Audit and Compliance

Demonstrating CMMC Compliance with Unified PAM

This page gives a high-level analysis of how Securden Unified PAM supports compliance with CMMC requirements. Use it to correlate the requirements at the domain level, as specified by CMMC, with the Securden capabilities that satisfy them.

The CMMC Framework

The defense industrial base (DIB) is a prime target for cyber-attacks. To protect national security information within the DIB, the U.S. Department of Defense designed the CMMC framework.

The Cybersecurity Maturity Model Certification (CMMC) is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department of Defense through acquisition programs.

CMMC Domains

The CMMC defines 17 security domains, which are further broken down into 171 security practices. These practices give organizations a formal, consistent set of cybersecurity activities that help mitigate data breaches.

The 17 domains are as listed below:

  • Access Control (AC)
  • Asset Management (AM)
  • Audit and Accountability (AU)
  • Awareness and Training (AT)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Recovery (RE)
  • Risk Management (RM)
  • Security Assessment (CA)
  • Situational Awareness (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

CMMC certification attests that a company maintains the processes required to stay secure. Organizations generally rely on several software tools to keep up with the requirements and to demonstrate the stronger cybersecurity posture needed for a higher certification level.

How Securden Unified PAM helps

Securden Unified PAM is a holistic privileged access management solution whose capabilities help organizations comply with the requirements of multiple domains under the CMMC framework. Companies that work with the government can achieve CMMC certification more easily with Unified PAM.

5 CMMC Domains that Securden Unified PAM helps comply with

Each of the five domains below is described first, followed by the Securden Unified PAM capabilities that address it.

Access Control (AC)

The access control domain covers access rights and authorization to data and resources. It includes how accounts are assigned and how passwords and credentials are used, and it highlights the provisioning and elevation of access to privileged accounts. In summary, it requires organizations to:

  • Establish system access requirements
  • Control internal system access
  • Control remote system access
  • Limit data access to authorized users and processes

Securden Unified PAM can be used to satisfy all the access control requirements related to managing privileged and administrative identities, including discovery and management of privileged accounts and comprehensive auditing of sensitive access.

  1. It lets you assign users roles, and therefore varying levels of permissions and capabilities (role-based access control, RBAC), based on their needs.
  2. Sensitive accounts and systems added to Unified PAM can be organized into folders, and access to these accounts can be gated by designated approvers.
  3. Remote access capabilities let users and third-party vendors launch secure one-click SSH/SQL/RDP connections to IT assets.
  4. Endpoint privilege elevation and delegation management lets administrators define exactly who can access what on a particular system.
Asset Management (AM)

The asset management domain involves gathering insight into assets and maintaining an asset inventory. It requires organizations to:

  • Identify and document assets
  • Manage asset inventory

Securden Unified PAM helps discover IT assets and build an inventory within the PAM solution. It also records attributes of these systems, such as their operating system (OS). Users can launch connections to these assets directly from the PAM.

Audit and Accountability (AU)

The audit and accountability domain covers creating, protecting and reviewing audit records so that actions can be traced to the users who performed them. It requires organizations to:

  • Define audit requirements
  • Perform secure auditing
  • Identify and protect audit information
  • Review and manage audit logs

Securden Unified PAM ensures that all activity on system accounts can be traced back to the users who performed it, holding them accountable for their actions.

  1. Logged activity and events can be comprehensively reviewed, and alerts can be raised when the audit logging process fails.
  2. All audit data is stored centrally and can be retained for as long as the organization needs. Audit logs can also be selectively forwarded to SIEM solutions.
  3. Every audit record captures comprehensive information, including the date, time and the system on which the event occurred.
  4. Audit records are protected from tampering: they are securely vaulted with AES-256 encryption, and users cannot edit or change audit logs in any way.
  5. Role-based access controls ensure that only authorized privileged users can view audit logs and generate reports when necessary.
Identification and Authentication (IA)

The identification and authentication domain covers controls that verify the identities of users, devices and processes. It also enforces password complexity requirements and multi-factor authentication for access to privileged accounts. It requires organizations to:

  • Identify users and systems, and verify them before allowing access to system information
  • Enforce minimum password complexity and prohibit password re-use
  • Enforce MFA, and optionally SSO, for access to privileged accounts

Securden Unified PAM ensures that all users and shared accounts are identified and verified, and that passwords are complex and regularly rotated.

  1. Robust authentication mechanisms, including multi-factor authentication (MFA) and single sign-on (SSO), ensure that only authorized personnel can access privileged accounts.
  2. Privileged passwords can be generated according to pre-defined complexity rules (by defining a password policy), and password re-use and hard-coded passwords can be eliminated entirely.
  3. All passwords are encrypted at rest and protected cryptographically in transit.
  4. Periodic password resets can be configured so that passwords never remain the same for long.
System and Communications Protection (SC)

The system and communications protection domain is about securing systems and the communications between them. It includes:

  • Monitoring, controlling and protecting organizational communications
  • Defining security requirements for the individual components that make up the system

Securden Unified PAM helps by securing privileged sessions with encryption and secure tunneling, protecting the communication channels. Privilege elevation and delegation capabilities let users gain elevated privileges only when needed. This prevents unauthorized access and reduces the risk of breaches.

Conclusion

Securden Unified PAM helps companies meet CMMC security controls and recommended practices for protecting information. This in turn helps safeguard unclassified information within the Department of Defense (DoD) supply chain.