Guide on Cybersecurity Maturity Model Certification (CMMC 2.0)

Cybersecurity Maturity Model Certification
Rate this post

CMMC 2.0 Model is the latest upgraded version of CMMC v 1.0 established back in 2020. The Department of Defense (DoD) in a bid to mitigate the growing risk of cyber security threats, released the Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. The objective behind establishing this framework was to ensure that businesses maintain an appropriate level of cybersecurity to protect Federal Contact Information (FCI) and Controlled Unclassified Information (CUI).

Prior to the enforcement of CMMC, contractors were responsible for implementing and monitoring their own cybersecurity best practices. However, these contractors were never audited and verified for their level of security maintained. This is because they were allowed to self-attest to their level of security. But with the establishment of CMMC, there was an entire shift in the paradigm of cybersecurity in the industry among contractors serving the DoD. 

Now the DoD worked on the model of “trust but verify” rather than simply relying on the self-attestation approach. Unlike most cybersecurity frameworks, CMMC was designed and established to specifically address the issue of supply chain cyber security threats. The framework provides an excellent foundation for establishing a strong cybersecurity program to effectively manage cyber threats. Over a year after enforcing CMMC, the federal government 2021 issued a new version of the framework, CMMC 2.0 which is designed to simplify compliance requirements for contractors. Let us today learn about the CMMC 2.0 model and understand the 3 levels and their different controls. 

What is CMMC Compliance?

Cybersecurity Maturity Model Certification is a cybersecurity program developed by the United States Department of Defense (DoD). It is a standard and an industry best practice that organizations dealing with the Department of Defense (DoD) are required to comply with. The framework is designed to measure the defense contractor’s capability, and readiness, in mitigating cybersecurity threats prevailing in the industry.

The CMMC Compliance framework is a collection of processes and security implementations of various cybersecurity standards such as NIST, FAR, and DFARS. Achieving CMMC Certification of Compliance simply suggests the level of maturity an organization’s current cybersecurity initiative stands at in the industry. The primary objective of attaining the certification is to improve the security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of their federal contractors. 

CMMC or CMMC v1.0 was designed with 5 maturity levels ranging from the basics of cyber hygiene at Level 1 to the progressive and advanced level at Level 5. So, while an organization operating with non-classified DoD data was expected to meet Level 3 or a level below that for CMMC Compliance.

Organizations operating with high-value information were expected to achieve Level 4 or higher. However, last year in 2021 the Federal Government issued a new version of the framework, CMMC 2.0. As per the updated version of CMMC 2.0, there are just levels in this version of compliance. So, now achieving CMMC 2.0 compliance requirements vary depending on the contract, with some requiring only Level 1 or Level 2, Level 3. Elaborating this in detail, let us learn what the CMMC 2.0 is for a better understanding of the standard and the compliance program.

What is CMMC 2.0?

CMMC 2.0 is the latest version or rather an upgraded version of CMMC Compliance introduced earlier last year in 2021. So, the CMMC 2.0 changes currently included reducing the number of compliance “levels” from five to three, and changes in terms of making it easier for contractors to self-certify their compliance. Elaborating more on the latest version and explaining the CMMC 2.0 controls, we have outlined CMMC 2.0 vs 1.0 changes introduced in the table below.  The table broadly outlines the key changes introduced in the latest version of the CMMC 2.0 model by the DoD.

CMMC 2.0 vs CMMC 1.0

PCI DSS v3.2.1PCI DSS v4.0
Requirement and Testing Procedures Section 2.1: Changing Defaults and Removing Unnecessary Accounts

Before installing a system on the network, it’s crucial to change all vendor-supplied defaults and disable or remove any
unnecessary default accounts. This applies to all default passwords, including those used by operating systems, security software, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) community strings, among others.


• 2.1.a: Select a sample of system components. With the assistance of a system administrator, try to log into the devices and applications using the default vendor-supplied accounts and passwords. The goal is to confirm that all default passwords have been changed. This includes passwords on operating systems, security software, application and system accounts, POS terminals, and SNMP community strings. Vendor manuals and online sources can be used to find vendor-supplied accounts and passwords.

•2.1.b: For the chosen sample of system components, verify that all unnecessary default accounts have been removed or disabled. This includes accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, and so on.

• 2.1.c: Conduct interviews with personnel and review supporting documentation to confirm the following:

- All vendor defaults, including default passwords on operating systems, security software, application and system accounts, POS terminals, SNMP
community strings, and so on, are changed before a system is installed on the network.

- Unnecessary default accounts, including those used by operating systems, security software, applications, systems, POS terminals, SNMP, and so on, are removed or disabled before a system is installed on the network.

Section 2.2.2: Management of Vendor Default Accounts

Vendor default accounts are managed in the following ways:

- If the vendor default account(s) will be used, the default password is changed as per Requirement 8.3.6.

- If the vendor default account(s) will not be used, the account is removed or disabled.

• 2.2.2.a: Review the system configuration standards to ensure they include the management of vendor default accounts in accordance with all elements specified in this requirement.

• 2.2.2.b: Examine the vendor documentation and observe a system administrator logging on using vendor default accounts. This is to verify that accounts are implemented in accordance with all elements specified in this requirement.

• 2.2.2.c: Review the configuration files and conduct interviews with personnel to confirm that all vendor default accounts that will not be used are removed or disabled.
Requirement and Testing Procedures 2.2.1 The principle here is to assign only a single primary function to each server. This is done to avoid the coexistence of functions that demand different security levels on the same server. For instance, web servers, database servers, and DNS should each be implemented on their own separate servers.

• 2.2.1.a Choose a sample of system components. Then, examine the configurations of these systems to confirm that each server is dedicated to just one primary function.

• 2.2.1.b In cases where virtualization technologies are employed, scrutinize the configurations of the system to ensure that each virtual system component or device is assigned only one primary function.

This ensures that even in a virtualized environment, each function is isolated in its own virtual system component or device.
2.2.3 The management of primary functions that require different security levels is handled in one of the following ways:

- A system component contains only a single primary function,
OR,

- If primary functions with varying security levels exist on the same system component, they are isolated from each other,
OR,

- If primary functions with varying security levels exist on the same system component, they are all secured to the level required by the function with the highest security need.

• 2.2.3.a Inspect the standards for system configuration to confirm that they include the management of primary functions that require different security levels, as specified in this requirement.

• 2.2.3.b Examine the configurations of the system to verify that primary functions requiring different security levels are managed in one of the ways specified in this requirement.

• 2.2.3.c If virtualization technologies are in use, review the configurations of the system to ensure that system functions requiring different security levels are managed in one of the following ways:

o Functions with differing security needs do not coexist on the same system component.

o Functions with differing security needs that exist on the same system component are isolated from each other.

o Functions with differing security needs on the same system component are all secured to the level required by the function with the highest security need.
Requirement and Testing Procedures 2.2.2 The guideline here is to activate only those services, protocols, daemons, etc., that are essential for the system’s function.

• 2.2.2.a Choose a sample of system components. Inspect the enabled system services, daemons, and protocols on these components to ensure that only necessary services or protocols are activated.

• 2.2.2.b Identify any insecure services, daemons, or protocols that are enabled. Interview relevant personnel to confirm that these are justified as per the documented configuration standards.

2.2.5 The directive is to eliminate all superfluous functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

• 2.2.5.a Select a sample of system components. Inspect their configurations to ensure that all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, etc., has been removed.

• 2.2.5.b Review the documentation and security parameters to confirm that the enabled functions are documented and support a secure configuration.

• 2.2.5.c Examine the documentation and security parameters to ensure that only the functionality documented is present on the sampled system components. This helps maintain a clean and secure system environment.
2.2.4 Ensure only essential services, protocols, daemons, and functions are active, and disable or remove all non-essential ones.

• 2.2.4.a Check system configuration standards to confirm that necessary services, protocols, and daemons are identified and recorded.

• 2.2.4.b Review system configurations to ensure:

- All non-essential functionality is disabled or removed.

- Only the functionality required and documented in the configuration standards is active.


Requirement and Testing Procedures 2.2.3 Enforce the application of extra security measures for any necessary services, protocols, or daemons that are deemed to be insecure.

• Carry out an inspection of the configuration settings to ensure that security features have been properly documented and implemented for all services, daemons, or protocols that are identified as insecure.


2.2.5 In the event of any insecure services, protocols, or daemons being present:

- A business justification is documented.

- Additional security measures are documented and put into effect that mitigate the risk of using insecure services, protocols, or daemons.


• 2.2.5.a If any insecure services, protocols, or daemons are present, review the system configuration standards and conduct interviews with personnel to ensure they are managed and implemented in line with all the elements specified in this requirement.

• 2.2.5.b If any insecure services, protocols, or daemons are present, inspect the configuration settings to confirm that additional security measures are in place to reduce the risk of using insecure services, daemons, and protocols.
Requirement and Testing Procedures2.1.1 For wireless environments that are connected to the cardholder data environment or that transmit cardholder data, ensure that ALL wireless vendor defaults are altered at the time of installation. This includes, but is not limited to, default wireless encryption keys, passwords, and SNMP community strings.

• 2.1.1.a Conduct interviews with the responsible personnel and review the supporting documentation to confirm that:

-> The encryption keys were altered from their default settings at the time of installation.

-> The encryption keys are changed whenever anyone with knowledge of the keys leaves the company or changes their position.

• 2.1.1.b Interview the personnel and review the policies and procedures to confirm that:

-> The default SNMP community strings are required to be changed upon installation.

-> The default passwords/passphrases on access points are required to be changed upon installation.

• 2.1.1.c Review the vendor documentation and log into the wireless devices, with the assistance of the system administrator, to confirm that:

-> The default SNMP community strings are not in use.

-> The default passwords/passphrases on access points are not in use.

• 2.1.1.d Review the vendor documentation and observe the wireless configuration settings to confirm that the firmware on wireless devices is updated to support strong encryption for:

-> Authentication over wireless networks.

-> Transmission over wireless networks.

• 2.1.1.e Review the vendor documentation and observe the wireless configuration settings to confirm that other security-related wireless vendor defaults were changed, if applicable.
2.3.1 For wireless environments that are connected to the CDE or that transmit account data, ensure that all wireless vendor defaults are either altered at the time of installation or confirmed to be secure. This includes, but is not limited to:

-> Default wireless encryption keys.

-> Passwords on wireless access points.

-> SNMP defaults.

-> Any other security-related wireless vendor defaults.

• 2.3.1.a Review the policies and procedures and conduct interviews with responsible personnel to confirm that processes are in place to either change wireless vendor defaults upon installation or to confirm them to be secure, in accordance with all elements of this requirement.

• 2.3.1.b Review the vendor documentation and observe a system administrator logging into wireless devices to confirm that:

-> SNMP defaults are not in use.

-> Default passwords/passphrases on wireless access points are not in use.

• 2.3.1.c Review the vendor documentation and wireless configuration settings to confirm that other security-related wireless vendor defaults were changed, if applicable.

2.3.2 For wireless environments that are connected to the CDE or that transmit account data, ensure that wireless encryption keys are changed under the following circumstances:

-> Whenever personnel with knowledge of the key leave the company or change roles.

-> Whenever a key is suspected of or known to be compromised.

• Conduct interviews with responsible personnel and review the key-management documentation to confirm that wireless encryption keys are changed in accordance with all elements specified in this requirement.
Requirement and Testing Procedures 2.4 Ensure the maintenance of an inventory of system components that fall within the scope of PCI DSS.

• 2.4.a Conduct a review of the system inventory to confirm that a list of hardware and software components is maintained and that it includes a description of the function or use for each component.

• 2.4.b Carry out interviews with personnel to confirm that the documented inventory is regularly updated and kept current.
12.5.1 Maintain an inventory of system components that are within the scope for PCI DSS, ensuring it includes a description of function or use and is regularly updated.

• 12.5.1.a Review the inventory to confirm that it includes all system components within the scope of PCI DSS and a description of the function or use for each component.

• 12.5.1.b Conduct interviews with personnel to confirm that the inventory is regularly updated and kept current.

Who needs to be CMMC Certified?

CMMC 2.0 is meant for any organization planning to do business with the DoD. This requirement applies to prime contractors, subcontractors, and any other supplier across the supply chain involved in the process. CMMC compliance requirements may vary depending on the contract, with some contracts requiring Level 1 or Level 2 compliance while other contracts may require up to Level 5.

The DoD contract specifies the level of compliance the contractor needs to meet. That said, for those businesses not working with the government or DoD does not mean they need not comply with CMMC 2.0. CMMC compliance, in general, is seen as an industry best practice so every organization should be able to achieve CMMC compliance.

CMMC 2.0 Model

CMMC 2.0 Model is the latest version of the standard designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department. CMMC Model of framework outlines the best cybersecurity practices at the highest level by domains that are segmented into different CMMC 2.0 controls. The contractors looking to work with DoD are required to demonstrate compliance by adhering to those controls and processes segmented across the 3 maturity levels of CMMC namely Level 1 Foundational, Level 2 Advanced, and Level 3 Expert. Let us learn about the 3 levels of the CMMC 2.0 Model a bit in detail. 

CMMC 2.0 Model In a Glance

PCI DSS v3.2.1PCI DSS v4.0
4.1

Implement robust cryptographic methods and security protocols to protect sensitive cardholder data when transmitted over open, public networks. This includes:



-> Acceptance is limited to trusted keys and certificates.

-> The employed protocol supports only secure versions or configurations.

-> The strength of encryption is suitable for the encryption technique in use.


Open, public networks can be, but are not limited to, the following:

- The Internet

- Wireless technologies, such as 802.11 and Bluetooth

- Cellular technologies, like Global System for Mobile communications (GSM), Code division multiple access (CDMA) General Packet Radio Service (GPRS)

- Satellite communications

Testing Procedures:

4.1.a

Pinpoint all areas where cardholder data is transmitted or received over open, public networks. Scrutinize documented standards and juxtapose them with system configurations to ensure the application of security protocols and potent cryptography in all areas.

4.1.b

Scrutinize documented policies and procedures to ensure that processes are outlined for the following:

-> Only trusted keys and/or certificates are accepted.

-> The protocol in use is configured to support only secure versions and configurations and does not support insecure ones.

-> The encryption strength is suitable for the encryption method being used.

4.1.c

Select and monitor a subset of real-time inbound and outbound transmissions (for example, by observing system processes or network traffic) to ensure that all cardholder data is encrypted with potent cryptography while in transit.

4.1.d

Inspect keys and certificates to ensure that only trusted keys and/or certificates are accepted.

4.1.e

Review system configurations to ensure that the protocol is configured to use only secure settings and does not support insecure versions or configurations.

4.1.f

Review system configurations to ensure that the appropriate encryption strength is applied for the encryption method in use. (Refer to vendor recommendations/best practices.)

4.1.g

For TLS implementations, review system configurations to ensure that TLS is enabled whenever cardholder data is transmitted or received. For example, for browser-based implementations:

-> The browser Universal Record Locator (URL) protocol displays “HTTPS”, and

-> Cardholder data is only requested if “HTTPS” is part of the URL

4.2.1.a

Review documented policies and procedures and conduct interviews with personnel to ensure processes are defined to include all elements specified in this requirement.



4.2.1.b

Inspect system configurations to ensure that robust cryptography and security protocols are implemented in accordance with all elements specified in this requirement.



4.2.1.c

Review cardholder data transmissions to ensure that all PAN is encrypted with robust cryptography when it is transmitted over open, public networks.



4.2.1.d

Review system configurations to ensure that keys and/or certificates that cannot be verified as trusted are rejected.
4.1.2

The tasks and responsibilities associated with executing activities in Requirement 4 are documented, assigned, and understood.

Testing Procedures:

4.1.2.a

Evaluate documentation to ensure that the descriptions of tasks and responsibilities for executing activities in Requirement 4 are documented and assigned.

4.1.2.b

Interview personnel tasked with executing activities in Requirement 4 to ensure that tasks and responsibilities are assigned as documented and are understood.

New requirement:

4.2.1

Robust cryptography and security protocols are utilized as follows to secure PAN during transmission over open, public networks:

-> Acceptance is limited to trusted keys and certificates.

-> Certificates used to secure PAN during transmission over open, public networks are confirmed to be valid and are not expired or revoked. This item is best practice until its effective date; please refer to the notes below for applicability details.

-> The protocol in use only supports secure versions or configurations and does not allow fallback to, or use of insecure versions, algorithms, key sizes, or implementations.

-> The encryption strength is appropriate for the encryption technique in use.

Testing Procedures:

4.2.1.a

Review documented policies and procedures and conduct interviews with personnel to ensure processes are defined to include all elements specified in this requirement.


4.2.1.b

Inspect system configurations to ensure that robust cryptography and security protocols are implemented in accordance with all elements specified in this requirement.


4.2.1.c

Review cardholder data transmissions to ensure that all PAN is encrypted with robust cryptography when it is transmitted over open, public networks.


4.2.1.d

Review system configurations to ensure that keys and/or certificates that cannot be verified as trusted are rejected.

New requirement:

4.2.1.1

An up-to-date log of the entity’s trusted keys and certificates, utilized to safeguard PAN during transmission, is maintained.


Testing Procedures:

. 4.2.1.1.a

Evaluate documented policies and procedures to ensure that processes are established for the entity to maintain a log of its trusted keys and certificates.



. 4.2.1.1.b

Examine the log of trusted keys and certificates to ensure that it is consistently updated.

3 Levels of CMMC 2.0

Foundational Level 1

CMMC 2.0 Level 1 is the foundational level comprising 17 controls of CMMC 1.0 Level 1, a limited subset of NIST 800-171. The CMMC Level1 applies to organizations handling and focused on protecting Federal Contract Information (FCI). These controls are meant for basic cyber hygiene to protect covered contractor information systems and engage contractors in developing a strong cybersecurity posture. Level 1 which is the foundational level of CMMC 2.0 allows self-assessment.

Advanced Level 2

CMMC 2.0 Level 2 is the advanced level comprising 110 controls of NIST 800-171. The Level 2 CMMC 2.0 is comparable to the Level3 of CMMC 1.0 requirements that reflect 14 domains and 110 controls of NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC.

It applies to those organizations handling Controlled Unclassified Information that is deemed critical to National Security Information.  Achievement and maintenance of compliance to this level require audit and assessment by a third party every three years. So, any contractor with a Defense Federation Acquisition Regulation (DFAR) clause in their contract will need to at least meet Level 2 requirements. Further, it is important to note that DFARS clause 252.204-7012 applies and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting. 

Expert Level 3

CMMC 2.0 Level 3 focuses on protecting sensitive information against Advanced Persistent Threats (APTs) and is meant for organizations dealing with or handling Controlled Unclassified Information which is DoD’s top priority. Level 3 is similar or rather comparable to the CMMC 1.0 Level 5. Currently, the requirement for this level is still being developed but officially lists out 110 controls based on NIST 800-172. Any contractor with a DFARS clause in their contract will meet Level 3 requirements.

Meeting this requirement will require going beyond NIST SP 800-171 security requirements and including incident reporting. It is also important to note that the assessment of CMMC Level 3 will be completed by the government and not CMMC Third Party Assessment Organization (C3PAO).

NIST 800-171 14 Domains Covered in CMMC 2.0

PCI DSS v3.2.1PCI DSS v4.0Specification of Requirements
5.1.2 The tasks and duties associated with Requirement 5 are clearly defined, allocated, and comprehended.

-> 5.1.2.a Review the written records to confirm that the roles and duties associated with Requirement 5 are clearly defined and allocated.



-> 5.1.2.b Conduct interviews with staff responsible for Requirement 5 to ensure that the roles and duties are allocated as per the documentation and are comprehended.
An updated mandate for roles and responsibilities has been introduced. This mandate is to be implemented with immediate effect for all v4.0 evaluations.
5.1.2 For systems that are typically not susceptible to malicious software, carry out regular assessments to detect and assess emerging malware threats. This is to ascertain whether these systems continue to not necessitate anti-virus software.


Conduct discussions with staff to ensure that they are monitoring and assessing emerging malware threats for systems that are generally not prone to malicious software. This is to confirm whether these systems persist in not needing anti-virus software.
5.2.3 System components that are not susceptible to malware undergo regular evaluations, which include the following:

-> A documented inventory of all system components that are not susceptible to malware.

-> Identification and assessment of emerging malware threats for these system components.

-> Verification whether these system components continue to not need anti-malware protection.

5.2.3.a Review documented policies and procedures to confirm that a process is established for regular evaluations of any system components that are not susceptible to malware, encompassing all elements specified in this requirement.

5.2.3.b Conduct discussions with staff to confirm that the evaluations encompass all elements specified in this requirement.

5.2.3.c Review the list of system components identified as not susceptible to malware and compare it with the system components without an anti-malware solution deployed as per Requirement 5.2.1 to confirm that the system components align for both requirements.
Refined the requirement by shifting the emphasis to ‘system components that are not susceptible to malware.

New Requirement in PCI DSS v4.0:

5.2.3.1 The regularity of evaluations for system components deemed not susceptible to malware is determined by the entity’s focused risk analysis, which is conducted in line with all elements outlined in Requirement 12.3.1.



-> 5.2.3.1.a Review the entity’s focused risk analysis for the regularity of evaluations of system components deemed not susceptible to malware to confirm that the risk analysis was conducted in line with all elements outlined in Requirement 12.3.1.



-> 5.2.3.1.b Review the documented outcomes of regular evaluations of system components deemed not susceptible to malware and conduct discussions with staff to confirm that evaluations are conducted at the regularity defined in the entity’s focused risk analysis performed for this requirement.
New stipulation to establish the regularity of evaluations for system components not susceptible to malware in the entity’s focused risk analysis. This stipulation is considered a best practice until March 31, 2025.
5.2 Ensure that all anti-virus mechanisms are upheld as follows:

-> They are kept up to date,

-> They carry out regular scans

-> They produce audit logs which are preserved as per PCI DSS Requirement 10.7.


5.2.a Review policies and procedures to confirm that it is mandatory for anti-virus software and definitions to be kept current.

5.2.b Inspect anti-virus configurations, including the primary installation of the software to confirm that anti-virus mechanisms are:

-> Set up to perform automatic updates, and

-> Configured to carry out regular scans.

5.2.c Review a selection of system components, including all operating system types typically affected by malicious software, to confirm that:

The anti-virus software and definitions are up-to-date.

Regular scans are carried out.



5.2.d Inspect anti-virus configurations, including the primary installation of the software and a selection of system components, to confirm that:

-> Anti-virus software log generation is activated, and

-> Logs are preserved in line with PCI DSS Requirement 10.7.
5.3.1 The anti-malware solution(s) is consistently updated through automatic updates.

5.3.1.a Inspect the configurations of the anti-malware solution(s), including any primary installation of the software, to confirm the solution is set up to carry out automatic updates.

5.3.1.b Review system components and logs, to verify that the anti-malware solution(s) and definitions are up-to-date and have been deployed promptly.



5.3.2 The anti-malware solution(s):

-> Conducts regular scans and active or real-time scans. OR

-> Carries out continuous behavioral analysis of systems or processes.



5.3.2.a Review the configurations of the anti-malware solution(s), including any primary installation of the software, to confirm the solution(s) is set up to perform at least one of the elements specified in this requirement.



5.3.2.b Inspect system components, including all operating system types identified as susceptible to malware, to confirm the solution(s) is activated in line with at least one of the elements specified in this requirement.



5.3.2.c Review logs and scan results to confirm that the solution(s) is activated in line with at least one of the elements specified in this requirement.



5.3.4 Audit logs for the anti-malware solution(s) are activated and preserved in line with Requirement 10.5.1.



Inspect the configurations of the anti-malware solution(s) to confirm logs are activated and preserved in line with Requirement 10.5.1.
Divided a single requirement into three distinct parts, each focusing on a specific area:

-> Ensuring the malware solution is consistently updated through automatic updates,

-> Conducting regular scans and active or real-time scans (with an added alternative for continuous behavioral analysis),

-> Producing audit logs by the malware solution.
New Requirement in PCI DSS v4.0:

5.3.2.1 If regular malware scans are conducted to fulfill Requirement 5.3.2, the regularity of scans is determined in the entity’s focused risk analysis, which is carried out in line with all elements outlined in Requirement 12.3.1.



-> 5.3.2.1.a Review the entity’s focused risk analysis for the regularity of regular malware scans to confirm that the risk analysis was conducted in line with all elements outlined in Requirement 12.3.1.



-> 5.3.2.1.b Inspect the documented outcomes of regular malware scans and conduct discussions with staff to confirm that scans are carried out at the regularity defined in the entity’s focused risk analysis performed for this requirement.
New requirement to establish the regularity of regular malware scans in the entity’s focused risk analysis. This stipulation is considered a best practice until March 31, 2025.
New Requirement in PCI DSS v4.0:

5.4.1 Procedures and automated systems are established to identify and safeguard staff from phishing attacks.

-> Inspect the implemented procedures and scrutinize the systems to confirm that controls are established to identify and safeguard staff from phishing attacks.
New requirement to identify and safeguard staff from phishing attacks. This stipulation is considered a best practice until March 31, 2025.
New Requirement in PCI DSS v4.0:

5.3.3 For detachable electronic media, the anti-malware solution(s):

-> Conducts automatic scans when the media is inserted, connected, or logically mounted, OR

-> Carries out continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.



5.3.3.a Review the configurations of the anti-malware solution(s) to confirm that, for detachable electronic media, the solution is set up to perform at least one of the elements outlined in this requirement.



5.3.3.b Inspect system components with detachable electronic media connected to confirm that the solution(s) is activated in line with at least one of the elements as outlined in this requirement.



5.3.3.c Review logs and scan results to confirm that the solution(s) is activated in line with at least one of the elements outlined in this requirement.
New requirement for an anti-malware solution for detachable electronic media. This stipulation is considered a best practice until March 31, 2025.

Getting Started with CMMC Compliance

CMMC 2.0 which is the latest version by the DoD is set to establish in an effort to mitigate cyberattacks that threaten U.S. military, technology, and commercial aspects. It is a standard that is designed to equip organizations and effectively deal with cybersecurity threats better. So, organizations looking to achieve CMMC 2.0 Compliance must kick-start their journey by achieving NIST 800-171.

This is simply because the CMMC 2.0 Advanced Level 2 mirrors the NIST 800-171 standard and aligns with the standard’s 110 security controls. So, clearly, compliance with NIST SP 800-171 will ensure effective implementation and achievement of certain levels of CMMC 2.0 compliance. 

Organizations handling CUI and looking to attain the DoD contracts must get started on their compliance path even if the final CMMC 2.0 requirements are yet to be officially established and work their way through the federal rulemaking and enforcement of federal cybersecurity regulations.

Moreover, since NIST 800-171 continues as the standard, organizations must seek to comply with and prepare to meet the NIST 800-171 control requirements without any delay as preparation for it will take up to over a year. For assistance and guidance on NIST 800-171 or CMMC2.0, you can get in touch with our compliance experts at VISTA InfoSec. They can guide you through the process and help your organization in the compliance journey. 

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.