Why CMMC security baselines are so important
As you start to figure out how to get your company CMMC compliant, you have probably noticed that establishing low-level controls that meet the high-level requirements is far more complicated than you realized. You know that the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is a primary guiding document. However, none of this gives you the roadmap you need to understand how to set these technical controls. Setting CMMC security baselines is a fundamental step toward getting compliant, and automating continuous control compliance is how you stay compliant.
What does CMMC say about setting security baselines?
Anyone who needs to meet a CMMC Level beyond Level 1 needs to create the appropriate documentation for configuration management. According to the CMMC Assessment Guide Level 3, a fundamental control for Level 2 compliance is Configuration Management (CM) 2.061. CMMC Level 2 is the stepping stone to Level 3, and CM.2.061 states that organizations must:
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
This control maps to NIST SP 800-171, but that publication only sets out basic processes for determining whether a baseline is set and whether it has the correct governance and documentation.
Reading through the complex regulatory web of internal references, you can go from NIST SP 800-171 to NIST SP 800-53 to NIST 800-128 and NIST 800-70. It’s these last two publications that walk you through the process of setting the appropriate baselines and configurations.
3 steps to setting CMMC security baseline configurations
Now that you know where the primary documentation lives, you can start getting into the exact details around setting your security configurations. Heading over to NIST SP 800-70 gives you some fundamental steps to take when setting these baselines.
Determine Local Requirements
Before you can start putting controls in place, you need to know where your security risks are and define threats you need to mitigate. According to NIST, the risk mitigation methodology should include:
- Identify functional needs: understanding how end-users will use the product helps define the security needs
- Identify threats and vulnerabilities: identifying the potential threat sources that apply to a specific IT product or system helps set baseline controls
- Identify security needs: determining security controls that minimize or eliminate threats better secures systems, networks, and software
Browse and Retrieve Checklists
Once you determine the local requirements, you can start collecting information about securing your environment. The NIST Checklist Repository contains all the checklists available for download. You can process these checklists with Security Content Automation Protocol (SCAP)-validated products. NIST categorizes checklists based on content type, like:
- Prose: narrative descriptions for manually configuring a product
- Automated: documented in a machine-readable format but does not fully conform to SCAP requirements
- SCAP Content: machine-readable, standardized SCAP format that SCAP-validated products can process
Although you can use any of these three content types to set your baselines, SCAP-expressed checklists make it easier to consistently and efficiently maintain low-level security controls.
Apply Checklists to IT Products
Finally, you apply the checklists by either modifying the product’s settings or verifying existing settings. Some best practices include:
- Test in a non-operational environment to minimize any conflicts that can lead to downtime
- Review the Rollback Capability field to determine whether you can revert to the original configuration
- Back up the original configuration before making any changes
- Back up all critical data files in case you need to restore the system to pre-checklist configurations
- Verify, after reviewing and testing, that product settings have not been inadvertently altered
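The apply-and-verify cycle above can be exercised on a small scale without any vendor tooling. The following Python is an added example, not SteelCloud's software and not real SCAP or XCCDF content: it uses a constructed checklist of four sshd_config-style settings (the rule ids, the `rollback` field and the sample configuration are all invented for illustration), backs up the original file before touching it, reports which settings deviate from the baseline, rewrites the configuration to match, and then re-runs the same check as the verification step.

```python
"""Baseline apply-and-verify on a config file (added example, constructed data)."""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed checklist (NOT real SCAP content). Each rule names a setting,
# the required value, and whether the change can be rolled back automatically.
# The "rollback" field is an assumption modelled on the checklist repository's
# "Rollback Capability" idea, not an actual repository field.
BASELINE = [
    {"id": "ssh-01", "key": "PermitRootLogin", "expected": "no", "rollback": True},
    {"id": "ssh-02", "key": "PasswordAuthentication", "expected": "no", "rollback": True},
    {"id": "ssh-03", "key": "Protocol", "expected": "2", "rollback": True},
    {"id": "ssh-04", "key": "MaxAuthTries", "expected": "4", "rollback": True},
]

# Constructed sample standing in for a deployed sshd_config.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
"""

_SETTING = re.compile(r"(\S+)\s+(.+)$")


def parse_settings(text):
    """Return {key: value} for active 'Key value' lines; comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def check_baseline(text, baseline=BASELINE):
    """Compare settings in `text` against the baseline and return the findings.

    A commented-out setting counts as missing, because the product will not
    apply it; a present-but-different value is reported as a deviation.
    """
    settings = parse_settings(text)
    findings = []
    for rule in baseline:
        actual = settings.get(rule["key"])
        if actual is None:
            findings.append({"id": rule["id"], "key": rule["key"], "status": "missing",
                             "expected": rule["expected"], "actual": None})
        elif actual != rule["expected"]:
            findings.append({"id": rule["id"], "key": rule["key"], "status": "deviates",
                             "expected": rule["expected"], "actual": actual})
    return findings


def apply_baseline(text, baseline=BASELINE):
    """Return the config text with every baseline value enforced.

    Active lines for a baseline key are rewritten in place; keys that are
    absent or only present as comments are appended at the end.
    """
    required = {r["key"]: r["expected"] for r in baseline}
    seen, out = set(), []
    for line in text.splitlines():
        stripped = line.strip()
        m = _SETTING.match(stripped) if stripped and not stripped.startswith("#") else None
        if m and m.group(1) in required:
            out.append(f"{m.group(1)} {required[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for key, value in required.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def backup_apply_verify(path, baseline=BASELINE):
    """Back up the original file, write the remediated config, then verify.

    Returns (findings_before, findings_after, backup_path). A non-empty
    findings_after means the applied settings did not take and the backup
    should be restored.
    """
    path = Path(path)
    backup = path.with_name(path.name + ".pre-baseline.bak")
    shutil.copy2(path, backup)  # always keep the original before changing it
    original = path.read_text()
    before = check_baseline(original, baseline)
    path.write_text(apply_baseline(original, baseline))
    after = check_baseline(path.read_text(), baseline)  # verification step
    return before, after, backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "sshd_config"
        cfg.write_text(SAMPLE_CONFIG)
        before, after, backup = backup_apply_verify(cfg)
        for f in before:
            print(f"{f['id']} {f['key']}: {f['status']} (expected {f['expected']}, got {f['actual']})")
        print("verification:", "clean" if not after else f"{len(after)} finding(s) remain")
```

Running the block on the constructed sample reports three findings (root login allowed, password authentication not actively set, MaxAuthTries too high) and a clean verification after remediation; pointing `backup_apply_verify` at a real file is what turns the one-off check into the repeatable verification the checklist process calls for.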
SteelCloud: SCAP-Validated Security Baseline Automation
SteelCloud’s patented compliance software suite automates the security baseline configuration process, saving you time and money as you try to meet CMMC compliance requirements. Our solution automates scanning and remediation while providing compliance reporting so you can document all your compliance activities in a single location.