MISI & Cyber Maturity Model Certification
MISI has been an integral part of the CMMC standards development process and we are contracted by the Pentagon's Office of Small Business Programs (OSBP) to work with small businesses, HBCUs, Colleges and manufacturers. MISI is leading the DoD's Project Spectrum CMMC compliance for small and medium sized defense industrial base (DIB) companies pilot.
For two years, our organization has used our cyber labs to test leading cyber solutions and to prototype and integrate open source and proprietary cyber technologies that can assist the DIB with CMMC compliance.
MISI is also contracted to conduct training and outreach events at our 40,000 SQFT facility and around the United States.
The Maryland Innovation and Security Institute's (MISI) DreamPort team have been testing and evaluating tools and techniques that can be used by manufacturers to accelerate the ability to prepare and comply with the upcoming CMMC standard and eventual DoD Far modifications that will make the CMMC mandatory.
The data we are collecting from our testing and evaluation efforts is designed to provide information on efficacy, pricing and ease of use of various industry solutions.
MISI Tested Solutions for Manufacturers
MISI has been leading the way for since 2018 in the test and evaluation of solutions that can meet the need of manufacturers who are DoD prime or subcontractors to comply with NIST-800-171 and or the upcoming CMMC standard.
Many companies think IT when it comes to CMMC compliance and are not experienced or familiar with the unique challenges manufacturers have in their enterprise which includes IT, OT and IoT technologies that must be assessed, patched and monitored for compliance.
How Does MISI's DreamPort Team Conduct Test & Evaluation
The MISI DreamPort team broadly advertises to industry the opportunities to provide their solutions that are designed to conduct automated cyber risk assessments of environments with IT and industrial control networks and devices that are typical in manufacturing environments.
Our team evaluates submissions from the various solution companies to ensure that their solutions are viable and likely to be able to support the purpose of our testing that includes the ability of the solution to provide data needed to assess compliance with NIST 800-171 and the CMMC standard.
The MISI team utilizes its labs that are set up with multiple test IT and manufacturing networks and that utilize operating systems, servers, desktops, programmable logic controllers, representative manufacturing equipment and certain processes utilized in small to medium sized manufacturing environments, it is our mock factory test bed.
Additional testing can occur in live Defense Industrial Base manufacturing (DIB) customers that have volunteered to allow use of their networks and manufacturing environments to test certain software and hardware tools to determine the effectiveness of such tools to assist DoD manufacturers with cyber audit and compliance requirements, to our team for testing in our labs and or live testing in manufacturer facilities that have volunteered their organizations to participate in our testing and evaluation efforts.
The combination of testing in our labs and live testing provides an unparalleled body of information on how certain tools can accelerate compliance with NIST and CMMC standards and regulations but also at what cost and what level of effort. Key to our quest for information is the desire to find solutions that are cost effective, that work and are minimally disruptive to business operations.
Test & Evaluation Personnel
Our test and evaluation personnel are experienced cyber, data scientist, electrical and mechanical engineers and an advisory team of resources from government, academia and the manufacturing sector.
Our test and evaluation process include the testing of how the selected tools respond to cyber attacks designed to disrupt IT and related manufacturing operations. So, while collecting data that can provide the information needed to prepare and close gaps in compliance with CMMC and NIST standards is important, alerting manufacturers to impeding or active cyber threats is also an important part of our test and evaluation efforts.
Continuous Monitoring & Assessment
While auditing of manufacturers is an initial important part of how DoD plans to assess manufacturers compliance with the CMMC, it is well understood that continuous monitoring and risk assessments is truly the only way to cost effectively and quickly assess the cyber compliance and resilience of any manufacturer that the DoD is considering for award of important DoD contracts.
Our team has designed and has been actively testing a solution and data agnostic cloud based continuous monitoring capability that can collect cyber risk data associated with the CMMC and correlate the collected data against the CMMC requirements to determine compliance.
The testing is being conducted using a variety of appliances and software solutions designed to assess cyber threats and vulnerabilities for manufacturers and other industrial control heavy environments. All current testing is being conducted in actual manufacturing environments.
Representative Test & Evaluation Criteria
- Agent – Does the solution require an agent (installation)? Agents are small software modules that are installed on hardware and collect information.
- Install Time – What is the average install time?
- Business Interference – Would installation affect the operational ability of the client business?
- Machine Learning Training – If the software uses machine learning, how long does the software tool require to learn the target environment?
- Bake-in Period – Can the solution reduce dwell time and identify and detect threats in an environment on day one, as soon as it has been deployed (i.e., no "bake-in" period)?
- External Network Calls – Does the solution reach out to any external networks for analysis/assessment?
- Government Cloud – Would the solution be able to connect to a secure government cloud? This type of capability can accelerate pushing data to CMMC cloud-based assessment tools and databases.
- Government Contract – Is the solution currently available in any government procurement contract?
- Installation Options – Does the solution have a variety of installation options? For example, as a hardware appliance or as a virtual appliance?
- Data Exportation – Can data collected be exported to support compliance tools?
- On-premises vs Cloud – Does the solution require a cloud only approach to implementation or does it support a non-cloud on premise implementation option?
- API, Query and Export – Does the solution provide the capability to make queries on all the collected data and to export the results in common formats to allow further analysis with external tools?
- Role-based Views and Security – Does the solution provide the capability to create different custom dashboards, with views of data and alerts based on roles/logins? Does the solution support multifactor authentication?
- Report Customization Options – Does the solution support the generation of different reports from the data contained in the system in different sizing layouts) and formats, such as PDF, CSV or Excel?
- Support for Data At Rest and Data In Motion Encryption – Does the solution allow and support multiple encryption options that can ensure the integrity and security of the data collected.
- IPv4/6 – Can the solution detect IPv4 and IPv6 assets?
- Customized Alerts – Does the solution provide the ability to customize the criticality of the alerts in accordance to the values of specific parameters like IP address, MAC addresses, ports, protocols, involved in the event?
- Alert Notifications – Does the solution provide alerts and notifications of anomalies and deviations from normal and display them to operators and administrators?
- Time-based Network Analysis – Can the solution provide the ability to compare the complete status of the ICS network at two different times or snapshots, in order to analyze the changes occurred in a particular interval (e.g. added/removed nodes, links, variables, etc.)?
- Threat Detection – Does the solution detect actual or attempted unauthorized network access and movement, malformed traffic, rogue devices, man in the middle attacks, device spoofing and other suspicious network activity?
- Logging – Does the solution dynamically log devices and communications between devices in real-time and off-line?
- Log Ingestion – Does the solution have the ability to passively ingest, process, and correlate logs in the environment?
- Monitoring – What kind of systems (historians, devices) can be monitored?
- Behavior Analytics – Does the solution utilize threat behavior analytics?
- Machine Learning Behavior Analytics – Does the solution implement machine learning for anomaly detection? Threat Detection?
- PLC Integrity Validation – Does the solution conduct PLC integrity validation?
- Licensing – What licensing model does the solution employ (i.e. per node, per device, flat rate, etc.)?
- Support – What kind of support option does the company have (i.e. 24/7 support)? How is it priced?
- Training – What type of training is available for the solution? On site? Virtual? What is the cost of training?
- Score – Does the solution assign any threat/vulnerability score upon completion of a scan?
- Asset Characterization – Does your solution fingerprint or characterize the assets (historian vs PLC)? Is your solution active, passive or a combination?
- IoC/YARA – Can your solution allow for ingestion of indicators of compromise, YARA rules?