CMMC Compliance: Automated Threat Detection

CMMC (Cybersecurity Maturity Model Certification) is a framework to ensure that controlled unclassified information (CUI) is protected by appropriate levels of cybersecurity practices and processes while it resides on federal contractors’ networks. CMMC applies to any federal contractor, including over 300,000 companies in the supply chain – such as small businesses, commercial item contractors and foreign suppliers.

The Department of Defense intends to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contracts, according to the Office of the Under Secretary of Defense for Acquisition & Sustainment. While CMMC encompasses the NIST SP 800-171 requirements, it also extends beyond them to define five different levels of compliance.

How Blumira Can Help

Blumira’s modern security platform helps your organization easily meet and exceed CMMC framework requirements for logging, monitoring, threat detection and response. At a high level, we either support or complement a variety of CMMC controls across Levels 1-5, covering the following main capabilities: C001-C004; C007-C010; C013-C021; C029-C032; C035; C037-C042.

Below is a full detailed list of the different capabilities (C) and controls that align with them, and how Blumira meets the control or can help you meet them.


C001 – Establish system access requirements
Level 1
AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

How Blumira Helps:
Blumira allows you to enable role-based administration to limit access to its platform. Blumira can also detect, alert and provide remediation steps if it identifies any unauthorized, suspicious or anomalous login activity to your systems.


C002 – Control internal system access
Level 1
AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Level 2
AC.2.007 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC.2.008 – Use non-privileged accounts or roles when accessing non-security functions.
AC.2.009 – Limit unsuccessful log-on attempts.
AC.2.013 – Monitor and control remote access sessions.

Level 3
AC.3.017 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.3.018 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

How Blumira Helps:
Blumira provides role-based administration to limit access for your users to its platform. Blumira’s platform also allows you to monitor/alert you on privileged access use; monitor/alert you based on the number of login attempts to detect attacks such as password spraying; and monitor/alert you to remote access risks, including detection for risky public connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB).

Blumira’s role-based administration and separation of log data within the cloud-delivered service helps reduce the risk of malevolent activity without collusion. Blumira’s service allows you to monitor, alert and respond to non-privileged users executing privileged functions.
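The AC.2.009 monitoring described above, as an added example that is not Blumira’s code: a small detector over constructed Windows Security event records (4625 = failed logon, 4624 = successful logon) that alerts when one account exceeds a failed-attempt threshold and when one source fails against many distinct accounts inside a time window, the password-spraying pattern. The thresholds and log format are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PER_ACCOUNT_LIMIT = 5     # failed attempts for one account inside WINDOW (lockout-style rule)
SPRAY_ACCOUNT_LIMIT = 4   # distinct accounts one source may fail against inside WINDOW

# Constructed sample: 4625/4624 records in JSON-lines form, as a collector might forward them.
SAMPLE_LOGS = """\
{"ts": "2024-03-01T09:00:01Z", "event_id": 4625, "user": "alice", "src_ip": "10.0.5.21"}
{"ts": "2024-03-01T09:00:30Z", "event_id": 4625, "user": "alice", "src_ip": "10.0.5.21"}
{"ts": "2024-03-01T09:01:00Z", "event_id": 4624, "user": "alice", "src_ip": "10.0.5.21"}
{"ts": "2024-03-01T09:05:00Z", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.9"}
{"ts": "2024-03-01T09:05:02Z", "event_id": 4625, "user": "carol", "src_ip": "203.0.113.9"}
{"ts": "2024-03-01T09:05:04Z", "event_id": 4625, "user": "dave", "src_ip": "203.0.113.9"}
{"ts": "2024-03-01T09:05:06Z", "event_id": 4625, "user": "erin", "src_ip": "203.0.113.9"}
{"ts": "2024-03-01T09:10:00Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.7.3"}
{"ts": "2024-03-01T09:10:10Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.7.3"}
{"ts": "2024-03-01T09:10:20Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.7.3"}
{"ts": "2024-03-01T09:10:30Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.7.3"}
{"ts": "2024-03-01T09:10:40Z", "event_id": 4625, "user": "svc_backup", "src_ip": "10.0.7.3"}
"""

def parse_failed_logons(text):
    """Keep only failed-logon (4625) records, with parsed timestamps, in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_id") != 4625:
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def _trim(window, now):
    """Drop (ts, value) entries that fell out of the sliding WINDOW."""
    while window and now - window[0][0] > WINDOW:
        window.pop(0)

def detect(events):
    """Return alerts: one per account that reaches PER_ACCOUNT_LIMIT failures and
    one per source that fails against SPRAY_ACCOUNT_LIMIT distinct accounts."""
    alerts, fired = [], set()
    by_user = defaultdict(list)   # user -> [(ts, src_ip)]
    by_src = defaultdict(list)    # src_ip -> [(ts, user)]
    for e in events:
        user, src, ts = e["user"], e["src_ip"], e["ts"]
        by_user[user].append((ts, src))
        _trim(by_user[user], ts)
        by_src[src].append((ts, user))
        _trim(by_src[src], ts)
        if len(by_user[user]) >= PER_ACCOUNT_LIMIT and ("brute_force", user) not in fired:
            fired.add(("brute_force", user))
            alerts.append({"type": "brute_force", "user": user, "src_ip": src})
        distinct = {u for _, u in by_src[src]}
        if len(distinct) >= SPRAY_ACCOUNT_LIMIT and ("password_spray", src) not in fired:
            fired.add(("password_spray", src))
            alerts.append({"type": "password_spray", "src_ip": src, "accounts": sorted(distinct)})
    return alerts

def run(text=SAMPLE_LOGS):
    return detect(parse_failed_logons(text))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Alice’s two failures followed by a success stay below both thresholds and produce no alert; the spray source trips the distinct-account rule on its fourth account even though no single account exceeds one failure.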


C003 – Control remote system access
Level 3
AC.3.014 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.3.021 – Authorize remote execution of privileged commands and remote access to security-relevant information.

Level 4
AC.4.032 – Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.

How Blumira Helps:
Blumira can help by monitoring and alerting organizations to remote access, including detection of any risky connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB). Blumira’s service also helps monitor remote execution of privileged commands within your environment. With dynamic blocklists, organizations can prevent known detected threats from gaining access by blocking them. They can also monitor for geo-impossible login alerts during two-factor authentication.


C004 – Limit data access to authorized users and processes
Level 1
AC.1.003 – Verify and control/limit connections to and use of external information systems.

How Blumira Helps:
Blumira provides role-based administration to limit access to its platform.


C006 – Manage asset inventory
Level 4
AM.4.226 – Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

How Blumira Helps:
With Blumira’s reporting functionality, you can gain greater visibility into your systems with specific component attributes.


C007 – Define audit requirements
Level 2
AU.2.041 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU.2.042 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Level 3
AU.3.045 – Review and update logged events.
AU.3.046 – Alert in the event of an audit logging process failure.

How Blumira Helps:
Blumira’s centralized logging gives you the ability to track user activity, allowing you to trace their actions uniquely back to certain users to hold them accountable for their actions. Blumira’s cloud SIEM retains logs for at least a year for auditing purposes.

Blumira’s search and reporting functionality gives you deeper visibility into audit logs for review. Blumira’s platform also reports on operational changes or disruptions, including the status of Blumira’s logging sensor and diagnostics for logflow to alert you in the event of an audit logging process failure.


C008 – Perform auditing
Level 2
AU.2.043 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.

Level 3
AU.3.048 – Collect audit information (e.g., logs) into one or more central repositories.

Level 5
AU.5.055 – Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.

How Blumira Helps:
Blumira’s cloud SIEM service provides a centralized repository for all logs and audit information, and can identify when a system stops logging or sending logs to Blumira’s service, then notifies the organization. All log data is stamped from an authoritative source – Blumira attaches its own time of parse to every log entry and aligns it to the correct UTC time provided by Google Cloud Platform NTP (network time protocol) servers.
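The two C008 mechanisms above, timestamping every entry from one authoritative clock (AU.2.043) and spotting assets that have gone quiet (AU.5.055), as an added example that is not Blumira’s code: each raw record is normalized to UTC and stamped with the collector’s own parse time, then every expected asset whose newest event is older than an assumed reporting interval, or that never reported at all, is listed. The records, hosts, fixed “now” and 15-minute interval are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Organizationally defined (assumed here): every in-scope asset must log at least this often.
EXPECTED_INTERVAL = timedelta(minutes=15)

# Constructed inputs: a fixed "now" and raw records whose timestamps arrive in
# different ISO 8601 forms and UTC offsets, as mixed log sources typically do.
NOW_UTC = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
RAW_RECORDS = [
    {"host": "dc01", "ts": "2024-03-01T08:58:00+00:00", "msg": "logon audit ok"},
    {"host": "fw01", "ts": "2024-03-01T03:59:30-05:00", "msg": "policy hit"},      # 08:59:30Z
    {"host": "fs02", "ts": "2024-03-01T07:40:00Z",      "msg": "share access"},    # 80 min old
    {"host": "fs02", "ts": "2024-03-01 07:10:00",       "msg": "naive timestamp"}, # no offset sent
]
EXPECTED_ASSETS = {"dc01", "fw01", "fs02", "vpn01"}   # vpn01 has sent nothing at all

def normalize(rec, parsed_at_utc):
    """Convert the asset's own timestamp to UTC and stamp the record with the collector's
    parse time, so every entry carries a time from one authoritative clock (AU.2.043)."""
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    tz_assumed = ts.tzinfo is None
    if tz_assumed:
        # The asset sent no offset: treat it as UTC but record that assumption for auditors.
        ts = ts.replace(tzinfo=timezone.utc)
    return {
        **rec,
        "event_time_utc": ts.astimezone(timezone.utc),
        "parsed_at_utc": parsed_at_utc,
        "tz_assumed": tz_assumed,
    }

def silent_assets(records, expected, now_utc):
    """Return {host: last_event_iso_or_None} for expected assets whose newest event is
    older than EXPECTED_INTERVAL, or that never reported (AU.5.055)."""
    last_seen = {}
    for r in records:
        t = r["event_time_utc"]
        if r["host"] not in last_seen or t > last_seen[r["host"]]:
            last_seen[r["host"]] = t
    silent = {}
    for host in sorted(expected):
        t = last_seen.get(host)
        if t is None:
            silent[host] = None                       # never reported
        elif now_utc - t > EXPECTED_INTERVAL:
            silent[host] = t.isoformat()              # reported, but stale
    return silent

def run(raw=RAW_RECORDS, expected=EXPECTED_ASSETS, now_utc=NOW_UTC):
    records = [normalize(r, now_utc) for r in raw]
    return silent_assets(records, expected, now_utc)

if __name__ == "__main__":
    for host, last in run().items():
        print(f"{host}: {'never reported' if last is None else 'last event ' + last}")
```

Comparing against the collector’s clock rather than the asset’s own keeps a host with a skewed or offset-less clock from hiding a logging outage.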


C009 – Identify and protect audit information
Level 3
AU.3.049 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU.3.050 – Limit management of audit logging functionality to a subset of privileged users.

How Blumira Helps:
Blumira’s cloud SIEM service separates logging and audit tools from customers’ production environments to prevent unauthorized access, modification and deletion. Blumira’s platform limits the management of audit logging functionality to only a subset of privileged users with role-based administration.


C010 – Review and manage audit logs
Level 2
AU.2.044 – Review audit logs.

Level 3
AU.3.051 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
AU.3.052 – Provide audit record reduction and report generation to support on-demand analysis and reporting.

Level 4
AU.4.053 – Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
AU.4.054 – Review audit information for broad activity in addition to per-machine activity.

How Blumira Helps:
Blumira’s search and reporting functionality provides deeper visibility into audit logs. Blumira’s platform correlates audit records to indications of suspicious activity and unauthorized access, then provides data and prioritized alerts to the organization. Blumira’s pre-built reports provide the ability to support on-demand analysis and reporting.

Blumira’s threat detection library allows for the automation of audit log analysis to help identify and act on indicators of threats and suspicious activity. Blumira’s reporting provides visibility to enable organizations to perform audits on broad activity, in addition to per-machine activity.


C013 – Establish configuration baselines
Level 2
CM.2.061 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
CM.2.062 – Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

How Blumira Helps:
With Blumira’s logging capabilities and wide coverage of integrations, organizations can inventory their security systems. Blumira provides role-based administration for its own platform, and monitors other systems for the creation of new privileged accounts, or changes and escalations in existing account privileges to alert organizations to potentially malicious internal activity.


C014 – Perform configuration and change management
Level 2
CM.2.064 – Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.2.065 – Track, review, approve, or disapprove, and log changes to organizational systems.

Level 3
CM.3.068 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

How Blumira Helps:
Blumira’s platform monitors and identifies any risky access to an organization’s networks, such as through public Remote Desktop Protocol (RDP) and Server Message Block (SMB) access. Blumira tracks and logs any changes to organizational systems, while monitoring and alerting organizations to the use of insecure ports.


C015 – Grant access to authenticated entities
Level 1
IA.1.076 – Identify information system users, processes acting on behalf of users, or devices.

How Blumira Helps:
Blumira’s service collects audit logs that can be used to identify information system users or processes acting on behalf of users or devices.


C016 – Plan incident response
Level 2
IR.2.092 – Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Level 4
IR.4.100 – Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.

How Blumira Helps:
With Blumira’s pre-built playbooks, organizations can achieve operational incident-handling capabilities for organizational systems including preparation, detection, analysis, containment, recovery, and user response activities. Blumira’s playbooks provide pre-defined procedures for security incidents to make response and remediation automated and easy.


C017 – Detect and report events
Level 2
IR.2.093 – Detect and report events.
IR.2.094 – Analyze and triage events to support event resolution and incident declaration.

How Blumira Helps:
Blumira’s platform provides automated threat detection and reporting capabilities, with threat analysis, pre-built detection rules, prioritized alerts and security playbooks for automated threat response to help customers resolve events and incidents.


C018 – Develop and implement a response to a declared incident
Level 2
IR.2.096 – Develop and implement responses to declared incidents according to pre-defined procedures.

Level 3
IR.3.098 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Level 4
IR.4.101 – Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

Level 5
IR.5.106 – In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
IR.5.102 – Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
IR.5.108 – Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.

How Blumira Helps:
Blumira provides pre-built playbooks that outline predefined procedures for security incident response. Blumira’s detection workflows provide tracking, documentation and reporting that can be shared with designated authorities.

Blumira’s platform provides automated monitoring with 24/7 detection capabilities to enable real-time responses to anomalous activity, and it also centralizes customer access to security logging and reporting. Blumira’s responsive security analyst team is available to customers to help with questions about incidents and further investigation.


C019 – Perform post incident reviews
Level 2
IR.2.097 – Perform root cause analysis on incidents to determine underlying causes.

How Blumira Helps:
Blumira’s search and reporting functionality allows for deeper root-cause analysis on security incidents, as well as stacked matched evidence (gathering relevant information across different security tools) available in findings/detections.


C020 – Test incident response
Level 3
IR.3.099 – Test the organizational incident response capability.

How Blumira Helps:
Blumira has created guides on how to easily test a SIEM’s detections for common incidents, like password spraying, lateral movement, malicious code execution, privilege escalation and more. Blumira has also tested customer deployments to ensure that organizations are able to detect and respond to incidents.


C021 – Manage maintenance
Level 2
MA.2.111 – Perform maintenance on organizational systems.
MA.2.112 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
MA.2.113 – Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

How Blumira Helps:
Blumira’s cloud-delivered service is automatically and frequently updated for customers with maintenance for parsers, new detection rules and more. With role-based administration, Blumira can help limit permissions for users that access its platform. Blumira also requires multi-factor authentication (MFA) for access to its cloud application.


C029 – Manage backups
Level 2
RE.2.137 – Regularly perform and test data backups.

Level 3
RE.3.139 – Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.

How Blumira Helps:
Blumira’s service regularly performs and tests Blumira logging backups, while it also performs complete, comprehensive and resilient backups.


C030 – Manage information security continuity
Level 5
RE.5.140 – Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.

How Blumira Helps:
Blumira’s platform provides monitoring and alerts on common system misconfigurations to help organizations gain visibility into their security posture. It also provides alerts on any operational changes, including failovers and disruptions in system operations.


C031 – Identify and evaluate risk
Level 2
RM.2.141 – Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
RM.2.142 – Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Level 3
RM.3.144 – Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

Level 4
RM.4.149 – Catalog and periodically update threat profiles and adversary TTPs.
RM.4.150 – Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
RM.4.151 – Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.

How Blumira Helps:
Organizations can periodically assess risk to their operations and data with the help of Blumira’s search and reporting functionality, which can generate reports on security and compliance and identify potential gaps. Blumira is a software-as-a-service (SaaS) platform that monitors itself for vulnerabilities.

Blumira’s platform employs threat intelligence to provide guidance to organizations on their system and security architecture. It can also detect access using insecure ports via RDP, SMB and others.


C032 – Manage risk
Level 2
RM.2.143 – Remediate vulnerabilities in accordance with risk assessments.

Level 5
RM.5.155 – Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.

How Blumira Helps:
As a SaaS platform, Blumira can help organizations remediate vulnerabilities in near real-time when they are identified. To enable organizations to test the effectiveness of security solutions, Blumira has created guides on how to easily test a SIEM’s detections for common incidents, like password spraying, lateral movement, malicious code execution, privilege escalation and more.


C035 – Define and manage controls
Level 2
CA.2.158 – Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Level 3
CA.3.161 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

How Blumira Helps:
Blumira can help organizations assess the effectiveness of controls by monitoring and alerting them to any misconfigurations of their existing security controls, as well as providing ongoing monitoring to help ensure continued effectiveness.


C037 – Implement threat monitoring
Level 3
SA.3.169 – Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

Level 4
SA.4.171 – Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
SA.4.173 – Design network and system security capabilities to leverage, integrate, and share indicators of compromise.

How Blumira Helps:
Blumira’s integrated threat intelligence feeds allow for threat detection and response based on information sharing. To help organizations establish a cyber threat hunting capability, Blumira’s platform provides automated threat detection and response, with detection rules written by Blumira’s internal security analyst team, based on a proactive threat hunting playbook.

Blumira also leverages threat intelligence to inform its threat detection and response capabilities, with community-based sharing that allows organizations to opt into sharing and automatically blocking malicious sources with other customers within Blumira’s ecosystem – learn more in Community Blocking.


C038 – Define security requirements for systems and communications
Level 3
SC.3.181 – Separate user functionality from system management functionality.
SC.3.182 – Prevent unauthorized and unintended information transfer via shared system resources.

Level 5
SC.5.198 – Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizationally defined boundaries.
SC.5.230 – Enforce port and protocol compliance.

How Blumira Helps:
Blumira’s cloud platform separates data from its production systems, and supports role-based administration to limit user access. Blumira’s platform can detect data exfiltration to help organizations identify and prevent unauthorized and unintended information transfer.

Blumira also logs and monitors internet and organizationally defined boundaries, while detecting and alerting on insecure port usage via RDP, SMB, etc. to help organizations with port and protocol security and compliance.


C039 – Control communications at system boundaries
Level 4
SC.4.199 – Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.

Level 5
SC.5.208 – Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.

How Blumira Helps:
As part of automated threat response, Blumira’s platform provides URL blocklists to help organizations proactively block DNS requests from reaching malicious domains. Blumira’s dynamic blocklists can be enabled to help block malicious source IPs and domains on organizations’ firewalls.


C040 – Identify and manage information system flaws
Level 1
SI.1.210 – Identify, report, and correct information and information system flaws in a timely manner.

Level 2
SI.2.214 – Monitor system security alerts and advisories and take action in response.

Level 4
SI.4.221 – Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.

How Blumira Helps:
To help organizations identify, report and correct information system flaws in a timely manner, Blumira’s search and reporting functionality gives them the ability to investigate potential security issues in real time. Blumira’s platform monitors security systems, providing prioritized alerts with predefined security playbooks that help guide customers through response.

Blumira’s platform also subscribes to multiple threat feeds to inform and enrich domain data on an ongoing basis to help inform intrusion detection and threat hunting.


C041 – Identify malicious content
Level 5
SI.5.222 – Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
SI.5.223 – Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.

How Blumira Helps:
Depending on the customer’s specific endpoint security stack, Blumira can help by integrating with those systems to stream and monitor the security events and logs they send to Blumira’s platform. Blumira’s platform monitors individuals and system components on an ongoing basis for anomalous or suspicious behavior, then alerts organizations in real time so they can respond.


C042 – Perform network and system monitoring
Level 2
SI.2.216 – Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
SI.2.217 – Identify unauthorized use of organizational systems.

How Blumira Helps:
With Blumira’s automated detection and response capabilities, organizations can monitor their systems, inbound and outbound traffic, and detect attacks and indicators of potential attacks. Blumira can also help detect and alert on unauthorized access and use of organizational systems.