
Browser Security Is Crucial for CMMC 2.0 Compliance


CMMC, the Cybersecurity Maturity Model Certification, is intended to ensure that the Defense Industrial Base protects: 

  • Sensitive Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI) 

CMMC 1.0 had a five-level maturity model, with each level requiring specific cybersecurity practices and processes. CMMC 2.0 streamlines the program, aligning with NIST SP 800-171, with three maturity levels:

  1. Level 1 (Foundational)
  2. Level 2 (Advanced)
  3. Level 3 (Expert)

Level 2, specifically, is crucial for organizations handling CUI and requires adherence to NIST SP 800-171 requirements.

In a modern world where (a) highly adaptive and evasive threats (HEAT) are browser-borne and (b) web browsers have emerged as superapps [1] where most users spend most of their days, it’s arguable that browser security is a crucial component of CMMC 2.0 compliance. Without dedicated security, the unprotected web browser has vulnerabilities that can lead to data loss.

Here are a few reasons why browser security is crucial for CMMC compliance:

1. Browser Security can defend CUI from unauthorized access

CMMC 2.0 Level 2 mandates stringent access control measures to protect CUI. Browser security features, such as managed browser configurations, data loss prevention (DLP) policies, and multi-factor authentication (MFA) for web-based applications, are vital for ensuring that only authorized personnel access CUI.

2. Mitigating Risks from Malicious Code and Exploits

According to the recent Menlo Security State of Browser Security Report, increasingly sophisticated cybercriminals are now leveraging AI-powered attacks, phishing-as-a-service (PhaaS), and zero-day vulnerabilities to target unprotected web browsers. In the midst of this, CMMC 2.0 requires organizations to protect against malicious code and exploits, aligning with NIST SP 800-171's focus on vulnerability management. Regular security updates are crucial for preventing malicious code from compromising endpoints and for protecting sensitive data. But guess what: it’s hard to get users to restart browsers or their computers. Cloud-based browser security can implement updates on pace with every resolved exploit, and users are protected from zero-days faster. Oh yes, in regard to restarting that PC? That’s a reason why replacement browsers can’t help you comply with CMMC.

3. Ensuring Secure Web Application Usage

Web-based applications have become the primary way most businesses manage critical business processes that handle CUI. CMMC 2.0 demands strong security controls on business applications. 

4. Addressing User Behavior and Awareness

Returning to the State of Browser Security Report, phishing remains a huge problem:

Browser-based phishing attacks – especially those leveraging evasive phishing techniques and business collaboration tools such as Slack or Teams – have become more convincing and harder to detect. Brand impersonation has been used at an accelerating rate in phishing attacks to deceive the user about a site’s legitimacy.

CMMC 2.0 stresses the importance of user awareness and training. But training can go only so far. Menlo Protect with HEAT Shield AI blocks zero-hour phishing attempts for full click-time protection, often up to six days before other vendors can detect such threats.

Here’s a checklist for implementing browser security to help comply with CMMC 2.0:

✓ Pick the right architecture: Replacement browsers won’t cut it. They can’t keep pace with innovations that require the latest desktop capabilities, and don’t forget that users won’t restart their PCs. With cloud-based browser security, the browser taking the hits from threat actors is always up to date and running in a disposable container

✓ Don’t forget files and archives in web traffic: Files and archives of enormous sizes can transit browser traffic. Network equipment can’t see full files. Replacement browsers can’t manage password-protected files. Menlo offers file hash checks, anti-virus, and sandboxing for files and archives. Close that malware vector!

✓ Provide secure access to internal apps for your dynamic user community: Menlo Secure Application Access can replace your VPN and provide secure access to internal applications via the Menlo Secure Cloud Browser. It’s the fastest way to deliver secure access to contractors and other BYOD users

✓ Compliance with efficiency: Browser security can reduce alert volume from legacy detection devices by up to 70%, making your SOC more efficient

✓ Leverage DLP that includes Browser Context: Prevent data loss on the browser channel with DLP that inspects full files and archives carried in HTML, even password-protected ones, and with browser usage controls like paste limitations

Complying with CMMC 2.0 is a journey, at least considering that there are varying compliance levels. Considering the web browser’s growing role in accessing FCI and CUI, you need browser security as part of a layered security model to stop web-borne threats. The Menlo Secure Enterprise Browser solution provides a powerful path for Defense Industrial Base contractors to attain CMMC 2.0 compliance and protect FCI and CUI.

Menlo can help. Read the tech brief for more information on how the Menlo Secure Enterprise Browser solution assists organizations in their journey to CMMC compliance.

---------------

[1] Gartner, G00782898, Emerging Tech: Security — The Future of Enterprise Browsers, April 2023
