Security and Compliance Documents

Code42's Incydr Gov and Cybersecurity Maturity Model Certification (CMMC)

Issue link: https://www.code42.com/resources/i/1425668


CMMC - What is it and how does Incydr help its customers maintain compliance?

Incydr, our Insider Risk Management solution, supports customer compliance with Cybersecurity Maturity Model Certification (CMMC) requirements by providing organizations with the end-to-end data encryption, log encryption, data protection, critical data control and security they need for handling Department of Defense (DoD) related Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). In addition, Incydr provides powerful foundational capabilities to detect, investigate and respond to file exposure and exfiltration risks without disrupting legitimate collaboration.

What is CMMC?

In January 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC) v1.0. The CMMC model builds on the standards called for in the current DFARS rule, namely NIST Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Non-federal Systems and Organizations. The certification process will require companies to be audited by a Certified Third-Party Assessment Organization (C3PAO). These certifications will follow a set of standards that will ensure that the CMMC is interpreted the same way across the board.

Who does CMMC apply to?

If a Defense Industrial Base (DIB) Contractor provides services to the federal government, specifically the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) applies to them. In fact, every DoD contractor who handles DoD's Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) will be required to comply with DoD's CMMC certification process. If the organization does not get the certification, it may be ineligible to bid on or perform government work.

How does Incydr Gov help its customers maintain CMMC compliance and contractual requirements to the DoD?
Our Incydr product delivers several key functionalities that play a vital role in supporting CMMC:

End-to-end encryption: Customer file data, including event, alert, and audit log data, is encrypted with end-to-end encryption using AES 256-bit FIPS 140-2 validated modules to secure data at rest and AES 256-bit Transport Layer Security (TLS 1.2) encryption to secure all data in transit.

Insider Risk Management - Insider Risk Indicators: CMMC requires organizations to incorporate into security training and awareness the ability to recognize and report potential indicators of insider risk. With Incydr you get real-time visibility into data exfiltration events and actionable insight into Insider Risk Indicators within your organization.

Cloud Based Services: The Incydr product collects exfiltrated endpoint data to allow for recovery and restoration of data for investigations. This data is retained for 30 or 90 days, depending on the subscription purchased.

Transparency and Accountability: The Incydr product captures and retains user data movement, so a user's actions are logged and can be reviewed for malicious data exfiltration events.

CMMC Highlights

Does Incydr align with CMMC and NIST 800-171?

Incydr has performed an internal control self-assessment and meets the criteria for NIST SP 800-171. Code42 is also self-assessed at CMMC Level 3 Good Cyber Hygiene. Incydr has performed a self-assessment of the CMMC capabilities.

How do you know what level of CMMC you will need?

The level a CSP needs depends on the type of information it handles and the requirement set forth in the Government contract or subcontract. CMMC divides information into two big "buckets":

Federal Contract Information ("FCI") is "information provided by or generated for the Government under contract not intended for public release".

Controlled Unclassified Information ("CUI") is "information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government wide policies," but is not classified. CUI generally includes things like personally identifying information, Government financial records, and controlled technical information.
