The Roadmap to Level 3 In CMMC Compliance

When the Department of Defense (DoD) and its governmental partners announced the Cybersecurity Maturity Model Certification (CMMC) standard in 2019 and published its first overview in January 2020, organizations that did, or wanted to do, business with the DoD scrambled to figure out what it meant for them.

Now that this framework has had a chance to settle in, companies are beginning to put their action plans into place and are thinking about how to step up their maturity from Level 1, “Basic Cyber Hygiene,” to Level 5, “Advanced/Progressive.”

While the basic steps to get started were covered in a previous blog post, this post focuses on organizations that have determined they need access to, or will generate, Controlled Unclassified Information (CUI), which requires a Level 3 “Good Cyber Hygiene” certification.

To find out how to put a roadmap to Level 3 in place, we talked with Mona Ghadiri, Senior Product Manager at Trustwave.

Q. Please give us a brief overview of what CMMC is and how it’s impacted organizations.

Mona: The CMMC program came out of another government program called DFARS, which is part of a regulation for NIST called 800.171, and they are all focused on cybersecurity maturity frameworks and implementation. The goal is to ensure your perimeter, your endpoints, your cloud and your network configurations are all documented and that there are incident response procedures, there is continual monitoring, and ideally there is proactive threat hunting.

Q. What should organizations know about the different levels of certification?

Mona: Anyone who has the government as a customer has to abide by these programs, or else they will have trouble responding to RFPs. So, don’t just think about the documentation for phase 1 that gets you the bare minimum, because your competitors will view this as a competitive advantage. You should be aiming for at least Level 3. And it’s important for organizations to know that this requires an upfront investment but, because the government wants us protected, it will provide funding in the awards to cover those investments.

Q. Focusing on Level 3 and higher, what advice do you have for organizations that are ready to put an action plan in place?

Mona: At this level you would be talking about Security Operations Center (SOC) and SOC monitoring, so it’s important to realize that they are not all the same. For customers who are out there shopping, simply going for the cheapest option might not get them the support they need in building the necessary program and running the needed incident response plan.

Think about the overall integrity of what you need to execute. Don’t just look to check boxes, because it might come back to bite you. If you buy a SOC service and it doesn’t have 24/7 monitoring, rethink your choice. Sharing the burden in off hours or weekends between different teams introduces a lot of complexity, and you could be introducing a single point of failure or hand-off issue between your security spheres. A comprehensive 24/7/365 service with integrated threat detection and response can provide a quicker route to coverage than trying to outsource the people doing the work.

Q. How can organizations turn CMMC into a competitive advantage?

Mona: The government will be using these standards to separate the wheat from the chaff. Folks notice who is meeting the most stringent requirements; those putting the most skin in the game are the ones demonstrating that they are partners in helping solve threats against national security.

Implementing services like a SOC isn’t an overnight process. The first RFPs to include these requirements will begin in November 2020, and you’ll only have 3-6 months after a contract is awarded to get your services set up. Just remember that there’s a longer lead time than you might expect, so the folks that are planning properly for implementation right now will probably reap the biggest rewards.

Q. What kind of services could make the process easier, and possibly more cost-effective?

Mona: From a cost-effective point of view regarding SOC monitoring, what really matters is what sources are being ingested, and whether you have tools that can provide the actionable alerts. That’s how you get the highest value for your budget.

With my clients, I advise them to focus more on endpoint detection and response and security incident event management (SIEM) tools, because those are going to give you much better and more actionable intelligence.

One way to think of approaching a low-cost threat detection and response program that meets the requirements of CMMC would be to focus on collecting endpoint, network and cloud logs, but only the logs that are security relevant. Then focus on what to do with the information once it’s collected. Automation can help reduce detection-to-response time, but there’s a fine line between too much automation and not enough. When you hear people talk about fully automated threat detection… slowly back out of the room. You can’t get away with automated threat detection and still be CMMC compliant.

Find out how Managed Threat Detection and Response services from Trustwave can help your business on its CMMC journey.
