Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: IR

Level Introduced: 4

Establish and maintain a security operations center capability that facilitates a 24/7 response capability.

CMMC Clarification:
As an organization matures it should dedicate resources to provide ongoing situational awareness. A security operations center (SOC) provides awareness through the ongoing collection of logs from the organization’s various defensive capabilities on its network and endpoints. The SOC processes the logs and any associated alerts in order to quickly identify and remediate threats before more damage is caused. Thus, ongoing monitoring is key to an effective cyber posture. In addition to technology a SOC must be staffed by the appropriate personnel to ensure data is collected, analyzed, and investigated.

A SOC might be a physical facility, an organizational construct, or a managed service. Regardless of the SOC organization, it must enable a 24 hours a day, seven days a week response capability. An organization can determine how best to staff and create the response capability; 24/7 on-site staffing may not be required.

You are the senior manager responsible for the organization’s incident response. You have coordinated with a CMMC compliant third-party security services provider to include your organization in that provider’s security operation center (SOC) coverage. The third-party SOC has established direct lines of communication between the SOC and your organization’s incident response capability to effectively integrate the SOC into your organization’s cybersecurity capabilities.

Additional ReadingNIST SP 800-61 provides guidance on incident handling. NIST SP 800-86 and SP 800-101 provide guidance on integrating forensic techniques into incident response. NIST SP 800-150 provides guidance on cyber threat information sharing. NIST SP 800-184 provides guidance on cybersecurity event recovery.
Ten Strategies of a World-class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies- cyber-ops-center.pdf
SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey: https://www.sans.org/media/analyst-program/common-practices-security- operations-centers-results-2019-soc-survey-39060.pdf
DHS Cyber Resilience Review Supplemental Resource Guide Volume 5 Incident Management: https://www.us-cert.gov/sites/default/files/c3vp/crr_resources_guides /CRR_Resource_Guide-IM.pdf


Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period].

A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers); often operates 24 hours per day, seven days per week; and implements technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security737 relevant event data from multiple sources. Sources include perimeter defenses, network devices (e.g., gateways, routers, and switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a many ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such a capability.

[SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-150] provides guidance on cyber threat information sharing. [SP 800-184] provides guidance on cybersecurity event recovery.

Source: NIST Special Publication 800-172 (Draft)

Source: CMMC v1.02