CyberSecDef / Cyber.Trackr.Live


Add CMMC controls #10

Open CyberSecDef opened 4 years ago

CyberSecDef commented 4 years ago

I took a quick look at the CMMC website. There is a spreadsheet that appears to break CMMC requirements and processes down by security control family.

For instance, C001 is linked to the Level 1 process AC-1.001. AC-1.001 references RMF controls AC-2, AC-3, AC-17 (as well as several other relationships like FAR, NIST 800-17, CIS Controls, etc).

I'd like to get some details on how you'd like the Cyber.Trackr to work with and present this data.

What I'm thinking of off hand is:

CyberTrackr -> NIST 800-53 RMF Page

Each control has a 'References' tab. On this tab, I will add the CMMC link (AC-2, AC-3, AC-17 will show references to AC-1.001). I will also add a link to CMMC Capability C001. There is also an RMF Export in PDF format that lists details and relationships for all RMF controls. I can add verbiage for linked CMMC processes in here as well.

Each RMF control is also linked to other CCI items and Assessment Procedures. By extrapolation, we can assume the linked CCI/AP items are also linked to the CMMC processes. For instance, since AC-1.001 is linked to AC-2, it would also be linked to the 79 individual AC-2 'type' CCI items (e.g. CCI-000007, CCI-000009, CCI-000013, etc). These AP and CCI linkages are the key we can use to get into the STIG/SCAP requirements.

CyberTrackr -> STIGs Page

The 'Benchmark - CCI - Control Crosswalk' is an Excel spreadsheet that shows the intersection between STIGs, CCIs, RMF Controls and DIACAP Controls. For instance, you can select the Windows 10 STIG to see all the CCIs present in that STIG. You can also select a STIG to see the applicable RMF Security Controls. Alternatively, you can select a specific security control and see the related STIGs, or the related CCIs, or the related DIACAP controls.

I can update this spreadsheet to also include applicable CMMC capabilities and processes.

Within each STIG, the individual requirements are also displayed with each crosslinked CCI, Assessment Procedure, etc. I can add a section here for the CMMC relationships.

CyberTrackr -> CCI Page

This page lists all the CCI items currently monitored, along with links to specific RMF controls, Assessment Procedures and DIACAP controls. I can add CMMC columns to this table to show the above mentioned relationships. I can also update the Crosslink dump on this page to include this information.

Finally, I can make a new CMMC page that shows all the above information, but from the CMMC perspective.

Please let me know what you think. I try to get a new deployment on the Cyber Trackr released at least once a quarter. I can add the above to the queue for the next release, just let me know if the above makes sense or if there are other data sets you'd like to see added as well.

CyberSecDef commented 4 years ago

Robert, that should work, but I wrote up the below notes to try to validate.

  1. I am a level one system (so only practices/assessment procedures marked XX.1.### are applicable); could I filter the CMMC Page to show all applicable CCIs? I can't seem to search by wildcard on other pages.

     RFW: If you go to the RMF page, you will see options for C, I, A (Confidentiality, Integrity, Availability). For those columns, if you insert an 'X' in the filter block, only RMF controls that are specific to that security objective will show up. When I design the CMMC page, I will add a similar set of filters for each level. That way if you are only concerned with, say, Level 3, you enter an X in that column and the table will update.

  2. Could I then download/export this list with the mapped CCI numbers, knowing that more than one CCI may go to a CMMC practice/assessment procedure?

     RFW: I will likely pregenerate the Excel file (including linked controls and CCI Numbers). This Excel file will let you filter by level and/or specific items. The auto-filtering should accomplish what you are seeking.

  3. If you add practice/assessment procedure numbers to the Excel benchmark/CCI crosswalk then I can download it and filter to applicable STIGs and then applicable practice numbers to generate an Excel version of a STIG, which would be amazing.

     RFW: Once I find a way to automate the scraping process from the CMMC spreadsheet, this should be fairly easy.

     So long as I can do that then I think it works and has links for all intended purposes I'm aware of. Below is pretty much the same question but from level three to highlight how applicability of controls works in CMMC.

  4. I am a level three system (so only practices/assessment procedures marked XX.3.### or lower, to include XX.1.### and XX.2.###, are applicable)

For the CCI page, would you show a column reflecting practice number or capability number? I personally think practice number would be more useful, but am open to suggestions. The way you reflect AC-1 AC-1.3 for CCI-0001 would work too, but I'm trying not to overburden you and make this request smaller than larger.

RFW: Will likely do both for consistency. From a programmatic standpoint, adding both won't take but a few minutes longer.

If you throw a filter on top of the CMMC page similar to the RMF page that lets me click level 1, 2, 3, 4, 5 that would make defining applicable CMMCs much quicker and take out any need for wildcard searching I can think of.

RFW: Yup. That's the plan.

-Rob
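The two comments above describe one data model: a CMMC practice links to NIST 800-53 controls, each control links to CCIs, each CCI appears in STIG requirements, and a system at level N must meet every practice at level N or below. The following is an added example, not code from the Cyber.Trackr project, that walks that chain and applies the level filter. Only the AC-1.001 to AC-2/AC-3/AC-17 link, the CCI-000007/-000009/-000013 items under AC-2 and the "Windows 10 STIG" name come from the thread; every other practice, CCI, control and rule id in the tables is constructed for illustration, and the XX-L.NNN id shape (level digit after the family) is assumed from the ids quoted in the issue.

```python
import re
from collections import defaultdict

# Constructed crosswalk tables standing in for Cyber.Trackr's data. The
# AC-1.001 -> AC-2/AC-3/AC-17 link and the CCI-000007/-000009/-000013 items
# under AC-2 come from the issue text; every other row is made up here.
CMMC_TO_RMF = {
    "AC-1.001": ["AC-2", "AC-3", "AC-17"],
    "AC-1.002": ["AC-3"],          # constructed
    "AC-2.007": ["AC-6"],          # constructed
    "AC-3.017": ["AC-5"],          # constructed
}

RMF_TO_CCI = {
    "AC-2": ["CCI-000007", "CCI-000009", "CCI-000013"],
    "AC-3": ["CCI-000213"],        # constructed
    "AC-17": ["CCI-000063"],       # constructed
    "AC-6": ["CCI-002220"],        # constructed
    "AC-5": ["CCI-000036"],        # constructed
}

# CCI -> (STIG, rule id). The rule ids are placeholders, not real STIG identifiers.
CCI_TO_STIG = {
    "CCI-000213": [("Windows 10 STIG", "RULE-PLACEHOLDER-A")],
    "CCI-002220": [("Windows 10 STIG", "RULE-PLACEHOLDER-B")],
    "CCI-000036": [("Windows 10 STIG", "RULE-PLACEHOLDER-C")],
}

# Assumed id shape XX-L.NNN (e.g. AC-1.001): the digit after the family is the level.
PRACTICE_RE = re.compile(r"^([A-Z]{2})-([1-5])\.(\d{3})$")


def practice_level(practice_id):
    """Return the CMMC level encoded in a practice id such as 'AC-1.001'."""
    m = PRACTICE_RE.match(practice_id)
    if m is None:
        raise ValueError(f"unrecognised CMMC practice id: {practice_id!r}")
    return int(m.group(2))


def applicable_practices(level):
    """Practices a system at `level` must meet: its own level and every level below it."""
    return sorted(p for p in CMMC_TO_RMF if practice_level(p) <= level)


def practice_to_ccis(practice_id):
    """Transitive hop CMMC practice -> RMF controls -> CCIs (the 'extrapolation' in the issue)."""
    ccis = set()
    for control in CMMC_TO_RMF.get(practice_id, []):
        ccis.update(RMF_TO_CCI.get(control, []))
    return sorted(ccis)


def cci_to_practices():
    """Reverse index CCI -> practices, i.e. the CMMC column proposed for the CCI page."""
    index = defaultdict(set)
    for practice_id, controls in CMMC_TO_RMF.items():
        for control in controls:
            for cci in RMF_TO_CCI.get(control, []):
                index[cci].add(practice_id)
    return {cci: sorted(practices) for cci, practices in index.items()}


def stig_rows_for_level(stig_name, level):
    """Rows (rule id, CCI, practices) of one STIG, kept only where a practice applies at `level`."""
    reverse = cci_to_practices()
    rows = []
    for cci, targets in CCI_TO_STIG.items():
        for stig, rule_id in targets:
            if stig != stig_name:
                continue
            practices = [p for p in reverse.get(cci, []) if practice_level(p) <= level]
            if practices:
                rows.append((rule_id, cci, practices))
    return sorted(rows)


if __name__ == "__main__":
    for level in (1, 3):
        print(f"Level {level} practices: {applicable_practices(level)}")
        for rule_id, cci, practices in stig_rows_for_level("Windows 10 STIG", level):
            print(f"  {rule_id} {cci} <- {practices}")
```

With the constructed tables, a level 1 view of the Windows 10 STIG keeps only the rule behind CCI-000213 (reached from the two level 1 practices), while level 3 keeps all three rules; that is the "or lower" rule from the fourth note expressed as a filter rather than a wildcard search.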