ProShop can help you meet CMMC security standards.
Why is CMMC important?
The Cybersecurity Maturity Model Certification 2.0 is the mechanism that will facilitate a standardized approach to implementing cybersecurity best practices across the defense industrial base. CMMC 2.0, released November 4, 2021, diverges from CMMC 1.0 in several key areas: only certain companies doing certain kinds of DoD work will need a third-party audit of their cybersecurity posture. All companies working in the DiB will need to report their SPRS score through the Supplier Performance Risk System (SPRS). The CMMC, while focused on the protection of CUI and other sensitive data, contains a blueprint for developing a cybersecurity department and capabilities, the benefits of which cannot be overstated. So, even if not required, companies should consider implementing some of the CMMC security controls in order to better operate in the digital landscape.
What are the Requirements you need to meet to reach CMMC and how can ProShop help?
The Requirements of CMMC map directly to NIST800-171 and NIST800-172 Requirements.
The requirements are broken into 17 different domains, ranging from technical controls of your network and devices to personnel management and security awareness training, making this standard a truly company-wide endeavor.
As a digital manufacturing environment, ProShop facilitates managing cybersecurity policies and procedures, alongside tasks and training for staff, within the architecture of various workflows.
Rather than a stand-alone system, cybersecurity should be integrated into the fabric of the company: we feel ProShop is uniquely positioned for manufacturers looking to integrate cybersecurity management and documentation within their existing environment.
How does ProShop help you achieve these goals?
We were excited to let the CMMC inform aspects of our ProShop development: we have a suite of security features which can be used to meet some of the very important requirements. We’re most excited about:
Enforce complex user passwords by configuring password requirements from a selection of available options and configurations
No more insanely weak passwords – ProShop does not allow the use of the 100,000 most commonly used passwords
Prevent any word or phrase of your choice from being used in a password with a configurable field
Fully supported MFA with FIPS compliant security keys
ProShop assigns a unique identifier to each user, allowing the actions of each individual to be uniquely traced, and monitored for anomalies
A complete record of all edits made within ProShop will be available to select privileged users
User accounts are automatically disabled after a customizable number of unsuccessful login attempts have been made. All active sessions for users with disabled accounts are automatically terminated.
Provide privacy and security notices consistent with applicable CUI rules.
When any User logs into ProShop, they must agree to a Security Notice that outlines their obligations while using ProShop, and warns them that their activities are being monitored. The Privacy Notice reminds Users of their obligations for PII. ProShop will provide a template for these Notices, but the notices must be configured properly so that they adhere to your particular legal requirements.
Use non-privileged accounts or roles when accessing nonsecurity functions.
‘C’ users are able to use an ‘A’ Seat to perform basic functions. More info about our user licenses here.
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
‘A’ seat users cannot change system configuration or view sensitive data.
Terminate (automatically) a user session after a defined condition
Customizable session timeouts and unsuccessful login attempt limits.
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Logged information will be protected behind Elasticsearch security.
Limit management of audit logging functionality to a subset of privileged users.
Audit log permissions will be enabled or disabled on a per-user basis.
Identify system users, processes acting on behalf of users, and devices.
All Users have a unique identifier. Devices may be managed through the equipment module.
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Tokens for session management are generated via a cryptographically secure random number generator and cannot be reused after a user session ends. OTP device support prevents intercepted login credentials from being used to access ProShop. Detection of re-used or out-of-date One Time Passwords is automatically recorded and reported.
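As an added illustration of the lockout, session-timeout and session-token behaviour described above (accounts disabled after a configurable number of failed logins with their live sessions terminated, per-user idle timeouts, and CSPRNG tokens that are discarded when a session ends), here is constructed example code; it is not ProShop's implementation, and the class, limits and user names are hypothetical.

```python
import secrets
import time

class SessionStore:
    """Lockout and session handling; constructed illustration, not ProShop's code."""
    def __init__(self, max_failures=5, default_timeout=900):
        self.max_failures = max_failures
        self.default_timeout = default_timeout
        self.timeouts = {}       # per-user idle timeout in seconds (overrides default)
        self.failures = {}       # user -> consecutive failed logins
        self.disabled = set()
        self.sessions = {}       # token -> (user, last_seen)

    def record_failure(self, user):
        """Count a failed login; disable the account once the limit is reached."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.disable(user)

    def disable(self, user):
        """Disable the account and terminate every live session it owns."""
        self.disabled.add(user)
        for token in [t for t, (u, _) in self.sessions.items() if u == user]:
            del self.sessions[token]

    def login_success(self, user, now=None):
        """Issue a fresh CSPRNG token (256 bits); returns None for disabled accounts."""
        if user in self.disabled:
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now if now is not None else time.time())
        return token

    def validate(self, token, now=None):
        """Return the session's user, or None if unknown, ended or idle too long."""
        now = now if now is not None else time.time()
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.timeouts.get(user, self.default_timeout):
            del self.sessions[token]
            return None
        self.sessions[token] = (user, now)    # sliding idle window
        return user

    def logout(self, token):  # the token is discarded and can never be accepted again
        self.sessions.pop(token, None)
```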
Prevent reuse of identifiers for a defined period.
User accounts are, by default, not deleted but marked as inactive, so reuse of user identifiers isn’t possible. (CMMC Requirement: IA.3.085)
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
ProShop integration with FIPS compliant Yubikey OTP devices.
Enforce a minimum password complexity and change of characters when new passwords are created.
ProShop supports customizable password complexity rules with pre-configured regimes that meet various standards.
Store and transmit only cryptographically-protected passwords.
Standards-compliant password hashing is in place. Only password hashes are stored; no plaintext passwords are stored in the database.
Prohibit password reuse for a specified number of generations.
A customizable number of previous password hashes can be stored per user.
Obscure feedback of authentication information.
Authentication information is not specific when login is unsuccessful.
Allow temporary password use for system logons with an immediate change to a permanent password.
System administrators can assign temporary passwords to users. This allows login but requires the immediate registration of a new password that meets defined password complexity guidelines.
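The password controls listed above (the common-password blocklist and configurable forbidden phrases, complexity rules, hashed-only storage, reuse prohibition over a number of generations, and the changed-characters rule) can be combined into a single policy check. The following is an added example, not ProShop's code; the blocklists, PBKDF2 parameters and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample blocklists (hypothetical values): a real deployment would load
# the 100,000 most common passwords and the site's own forbidden phrases from config.
COMMON_PASSWORDS = {"password", "123456", "qwerty123", "letmein"}
FORBIDDEN_PHRASES = {"proshop", "acme"}
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only this value is stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest

def verify_password(password, stored):
    """Constant-time comparison against a stored salt+digest record."""
    salt, digest = stored[:16], stored[16:]
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)

def check_new_password(candidate, history, current=None, min_length=12,
                       generations=5, min_changed=4):
    """Return the list of policy violations; an empty list means the password is accepted.
    `history` holds the user's previous hashes, newest first; `current` is the old
    plaintext, known only at change time, used for the changed-characters rule."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    if lowered in COMMON_PASSWORDS:
        problems.append("in common-password blocklist")
    if any(phrase in lowered for phrase in FORBIDDEN_PHRASES):
        problems.append("contains forbidden phrase")
    if any(verify_password(candidate, h) for h in history[:generations]):
        problems.append(f"reused within last {generations} generations")
    if current is not None:
        changed = sum(a != b for a, b in zip(candidate, current))
        changed += abs(len(candidate) - len(current))
        if changed < min_changed:
            problems.append(f"fewer than {min_changed} characters changed")
    return problems
```

The stored record is the salt followed by the digest, so the history list needs nothing but those bytes to enforce the reuse rule.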
Can people access ProShop from home? How do I keep that safe?
Yes, as ProShop is a web platform, employees can log in from home. Employees must be provided with a secure connection to the company network. However, facilitating remote work requires implementing a range of security controls. NIST’s “Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions” provides a good overview of how to facilitate remote work securely as a company.
What are your dual or second factor authentication options?
ProShop supports Yubikeys, including FIPS compliant Yubikeys, as a second authentication factor. Yubikeys are centrally managed within ProShop.
Are you offering cybersecurity consultations?
At this time, ProShop is not offering cybersecurity consultations in-house, but we have Partner Cybersecurity organizations who we recommend. Contact [email protected] for a referral.
How long until ProShop logs me out of a session?
Session Management is configurable, and can be distinctly set for each user. Session Management is done through the Security Configurations Module.
Where do I find password settings in ProShop?
Password configurations may be set in the Security Configurations Module. Password configuration options include length, complexity, and required characters. ProShop disallows any of the 100,000 most commonly used passwords, and you may also disallow the use of any words or phrases of your choosing.
Does ProShop have configurable file permissions?
Yes, File Permissions may be set per role or user.
Does ProShop track user activity?
Yes, you can track user activity through the Edit Log.
What level will my company have to get certified to?
CMMC 2.0 no longer requires every company with DiB contracts to be Certified. Every company with a DiB contract is still required to implement NIST800-171, and must submit their SPRS score. Depending on the type of work performed, you may be asked to undergo a complete CMMC Audit. What was formerly “Level 3” in CMMC 1.0 is now contained up to “Level 2” in CMMC 2.0.
Our IT department is currently working on NIST SP 800-171 compliance. Can that be used as a basis for CMMC, or does there have to be completely separate documentation?
Documentation used as part of a NIST800-171 implementation may also be used to show work towards a CMMC certification.
Does CMMC require an Onsite Assessment by a C3PAO?
Whether the CMMC Audit requires an Onsite Assessment will depend on the Level of certification your company is asked to obtain. Most companies, however, could benefit from a third-party audit of their company’s Cybersecurity architecture, even if not strictly required.
Is there a Physical Security component of CMMC?
Absolutely, physical security is a critical component of cybersecurity. Access to sensitive equipment should be restricted and physical access procedures for your organizational site should be defined and communicated to your staff.
Is ProShop ERP planning on getting CMMC certified?
ProShop ERP is implementing NIST800-171, but is not required to obtain a CMMC certification.
Download the full pdf for how ProShop can help with CMMC compliance