CMMC and NIST 800-171
Virtru products and services support regulatory compliance under a number of security control frameworks. This document describes how Virtru products support compliance with the DoD “Cybersecurity Maturity Model Certification” (CMMC), which is based on the NIST SP 800-171 control framework. CMMC is designed to protect sensitive information and is being phased in as a contractual requirement for defense contractors. Universities and grant-funded research entities that handle Controlled Unclassified Information (CUI) face similar obligations to meet the 800-171 controls.
Program Background
Executive Order 13556 designates the National Archives and Records Administration (NARA) as the “Executive Agent” for a program to protect the “Controlled Unclassified Information” used by federal agencies.
The specific controls for protecting CUI under CMMC Level 2 (the level most widely applicable) are those of NIST Special Publication 800-171 r2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. This publication details the security requirements for protecting the confidentiality of CUI when it resides in nonfederal systems and organizations, that is, outside federal information systems.
A great deal of sensitive work takes place under Department of Defense auspices, and contractors to the DoD (collectively referred to as the Defense Industrial Base) are required to meet the requirements of the Cybersecurity Maturity Model Certification (CMMC) program as it rolls out. The publication of the DFARS interim rule (effective November 30, 2020) began a five-year “phase-in” period, during which CMMC compliance is required only in select pilot contracts. CMMC 2.0 is expected to become a general contractual requirement once the Department completes the rulemaking process and fully implements the program for all contractor work.
Virtru’s Role
Virtru’s primary role in customer networks focuses on the encryption of messages and files, and the ability to attach access control policies to them. These policies control the access granted to specific users and groups, as well as optional watermarking, forwarding prevention, and access expiration dates. Virtru also provides tools supporting auditing and monitoring of these operations.
Virtru provides support for controls in the following NIST SP 800-171 control families: Access Control (3.1), Audit and Accountability (3.3), Configuration Management (3.4), Media Protection (3.8), and System and Communications Protection (3.13).
Virtru maintains a FedRAMP Moderate authorization that covers our processing environment, policies, and practices. This attests to our implementation of the NIST SP 800-53 moderate baseline, “Security and Privacy Controls for Information Systems and Organizations” (the baseline from which the NIST SP 800-171 requirements are derived), and includes annual penetration testing. Virtru also maintains, and makes available on request, our annual SOC 2 audit report.
The Virtru platform provides the ability to assert policies around access control, including the ability to revoke access or specify an expiration date. In addition to supporting data loss prevention (DLP) and other compliance goals, these policies can support several specific CMMC controls when properly configured and used. The use of Virtru products and services does not by itself guarantee compliance with any security framework, but Virtru offers capabilities that can play a key role in a customer's security and compliance program.
Customers with complex regulatory requirements are encouraged to work with their Sales and Support contacts to ensure that their system is specified and configured properly to provide the desired control support.
CMMC Levels/Requirements
CMMC 2.0 specifies three levels of compliance:
- Level 1, “Foundational”, is the basic level. It requires implementation of the 17 basic safeguarding practices of FAR 52.204-21, verified by an annual self-assessment conducted by the contractor.
- Level 2, “Advanced”, incorporates the 110 requirements of NIST SP 800-171 and, for most contracts involving CUI, requires a triennial assessment by a certified third-party assessment organization (C3PAO); a subset of Level 2 contracts permit self-assessment. The majority of defense contractors and universities will have responsibilities at Level 2, and this document focuses on those customers.
- Level 3, the “Expert” level, is currently awaiting final publication. It is expected to include a subset of the NIST SP 800-172 enhancements to 800-171, and to require a US government-led assessment.
Details of Virtru Control Support for CMMC
Virtru has created a CMMC Shared Responsibility Matrix that documents the CMMC controls that can be supported through the use of Virtru products, and which aspects of each referenced control are the customer’s responsibility, which are Virtru’s, and which are shared between the two. The matrix incorporates the original NIST framework language for each control.
Please reach out to your account manager or submit a request via the Virtru Support Center if you would like to discuss where Virtru fits in your CMMC program.