CMMC Assessment – SI Domain – MakeBelieve Manufacturing


Disclaimer: This story is entirely fictional. Any resemblance to actual persons, living or dead, or actual events, or actual companies is purely coincidental and unintended. The characters, companies, and events portrayed are purely a work of fiction. Jil Wright, a Certified CMMC Assessor, has provided this narrative to offer organizations seeking certification an example of what an assessment might entail. Jil Wright does not endorse any of the technologies mentioned in this story. Implementing the specific measures discussed does not guarantee that a practice will be met.


MakeBelieve Manufacturing (MBM), a mid-sized company specializing in aircraft parts for the Department of Defense (DoD), was scheduled for their CMMC assessment. Passing this assessment was crucial for maintaining their DoD contracts.

Ben Jammin was tasked with focusing on the System and Information Integrity (SI) domain, which is critical for ensuring the company’s systems are secure from flaws and malicious attacks.

Months before the assessment, the company’s Chief Information Security Officer (CISO) spearheaded the preparation. The company’s policies and procedures were reviewed, and Ben ensured all documentation related to the SI domain requirements was up-to-date. The team conducted an internal audit to identify and address any gaps. Ben and his team practiced interviewing and documented how they tested certain implementations, ensuring they were ready to demonstrate and show settings when asked.


The SI domain was assessed on Thursday of assessment week. That morning, the assessor, Mr. Bean, met the team in a virtual room to begin. He started with a brief overview of the domain and what he would be examining.

Ben: “Welcome, Mr. Bean. Our team is all here and ready to begin.”

Mr. Bean began by telling the team that he had examined the policies, procedures, and artifacts MBM had prepared for the domain. While he had been able to mark some of the assessment objectives as Met from the documentation review, he had more questions. He began with the first practice in the domain.

Mr. Bean: “Can you show me how you identify and report system flaws?”

Ben: “We have specific time frames for identifying, reporting, and correcting them. Our schedule is on page 3 of our Maintenance and Vulnerability Management Policy.”

Mr. Bean: “I see the specified times here. How do you ensure that these time frames are adhered to?”

Ben replied, “We use Microsoft Endpoint Manager and the Security recommendations in Microsoft Security Center. We also track these in our ticketing system to ensure they’re addressed within the specified times. The flaws that are remediated can be seen in a report from our ticketing system or in the dashboards of our tools. We review our reports in our monthly IT meeting.”

Mr. Bean: “Thank you. Would you mind walking through the tool for me?”

Ben shared his screen, “Sure, we can look at the compliance reports in Endpoint Manager. Here it shows applied updates. I can filter by time frame. Here are the ones we have fixed in the past 30 days, 3 months, and 6 months.”

“We can also look in the MS Security Center under Threat & Vulnerability Management,” Ben continued. “We can filter the recommendations by date to see updates and patches applied within a certain timeframe. We have custom reports set up here as well.”

Mr. Bean: “Thank you. I see that you are getting real-time alerts, which is within your 30-day timeline to identify flaws. They’re reported on the dashboard, in emails, and in your meeting. There are none showing that they are over the 90-day threshold you’ve set to fix the flaws.”

Mr. Bean marked the practice objectives a-f as met and made notes in the findings column.
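As an added illustration, not part of the original story or of any tool MBM describes: a small Python script that applies the 30-day identification and 90-day remediation thresholds from the exchange above to constructed ticket records and flags the ones an assessor would ask about. It assumes the 90-day clock starts at identification; the ticket fields and sample dates are invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as stated in the dialogue: identify within 30 days, fix within 90 days.
IDENTIFY_DAYS = 30
REMEDIATE_DAYS = 90


@dataclass
class FlawTicket:
    """A flaw-remediation ticket as a minimal, hypothetical record (field names assumed)."""
    ticket_id: str
    published: date             # date the vendor or advisory disclosed the flaw
    identified: date            # date the flaw was logged in the ticketing system
    remediated: Optional[date]  # None while the ticket is still open


def check_ticket(t: FlawTicket, today: date) -> list:
    """Return a list of SLA breaches for one ticket (empty list means compliant)."""
    findings = []
    identify_lag = (t.identified - t.published).days
    if identify_lag > IDENTIFY_DAYS:
        findings.append(f"identified {identify_lag}d after disclosure (>{IDENTIFY_DAYS}d)")
    # Assumption: the remediation clock runs from identification; open tickets are measured to today.
    end = t.remediated or today
    fix_lag = (end - t.identified).days
    if fix_lag > REMEDIATE_DAYS:
        state = "remediated" if t.remediated else "still open"
        findings.append(f"{state} {fix_lag}d after identification (>{REMEDIATE_DAYS}d)")
    return findings


def sla_report(tickets: list, today: date) -> dict:
    """Map ticket id -> breaches, keeping only tickets that breached a threshold."""
    report = {}
    for t in tickets:
        breaches = check_ticket(t, today)
        if breaches:
            report[t.ticket_id] = breaches
    return report


# Constructed sample data: one compliant ticket, one late identification, one overdue open ticket.
TODAY = date(2024, 5, 1)
SAMPLE_TICKETS = [
    FlawTicket("T-1001", date(2024, 5, 1), date(2024, 5, 10), date(2024, 6, 20)),
    FlawTicket("T-1002", date(2024, 2, 1), date(2024, 3, 15), date(2024, 4, 1)),
    FlawTicket("T-1003", date(2024, 1, 5), date(2024, 1, 6), None),
]

if __name__ == "__main__":
    for ticket_id, breaches in sla_report(SAMPLE_TICKETS, TODAY).items():
        print(ticket_id, "; ".join(breaches))
```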

Mr. Bean: “Tell me about your protections against malicious code.”

Ben: “We conducted a risk assessment and designated locations within our systems that are critical to our business. You can see them on our network diagram. These locations are protected by multiple layers of security. They include:

  • Our endpoints such as desktops, laptops, and mobile devices
  • Our servers, especially those hosting sensitive data, applications, and critical services
  • Email Servers
  • File Servers where shared files are stored and accessed
  • Firewalls and gateways”

Mr. Bean: “And how do you ensure these protections are effective?”

Ben: “We run simulated phishing campaigns regularly. We receive alerts from Defender and regularly review our logs for any anomalies. We can take a look at Microsoft Defender for Endpoint and our firewall profile, which provides protection against malicious code and other security threats. You can see that policies are configured for antivirus. If we go to Endpoint protection > Firewall, we can look at the settings. We also review Advanced Threat Protection Settings monthly to ensure settings for real-time protection and automated investigation are enabled. We generate reports showing how threats have been detected and mitigated to review at our monthly IT meeting.”

Mr. Bean: “Let’s talk about monitoring security alerts. How do you handle this?”

Ben: “Anita Vaca, our SOC team lead, can provide more details.”

Anita: “Sure, Mr. Bean. Have you had a chance to review our Incident Response Plan and Vulnerability Management Policy?”

Mr. Bean: “Yes, I have.”

Anita: “Great. My team is responsible for the continuous monitoring of our network and systems for security alerts and taking action to respond to any detected threats. Our policies outline the actions we take in response to alerts, which vary depending on the severity.

First, let’s open the Microsoft Defender Security Center. Here, I’ll show you the Threat & Vulnerability Management dashboard. It provides an overview of active alerts, device status, and vulnerability insights. You can see the alerts and advisories we received last month, their severity, and the actions we took in response.

If an alert indicates a high-severity threat, we initiate our IR plan. We create an incident ticket to assign analysts, track progress, and document the actions taken. This helps ensure that each incident is properly managed, and stakeholders are notified. We document the process from detection through resolution.

A lot of data is ingested into our SIEM, Azure Sentinel. The ‘Incidents’ section in Sentinel shows a list of detected incidents. There are tools available here that make it easier to understand and respond to the threats.”

Mr. Bean: “Can you walk me through one of these recent alerts?”

Anita navigated to the “Incidents & alerts” section in Defender. “I’ll click on a specific alert to display detailed information about the threat, including the affected devices, its severity, and the recommended actions. For example, this alert was about a potential vulnerability. We analyzed it, confirmed it was a false positive, and updated our definitions just to be safe.”

Mr. Bean: “Do you receive any other alerts and threat advisories, perhaps from something you subscribe to?”

Anita: “Yes, we receive advisories and alerts from several vendors we work with and from CISA.gov. Here’s an email advisory we received from CISA in May that could have affected our secure email gateway. I’ve included the alert email in the evidence we submitted, along with the ticket we created to run an out-of-schedule vulnerability scan. The steps we took to mitigate the vulnerability are detailed in the ticket.”

Mr. Bean: “Thank you, Anita. That was very informative.”

Mr. Bean updated his findings sheet and continued to the next practice.

Mr. Bean: “How do you handle updates to your malicious code protection?”

Ben: “We have a policy to check for updates weekly, but Defender updates its antivirus definitions multiple times a day to ensure that it can detect and protect against the latest threats. These updates typically occur automatically. In Endpoint Manager, I can show you the status of antivirus updates across our managed devices. You can see when the last update was applied and the version of the definitions.”

Mr. Bean: “From reviewing documentation, I know that your policy says that scans are performed on at least a monthly basis. Can you show me that this is being done?”

Ben: “Finn Ternet from our IT team can show you our scanning process.”

Finn: “We actually perform scans weekly and real-time scans on all external files. Here’s our scanning dashboard, and you can see the logs of recent scans. We can take a look to see that real-time protection is enabled in Microsoft Defender by navigating to the Security Center to see the settings.”

Mr. Bean: “Thank you, can you demonstrate that real-time scans occur on files from external sources as they are downloaded, opened, or executed?”

Finn: “I can attempt to download the EICAR file, which is a standard test file used to demonstrate antivirus capabilities. As we download and open the file, Microsoft Defender should immediately detect and quarantine it. We can see this action in the Incidents & alerts section. In the logs, we would see the detection event. It includes details about the file, the threat level, and the actions taken. We do not allow portable storage devices. They are disabled, so no files may be executed that way.”

Mr. Bean: “Thank you for the demonstration.”

Mr. Bean: “How do you monitor inbound and outbound traffic for potential attacks?”

Ben: “Sparky Hotspot from our IT team can explain.”

Sparky: “We monitor inbound and outbound traffic continuously. You’ve seen Microsoft Defender for Endpoint, which provides an overview of monitored traffic and detected threats. We also integrate firewall logs into Sentinel to monitor network traffic, detect threats, and manage incidents. In the Incidents section in Sentinel, we can see a list of detected incidents involving inbound and outbound traffic and details on how they are investigated.”

Mr. Bean: “Can you show me an example of an attack detection?”

Sparky pulled up a case from the previous month. “Let’s click on one to view the details. This incident shows a suspicious outbound connection that was blocked by our firewall. We can see the source and destination IPs, the action taken, and the severity of the threat.”

Mr. Bean: “Thank you.”

Mr. Bean: “This is the last practice in the domain and the last practice of the assessment. I see that you have defined authorized use of your system in your Acceptable Use Policy. How do you identify unauthorized use of your systems?”

Ben: “We track users’ use of the system. All their actions are logged. We maintain strict access controls and continuously monitor for unauthorized use of the system. For example, if we look at the reports section in Defender, we can see logs of all blocked logon attempts, including details such as the user, device, and URL. Our access controls also prevent users from installing unauthorized software. We also use web filtering. In Defender, we have web threat protection enabled. We’ve created a configuration profile to define categories we want to block, such as adult content, social media, and gambling sites.”

Mr. Bean completed his findings sheet.

MakeBelieve Manufacturing did a great job. At the end of the day, Mr. Bean provided preliminary feedback. He commended MakeBelieve Manufacturing for their pleasant attitude, thorough documentation, processes, and the team’s evident expertise. They discussed the next steps, with Mr. Bean informing them to expect a report and that they would reconvene for the out-brief the following week.

Ben felt a sense of relief and accomplishment. The assessment had been challenging but rewarding. He understood that maintaining compliance would be an ongoing effort, but the team was now more motivated than ever. MakeBelieve Manufacturing’s journey through the CMMC assessment, particularly the SI domain, underscored the importance of preparation, detailed documentation, and effective implementation. It was a testament to the company’s commitment to cybersecurity and their readiness to meet the high standards required for their critical work with the DoD.
