In this third and final post, Zscaler and C3 Integrated Solutions not only re-examine the workflow between CMMC and Zero Trust, but also the real-world perspective. We focus here on the operational cyber and compliance perspective of what to expect when the rubber meets the road—and actually doing the work to implement CMMC. Zero Trust is a contemporary method for securing infrastructure that goes beyond just protecting data. When combined with the controls of CMMC, it can provide a clear path to achieving security and efficiency.

As we speak, Organizations Seeking Assessment (OSAs) are learning they can meet CMMC’s cybersecurity and compliance requirements by following the steps to build a Zero Trust Architecture:

1. Define the Protect Surface
2. Map the Transactional Flows
3. Build an Architecture
4. Create Enforcement Policies
5. Monitor and Maintain the Network

A cloud-first approach is the most effective way to implement, simplify, and secure Zero Trust and CMMC architectures and requirements. Owing to Cloud Service Providers’ (CSPs) native ability to scale resources, incorporating Security-as-a-Service (SECaaS) into CMMC and Zero Trust environments is even more important, as they can easily resist cyber threats and dynamically ramp up data and threat protection.

Start with Design to Define Your Protect Surface

Even if you’re not building from scratch, your CMMC approach should start with an examination of system design, identifying the security engineering principles and software development procedures that promote effective cyber security (SC.L2-3.13.2). Starting with system design ensures that security is built into the architecture from the ground up, rather than being retrofitted later—a common challenge in CMMC implementation. Define and document architecture designs and software development practices that support information security, and then show how you employ them, rather than deploying a system and then going back to define the architecture.
Defining the protect surface enables the next essential step in CMMC implementation: mapping transactional flows—in layman’s terms, understanding how Controlled Unclassified Information (CUI) moves through an organization’s systems (AC.L2-3.1.3). Moreover, defining the “protect surface” enables OSAs to identify where CUI is processed, stored, and transmitted. It is critical to define both external and internal boundaries, as CMMC requires organizations to monitor and control access at these points (SC.L2-3.13.1).

Mapping Transactional Flows and Scoping

Start with understanding how CUI will flow through the organization with a CUI data flow diagram. From there, the focus can shift to understanding and establishing policy enforcement points (PEPs). In this stage people tend to get caught up in what constitutes “remote access” in CMMC security requirements such as AC.L2-3.1.14. Just as “identity as the perimeter” works in Zero Trust, CMMC describes identity-based access as encrypted, authenticated, and explicitly authorized access via managed access control points. “External systems” tends to be another fuzzy term for organizations looking to achieve compliance with security requirements such as AC.L2-3.1.20. The meaning of “external” in this context is systems that are completely outside of organizational control. To simplify compliance here, limit connections to external systems by using SASE to enforce organizational policies.

Building the Right Architecture

Once the protect surface and transactional flows are mapped, the next step is to build the system architecture. An enclave approach, which isolates sensitive data and systems from the broader IT environment, is a common strategy for protecting CUI. This approach can also help navigate around technical debt. However, an enclave only works if you can fit your CUI operational processes within the enclave.
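As an added example that is not part of the post, the scoping questions raised in the mapping and architecture sections above (which CUI flows cross a boundary and therefore need a PEP, which of those lack encrypted, authenticated and explicitly authorized access, which touch external systems, and which CUI-handling components still sit outside the enclave) expressed as checks over a constructed flow inventory; all system names and zones are made up.

```python
from dataclasses import dataclass

# Constructed sample flow inventory (not from the post). Zones: "enclave" is the
# protect surface, "corp" is internal but outside the enclave, "remote" is an
# off-site user endpoint, "external" is wholly outside organizational control.
@dataclass(frozen=True)
class Flow:
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    carries_cui: bool
    encrypted: bool = False
    authenticated: bool = False
    authorized: bool = False  # explicit policy decision at a managed access point

FLOWS = [
    Flow("laptop-eng", "remote", "cad-server", "enclave", True, True, True, True),
    Flow("laptop-eng", "remote", "file-share", "corp", True, True, True, False),
    Flow("cad-server", "enclave", "cloud-pdm", "external", True, True, True, True),
    Flow("cad-server", "enclave", "mail-gw", "enclave", True),
    Flow("hr-app", "corp", "payroll-saas", "external", False, True, True, True),
]

def crosses_boundary(f: Flow) -> bool:
    return f.src_zone != f.dst_zone

def required_peps(flows):
    """Every CUI flow that crosses a zone boundary needs a policy enforcement point."""
    return [f for f in flows if f.carries_cui and crosses_boundary(f)]

def enforcement_gaps(flows):
    """Boundary-crossing CUI flows not encrypted, authenticated and explicitly authorized."""
    return [f for f in required_peps(flows)
            if not (f.encrypted and f.authenticated and f.authorized)]

def external_cui_connections(flows):
    """CUI exchanged with external systems: each connection is one to limit or justify."""
    return [f for f in flows
            if f.carries_cui and "external" in (f.src_zone, f.dst_zone)]

def outside_enclave(flows):
    """Corporate-zone components that handle CUI: the enclave does not yet fit the process."""
    comps = {name for f in flows if f.carries_cui
             for name, zone in ((f.src, f.src_zone), (f.dst, f.dst_zone))
             if zone == "corp"}
    return sorted(comps)
```

Each gap is a flow to either re-route through a managed access control point or to document as out of scope before the data flow diagram is finalized.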
FedRAMP Moderate or equivalent is required for external service providers (ESPs) that handle CUI.

Create Enforcement Policies

This area may be the strongest connection between Zero Trust and CMMC, as both are dependent on the principles of least privilege and least functionality. CMMC requirements often include “organizationally defined parameters,” which should be defined according to the system use and design. For example, the SI.L2-3.14.2 control requires organizations to “provide protection from malicious code at designated locations within organizational systems.” For a distributed workforce with an identity-based perimeter, these locations should extend beyond user endpoints to include the Security Service Edge, and potentially email gateways and other application gateways.

Monitor and Maintain

Building the system and passing the assessment is not the end state. Cybersecurity and compliance each require ongoing monitoring, maintenance, and tailoring. It is like having a baby; once it’s born you have to care for it for life. CMMC requires continuous visibility into system activity. Utilizing real-time monitoring tools and a security operations center (SOC) can help interpret and act on signals. Monitoring and maintaining your system is critical for both compliance and operational security.

Implementing Zero Trust Implements CMMC

CMMC requirements are not new; however, what CMMC brings to fruition is an enforcement mechanism for security requirements that have existed under DFARS for nearly a decade. Following Zero Trust frameworks provides a fantastic baseline for reaching CMMC compliance, but it’s not the full solution. One of the biggest challenges in CMMC implementation is documentation. A huge part of compliance is “showing your work” with documentation. The technology simply proves you are doing what you said you would do.
Organizations that take a proactive approach—starting with system design, mapping transactional flows, and building an architecture based on Zero Trust principles—will not only meet CMMC requirements but also improve their overall security posture.

For more on the connection between Zero Trust and CMMC, check out our part 1 (Cracking the CMMC Code Using Zero Trust) and part 2 (Achieving ROI in CMMC) blog posts and our implementation webinar.