Skip to content
    How Blumira Helps With

    The CMMC Framework

    The Blumira modern security platform helps your organization easily meet and exceed CMMC framework requirements for logging, monitoring, threat detection, and response. We either support or complement a variety of CMMC controls from Levels 1 & 2, covering many domains.

    Industry Financial screenshot
    Introduction

    CMMC Compliance

    CMMC (Cybersecurity Maturity Model Certification) is a framework to ensure that controlled unclassified information (CUI) is protected by appropriate levels of cybersecurity practices and processes when it’s residing on federal contractors’ networks. CMMC applies to any federal contractor, including over 300,000 companies in the supply chain – such as small businesses, commercial item contractors and foreign suppliers.

    The Department of Defense intends to incorporate CMMC into their Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contracts, according to the Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC. While CMMC encompasses NIST SP 800-171 requirements, it also extends beyond it to include three different levels of compliance, Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).

    NOTE: There are many changes coming for CMMC v2. In short, CMMC v2 is aligning to the NIST 800-171 standards. All of the controls below have mappings listed for CMMC v2 and NIST 800-171. The CMMC control numbers now are aligned to 800-171; for example, AC.L1-3.1.1 maps to NIST 800-171 control 3.1.1. Also see how Blumira helps customers meet NIST 800-171.

    How Blumira Helps With Access Control Requirements

    • Access Control Level 1: AC.L1-3.1.1 & 3.1.2

      Access Control Level 1: AC.L1-3.1.1 & 3.1.2

      AC.L1-3.1.1 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

      AC.L1-3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

      Blumira allows you to enable role-based administration to limit access to its platform. Blumira can also detect, alert, and provide remediation steps if it identifies any unauthorized, suspicious, or anomalous login activity to your systems.

    • Access Control Level 1: AC.L1-3.1.20

      Access Control Level 1: AC.L1-3.1.20

      AC.L1-3.1.20 – Verify and control/limit connections to and use of external information systems.

      Blumira provides role-based administration to limit access to its platform.

    • Access Control Level 2: AC.L2-3.1.5, 3.1.6, 3.1.8, 3.1.12, 3.1.4, 3.1.7

      Access Control Level 2: AC.L2-3.1.5, 3.1.6, 3.1.8, 3.1.12, 3.1.4, 3.1.7

      AC.L2-3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.

      AC.L2-3.1.6 – Use non-privileged accounts or roles when accessing non-security functions.

      AC.L2-3.1.8 – Limit unsuccessful log-on attempts.

      AC.L2-3.1.12 – Monitor and control remote access sessions.

      AC.L2-3.1.4 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

      AC.L2-3.1.7 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

      Blumira provides role-based administration to limit access for your users to its platform. The Blumira platform also allows you to monitor/alert you on privileged access use; monitor/alert you based on the number of login attempts to detect attacks such as password spraying; and monitor/alert you to remote access risks, including detection for risky public connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB).

      Blumira’s role-based administration and separation of log data within the cloud-delivered service helps reduce the risk of malevolent activity without collusion. Blumira’s service allows you to monitor, alert and respond to non-privileged users executing privileged functions.

    • Access Control Level 2: AC.L2-3.1.13 & 3.1.15

      Access Control Level 2: AC.L2-3.1.13 & 3.1.15

      AC.L2-3.1.13 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

      AC.L2-3.1.15 – Authorize remote execution of privileged commands and remote access to security- relevant information.

      Blumira can help by monitoring and alerting organizations of remote access, including detections of any risky connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB). Blumira also helps monitor remote execution of privileged commands within your environment. With dynamic blocklists, organizations can prevent known detected threats from gaining access by blocking them. They can also monitor for geo-impossible alerts during two-factor authentication.



    Access Control Level 1: AC.L1-3.1.1 & 3.1.2

    AC.L1-3.1.1 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

    AC.L1-3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

    Blumira allows you to enable role-based administration to limit access to its platform. Blumira can also detect, alert, and provide remediation steps if it identifies any unauthorized, suspicious, or anomalous login activity to your systems.

    Access Control Level 1: AC.L1-3.1.20

    AC.L1-3.1.20 – Verify and control/limit connections to and use of external information systems.

    Blumira provides role-based administration to limit access to its platform.

    Access Control Level 2: AC.L2-3.1.5, 3.1.6, 3.1.8, 3.1.12, 3.1.4, 3.1.7

    AC.L2-3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.

    AC.L2-3.1.6 – Use non-privileged accounts or roles when accessing non-security functions.

    AC.L2-3.1.8 – Limit unsuccessful log-on attempts.

    AC.L2-3.1.12 – Monitor and control remote access sessions.

    AC.L2-3.1.4 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

    AC.L2-3.1.7 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

    Blumira provides role-based administration to limit access for your users to its platform. The Blumira platform also allows you to monitor/alert you on privileged access use; monitor/alert you based on the number of login attempts to detect attacks such as password spraying; and monitor/alert you to remote access risks, including detection for risky public connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB).

    Blumira’s role-based administration and separation of log data within the cloud-delivered service helps reduce the risk of malevolent activity without collusion. Blumira’s service allows you to monitor, alert and respond to non-privileged users executing privileged functions.

    Access Control Level 2: AC.L2-3.1.13 & 3.1.15

    AC.L2-3.1.13 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

    AC.L2-3.1.15 – Authorize remote execution of privileged commands and remote access to security- relevant information.

    Blumira can help by monitoring and alerting organizations of remote access, including detections of any risky connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB). Blumira also helps monitor remote execution of privileged commands within your environment. With dynamic blocklists, organizations can prevent known detected threats from gaining access by blocking them. They can also monitor for geo-impossible alerts during two-factor authentication.



    How Blumira Helps With Audit & Accountability and Configuration Management Requirements

    • Audit and Accountability: AU.L2-3.3.1 - 3.3.4

      Audit and Accountability: AU.L2-3.3.1 - 3.3.4

      AU.L2-3.3.1 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

      AU.L2-3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

      AU.L2-3.3.3 – Review and update logged events.

      AU.L2-3.3.4 – Alert in the event of an audit logging process failure.

      Blumira centralized logging gives you the ability to track user activity, allowing you to trace actions uniquely back to certain users and hold them accountable. The Blumira cloud SIEM retains logs for at least a year for auditing purposes.

      Search and reporting functionality gives you deeper visibility into audit logs for review. The Blumira platform also reports on operational changes or disruptions, including the status of logging sensor and diagnostics for logflow to alert you in the event of an audit logging process failure.

    • Audit and Accountability Level 2: AU.L2-3.3.7 - 3.3.9

      Audit and Accountability Level 2: AU.L2-3.3.7 - 3.3.9

      AU.L2-3.3.7 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.

      AU.L2-3.3.8 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

      AU.L2-3.3.9– Limit management of audit logging functionality to a subset of privileged users.

      The Blumira cloud SIEM separates logging and audit tools from customers’ production environments to prevent unauthorized access, modification, and deletion. Blumira’s platform limits the management of audit logging functionality to only a subset of privileged users with role-based administration.

    • Audit and Accountability Level 2: AU.L2-3.3.5 & 3.3.6

      Audit and Accountability Level 2: AU.L2-3.3.5 & 3.3.6

      AU.L2-3.3.5 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

      AU.L2-3.3.6 – Provide audit record reduction and report generation to support on-demand analysis and reporting.

      Blumira search and reporting functionality provides deeper visibility into audit logs. The Blumira platform correlates audit records to indications of suspicious activity and unauthorized access, then provides data and prioritized alerts to the organization. Blumira’s pre-built reports provide the ability to support on-demand analysis and reporting.

      The Blumira threat detection library allows for the automation of audit log analysis to help identify and act on indicators of threats and suspicious activity. Blumira reporting provides visibility to enable organizations to perform audits on broad activity, in addition to pre-machine activity.

    • Configuration Management Level 2: CM.L2-3.4.1 & 3.4.6

      Configuration Management Level 2: CM.L2-3.4.1 & 3.4.6

      CM.L2-3.4.1 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

      CM.L2-3.4.6 – Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

      With Blumira logging capabilities and wide coverage of integrations, organizations can inventory their security systems. Blumira provides role-based administration for its own platform, and monitors other systems for the creation of new privileged accounts, or changes and escalations in existing account privileges to alert organizations to potentially malicious internal activity.

    • Configuration Management Level 2: CM.L2-3.4.2, 3.4.3, 3.4.7

      Configuration Management Level 2: CM.L2-3.4.2, 3.4.3, 3.4.7

      CM.L2-3.4.2 – Establish and enforce security configuration settings for information technology products employed in organizational systems.

      CM.L2-3.4.3 – Track, review, approve or disapprove, and log changes to organizational systems.

      CM.L2-3.4.7 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

      The Blumira platform monitors and identifies any risky access to an organization’s networks, such as through public Remote Desktop Protocol (RDP) and Server Message Block (SMB) access. Blumira tracks and logs any changes to organizational systems, while monitoring and alerting organizations to the use of insecure ports.

    Audit and Accountability: AU.L2-3.3.1 - 3.3.4

    AU.L2-3.3.1 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

    AU.L2-3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

    AU.L2-3.3.3 – Review and update logged events.

    AU.L2-3.3.4 – Alert in the event of an audit logging process failure.

    Blumira centralized logging gives you the ability to track user activity, allowing you to trace actions uniquely back to certain users and hold them accountable. The Blumira cloud SIEM retains logs for at least a year for auditing purposes.

    Search and reporting functionality gives you deeper visibility into audit logs for review. The Blumira platform also reports on operational changes or disruptions, including the status of logging sensor and diagnostics for logflow to alert you in the event of an audit logging process failure.

    Audit and Accountability Level 2: AU.L2-3.3.7 - 3.3.9

    AU.L2-3.3.7 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.

    AU.L2-3.3.8 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

    AU.L2-3.3.9– Limit management of audit logging functionality to a subset of privileged users.

    The Blumira cloud SIEM separates logging and audit tools from customers’ production environments to prevent unauthorized access, modification, and deletion. Blumira’s platform limits the management of audit logging functionality to only a subset of privileged users with role-based administration.

    Audit and Accountability Level 2: AU.L2-3.3.5 & 3.3.6

    AU.L2-3.3.5 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

    AU.L2-3.3.6 – Provide audit record reduction and report generation to support on-demand analysis and reporting.

    Blumira search and reporting functionality provides deeper visibility into audit logs. The Blumira platform correlates audit records to indications of suspicious activity and unauthorized access, then provides data and prioritized alerts to the organization. Blumira’s pre-built reports provide the ability to support on-demand analysis and reporting.

    The Blumira threat detection library allows for the automation of audit log analysis to help identify and act on indicators of threats and suspicious activity. Blumira reporting provides visibility to enable organizations to perform audits on broad activity, in addition to pre-machine activity.

    Configuration Management Level 2: CM.L2-3.4.1 & 3.4.6

    CM.L2-3.4.1 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

    CM.L2-3.4.6 – Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

    With Blumira logging capabilities and wide coverage of integrations, organizations can inventory their security systems. Blumira provides role-based administration for its own platform, and monitors other systems for the creation of new privileged accounts, or changes and escalations in existing account privileges to alert organizations to potentially malicious internal activity.

    Configuration Management Level 2: CM.L2-3.4.2, 3.4.3, 3.4.7

    CM.L2-3.4.2 – Establish and enforce security configuration settings for information technology products employed in organizational systems.

    CM.L2-3.4.3 – Track, review, approve or disapprove, and log changes to organizational systems.

    CM.L2-3.4.7 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

    The Blumira platform monitors and identifies any risky access to an organization’s networks, such as through public Remote Desktop Protocol (RDP) and Server Message Block (SMB) access. Blumira tracks and logs any changes to organizational systems, while monitoring and alerting organizations to the use of insecure ports.

    How Blumira Helps With Risk Assessment and Identification and Authentication Requirements

    • Risk Assessment Level 2: RA.L2-3.11.1 & 3.11.2

      Risk Assessment Level 2: RA.L2-3.11.1 & 3.11.2

      RA.L2-3.11.1 – Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

      RA.L2-3.11.2 – Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

      Organizations can periodically assess risk to their operations and data with the help of Blumira search and reporting functionality that can generate reports on security and compliance, identifying potential gaps. Blumira is software as a service (SaaS) that monitors itself for vulnerabilities.

      The Blumira platform employs threat intelligence to provide guidance to organizations on their system and security architecture. It can also detect access using insecure ports via RDP, SMB, and others.

    • Risk Assessment Level 2: RA.L2-3.11.3

      Risk Assessment Level 2: RA.L2-3.11.3

      RA.L2-3.11.3 – Remediate vulnerabilities in accordance with risk assessments.

      As a SaaS product, Blumira can help organizations remediate vulnerabilities in near real-time when they are identified. To enable organizations to test the effectiveness of security solutions, Blumira has created guides on how to easily test a SIEM’s detections for common incidents like password spraying, lateral movement, malicious code execution, and privilege escalation.

    • Identification and Authentication: IA.L1-3.5.1

      Identification and Authentication: IA.L1-3.5.1

      IA.L1-3.5.1 – Identify information system users, processes acting on behalf of users, or devices.

      Blumira collects audit logs that can be used to identify information system users or processes acting on behalf of users or devices.

    • Incident Response: IR.L2-3.6.1 - 3.6.3

      Incident Response: IR.L2-3.6.1 - 3.6.3

      IR.L2-3.6.1 – Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

      IR.L2-3.6.2 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

      IR.L2-3.6.3 – Test the organizational incident response capability.

      Blumira has created guides on how to easily test a SIEM’s detections for common incidents like password spraying, lateral movement, malicious code execution, and privilege escalation. Blumira has also tested customer deployments to ensure that organizations are able to detect and respond to incidents.

    Risk Assessment Level 2: RA.L2-3.11.1 & 3.11.2

    RA.L2-3.11.1 – Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

    RA.L2-3.11.2 – Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

    Organizations can periodically assess risk to their operations and data with the help of Blumira search and reporting functionality that can generate reports on security and compliance, identifying potential gaps. Blumira is software as a service (SaaS) that monitors itself for vulnerabilities.

    The Blumira platform employs threat intelligence to provide guidance to organizations on their system and security architecture. It can also detect access using insecure ports via RDP, SMB, and others.

    Risk Assessment Level 2: RA.L2-3.11.3

    RA.L2-3.11.3 – Remediate vulnerabilities in accordance with risk assessments.

    As a SaaS product, Blumira can help organizations remediate vulnerabilities in near real-time when they are identified. To enable organizations to test the effectiveness of security solutions, Blumira has created guides on how to easily test a SIEM’s detections for common incidents like password spraying, lateral movement, malicious code execution, and privilege escalation.

    Identification and Authentication: IA.L1-3.5.1

    IA.L1-3.5.1 – Identify information system users, processes acting on behalf of users, or devices.

    Blumira collects audit logs that can be used to identify information system users or processes acting on behalf of users or devices.

    Incident Response: IR.L2-3.6.1 - 3.6.3

    IR.L2-3.6.1 – Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

    IR.L2-3.6.2 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

    IR.L2-3.6.3 – Test the organizational incident response capability.

    Blumira has created guides on how to easily test a SIEM’s detections for common incidents like password spraying, lateral movement, malicious code execution, and privilege escalation. Blumira has also tested customer deployments to ensure that organizations are able to detect and respond to incidents.

    How Blumira Helps With Maintenance, Assessment, System and Communication, and System and Information Integrity Requirements

    • Maintenance: MA.L2-3.7.1, 3.7.2, 3.7.5

      Maintenance: MA.L2-3.7.1, 3.7.2, 3.7.5

      MA.L2-3.7.1 – Perform maintenance on organizational systems.

      MA.L2-3.7.2 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

      MA.L2-3.7.5 – Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

      Blumira cloud-delivered SIEM is automatically and frequently updated for customers with maintenance for parsers, new detection rules and more. With role-based administration, Blumira can help limit permissions for users that access the platform. Blumira also requires multi-factor authentication (MFA) for access to its cloud application.

    • Security Assessment: CA.L2-3.12.1 & 3.12.3

      Security Assessment: CA.L2-3.12.1 & 3.12.3

      CA.L2-3.12.1 – Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

      CA.L2-3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

      Blumira can help organizations assess the effectiveness of controls by monitoring and alerting them to any misconfigurations of their existing security controls, as well as providing ongoing monitoring to help ensure continued effectiveness.

    • System and Communications Protection: SC.L2-3.13.3 & 3.13.4

      System and Communications Protection: SC.L2-3.13.3 & 3.13.4

      SC.L2-3.13.3– Separate user functionality from system management functionality.

      SC.L2-3.13.4 – Prevent unauthorized and unintended information transfer via shared system resources.

    • System and Information Integrity: SI.L1-4.13.1 & S1.L2-3.14.3

      System and Information Integrity: SI.L1-4.13.1 & S1.L2-3.14.3

      SI.L1-4.13.1 – Identify, report, and correct information and information system flaws in a timely manner.

      S1.L2-3.14.3 – Monitor system security alerts and advisories and take action in response.

      To help organizations identify, report, and correct information system flaws in a timely manner, Blumira search and reporting functionality gives them the ability to investigate potential security issues in real time. The Blumira platform monitors security systems, providing prioritized alerts with predefined security playbooks that help guide customers through response.

      The Blumira platform also subscribes to multiple threat feeds to inform and enrich domain data on an ongoing basis to help inform intrusion detection and threat hunting.

    • System and Information Integrity: SI.L2-3.14.6 & 3.14.7

      System and Information Integrity: SI.L2-3.14.6 & 3.14.7

      SI.L2-3.14.6 – Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

      SI.L2-3.14.7- Identify unauthorized use of organizational systems.

      With Blumira automated detection and response capabilities, organizations can monitor their systems, inbound and outbound traffic, and detect attacks and indicators of potential attacks. Blumira can also help detect and alert on unauthorized access and use of organizational systems.

    Maintenance: MA.L2-3.7.1, 3.7.2, 3.7.5

    MA.L2-3.7.1 – Perform maintenance on organizational systems.

    MA.L2-3.7.2 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

    MA.L2-3.7.5 – Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

    Blumira cloud-delivered SIEM is automatically and frequently updated for customers with maintenance for parsers, new detection rules and more. With role-based administration, Blumira can help limit permissions for users that access the platform. Blumira also requires multi-factor authentication (MFA) for access to its cloud application.

    Security Assessment: CA.L2-3.12.1 & 3.12.3

    CA.L2-3.12.1 – Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

    CA.L2-3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

    Blumira can help organizations assess the effectiveness of controls by monitoring and alerting them to any misconfigurations of their existing security controls, as well as providing ongoing monitoring to help ensure continued effectiveness.

    System and Communications Protection: SC.L2-3.13.3 & 3.13.4

    SC.L2-3.13.3– Separate user functionality from system management functionality.

    SC.L2-3.13.4 – Prevent unauthorized and unintended information transfer via shared system resources.

    System and Information Integrity: SI.L1-4.13.1 & S1.L2-3.14.3

    SI.L1-4.13.1 – Identify, report, and correct information and information system flaws in a timely manner.

    S1.L2-3.14.3 – Monitor system security alerts and advisories and take action in response.

    To help organizations identify, report, and correct information system flaws in a timely manner, Blumira search and reporting functionality gives them the ability to investigate potential security issues in real time. The Blumira platform monitors security systems, providing prioritized alerts with predefined security playbooks that help guide customers through response.

    The Blumira platform also subscribes to multiple threat feeds to inform and enrich domain data on an ongoing basis to help inform intrusion detection and threat hunting.

    System and Information Integrity: SI.L2-3.14.6 & 3.14.7

    SI.L2-3.14.6 – Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

    SI.L2-3.14.7- Identify unauthorized use of organizational systems.

    With Blumira automated detection and response capabilities, organizations can monitor their systems, inbound and outbound traffic, and detect attacks and indicators of potential attacks. Blumira can also help detect and alert on unauthorized access and use of organizational systems.

    Get Started for Free

    Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.