How to keep the conversation going when you talk about audits and CMMC security configurations

If you’re looking to clear out a room at a party, utter the word “audit.” While audits are necessary for holding organizations accountable, they require a lot of time and paperwork. When looking to meet and maintain compliance with the Cybersecurity Maturity Model Certification (CMMC), the bigger problem is that the landscape continuously changes. Today’s controls can change by tomorrow if cybercriminals find a new way to use common vulnerabilities and exposures (CVEs). Leveraging automation to maintain CMMC security configurations for continuous assurance reduces audit costs and increases employee productivity.

What are security configurations?

Security configurations and security baselines are technical configuration settings that technology manufacturers suggest organizations implement to prevent cybercriminals from infiltrating devices, systems, networks, and software. For example, your organizations might use Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) or Center for Internet Security (CIS) Benchmarks.

These low-level technical controls are difficult to manage manually. Generally, the low-level technical configurations are maintained in a firmware repository or software databases. Often, organizations use security content automation protocol (SCAP) tools to manage these configurations. SCAP-validated tools can read the configurations, scan your environment, and identify out-of-compliance configurations.

What is the risk if you have out-of-compliance security configurations?

Security configurations help you prevent malicious actors from using CVEs to infiltrate your environment. CVEs, or common vulnerabilities and exposures, are known flaws that security researchers identify. After identifying the flaw, the security researchers inform the manufacturer, who then releases a security patch update. Once the manufacturer has released the security update, the CVE can be publicly listed.

Once a CVE is made public, malicious actors can use these to look for security vulnerabilities in an organization’s IT stack. This is why patching cadence, or the time it take a company to install security patches, is essential to their security posture. Best practices are to apply critical security patches within 30 days of the update’s release.

Why is maintaining and documenting security configurations difficult?

Not only is maintaining security configurations difficult, but complex IT infrastructures make documenting compliance activities cumbersome. Often, organizations that managing security configurations manually document waivers in spreadsheets which makes collecting audit documentation time-consuming.

Difficult to prioritize

Many companies struggle to maintain security configurations because updates come in different forms. Some types of patches include:

• Hotfix
• Point release
• Program temporary fix
• Security
• Service pack

While a security patch might be a high priority, a point release might address several software errors, called bugs, or a program as a temporary fix might respond to a single bug. These bugs often impact usability rather than security.

Because so many types of patches exist, understaffed IT departments can struggle to prioritize the patches if they don’t have visibility into criticality.