CMMC Compliance in SAP

CMMC stands for Cybersecurity Maturity Model Certification and is a verification mechanism of the Department of Defense (DoD) of the United States. The DoD uses CMMC to determine whether its vendors and contractors possess the resources, infrastructure, and preventative skills needed to work with Controlled Unclassified Information (CUI). CMMC provides increased assurance to the DoD that a vendor can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

The CMMC framework measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. The model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community. 

The first part of this article describes CMMC in general. The second part explains how Xiting and its software solutions can help you achieve CMMC compliance with security monitoring and automation tools.

CMMC Compliance

In recent years, the United States has experienced an increased level of cyber threats and attacks against sensitive data. The defense industrial base (DIB), which holds some of America's most sensitive data, trade secrets, and intellectual property, is one of the most lucrative targets. According to the Council of Economic Advisers, an agency within the Executive Office of the President, malicious cyber activity cost the U.S. economy an estimated $57 billion to $109 billion in 2016, a figure that has only grown since.

Learn more about the Council of Economic Advisers here: https://www.whitehouse.gov/cea/ and find The Cost of Malicious Cyber Activity to the U.S. Economy report here: https://www.hsdl.org/?view&did=808776

Therefore, the DoD put measures in place to ensure that government contractors possess the means to responsibly safeguard any data sourced from DIB systems.

Before CMMC, government contractors demonstrated cyber compliance through a self-assessment against NIST SP 800-171. With CMMC, the DoD took control of the parameters, expectations, and qualifications needed to comply. If you want your organization to achieve CMMC compliance, you will likely have to make significant modifications to your cybersecurity policies, security plans, risk management, and more.

CMMC vs. NIST 800-171

CMMC and NIST SP 800-171 are very similar mainly because CMMC was built based on the NIST framework. Both frameworks aim to protect controlled unclassified information and require good cybersecurity hygiene. Let’s take a closer look at why they are different and why you still need to address CMMC even if you are NIST compliant.

  • Scope: CMMC assesses the maturity of a company's cybersecurity processes and practices; NIST 800-171 assesses a company's cybersecurity controls.
  • Compliance: CMMC defines five levels of compliance; NIST 800-171 defines one.
  • Certification: CMMC requires a third-party audit to certify your organization; NIST 800-171 works with self-attestation, no third-party audit required.
  • Security domains: CMMC covers 17 domains; NIST 800-171 covers 14 families.
  • Obligation: CMMC compliance is a contractual requirement for contractors; NIST 800-171 is based on recommended security practices.
  • Purpose: CMMC aims to reduce risk in the DoD supply chain; NIST 800-171 adopts cybersecurity best practices.

Comparison of CMMC and NIST 800-171

Since every organization that deals with the DoD must be CMMC certified by a third-party auditor, simply being NIST 800-171 compliant is not sufficient. However, NIST 800-171 is the foundation of CMMC, so implementing it is the first step toward certification.

Determine your Level of Compliance

CMMC introduces a hierarchy of certification levels that determines which DoD-identified contractors may handle what type of Controlled Unclassified Information or Federal Contract Information (FCI). For each level, numbered 1 through 5, the contractor must prove its ability to perform all practices and processes required by that level, and the maturity of its processes is assessed as part of the certification.

The expectations of performance for each level of compliance are as follows:

  • Level 1 – Basic Cyber Hygiene: CMMC Level 1 is the most basic standard. Your company has demonstrated basic safeguarding practices for Federal Contract Information (FCI), but is not expected to handle CUI. The Level 1 practices correspond to a subset of the basic NIST 800-171 requirements.
  • Level 2 – Intermediate Cyber Hygiene: The next level up covers companies that have demonstrated a greater degree of cybersecurity protection within their organization. To pass this level, the audit must conclude that your company implements an increased number of security controls, including new ones required by CMMC. Process maturity at this level includes documented standard operating procedures, policies, and plans.
  • Level 3 – Good Cyber Hygiene: Level 3 encompasses all NIST 800-171 requirements plus 20 additional CMMC practices, so a contractor that has fully implemented NIST 800-171 is close to, but not yet at, this level. Your company demonstrates an acceptable capability of cybersecurity protection, elevates its process maturity, and implements a greater number of controls.
  • Level 4 – Proactive Cybersecurity: Everything from here on goes beyond what NIST 800-171 alone would qualify you for. This level demonstrates a proactive cybersecurity program that encompasses the majority of controls from both NIST 800-171 and CMMC, plus a process maturity level at which all activities are reviewed and their effectiveness is reported to management.
  • Level 5 – Advanced Proactive Cybersecurity: Only the most well-established contractors can achieve this level of CMMC compliance. Your company must prove that it can repel advanced cyberattacks and that it continuously improves its infrastructure, processes, and policies.

You will not be allowed to self-certify; you must be audited by a CMMC Third Party Assessment Organization (C3PAO) or an accredited individual assessor to achieve certification. The C3PAO or independent assessor evaluates your company's security environment to determine whether the CMMC requirements for that specific level have been met.

CMMC by Domain

The CMMC model consists of 17 domains, several of which are also relevant for SAP systems. CMMC adds three domains on top of NIST 800-171: Asset Management (AM), Recovery (RE), and Situational Awareness (SA). The list below provides an overview of the 17 domains and their 43 capabilities:

  • Access Control (AC)
    • Establish system access requirements
    • Control internal system access
    • Control remote system access
    • Limit data access to authorized users and processes
  • Asset Management (AM)
    • Identify and document assets
    • Manage asset inventory
  • Audit and Accountability (AU)
    • Define audit requirements
    • Perform auditing
    • Identify and protect audit information
    • Review and manage audit logs
  • Awareness and Training (AT)
    • Conduct security awareness activities
    • Conduct training
  • Configuration Management (CM)
    • Establish configuration baselines
    • Perform configuration and change management
  • Identification and Authentication (IA)
    • Grant access to authenticated entities
  • Incident Response (IR)
    • Plan incident response
    • Detect and report events
    • Develop and implement a response to a declared incident
    • Perform post incident reviews
    • Test incident response
  • Maintenance (MA)
    • Manage maintenance
  • Media Protection (MP)
    • Identify and mark media
    • Protect and control media
    • Sanitize media
    • Protect media during transport
  • Personnel Security (PS)
    • Screen personnel
    • Protect CUI during personnel actions
  • Physical Protection (PE)
    • Limit physical access
  • Recovery (RE)
    • Manage backups
    • Manage information security continuity
  • Risk Management (RM)
    • Identify and evaluate risk
    • Manage risk
    • Manage supply chain risk
  • Security Assessment (CA)
    • Develop and manage a system security plan
    • Define and manage controls
    • Perform code reviews
  • Situational Awareness (SA)
    • Implement threat monitoring
  • System and Communications Protection (SC)
    • Define security requirements for systems and communications
    • Control communications at system boundaries
  • System and Information Integrity (SI)
    • Identify and manage information system flaws
    • Identify malicious content
    • Perform network and system monitoring
    • Implement advanced email protections

Not all domains and capabilities directly affect your SAP systems. However, several of them, for example Access Control and Configuration Management, are key topics when it comes to protecting your SAP systems. Access Control includes topics such as segregation of duties (SoD), monitoring of the SAP security configuration, elevated access management for administrative users, and many more.

CMMC Compliance with Xiting’s Security Solutions

As a DoD contractor, or an organization that wants to become one, it is important to understand what the steps to CMMC compliance are. Xiting's security solutions and services allow you to take these steps more efficiently with automation tools. One of the first steps is to assess your information security processes in SAP and beyond. Let's take a closer look at what needs to be done.

  1. Conduct readiness assessments & gap analysis of existing systems.
    • Identify where controlled unclassified information is stored and processed
    • Identify the level of compliance your organization requires.
    • Assess current operations and controls for compliance against:
      • DFARS and NIST SP 800-171 controls
      • The 20 additional CMMC practices (for Level 3)
  2. Create / update System Security Plan (SSP)
    • Document system boundaries and connections
    • Document how security requirements are implemented
  3. Create remediation plan (plans of action & milestones)
    • Document known deficiencies
  4. Implement required controls
  5. Document and implement a plan to maintain compliance
  6. Ongoing cybersecurity monitoring & reporting

Xiting's security solutions allow you to centrally analyze your SAP systems to understand where data is stored and processed. With the built-in central security monitoring, you can not only document your security concept but also continuously monitor your entire landscape, on-premises and in the cloud. Xiting provides ready-to-use security concepts for ABAP systems, Java, SAP HANA, Solution Manager, SAP HCM, and SAP Access Control (GRC). These ready-to-use concepts are dynamic documents that read the configuration of all your connected systems (centrally as well as locally). This allows you to define security requirements that you can continuously monitor.

With the integration into your Security Information and Event Management (SIEM) systems (e.g. Splunk, ArcSight, IBM QRadar, Microsoft Azure Sentinel, etc.), you can achieve real-time monitoring. If you don’t have a SIEM system, but you want to use real-time notifications, Xiting offers an Email Adapter that can send security notifications via email (and also text messages) to your stakeholders. 

Xiting delivers a CMMC concept that allows you to analyze your entire SAP system landscape. For example, AC.2.009 – limit unsuccessful logon attempts – is one of the practices in the Access Control domain. In the figure below, you can see the concept along with the assessment in your system (in this example, a local check on a single system). The concept documents how the practice is achieved and supports the effectiveness of the implementation through configuration checks.

[Figure: Example of CMMC check for AC.2.009, showing the detailed analysis of the system configuration]

Xiting Security Architect comes with over 100 different checks that are fully customizable and extensible to tackle your specific needs. You can run all these checks locally, or centrally against your entire landscape. The checks also consider system types so that certain checks are critical in production environments but non-critical in a development system.

With the Security Architect, you can analyze your landscape ad hoc or schedule recurring checks. With the integration into your SIEM system or the simple email adapter, you can monitor your CMMC compliance in real time and be actively informed when, for example, a relevant configuration changes.
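The following is an added example, not Xiting's code and not part of the original article, that shows what a configuration check for AC.2.009 (limit unsuccessful logon attempts) looks like when run against SAP ABAP profile parameters, and how the system type (production versus development) drives the severity of a finding, as described above. The profile exports are constructed sample data in the "parameter = value" form you can obtain from transaction RZ11 or report RSPARAM; the thresholds for login/fails_to_user_lock and login/failed_user_auto_unlock are this example's own policy assumptions, since CMMC AC.2.009 does not prescribe numeric values.

```python
"""Added example (not from the original page): a CMMC AC.2.009 configuration
check for SAP ABAP profile parameters, with severity depending on system type.

Assumptions: the profile export format is 'name = value' per line (as exported
from RZ11/RSPARAM); the threshold values below are an example policy, not CMMC
text. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample exports for two systems (not real system output).
PRD_EXPORT = """\
login/fails_to_session_end = 3
login/fails_to_user_lock = 99
login/failed_user_auto_unlock = 1
login/min_password_lng = 8
"""

DEV_EXPORT = """\
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
"""

# Example policy (assumption): lock the user after at most 5 failed logons,
# and do not release the lock automatically at midnight (auto_unlock = 0).
MAX_FAILS_TO_LOCK = 5
REQUIRED_AUTO_UNLOCK = "0"


@dataclass
class Finding:
    system: str
    parameter: str
    actual: Optional[str]
    expected: str
    severity: str  # 'critical' on production systems, 'warning' elsewhere


def parse_profile_export(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; blank lines and '#' comments are ignored."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_ac_2_009(system: str, system_type: str, params: Dict[str, str]) -> List[Finding]:
    """Evaluate AC.2.009 against one system's parameters.

    A missing or non-numeric value is reported as a finding rather than
    silently passed, so an incomplete export cannot look compliant.
    """
    severity = "critical" if system_type == "PRD" else "warning"
    findings: List[Finding] = []

    lock = params.get("login/fails_to_user_lock")
    if lock is None or not lock.isdigit() or int(lock) > MAX_FAILS_TO_LOCK:
        findings.append(Finding(system, "login/fails_to_user_lock", lock,
                                f"<= {MAX_FAILS_TO_LOCK}", severity))

    unlock = params.get("login/failed_user_auto_unlock")
    if unlock != REQUIRED_AUTO_UNLOCK:
        findings.append(Finding(system, "login/failed_user_auto_unlock", unlock,
                                REQUIRED_AUTO_UNLOCK, severity))
    return findings


def run_landscape_check(landscape: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """landscape maps SID -> (system type, profile export text); returns all findings."""
    results: List[Finding] = []
    for sid, (system_type, export) in landscape.items():
        results.extend(check_ac_2_009(sid, system_type, parse_profile_export(export)))
    return results


if __name__ == "__main__":
    landscape = {"PRD": ("PRD", PRD_EXPORT), "DEV": ("DEV", DEV_EXPORT)}
    for f in run_landscape_check(landscape):
        print(f"[{f.severity.upper()}] {f.system} {f.parameter}: "
              f"actual={f.actual} expected={f.expected}")
```

Run as-is, the production system produces two critical findings (a lock threshold of 99 and automatic unlocking enabled) while the development system passes; in a real landscape the export text would come from each connected system and the findings would be forwarded to the SIEM or email adapter described above.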

FAQs

What is the CMMC Accreditation Body (CMMC-AB)?

The CMMC-AB (https://www.cmmcab.org/) is an independent organization that will authorize and accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO) in accordance with DoD requirements. 

What’s the difference between CMMC and NIST SP 800-171?

Unlike NIST SP 800-171, the CMMC model has five levels. The model is cumulative: each level consists of its own practices and processes in addition to those of the lower levels. CMMC also includes cybersecurity practices beyond the security requirements specified in NIST SP 800-171.

Is CMMC the same as ISO standards?

CMMC will combine elements of various cybersecurity control and security standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, into one unified standard for CUI cybersecurity.

Does CMMC also affect small businesses?

CMMC does not consider the size of an organization and it’s applicable for small businesses to the largest global enterprises. The goal of CMMC is to be a cost-effective and affordable certification that can also be achieved by small businesses.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. 

What is DFARS?

To bid on contracts in the past, companies in the defense industrial base (DIB) could self-certify their compliance with the Defense Federal Acquisition Regulation Supplement (DFARS), whose clause 252.204-7012 requires implementation of NIST SP 800-171. Going forward, DFARS self-certification alone will not be sufficient to win DoD RFPs.

What are the RFP requirements to win a DoD bid?

All contractors will need to be CMMC-certified at the level specified in the RFP to win, participate in, or even bid on a contract. If you do not hold the minimum CMMC level requested, your participation in the RFP will be rejected automatically.

Wrap Up

CMMC certification is a challenging undertaking for organizations, as it requires them to analyze their entire IT landscape, including their SAP systems. It has been estimated that 77% of all global business transactions come into contact with an SAP system at some point, so SAP systems play an important role in achieving CMMC compliance. Xiting's security solutions allow customers to analyze their SAP landscape and provide real-time documentation in the context of CMMC. With the integration into a SIEM or the use of email alerts, you can safeguard your CMMC compliance in real time and be proactively informed when changes impact your overall compliance.

Alessandro Banzer