CMMC is designed to ensure that all defense contractors meet at least a basic level of cybersecurity hygiene for protecting sensitive defense information, and to subject all DoD contractors to third-party cybersecurity assessments.
CMMC’s ultimate aim is to ensure that defense contractors do not get hacked, resulting in the loss of sensitive defense information that could fall into the hands of U.S. adversaries.
CMMC v2.0 and NIST 800-171
CMMC v2.0 is organized in 3 levels; the levels are:
- Level 1 (Foundational) only applies to companies that focus on the protection of Federal Contract Information (FCI)…
- Level 2 (Advanced) is for companies working with CUI. (*1)
- Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs).
(*1) CUI is government-created or government-owned information that requires safeguarding.
The CMMC guidance heavily leverages NIST 800-171 as its guidance to protect CUI (Controlled Unclassified Information).
NIST 800-171 is a subset of requirements taken directly from the NIST 800-53 publication that specifically apply to CUI shared by the federal government with a non-federal entity.
CMMC is still a work in progress; most enterprises are mapping their security to CMMC 2.0, which is in the approval process at this time. Under the new 2.0 version of this guidance, most CMMC Registered Practitioners (CMMC-RPs) expect software/SaaS solutions sold to the DoD to be at CMMC Level 2 or higher.
Mapping YouAttest to NIST 800-171
To this end, YouAttest has mapped the 800-171 matrix to NIST 800-53 and to IGA (Identity Governance) best practices. User Access Reviews and attestation of rights, especially around access to CUI, are a big part of the CMMC guidelines.
The Top 5 Controls that YouAttest Addresses for NIST 800-171
#1: NIST 800-171 Control #: 3.1.1
Control Family: Access Control
Desc: Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
NIST 800-53 Mapping: PR.AC-4
IGA Relevance: Proper IGA practices mandate that a process is in place not only for provisioning but also for the REVIEW of existing permissions and of any changes in privileges.
YouAttest Functionality for Control: YouAttest automates the User Access Review (UAR) process that this control requires: attesting to the permissions granted to access CUI and the systems holding CUI.
#2: NIST 800-171 Control #: 3.1.2
Control Family: Access Control
Desc: Employ the principle of least privilege, including for specific security functions and privileged accounts.
NIST 800-53 Mapping: PR.AC-6
IGA Relevance: The guiding principle of identity governance is the “principle of least privilege” (PR.AC-6), which states that users and accounts are granted only the minimal privileges needed to do their job.
YouAttest Functionality for Control: YouAttest automates the user access review (UAR) process, through which the “principle of least privilege” is enforced.
#3: NIST 800-171 Control #: 3.3.9
Control Family: Derived
Desc: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
NIST 800-53 Mapping: CM-5
IGA Relevance: Identity Governance mandates that only approved users are granted access to specified resources, especially resources that require admin accounts.
YouAttest Functionality for Control: YouAttest attests to user, group and application privileges, especially those that carry admin privileges.
#4: NIST 800-171 Control #: 3.8.2
Control Family: Media Protection
Desc: Limit access to CUI on information system media to authorized users.
NIST 800-53 Mapping: MP-2, MP-4, MP-6
IGA Relevance: Proper identity governance dictates that accounts with access to CUI be properly authorized, and that this access be attested to.
YouAttest Functionality for Control: YouAttest provides this attestation of accounts with access to resources controlling CUI.
#5: NIST 800-171 Control #: 3.10.1
Control Family: Physical Protection
Desc: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
NIST 800-53 Mapping: PE-2, PE-5, PE-6
IGA Relevance: Proper identity governance requires that users with physical access to areas containing CUI be authorized, and that this access be attested to. Users with physical access should be accounted for and quantified in an auditable system, preferably enumerated in a dynamic group for scalability and flexibility.
YouAttest Functionality for Control: YouAttest automates the attestation of these groups associated with physical access.
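The five controls above all reduce to the same workflow: put every grant that touches CUI, carries admin privilege or confers physical access into a review campaign, have a reviewer attest to it, and revoke whatever is not attested. The script below is an added example written for this page, not YouAttest's code and not text from NIST 800-171. The entitlement records, the reviewer decisions, the 90-day review window and all user and resource names are constructed for the example; the window in particular is an assumption, not a value the standard prescribes.

```python
"""Minimal user access review (UAR) campaign over constructed entitlement data.

Scope rule (3.1.1, 3.3.9, 3.8.2, 3.10.1): a grant is in scope when the resource
holds CUI, the privilege is admin-level, or the grant is a physical-access group.
Outcome rule (3.1.2, least privilege): an in-scope grant survives only if a
reviewer approved it this cycle; rejected or unreviewed grants are revoked.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW = timedelta(days=90)   # assumed review cycle for this example


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    privilege: str                      # "read", "write", "admin", "member", ...
    holds_cui: bool                     # resource stores or controls CUI
    physical: bool = False              # group conferring physical access
    last_attested: Optional[date] = None


@dataclass(frozen=True)
class ReviewItem:
    grant: Grant
    reasons: tuple                      # why the grant is in scope
    overdue: bool                       # no attestation inside REVIEW_WINDOW


def scope_reasons(g: Grant) -> tuple:
    """Return the control-derived reasons a grant must be reviewed (empty = out of scope)."""
    reasons = []
    if g.holds_cui:
        reasons.append("cui")
    if g.privilege == "admin":
        reasons.append("admin")
    if g.physical:
        reasons.append("physical")
    return tuple(reasons)


def build_campaign(grants, today: date) -> list:
    """Select in-scope grants and flag those with no attestation inside the window."""
    items = []
    for g in grants:
        reasons = scope_reasons(g)
        if not reasons:
            continue
        overdue = g.last_attested is None or today - g.last_attested > REVIEW_WINDOW
        items.append(ReviewItem(g, reasons, overdue))
    return items


def apply_decisions(grants, decisions: dict, today: date):
    """Apply reviewer verdicts keyed by (user, resource).

    Approved grants are re-stamped with today's attestation date; rejected or
    unreviewed in-scope grants are revoked, with the reason recorded for audit.
    Out-of-scope grants pass through unchanged.
    """
    kept, revoked = [], {}
    for g in grants:
        if not scope_reasons(g):
            kept.append(g)
            continue
        key = (g.user, g.resource)
        verdict = decisions.get(key)
        if verdict is True:
            kept.append(replace(g, last_attested=today))
        elif verdict is False:
            revoked[key] = "rejected by reviewer"
        else:
            revoked[key] = "no decision recorded"
    return kept, revoked


# Constructed sample data (assumed names, resources and dates).
SAMPLE_TODAY = date(2024, 4, 1)
SAMPLE_GRANTS = [
    Grant("alice", "cui-share", "read", True, last_attested=date(2024, 1, 10)),
    Grant("bob", "cui-share", "admin", True),                          # never attested
    Grant("carol", "wiki", "read", False),                             # out of scope
    Grant("dave", "build-server", "admin", False, last_attested=date(2024, 3, 1)),
    Grant("erin", "scif-door-group", "member", False, physical=True,
          last_attested=date(2023, 12, 1)),
]
SAMPLE_DECISIONS = {
    ("alice", "cui-share"): True,
    ("bob", "cui-share"): False,
    ("dave", "build-server"): True,
    # erin: reviewer never responded, so the grant is revoked by default
}


def run_sample(today: date = SAMPLE_TODAY):
    campaign = build_campaign(SAMPLE_GRANTS, today)
    kept, revoked = apply_decisions(SAMPLE_GRANTS, SAMPLE_DECISIONS, today)
    return campaign, kept, revoked


if __name__ == "__main__":
    campaign, kept, revoked = run_sample()
    for item in campaign:
        flag = "OVERDUE" if item.overdue else "ok"
        print(f"review {item.grant.user}@{item.grant.resource} {item.reasons} {flag}")
    for key, why in revoked.items():
        print(f"revoke {key[0]}@{key[1]}: {why}")
```

The default-deny branch in apply_decisions is the part worth copying: a grant nobody attested to is treated the same as a rejected one, so silence from a reviewer cannot leave CUI or admin access in place.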
YouAttest is an automated user access review tool that helps organizations analyze and monitor user access policies – especially around CUI (Controlled Unclassified Information) which is covered under NIST 800-171. With YouAttest, companies can trust that they are in compliance with 800-171 for identity attestation and that CUI is only accessed by authorized identities.