Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CMMC Operations Report

by Cody Dumont
October 14, 2020

CMMC Operations Report

The Cybersecurity Maturity Model Certification (CMMC) was developed to create a framework to assess an organization's implementation of cybersecurity practices evenly across the defense industrial base.  Using NIST 800-53 and NIST 800-171 as the baseline, the primary objective of CMMC is to consolidate the two security catalogs into a single measurable framework. Over the next 5 years, starting in June 2020, organizations that create Government off-the-shelf (GOTS) products, handle Federal Contract Information (FCI), or Controlled Unclassified Information (CUI) will need to show compliance at 1 of the 5 levels. Only Cyber 3rd Party Accreditation Organizations (C3PAO) will be able to certify an organization as compliant or not. Tenable.sc provides on-prem solutions for assessing Cyber Exposure practices and maps these practices to known assessment regulations such as NIST, CSF, and others. This report provides the operation teams with detailed needed to assess the current state of the network.

The first step in achieving any level of compliance with CMMC begins with an understanding of the current environment. The CISO must be able to understand the current state of patch management, system hardening, and different methods of system classification. This report focuses on a few key domains in CMMC, they are: Risk Management (RM), Security Assessment (CA), Media Protection (MP), and Configuration Management (CM). Each of these domains are starting points into other domains, for example the CM domain is a requirement before assessments into Identification & Authentication (IA) & System & Information Integrity (SI). The CM domain is the basis for hardening standards that are outlined by Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), or the Center for Internet Security (CIS) Benchmarks. Both sets of hardening guidelines are auditable using the Tenable Audit files, and provide the foundation for good system configuration and hardening. Once these standards are widely deployed in the network, the risk managers can begin to evaluate other CMMC domains such as the aforementioned IS or SI. For example, the IA domain requires, "Enforce a minimum password complexity and change of characters when new passwords are created." While CM requires organizations to "establish and enforce security configuration settings for information technology products employed in organizational systems." These two controls work together and provide the CISO with tools needed to measure and discuss the current status of risk with other contributors.

This report starts by providing an executive summary of the vulnerability and compliance status using Tenable.sc. Then each chapter breaks out into more operational details allowing the CISO, risk managers, and IT managers to clearly develop a plan of action and work toward achieving different maturity levels. A key aspect to mitigating risk is to understand the current likelihood of a vulnerability being exploited by adversaries. Tenable created the Vulnerability Priority Rating (VPR) to help add current threat intelligence to the risk analysis process. At the heart of VPR is a series of machine learning models working together to forecast threats. Specifically, the threat forecast seeks to answer the question: What is the appropriate level of near-term threat for a vulnerability based on the latest available data?

As the CISO and IT managers also work together to establish the hardening standards that are appropriate for the organization. These configuration settings will most likely be different for each organization, and Tenable provides audit files for a majority of the CIS Benchmarks and DISA STIGs. In both cases Tenable.sc uses a field called Cross Reference to connect the NIST 800-53, to NIST 800-171, and to other standards such as the Cybersecurity Framework. The CMMC cross links all these widely accepted standards together and provides organizations with a well-established baseline to begin reducing risk. As CMMC maturity levels are achieved, the more mature the security practices become. This report helps to pull this configuration data together in a detailed view to aid in the improvement of compliance planning.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance and Configuration Assessment. The report requirements are:

  • Tenable.sc 5.14.1
  • Nessus 8.10.1
  • Tenable Audit Files

Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provides the ability to continuously assess the implementation of cybersecurity practices and institutionalization of cybersecurity processes. Regardless of the maturity model the organization is measuring against, Tenable.sc provides the essential information to report accurate and reliable metrics.

This report contains:

Executive Summary: The Executive Summary chapter summarizes the operational status of the organization's efforts to achieve CMMC compliance. The chapter provides a trend comparison of the compliance checks and current vulnerabilities compared to resurfaced vulnerabilities. In additions there are matrices that provide summary counts on current, mitigated, configuration checks, and vulnerability detection methods.

Risk Management: This chapter provides the operations team with detailed information about the most critical risks identified on the network. Tenable.sc tracks the life time of the vulnerability and records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated.  This chapter provides details to support vulnerability management service level agreement, and tracking mitigation efforts and provides focus on the most vulnerable hosts.  

Anti-Virus Vulnerability Details: CMMC requires organizations to maintain anti-virus and anti-malware solutions.  This chapter provides a summary view of how the organization is progressing with managing the anti-virus and anti-malware solutions.  

Configuration Compliance Details: The CMMC relies heavy on several audit standards such as NIST 800-53, NIST 800-171, and CSF.  This chapter provides several different views into the compliance configuration checks and with asset classification.

Systems By Detection Method: Tracking system detection methods is helpful when understanding where assets are located and how other systems may interact with said systems.  This chapter breaks out systems detected methods and sensor type. Focusing on active and passive detections, the chapter then highlights the direction in which communications are observed. 

Try for Free Buy Now

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.