CMMC Compliance with Tripwire

How Tripwire Enterprise Keeps Controlled Unclassified Information (CUI) Safe for the DoD

The U.S. Department of Defense (DoD) is implementing the Cybersecurity Maturity Model Certification (CMMC) program to standardize the level of cybersecurity implemented across its roughly 300,000 suppliers. In practice, every member of the Defense Industrial Base (DIB) that handles federal contract information (FCI) or controlled unclassified information (CUI) will have to demonstrate compliance before it can be awarded a contract that carries a CMMC requirement: an annual self-assessment at Level 1, a third-party assessment by a certified assessor organization (C3PAO) for most Level 2 work, and a government-led assessment at Level 3. Tripwire Enterprise gives you out-of-the-box compliance testing for the most demanding portions of CMMC compliance. 

CMMC version 1.0 was released in 2020, followed by version 2.0 in 2021, which cut the number of assessment levels from five to three and dropped the CMMC-unique practices and maturity processes in favor of the requirements already in NIST SP 800-171 and SP 800-172. In October 2024, the DoD published the final program rule (32 CFR Part 170) that codifies this three-level model. CMMC requirements are being phased into contracts in four phases over three years, starting in 2025, with all applicable DoD contracts subject to CMMC by 2028. 

According to the U.S. Department of Defense, “The purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.” 

How the CMMC Is Structured

The structure of CMMC is fairly straightforward. At the top are 14 domains, functional areas such as access control or physical protection. CMMC 1.0 described the contents of each domain in terms of processes, capabilities, and practices; CMMC 2.0 keeps the domains and the practices (which at Level 2 map one-to-one onto the 110 requirements of NIST SP 800-171) and drops the separate process-maturity requirements. The three terms are still useful for understanding how the practices fit together: 

  • Processes can be thought of as the regularly occurring events or plans needed to maintain security. Processes are usually stated very generally, such as: “Establish, maintain and resource a plan that includes Access Control.” These processes are broadly stated to allow for the variances that naturally exist in different organizations. 

  • Capabilities are more functional. They describe a specific action that needs to be taken or a goal that must be achieved. One example is: “Perform auditing.” 

  • Practices are specific actions. Taken collectively, they allow an organization to achieve a capability. An example practice is: “Control information posted or processed on publicly accessible information systems.”  

The 14 domains of the CMMC 

  1. Access Control (AC) 

  2. Awareness and Training (AT) 

  3. Audit and Accountability (AU) 

  4. Configuration Management (CM) 

  5. Identification and Authentication (IA) 

  6. Incident Response (IR) 

  7. Maintenance (MA) 

  8. Media Protection (MP) 

  9. Personnel Security (PS) 

  10. Physical Protection (PE) 

  11. Risk Assessment (RA) 

  12. Security Assessment (CA) 

  13. System and Communications Protection (SC) 

  14. System and Information Integrity (SI) 


Who Must Comply and What Will It Cost?

Bid solicitations will state whether a contract requires a CMMC level and which one. As the Cyber AB (formerly the CMMC Accreditation Body, the organization that accredits the third-party assessment organizations, or C3PAOs) expands the pool of certified assessors, the number of contracts subject to CMMC will increase.   

A bidder and its subcontractors that handle FCI or CUI must hold the required CMMC status before the contract is awarded, but a certification is not needed simply to submit a bid. The DoD has said that certain costs of achieving compliance are allowable contract costs, which helps mitigate the impact of CMMC on small suppliers. 

Tripwire® Enterprise offers out-of-the-box support for many of the CMMC requirements. The data it generates can be used to demonstrate compliance to meet auditors’ requirements.  

 

CMMC Levels

CMMC is designed to scale based on the sensitivity of the data that is handled by a contractor. As the data becomes more sensitive, the number and difficulty of practices required increases. Because of this, CMMC is organized into three levels.  

The maturity expected of a contractor also rises with the sensitivity of the data. At Level 1, for example, a contractor must show that a practice such as changing the default passwords on its wireless access points has actually been carried out, but it is not required to have a written policy or a control that continuously monitors those passwords. As the CMMC level increases, contractors are expected to operationalize these practices with documented plans and ongoing verification. At Level 3, contractors are expected to actively tune their cybersecurity tools and processes to respond to a changing threat landscape.  

The 3 Levels of CMMC

1. Level 1, Foundational: the basic safeguarding requirements of FAR 52.204-21 for protecting FCI, such as limiting system access to authorized users, identifying and authenticating users, sanitizing media, controlling physical access, and applying security updates and malware protection. Verified by an annual self-assessment. 

2. Level 2, Advanced: all 110 security requirements of NIST SP 800-171 for protecting CUI, including audit logging, configuration management, incident response, risk assessment, and security awareness training. Assessed every three years by a C3PAO for most contracts, with a self-assessment permitted for a minority of Level 2 contracts.  

3. Level 3, Expert: Level 2 plus 24 selected requirements from NIST SP 800-172, aimed at resisting advanced persistent threats. Expects mature, actively tuned capabilities such as identity and access management and continuous monitoring, and is assessed by the government (DIBCAC). 

 

Tripwire Enterprise in a CMMC Deployment

Tripwire Enterprise’s role in CMMC is to monitor systems for compliance with CMMC requirements and to produce the evidence auditors use to confirm that compliance. Specifically, it inspects servers, workstations, and network devices, checks their configuration against the relevant practices, and verifies that those practices remain in place over time.   

The Reporting Challenge

Tripwire Enterprise addresses the reporting challenge of CMMC by producing reports that demonstrate compliance to auditors. For example, if policy requires that network device passwords be changed every three months, Tripwire Enterprise scans the devices on a schedule and reports whether the required password-aging settings are in place and whether each device’s credential configuration has changed within the required window. Any device that does not match the policy is flagged as a variance in the report, and a waiver or written explanation is then required to account for it.  

Powerful Integrations 

Tripwire Enterprise integrates with the following:

  • Systems of record, such as ServiceNow, Cherwell, Jira, and Remedy
  • Tripwire Event Sender, for exporting rich change data to SIEMs like QRadar and Splunk
  • Governance, Risk and Compliance (GRC) frameworks

These capabilities are critical for every contractor seeking certification for a number of reasons:

  • Planned changes are often documented in a system of record. But proving that only the expected changes occurred is difficult without a tool like Tripwire Enterprise, which confirms expected changes and reports on unexpected ones.
  • Organizations often use a SIEM in their security operations center (SOC) as the single pane of glass representing potential security incidents. Tripwire’s change data and security data often play a role in identifying and mitigating security incidents.
  • GRC tools are often used to consolidate and report on cybersecurity data like that provided by Tripwire Enterprise. Integration shortens the time-to-value provided by the GRC.

One of Tripwire Enterprise’s most fundamental capabilities is establishing a secure baseline configuration for your system and tracking all changes against that baseline. That’s the core value of file integrity monitoring (FIM) combined with security configuration management (SCM). Tripwire Enterprise ensures the integrity of your files and systems and keeps a record of all changes. It then produces audit-ready reports to make proof of compliance easier.
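The baseline-and-diff workflow described in the last two sections (capture a known-good baseline, detect every change against it, then reconcile the changes with the planned changes recorded in a system of record) is shown below as an added Python example. It is not Tripwire Enterprise code and does not use any Tripwire API; the file tree, the change-ticket identifiers (CHG-1042, CHG-1050) and the function names are constructed for illustration.

```python
"""Added example: file-integrity baseline, change detection, and reconciliation
against approved change tickets. Not Tripwire code; all inputs are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, str]:
    """Return {relative_path: 'added' | 'removed' | 'modified'} for every difference."""
    changes: Dict[str, str] = {}
    for path in set(old) | set(new):
        if path not in old:
            changes[path] = "added"
        elif path not in new:
            changes[path] = "removed"
        elif old[path] != new[path]:
            changes[path] = "modified"
    return changes


def reconcile(changes: Dict[str, str], approved: Dict[str, str]) -> Dict[str, List[str]]:
    """Split detected changes into those covered by an approved ticket and those that
    are not. `approved` maps a relative path to the ticket (hypothetical IDs) that
    authorized a change to it. Tickets with no observed change are reported too,
    since a planned change that never happened is also a variance worth explaining."""
    report: Dict[str, List[str]] = {"expected": [], "unexpected": [], "unfulfilled": []}
    for path, kind in sorted(changes.items()):
        if path in approved:
            report["expected"].append(f"{path} ({kind}) ticket {approved[path]}")
        else:
            report["unexpected"].append(f"{path} ({kind})")
    for path, ticket in sorted(approved.items()):
        if path not in changes:
            report["unfulfilled"].append(f"{path} ticket {ticket} (no change observed)")
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed file tree, baseline it, apply one planned and two
    unplanned changes, and return the reconciliation report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc" / "motd").write_text("Authorized use only.\n")
        baseline = take_baseline(root)

        # Planned change, covered by constructed ticket CHG-1042.
        (root / "etc" / "motd").write_text("Authorized use only. Monitored.\n")
        # Unplanned changes: a weakened SSH setting and a new startup script.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n/opt/agent &\n")

        current = take_baseline(root)
        # Constructed system-of-record extract: path -> approved ticket.
        approved = {"etc/motd": "CHG-1042", "etc/sudoers": "CHG-1050"}
        return reconcile(diff_baselines(baseline, current), approved)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket)
        for item in items:
            print("  ", item)
```

In a real deployment the baseline would be persisted (and itself integrity-protected) between scans, and the approved-changes map would come from the change-management system rather than a literal; the point of the example is the three-way split of the report, which is what turns a raw list of changed files into evidence an assessor can act on.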

 

Schedule Your Demo Today

Let us take you through a demo of Tripwire security and compliance solutions and answer any of your questions.
