Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

The Roadmap to Level 3 In CMMC Compliance

When the Department of Defense (DOD) and its governmental partners announced the Cybersecurity Maturity Model Certificate (CMMC) standard in 2019, and published its first overview in January, 2020, organizations that did or wanted to do business with the DOD scrambled to figure out what it meant for them.

Now that this framework has had a chance to settle in, companies are beginning to put their action plans into place, and are thinking about how to step up their response maturity levels from Level 1, which is “Basic Cyber Hygiene,” to level 5, which is called “Advanced/Progressive.”


While the basic steps to get started were covered in a previous blog post, we also wanted to focus on organizations that have determined they need access to, or will generate, Controlled Unclassified Information (CUI), which requires a level 3 “Good Cyber Hygiene” certification.

To find out how to put a roadmap to level 3 in place, we talked with Mona Ghadiri, Senior Product Manager at Trustwave.

Q.   Please give us a brief overview of what CMMC is and how it’s impacted organizations.

Mona:   The CMMC program came out of another government program called DFARS, which is part of a regulation for NIST called 800.171, and they are all focused on cybersecurity maturity frameworks and implementation. The goal is to ensure your perimeter, your endpoints, your cloud and your network configurations are all documented and that there are incident response procedures, there is continual monitoring, and ideally there is proactive threat hunting.

Q.   What should organizations know about the different levels of certification?

Mona:    Anyone who has the government as a customer has to abide by these programs, or else they will have trouble responding to RFP’s. So, don’t just think about the documentation for phase 1 that gets you the bare minimum, because your competitors will view this as a competitive advantage. You should be aiming for at least level 3. And it’s important for organizations to know that this requires an upfront investment but, because the government wants us protected, it will provide funding in the awards to cover those investments.

Q.   Focusing on level 3 and higher, what advice do you have for organizations that are ready to put an action plan in place?

Mona:    At this level you would be talking about Security Operations Center (SOC) and SOC monitoring, so it’s important to realize that they are not all the same. For customers who are out there shopping, simply going for the cheapest option might not get them the support they need in building the necessary program and running the needed incident response plan.

Think about the overall integrity of what you need to execute. Don’t just look to check boxes – because it might come back to bite you. If you buy a SOC service, and it doesn’t have 24/7 monitoring, rethink your choice. Sharing the burden in off hours or weekends between different teams introduces a lot of complexity, and you could be introducing a single point of failure or hand-off issue between your security spheres. A comprehensive 24/7/365 service with integrated threat detection and response can provide a quicker route to coverage than trying to outsource the people doing the work.  

Q. How can organizations turn CMMC into a competitive advantage?

Mona:   The government will be using these standards to separate the wheat from the chaff. Folks notice who are meeting the most stringent requirements—who’s putting the most skin in the game are those demonstrating that they are partners in helping solve threats against national security.

Implementing services like SOC aren’t an overnight process. The first RFPS to include these requirements will begin in November 2020, and you’ll only have 3-6 months after a contract is awarded to get your services set up. Just remember that there’s a longer lead time than you might expect, so the folks that are planning properly for implementation right now will probably reap the biggest rewards. 

Q.   What kind of services could make the process easier—and possibly more cost-effective?

Mona:    From a cost-effective point-of-view regarding SOC monitoring, what really matters is what sources are being ingested, and whether you have tools that can provide the actionable alerts. That’s how you get the highest value for your budget.

With my clients, I advise them to focus more on endpoint detection and response and security incident event management (SIEM) tools, because those are going to give you much better and more actionable intelligence.

One way to think of approaching a low-cost threat detection response program that meets the requirements of CMMC would be to focus on collecting end point, network and cloud logs, but only the logs that are security relevant. Then focus on what to do with the information, once it’s collected. Automation can help reduce detect to response time, but there’s a fine line between too much automation and not enough. When you hear people talk about fully automated threat detection… slowly back out of the room. You can’t get away with automated threat detection and still be CMMC compliant.

Find out how Managed Threat Detection and Response services from Trustwave can help your business on their CMMC journey.

Latest Trustwave Blogs

Trustwave Named in 2024 Gartner® Market Guide for Managed Detection and Response (MDR)

For the second consecutive year, Trustwave has been named a Representative Vendor in the 2024 Gartner® Market Guide for Managed Detection and Response.

Read More

6 Steps on How to Respond to a Data Breach Before it Ruins Your Business

Too many consumers have awoken one morning to find messages from a retailer or their bank detailing purchases made through their account of which they were unaware. While the realization that they...

Read More

Understanding the Impact of AI on Data Privacy

The world is just beginning to understand how the intersection of artificial intelligence (AI) and data privacy will impact organizations, their employees, and those who use their services. As of...

Read More