Graylog Security in Action | Watch the Video Now

Log Management for CMMC

The Cybersecurity Maturity Model Certification (CMMC) seeks to help secure the Defense Industrial Base (DIB) supply chain by requiring contractors and subcontractors to standardize their security controls. With CMMC 2.0, the Office of the Under Secretary of the Defense Acquisition and Sustainment (OUSD(A&S)) designated National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as the foundation of the framework.

Any company that needs to meet CMMC 2.0 Level 2 compliance must meet all the controls listed in SP 800-171 to bid on a Department of Defense (DoD) contract. As organizations prepare themselves for the incoming compliance storm, understanding centralized log management’s value to meet and maintain CMMC 2.0 and NIST 800-171 compliance is more critical than ever. 

What is CMMC 2.0?

CMMC 2.0 is a maturity model setting out a series of “levels” that connect to best practices for protecting data. As a maturity model, CMMC  2.0 focuses on moving from Level 1’s Basic Cyber Hygiene requirements and adding additional controls at each level. 

Additionally, CMMC 2.0 focuses on the data that an organization collects, not the number of employees or revenue. Only two types of government data matter: 

  • Federal Contract Information (FCI): information provided by or generated for the Government under a contract to develop a product or service that is not intended for public release
  • Controlled Unclassified Information (CUI): government created or owned information that has laws, regulations, or government-wide policies requiring safeguarding or dissemination

Any organization that has FCI must meet the Level 1 Basic Cyber Hygiene requirements. Any organization that has CUI must meet Level 2 compliance or above. 

How Does NIST 800-171 fit into the CMMC 2.0 puzzle?

CMMC 2.0 requires that any organization collecting, storing, processing, or sharing CUI needs to implement all 110 NIST 800-171 controls. NIST 800-171 consists of 14 control families, including:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security 
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

To go one step deeper into the CMMC/NIST quicksand, NIST 800-171 refers to NIST 800-53. 800-53 goes into more detail than 800-171, specifying controls and discussing best practices. 

Centralized Log Management: The Missing Piece of the CMMC 2.0 Puzzle

Compliance teams are on the never-ending quest to provide audit documentation for assurance purposes. From a compliance standpoint, event log data is an underappreciated hero. However, this is a bit of a “good news/bad news” scenario for compliance. The good news is that NIST 800-171 references “event logging” several times. The bad news is that complex IT infrastructures generate massive amounts of event log data, often providing information in different formats. 

Where does NIST 800-171 mention event logging?

 

NIST 800-171 Section NIST 800-171 Text Mapped to NIST 800-53
Access Control
Derived Security Requirements
3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
  • AC-6(9) Least Privilege Log Use of Privileged Functions
  • AC-6(10) Least Privilege Prohibit Non-Privileged Users from Executing Privileged Functions
Basic Security Requirements
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
  • AU-2 Event Logging
  • AU-3 Content of Audit Records
  • AU-3(1) Content of Audit Records Additional Audit Information
  • AU-6 Audit Record Review, Analysis, and Reporting
  • AU-11 Audit Record Retention
  • AU-12 Audit Record Generation
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. See above
Derived Security Requirements
3.3.3 Review and update logged events. AU-2(3) Event Logging Review and Updates
3.3.4 Alert in the event of an audit logging process failure. AU-5 Response to Audit Logging Process Failures
3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. AU-6(3) Audit Record Review, Analysis, and Reporting Correlate Audit Record Repositories
3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting. AU-7 Audit Record Reduction and Report Generation
3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
  • AU-8 Time Stamps
  • AU-8(1) Time Stamps Synchronization with Authoritative Time Source
3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. AU-9 Protection of Audit Information
3.3.9 Limit management of audit logging functionality to a subset of privileged users. AU-9(4) Protection of Audit InformationAccess by Subset of Privileged Users

 

Complete the CMMC 2.0 Puzzle with Centralized Log Management

Event logs act as the foundation of any compliance program, but they are the final piece to proving CMMC 2.0 compliance. Centralized log management solutions enable organizations to collect the data they need to prove governance over their cybersecurity posture. 

Compliance teams often struggle trying to aggregate and correlate data into meaningful reports:

  • Too many locations: Using vendor-supplied solutions makes gathering and aggregating audit data a nightmare as they export data from each location. 
  • Too many formats: System, application, and device event logs often use different formatting, making it difficult to correlate data.
  • Too complex for reporting: The compliance team needs to create reports manually and supply them to audit teams.

Centralized log management solutions solve all of these problems:

  • Reduced operational costs with a single source of information: They bring all event log data together in a single location so that the compliance team can find all the information. 
  • Enhanced data correlation: They standardize event log data so that compliance teams can rapidly correlate the large volumes of data to find patterns or answer audit requests. 
  • Streamlined reporting: They enable compliance teams to build reports that can give auditors at-a-glance visibility into the company’s compliance posture without spending hours working in a spreadsheet.

Graylog: Centralized Log Management for Proving Governance

Graylog’s centralized log management solution enables customers to document their compliance activities. With our centralized log management solution, compliance teams can collaborate, sharing and saving data in a single source of documentation. This reduces the operational costs associated with audits. Our Graylog Extended Log Format (GELF) standardizes event log information. This solves divergent log formats’ problems, making it easier for compliance teams to find patterns and reduce the human error risk that can lead to audit findings.

To protect logs, Graylog’s solution syncs with an organization’s authoritative identity source, such as Active Directory or LDAP, ensuring appropriate rights and permissions. Additionally, we use encryption to protect log data, recognizing that it often contains sensitive information. 

With our Enterprise solution, compliance departments can create Teams. This functionality allows them to create and share dashboards. Using dashboards, the compliance team can create data searches that aggregate the information they need to collect to prove compliance. Within the dashboard, they can create charts and graphs, making review easier for the auditors. 

Organizations that need to meet CMMC 2.0 Level 2 and NIST 800-171 compliance can use Graylog to enhance their audit processes and reduce operational costs that documentation requests create.