CMMC Requirements: Level Three

Now we enter the most nebulous category of CMMC 2.0 requirements: level three. While we know where the requirements will come from, we don’t know exactly how many will be added from the NIST 800-172 publication. While there are potentially as many as 35 new controls to be added, I am expecting the final number to come to around 20, spread across the various subcategories. Speaking of which, there are no new requirements in the categories of audit and accountability, maintenance, media protection, and physical protection so Level 3 adds to 10 of the categories from the previous level. And now I think all that is left to do is to tackle those 10 categories to wrap up what the CMMC 2.0 Level 3 requirements look like.

Access control has potentially three new controls, two of which fit into the idea of least privilege where measures are put into place so that only necessary users/systems can access sensitive data. The third control is particularly interesting: dual authorization. While this may seem like multifactor authentication at first, it is actually a control that provides resistance to social engineering. A couple of examples of this would be implementing and enforcing policies that require approval from a second person before new access is granted to sensitive data, or two people are required to approve a change of bank accounts for a client. The latter scenario has been used many times by an attacker pretending to be a vendor to get money transferred to an account they control.

Awareness and Training

There are two new controls here, both aimed at enhancing the training already being provided by the previous levels. I wouldn’t be surprised to see both of these being included in the final requirements.

Configuration Management

Configuration management also brings a potential three controls, all being aimed at documenting and monitoring system components with two requiring the process to be automated. This is another area where I would expect at least two controls to be required.

Identification and Authentication

Three more potential controls are added in the identification and authentication category. I expect the first requirement, where network connections are only made after bidirectional authentication, to be included here. The other two include password management of systems that can’t employ MFA and the limiting of ways that components can be connected to the secured network.

Incident Response

Incident response has two new requirements, both of which I consider to be pretty heavy lifts over previous controls. The first is the establishment of a SOC (security operations center) and the second is the establishment of an incident response team. While these may already be a part of larger companies, they could be a large undertaking for smaller organizations. If these are added requirements, I hope that they will allow for third parties to provide the services, as that will lower the barrier to entry.

Requirements for enhanced screening procedures of approved individuals, and contingency plans for such individuals to have access to sensitive data revoked are in the personnel security category. Due to the human element being such a critical factor, I see both of these as likely entrants into the requirement list.

Risk Assessments

Tied for the most number of new controls is risk assessments with seven. Due to this number, I don’t see a way that at least some of these controls aren’t included for level three. Two controls are intended to address supply chain risks, two are for documenting and assessing security solutions, one has automation requirements that tie in with the SOC requirement, one is for threat information collection, and probably the most difficult to implement control is the periodic threat hunting activities.

Security assessment requires that penetration tests be performed. I strongly suspect that this requirement will be included.

System and Communication Protection

System and communication protection brings in 5 controls, so I would expect to see at least one or two of these as requirements, although these controls are a bit less typical. Interestingly, two of the controls seem to be focused somewhat on a “security by obscurity” approach. Another continues with the trickery, with the potential of honeypots being used as part of an organization’s security plan with another calling for the creation of a “moving target” environment. The most typical control involves the physical and/or logical segmentation of systems and components.

System and Information Integrity

Finally, we are at the second set of 7 new controls with system and information integrity. One of the most important things for any organization, CMMC or not, that is included in these controls is for the periodic review of sensitive data and removal of what is no longer needed. Several more controls involve monitoring and review of components for changes and integrity. And finally there is a control for periodically refreshing systems from a known and trusted state.

So there we have it, a brief summary of all three levels of CMMC. Next, I plan on discussing what could be expected for the required assessments for all three levels.