict and identify risks to organizations, systems, and system components.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: System and information integrity policy; risk assessment policy; security
| |
| | |
| planning policy and procedures; procedures addressing organizational assessments of risk;
| |
| | |
| procedures addressing system monitoring; enterprise architecture documentation; system
| |
| | |
| design documentation; system architecture and configuration documentation; system
| |
| | |
| monitoring tools and techniques documentation; system configuration settings and
| |
| | |
| associated documentation; system monitoring logs or records; system audit records;
| |
| | |
| security plan; risk assessment artifacts; risk assessment results; risk assessment reviews;
| |
| | |
| risk assessment updates; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security;
| |
| | |
| organizational personnel responsible for risk assessments; risk analysts; system developers;
| |
| | |
| organizational personnel installing, configuring, and/or maintaining the system;
| |
| | |
| organizational personnel responsible for monitoring; system/network administrators].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Automated mechanisms supporting and/or implementing risk analytics
| |
| | |
| capabilities; automated mechanisms supporting and/or implementing system monitoring
| |
| | |
| capability; automated mechanisms supporting and/or implementing the discovery,
| |
| | |
| collection, distribution, and use of indicators of compromise; automated mechanisms for
| |
| | |
| conducting, documenting, reviewing, disseminating, and updating risk assessments].
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.3e – Advanced Risk Identification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 55
| |
| | |
| ''' '''
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| A properly resourced Security Operations Center (SOC) or Computer Incident Response
| |
| | |
| Team (CIRT) may be overwhelmed by the volume of information generated by the
| |
| | |
| proliferation of security tools and appliances unless it employs advanced automation and
| |
| | |
| analytics to analyze the data. Advanced automation and predictive analytics capabilities are
| |
| | |
| typically supported by artificial intelligence concepts and machine learning. Examples
| |
| | |
| include Automated Workflow Operations, Automated Threat Discovery and Response
| |
| | |
| (which includes broad-based collection, context-based analysis, and adaptive response
| |
| | |
| capabilities), and machine-assisted decision tools. <br />
| |
| [NIST SP 800-30] provides guidance on risk assessments and risk analyses.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| Advanced automation includes tools to correlate and reduce the cyber data overload created
| |
| | |
| by defensive tools, making the data understandable to the analyst. Automation also allows
| |
| | |
| the defensive mechanisms to respond rapidly when adversary events are identified.
| |
| | |
| Examples of such capabilities are SIEM; Security Orchestration, Automation, and Response
| |
| | |
| (SOAR); and Extended Detection and Response (XDR) tools. An example of an automated
| |
| | |
| rapid response action is a security alert being pushed to the SIEM while the organization’s
| |
| | |
| SOAR solution communicates to the network firewall to block communications to the remote
| |
| | |
| system identified in the security alert. <br />
| |
| SIEM is primarily a log collection tool intended to support data storage and analysis. It
| |
| | |
| collects and sends alerts to security personnel for further investigation. SOAR is a software
| |
| | |
| stack that enables an organization to collect data about security threats and respond to
| |
| | |
| security events without human assistance in order to improve security operations.
| |
| | |
| Orchestration connects and integrates disparate internal and external tools. Automation, fed
| |
| | |
| by the data and alerts collected from security orchestration, ingests and analyzes data and
| |
| | |
| creates repeated, automated responses. SOAR incorporates these capabilities based on the
| |
| | |
| SIEM data and enables disparate security tools to coordinate with one another. SOAR can use
| |
| | |
| artificial intelligence to predict and respond to similar future threats, if such tools are
| |
| | |
| employed. <br />
| |
| XDR streamlines security data ingestion, analysis, prevention, and remediation workflows
| |
| | |
| across an organization’s entire security stack, providing a single console to view and act on
| |
| | |
| threat data. However, the presence of these tools by themselves does not necessarily provide
| |
| | |
| an advanced capability. It is essential that the security team employ critical thinking in
| |
| | |
| support of the intrusion detection and threat hunting processes.
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization. The organization holds
| |
| | |
| and processes CUI in an enterprise. To protect that data, you want to minimize phishing
| |
| | |
| attacks through the use of Security Orchestration and Automated Response (SOAR). Rather
| |
| | |
| than relying on analysts to manually inspect each inbound item, emails containing links
| |
| | |
| and/or attachments are processed by your automation playbook. Implementation of these
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.3e – Advanced Risk Identification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 56
| |
| | |
| ''' '''
| |
| | |
| processes involves sending all email links and attachments to detonation chambers or
| |
| | |
| sandboxes prior to delivery to the recipient. When the email is received, SOAR extracts all
| |
| | |
| URL links and attachments from the content and sends them for analysis and testing [a]. The
| |
| | |
| domains in the URLs and the full URLs are processed against bad domain and URL lists. Next,
| |
| | |
| a browser in a sandbox downloads the URLs for malware testing. Lastly, any attachments are
| |
| | |
| sent to detonation chambers to identify if they attempt malicious activities. The hash of the
| |
| | |
| attachments is sent to services to identify if it is known malware [b]. If any one of the items
| |
| | |
| triggers a malware warning from the sandbox, detonation chamber, domain/URL validation
| |
| | |
| service, attachment hash check services, or AV software, an alert about the original email is
| |
| | |
| sent to team members with the recommendation to quarantine it. The team is given the
| |
| | |
| opportunity to select a “take action” button, which would have the SOAR solution take
| |
| | |
| actions to block that email and similar emails from being received by the organization [c].
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Has the organization implemented a security information and event management system
| |
| | |
| [a,c]?
| |
| | |
| •
| |
| | |
| Has the organization implemented security orchestration, automation, and response
| |
| | |
| tools [a,b,c]?
| |
| | |
| •
| |
| | |
| Does the organization use automated processing integrated with the SIEM system to
| |
| | |
| perform analytics [c]?
| |
| | |
| •
| |
| | |
| Can the organization demonstrate use of relevant threat data to inform detection
| |
| | |
| methods that in turn provide automated alerts/recommendations [c]?
| |
| | |
| •
| |
| | |
| Has the organization implemented an extended detection capability [c]?
| |
| | |
| •
| |
| | |
| Does the organization have the ability to merge traditional cyber data, such as network
| |
| | |
| packet captures (e.g., PCAP), or process logs with enrichment data, such as reputation or
| |
| | |
| categorization data [c]?
| |
| | |
| •
| |
| | |
| Can the organization provide examples of both basic and emerging analytics used to
| |
| | |
| analyze alert anomalies, e.g., both simple queries and unsupervised machine learning
| |
| | |
| algorithms that both improve their effectiveness and automatically filter, reduce, or
| |
| | |
| enrich alerting capabilities [c]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.3e
| |
| | |
|
| |
| | |
| ''' '''
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.4e – Security Solution Rationale
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 57
| |
| | |
| ''' '''
| |
| | |
| '''RA.L3-3.11.4E – SECURITY SOLUTION RATIONALE '''
| |
| | |
| Document or reference in the system security plan the security solution selected, the
| |
| | |
| rationale for the security solution, and the risk determination.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [a] The system security plan documents or references the security solution selected; <br />
| |
| [b] The system security plan documents or references the rationale for the security solution;
| |
| | |
| and
| |
| | |
| [c] The system security plan documents or references the risk determination.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: system security plan; records of security plan reviews and updates; system
| |
| | |
| design documentation; security planning policy; procedures addressing security plan
| |
| | |
| development; procedures addressing security plan reviews and updates; enterprise
| |
| | |
| architecture documentation; enterprise security architecture documentation; system
| |
| | |
| interconnection security agreements and other information exchange agreements; other
| |
| | |
| relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security;
| |
| | |
| organizational personnel responsible for developing, implementing, or approving system
| |
| | |
| interconnection and information exchange agreements; personnel managing the systems to
| |
| | |
| which the Interconnection Security Agreement/Information Exchange Agreement applies;
| |
| | |
| system developers; organizational personnel responsible for security planning and plan
| |
| | |
| implementation; organizational personnel responsible for boundary protection; system
| |
| | |
| developers; system/network administrators].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Organizational processes for security plan development, review, update,
| |
| | |
| and approval].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| System security plans relate security requirements to a set of security controls and solutions.
| |
| | |
| The plans describe how the controls and solutions meet the security requirements. For the
| |
| | |
| enhanced security requirements selected when the APT is a concern, the security plan
| |
| | |
| provides traceability between threat and risk assessments and the risk-based selection of a
| |
| | |
| security solution, including discussion of relevant analyses of alternatives and rationale for
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.4e – Security Solution Rationale
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 58
| |
| | |
| ''' '''
| |
| | |
| key security-relevant architectural and design decisions. This level of detail is important as
| |
| | |
| the threat changes, requiring reassessment of the risk and the basis for previous security
| |
| | |
| decisions. <br />
| |
| When incorporating external service providers into the system security plan, organizations
| |
| | |
| state the type of service provided (e.g., software as a service, platform as a service), the point
| |
| | |
| and type of connections (including ports and protocols), the nature and type of the
| |
| | |
| information flows to and from the service provider, and the security controls implemented
| |
| | |
| by the service provider. For safety critical systems, organizations document situations for
| |
| | |
| which safety is the primary reason for not implementing a security solution (i.e., the solution
| |
| | |
| is appropriate to address the threat but causes a safety concern). <br />
| |
| [NIST SP 800-18] provides guidance on the development of system security plans.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| The System Security Plan (SSP) is a fundamental component of an organization’s security
| |
| | |
| posture. When solutions for implementing a requirement have differing levels of capabilities
| |
| | |
| associated with their implementation, it is essential that the plan specifically document the
| |
| | |
| rationale for the selected solution and what was acquired for the implementation. This
| |
| | |
| information allows the organization to monitor the environment for threat changes and
| |
| | |
| identify which solutions may no longer be applicable. While not required, it may also be
| |
| | |
| useful to document alternative solutions reviewed and differing levels of risk associated with
| |
| | |
| each alternative, as that information may facilitate future analyses when the threat changes.
| |
| | |
| In addition to the implementations required for Level 2 certification, which may not be risk
| |
| | |
| based, at Level 3, the SSP must carefully document the link between the assessed threat and
| |
| | |
| the risk-based selection of a security solution for the enhanced security requirements (i.e.,
| |
| | |
| all CMMC L3 requirements derived from NIST SP 800-172).
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization. Following CMMC
| |
| | |
| requirement RA.L3-3.11.1e – ''Threat Informed Risk Assessment'', your team uses threat
| |
| | |
| intelligence to complete a risk assessment and make a risk determination for all elements of
| |
| | |
| your enterprise. Based on that view of risk, your team decides that requirement
| |
| | |
| RA.L3-3.11.2e – ''Threat Hunting'' is a requirement that is very important in protecting your
| |
| | |
| organization’s use of CUI, and you have determined the solution selected could potentially
| |
| | |
| add risk. You want to detect an adversary as soon as possible when they breach the network
| |
| | |
| before any CUI can be exfiltrated. However, there are multiple threat hunting solutions, and
| |
| | |
| each solution has a different set of features that will provide different success rates in
| |
| | |
| identifying IOCs. <br />
| |
| As a result, some solutions increase the risk to the organization by being less capable in
| |
| | |
| detecting and tracking an adversary in your networks. To reduce risk, you evaluate five
| |
| | |
| threat hunting solutions and in each case determine the number of IOCs for which there is a
| |
| | |
| monitoring mechanism. You pick the solution that is cost effective, easy to operate, and
| |
| | |
| optimizes IOC detection for your enterprise; purchase, install, and train SOC personnel on its
| |
| | |
| use; and document the risk-based analysis of alternatives in the SSP. In creating that
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.4e – Security Solution Rationale
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 59
| |
| | |
| ''' '''
| |
| | |
| documentation in the SSP, you follow the guidance found in NIST SP 800-18, ''Guide for ''
| |
| | |
| ''Developing Security Plans for Federal Information Systems'' [a,b,c].
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Has the organization completed a risk assessment and made a risk determinations for
| |
| | |
| enterprise components that need to be protected [c]?
| |
| | |
| •
| |
| | |
| Can the organization identify what is being protected and explain why specific protection
| |
| | |
| solutions were selected [a,b]?
| |
| | |
| •
| |
| | |
| Have all the decisions been documented in the SSP [a,b,c]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.4e
| |
| | |
|
| |
| | |
| ''' '''
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.5e – Security Solution Effectiveness
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 60
| |
| | |
| ''' '''
| |
| | |
| '''RA.L3-3.11.5E – SECURITY SOLUTION EFFECTIVENESS '''
| |
| | |
| Assess the effectiveness of security solutions at least annually or upon receipt of relevant
| |
| | |
| cyber threat information, or in response to a relevant cyber incident, to address anticipated
| |
| | |
| risk to organizational systems and the organization based on current and accumulated threat
| |
| | |
| intelligence.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [a] Security solutions are identified; <br />
| |
| [b] Current and accumulated threat intelligence is identified; <br />
| |
| [c] Anticipated risk to organizational systems and the organization based on current and
| |
| | |
| accumulated threat intelligence is identified; and
| |
| | |
| [d] The effectiveness of security solutions is assessed at least annually or upon receipt of
| |
| | |
| relevant cyber threat information, or in response to a relevant cyber incident, to address
| |
| | |
| anticipated risk to organizational systems and the organization based on current and
| |
| | |
| accumulated threat intelligence.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: Risk assessment policy; security planning policy and procedures; security
| |
| | |
| assessment policy and procedures; security assessment plans; security assessment results;
| |
| | |
| procedures addressing organizational assessments of risk; security plan; risk assessment;
| |
| | |
| risk assessment results; risk assessment reviews; risk assessment updates; threat
| |
| | |
| intelligence information; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for security assessments;
| |
| | |
| organizational personnel responsible for risk assessments; organizational personnel
| |
| | |
| responsible for threat analysis; organizational personnel responsible for information
| |
| | |
| security].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,
| |
| | |
| disseminating, and updating risk assessments; mechanisms supporting and/or
| |
| | |
| implementing security assessments].
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.5e – Security Solution Effectiveness
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 61
| |
| | |
| ''' '''
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Threat awareness and risk assessment of the organization are dynamic, continuous, and
| |
| | |
| inform system operations, security requirements for the system, and the security solutions
| |
| | |
| employed to meet those requirements. Threat intelligence (i.e., threat information that has
| |
| | |
| been aggregated, transformed, analyzed, interpreted, or enriched to help provide the
| |
| | |
| necessary context for decision making) is infused into the risk assessment processes and
| |
| | |
| information security operations of the organization to identify any changes required to
| |
| | |
| address the dynamic threat environment. <br />
| |
| [NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk
| |
| | |
| analyses.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| This requirement requires the organization to analyze threat intelligence and consider the
| |
| | |
| effectiveness of currently deployed cybersecurity solutions against existing, new, and
| |
| | |
| emerging threats. The goal is to understand the risk to the systems and the organization
| |
| | |
| based on threat intelligence and to make adjustments to security solutions to reduce the risk
| |
| | |
| to an acceptable level. Analysis of solutions should include analysis of operational system
| |
| | |
| settings of the deployed systems and not be solely a conceptual capability analysis. This
| |
| | |
| analysis includes verifying configuration settings are configured as desired by the
| |
| | |
| organization and have not been changed over time. <br />
| |
| Threat information can be thought of as raw data that may be limited in terms of evaluating
| |
| | |
| the effectiveness of controls across the enterprise. For example, knowledge of a threat that
| |
| | |
| has not been correlated with other threats may result in evaluation of an implementation
| |
| | |
| that only provides partial protection for one set of systems when, in fact, the emerging threat
| |
| | |
| is applicable to the entire enterprise. Large organizations may also have the resources to
| |
| | |
| aggregate, transform, analyze, correlate, interpret, and enrich information to support
| |
| | |
| decision-making about adequacy of existing security mechanisms and methods.
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization, which holds and
| |
| | |
| processes CUI. The organization subscribes to multiple threat intelligence sources [b]. In
| |
| | |
| order to assess the effectiveness of current security solutions, the security team analyzes any
| |
| | |
| new incidents reported in the threat feed. They identify weaknesses that were leveraged by
| |
| | |
| malicious actors and subsequently look for similar weaknesses in their own security
| |
| | |
| architecture[a,c]. This analysis is passed to the architecture team for engineering change
| |
| | |
| recommendations, including system patching guidance, new sensors, and associated alerts
| |
| | |
| that should be generated, and to identify ways to mitigate, transfer, or accept the risk
| |
| | |
| necessary to respond to events if they occur within their own organization [d].
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.5e – Security Solution Effectiveness
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 62
| |
| | |
| ''' '''
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Does the organization make adjustments during an incident or operational
| |
| | |
| improvements after an incident has occurred [d]?
| |
| | |
| •
| |
| | |
| Has the organization implemented an analytical process to assess the effectiveness of
| |
| | |
| security solutions against new or compiled threat intelligence [b,c,d]?
| |
| | |
| •
| |
| | |
| Has the organization implemented a process to identify if an operational security
| |
| | |
| solution fails to contribute to the protections needed against specific adversarial actions
| |
| | |
| based on new threat intelligence [a,b,c,d]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.5e
| |
| | |
|
| |
| | |
| ''' '''
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.6e – Supply Chain Risk Response
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 63
| |
| | |
| ''' '''
| |
| | |
| '''RA.L3-3.11.6E – SUPPLY CHAIN RISK RESPONSE '''
| |
| | |
| Assess, respond to, and monitor supply chain risks associated with organizational systems
| |
| | |
| and system components.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [a] Supply chain risks associated with organizational systems and system components are
| |
| | |
| identified;
| |
| | |
| [b] Supply chain risks associated with organizational systems and system components are
| |
| | |
| assessed;
| |
| | |
| [c] Supply chain risks associated with organizational systems and system components are
| |
| | |
| responded to; and
| |
| | |
| [d] Supply chain risks associated with organizational systems and system components are
| |
| | |
| monitored.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: Risk assessment policy; procedures addressing organizational assessments
| |
| | |
| of risk; security planning policy and procedures; supply chain risk management plan;
| |
| | |
| security plan; risk assessment; risk assessment results; risk assessment reviews; risk
| |
| | |
| assessment updates; threat intelligence information; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security;
| |
| | |
| organizational personnel responsible for risk assessments; organizational personnel
| |
| | |
| responsible for supply chain risk management].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,
| |
| | |
| disseminating, and updating risk assessments].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Supply chain events include disruption, use of defective components, insertion of
| |
| | |
| counterfeits, theft, malicious development practices, improper delivery practices, and
| |
| | |
| insertion of malicious code. These events can have a significant impact on a system and its
| |
| | |
| information and, therefore, can also adversely impact organizational operations (i.e.,
| |
| | |
| mission, functions, image, or reputation), organizational assets, individuals, other
| |
| | |
| organizations, and the Nation. The supply chain-related events may be unintentional or
| |
| | |
| malicious and can occur at any point during the system life cycle. An analysis of supply chain
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.6e – Supply Chain Risk Response
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 64
| |
| | |
| ''' '''
| |
| | |
| risk can help an organization identify systems or components for which additional supply
| |
| | |
| chain risk mitigations are required. <br />
| |
| [NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk
| |
| | |
| analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| Organizations will have varying policies, definitions, and actions for this requirement. It is
| |
| | |
| important for a single organization to be consistent and to build a process that makes sense
| |
| | |
| for their organization, strategy, unique supply chain, and the technologies available to them.
| |
| | |
| '''Example ''' <br />
| |
| You are responsible for information security in your organization, which holds and
| |
| | |
| processes CUI. One of your responsibilities is to manage risk associated with your supply
| |
| | |
| chain that may provide an entry point for the adversary. First, you acquire threat information
| |
| | |
| by subscribing to reports that identify supply chain attacks in enough detail that you are able
| |
| | |
| to identify the risk points in your organization’s supply chain [a]. You create an organization-
| |
| | |
| defined prioritized list of risks the organization may encounter and determine the responses
| |
| | |
| to be implemented to mitigate those risks [b,c]. <br />
| |
| In addition to incident information, the intelligence provider also makes recommendations
| |
| | |
| for monitoring and auditing your supply chain. You assess, integrate, correlate, and analyze
| |
| | |
| this information so you can use it to acquire monitoring tools to help identify supply chain
| |
| | |
| events that could be an indicator of an incident. This monitoring tool provides visibility of
| |
| | |
| the entire attack surface, including your vendors’ security posture [d]. Second, you analyze
| |
| | |
| the incident information in the intelligence report to help identify defensive tools that will
| |
| | |
| help respond to each of those known supply chain attack techniques as soon as possible after
| |
| | |
| such an incident is detected, thus mitigating risk associated with known techniques.
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Has the organization prioritized risks to the supply chain [a,b]?
| |
| | |
| •
| |
| | |
| Does the organization have viable service-level agreements that describe and enable
| |
| | |
| responses to supply chain incidents [c,d]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.6e
| |
| | |
|
| |
| | |
| ''' '''
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.7e – Supply Chain Risk Plan
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 65
| |
| | |
| ''' '''
| |
| | |
| '''RA.L3-3.11.7E – SUPPLY CHAIN RISK PLAN '''
| |
| | |
| Develop a plan for managing supply chain risks associated with organizational systems and
| |
| | |
| system components; update the plan at least annually, and upon receipt of relevant cyber
| |
| | |
| threat information, or in response to a relevant cyber incident.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] ''' | |
| | |
| Determine if: <br />
| |
| [a] Supply chain risks associated with organizational systems and system components are
| |
| | |
| identified;
| |
| | |
| [b] Organizational systems and system components to include in a supply chain risk
| |
| | |
| management plan are identified;
| |
| | |
| [c] A plan for managing supply chain risks associated with organizational systems and
| |
| | |
| system components is developed; and
| |
| | |
| [d] The plan for managing supply chain risks is updated at least annually, and upon receipt
| |
| | |
| of relevant cyber threat information, or in response to a relevant cyber incident.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: Risk assessment policy; supply chain risk management plan; security
| |
| | |
| planning policy and procedures; procedures addressing organizational assessments of risk;
| |
| | |
| security plan; risk assessment; risk assessment results; risk assessment reviews; risk
| |
| | |
| assessment updates; threat intelligence information; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security;
| |
| | |
| organizational personnel responsible for risk assessments; organizational personnel
| |
| | |
| responsible for supply chain risk management].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Automated mechanisms supporting, conducting, documenting, reviewing,
| |
| | |
| disseminating, and updating risk assessments].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| The growing dependence on products, systems, and services from external providers, along
| |
| | |
| with the nature of the relationships with those providers, present an increasing level of risk
| |
| | |
| to an organization. Threat actions that may increase risk include the insertion or use of
| |
| | |
| counterfeits, unauthorized production, tampering, theft, insertion of malicious software and
| |
| | |
| hardware, and poor manufacturing and development practices in the supply chain. Supply
| |
| | |
| chain risks can be endemic or systemic within a system element or component, a system, an
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| RA.L3-3.11.7e – Supply Chain Risk Plan
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 66
| |
| | |
| ''' '''
| |
| | |
| organization, a sector, or the Nation. Managing supply chain risk is a multifaceted
| |
| | |
| undertaking that requires a coordinated effort across an organization to build trust
| |
| | |
| relationships and communicate with both internal and external stakeholders. Supply chain
| |
| | |
| risk management (SCRM) activities involve identifying and assessing risks, determining
| |
| | |
| appropriate mitigating actions, developing SCRM plans to document selected mitigating
| |
| | |
| actions, and monitoring performance against plans. SCRM plans address requirements for
| |
| | |
| developing trustworthy, secure, and resilient systems and system components, including the
| |
| | |
| application of the security design principles implemented as part of life cycle-based systems
| |
| | |
| security engineering processes. <br />
| |
| [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| An organization is required to have a supply chain risk management plan that assesses and
| |
| | |
| responds to the identified risks from those organizations that provide IT products or
| |
| | |
| services, including any cloud or other third-party services with a role in the operation of the
| |
| | |
| system. The organization should be cognizant of services outside the scope of the system but
| |
| | |
| required for the operation of the system as part of their plan. Since the cyber environment
| |
| | |
| changes rapidly and continuously, it is equally important for the organization to update the
| |
| | |
| plan in response to supply chain cyber incidents or emerging information.
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization, and you have created a
| |
| | |
| supply chain risk management plan [a,b,c]. One of the organization’s suppliers determines
| |
| | |
| that it has been the victim of a cyberattack. Your security team meets with the supplier to
| |
| | |
| determine the nature of the attack and to understand the adversary, the attack, the potential
| |
| | |
| for corruption of delivered goods or services, and current as well as future risks. The
| |
| | |
| understanding of the supply chain will help protect the local environment. Subsequently, you
| |
| | |
| update the risk management plan to include a description of the necessary configuration
| |
| | |
| changes or upgrades to monitoring tools to improve the ability to identify the new risks, and
| |
| | |
| when improved tools are available, you document the acquisition of defensive tools and
| |
| | |
| associated functionality to help mitigate any of the identified techniques [d].
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Does the organization’s current supply chain risk management plan apply across the
| |
| | |
| enterprise, or does it only apply to a limited portion of the supply chain [b]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.11.7e
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| CA.L3-3.12.1e – Penetration Testing
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 67
| |
| | |
| ''' '''
| |
| | |
| Security Assessment (CA) <br />
| |
| '''CA.L3-3.12.1E – PENETRATION TESTING '''
| |
| | |
| Conduct penetration testing at least annually or when significant security changes are made
| |
| | |
| to the system, leveraging automated scanning tools and ad hoc tests using subject matter
| |
| | |
| experts.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [a] Automated scanning tools are identified; <br />
| |
| [b] Ad hoc tests using subject matter experts are identified; and <br />
| |
| [c] Penetration testing is conducted at least annually or when significant security changes
| |
| | |
| are made to the system, leveraging automated scanning tools and ad hoc tests using
| |
| | |
| subject matter experts.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: Security assessment policy; procedures addressing penetration testing;
| |
| | |
| security plan; security assessment plan; penetration test report; security assessment report;
| |
| | |
| security assessment evidence; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for security assessments; penetration
| |
| | |
| testing team; system/network administrators; organizational personnel responsible for
| |
| | |
| information security].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Automated mechanisms supporting security assessments; automated
| |
| | |
| mechanisms supporting penetration testing].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Penetration testing is a specialized type of assessment conducted on systems or individual
| |
| | |
| system components to identify vulnerabilities that could be exploited by adversaries.
| |
| | |
| Penetration testing goes beyond automated vulnerability scanning. It is conducted by
| |
| | |
| penetration testing agents and teams with particular skills and experience that include
| |
| | |
| technical expertise in network, operating system, and application-level security. Penetration
| |
| | |
| testing can be used to validate vulnerabilities or determine a system’s penetration resistance
| |
| | |
| to adversaries within specified constraints. Such constraints include time, resources, and
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| CA.L3-3.12.1e – Penetration Testing
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 68
| |
| | |
| ''' '''
| |
| | |
| skills. Organizations may also supplement penetration testing with red team exercises. Red
| |
| | |
| teams attempt to duplicate the actions of adversaries in carrying out attacks against
| |
| | |
| organizations and provide an in-depth analysis of security-related weaknesses or
| |
| | |
| deficiencies. <br />
| |
| Organizations can use the results of vulnerability analyses to support penetration testing
| |
| | |
| activities. Penetration testing can be conducted internally or externally on the hardware,
| |
| | |
| software, or firmware components of a system and can exercise both physical and technical
| |
| | |
| controls. A standard method for penetration testing includes pretest analysis based on full
| |
| | |
| knowledge of the system, pretest identification of potential vulnerabilities based on the
| |
| | |
| pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All
| |
| | |
| parties agree to the specified rules of engagement before the commencement of penetration
| |
| | |
| testing. Organizations correlate the rules of engagement for penetration tests and red
| |
| | |
| teaming exercises (if used) with the tools, techniques, and procedures that they anticipate
| |
| | |
| adversaries may employ. The penetration testing or red team exercises may be organization-
| |
| | |
| based or external to the organization. In either case, it is important that the team possesses
| |
| | |
| the necessary skills and resources to do the job and is objective in its assessment. <br />
| |
| [NIST SP 800-53A] provides guidance on conducting security assessments.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| It is important that the organization has a repeatable penetration testing capability,
| |
| | |
| regardless of who performs the penetration testing. This requirement entails performing
| |
| | |
| tests against components of the organization’s architecture to identify cyber weaknesses and
| |
| | |
| vulnerabilities. It does not mean everything in the architecture requires penetration testing.
| |
| | |
| This requirement provides findings and mitigation strategies that benefit the organization
| |
| | |
| and help create a stronger environment against adversary efforts. It may be beneficial for
| |
| | |
| the organization to define the scope of penetration testing. The organization’s approach may
| |
| | |
| involve hiring an expert penetration testing team to perform testing on behalf of the
| |
| | |
| organization. When an organization has penetration testing performed, either by an internal
| |
| | |
| team or external firm, they should establish rules of engagement and impose limits on what
| |
| | |
| can be performed by the penetration test team(s). <br />
| |
| Ensuring the objectivity of the test team is important as well. Potential conflicts of interest,
| |
| | |
| such as having internal testers report directly or indirectly to network defenders or an
| |
| | |
| external test team contracted by network defense leadership, must be carefully managed by
| |
| | |
| organizational leadership. <br />
| |
| Reports on the findings should be used by the organization to determine where to focus
| |
| | |
| funding, staffing, training, or technical improvements for future mitigation strategies.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| CA.L3-3.12.1e – Penetration Testing
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 69
| |
| | |
| ''' '''
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization. Leveraging a contract
| |
| | |
| managed by the CIO, you hire an external expert penetration team annually to test the
| |
| | |
| security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same
| |
| | |
| firm annually or on an ad hoc basis when significant changes are made to the architecture or
| |
| | |
| components that affect security [b,c].
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Does the organization have internal team members who possess the proper level of
| |
| | |
| expertise to perform a valued penetration testing effort [b]?
| |
| | |
| •
| |
| | |
| If the penetration testing is performed by an internal team, are the individuals
| |
| | |
| performing the testing objectively [b]?
| |
| | |
| •
| |
| | |
| Is a penetration testing final report provided to the internal team responsible for
| |
| | |
| organizational defense?
| |
| | |
| •
| |
| | |
| If previous penetration tests have been conducted, can the organization provide samples
| |
| | |
| of penetration test plans, findings reports, and mitigation guidance based on the findings
| |
| | |
| [a,b,c]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.12.1e
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SC.L3-3.13.4e – isolation
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 70
| |
| | |
| ''' '''
| |
| | |
| System and Communications Protection (SC) <br />
| |
| '''SC.L3-3.13.4E – ISOLATION '''
| |
| | |
| Employ physical isolation techniques or logical isolation techniques or both in organizational
| |
| | |
| systems and system components.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] ''' | |
| | |
| Determine if: <br />
| |
| [ODP1] One or more of the following is/are selected: physical isolation techniques;
| |
| | |
| logical isolation techniques; <br />
| |
| [ODP2] Physical isolation techniques are defined (if selected); <br />
| |
| [ODP3] Logical isolation techniques are defined (if selected); <br />
| |
| [a] Physical isolation techniques or logical isolation techniques or both are employed in
| |
| | |
| organizational systems and system components.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: System and communications protection policy; procedures addressing
| |
| | |
| boundary protection; system design documentation; procedures addressing the use of thin
| |
| | |
| nodes; list of key internal boundaries of the system; security plan; boundary protection
| |
| | |
| hardware and software; system configuration settings and associated documentation;
| |
| | |
| enterprise architecture documentation; system architecture; security architecture
| |
| | |
| documentation; system audit records; system component inventory; list of security tools and
| |
| | |
| support components to be isolated from other system components; other relevant
| |
| | |
| documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security;
| |
| | |
| system/network administrators; system developers; organizational personnel responsible
| |
| | |
| for boundary protection].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms implementing the boundary protection capability; mechanisms
| |
| | |
| implementing physical isolation techniques; mechanisms supporting and/or implementing
| |
| | |
| the isolation of information security tools, mechanisms, and support components;
| |
| | |
| mechanisms supporting and/or implementing the capability to separate system components
| |
| | |
| supporting organizational missions and business functions; mechanisms implementing
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SC.L3-3.13.4e – isolation
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 71
| |
| | |
| ''' '''
| |
| | |
| logical isolation techniques; mechanisms supporting or implementing separate network
| |
| | |
| addresses/different subnets; mechanisms supporting and/or implementing thin nodes].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| A mix of physical and logical isolation techniques (described below) implemented as part of
| |
| | |
| the system architecture can limit the unauthorized flow of CUI, reduce the system attack
| |
| | |
| surface, constrain the number of system components that must be secure, and impede the
| |
| | |
| movement of an adversary. When implemented with a set of managed interfaces, physical
| |
| | |
| and logical isolation techniques for organizational systems and components can isolate CUI
| |
| | |
| into separate security domains where additional protections can be implemented. Any
| |
| | |
| communications across the managed interfaces (i.e., across security domains), including for
| |
| | |
| management or administrative purposes, constitutes remote access even if the
| |
| | |
| communications remain within the organization. Separating system components with
| |
| | |
| boundary protection mechanisms allows for the increased protection of individual
| |
| | |
| components and more effective control of information flows between those components.
| |
| | |
| This enhanced protection limits the potential harm from and susceptibility to hostile cyber-
| |
| | |
| attacks and errors. The degree of isolation can vary depending on the boundary protection
| |
| | |
| mechanisms selected. Boundary protection mechanisms include routers, gateways, and
| |
| | |
| firewalls separating system components into physically separate networks or subnetworks;
| |
| | |
| virtualization and micro-virtualization techniques; encrypting information flows among
| |
| | |
| system components using distinct encryption keys; cross-domain devices separating
| |
| | |
| subnetworks; and complete physical separation (i.e., air gaps). <br />
| |
| System architectures include logical isolation, partial physical and logical isolation, or
| |
| | |
| complete physical isolation between subsystems and at system boundaries between
| |
| | |
| resources that store, process, transmit, or protect CUI and other resources. Examples
| |
| | |
| include: <br />
| |
| •
| |
| | |
| Logical isolation: Data tagging, digital rights management (DRM), and data loss
| |
| | |
| prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines or
| |
| | |
| containers that separate CUI and other information on hosts; and virtual local area
| |
| | |
| networks (VLAN) that keep CUI and other information separate on networks.
| |
| | |
| •
| |
| | |
| Partial physical and logical isolation: Physically or cryptographically isolated networks,
| |
| | |
| dedicated hardware in data centers, and secure clients that (a) may not directly access
| |
| | |
| resources outside of the domain (i.e., all applications with cross-enclave connectivity
| |
| | |
| execute as remote virtual applications hosted in a demilitarized zone [DMZ] or internal
| |
| | |
| and protected enclave), (b) access via remote virtualized applications or virtual desktop
| |
| | |
| with no file transfer capability other than with dual authorization, or (c) employ
| |
| | |
| dedicated client hardware (e.g., a zero or thin client) or hardware approved for multi-
| |
| | |
| level secure (MLS) usage.
| |
| | |
| •
| |
| | |
| Complete physical isolation: Dedicated (not shared) client and server hardware;
| |
| | |
| physically isolated, stand-alone enclaves for clients and servers; and (a) logically
| |
| | |
| separate network traffic (e.g., using a VLAN) with end-to-end encryption using Public Key
| |
| | |
| Infrastructure (PKI)-based cryptography or (b) physical isolation from other networks.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SC.L3-3.13.4e – isolation
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 72
| |
| | |
| ''' '''
| |
| | |
| Isolation techniques are selected based on a risk management perspective that balances the
| |
| | |
| threat, the information being protected, and the cost of the options for protection.
| |
| | |
| Architectural and design decisions are guided and informed by the security requirements
| |
| | |
| and selected solutions. Organizations consider the trustworthiness of the isolation
| |
| | |
| techniques employed (e.g., the logical isolation relies on information technology that could
| |
| | |
| be considered a high value target because of the function being performed), introducing its
| |
| | |
| own set of vulnerabilities. <br />
| |
| [NIST SP 800-160-1] provides guidance on developing trustworthy, secure, and cyber
| |
| | |
| resilient systems using systems security engineering practices and security design concepts.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| For this requirement, organizations must identify the systems or enclaves that need to be
| |
| | |
| isolated, then design and implement the isolation. The resulting isolation solutions are
| |
| | |
| documented or referenced in the SSP. Documentation will be dependent on the design
| |
| | |
| selected and may include a high-level diagram, but specific details that may change on some
| |
| | |
| frequency would be omitted. During an assessment, providing details such as subnet and
| |
| | |
| VLAN implementation identifiers, internal boundary protection hardware and software,
| |
| | |
| interface device functionality, and system configuration and Access Control List (ACL)
| |
| | |
| settings will be useful.
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization, which holds and
| |
| | |
| processes CUI. You have decided to isolate the systems processing CUI by limiting all
| |
| | |
| communications in and out that enclave with cross-domain interface devices that implement
| |
| | |
| access control [a]. Your security team has identified all the systems containing such CUI,
| |
| | |
| documented network design details, developed network diagrams showing access control
| |
| | |
| points, documented the logic for the access control enforcement decisions, described the
| |
| | |
| interface and protocol to the identification and authentication mechanisms, and documented
| |
| | |
| all details associated with the ACLs, including review, updates, and credential revocation
| |
| | |
| procedures.
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Has the organization clearly identified where they use physical, logical, or both isolation
| |
| | |
| techniques [a]?
| |
| | |
| •
| |
| | |
| Can the organization describe the isolation techniques they have employed [a]?
| |
| | |
| •
| |
| | |
| Has the organization deployed subnetting, internal firewalls, and VLANs to control
| |
| | |
| packet flow between internal segments [a]?
| |
| | |
| •
| |
| | |
| Does the organization employ metadata to inform isolation techniques [a]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.13.4e
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.1e – Integrity Verification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 73
| |
| | |
| ''' '''
| |
| | |
| System and Information Integrity (SI) <br />
| |
| '''SI.L3-3.14.1E – INTEGRITY VERIFICATION '''
| |
| | |
| Verify the integrity of security critical and essential software using root of trust mechanisms
| |
| | |
| or cryptographic signatures.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
| |
| | |
| Determine if: <br />
| |
| [ODP1] Security critical or essential software is defined; <br />
| |
| [a] Root of trust mechanisms or cryptographic signatures are identified; and <br />
| |
| [b] The integrity of security critical and essential software is verified using root of trust
| |
| | |
| mechanisms or cryptographic signatures.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: System and information integrity policy; procedures addressing software,
| |
| | |
| firmware, and information integrity; system design documentation; security plan; system
| |
| | |
| configuration settings and associated documentation; system component inventory;
| |
| | |
| integrity verification tools and associated documentation; records of integrity verification
| |
| | |
| scans; system audit records; cryptographic mechanisms and associated documentation;
| |
| | |
| records of detected unauthorized changes to software, firmware, and information; other
| |
| | |
| relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security;
| |
| | |
| organizational personnel responsible for software, firmware, and/or information integrity;
| |
| | |
| system developers; system/network administrators].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Software, firmware, and information integrity verification tools;
| |
| | |
| mechanisms supporting and/or implementing integrity verification of the boot process;
| |
| | |
| mechanisms supporting and/or implementing protection of the integrity of boot firmware;
| |
| | |
| cryptographic mechanisms implementing software, firmware, and information integrity;
| |
| | |
| safeguards implementing protection of the integrity of boot firmware].
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.1e – Integrity Verification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 74
| |
| | |
| ''' '''
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Verifying the integrity of the organization’s security-critical or essential software is an
| |
| | |
| important capability since corrupted software is the primary attack vector used by
| |
| | |
| adversaries to undermine or disrupt the proper functioning of organizational systems. There
| |
| | |
| are many ways to verify software integrity throughout the system development life cycle.
| |
| | |
| Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible
| |
| | |
| Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes.
| |
| | |
| This capability helps system components protect the integrity of boot firmware in
| |
| | |
| organizational systems by verifying the integrity and authenticity of updates to the firmware
| |
| | |
| prior to applying changes to the system component and preventing unauthorized processes
| |
| | |
| from modifying the boot firmware. The employment of cryptographic signatures ensures the
| |
| | |
| integrity and authenticity of critical and essential software that stores, processes, or
| |
| | |
| transmits, CUI. Cryptographic signatures include digital signatures and the computation and
| |
| | |
| application of signed hashes using asymmetric cryptography, protecting the confidentiality
| |
| | |
| of the key used to generate the hash, and using the public key to verify the hash information.
| |
| | |
| Hardware roots of trust are considered to be more secure. This requirement supports 3.4.1e
| |
| | |
| and 3.4.3.e. <br />
| |
| [FIPS 140-3] provides security requirements for cryptographic modules. [FIPS 180-4] and
| |
| | |
| [FIPS 202] provide secure hash standards. [FIPS 186-4] provides a digital signature
| |
| | |
| standard. [NIST SP 800-147] provides BIOS protection guidance. [NIST TRUST] provides
| |
| | |
| guidance on the roots of trust project.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| Organizations verify the integrity of security critical and essential software every time that
| |
| | |
| software is executed. Secure boot mechanisms for firmware and a cryptographically
| |
| | |
| protected boot chain ensure the integrity of the operating system (OS) and security critical
| |
| | |
| software, and cryptographic techniques ensure the essential software has not been
| |
| | |
| tampered with after development prior to execution. If software is itself considered to be
| |
| | |
| CUI or if it uses CUI, this requirement ensures it has not been compromised. <br />
| |
| Software and information integrity verification tools can help check the integrity during the
| |
| | |
| development process for those organizations developing software. As critical software is
| |
| | |
| updated, the integrity of any configuration data and the software must result in updated
| |
| | |
| signatures and an ongoing verification process. <br />
| |
| Operating systems include mechanisms to validate digital signatures for installed software.
| |
| | |
| Most software packages use signatures to prove the integrity of the provided software, and
| |
| | |
| the organization should leverage these capabilities. Similarly, most hardware appliance
| |
| | |
| vendors have secure boot checks in place for their devices and built-in features that check
| |
| | |
| the digital signature of an upgrade/update package before they allow an upgrade to take
| |
| | |
| place. For locally developed software, the organization should sign the software to ensure its
| |
| | |
| integrity.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.1e – Integrity Verification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 75
| |
| | |
| ''' '''
| |
| | |
| '''Example 1 <br />
| |
| '''You are responsible for information security in your organization. Your security team has
| |
| | |
| identified the software used to process CUI, and the organization has decided it is mission-
| |
| | |
| critical software that must be protected. You take three actions. First, you ensure all of the
| |
| | |
| platform’s configuration information used at boot is hashed and stored in a TPM [a]. Second,
| |
| | |
| you ensure that the platforms used to execute the software are started with a digitally signed
| |
| | |
| software chain to a secure boot process using the TPM. Finally, you ensure the essential
| |
| | |
| applications are cryptographically protected with a digital signature when stored and the
| |
| | |
| signature is verified prior to execution [b].
| |
| | |
| '''Example 2 <br />
| |
| '''Your organization has a software security team, and they are required to validate unsigned
| |
| | |
| essential software provided to systems that do not have TPM modules. The organization has
| |
| | |
| a policy stating no software can be executed on a system unless its hash value matches that
| |
| | |
| of a hash stored in the approved software library kept by the software security team [a]. This
| |
| | |
| action is performed by implementing software restriction policies on systems. The team
| |
| | |
| tests the software on a sandbox system, and once it is proven safe, they run a hashing
| |
| | |
| function on the software to create a hash value. This hash value is placed in a software library
| |
| | |
| so the system will know it can execute the software [b]. Any changes to the software without
| |
| | |
| the software security team’s approval will result in the software failing the security tests,
| |
| | |
| and it will be prevented from executing.
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Does the organization use cryptographic signatures to ensure the integrity and
| |
| | |
| authenticity of critical and essential software and data [b]?
| |
| | |
| •
| |
| | |
| Has the organization identified those devices that require integrity verification of the
| |
| | |
| boot process [a]?
| |
| | |
| •
| |
| | |
| Does the organization use a TPM to store hashes of pre-run time configuration
| |
| | |
| parameters for those systems [b]?
| |
| | |
| •
| |
| | |
| Does the organization leverage the TPM configuration hash to verify the hardware and
| |
| | |
| software configuration is unchanged in order to determine that a system is trustworthy
| |
| | |
| before running mission-essential applications [b,c]?
| |
| | |
| •
| |
| | |
| Does the organization use the TPM for remote attestation to determine to which extent
| |
| | |
| information can be trusted from another system [b,c]?
| |
| | |
| •
| |
| | |
| Has the organization identified devices requiring organization-defined security
| |
| | |
| safeguards that must be implemented to protect the integrity of boot firmware [a]?
| |
| | |
| •
| |
| | |
| Has the organization defined security safeguards that will be implemented to protect the
| |
| | |
| integrity of boot firmware in mission-essential devices [a]?
| |
| | |
| •
| |
| | |
| Has the organization implemented organization-defined security safeguards to protect
| |
| | |
| the integrity of boot firmware in organization-defined essential devices [b]?
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.1e – Integrity Verification
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 76
| |
| | |
| ''' '''
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.14.1e
| |
| | |
|
| |
| | |
| ''' '''
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.3e – Specialized Asset Security | |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 77
| |
| | |
| ''' '''
| |
| | |
| '''SI.L3-3.14.3E – SPECIALIZED ASSET SECURITY '''
| |
| | |
| Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems
| |
| | |
| and test equipment are included in the scope of the specified enhanced security
| |
| | |
| requirements or are segregated in purpose-specific networks.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] ''' | |
| | |
| Determine if: <br />
| |
| [a] Specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test
| |
| | |
| equipment are included in the scope of the specified enhanced security requirements;
| |
| | |
| and
| |
| | |
| [b] Systems and system components that are not included in specialized assets including IoT,
| |
| | |
| IIoT, OT, GFE, Restricted Information Systems and test equipment are segregated in
| |
| | |
| purpose-specific networks.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: Access control policy; information flow control policies; system and services
| |
| | |
| acquisition policy; system and communications protection policy; procedures addressing
| |
| | |
| security function isolation; procedures addressing application partitioning; procedures
| |
| | |
| addressing security engineering principles used in the specification, design, development,
| |
| | |
| implementation, and modification of the system; procedures addressing information flow
| |
| | |
| enforcement; procedures addressing access enforcement; system architecture; system
| |
| | |
| design documentation; security plan; system component inventory; system configuration
| |
| | |
| settings and associated documentation; system baseline configuration; list of security
| |
| | |
| functions to be isolated from non-security functions; system audit records; security
| |
| | |
| requirements and specifications for the system; list of approved authorizations (user
| |
| | |
| privileges); list of information flow authorizations; other relevant documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for access enforcement;
| |
| | |
| system/network administrators; organizational personnel responsible for information
| |
| | |
| security; system developers; system integrators; organizational personnel responsible for
| |
| | |
| acquisition/contracting; organizational personnel responsible for determining system
| |
| | |
| security requirements; system security architects; enterprise architects; organizational
| |
| | |
| personnel responsible for system specification, design, development, implementation, and
| |
| | |
| modification].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms implementing the access control policy; mechanisms
| |
| | |
| implementing the information flow enforcement policy; mechanisms supporting the
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.3e – Specialized Asset Security
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 78
| |
| | |
| ''' '''
| |
| | |
| application of security engineering principles in system specification, design, development,
| |
| | |
| implementation, and modification].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Organizations may have a variety of systems and system components in their inventory,
| |
| | |
| including Information Technology (IT), Internet of Things (IoT), Operational Technology
| |
| | |
| (OT), and Industrial Internet of Things (IIoT). The convergence of IT, OT, IoT, and IIoT
| |
| | |
| significantly increases the attack surface of organizations and provides attack vectors that
| |
| | |
| are challenging to address. Compromised IoT, OT, and IIoT system components can serve as
| |
| | |
| launching points for attacks on organizational IT systems that handle CUI. Some IoT, OT, and
| |
| | |
| IIoT system components can store, transmit, or process CUI (e.g., specifications or
| |
| | |
| parameters for objects manufactured in support of critical programs). Most of the current
| |
| | |
| generation of IoT, OT, and IIoT system components are not designed with security as a
| |
| | |
| foundational property and may not be able to be configured to support security functionality.
| |
| | |
| Connections to and from such system components are generally not encrypted, do not
| |
| | |
| provide the necessary authentication, are not monitored, and are not logged. Therefore,
| |
| | |
| these components pose a significant cyber threat. Gaps in IoT, OT, and IIoT security
| |
| | |
| capabilities may be addressed by employing intermediary system components that can
| |
| | |
| provide encryption, authentication, security scanning, and logging capabilities—thus,
| |
| | |
| preventing the components from being accessible from the Internet. However, such
| |
| | |
| mitigation options are not always available or practicable. The situation is further
| |
| | |
| complicated because some of the IoT, OT, and IIoT devices may be needed for essential
| |
| | |
| missions and business functions. In those instances, it is necessary for such devices to be
| |
| | |
| isolated from the Internet to reduce the susceptibility to cyber-attacks. <br />
| |
| [NIST SP 800-160-1] provides guidance on security engineering practices and security | |
| | |
| design concepts.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| Specialized Assets are addressed in the scoping guidance, which should be overlaid on this
| |
| | |
| requirement. The OSC must document Specialized Assets in the asset inventory; develop,
| |
| | |
| document, and periodically update system security plans; and include Specialized Assets in
| |
| | |
| the network diagram. The Specialized Asset section of the SSP should describe associated
| |
| | |
| system boundaries, system environments of operation, how security requirements are
| |
| | |
| implemented, and the relationships with or connections to other systems. <br />
| |
| Specialized Assets within the Level 3 CMMC assessment scope must be either assessed
| |
| | |
| against all CMMC security requirements or separated into purpose-specific networks.
| |
| | |
| Specialized Assets may have limitations on the application of certain security requirements.
| |
| | |
| To accommodate such issues, the SSP should describe any mitigations. <br />
| |
| Intermediary devices are permitted to mitigate an inability for the asset itself to implement
| |
| | |
| one or more CMMC requirements. An example of an intermediary device used in conjunction
| |
| | |
| with a specialized asset is a boundary device or a proxy. <br />
| |
| The high-level list of Specialized Assets includes:
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.3e – Specialized Asset Security
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 79
| |
| | |
| ''' '''
| |
| | |
| •
| |
| | |
| Government Furnished Equipment;
| |
| | |
| •
| |
| | |
| IoT and IIoT devices (physical or virtual) with sensing/actuation capability and
| |
| | |
| programmability features;
| |
| | |
| •
| |
| | |
| OT used in manufacturing systems, industrial control systems (ICS), or supervisory
| |
| | |
| control and data acquisition (SCADA) systems;
| |
| | |
| •
| |
| | |
| Restricted Information Systems, which can include systems and IT components that are
| |
| | |
| configured based on government requirements; and
| |
| | |
| •
| |
| | |
| Test equipment.
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization, which processes CUI on
| |
| | |
| the network, and this same network includes GFE for which the configuration is mandated
| |
| | |
| by the government. The GFE is needed to process CUI information [a]. Because the company
| |
| | |
| cannot manage the configuration of the GFE, it has been augmented by placing a bastion host
| |
| | |
| between it and the network. The bastion host meets the requirements that the GFE cannot,
| |
| | |
| and is used to send CUI files to and from the GFE for processing. You and your security team
| |
| | |
| document in the SSP all of the GFE to include GFE connectivity diagrams, a description of the
| |
| | |
| isolation mechanism, and a description of how your organization manages risk associated
| |
| | |
| with that GFE [a].
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Has the organization documented all specialized assets in asset inventory [a]?
| |
| | |
| •
| |
| | |
| Has the organization documented all specialized assets in the SSP to show how risk is
| |
| | |
| managed [b]?
| |
| | |
| •
| |
| | |
| Has the organization provided a network diagram for specialized assets [a,b]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.14.3e
| |
| | |
|
| |
| | |
| ''' '''
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.6e – Threat-Guided Intrusion Detection | |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 80
| |
| | |
| ''' '''
| |
| | |
| '''SI.L3-3.14.6E – THREAT-GUIDED INTRUSION DETECTION '''
| |
| | |
| Use threat indicator information and effective mitigations obtained from, at a minimum,
| |
| | |
| open or commercial sources, and any DoD-provided sources, to guide and inform intrusion
| |
| | |
| detection and threat hunting.
| |
| | |
| '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] ''' | |
| | |
| Determine if: <br />
| |
| [ODP1] External organizations from which to obtain threat indicator information and
| |
| | |
| effective mitigations are defined; <br />
| |
| [a] Threat indicator information is identified; <br />
| |
| [b] Effective mitigations are identified; <br />
| |
| [c] Intrusion detection approaches are identified; <br />
| |
| [d] Threat hunting activities are identified; and <br />
| |
| [e] Threat indicator information and effective mitigations obtained from, at a minimum,
| |
| | |
| open or commercial sources and any DoD-provided sources, are used to guide and inform
| |
| | |
| intrusion detection and threat hunting.
| |
| | |
| '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
| |
| | |
| '''Examine <br />
| |
| '''[SELECT FROM: System and information integrity policy; information security program plan;
| |
| | |
| procedures addressing security alerts, advisories, and directives; threat awareness program
| |
| | |
| documentation; procedures addressing system monitoring; procedures for the threat
| |
| | |
| awareness program; risk assessment results relevant to threat awareness; records of
| |
| | |
| security alerts and advisories; system design documentation; security plan; system
| |
| | |
| monitoring tools and techniques documentation; system configuration settings and
| |
| | |
| associated documentation; system monitoring logs or records; system audit records;
| |
| | |
| documentation on the cross-organization information-sharing capability; other relevant
| |
| | |
| documents or records].
| |
| | |
| '''Interview <br />
| |
| '''[SELECT FROM: Organizational personnel responsible for information security program
| |
| | |
| planning and plan implementation; system/network administrators; organizational
| |
| | |
| personnel responsible for the threat awareness program; organizational personnel
| |
| | |
| responsible for the cross-organization information-sharing capability; organizational
| |
| | |
| personnel responsible for information security; organizational personnel responsible for
| |
| | |
| installing, configuring, and/or maintaining the system; organizational personnel security
| |
| | |
| alerts and advisories; organizational personnel responsible for implementing, operating,
| |
| | |
| maintaining, and using the system; organizational personnel, organizational elements,
| |
| | |
| and/or external organizations to whom alerts, advisories, and directives are to be
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.6e – Threat-Guided Intrusion Detection
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 81
| |
| | |
| ''' '''
| |
| | |
| disseminated; personnel with whom threat awareness information is shared by the
| |
| | |
| organization; system developers].
| |
| | |
| '''Test <br />
| |
| '''[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness
| |
| | |
| program; mechanisms supporting and/or implementing the cross-organization information-
| |
| | |
| sharing capability; mechanisms supporting and/or implementing the system monitoring
| |
| | |
| capability; mechanisms supporting and/or implementing the definition, receipt, generation,
| |
| | |
| and dissemination of security alerts, advisories, and directives; mechanisms supporting
| |
| | |
| and/or implementing security directives; mechanisms supporting and/or implementing
| |
| | |
| threat hunting; mechanisms supporting and/or implementing intrusion detection;
| |
| | |
| mechanisms supporting and/or implementing the discovery, collection, distribution, and use
| |
| | |
| of indicators of compromise].
| |
| | |
| '''DISCUSSION [NIST SP 800-172] '''
| |
| | |
| Threat information related to specific threat events (e.g., TTPs, targets) that organizations
| |
| | |
| have experienced, threat mitigations that organizations have found to be effective against
| |
| | |
| certain types of threats, and threat intelligence (i.e., indications and warnings about threats
| |
| | |
| that can occur) are sourced from and shared with trusted organizations. This threat
| |
| | |
| information can be used by organizational Security Operations Centers (SOC) and
| |
| | |
| incorporated into monitoring capabilities. Threat information sharing includes threat
| |
| | |
| indicators, signatures, and adversary TTPs from organizations participating in threat-
| |
| | |
| sharing consortia, government-commercial cooperatives, and government-government
| |
| | |
| cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified
| |
| | |
| indicators, based on classified information but which can be readily incorporated into
| |
| | |
| organizational intrusion detection systems, are available to qualified nonfederal
| |
| | |
| organizations from government sources.
| |
| | |
| '''FURTHER DISCUSSION '''
| |
| | |
| One way to effectively leverage threat indicator information is to access human- or machine-
| |
| | |
| readable threat intelligence feeds. Effectiveness may also require the organization to create
| |
| | |
| TTPs in support of operational requirements, which will typically include defensive cyber
| |
| | |
| tools supporting incident detection, alerts, incident response, and threat hunting. It is
| |
| | |
| possible that this requirement will be implemented by a third-party managed service
| |
| | |
| provider, and in that case, it will be necessary to carefully define the boundary and
| |
| | |
| responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also
| |
| | |
| important that the OSC validate threat indicator integration into the defensive cyber toolset
| |
| | |
| by being able to (1) implement mitigations for sample industry relevant indicators of
| |
| | |
| compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across
| |
| | |
| sample endpoints, and (3) identify sample indicators of compromise using analytical
| |
| | |
| processes on a system data repository.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
|
| |
| | |
| SI.L3-3.14.6e – Threat-Guided Intrusion Detection
| |
| | |
| '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
| |
| | |
| 82
| |
| | |
| ''' '''
| |
| | |
| '''Example <br />
| |
| '''You are responsible for information security in your organization. You have maintained an
| |
| | |
| effective intrusion detection capability for some time, but now you decide to introduce a
| |
| | |
| threat hunting capability informed by internal and external threat intelligence [a,c,d,e]. You
| |
| | |
| install a SIEM system that leverages threat information to provide functionality to: <br />
| |
| •
| |
| | |
| analyze logs, data sources, and alerts;
| |
| | |
| •
| |
| | |
| query data to identify anomalies;
| |
| | |
| •
| |
| | |
| identify variations from baseline threat levels;
| |
| | |
| •
| |
| | |
| provide machine learning capabilities associated with the correlation of anomalous data
| |
| | |
| characteristics across the enterprise; and
| |
| | |
| •
| |
| | |
| categorize data sets based on expected data values.
| |
| | |
| Your team also manages an internal mitigation plan (playbook) for all known threats for your
| |
| | |
| environment. This playbook is used to implement effective mitigation strategies across the
| |
| | |
| environment [b]. Some of the mitigation strategies are developed by team members, and
| |
| | |
| others are obtained by threat feed services.
| |
| | |
| '''Potential Assessment Considerations <br />
| |
| '''•
| |
| | |
| Which external sources has the organization identified as threat information sources [a]?
| |
| | |
| •
| |
| | |
| Does the organization understand the TTPs of key attackers [c,d]?
| |
| | |
| •
| |
| | |
| Does the organization deploy threat indicators to EDR systems, network intrusion
| |
| | |
| detection systems, or both [c,d,e]?
| |
| | |
| •
| |
| | |
| What actions does the organization implement when a threat alert/indicator is signaled
| |
| | |
| [c,d,e]?
| |
| | |
| •
| |
| | |
| Does the organization use internal threat capabilities within their existing security tools
| |
| | |
| [e]?
| |
| | |
| •
| |
| | |
| How does the organization respond to a third-party notification of a threat indicator [e]?
| |
| | |
| '''KEY REFERENCES '''
| |
| | |
| •
| |
| | |
| NIST SP 800-172 3.14.6e
| |
|
| |
|
| == Appendix A – Acronyms and Abbreviations == | | == Appendix A – Acronyms and Abbreviations == |