CMMC System and Information Integrity Domain: Quick Sketch


















The Cybersecurity Maturity Model Certification (CMMC) is needed to combat widespread data exfiltration within the massive global supply chain of the US Department of Defense (DoD). The 171 CMMC controls, called practices, focus on reducing risk to Controlled Unclassified Information (CUI) whenever it is outside US federal government systems.


To make its practices easier to understand and implement, CMMC categorizes them into 17 domains. Each practice also relates to one of 43 CMMC capabilities, and is required starting at one of the standard’s five maturity levels (Level 1 through Level 5).


The CMMC System and Information Integrity (SI) domain has 13 practices spanning all five CMMC maturity levels from “basic cyber hygiene” (CMMC Level 1) up to “advanced/progressive” (CMMC Level 5). Its goal is to ensure that assets in your IT environment that contain or process CUI, from laptops to applications to file shares, are “continuously monitored to detect violations of the authorized security state.” Because it is such a common attack vector, CMMC calls out email specifically as needing constant monitoring and protection to “detect malicious activity.”


The controls and processes to achieve the 13 System and Information Integrity practices range from “security 101” activities, like running antivirus software and patching your supported third-party software, through special email protections like anti-spam and attachment sandboxing, to highly advanced analytics that detect suspicious insider behavior patterns.


What are the CMMC System and Information In ..
