Foghorn Consulting was retained by an aerospace client to perform AWS Architecture and Infrastructure engineering work to assist with obtaining the Cybersecurity Maturity Model Certification.
The Cybersecurity Maturity Model Certification (CMMC) framework is the Department of Defense’s (DoD) unifying standard for the implementation of cybersecurity measures within the Defense Industrial Base (DIB). The CMMC Assessment Guides that are developed, maintained, and published by the DoD provide the objectives, specific criteria, and technical guidelines for assessing the conformance of DIB organizations seeking CMMC Certification to the applicable cybersecurity practices of the CMMC standard, which is grounded in the National Institute of Standards and Technology (NIST) Special Publication 800-171. These guides serve as the controlling technical authority for the purposes of assessing the implementation of CMMC practices.
Foghorn worked in collaboration with the client to bring their AWS environment into CMMC compliance by leveraging AWS services and native tooling, including AWS Config, Organizations, SSO, GuardDuty, and Security Hub. Deployment and infrastructure as code (IaC) were completed via Terraform.
Creating the proposal
The client had retained Foghorn in previous engagements for work related to DevSecOps pipelines. A scope and statement of work was requested outlining the work needed for CMMC framework compliance.
Foghorn provided a Work Breakdown Structure (WBS) that outlined the estimated hours for each deliverable in the effort scope. The total was estimated at 130 hours of highly technical resource time.
When the Statement of Work was executed, Foghorn onboarded senior engineering resources holding the following AWS certifications and specialties relevant to the effort:
- AWS Certified Solutions Architect Professional for Architecture Support
- AWS Certified Security – Specialty for tooling and implementation, as well as IAM and Organizations management.
- AWS Certified Advanced Networking – Specialty for VPC and Network Architecture work.
Foghorn engineers began building this solution for the client in mid-April, and the final task for CMMC compliance tooling was completed in mid-June, totaling two months of work from scope to completion.
At the completion of Foghorn's engagement, the client had a clear understanding of their AWS cloud security and compliance posture. By implementing native AWS services and tooling with Foghorn's expertise, the client gained the ability to maintain and assess their current CMMC compliance status in their AWS environment.
Metrics generated from this engagement with respect to the implementation consisted of several key performance indicators. The first was the correct detection of non-compliance within the AWS environment using the rule sets generated from NIST 800-171 guidelines within AWS Config. Additionally, AWS Security Hub and AWS GuardDuty were employed to validate findings and maintain visibility across the AWS environment.
The second metric was the proper securing of single sign-on with respect to the Authentication, Authorization, and Accounting of the environment (also referred to as the three A's of Identity and Access Management). Permission sets were vetted by the client teams to validate that stakeholders received least-privilege access: enough to complete their tasks and assignments within the AWS environment, and no more.
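The permission-set vetting described above comes down to a small set of Terraform resources. The following is an added example, not the client's or Foghorn's code: a single-purpose IAM Identity Center (AWS SSO) permission set that grants read access to audit evidence only, assigned to one group in one account. The group name and account id are placeholders.

```hcl
# Added example (not the client's or Foghorn's code): a single-purpose IAM Identity
# Center (AWS SSO) permission set that grants read access to audit evidence only,
# assigned to one group in one account. Group name and account id are placeholders.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Resolve the group that should receive the role by its display name.
data "aws_identitystore_group" "audit_readers" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "cmmc-audit-readers" # placeholder group name
    }
  }
}

resource "aws_ssoadmin_permission_set" "audit_read" {
  name             = "CMMCAuditRead"
  description      = "Read-only access to CloudTrail, Config and Security Hub evidence"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H" # short sessions bound the lifetime of any leaked credentials
}

# Only the read actions the task needs; no mutating actions, no service-wide wildcards.
data "aws_iam_policy_document" "audit_read" {
  statement {
    sid    = "ReadAuditEvidence"
    effect = "Allow"
    actions = [
      "cloudtrail:LookupEvents",
      "config:GetComplianceDetailsByConfigRule",
      "config:DescribeConformancePackCompliance",
      "securityhub:GetFindings",
    ]
    # most of these lookup APIs do not support resource-level permissions, so "*" is
    # the narrowest resource that works; the action list carries the restriction
    resources = ["*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "audit_read" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.audit_read.arn
  inline_policy      = data.aws_iam_policy_document.audit_read.json
}

# Bind group -> permission set -> account. Granting a second account is one more
# assignment, not a new policy, which keeps the review surface small.
resource "aws_ssoadmin_account_assignment" "audit_read" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.audit_read.arn
  principal_id       = data.aws_identitystore_group.audit_readers.group_id
  principal_type     = "GROUP"
  target_id          = "111111111111" # placeholder AWS account id
  target_type        = "AWS_ACCOUNT"
}
```

Because the policy and the assignment live in version control, the client's review of "who can do what, where" is a diff review: a reviewer can reject a pull request that widens the action list or adds an assignment before it ever reaches the environment.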
Accurate accounting of all actions within the environment by users and service accounts was accomplished using a centralized CloudTrail for audit purposes, and VPC Flow Logs were implemented for network traffic inspection. KPIs consisted of accurate reference to and confirmation of logging for both actions within the environment and VPC-to-VPC and VPC-to-on-premises network traffic inspection.
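The two logging sources named above, as an added Terraform example that is not the client's or Foghorn's code: an organization-wide, multi-region CloudTrail written to one central bucket, plus VPC Flow Logs for one VPC delivered to CloudWatch Logs. The bucket name and VPC id are placeholders, and the trail is assumed to be created from the Organizations management account with trusted access enabled for CloudTrail.

```hcl
# Added example (not the client's or Foghorn's code): organization-wide CloudTrail
# to a central bucket, plus VPC Flow Logs to CloudWatch Logs. Bucket name and VPC id
# are placeholders. Assumes the trail is created in the Organizations management
# account with trusted access enabled for cloudtrail.amazonaws.com.

resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-org-cloudtrail-logs" # placeholder; bucket names are global
}

resource "aws_s3_bucket_public_access_block" "audit_logs" {
  bucket                  = aws_s3_bucket.audit_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CloudTrail needs GetBucketAcl on the bucket and PutObject under AWSLogs/.
data "aws_iam_policy_document" "audit_logs" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.audit_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit_logs.arn}/AWSLogs/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  policy = data.aws_iam_policy_document.audit_logs.json
}

resource "aws_cloudtrail" "org" {
  name                          = "org-audit-trail"
  s3_bucket_name                = aws_s3_bucket.audit_logs.id
  is_organization_trail         = true # every member account, current and future
  is_multi_region_trail         = true
  include_global_service_events = true # IAM, STS and other global API calls
  enable_log_file_validation    = true # signed digests make tampering detectable
  depends_on                    = [aws_s3_bucket_policy.audit_logs]
}

# VPC Flow Logs: the log group, the role the service assumes, and the flow log itself.
resource "aws_cloudwatch_log_group" "flow" {
  name              = "/vpc/flow-logs"
  retention_in_days = 365
}

data "aws_iam_policy_document" "flow_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow" {
  name               = "vpc-flow-logs-to-cloudwatch"
  assume_role_policy = data.aws_iam_policy_document.flow_assume.json
}

# Write access is scoped to the one log group rather than "*".
data "aws_iam_policy_document" "flow_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["${aws_cloudwatch_log_group.flow.arn}:*"]
  }
}

resource "aws_iam_role_policy" "flow" {
  name   = "write-flow-logs"
  role   = aws_iam_role.flow.id
  policy = data.aws_iam_policy_document.flow_write.json
}

resource "aws_flow_log" "vpc" {
  vpc_id               = "vpc-0123456789abcdef0" # placeholder VPC id
  traffic_type         = "ALL"                   # accepted and rejected flows
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow.arn
}
```

Two settings carry most of the audit value: `is_organization_trail` means a newly created member account is logged from its first API call without anyone remembering to add a trail, and `enable_log_file_validation` gives the assessor a way to prove that delivered log files have not been altered since CloudTrail wrote them.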
Issues mainly stemmed from a few of the larger rule sets within NIST 800-171 at the time of implementation. Foghorn engineers built out the rule sets and discovered that some parameters would not work within the argument limits out of the box. This was instead accomplished by taking a modular approach to the rule sets and implementing them in phases. Doing so allowed the environment to come into CMMC compliance gradually while incurring no downtime in the production environment during the work.
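The phased, modular rollout described above can be expressed directly in Terraform. What follows is an added example, not the client's or Foghorn's code: an AWS Config recorder and delivery channel, the NIST 800-171 rule set split into several conformance packs deployed one phase at a time, and two standalone managed rules that back the logging KPIs. The template file names and the delivery bucket are placeholders, and the YAML templates are assumed to be per-control-family subsets of the AWS-published NIST 800-171 conformance pack kept in the repository.

```hcl
# Added example (not the client's or Foghorn's code): Config recorder, the NIST 800-171
# rule set as several conformance packs rolled out in phases, and two managed rules.
# Template file names and the delivery bucket are placeholders; each YAML file is
# assumed to be a subset of the AWS-published NIST 800-171 conformance pack.

data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "aws-config-recorder"
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true # IAM users, roles and policies
  }
}

resource "aws_config_delivery_channel" "this" {
  name           = "default"
  s3_bucket_name = "example-config-delivery" # placeholder bucket with a Config bucket policy
  depends_on     = [aws_config_configuration_recorder.this]
}

resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}

# One conformance pack per phase. Adding a key rolls out the next phase without
# touching the packs already in place, and each pack stays within the per-pack limits
# that a single monolithic pack can exceed.
locals {
  nist_800_171_phases = {
    "phase1-access-control"       = "conformance-packs/nist-800-171-phase1.yaml"
    "phase2-audit-accountability" = "conformance-packs/nist-800-171-phase2.yaml"
    "phase3-system-protection"    = "conformance-packs/nist-800-171-phase3.yaml"
  }
}

resource "aws_config_conformance_pack" "nist_800_171" {
  for_each      = local.nist_800_171_phases
  name          = "nist-800-171-${each.key}"
  template_body = file("${path.module}/${each.value}")
  depends_on    = [aws_config_configuration_recorder_status.this]
}

# Standalone managed rules that back the logging KPIs.
resource "aws_config_config_rule" "multi_region_trail" {
  name = "multi-region-cloudtrail-enabled"

  source {
    owner             = "AWS"
    source_identifier = "MULTI_REGION_CLOUD_TRAIL_ENABLED"
  }
  depends_on = [aws_config_configuration_recorder_status.this]
}

resource "aws_config_config_rule" "flow_logs" {
  name             = "vpc-flow-logs-enabled"
  input_parameters = jsonencode({ trafficType = "ALL" })

  source {
    owner             = "AWS"
    source_identifier = "VPC_FLOW_LOGS_ENABLED"
  }
  depends_on = [aws_config_configuration_recorder_status.this]
}
```

Rolling out phase by phase has a second benefit beyond the limits: each phase's NON_COMPLIANT findings arrive as a bounded list that the client teams can triage and remediate before the next phase is enabled, rather than a single flood of findings on day one.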
Internal documentation of common problems and known resolutions was generated and can be leveraged in the next iteration of this exercise, resulting in faster time to completion and lower cost to the client.
By leveraging IaC frameworks (Terraform), AWS native tooling, and Foghorn engineering expertise, the client was able to implement a low-cost, repeatable, and automated approach to CMMC compliance.