How Can Managed File Transfer Become CMMC Compliant?
Is your managed file transfer CMMC compliant? If you’re not compliant, and you’re required to be, it can cost you current or future contracts.
To whom does CMMC apply? CMMC, or Cybersecurity Maturity Model Certification, applies to anyone who works with the U.S. Department of Defense, including contractors and subcontractors. When initially launched, CMMC implementation affected over 300,000 organizations.
What Is CMMC and How Does It Impact My Business?
CMMC is a relatively new body of cybersecurity regulations rolling out in the Department of Defense (DoD) supply chain. Based on Special Publication 800-171, Federal Information Processing Standard (FIPS) 200, and other documents published by the National Institute of Standards and Technology (NIST), CMMC provides contractors in the supply chain with a maturity model that determines their capability to handle Controlled Unclassified Information (CUI).
CUI is a unique designation for data. Created in 2010 through an Executive Order by then-President Barack Obama, CUI defines a category of information that, while not classified (and thus subject to military or federal law as such), still serves an essential purpose in the operation of defense or executive agencies. NIST 800-171 and CMMC outline the requirements necessary for protecting CUI.
To gauge cyber contractor maturity, CMMC provides a tiered approach based on five levels determined by cybersecurity hygiene (which includes the number of technical security practices implemented) and processes (the capability to manage organizational security).
There are five levels of CMMC:
- Level 1 (Basic): Organizations demonstrate basic cybersecurity hygiene and the processes to implement it. At this level, organizations have the bare minimum in terms of security controls and capabilities.
- Level 2 (Intermediate): Maturity Level 2 finds organizations at intermediate cybersecurity hygiene with the ability to document security policies and practices as pertains to CMMC implementation.
- Level 3 (Good): At Level 3, organizations practice good cybersecurity hygiene alongside managing plans related to cybersecurity. At this level, organizations plan and implement security goals, projects, provisioning, resourcing, and training with relevant stakeholders. This level is the minimum required maturity level for any contractor planning to create, manage, transmit, or store CUI.
- Level 4 (Proactive): Level 4 requires organizations to have proactive cybersecurity hygiene measures in place to address attacks from advanced persistent threats (APTs) and review and improve their existing cybersecurity efforts through corrective action.
- Level 5 (Advanced): At the highest level of CMMC certification, organizations demonstrate advanced and sophisticated cybersecurity measures against APTs beyond Level 4, along with the ability to optimize existing cybersecurity systems based on review and documentation.
It is certainly the case that when it comes to transferring files within a context where CUI is involved, any file transfer solution would need to meet minimum security requirements for at least Maturity Level 3.
How Does MFT Play Into CMMC Compliance?
Because CMMC regulations require much more than simple technical security measures to protect data, a compliant file transferring solution can bring several types of data control, security, and auditing capabilities. This is why many contractors opt for managed file transfer (MFT) solutions to handle enterprise file sharing.
Consider CMMC Maturity Level 3, the minimum level needed to handle CUI. At this level, a managed file transfer solution would need to include the following features:
- Encryption for all data at rest and data in transit: Typical encryption algorithms at this level include AES-128 or AES-256 (for data at rest) and TLS 1.2 or higher (for data in transit).
- Sufficient Access Controls: An MFT solution that maintains compliance will include ways to limit system access to authorized users, place access limits based on transaction type, limit login attempts, strictly control user privileges, and verify or control the number of transactions on the system.
- Audit Logs: CMMC calls for IT systems that provide audit logs for the actions of users on the system. This includes the capacity to uniquely trace steps across the system, maintain immutable logs for forensic analytics, accurately timestamp logs, create alerts based on logged events, protect audit information from tampering or corruption, and generate reports based on audit logs.
- Reporting and Documentation: MFTs should include ways to report activity in the system, typically through a dashboard that supports reporting and documentation efforts. These documents will often be needed to address audit requests, but they also inform important and necessary practices like risk management.
Additionally, compliant MFTs must still serve high-performance enterprise workloads:
- Scheduled and Batch Transfers: Handling large file transfers or high-volume batch transfers while maintaining speed and agility are the primary reasons for using file transfers like MFT. An MFT also allows for scheduling these transfers, which can serve an essential purpose of offloading network-intensive transfers after hours.
- Scalability: An MFT provides a solid backbone for scalable file transfer schemas where strategic transfers and data monitoring can flex larger or smaller depending on an organization’s needs.
- Enterprise Integration: An MFT with the right integrations is worth its weight in gold. An MFT that can incorporate functionality with productivity tools, security information and event management (SIEM) solutions, cloud platforms, and cloud computing applications extends how an organization can use that data effectively.
What Should Businesses Look For in a CMMC-compliant Managed File Transfer Solution?
When it comes to MFT and compliance, organizations are going to assess any solution based on two criteria:
- Features and Enterprise Tools: What does this tool bring to my business? How does it help leverage our data meaningfully? What can it bring in terms of intelligence and insights, and flexibility and scalability?
- Compliance and Security: How does this MFT provide security measures in line with CMMC? Does it provide technical measures, administrative controls, physical security, or some combination of those three?
With that in mind, an MFT solution should check all the following boxes:
- The technology meets the minimum desired CMMC maturity level.
- The technology provides extensive auditing and logging (ideally a robust SIEM solution).
- The technology includes productivity integrations or other features like built-in dashboards that provide more with control over how the system is used.
- The technology supports robust MFT controls like detailed scheduling and tracking and high-volume transfers.
The Kiteworks® Platform and CMMC Compliance
When it comes to CMMC, businesses must work with an MFT provider that meets CMMC requirements without sacrificing enterprise usability and functionality. The Kiteworks platform helps an organization leverage cutting-edge MFT features with secure, compliant technology.
With the Kiteworks platform, businesses get the following:
- Security and Compliance: Our systems utilize AES-256 encryption for data at rest and TLS 1.2+ for data in transit. Its hardened virtual appliance, granular controls, authentication, and other security stack integrations, along with comprehensive logging and audit, enable organizations to achieve compliance efficiently.
- Audit Logging: With Kiteworks immutable audit logs, organizations can trust that they can detect attacks sooner and maintain the correct chain of evidence to perform forensics. Since the system merges and standardizes entries from all the components, its unified Syslog and alerts save security operations center (SOC) team crucial time and help a compliance team prepare for audits.
- Single-tenant Private Cloud: File transfers, file storage, and access will occur on a dedicated Kiteworks instance, deployed on-premises, on Infrastructure-as-a-Service (IaaS) resources, or hosted in the cloud by the Kiteworks Cloud server. That means no shared runtime, databases or repositories, resources, or potential for cross-cloud breaches or attacks.
- Scalability and Cost Consolidation: Centralized governance, logging, and administration will also save administrative time and costs. All Kiteworks servers come seamlessly equipped with secure, best-of-breed file sharing and secure email.
- Seamless Automation: The Kiteworks platform supports MFT automation to facilitate content transfer into and out of SFTP and other repositories like file shares and AWS S3.
- Self-service Ease of Use: Business users access the back end of the Kiteworks SFTP server through familiar web file-sharing folders. Employees who are delegated by the administrators manage the folders to create new folder trees for new partners or nest new folders for new data subjects.
- Data Visibility and Management: Our CISO Dashboard gives organizations an overview of their data: where it is, who is accessing it, how it is being used, and if it complies with CMMC. The CISO Dashboard empowers business leaders to make informed decisions about security and regulatory requirements.
To learn more about CMMC compliance and managed file transfer, watch our webinar on CMMC and file transfer compliance. And as always, sign up for updates from the Kiteworks blog or to request a free demo of the Kiteworks platform.
[brochure] Automate Your Business with Security and Compliance First
[blog post] 11 Requirements for Secure Managed File Transfer
[white paper] CMMC Compliance Guide: How to Meet CMMC Secure File Transfer Requirements