This is the fifth in a 15-part blog series in which we discuss each domain of the Cybersecurity Maturity Model Certification (CMMC). In this post, we explore the System and Information Integrity (SI) domain.
The System and Information Integrity domain will discuss the importance of information system flaws, malicious code, and periodic system scans. Knowing how to deal with each of these areas is core to meeting the requirements in this domain.
We will be exploring System and Information Integrity in the following manner:
In the System and Information Integrity domain, the focus will be on identifying and reporting system flaws, protecting against malicious code and monitoring existing systems, and performing periodic scans for your organization's safety.
For CMMC 2.0, there are four practices in CMMC Level 1 outlined for System and Information Integrity and three for Level 2. For CMMC Level 3, the SI practices are yet to be determined. So let us dive deeper into the topics discussed in the practices for SI:
Any system can develop flaws, especially while it is being updated. Your organization should therefore identify systems with both potential flaws and announced software/firmware flaws, so it is prepared for the vulnerabilities that may arise from them. You must also be proactive in dealing with flaws by applying the relevant updates, patches, hotfixes, or security updates so your systems are not left at risk. Continuous monitoring also comes into play here, watching your systems for potential issues at all times. Your organization decides which method it uses to protect its systems and mitigate flaws; resources such as the Common Vulnerabilities and Exposures (CVE) database can help.
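The flaw identification step described above, as an added example that is not part of the original post: a script that reconciles a constructed asset inventory against a constructed advisory feed (placeholder advisory ids, not real CVE numbers) and reports which hosts run a version below the fix and which findings are past an assumed 30-day remediation window.

```python
# Added example (not from the blog): reconcile a constructed asset inventory
# against a constructed advisory feed, list hosts running a version below the
# fix, and flag findings past an assumed 30-day remediation window.
from datetime import date, timedelta

# Constructed advisories in the shape a CVE-style feed provides. The ids are
# placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "openssl", "fixed_in": "3.0.8", "published": "2024-01-10"},
    {"id": "ADV-EXAMPLE-2", "product": "nginx", "fixed_in": "1.25.3", "published": "2024-02-01"},
]

# Constructed inventory: hostname -> {product: installed version}
INVENTORY = {
    "web01": {"openssl": "3.0.7", "nginx": "1.25.3"},
    "web02": {"openssl": "3.0.9", "nginx": "1.24.0"},
    "db01": {"openssl": "3.0.10"},   # fixed; a string compare would wrongly call this vulnerable
}

REMEDIATION_WINDOW = timedelta(days=30)  # assumed organisational policy, not from CMMC

def parse_version(v):
    """Turn '3.0.10' into (3, 0, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))

def find_flaws(inventory, advisories, today):
    """Return one finding per (host, advisory) where the installed version is
    below the fixed version; 'today' is an ISO date used for the overdue check."""
    today = date.fromisoformat(today)
    findings = []
    for host, software in inventory.items():
        for adv in advisories:
            installed = software.get(adv["product"])
            if installed is None:
                continue  # product not present on this host, advisory does not apply
            if parse_version(installed) < parse_version(adv["fixed_in"]):
                deadline = date.fromisoformat(adv["published"]) + REMEDIATION_WINDOW
                findings.append({
                    "host": host, "advisory": adv["id"], "product": adv["product"],
                    "installed": installed, "fixed_in": adv["fixed_in"],
                    "deadline": deadline.isoformat(), "overdue": today > deadline,
                })
    return findings

if __name__ == "__main__":
    for f in find_flaws(INVENTORY, ADVISORIES, "2024-02-20"):
        status = "OVERDUE" if f["overdue"] else "due " + f["deadline"]
        print(f"{f['host']}: {f['advisory']} {f['product']} {f['installed']} -> {f['fixed_in']} ({status})")
```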
Continuing from flaw remediation, protecting against malicious code and maintaining that protection is vital for your organization and this domain. For malicious code, you have to watch both the physical and the virtual entry points that can give access to your system. There are various system entry points to consider, including firewalls, servers, workstations, computers, and mobile devices. Malicious code can be viruses, worms, Trojan horses, spyware, and more. Mechanisms that protect against malicious code include anti-virus signatures, configuration management, and secure coding practices. To keep that protection effective, you must continuously update the protection mechanisms, because malware and other threats are continuously updated to circumvent security features. Configuring your anti-virus software to check for updates automatically is one example of being proactive. Remaining vigilant in protecting your systems against malicious code is the core focus of this practice.
As mentioned above, being proactive in protecting your systems is vital. To continue that proactive practice, performing periodic scans of your information systems, as well as real-time scans of files received from external sources, is essential. One of the most efficient ways to achieve this is anti-virus/anti-malware software. You can use it to perform both periodic and real-time scans, and your organization can determine the frequency and what is checked. As a point of reference, your real-time scans should check all incoming files that are downloaded, opened, or saved, and periodic scans can re-check previously saved files against newly received malware information. It is important to ensure the software is kept up to date and is configured to check for updates continuously (as mentioned above), so that you are not missing vulnerabilities arriving with the files you receive.
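The two scan modes described above, as an added example that is not part of the original post: a hash-based scanner that checks files on arrival and re-checks the saved files later with whatever signatures are current, showing why the periodic pass matters once new malware information arrives. The signature digests, file names and file contents are all constructed.

```python
# Added example (not from the blog): a hash-based scanner with the two scan
# modes the practice calls for. Files are checked as they arrive (real-time)
# and saved only if clean; saved files are re-checked later (periodic) with the
# signatures current at that time, catching files that were clean on arrival.
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

class Scanner:
    def __init__(self, signatures):
        self.signatures = set(signatures)  # SHA-256 digests of known-bad content
        self.store = {}                    # name -> bytes: the previously saved files
        self.quarantine = []               # (name, digest, scan mode) for each detection

    def update_signatures(self, new_digests):
        """Pull new malware information, as the auto-update setting would."""
        self.signatures.update(new_digests)

    def _check(self, name, data, mode):
        d = digest(data)
        if d in self.signatures:
            self.quarantine.append((name, d, mode))
            return False
        return True

    def receive(self, name, data):
        """Real-time scan of an incoming file; only clean files are saved."""
        if self._check(name, data, "realtime"):
            self.store[name] = data
            return True
        return False

    def periodic_scan(self):
        """Re-check every saved file against the current signature set."""
        flagged = [n for n, d in self.store.items() if not self._check(n, d, "periodic")]
        for n in flagged:
            del self.store[n]  # remove from storage once detected
        return flagged

# Constructed samples: one benign file and one whose signature is published
# only after it has already been received and saved.
CLEAN = b"quarterly report, nothing to see\n"
LATER_BAD = b"MZ constructed dropper sample, not real malware\n"

def run_demo():
    scanner = Scanner({digest(b"known-bad sample from day one")})
    accepted = [scanner.receive("report.txt", CLEAN), scanner.receive("invoice.exe", LATER_BAD)]
    scanner.update_signatures({digest(LATER_BAD)})  # new malware information arrives
    return accepted, scanner.periodic_scan(), [q[2] for q in scanner.quarantine]
```

Both files pass the real-time check because the second signature does not exist yet; only the periodic re-scan after the signature update removes the second file from storage.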
Security alerts and advisories provide insight into potential vulnerabilities, relevant updates, or actions to take in maintaining your information systems. Your organization should monitor these alerts and advisories rather than disregarding them, and act on them. Publicly available sources include the United States Computer Emergency Readiness Team (US-CERT), as well as software vendors, subscription services, and the relevant industry Information Sharing and Analysis Centers (ISACs), which generate these for you. Actions to take can include notifying external organizations that might be affected, or acting within your organization by updating a system according to the information provided.
Monitoring has come up repeatedly throughout the discussion of this domain, and there is a reason for that. Monitoring your organizational systems for flaws, vulnerabilities, and malicious code has been covered, but communications also need attention. This includes incoming and outgoing communications, so that you can better detect potential attacks and be prepared for them. This all comes back to system monitoring, which is both internal and external. Internal monitoring involves observing events within the system, such as audit record activity. External monitoring involves observing events occurring at or beyond the system boundary. Implementing system monitoring for communications is important in its own right, and it is also an integral part of incident response and continuous monitoring.
One of the key methods to maintaining system and information integrity is to look into and identify any unauthorized use of your system. Any unusual or unauthorized activity related to inbound/outbound communications or internal and external system boundaries should be identified and immediately dealt with. Information that you receive from the system monitoring efforts your organization implements becomes an input to continuous monitoring programs that further prevent any unauthorized access. This also means that you must implement ways to identify all authorized activity as well, whether it be through access control or some other method.
This domain covers various important topics, ranging from flaw remediation to malicious code protection and focusing on continuous monitoring and unauthorized use. The integrity of your systems and the information within them is the core behind each of these and an essential part of your organization.
For CMMC Level 1, your organization must perform a self-assessment for the practices outlined and required within System and Information Integrity. For CMMC Level 2, your organization must look further into the remaining three practices required and provide proper implementation and documentation. Here is some guidance on what to include or look for: