LogRhythm-Cybersecurity Maturity Model Certification


Cybersecurity Maturity Model Certification (CMMC)
August 20, 2020

LogRhythm, Inc. All rights reserved.

This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of the Software. This Software may be used or copied only in accordance with the Agreement. No part of this Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)
Toll Free in North America (MT) 1-866-255-0862
Direct Dial in the Americas (MT) 1-720-407-3990
EMEA (GMT) 44 (0) 844 3245898
META (GMT 4) 971 8000-3570-4506
APAC (SGT) 65 31572044

Table of Contents

CMMC – AI Engine Rules    6
CMMC – Investigations    75
CMMC – Reports and Reporting Packages    105
    Summary Reports    106
    Detailed Reports    124
    Reporting Packages    126
CMMC – Requirements    127
Cybersecurity Maturity Model Certification Deployment Guide    341
    Intended Audience    341
    CMMC Deployment Guide – Install and Enable the Compliance Module    343
    CMMC Deployment Guide – Verify the Installation    344
    CMMC Deployment Guide – Configure the Compliance Module    345
Cybersecurity Maturity Model Certification User Guide    346
    CMMC User Guide – AI Engine Rules    347
    CMMC User Guide – Investigations    349
    CMMC User Guide – Reports and Reporting Packages    351
    CMMC User Guide – LogRhythm GeoIP Functionality    353
    CMMC User Guide – Compliance Maturity Model: A Foundation and Road Map    354

LogRhythm, Inc.    Contents    3

Cybersecurity Maturity Model Certification (CMMC)

Disclaimer: Organizations are not required as a matter of law to comply with this document, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) developed the Cybersecurity Maturity Model Certification (CMMC) to assess and certify a company’s maturity of cybersecurity practices and processes. The objective and mandate of the CMMC is that Department of Defense (DoD) contractors obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet a “basic cyber hygiene” and to protect controlled unclassified information (CUI) residing on partner systems. The cybersecurity practices and CUI protection already exist in regulations like the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST; however, those standards do not stipulate a third-party assessment to validate cybersecurity effectiveness and maturity, and to provide certification.

The CMMC builds upon established NIST special publications and DFAR regulations (with some additional sources, including UK Cyber Essentials and the Australian Cyber Security Centre Essential Eight maturity model). CMMC comprises 17 capability domains that include 171 practices or controls. The 17 capability domains are shown in the diagram below.

Organizations seeking certification will be certified at one of five levels that measure both technical control capacity and process maturity. The lowest level of the certification (Level 1) requires entities to adhere to a subset of the 171 controls (as prescribed by OUSD(A&S)) and to demonstrate they are performing the required processes. The five certification levels are briefly summarized below.

Each certification level requires increased process maturity and additional control practices. The DoD will assess which CMMC level is appropriate for a particular contract and deliver that level in contract Sections L and M of the corresponding request for proposal (RFP). The DoD will use the assessment as a “go/no go” evaluative determination. The level of certification required in each contract will depend upon the amount of CUI a company will handle or process. Independent third-party organizations (C3PAOs) will evaluate customers' environments for certification. A company will specify the level of the certification requested and will be certified at the appropriate CMMC level upon demonstrating the appropriate maturity to the satisfaction of the assessor and certifier.

All contractors within the Defense Industrial Base (DIB) are required to comply with some level of CMMC, depending upon the amount of unclassified networks that handle, process, and/or store federal contract information (FCI) or CUI and as stipulated by their specific contract. Companies that solely produce Commercial-Off-The-Shelf (COTS) products will not be required to obtain a certification. For more detailed information on CMMC, see the OUSD(A&S) website. The website provides the most current version of the CMMC regulation (1.02) and offers an overview PowerPoint with background on the CMMC and details on the processes and practices for each certification level.

The LogRhythm platform enables your organization to meet many CMMC practices by collecting, managing, and analyzing log data. LogRhythm AI Engine (AIE) rules, alarms, reports, investigations, and general SIEM functionality also help your organization satisfy certain control practices outlined by the CMMC.

LogRhythm understands that organizations may be at different points of compliance maturity, so the CMMC module gives organizations the flexibility to realize value at any point along that maturity scale. The CMMC module is focused on the control requirements traditionally used for best practice purposes. LogRhythm supports some CMMC recommendations and decreases the cost to meet others through pre-built content and functionality. Using advanced LogRhythm functionality such as NetMon, TrueIdentity, SysMon, Threat Research content, and Case Management may enhance pre-built content to better support an organization's compliance efforts.

IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly. The task of organizing this information can be overwhelming. Additional recommendations to analyze and report on log data render manual processes or homegrown remedies inadequate and cost prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm’s powerful alerting capabilities automatically identify the most critical issues and notify relevant personnel. The CMMC module and associated reporting package work out of the box with some level of customization available. Utilizing the CMMC module assists in building and maintaining a sound compliance program.

CMMC – AI Engine Rules

AI Engine Rules

Each rule is listed with its Rule ID, Description, Control Support, Alarming, Classifications, and Log Sources.

Rule: CCF: Abnormal Amount of Data Transferred
Rule ID: 1230
Description: This rule alerts whenever there is a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out from a specific host.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.3.098, IR.3.099, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.4.197, SC.4.228, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.5.223
Alarming: No
Classifications: Operations: Warning
Log Sources: 1. Include All Log Sources; 2. Include All Log Sources

Rule: CCF: Abnormal Origin Location
Rule ID: 1208
Description: First tracks geographic locations for logins. Afterwards, triggers when a new origin location is seen for a user.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.3.098, IR.3.099, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.4.197, SC.4.228, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.5.223
Alarming: No
Classifications: Security: Attack
Log Sources: 1. Include All Log Sources; 2. Include All Log Sources
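The two rules above (Abnormal Amount of Data Transferred, rule 1230, and Abnormal Origin Location, rule 1208) are described only by their trigger conditions. The following is an added example, not LogRhythm's code and not the AI Engine implementation, showing the same detection logic in plain Python so a practitioner can see what "400% increase or 75% decrease" and "new origin location for a user" mean when applied to normalized events. The event shape (per-host byte counters, login events with a user and country field), the function names, and all sample data are constructed assumptions for this example; only the thresholds come from the rule descriptions.

```python
"""Toy re-implementation of two AI Engine rule descriptions (added example).

Rule 1230: flag a host whose Bytes In or Bytes Out in the current window
           rose by 400% or more, or fell by 75% or more, versus its baseline.
Rule 1208: learn the origin countries of each user's logins, then flag a
           login from a country not yet seen for that user.
Field names, event shapes and sample data are assumptions, not LogRhythm's.
"""
from collections import defaultdict

# A 400% increase means current >= 5x baseline; a 75% decrease means
# current <= 0.25x baseline. These numbers come from the rule description.
INCREASE_FACTOR = 5.0
DECREASE_FACTOR = 0.25


def abnormal_transfer(baseline, current):
    """Return (host, direction, kind, ratio) for every counter that crossed
    a threshold. baseline/current map host -> {"bytes_in", "bytes_out"}."""
    alerts = []
    for host, now in current.items():
        before = baseline.get(host)
        if before is None:
            continue  # no baseline yet: a rule like this needs a learning period
        for direction in ("bytes_in", "bytes_out"):
            base_val = before.get(direction, 0)
            cur_val = now.get(direction, 0)
            if base_val == 0:
                continue  # ratio is undefined against a zero baseline
            ratio = cur_val / base_val
            if ratio >= INCREASE_FACTOR:
                alerts.append((host, direction, "increase", round(ratio, 2)))
            elif ratio <= DECREASE_FACTOR:
                alerts.append((host, direction, "decrease", round(ratio, 2)))
    return alerts


def learn_locations(login_events):
    """Learning phase of rule 1208: collect the countries seen per user."""
    known = defaultdict(set)
    for ev in login_events:
        known[ev["user"]].add(ev["country"])
    return known


def detect_new_origins(known, login_events):
    """Detection phase of rule 1208: alert on a country not yet seen for the
    user, then remember it so the same location does not alert again."""
    alerts = []
    for ev in login_events:
        user, country = ev["user"], ev["country"]
        if country not in known[user]:
            # A user with no learned locations alerts on first sight; whether
            # that is desirable is a tuning choice for the environment.
            reason = "new location" if known[user] else "no learned baseline"
            alerts.append({"user": user, "country": country,
                           "ts": ev["ts"], "reason": reason})
            known[user].add(country)
    return alerts


# Constructed sample data (bytes per window; countries from a GeoIP lookup).
BASELINE = {
    "web01": {"bytes_in": 1_000_000, "bytes_out": 2_000_000},
    "db01": {"bytes_in": 500_000, "bytes_out": 400_000},
    "wks17": {"bytes_in": 300_000, "bytes_out": 50_000},
}
CURRENT = {
    "web01": {"bytes_in": 1_200_000, "bytes_out": 1_900_000},  # within range
    "db01": {"bytes_in": 480_000, "bytes_out": 80_000},        # out: 0.2x
    "wks17": {"bytes_in": 310_000, "bytes_out": 900_000},      # out: 18x
    "new99": {"bytes_in": 5_000_000, "bytes_out": 5_000_000},  # no baseline
}
LEARNING_LOGINS = [
    {"ts": "2020-08-01T08:00:00Z", "user": "alice", "country": "US"},
    {"ts": "2020-08-02T08:05:00Z", "user": "alice", "country": "US"},
    {"ts": "2020-08-01T09:00:00Z", "user": "bob", "country": "US"},
    {"ts": "2020-08-03T17:30:00Z", "user": "bob", "country": "DE"},
]
NEW_LOGINS = [
    {"ts": "2020-08-10T08:00:00Z", "user": "alice", "country": "US"},
    {"ts": "2020-08-10T08:07:00Z", "user": "alice", "country": "BR"},
    {"ts": "2020-08-10T09:00:00Z", "user": "bob", "country": "DE"},
    {"ts": "2020-08-10T09:30:00Z", "user": "alice", "country": "BR"},
    {"ts": "2020-08-10T10:00:00Z", "user": "carol", "country": "US"},
]

if __name__ == "__main__":
    for alert in abnormal_transfer(BASELINE, CURRENT):
        print("rule 1230:", alert)
    for alert in detect_new_origins(learn_locations(LEARNING_LOGINS), NEW_LOGINS):
        print("rule 1208:", alert)
```

With the sample data, rule 1230 fires twice (db01 outbound dropped to 0.2x, wks17 outbound rose to 18x) and ignores new99, which has no baseline; rule 1208 fires for alice's first login from BR and for carol, who was never seen in the learning phase, but not for alice's second BR login. The zero-baseline and unknown-user branches are the two tuning decisions a real deployment of rules like these has to make explicitly.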

Rule: CCF: Account Deleted Rule
Rule ID: 1367
Description: This rule provides details of accounts that have been deleted.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.4.023, AC.4.032, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.049, AU.3.050, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.064, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.3.083, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.2.097, IR.3.098, IR.3.099, IR.4.100, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MA.2.114, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, PE.1.134, PE.2.135, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.3.192, SC.4.197, SC.4.228, SC.4.199, SC.5.198, SC.5.230, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.3.219, SI.4.221, SI.5.222, SI.5.223
Alarming: No
Classifications: Audit: Account Deleted
Log Sources: Include All Log Sources

Rule: CCF: Account Disabled Rule
Rule ID: 1369
Description: This AIE Rule alerts on the occurrence of any access revoking to accounts.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.4.023, AC.4.032, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.049, AU.3.050, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.064, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.3.083, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.2.097, IR.3.098, IR.3.099, IR.4.100, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MA.2.114, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, PE.1.134, PE.2.135, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.3.192, SC.4.197, SC.4.228, SC.4.199, SC.5.198, SC.5.230, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.3.219, SI.4.221, SI.5.222, SI.5.223
Alarming: No
Classifications: Audit: Access Revoked
Log Sources: Include All Log Sources

Rule: CCF: Account Enabled Rule
Rule ID: 1368
Description: This AIE Rule alerts on the occurrence of any access granting to accounts.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.4.023, AC.4.032, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.049, AU.3.050, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.064, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.3.083, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.2.097, IR.3.098, IR.3.099, IR.4.100, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MA.2.114, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, PE.1.134, PE.2.135, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.3.192, SC.4.197, SC.4.228, SC.4.199, SC.5.198, SC.5.230, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.3.219, SI.4.221, SI.5.222, SI.5.223
Alarming: Yes
Classifications: Audit: Access Granted
Log Sources: Include All Log Sources

Rule: CCF: Account Modification
Rule ID: 1377
Description: This AIE Rule creates a common event and provides detail around account modification activity.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.4.023, AC.4.032, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.049, AU.3.050, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.064, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.2.081, IA.3.083, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.2.097, IR.3.098, IR.3.099, IR.4.100, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MA.2.114, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, PE.1.134, PE.2.135, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.3.192, SC.4.197, SC.4.228, SC.4.199, SC.5.198, SC.5.230, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.3.219, SI.4.221, SI.5.222, SI.5.223
Alarming: No
Classifications: Audit: Account Modified
Log Sources: Include All Log Sources

Rule: CCF: Admin Password Modified
Rule ID: 1326
Description: User changes the password of a different privileged user account.
Control Support: AC.1.001, AC.1.002, AC.1.003, AC.2.006, AC.2.007, AC.2.008, AC.2.009, AC.2.010, AC.2.011, AC.2.013, AC.2.015, AC.2.016, AC.3.018, AC.3.012, AC.3.020, AC.3.014, AC.3.021, AC.3.022, AC.5.024, AM.3.036, AM.4.226, AU.2.041, AU.2.042, AU.2.043, AU.2.044, AU.3.045, AU.3.046, AU.3.048, AU.3.051, AU.3.052, AU.4.053, AU.4.054, AU.5.055, CM.2.062, CM.2.063, CM.2.065, CM.3.069, CM.5.074, IA.1.076, IA.1.077, IA.2.078, IA.2.079, IA.2.080, IA.3.084, IA.3.085, IA.3.086, IR.2.092, IR.2.093, IR.2.094, IR.2.096, IR.3.098, IR.3.099, IR.4.101, IR.5.106, IR.5.102, IR.5.108, MA.2.111, MA.2.112, MP.2.119, MP.2.120, MP.2.121, MP.3.123, MP.3.124, PS.2.128, PE.1.131, PE.1.132, PE.1.133, RE.2.137, RE.2.138, RE.3.139, RE.5.140, RM.2.141, RM.2.143, RM.3.144, RM.4.149, RM.4.150, RM.4.151, RM.5.152, CA.2.158, CA.3.161, SA.4.171, SA.4.173, SC.1.175, SC.1.176, SC.2.178, SC.2.179, SC.3.177, SC.3.180, SC.3.181, SC.3.182, SC.3.183, SC.3.184, SC.3.185, SC.3.188, SC.3.190, SC.3.191, SC.4.197, SC.4.228, SI.1.210, SI.1.211, SI.1.212, SI.1.213, SI.2.214, SI.2.216, SI.2.217, SI.3.218, SI.5.223
Alarming: No
Classifications: Security: Suspicious
Log Sources: Include All Log Sources

