The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity controls framework developed by the United States Department of Defense (DoD), released in January 2020 with the intent to protect the confidentiality, integrity, and availability of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in Defense Industrial Base (or U.S. Government contractors and subcontractors) companies' custody. CUI is "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." Similarly, FCI refers to "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments."
Overall, CMMC aims to ensure Defense Industrial Base (DIB) companies implement good cybersecurity practices and processes to protect FCI and CUI processed, transmitted, and stored within non-Government IT networks and systems (or unclassified networks). At a high level, CMMC consists of five cumulative levels of cybersecurity processes and practices structured as a progressive framework as follows:
Consequently, organizations handling FCI require a CMMC level 1 certification, while companies that store, process, or transmit CUI need a CMMC level 3 certification. The DoD is currently following a phased approach to implement CMMC, beginning with only 15 Prime acquisitions in 2021 and 475 by 2025. However, any organization seeking to do business with the DoD will eventually need to have an appropriate CMMC certification if it hopes to be awarded a DoD contract for which CMMC is a requirement. Hence, organizations should start planning their CMMC compliance efforts early and implement procedural and technical security controls needed to fulfill their business objectives while complying with the Government's rules.
This blog series demonstrates how organizations can use Gigasheet as a tool to meet their CMMC Level 3 compliance obligations, with the aim of providing helpful information and context. The first part of this blog series identifies the CMMC Level 3 practices within the Audit and Accountability and Situational Awareness domains that Gigasheet addresses. The second part of this blog will show a real-world application of the identified CMMC Level 3 practices to demystify the CMMC compliance standard. Please keep in mind that this blog does not constitute CUI guidance.
CMMC level 3 consists of 130 practices spread across 17 security domains. Eleven of those are within the Audit and Accountability security domain, while only one is within the Situational Awareness domain.
Audit and Accountability Domain
Audit and accountability refers to the process of reconstructing, from start to finish, the sequence of actions leading to a specific security-related occurrence within a system or network, so that those actions can be attributed accurately and in a timely manner.
There are eleven CMMC level 3 Audit and Accountability practices, as summarized in Table 1, all of which can be fully or partially addressed with Gigasheet through process implementations.
Table 1 – Summary of CMMC Level 3 Audit and Accountability Practices
AU.2.041 - Ensure the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Tracking system actions to an individual relies on system logs containing sufficient information to enable attribution, such as user ID, source and destination IP addresses, and timestamps. While this practice applies exclusively to operating systems, devices, and applications, Gigasheet can help implement procedures to identify missing information in system logs. For example, you could upload a web proxy log file to Gigasheet and quickly observe that the source IP address field is missing by simply looking at the available columns within the sheet.
AU.2.042 - Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
While Gigasheet does not generate logs intrinsically, it can store and archive large audit log volumes from multiple systems, making them readily available to security analysts to monitor, analyze, investigate, and report unusual or suspicious system activities. Gigasheet as a long-term log storage solution can help organizations meet their data retention requirements and significantly increase log management efficiencies due to Gigasheet's hot storage architecture. Users can store and combine as many uncompressed files as they want, performing fast on-demand analysis without the performance limitations imposed by hot-warm-cold storage architectures.
AU.2.043 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
Like AU.2.041, this practice applies exclusively to operating systems and devices. However, Gigasheet's time cleanup feature can convert timestamps in log files to a standard time zone and time format, providing time consistency across multiple log files.
AU.2.044 - Review audit logs.
Reviewing audit logs with Gigasheet is fast and straightforward. Users can perform on-demand analysis of multiple log files with zero performance limitations. Users can also use Gigasheet's built-in functions to summarize data or find the "needle in the haystack," such as grouping and splitting columns, converting timestamps to a standard format and time zone, and performing cross-file searches.
AU.3.045 - Review and update logged events.
Practice AU.3.045 requires organizations to regularly re-evaluate systems' logged security events and determine which events need to be added, modified, or deleted. Many organizations re-evaluate systems' logged events following major security incidents, when changes to the IT infrastructure occur, or at a specified frequency, such as bi-annually or quarterly.
Identifying missing security events or log sources is possible through Gigasheet's timeline feature. Users can create event timelines by grouping log files from different sources to chronologically reconstruct the actions leading to a particular incident or to proactively hunt for threats. Doing so can quickly reveal missing log sources when timelines cannot be fully reconstructed. Similarly, Gigasheet's column grouping feature can promptly show overly chatty events that may need to be adjusted or disabled.
AU.3.046 - Alert in the event of an audit logging process failure.
Gigasheet cannot alert when audit logging processes fail because it is not designed to receive logs in real-time. However, Gigasheet can help implement manual procedures to identify when log sources stop generating security events. For example, you could extract log files from a log server into Gigasheet and use the column grouping feature to identify log sources with low log volume, potentially indicating that the log source stopped sending events to the log server at some point.
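The two manual checks described under AU.2.041 (spotting a missing attribution column in a proxy log) and AU.3.046 (grouping by log source to find sources whose volume has dropped) are shown below as an added example. This is not Gigasheet's code; the sheet's column view and column-grouping features are emulated with the Python standard library over constructed sample CSV data, and the required-field list, the per-source thresholds and the source/host names are assumptions chosen for the illustration.

```python
"""Log coverage checks: required attribution fields (AU.2.041) and
silent or low-volume log sources (AU.3.046). Added example over
constructed data; not Gigasheet's code."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: a web proxy export that lacks a source IP column.
PROXY_CSV = """timestamp,user,dst_ip,url,status
2024-03-01T10:00:00Z,alice,203.0.113.5,http://example.test/a,200
2024-03-01T10:00:05Z,bob,203.0.113.9,http://example.test/b,403
"""

# Fields needed to trace an action to an individual (assumed minimum set,
# based on the examples the practice text gives: user ID, IPs, timestamp).
REQUIRED_ATTRIBUTION_FIELDS = ("timestamp", "user", "src_ip", "dst_ip")


def missing_attribution_fields(csv_text, required=REQUIRED_ATTRIBUTION_FIELDS):
    """Return the required columns that are absent from the CSV header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = set(reader.fieldnames or [])
    return [field for field in required if field not in header]


# Constructed sample: an export from a central log server, one row per event,
# with a column naming the originating log source (hostnames are assumptions).
SERVER_CSV = """timestamp,source,message
2024-03-01T09:00:00Z,fw-01,accept
2024-03-01T09:05:00Z,fw-01,deny
2024-03-01T09:10:00Z,fw-01,accept
2024-03-01T09:15:00Z,dc-01,logon
2024-03-01T09:20:00Z,fw-01,accept
2024-03-01T09:25:00Z,dc-01,logoff
2024-03-01T09:30:00Z,fw-01,deny
2024-03-01T08:00:00Z,vpn-01,connect
"""


def source_volume(csv_text, source_col="source"):
    """Group rows by log source: event count and last-seen time per source.
    This is the column-grouping step done by hand."""
    counts = Counter()
    last_seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row[source_col]
        counts[src] += 1
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    return counts, last_seen


def silent_sources(csv_text, now, max_gap=timedelta(hours=1), min_events=2):
    """Flag sources with fewer than `min_events` rows or with no event within
    `max_gap` of `now`; either suggests the source stopped sending at some point.
    Thresholds are assumptions and should follow the expected volume per source."""
    counts, last_seen = source_volume(csv_text)
    flagged = {}
    for src, n in counts.items():
        reasons = []
        gap = now - last_seen[src]
        if n < min_events:
            reasons.append(f"only {n} event(s)")
        if gap > max_gap:
            reasons.append(f"last event {gap} before review time")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    print("missing attribution fields:", missing_attribution_fields(PROXY_CSV))
    review_time = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
    for src, why in silent_sources(SERVER_CSV, review_time).items():
        print(f"{src}: {'; '.join(why)}")
```

A source that appears in no row at all cannot be flagged by grouping alone; compare the grouped source list against the inventory of systems that are expected to log, which is what the AU.3.045 review of logged events provides.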
AU.3.048 - Collect audit information into one or more central repositories.
In addition to being a spreadsheet for incident response and threat hunting, Gigasheet is also a file repository and can aggregate and store audit logs centrally in a standard format (CSV).
AU.3.049 - Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Gigasheet employs robust access control and data security safeguards to preserve the confidentiality, integrity, and availability of users' files. Gigasheet assigns read-only permissions by default to any file uploaded to the platform, preventing anyone from modifying file contents. However, users can change column header names without affecting the integrity of the log files. Gigasheet provides users with multi-factor authentication on their accounts to protect against password-based threats, such as brute force or credential stuffing attacks. For enterprises, Gigasheet can be configured to support per-file deletion protection to reduce the risk of accidentally deleting critical files.
AU.3.050 - Limit management of audit logging functionality to a subset of privileged users.
Gigasheet's enterprise-level configuration can support role-based access controls, enabling organizations to define groups of users and assign permissions based on their unique requirements. For example, an organization might set up access permissions that allow some users to read any log file but prevent them from deleting or sharing files.
AU.3.051 - Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Using Gigasheet's timeline feature, users can upload files from different log sources and create correlated event timelines. The timeline of events is displayed as a separate sheet, enabling users to analyze multiple data sources from a single-pane view. Additionally, Gigasheet now lets you combine multiple files with identical columns, enabling the analysis of months' or even years' worth of logs. For example, you can upload various rotated log files to Gigasheet and use the Combine function to create a single file containing all rotated files.
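The time cleanup step from AU.2.043 (converting timestamps in different formats and time zones to one standard form) and the Combine and timeline steps from AU.3.051 (merging rotated files with identical columns, then ordering events from several sources chronologically) depend on each other, so they are shown together below as one added example. This is not Gigasheet's code: the three timestamp layouts, the fixed UTC-5 zone assumed for the source that logs naive local time, and the sample proxy and firewall rows are all constructed for the illustration.

```python
"""Timestamp normalization to UTC (AU.2.043) and merging rotated log files
into one chronological timeline (AU.3.051). Added example over constructed
data; not Gigasheet's code."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Timestamp layouts seen in the constructed exports: (strptime format, zone to
# assume when the string carries no offset). A source that logs naive local
# time is assumed here to sit at fixed UTC-5; a DST-observing site would use
# zoneinfo.ZoneInfo instead of a fixed offset.
ASSUMED_LOCAL_ZONE = timezone(timedelta(hours=-5), "UTC-5")
FORMATS = [
    ("%Y-%m-%dT%H:%M:%S%z", None),               # ISO 8601 with offset or Z
    ("%d/%b/%Y:%H:%M:%S %z", None),              # web server access log style
    ("%Y-%m-%d %H:%M:%S", ASSUMED_LOCAL_ZONE),   # naive local time
]


def to_utc(raw):
    """Parse `raw` with the first layout that fits and return an aware UTC datetime."""
    text = raw.strip()
    if text.endswith("Z"):            # older strptime versions reject a bare 'Z'
        text = text[:-1] + "+0000"
    for fmt, zone in FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:         # naive: attach the assumed zone
            dt = dt.replace(tzinfo=zone)
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp: {raw!r}")


# Constructed rotated proxy log files sharing one header, plus a firewall
# export whose rows use two different time layouts.
PROXY_LOG_1 = """timestamp,user,url
2024-03-01T10:00:00Z,alice,http://example.test/a
2024-03-01T10:02:00Z,bob,http://example.test/b
"""
PROXY_LOG_2 = """timestamp,user,url
2024-03-01T10:04:00Z,alice,http://example.test/c
"""
FIREWALL_LOG = """time,action,dst
01/Mar/2024:05:01:00 -0500,deny,203.0.113.5
2024-03-01 05:03:00,accept,203.0.113.9
"""


def combine(files):
    """Concatenate CSV texts that share a header (the Combine step, emulated).
    Refuses files whose columns differ, because rows would silently misalign."""
    rows, header = [], None
    for text in files:
        reader = csv.DictReader(io.StringIO(text))
        if header is None:
            header = reader.fieldnames
        elif reader.fieldnames != header:
            raise ValueError("column mismatch: files cannot be combined")
        rows.extend(reader)
    return rows


def timeline(sources):
    """sources: list of (source_name, rows, time_column).
    Returns (utc_iso, source_name, detail) tuples sorted by UTC time."""
    events = []
    for name, rows, col in sources:
        for row in rows:
            stamp = to_utc(row[col]).isoformat()
            detail = ", ".join(f"{k}={v}" for k, v in row.items() if k != col)
            events.append((stamp, name, detail))
    events.sort()
    return events


if __name__ == "__main__":
    proxy_rows = combine([PROXY_LOG_1, PROXY_LOG_2])
    for stamp, name, detail in timeline([("proxy", proxy_rows, "timestamp"),
                                         ("firewall", combine([FIREWALL_LOG]), "time")]):
        print(stamp, name, detail)
```

Sorting on the ISO-8601 UTC string is only safe because every entry has been normalized first; mixing offsets in the sort key is exactly the inconsistency the time cleanup step exists to remove.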
AU.3.052 - Provide audit record reduction and report generation to support on-demand analysis and reporting.
Audit record reduction refers to summarizing and organizing data to provide a more meaningful view, which is possible in Gigasheet using robust filters, column grouping, and charting and diagramming tools.
Situational Awareness Domain
Situational awareness refers to the process of using real-world threat information to inform and support decision-making processes. Within CMMC Level 3, there is only one Situational Awareness practice as outlined in Table 2.
Table 2 – Summary of CMMC Level 3 Situational Awareness Practices
SA.3.169 - Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
Gigasheet has manual and automated methods to integrate threat intelligence data into the security events management process. Gigasheet's built-in threat intelligence feed Enrichments allow you to automatically enrich data elements within different file columns, such as IP addresses and file hashes. Gigasheet also allows users to integrate with other third-party threat intelligence feeds, such as VirusTotal, Recorded Future, GreyNoise and more coming in the future.
Suppose you receive threat intelligence via email from US-CERT or similar groups. In that case, you can quickly ingest this data manually into Gigasheet by creating CSV files of the threat data of interest and using Gigasheet's cross-file lookup feature to detect malicious or suspicious activity within your log files.
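The manual path just described, an indicator CSV built from an advisory and looked up against a log file, is shown below as an added example. It is not Gigasheet's code; the indicator file, the proxy log and the mapping of indicator types to log columns are constructed for the illustration (the addresses and domain are documentation ranges, and the hash is a placeholder), and the lookup emulates the cross-file lookup feature with the Python standard library.

```python
"""Cross-file lookup of threat-intelligence indicators against a log file
(SA.3.169). Added example over constructed data; not Gigasheet's code."""
import csv
import io
from collections import Counter

# Constructed indicator file, as an analyst might assemble from an advisory email.
# The hash is a placeholder (SHA-256 of the empty string), not a real indicator.
IOC_CSV = """indicator,type,source,note
198.51.100.23,ipv4,advisory-2024-03,C2 address
bad.example.test,domain,advisory-2024-03,phishing landing page
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256,advisory-2024-03,dropper (placeholder hash)
"""

# Constructed proxy log; the third row carries the hash in upper case to show
# that case-insensitive matching is needed for hashes and domains.
PROXY_CSV = """timestamp,user,src_ip,dst_ip,host,sha256
2024-03-01T10:00:00Z,alice,10.0.0.5,203.0.113.5,www.example.test,
2024-03-01T10:01:00Z,bob,10.0.0.6,198.51.100.23,bad.example.test,
2024-03-01T10:02:00Z,carol,10.0.0.7,203.0.113.9,cdn.example.test,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

# Which log columns each indicator type is compared against (assumed log layout).
COLUMNS_BY_TYPE = {
    "ipv4": ("src_ip", "dst_ip"),
    "domain": ("host",),
    "sha256": ("sha256",),
}


def load_indicators(csv_text):
    """Index indicators by type, with values lower-cased and stripped so that
    case or stray whitespace in either file cannot hide a match."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["indicator"].strip().lower()
        index.setdefault(row["type"].strip().lower(), {})[key] = row
    return index


def lookup(log_csv, ioc_csv, columns_by_type=COLUMNS_BY_TYPE):
    """Return one hit per (log row, column) whose value equals an indicator of
    the matching type. Columns missing from the log are skipped, not errors."""
    index = load_indicators(ioc_csv)
    hits = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        for ioc_type, cols in columns_by_type.items():
            for col in cols:
                value = (row.get(col) or "").strip().lower()
                if value and value in index.get(ioc_type, {}):
                    ioc = index[ioc_type][value]
                    hits.append({
                        "timestamp": row["timestamp"],
                        "user": row["user"],
                        "column": col,
                        "indicator": ioc["indicator"],
                        "source": ioc["source"],
                        "note": ioc["note"],
                    })
    return hits


def hits_by_user(hits):
    """Summarize hits per user, the shape a stakeholder report usually needs."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    for hit in lookup(PROXY_CSV, IOC_CSV):
        print(hit)
    print(hits_by_user(lookup(PROXY_CSV, IOC_CSV)))
```

Exact matching is deliberate: an IP indicator should not fire on a CIDR neighbour and a domain indicator should not fire on every subdomain unless the advisory says so, and those broader rules are better added explicitly than hidden in a substring search.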
Create your own Gigasheet account here.