Tuesday, January 14, 2025

Strengthening Cybersecurity: CMMC with Cisco’s NIST Cybersecurity Framework 2.0 Mapping


CMMC Requirements and Cisco’s Security Portfolio alignment to NIST CSF 2.0

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to verify that defense contractors have adequate cybersecurity measures in place to protect sensitive, unclassified information. CMMC applies to DoD contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); once the requirement is included in a solicitation, the contractor must hold the specified CMMC level to be eligible for award. Higher education institutions that perform research under DoD contracts are also subject to CMMC requirements. A quick breakdown of the CMMC levels is as follows:

CMMC 2.0 Level 1: Known as “Foundational,” it is designed for contractors handling Federal Contract Information (FCI). This level focuses on basic cyber hygiene and consists of the 15 basic safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21 (earlier CMMC 2.0 material counted them as 17 practices). Level 1 is verified by an annual self-assessment.

These practices are fundamental and aim to protect FCI from unauthorized access and disclosure.

CMMC 2.0 Level 2: Referred to as “Advanced,” it is intended for organizations handling Controlled Unclassified Information (CUI). This level requires implementation of the 110 security requirements in NIST SP 800-171 Rev. 2. Level 2 emphasizes safeguarding CUI through a more comprehensive set of cybersecurity practices, and depending on the contract it is verified either by self-assessment or by a third-party (C3PAO) assessment.

Organizations must demonstrate a more mature and proactive cybersecurity posture to protect sensitive information effectively.

CMMC 2.0 Level 3: Known as “Expert,” it is reserved for organizations handling CUI associated with the DoD’s most critical programs and facing advanced persistent threats. Level 3 builds on the Level 2 requirements and adds a selected subset of the enhanced requirements from NIST SP 800-172. This level focuses on advanced practices, such as enhanced monitoring and response capabilities, to provide robust protection against sophisticated adversaries, and it is assessed by the government (DCMA DIBCAC) rather than by a C3PAO.

Organizations at this level must exhibit the highest degree of cybersecurity maturity and capability.

For a graphical explanation of the CMMC model and its levels, see Figure 1: CMMC Model below:

Figure 1: CMMC Model

Cisco has mapped its Cisco Security portfolio to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 (see Figure 2: Cisco Capability Mapping to NIST CSF 2.0).

Download Cisco’s NIST CSF 2.0 Mapping white paper here.

Figure 2: Cisco Capability Mapping to NIST CSF 2.0

Mapping Cisco’s Security portfolio to NIST CSF 2.0 matters for several reasons. First, it shows where each Cisco capability lands within a widely recognized, vendor-neutral framework, which makes it easier to compare and integrate it with other controls an organization already runs. This alignment also lets Cisco show customers how its security offerings relate to a common set of outcomes and best practices, rather than to Cisco-specific terminology.

Mapping to NIST CSF 2.0 gives organizations a structured way to govern, identify, protect, detect, respond, and recover across their cybersecurity program, and to see which Cisco capabilities support each of those functions. Because many regulatory requirements and industry standards (including CMMC) are themselves cross-referenced to the CSF, aligning the portfolio once with NIST CSF 2.0 also lets Cisco address those other requirements without a separate mapping effort for each.

So, here is the good news!

NIST publishes Informative References that map NIST CSF 2.0 to NIST SP 800-171, and NIST SP 800-171 and NIST SP 800-172 are the source of the CMMC Level 2 and Level 3 requirements. This means that a NIST CSF 2.0 mapping is directly relevant to CMMC, and the Cisco NIST CSF 2.0 mapping can help you identify which Cisco capabilities support your CMMC requirements. Note that the mapping is a starting point for a gap analysis: a CMMC assessor evaluates the implementation of each NIST SP 800-171 requirement against its assessment objectives (NIST SP 800-171A), not CSF outcomes, so each mapped capability still has to be configured, documented, and evidenced for the specific requirement it supports.

More good news!

Additionally, much of the cross-framework mapping work has already been done. NIST maintains an Informative Reference between NIST SP 800-171 Rev. 2 and NIST CSF 2.0 in its Cybersecurity and Privacy Reference Tool (CPRT), so every SP 800-171 requirement behind CMMC Level 2 can be traced to CSF 2.0 subcategories and back. A note of caution: the bidirectional mapping developed by the NIST National Cybersecurity Center of Excellence (NCCoE) together with the U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) covers the DOE’s Cybersecurity Capability Maturity Model (C2M2), a different model with a similar acronym, not the DoD’s CMMC. For CMMC work, use the NIST SP 800-171 to CSF 2.0 Informative Reference, which likewise lets users of either framework interpret their results in the context of the other.

Combined with these published crosswalks, Cisco’s capability mapping of the Cisco Secure portfolio to NIST CSF 2.0 is extremely helpful in supporting CMMC compliance.

How it all works

Mapping NIST SP 800-171 and NIST SP 800-172 to the Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is designed to enhance the protection of sensitive unclassified information that the Department of Defense (DoD) shares with its contractors. It incorporates a set of cybersecurity standards and best practices into a certification framework. At its core, CMMC draws its requirements from established NIST guidance, notably NIST Special Publication (SP) 800-171 and NIST SP 800-172.

NIST SP 800-171 specifies security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, organized into 14 families of requirements that correspond one-to-one with the CMMC domains. These domains include Access Control, Incident Response, and Risk Assessment, among others, and each CMMC Level 2 practice is the corresponding NIST SP 800-171 requirement.

NIST SP 800-172 builds upon the foundation set by NIST SP 800-171, providing enhanced security requirements for protecting CUI in critical programs and high-value assets. While NIST SP 800-171 focuses on basic safeguarding requirements, NIST SP 800-172 adds controls intended to counter advanced persistent threats (APTs). These controls are relevant to CMMC Level 3, where more mature and sophisticated cybersecurity practices are required.

The advanced security measures in NIST SP 800-172 align with the CMMC domains by ensuring that contractors implement robust protection mechanisms, such as enhanced monitoring, incident response, and asset management, which are crucial for safeguarding sensitive information against increasingly sophisticated cyber threats.

The relationship between the CMMC framework and NIST SP 800-171 and SP 800-172 is further solidified through a detailed mapping of practices across CMMC’s levels of maturity. Each CMMC level requires the implementation of specific practices that are largely derived from the requirements found in these NIST publications.

As organizations progress to higher CMMC maturity levels, they must implement more stringent practices outlined in NIST SP 800-172, thus enabling them to effectively respond to complex cyber threats. This comprehensive mapping ensures that contractors progressively enhance their cybersecurity posture, safeguarding the DoD’s sensitive information throughout the supply chain.

How can we use the NIST CSF 2.0 to help with CMMC?

Now that we understand the relationship between NIST SP 800-171 / NIST SP 800-172 and CMMC, we can turn to the relationship between NIST SP 800-171 / NIST SP 800-172 and the NIST Cybersecurity Framework (CSF).

NIST SP 800-171 and the NIST CSF 2.0 are both pivotal in guiding organizations to manage and mitigate cybersecurity risks effectively. NIST SP 800-171 focuses specifically on protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations.

Controlled Unclassified Information (CUI) is information that the U.S. government requires to have safeguarding or dissemination controls in accordance with laws, regulations, or government-wide policies, but that is not classified. CUI requires specific handling and dissemination protocols to protect information that could affect the government’s operations, privacy, or security if improperly released.

NIST SP 800-171 provides a set of 110 security requirements organized into 14 families, such as Access Control and Incident Response, to establish a robust cybersecurity posture. These requirements can be traced to the NIST CSF 2.0 core functions: Govern, Identify, Protect, Detect, Respond, and Recover (see Figure 3: NIST Cybersecurity Framework 2.0), supplying specific security measures that organizations can implement to achieve those higher-level outcomes.

Figure 3: NIST Cybersecurity Framework 2.0

This alignment ensures that organizations can use NIST SP 800-171 as a practical guide to fulfill the NIST CSF 2.0’s objectives in a structured manner.

NIST SP 800-172 extends the foundational security requirements of NIST SP 800-171 by introducing additional controls aimed at countering advanced persistent threats (APTs). These enhanced security measures are particularly relevant for critical systems where the risk of sophisticated cyber-attacks is higher.

NIST SP 800-172 complements the NIST CSF 2.0 by providing advanced practices that organizations can reflect in their CSF Target Profiles and use to justify a higher CSF Tier. For example, the Detect function of the NIST CSF 2.0 is supported by NIST SP 800-172’s emphasis on enhanced monitoring and anomaly detection, so that organizations can not only protect CUI but also identify and address potential threats before they cause significant harm.

Both NIST SP 800-171 and NIST SP 800-172 serve as practical resources for implementing the NIST CSF 2.0’s comprehensive risk management framework. While the NIST CSF 2.0 provides a high-level, flexible framework applicable to various industries and sectors, NIST SP 800-171 and SP 800-172 offer concrete, actionable requirements and controls that can be directly applied to protect sensitive information. By mapping the specific security requirements of NIST SP 800-171 and NIST SP 800-172 to the NIST CSF 2.0’s core functions and categories, organizations can effectively bridge the gap between strategic cybersecurity planning and practical implementation.

This synergy enables organizations to develop a resilient cybersecurity program that not only meets regulatory requirements but also aligns with industry best practices to manage cybersecurity risks comprehensively.

Conclusion

I am proud to work for a company like Cisco, which offers a comprehensive range of security tools and assists customers in complying with CMMC. A significant amount of engineering effort has gone into aligning the NIST CSF 2.0 with the Cisco security portfolio, making it highly effective for helping customers meet CMMC requirements. There is even more to look forward to, as this alignment with NIST CSF 2.0 allows Cisco to map to other frameworks such as CISv8, NIST SP 800-53, MITRE ATT&CK, ISO 27001, and even internationally with the European Union’s NIS2 directive. #LETsGO

Additional Resources

Cisco
Cisco and CMMC Compliance

Partners
Red River and CMMC Compliance
