
All About CMMC
The New CMMC 2.0 Requirements
Cybersecurity Maturity Model Certification (CMMC) 2.0 defines three levels of accreditation associated with federal contracts. Level 2 requires contracts to meet the 110 requirements in the National Institute of Standards & Technology (NIST) 800-171 Rev. 2, titled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.” CUI is information that government agencies have deemed worthy of protection. To protect CUI, organizations must first understand which of the data they possess is considered CUI, and which markings and protection policies should be applied to it.

The Importance of Marking CUI and Its Challenges
CUI markings alert an individual to the presence of CUI data in a document, email or other media and dictate the set of controls that must be followed with that data. However, marking CUI comes with three main challenges:
- Remembering Everything: There are two types of CUI – CUI Basic and CUI Specified – and under each of these there are 20 categories and 120+ subcategories.
- Following the Rules: For the CUI program to be effective, all participants must be on board with properly applying and following markings.
- Implementing in the Modern Workplace: Organizations need a solution with the information access advantages of the modern workplace that also makes it easy for Microsoft users – either in the cloud, on premises, or mobile – to apply and comply with CUI markings.

To an end user, remembering each category and its associated set of rules and dissemination controls is an arduous task, so organizations must find a way to make it easy to apply and follow markings and to alert users to possible mistakes.

ISEC7 CLASSIFY takes the guesswork out of implementing a CUI program by defining the CUI categories and associated controls through our platform, ensuring that your markings follow the most current CUI registry.

Key Benefits:
- Defines CUI categories, ensuring your markings follow the correct protocol.
- Same presentation for Microsoft Office users, enabling a common user experience for web and desktop.
- Mobile email client integration for users on mobile devices.
- Employees can mark and disseminate information regardless of work platform.
- CUI classification schemas are easily updated, ensuring any CUI Registry updates can be quickly implemented.
- All marked media receives its own unique tracking ID for full auditing and statistics to understand where CUI is being transmitted.

How Does ISEC7 CLASSIFY Help?
The Importance of a Zero Trust Architecture
Executive orders in the past few years have been pushing the government towards a Zero Trust
Architecture strategy, which requires strict and continuous authentication of both people and devices
when accessing resources on a private network. While Zero Trust is not explicitly named in the new
CMMC requirements, CMMC practices emphasize the principle of least privilege access, which aligns
with Zero Trust. Implementing Zero Trust practices is a good way to ensure that sensitive data is only
seen and shared by those who have the proper permissions and can help fast-track your CMMC process.

How Does CipherInsights Help?
CipherInsights, a cryptographic discovery and risk assessment tool from Quantum Xchange, upholds Zero Trust in that it continuously monitors network traffic to identify risk, evaluates compliance against Zero Trust policies, and does not depend on data from other products. CipherInsights can be deployed to identify and/or investigate cryptographic weaknesses, alerting on non-compliance with CMMC’s section IA.L2-3.5.10, which requires the use of only cryptographically protected passwords.

With NIST expected to standardize its post-quantum cryptographic algorithms in 2024, the agency is urging organizations to begin their migration planning, starting with a complete inventory of the use of cryptography throughout the enterprise. In under 90 minutes, CipherInsights can be deployed to generate a complete Crypto Bill of Materials to assess risk and prioritize the replacement of legacy encryption with NIST standardized quantum-resistant algorithms.

Key Benefits:
- Identifies the use of outdated protocols and algorithms, e.g., TLS 1.1, SSL 3.0, MD5 or SHA-1, and of quantum-vulnerable public key encryption.
- Flags suspicious encrypted traffic between endpoints.
- Spots weakly signed, untrustworthy, wildcarded, self-signed, or expired certificates.
- Alerts on communications such as user authentication and database traffic that should be encrypted but appear in clear text.
- Allows users to discover, catalog, and prioritize cryptographic risk based on the zero-trust framework.
- Generates detailed reports that can be directly submitted to regulatory bodies or used for internal audits.
- Enforces policies, maintains compliance, and manages organizational progress toward crypto agility.

With the new CMMC requirements in place, it is imperative that organizations stay in compliance and follow the guidelines to strengthen any cryptographic weaknesses and protect and safeguard their data, including CUI. Strong protection starts with visibility into the state of your data and cryptographic infrastructure. Together, ISEC7 CLASSIFY and Quantum Xchange’s CipherInsights enable enterprises to combat cyber risks, meet federal mandates, comply with data security and consumer privacy standards, validate security policies, and bring their existing mobile networks into the quantum era.
