Are you prepared to continue to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? The sixth domain in the CMMC Level 1 requirements is System and Information Integrity. The primary focus of this practice is identifying and managing information system flaws. In this post, we will build on our knowledge of the domains and practices of Level 1, with a focus on the first practice in System and Information Integrity, SI.1.210.
What is a CMMC Assessment?
A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21).
What is System and Information Integrity – SI.1.210?
Identify, report, and correct information system flaws in a timely manner. Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation. NIST SP 800-40 provides guidance on patch management technologies.
What are the SI.1.210 Assessment Objectives and Objects?
Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine whether a practice is satisfied. Assessment objects identify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals).
SI.1.210 assessment objectives: The time within which to identify system flaws is specified. System flaws are identified within the specified time frame. The time within which to report system flaws is specified. System flaws are reported within the specified time frame. The time within which to correct system flaws is specified. System flaws are corrected within the specified time frame.
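Each objective above is a pair: an organization-defined time period, and evidence that flaws were actually identified, reported, or corrected within it. That evidence is easiest to produce when remediation records are tracked mechanically. The Python below is an added example, not part of the original post and not CMMC or NIST material; it checks constructed flaw records against per-severity reporting and correction windows. The SLA_DAYS values, the FLAW-000x identifiers and the dates are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Organization-defined time periods, in days from discovery. These are
# assumed values for the example; an organization sets its own, typically
# shorter for higher-severity flaws, as the practice text describes.
SLA_DAYS = {
    "critical": {"report": 1, "correct": 7},
    "high": {"report": 2, "correct": 30},
    "medium": {"report": 5, "correct": 60},
    "low": {"report": 10, "correct": 90},
}


@dataclass
class Flaw:
    """One tracked flaw. flaw_id is a constructed tracker id, not a CVE."""
    flaw_id: str
    asset: str
    severity: str
    discovered: date
    reported: Optional[date] = None   # date reported to security personnel
    corrected: Optional[date] = None  # date the fix/patch was applied


def evaluate_flaw(flaw: Flaw, as_of: date) -> List[str]:
    """Return SLA findings for one flaw as of a given date.

    An open flaw is 'overdue' once its window has passed; a closed flaw is
    'late' if the recorded action happened after the window closed.
    """
    if flaw.severity not in SLA_DAYS:
        raise ValueError(f"{flaw.flaw_id}: unknown severity {flaw.severity!r}")
    sla = SLA_DAYS[flaw.severity]
    report_due = flaw.discovered + timedelta(days=sla["report"])
    correct_due = flaw.discovered + timedelta(days=sla["correct"])
    findings: List[str] = []

    if flaw.reported is None:
        if as_of > report_due:
            findings.append("report overdue")
    elif flaw.reported > report_due:
        findings.append("reported late")

    if flaw.corrected is None:
        if as_of > correct_due:
            findings.append("correction overdue")
    elif flaw.corrected > correct_due:
        findings.append("corrected late")

    return findings


def evaluate_all(flaws: List[Flaw], as_of: date) -> Dict[str, List[str]]:
    """Map each flaw id to its findings; an empty list means within SLA."""
    return {f.flaw_id: evaluate_flaw(f, as_of) for f in flaws}


def compliance_rate(results: Dict[str, List[str]]) -> float:
    """Fraction of flaws with no findings; useful as an assessment artifact."""
    if not results:
        return 1.0
    return sum(1 for v in results.values() if not v) / len(results)


# Constructed sample records (not real systems or vulnerabilities).
AS_OF = date(2024, 3, 15)
SAMPLE_FLAWS = [
    Flaw("FLAW-0001", "file-server-01", "critical", date(2024, 3, 1),
         reported=date(2024, 3, 1), corrected=date(2024, 3, 5)),
    Flaw("FLAW-0002", "workstation-17", "high", date(2024, 2, 1),
         reported=date(2024, 2, 5)),                       # still open
    Flaw("FLAW-0003", "printer-03", "low", date(2024, 3, 10)),
    Flaw("FLAW-0004", "vpn-gateway", "medium", date(2024, 1, 1),
         reported=date(2024, 1, 3), corrected=date(2024, 3, 10)),
]

if __name__ == "__main__":
    results = evaluate_all(SAMPLE_FLAWS, AS_OF)
    for flaw_id, findings in results.items():
        print(flaw_id, "OK" if not findings else "; ".join(findings))
    print(f"within SLA: {compliance_rate(results):.0%}")
```

Run against the sample data, FLAW-0002 is flagged both for a late report and an overdue correction, FLAW-0004 for a late correction, and the other two are within their windows. A report like this, kept alongside the patch and signature-update records the Examine method lists, gives an assessor direct evidence for both halves of each objective.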
SI.1.210 assessment objects: A C3PAO can assess document-based artifacts associated with your system; hardware, software, or firmware safeguards; protection-related actions supporting your system that involve people; and any other personnel related to these elements.
What are the Assessment Methods for SI.1.210?
Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for SI.1.210.
Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. In regards to SI.1.210, a C3PAO may examine the system and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; the system security plan; the list of flaws and vulnerabilities potentially affecting the system; and the list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).
Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. A C3PAO may interview system or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; and personnel with configuration management responsibility.
Test: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. For SI.1.210, a C3PAO may test mechanisms supporting or implementing the reporting and correcting of system flaws, and mechanisms supporting or implementing the testing of software and firmware updates.
How Do I Know if I’m Complying with the SI.1.210 Practice?
System and Information Integrity is a domain that builds upon the concepts of Access Control and establishes further specifics that require attention. You may already have made progress and put measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be unsure of what C3PAOs might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you improve your standing towards compliance and take you one step closer to achieving CMMC Level 1 certification.