CMMC IS HERE. ARE YOU PREPARED?
ProShop can help you meet CMMC security standards.
Why is CMMC important?
The Cybersecurity Maturity Model Certification is the mechanism that will facilitate a standardized approach to implementing cybersecurity across the defense industrial base. Any company working in the DiB will need some level of certification, depending on the type of contract performed.
The CMMC contains a blueprint for developing a cybersecurity department and capabilities, the benefits of which cannot be overstated. So, even if not required, companies should consider implementing some of the CMMC security controls in order to better operate in the digital landscape.
What are the Requirements you need to meet to reach CMMC and how can ProShop help?
The requirements are broken into 17 different domains, ranging from purely technical controls of your network and devices to personnel management and security awareness training, making this standard a truly company-wide endeavor. Depending on the type of contract a company has, different levels of requirements will be needed.
As a digital manufacturing environment, ProShop facilitates managing cybersecurity policies and procedures, alongside tasks and training for staff, within the architecture of various workflows.
Rather than a stand-alone system, cybersecurity should be integrated into the fabric of the company: we feel ProShop is uniquely positioned for manufacturers looking to integrate cybersecurity management and documentation within their existing environment.
How does ProShop help you achieve these goals?
We were excited to let the CMMC inform aspects of our ProShop development: we have a suite of security features which can be used to meet some of the very important requirements. We’re most excited about:
Facilitate complex user passwords by configuring password requirements with a selection of possible options and configurations
No more insanely weak passwords – ProShop does not allow the use of the 100,000 most commonly used passwords
Prevent any word or phrase of your choice from being used in a password with a configurable field
Fully supported MFA with FIPS compliant security keys
ProShop assigns a unique identifier to each user, allowing the actions of each individual to be uniquely traced, and monitored for anomalies
A complete record of all edits made within ProShop will be available to select privileged users
All Currently Available CMMC Requirements
Limit unsuccessful login attempts.
User accounts are automatically disabled after a customizable number of unsuccessful login attempts have been made. All active sessions for users with disabled accounts are automatically terminated. CMMC Requirement: AC.2.009
Use non-privileged accounts or roles when accessing nonsecurity functions.
‘C’ users are able to use an ‘A’ Seat to perform basic functions. More info about our user licenses here. CMMC Requirement: AC.2.008
Provide privacy and security notices consistent with applicable CUI rules.
When any User logs into ProShop, they must agree to a Security Notice that outlines their obligations while using ProShop, and warns them that their activities are being monitored. The Privacy Notice reminds Users of their obligations for PII. ProShop will provide a template for these Notices, but the notices must be configured properly so that it adheres to your particular legal requirements. CMMC Requirement: AC.2.005
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
‘A’ seat users cannot perform configurations to system or view sensitive data. CMMC Requirement: AC.3.018
Terminate (automatically) a user session after a defined condition
Customizable session timeouts and unsuccessful login attempt limits. CMMC Requirement: AC.3.019
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
A complete history of all edits made to records in ProShop is available. CMMC Requirement: AU.2.042
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. This can be configured via OS level clock synchonization.
CMMC Requirement: AU.2.043
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
ProShop assigns a User Identifier to each User. User activity monitored with anomalies, such as unsuccessful login attempts, are automatically recorded and reported. CMMC Requirement: AU.2.041
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Logged information will be protected behind Elasticsearch security. CMMC Requirement: AU.3.049
Limit management of audit logging functionality to a subset of privileged users.
Audit log permissions will be enabled or disabled on a per-user basis. CMMC Requirement: AU.3.050
Identify system users, processes acting on behalf of users, and devices.
All Users have a unique identifier. Devices may be managed through the equipment module CMMC Requirement: IA.1.076
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Tokens for session management are generated via cryptographically secure random number generator and cannot be reused after a user session ends. OTP device support prevents intercepted login credentials from being used to access ProShop. Detection of re-used or out of date One Time Passwords is automatically recorded and reported CMMC Requirement: IA.3.084
Prevent reuse of identifiers for a defined period.
User accounts are, by default, not deleted but marked as inactive, so reuse of user identifiers isn’t possible. CMMC Requirement: IA.3.085User accounts are, by default, not deleted but marked as inactive, so reuse of user identifiers isn’t possible. CMMC Requirement: IA.3.085
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
ProShop integration with FIPS compliant Yubikey OTP devices. CMMC Requirement: IA.3.083
Enforce a minimum password complexity and change of characters when new passwords are created.
ProShop supports customizable password complexity rules with pre-configured regimes that meet various standards. CMMC Requirement: IA.2.078
Store and transmit only cryptographically-protected passwords.
Standards compliant password hashing in place. No passwords are stored in the database. CMMC Requirement: IA.2.081
Prohibit password reuse for a specified number of generations.
A customizable number of previous password hashes can be stored per user. CMMC Requirement: IA.2.079
Obscure feedback of authentication information.
Authentication information is not specific when login is unsuccessful. CMMC Requirement: IA.2.082
Allow temporary password use for system logons with an immediate change to a permanent password.
System administrators can assign temporary passwords to users. This allows login but requires the immediate registration of a new password that meets defined password complexity guidelines.
Yes, as a web platform employees can login from home. Employees must be provided with a secure connection to the company network. However, facilitating remote work requires implementing a range of security controls. NIST’s “Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions” provides a good overview of how to facilitate remote work securely as a company.
ProShop supports Yubikeys, and FIPS compliant Yubikeys, as a second factor authentication. Yubikeys are centrally managed within ProShop.
Session Management is configurable, and can be distinctly set for each user. Session Management is done through the Security Configurations Module
Password configurations may be set in the Security Configurations Module. Passwords configuration options include length, complexity, and required characters. ProShop disallows any of the 100,000 most commonly used passwords, and you may also disallow the use of any words or phrases of your choosing.
Yes, File Permissions may be set per role or user.
Yes, you can track user activity through the Edit Log.
The level of certification you will need will be dictated by type of government contract and data you possess (FCI, CUI, ITAR, etc.). The DoD will explicitly state the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs) that you receive.
Yes, the NIST SP 800-171 standard was heavily consulted for the creation of the CMMC. You can use all documentation for NIST800-171 compliance for CMMC compliance. In many cases, the requirements are exactly the same.
An audit performed by a C3PAO will be required to receive your certification. This assessment will likely be onsite.
Yes, Physical security is required for CMMC. Access to sensitive equipment should be restricted and physical access procedures for your organizational site should be defined and communicated to your staff.
Yes, we are currently working towards CMMC ourselves.