Simplify CMMC compliance.
Anchor reduces the scope of your CUI information system making CMMC 2.0 level 2 compliance easier.
We provide a brief introduction to the basic requirements of CMMC 2.0 and how Anchor can be used to reduce the cost and effort of becoming CMMC certified. To that end, we provide a security architecture that is broad and easy to implement for a variety of organizations. We provide examples of IT infrastructures and show how the architecture can be tailored to each. Lastly, we provide a detailed mapping exercise, clearly illustrating the domains and sub-domains that are covered by the Anchor platform, either independently or with the support of other solutions.
The Cybersecurity Maturity Model Certification (CMMC) is a certification contractors need before they can perform work for the Department of Defense. All suppliers, including small and medium-sized businesses, must implement CMMC 2.0 Level 2 or higher to maintain business within the Department of Defense supply chain. The CMMC framework is built on the NIST 800-171 foundation, which the Defense Industrial Base (DIB) has been attesting to for its contracts since 2017.
This document explains the key aspects of the CMMC and how Anchor can be used to reduce the cost and effort to become CMMC certified.
A security plan simply describes what an organization does in order to be secure. How do you know your organization is secure? Because you do the things in your security plan.
As for CMMC, your System Security Plan (SSP) describes how you protect sensitive information from the government such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
From CMMC CA.L2-3.12.4:
A system security plan (SSP) is a document that outlines how an organization implements its security requirements. An SSP outlines the roles and responsibilities of security personnel. It details the different security standards and guidelines that the organization follows.
Being certified for CMMC means having an auditor review your organization’s SSP to ensure it meets all of the requirements for the CMMC level at which you’re being certified, and verifying that your organization is actually doing everything you claim in your SSP.
A Covered Contractor Information System defines the boundary of the connected network of computers and devices that process sensitive data from the government such as FCI and CUI.
Anything that contains or processes this kind of information is part of the covered contractor information system. Your SSP must thoroughly cover your entire covered contractor information system. Limiting and reducing the scope of devices that can process FCI and CUI reduces the size of your covered contractor information system and therefore simplifies the SSP needed to protect it.
The simpler your SSP, the easier it is to create, implement, and audit. Easier means faster and at a lower cost. The formula to reduce your cost and effort to be CMMC certified is:
A Security Architecture is the technical design of your covered contractor information system, including what is in it, how it all fits together, and how it enables the controls that implement your SSP.
In this section, we provide the proposed security architecture with the Anchor platform. The architecture is simple and broad; it applies to a variety of business scenarios, covering a wide range of industries with different IT infrastructure, from very elementary to sophisticated and hybrid.
The proposed architecture is illustrated in Figure 1. With Anchor, the “system” is the set of Anchor-enabled devices containing CUI. Anchor simplifies CMMC compliance by reducing the system boundary from a complex network to a narrow set of Anchored files that are end-to-end encrypted by Anchor with FIPS-validated cryptography [CMVP].
At the heart of our architecture lies the fact that Anchored CUI can only be consumed at Anchor-enabled endpoints, due to the end-to-end encryption system integrated into the desktop platform built by Anchor. The key management and audit logging services are both provided by the Anchor platform, external to the desktop agent. These services provide secure access management and audit log creation in coordination with the desktop platform, with components orthogonal to the rest of the organization's IT infrastructure (above the blue line in Figure 1), making the implementation of the security plan simpler, lower cost, and more robust.
Endpoint users are managed by Active Directory (local or Azure). The CUI files can be stored on a network drive or a cloud store, but they cannot be decrypted on those drives due to end-to-end encryption. As the CUI is always encrypted at rest, each device containing CUI is treated as a mobile device.
In this section, we provide a few sample IT architectures with their associated use cases. As discussed in the last section, the end-to-end encryption provided by the Anchor platform supports the security architecture for internal collaboration across a variety of use cases (illustrated in Figure 2).
(a) Many organizations keep CUI internally within their network on local file servers (mostly running Windows Server). For example, manufacturing, construction, and high-tech engineering organizations building products and IP for the DoD use a variety of file types and applications, including CAD and Office. Anchor keeps the designs, associated IP, contracts, and calculations encrypted on the file server, while enabling access from the desired applications shown in Figure 3 without a change in the workflow or the application itself. Directories and CUI files are stored on a network drive but cannot be decrypted on that drive due to end-to-end encryption. As the CUI is always encrypted at rest, each device containing CUI is treated as a mobile device.
As a result, CUI is protected automatically as per CMMC, while the organization does not lose any efficiency in processing the data.
Autodesk AutoCAD
Dassault Systèmes SolidWorks
Autodesk Revit
PTC Creo
Bluebeam Revu
Siemens NX
(b) Since the pandemic, organizations have a considerable part of their workforce needing to access CUI remotely. In such cases, files are downloaded to local drives for processing. This sometimes happens despite policies on VPN use, due to the performance issues associated with remote consumption. Such local storage and access inflates the attack surface and makes CUI policies difficult to enforce.
With the Anchor platform, this would not pose a problem. An admin can simply include the local drive as a protected area and make sure that the CUI remains safe, even when accessed remotely by the employees or contractors.
Furthermore, Anchor's protection extends to a mobile app for iPhone and Android platforms, as shown in Figure 4. As a result, CUI can be accessed from smartphones and tablets.
(c) Organizations are moving to a hybrid IT infrastructure with cloud applications and data stores involved in everyday processes. Most organizations will have certain processes handled over FedRAMP High government clouds such as Microsoft GCC High. However, it is likely that there will be applications and processes involving CUI on commercial cloud as well. The Anchor platform provides the flexibility to protect data on commercial cloud because of its integrated end-to-end encryption.
DFARS 7012 and ITAR have additional requirements, such as that information must not be exported out of the United States. This creates an obstacle to using commercial cloud storage, because commercial clouds store data outside the US and are administered by people outside the US. However, they carve out an exception when the information is end-to-end encrypted with FIPS-validated cryptography. With Anchor end-to-end encryption you can store data on commercial clouds and still be compliant.
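The architecture sections above (encrypted CUI stored on a share or commercial cloud, keys and audit logs held by a service outside the endpoint, decryption possible only on an enrolled device) can be modelled in a few dozen lines. The following Go program is an added example written for this page; it is not Anchor's code and makes no claim about how the Anchor platform is implemented. It assumes a hypothetical KeyService that enrolls devices, releases one key per file, and logs every request, and it uses Go's standard AES-256-GCM as a stand-in for the FIPS-validated module the text refers to (Go's default crypto is not itself FIPS-validated). The file ID is bound as associated data so a blob cannot be swapped between files, and the share only ever holds ciphertext, which is the scope-reduction argument of the page made concrete.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuditEvent is one entry of the key service's access log (constructed format).
type AuditEvent struct {
	Device  string
	File    string
	Allowed bool
}

// KeyService stands in for the platform-side key management and audit logging
// components (hypothetical, not Anchor's API): it holds one key per file,
// releases a key only to an enrolled device, and records every request.
type KeyService struct {
	enrolled map[string]bool
	keys     map[string][]byte // file ID -> 256-bit AES key
	Log      []AuditEvent
}

func NewKeyService(devices ...string) *KeyService {
	ks := &KeyService{enrolled: map[string]bool{}, keys: map[string][]byte{}}
	for _, d := range devices {
		ks.enrolled[d] = true
	}
	return ks
}

// FileKey returns the key for fileID, creating it on first use. The request is
// logged before the enrollment check so that denied attempts are visible too.
func (ks *KeyService) FileKey(device, fileID string) ([]byte, error) {
	ok := ks.enrolled[device]
	ks.Log = append(ks.Log, AuditEvent{Device: device, File: fileID, Allowed: ok})
	if !ok {
		return nil, errors.New("key request denied: device not enrolled")
	}
	if k, found := ks.keys[fileID]; found {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[fileID] = k
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs on the endpoint: it fetches the file key and encrypts with
// AES-256-GCM, binding the file ID as associated data. The returned blob
// (nonce || ciphertext || tag) is all that the file share or cloud ever stores.
func Protect(ks *KeyService, device, fileID string, plaintext []byte) ([]byte, error) {
	key, err := ks.FileKey(device, fileID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(fileID)), nil
}

// Open is the endpoint-side reverse of Protect. It fails if the device is not
// enrolled, the blob was modified in storage, or the file ID does not match.
func Open(ks *KeyService, device, fileID string, blob []byte) ([]byte, error) {
	key, err := ks.FileKey(device, fileID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(fileID))
}

func main() {
	ks := NewKeyService("laptop-01") // constructed: a single enrolled device
	share := map[string][]byte{}     // stands in for the network drive or cloud store

	cui := []byte("DRAWING 4471 - constructed sample CUI")
	blob, err := Protect(ks, "laptop-01", "drawing-4471.dwg", cui)
	if err != nil {
		panic(err)
	}
	share["drawing-4471.dwg"] = blob // only ciphertext leaves the endpoint

	if _, err := Open(ks, "home-pc", "drawing-4471.dwg", share["drawing-4471.dwg"]); err != nil {
		fmt.Println("unenrolled device:", err)
	}
	out, err := Open(ks, "laptop-01", "drawing-4471.dwg", share["drawing-4471.dwg"])
	fmt.Printf("enrolled device: %q err=%v\n", out, err)
	for _, e := range ks.Log {
		fmt.Printf("audit: device=%s file=%s allowed=%t\n", e.Device, e.File, e.Allowed)
	}
}
```

Two design points matter for an SSP: the share never sees a key, so a storage administrator (in the US or not) holds only ciphertext, and the audit log is written by the key service rather than by the endpoint, so a denied request from an unenrolled device is still recorded.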
Assuming the security architecture described above, we provide a breakdown of the CMMC 2.0 Level 2 practices by whether and how they can be covered with Anchor in the Anchor CMMC 2.0 Shared Responsibility Matrix below. We also provide supplemental text that can be used in your SSP as a template.
In summary, there are 27 CMMC controls that Anchor helps you address.
Each practice is labeled as one of the following:

| Label | Meaning |
| --- | --- |
| Anchor Security Architecture Covered | The Anchor security architecture described above effectively implements the practice. |
| Shared Coverage | The Anchor security architecture described above contributes to implementing the practice, but complete coverage will require additional contribution from the customer. |
| Customer Responsibility | The customer is responsible for implementing the practice entirely. |
This document provides a comprehensive overview of CMMC 2.0 Level 2 and NIST 800-171 controls mapping that Anchor addresses. This guide will be your key to success in achieving CMMC compliance with Anchor.
This page introduced the CMMC and its key points at high level. It described a model security architecture based on Anchor and Windows 10/11 that applies to a broad range of Department of Defense contractors and their business environments. Finally, it mapped the CMMC 2.0 Level 2 practices to the model Anchor Security Architecture and provided templates that can be used when creating your organization’s SSP, reducing the time and effort to get CMMC 2.0 Level 2 certification.