
Always On Guard: Continuous Monitoring to Protect CUI & FCI

Written by Nick Alaga | Jul 14, 2025 2:45:00 PM

Cybercriminals never rest. Achieving CMMC certification doesn’t mean bad actors will stop trying to infiltrate your systems. What certification does show is your commitment to continuously protecting those systems, especially the ones that handle sensitive government data such as FCI and CUI.

In an earlier post, we discussed ongoing security and maintenance in order to remain CMMC-compliant beyond certification. We touched on continuous monitoring as one of the strategies for maintaining compliance. This post takes a closer look at continuous monitoring, why it’s important, and some ways you can implement it.

Why Continuous Monitoring Is Crucial

Continuous monitoring keeps you proactive, which is critical to cybersecurity. The reasons and resulting benefits are numerous.

  • Threat detection and response: By proactively monitoring for noncompliance issues, suspicious activity, and security breaches, you get a head start on identifying vulnerabilities in your systems, allowing you to remediate and reduce the likelihood of incidents. If an incident does occur, you detect it in real time, which means you can respond quickly and reduce damage.
  • Ongoing compliance: CMMC requires ongoing assessment of security controls, and continuous monitoring provides the necessary data to demonstrate compliance with the required standards. Also, as CMMC requirements change over time, continuous monitoring ensures you remain aware of your systems and how they function, making it easier to adapt to regulatory changes. Another consideration is that changes in your business situation—such as personnel, technologies, or procedures—can cause changes in your security situation. Continuous monitoring geared toward CMMC requirements ensures that you remain in compliance. The data resulting from your monitoring efforts can be used to document your ongoing compliance, which will be useful for audits and recertification assessments. See DoD CMMC Assessment Guide, Level 2, CA.L2-3.12.3 - Security Control Monitoring.
  • Enhanced cybersecurity posture: Continuous monitoring ensures a consistent evaluation of your organization’s security practices. Following up on the results is also critical. Regularly updating your security protocols based on monitoring results strengthens your overall security and keeps your organization resilient against cyberthreats. Continuous monitoring helps you better understand your security landscape and identify areas for improvement, so that you can evolve your security measures and stay ahead of evolving threats.
  • Culture of awareness: Building a culture of cybersecurity awareness is vital to the safety and success of any organization, and continuous monitoring can play a part in that effort. Communication regarding your company’s continuous monitoring efforts ensures your employees understand its importance, and targeted role-based training helps them with monitoring data relevant to their work, responding to threats accordingly, and engaging in overall security best practices.

What Continuous Monitoring Involves

Key activities for continuous monitoring include the following.

  • Use of automated monitoring tools: Automated tools are critical, as they make your monitoring truly continuous, and they provide detailed logs and reports for review and analysis. These tools can be used effectively in many areas.
    • Security information and event management (SIEM) tools can be used to collect, aggregate, and analyze security data from various sources, including authentication events, file access, administrative actions, and firewall logs, as well as to send alerts and take mitigating actions such as isolating affected systems. Some popular SIEM tools include Splunk, LogRhythm, IBM QRadar, and Microsoft Sentinel. Artificial intelligence (AI) is increasingly used to help SIEM tools analyze large amounts of data and flag behavior outside of baseline norms.
    • Intrusion detection systems (IDS) and intrusion prevention systems (IPS) work in tandem to protect your networks by detecting and preventing malicious activity in real time. An IDS monitors your network traffic for anomalies and suspicious activity, while an IPS actively blocks threatening actors from gaining access. Examples include Zeek, Palo Alto NGFW, Suricata, and Cisco Secure Firewall.
    • Endpoint detection and response (EDR) tools monitor the endpoints connected to your systems (client devices such as desktops, laptops, and mobile phones) for malware and suspicious behavior. They send alerts when suspicious activities occur and can automate or assist in removing threats. Commonly used EDR tools include CrowdStrike Falcon, SentinelOne, and Microsoft Defender.
  • Scheduled audits and reviews: Regular audits should be conducted to validate that your defined security practices are being followed correctly. Because auditing is a manual activity, you will need to rigorously ensure that audits are done regularly, as scheduled.
    • Analysis of automated tool audit logs: Even when using automated tools to monitor systems and send alerts when threats are detected, organizations should also manually review and analyze their audit logs for signs of suspicious activity or anomalous events. This should be done at least weekly.
    • Internal audit: Best practice is to conduct internal audits at least quarterly; they should cover access controls, configuration management, system integrity, and incident response, with particular emphasis on the systems that handle FCI or CUI. It is helpful to use a checklist that includes the requirements pertinent to your CMMC level. Be sure to log your findings and track any remediation that needs to be done. You should also ensure that your supporting documentation is up to date, including your System Security Plan, Plan of Action & Milestones, and Incident Response Plan.
    • Annual assessment: Conducting an annual assessment of your security controls helps you to maintain a strong cybersecurity posture. Engaging a third-party assessor can provide an objective evaluation and help identify potential vulnerabilities. If you anticipate needing CMMC Level 2 or 3 certification, consider scheduling a yearly mock assessment with an authorized C3PAO. This proactive approach increases your likelihood of passing the official assessment, ensures continued compliance, and highlights areas that may require improvement. It also helps ensure you're fully prepared when it’s time for recertification.
    • Policy review: At least once a year, you should review your security policies and make sure they are up to date based on any business process changes as well as any changes in process resulting from incidents or threats.
  • Documentation and evidence collection: The purpose of this activity is to prove your compliance via records and audit trails. Best practices include retaining audit logs for at least 90 days online and one year archived, reviewing and documenting users’ roles and permissions at least quarterly, and maintaining incident and response logs for all reported events. DFARS 252.204-7012 requires Defense Contractors to preserve all records of affected systems for 90 days after reporting a cyber incident to the DoD.
  • Feedback and continuous improvement: All the above activities should prompt continuous updates and improvements. A corrective action plan should be created after each audit or incident requiring remediation and should include a timeline, responsible parties, and scheduled follow-up. Management security briefings should be given at least monthly, so that top-level executives are aware of your organization’s compliance status and security risks. Employee training should also be updated periodically based on findings from incidents and audits.
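As an added illustration of the SIEM-style baseline checks and the weekly manual log review described above (example code written for this post, not a vendor's product or CyberNINES' own tooling), the script below runs a few simple rules over constructed audit lines: a successful login after repeated failures, a login from a host the user does not normally use, activity outside baseline working hours, and a read of the CUI share by a user who is not on the authorized list. The log format, user names, hosts and share path are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: "<ISO timestamp> <user> <event> <host> <detail>".
# The format, users, hosts and share path are illustrative, not a real product's.
SAMPLE_LOG = [
    "2025-07-07T09:02:11 alice LOGIN_OK ws-alice -",
    "2025-07-07T09:15:40 alice FILE_READ ws-alice /srv/cui/contract.docx",
    "2025-07-07T22:47:03 bob LOGIN_FAIL ws-bob -",
    "2025-07-07T22:47:09 bob LOGIN_FAIL ws-bob -",
    "2025-07-07T22:47:15 bob LOGIN_FAIL ws-bob -",
    "2025-07-07T22:47:20 bob LOGIN_OK ws-bob -",
    "2025-07-08T10:31:55 carol FILE_READ ws-carol /srv/cui/drawing.pdf",
    "2025-07-08T11:05:12 alice LOGIN_OK jump-host -",
]

# Constructed baseline: normal working hours, the hosts each user normally
# logs in from, and the users authorized to read the CUI share.
BASELINE_HOURS = range(7, 19)  # 07:00 to 18:59 local time
KNOWN_HOSTS = {"alice": {"ws-alice"}, "bob": {"ws-bob"}, "carol": {"ws-carol"}}
CUI_AUTHORIZED = {"alice"}
CUI_PREFIX = "/srv/cui/"
FAIL_THRESHOLD = 3  # failed logins before a following success is flagged

def parse(line):
    ts, user, event, host, detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, event, host, detail

def review(lines):
    """Return (rule, user, timestamp) findings for the reviewer to follow up."""
    findings = []
    fails = defaultdict(int)  # consecutive failed logins per user
    for line in lines:
        ts, user, event, host, detail = parse(line)
        if event == "LOGIN_FAIL":
            fails[user] += 1
            continue
        if event == "LOGIN_OK":
            if fails[user] >= FAIL_THRESHOLD:
                findings.append(("success_after_repeated_failures", user, ts))
            fails[user] = 0  # a success resets the failure streak
            if host not in KNOWN_HOSTS.get(user, set()):
                findings.append(("login_from_unknown_host", user, ts))
        if ts.hour not in BASELINE_HOURS:
            findings.append(("activity_outside_baseline_hours", user, ts))
        if event == "FILE_READ" and detail.startswith(CUI_PREFIX) and user not in CUI_AUTHORIZED:
            findings.append(("unauthorized_cui_access", user, ts))
    return findings
```

Calling `review(SAMPLE_LOG)` returns four findings (two for bob's late-night login after three failures, one for carol's CUI read, one for alice's login from the jump host); each is a candidate for the weekly review log and, where confirmed, a corrective action plan entry.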

For more information about continuous monitoring or any other aspect of CMMC compliance, contact CyberNINES at this link and one of our cybersecurity experts will be in touch directly.

Resources