
April 19, 2024

Simplify your CMMC implementation with Field Effect

Cybersecurity Maturity Model Certification (CMMC) Version 2.0 is currently undergoing review of public comments and final approval and is expected to be formally released early in 2025.

This framework will have a massive impact on Defense Industrial Base (DIB) members, requiring substantial changes in how these companies manage their cybersecurity infrastructure and data protection strategies.

Although CMMC faces some challenges, many members of the DIB and the managed service providers (MSPs) that support them are starting to prepare themselves for the updated release.

To be successful, they must assess their current practices, identify gaps, and collaborate effectively with a CMMC Third-Party Assessment Organization (C3PAO). During the assessment, the C3PAO will request evidence such as documentation, configuration settings, and logs, and will conduct interviews and physical inspections, a new process for most members of the DIB.

For many, including our compliance team here at Field Effect, implementation efforts will become a priority in early 2025. As you develop your implementation plan, you may also look to improve your cybersecurity, detect non-conformities, and collect evidence for your upcoming audit.

Field Effect MDR makes all three possible—and easy—especially with our new NIST SP 800-171 (Rev 2) Control Mappings. We’ll show you how, but first a quick reminder on the three levels of CMMC.

The levels of CMMC

For readers still getting up to speed with CMMC, here’s a quick breakdown of the three levels of certification:

  • Level 1 requires organizations to perform basic cybersecurity practices, focusing primarily on protecting Federal Contract Information (FCI). At this level, organizations can forgo C3PAO audits and complete annual self-attestations of compliance with standardized documentation and reporting.
  • Level 2 requires organizations to document processes guiding their efforts to achieve CMMC Level 2 maturity. This level aligns with NIST SP 800-171. Most organizations at this level will require a triennial assessment through a C3PAO, including their initial certification audit.
  • Level 3 is based on a subset of NIST SP 800-172 requirements. The highest-priority, most-critical defense programs at this level will require government-led assessments.

How can Field Effect help?

Field Effect MDR alerts users of security risks, vulnerabilities, and malicious behaviors with our proprietary ARO reporting format.

Short for Actions, Recommendations, and Observations, AROs are prioritized, jargon-free alerts with actionable instructions, or details of any automated actions taken, that make it easy for any organization to understand the security issue detected, any action already taken to mitigate, and their next steps.

With the click of a button, AROs can map to the NIST SP 800-171 standard. That means alerts contain detailed advice on leveraging information from our MDR to prepare for your next audit.

Here are some examples.

Malware detected?

Field Effect MDR deploys a combination of signature-based and heuristic analytics. This combined approach identifies well-understood threats quickly and efficiently, while also giving coverage for novel or emerging threats that have no signature yet.

We can also take action to prevent malware installations and isolate impacted endpoint devices from the network, helping to contain an infection before it spreads.

Upon detecting or stopping a malware threat, we’ll issue an ARO and provide a helpful reminder of your obligations under 800-171, in particular 3.6.2: Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Removable drive detected?

When our endpoint agents detect USB activity, the ARO will remind the user of 3.8.7: Control the use of removable media on system components. Related requirements in the same family call for media containing CUI to be marked (3.8.4) and for CUI stored on digital media to be encrypted during transport (3.8.6). The admin will also be notified for awareness.

In addition, MDR admins will soon be able to further strengthen their implementation of this control by enabling USB blocking for unapproved devices.

Outdated OS detected?

When Field Effect detects an out-of-date operating system or other endpoint vulnerability, it will remind you of your obligations under 3.12.2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

The ARO will also provide clear visibility into which devices are affected, with instructions for addressing the problem.

Our portal’s internal note-making functionality also makes it easy to show a C3PAO your vulnerability management program. Linking each ARO to the change ticket where the issue was resolved ensures you'll have the evidence trail the assessor requires.

From notification, to triage, to resolution—it’s all readily available.

Detect flaws before a C3PAO does

Discovering a serious network architecture or security flaw during a CMMC assessment is a top fear among IT and compliance staff. Imagine an auditor identifying things like:

  • Deprecated communication and encryption protocols
  • Single-factor authentication
  • Changes to networks performed without authorization

We help reduce this risk by continuously monitoring your network, cloud services, and endpoints to detect and report on vulnerabilities and misconfigurations. This allows your organization to create a Plan of Action and Milestones (POA&M) to address the issue before your next audit.

Can Field Effect support companies that require CMMC?

This is a question we’ve received several times recently, so let’s dive into it. We’re currently exploring what it would take to achieve CMMC Level 2, or its Canadian equivalent which is under development. Until either compliance framework is ready for general release, we’re in hurry-up-and-wait mode.

Field Effect offers world-class MDR with flexible deployment options that allow our customers to keep the majority of their data out of the cloud—an important consideration for many companies in the DIB. Under the current rules for CMMC Version 2.0, Field Effect would be considered an External Service Provider (ESP) or a Security Protection Asset (SPA) for the entity seeking certification.

Either way, to be recognized as an ESP or an SPA, we’ll be required to achieve an equivalent level of certification:

  • CMMC L1 to support DIB companies requiring L1
  • CMMC L2 to support DIB companies requiring L2

Many of our MSP channel partners are in a similar situation. The proposed rules state that, as an ESP, they also require an equivalent level of certification. As such, many wonder whether the time, effort, and cost to get certified is worth it given their current and potential clients.

One thing is certain: as we confirmed during our journey to ISO 27001 certification, our technical, physical, and human resource controls are strong and constantly improving. Because of this, we’re confident in our ability to meet the requirements of NIST SP 800-171 (and therefore CMMC Level 2).

So, coming back to the original question, can we support CMMC? Let’s talk about it. Our Security and Compliance team would be happy to discuss your specific scenario, including:

  1. How much Controlled Unclassified Information (CUI) do you hold/process?
  2. How and where do you store the CUI you hold?
  3. What technical controls are currently in place on this data?
  4. Is your CUI stamped as NOFORN or ITAR?

From there, we can determine how best Field Effect can support you in your CMMC compliance journey. Reach out to our team today to get the conversation started.