Over the next two years, many companies will face the challenge of compliance with the Cybersecurity Maturity Model Certification (CMMC) program, the U.S. Department of Defense's supply chain cybersecurity requirements. CMMC was developed as a response to cyber threats and breaches of the military supply chain. Any company that has ties to a defense contract, or supplies another company that holds a defense contract, will be required to prove Level 1 foundational compliance. Level 1 is all about the basics of safeguarding networks and data, or basic cyber hygiene. What a lot of people don't realize is that they are already doing some of this with their existing SOX and NIST 800-53.x compliance programs.
In a series of three articles, I will give an overview of the NIST and CMMC frameworks. I will summarize how they apply to SAP, how they correlate to one another and to SOX compliance, and how to prove it during audits.
Part 1: Introduction to cyber compliance with NIST/CMMC Frameworks
The NIST 800-53.x framework was developed by the National Institute of Standards and Technology (NIST) to provide a set of best practices for securing a broad range of technologies, along with a way to measure compliance. It is broken down into eighteen control families used to manage and measure technology risk. These families include areas such as access control, configuration management, and incident response, to name a few. This framework has become the standard that most networks, hardware, and software are measured by.
The latest NIST 800-53 Revision 5 documentation is available from NIST.
The CMMC framework measures many of the same things as NIST 800-53.x and provides a crosswalk between CMMC and NIST controls. The CMMC framework has a defined set of practice levels that group controls into a measurable maturity level. The goal of this measurement is to show compliance with different Department of Defense contract requirements.
The full set of CMMC documentation is available from the Department of Defense.
Purpose and Applicability
As these frameworks have developed over the last 10 years, it has become necessary to apply them to the application layer in order to fully secure and manage corporate risk. Applying a framework directly to SAP started with the Sarbanes-Oxley (SOX) Act in 2002. The idea of segregation of duties and the management of access is a part of both the NIST and CMMC frameworks. As hackers have continued in their creative endeavors, the deeper application of security measures beyond the network perimeter has become necessary to protect against zero-day threats.
Relationship to SOX and SOD
The idea of SOX Separation of Duties (SOD) has a direct correlation to both NIST and CMMC controls. A control defines how something should be set up in a system, and that definition is the baseline the actual configuration is measured against. That measurement translates to cyber risk.
The following is an example of two levels of CMMC Access Controls and their corresponding NIST 800-53 Rev 5 controls that will look familiar:
Practice Levels
Level 1: AC.L2-3.1.2 Transaction & Function Control
Limit information systems access to the types of transactions and functions that authorized users are permitted to execute
· NIST SP 800-171 Rev 2 3.1.2
· NIST SP 800-53 Rev 5 (AC2)
Level 2: AC.L2-3.1.4 Separation of Duties
Separate the duties of individuals to reduce the risk of malevolent activity without collusion
· NIST SP 800-171 Rev 2 3.1.4
· NIST SP 800-53 Rev 5 (AC5)
(Source: U.S. Department of Defense)
When SAP security and audit professionals look at this table, they automatically recognize that these two controls are directly related to the SOD management work they’ve been doing for SOX compliance for twenty years. This makes it a great case study to break down as a CMMC/NIST compliance example.
In CMMC, practice levels are the measure of maturity of an organization in terms of compliance with the CMMC framework. Starting in May of 2023, a company must be at Level 1 and be able to prove it through a self-assessment in order to participate in the bidding and fulfilling of a DoD contract. That self-assessment must include verifiable proof of control compliance.
Levels
Level 1 compliance to the Transaction & Function Control in SAP correlates to removing SAP_ALL, SAP_ALMOST, any roles with a * in S_TCODE, and access to transactions outside of the person's job area. In SAP language, this means limiting transactions to only what the user needs, also known as the principle of least privilege. For a deeper dive into the direct application of cybersecurity principles to SAP, take a look at my book "A Practical Guide to Cybersecurity in SAP," available on Amazon or through Espresso Tutorials.
Level 2 compliance includes the Level 1 Transaction & Function Control and builds upon it with full Separation of Duties. Using SAP GRC Access Control or a similar tool to monitor SOD risks (both potential and actual SOD violations), together with regular user access reviews, proves compliance to the Level 2 AC.L2-3.1.4 Separation of Duties requirement in CMMC and to NIST 800-53 Rev 5 (AC2) and (AC5).
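The Level 1 and Level 2 checks described above, as an added example that is not part of the article and not SAP or GRC code: it runs over a constructed extract of user-to-role assignments and the S_TCODE values each role grants, flags SAP_ALL/SAP_ALMOST, wildcard S_TCODE entries and transactions outside a user's job area (AC.L2-3.1.2), and then tests the same users against a constructed SOD rule (AC.L2-3.1.4). All user names, role names, transaction codes and the SOD rule are assumptions for illustration.

```python
from fnmatch import fnmatch

# Constructed sample extract (not real system data): user -> assigned roles/profiles
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK"],
    "ADMIN1": ["SAP_ALL"],
    "BASIS2": ["Z_BASIS_WIDE"],
    "FINMGR": ["Z_AP_CLERK", "Z_VENDOR_MAINT"],
}
# Constructed: role -> transaction codes granted via S_TCODE (may contain wildcards)
ROLE_TCODES = {
    "Z_AP_CLERK": ["FB60", "F-53"],
    "Z_VENDOR_MAINT": ["XK01", "XK02"],
    "Z_BASIS_WIDE": ["S*"],
    "SAP_ALL": ["*"],
}
# Constructed: the transactions each user's job area actually requires
JOB_AREA = {"JSMITH": {"FB60", "F-53"}, "FINMGR": {"FB60", "F-53", "XK01", "XK02"}}
# Constructed SOD rule: two transaction groups one person should not hold together
SOD_RULES = [("Vendor master vs. AP invoice posting", {"XK01", "XK02"}, {"FB60", "F-53"})]
# Blanket authorizations the article names as must-remove for Level 1
BLANKET = {"SAP_ALL", "SAP_ALMOST"}


def user_tcodes(user):
    """All S_TCODE values a user holds through their roles (wildcards kept as-is)."""
    return {t for r in USER_ROLES.get(user, []) for t in ROLE_TCODES.get(r, [])}


def level1_findings(user):
    """AC.L2-3.1.2: blanket authorizations, wildcard S_TCODE, tcodes outside the job area."""
    findings = []
    for role in USER_ROLES.get(user, []):
        if role in BLANKET:
            findings.append(f"blanket authorization {role}")
        for t in ROLE_TCODES.get(role, []):
            if "*" in t:
                findings.append(f"wildcard S_TCODE {t} in {role}")
    allowed = JOB_AREA.get(user, set())
    for t in sorted(user_tcodes(user)):
        if "*" not in t and t not in allowed:
            findings.append(f"tcode {t} outside job area")
    return findings


def sod_findings(user):
    """AC.L2-3.1.4: user can execute a transaction from both sides of an SOD rule."""
    held = user_tcodes(user)

    def matches(group):  # a wildcard such as S* or * matches any tcode it covers
        return any(fnmatch(t, pat) for t in group for pat in held)

    return [name for name, side_a, side_b in SOD_RULES if matches(side_a) and matches(side_b)]
```

Wildcards are evaluated on the SOD side too, so a SAP_ALL holder is reported as an SOD violation even though no explicit transaction is assigned.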
Evaluation
To be evaluated to the Level 2 standard, the company must be assessed by a third-party assessor that is certified in CMMC audit work. A way to look at it is that a Level 1 self-assessment is like an internal audit review and a Level 2 assessment is the external audit review.
Each of the CMMC or NIST controls can be evaluated in this manner. Controls are broken down by relevance to the system and by how they should be evaluated, validated, remediated, and documented. From a compliance perspective, this is the process for getting through a CMMC audit. Integrating CMMC compliance efforts into an existing NIST cybersecurity compliance program requires an additional level of risk assignment and assessment.
During the control evaluation and compliance process, a risk level is assigned to each applicable control. This risk assessment allows the control work being done for SAP to roll up into a companywide risk management program as a numeric value. A deeper dive into performing a risk assessment in SAP against a cybersecurity framework will be covered in the next article in this series.
This is Part 1 of a three-part series by Julie Hallett; Parts 2 and 3 follow.