Four Considerations for Making Your IoT/ICS Networks CMMC Compliant

In early 2020, the US Department of Defense released the Cybersecurity Maturity Model Classification (CMMC). Contractors in the DoD supply chain must be evaluated against this maturity model by a third-party audit. The CMMC contains seventeen capability domains, each of which encompasses a different area of security. Each of these domains will be evaluated on a level from one to five — five being the most mature — and the organization will be assigned an overall CMMC level based on their evaluation results.

The CMMC is a big deal, because the level that an organization achieves will determine which DoD contracts they’re eligible for.

But for many organizations, CMMC certification is understandably daunting. The capability domains outlined in CMMC are very broad, encompassing everything from physical security to personnel security to asset management and beyond. But it’s important to note that the goal of the CMMC is not to encourage supply chain organizations simply to meet the model’s requirements — the requirements are so broad because building a culture of cybersecurity, one that’s effective enough to evolve for future threats, is a holistic effort that encompasses the entire organization.

This is why organizations that are preparing for CMMC evaluation need to make sure they consider their IoT/ICS environments. Modern attacks often cross IT/OT boundaries, which is why unified security monitoring and governance across both IT and OT networks is the optimal way to quickly detect and respond to threats. .

Plus there are very few CMMC domains that don’t apply to IoT/ICS networks. Asset discovery, threat detection, incident response — these are all things that are just as relevant to your IoT/ICS network as your IT network. In fact, addressing those domains without addressing IoT/ICS networks is an incomplete response.

While CMMC has many specific requirements, much of what it mandates can be summed up with a few broad considerations. If you aren’t sure where to start, these four considerations can help set you on the right track to achieving CMMC compliance for your IoT/OT networks.

1) Do you have visibility into IoT/ICS risk, and understand how it makes you vulnerable against the threats CMMC is protecting against?

You can’t protect what you don’t know about, and you can’t make data-driven decisions about how you approach cybersecurity without knowledge about the devices or ‘assets” in your networks. We work with many organizations that don’t actually have visibility into their IoT or ICS networks — meaning, they don’t know how many devices they have or details about vulnerabilities in those devices, nor do they understand how those assets communicate and are connected to each other.

Without that information, it’s impossible to prioritize risk mitigation, detect active threats targeting your environment, or ensure that your  security posture  is strong enough to protect your crown jewels against a potential attack.  Indeed, even knowing or discussing with the relevant stakeholders in your organization what your crown jewels are is an often overlooked part of security policy.

All of these things are key to CMMC compliance across multiple domains. Ultimately, it’s impossible to address CMMC compliance for your IoT/ICS network without visibility — and that not only means visibility into your assets themselves (including their properties), but also visibility into risks and vulnerabilities, such as unauthorized connections to the internet or unpatched devices.

Relevant CMMC Domains: Most directly, Asset Management (AM) and Configuration Management (CM) mandate the need for asset visibility — but indirectly, nearly all CMMC domains require you to be able to actually see and understand how your IoT/ICS networks are configured. For example, it’s impossible to effectively detect and respond to threats (as mandated in the Incident Response (IR) domain) without visibility.

2) How strong is your overall IoT/ICS network architecture?

The visibility into your IoT/ICS assets, properties, and communications is also key to answering this question. The focus of CMMC is on building a stronger overall cybersecurity posture in DoD supply chain contractors, and within that, building a strong overall approach to IoT/ICS network security is important.

Once you have visibility into IoT and ICS device communications, you can verify that your IoT/ICS network architecture is as strong as it should be — for example, make sure that devices are only communicating with the internet as intended, or make stronger network segmentation rules.

Relevant CMMC Domains: System and Communications Protection (SC)

3) What vulnerabilities in your IoT/OT network could be putting your whole organization at risk?

Many CMMC requirements focus on identifying and addressing vulnerabilities. In the case of IoT/ICS networks, these could mean unaddressed CVEs, malfunctioning devices, or the use of unauthorized ports. CMMC requires that you’re able to detect and prioritize vulnerabilities like this, so that you’re managing and addressing risk on an ongoing basis.

Relevant CMMC Domains: Risk Management (RM), Security Assessment (CA)

4) Can you detect threats that are targeting your IoT/ICS systems?

Detecting IoT/ICS threats is a very different game than detecting threats that target IT systems. While IT threats are often detected and blocked by endpoint detection and response or AV software, embedded IoT/ICS devices don’t support agents and are typically invisible to your IT teams — so your approach to IoT/ICS threat detection needs to incorporate IoT/ICS-aware behavioral analytics to detect abnormal machine behavior that could indicate an attack.

This is not an area where your IT approaches can be used in the IoT/ICS environment. The requirements are just too different.

Relevant CMMC Domains: Incident Response (IR), Situational Awareness (SA), System and Information Integrity (SI)

While the individual requirements mentioned in the CMMC dive into deeper specifics than the broad considerations addressed above, many of them ultimately tie back to those core goals. Considering these four core aspects of IoT/ICS security will give you a good starting point and a foundation for the overall goals of CMMC compliance.

If you’re preparing your IoT/ICS environment for a CMMC audit, CyberX can help. CyberX’s agentless IoT/OT security platform is easy to deploy and delivers insights within minutes of being connected to the network — providing immediate value to organizations that need to meet the CMMC standard. Purpose-built for IoT/OT security, the CyberX platform provides broad capabilities for addressing IoT/OT security across multiple CMMC domains. Furthermore, CyberX’s Advanced Reporting Dashboard enables customized compliance dashboards that allow you to quickly demonstrate CMMC compliance to auditors. Download the full solution brief to learn more about how CyberX supports CMMC compliance.