The DoD is rolling out its new cybersecurity audit plan built around NIST SP 800-171: the Cybersecurity Maturity Model Certification, or CMMC. It means checking contractors' compliance against a very strict checklist of assessment objectives, each of which must be backed by at least one piece of evidence of completion, although the auditor can ask for more than one. The evidence must be adequate (it does the right thing) and sufficient (it does so in all the right places across the system) to prove compliance.
This is going to be a high bar when assessed according to the written guidance. None of these instructions say you must have a SIEM (Security Information and Event Management System), so do we really need one?
What is a SIEM anyway?
A Security Information and Event Management (SIEM) system is a technology solution designed to detect, monitor, and analyze security events within an IT environment. SIEM combines two essential security functions: Security Information Management (SIM), which involves the collection, storage, and analysis of log data, and Security Event Management (SEM), which focuses on real-time monitoring, correlation, and alerting of security incidents. By integrating these capabilities, SIEM platforms provide a centralized view of security data across an organization, enabling enhanced incident detection and response.
The SIEM is truly the heart of an active cybersecurity operation. There are low-maturity companies hoping their defenses hold up, with little way of telling whether they do because they have no SIEM; then there are companies that have taken the next step in cybersecurity maturity and have one. The dividing line is that stark. Companies need many things in pursuit of good cybersecurity, but a SIEM is a core tool.
That still doesn't mean CMMC says you have to have one. However, there are several places in the CMMC/171 controls and assessment objectives that drive us toward SIEM for nearly all companies pursuing a CMMC certification.
You can technically be certified without one, but it is really difficult, and generally a SIEM is the easiest and least costly approach to meeting a number of CMMC controls.
The focus is really on the SIM logging functions. There are 45 assessment objectives from 12 controls that speak to monitoring or logging and that a SIEM can be used to meet; most of these explicitly call for logging or monitoring. Using SIEM rule sets, you can automate the monitoring function and create alerts that meet CMMC monitoring requirements. Below is a list of assessment objectives that could be met with a SIEM.
Relevant Assessment Objectives (AOs)
AC.L2-3.1.7.d [d] the execution of privileged functions is captured in audit logs.
AC.L2-3.1.12.d [d] remote access sessions are monitored.
AU.L2-3.3.1.d [d] audit records, once created, contain the defined content;
AU.L2-3.3.1.f [f] audit records are retained as defined.
AU.L2-3.3.4.a [a] personnel or roles to be alerted for an audit logging process failure are identified;
AU.L2-3.3.4.b [b] types of audit logging process failures for which alert will be generated are defined;
AU.L2-3.3.4.c [c] identified personnel or roles are alerted in the event of an audit logging process failure.
AU.L2-3.3.8.a [a] audit information is protected from unauthorized access;
AU.L2-3.3.8.b [b] audit information is protected from unauthorized modification;
AU.L2-3.3.8.c [c] audit information is protected from unauthorized deletion;
AU.L2-3.3.8.d [d] audit logging tools are protected from unauthorized access;
AU.L2-3.3.8.e [e] audit logging tools are protected from unauthorized modification; and
AU.L2-3.3.8.f [f] audit logging tools are protected from unauthorized deletion.
AU.L2-3.3.9.b [b] management of audit logging is limited to the defined subset of privileged users.
CM.L2-3.4.9.c [c] installation of software by users is monitored.
PE.L1-3.10.4.a [a] audit logs of physical access are maintained.
SC.L1-3.13.1.c [c] communications are monitored at the external system boundary;
SC.L1-3.13.1.d [d] communications are monitored at key internal boundaries;
SC.L2-3.13.13.b [b] use of mobile code is monitored.
SI.L2-3.14.3.a [a] response actions to system security alerts and advisories are identified;
SI.L2-3.14.3.b [b] system security alerts and advisories are monitored;
SI.L2-3.14.6.a [a] the system is monitored to detect attacks and indicators of potential attacks;
SI.L2-3.14.6.b [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks;
SI.L2-3.14.6.c [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
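To make concrete what "SIEM rule sets" look like against the objectives above, here is an added example (not code from the original article, and not any vendor's product) of a minimal rule engine run over constructed syslog-style lines. It tags privileged-function events (AC.L2-3.1.7.d) and user software installations (CM.L2-3.4.9.c), and it raises audit-logging-failure alerts (AU.L2-3.3.4.c) both for an explicit audit daemon error and for a host whose audit source has gone silent, routing them to the roles defined up front (AU.L2-3.3.4.a/b). The log format, host names, mailbox addresses and the five-minute heartbeat gap are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str
    message: str


@dataclass(frozen=True)
class Alert:
    ao: str       # CMMC assessment objective the alert provides evidence for
    rule: str
    host: str
    detail: str
    notify: str   # personnel or role alerted (AU.L2-3.3.4.a)


# Who is alerted for which class of finding. Addresses are constructed placeholders.
ALERT_ROUTING = {
    "AU.L2-3.3.4.c": "audit-admins@example.invalid",
    "AC.L2-3.1.7.d": "soc@example.invalid",
    "CM.L2-3.4.9.c": "soc@example.invalid",
}

# Defined types of audit logging process failure that generate an alert (AU.L2-3.3.4.b)
AUDIT_FAILURE_MARKERS = ("error", "disk full", "audit records may be lost")

# Constructed sample log in an assumed "ISO-timestamp host source: message" format.
SAMPLE_LOG = """\
2024-03-01T08:00:00 ws-01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/sbin/useradd svc-backup
2024-03-01T08:00:05 ws-01 auditd: heartbeat ok
2024-03-01T08:00:05 ws-02 auditd: heartbeat ok
2024-03-01T08:02:10 ws-02 dpkg: status installed curl:amd64 8.5.0-2
2024-03-01T08:05:05 ws-01 auditd: heartbeat ok
2024-03-01T08:07:30 ws-02 auditd: error: disk full, audit records may be lost
2024-03-01T08:10:05 ws-01 auditd: heartbeat ok
"""


def parse_line(line: str) -> Event:
    """Split one line into timestamp, host, source and free-text message."""
    ts, host, rest = line.split(" ", 2)
    source, message = rest.split(": ", 1)
    return Event(datetime.fromisoformat(ts), host, source, message)


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def run_rules(events, now, expected_hosts, max_gap=timedelta(minutes=5)) -> list[Alert]:
    """Apply the correlation rules and return every alert they produce."""
    alerts: list[Alert] = []
    last_heartbeat: dict[str, datetime] = {}

    for e in events:
        if e.source == "sudo":
            # Privileged function executed: keep it as audit evidence (AC.L2-3.1.7.d)
            alerts.append(Alert("AC.L2-3.1.7.d", "privileged_function", e.host,
                                e.message, ALERT_ROUTING["AC.L2-3.1.7.d"]))
        elif e.source == "dpkg" and "installed" in e.message:
            # Software installation by a user is monitored (CM.L2-3.4.9.c)
            alerts.append(Alert("CM.L2-3.4.9.c", "software_install", e.host,
                                e.message, ALERT_ROUTING["CM.L2-3.4.9.c"]))
        elif e.source == "auditd":
            if e.message.startswith("heartbeat"):
                last_heartbeat[e.host] = e.ts
            elif any(m in e.message.lower() for m in AUDIT_FAILURE_MARKERS):
                # Explicit audit logging process failure (AU.L2-3.3.4.c)
                alerts.append(Alert("AU.L2-3.3.4.c", "audit_failure", e.host,
                                    e.message, ALERT_ROUTING["AU.L2-3.3.4.c"]))

    # A source that stops reporting is also a logging failure, and one a log-content
    # rule can never see; the inventory of expected hosts is what makes it detectable.
    for host in sorted(expected_hosts):
        ts = last_heartbeat.get(host)
        if ts is None or now - ts > max_gap:
            since = ts.isoformat() if ts else "never"
            alerts.append(Alert("AU.L2-3.3.4.c", "audit_source_silent", host,
                                f"no auditd heartbeat since {since}",
                                ALERT_ROUTING["AU.L2-3.3.4.c"]))
    return alerts


def demo() -> list[Alert]:
    """Run the rules over the constructed sample at a fixed 'now'."""
    now = datetime.fromisoformat("2024-03-01T08:10:05")
    return run_rules(parse_log(SAMPLE_LOG), now, expected_hosts={"ws-01", "ws-02", "ws-03"})


if __name__ == "__main__":
    for a in demo():
        print(f"{a.ao:15} {a.rule:21} {a.host:6} -> {a.notify}: {a.detail}")
```

The host that never reports (ws-03 in the sample) is the case worth noting: a rule that only inspects log content will never fire for it, so the inventory of sources the SIEM expects to hear from is as much a part of the 3.3.4 evidence as the alert rule itself.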
So, technically you are not required to have a SIEM for CMMC, but without one it is pretty challenging. Having a SIEM and using it as intended can also provide significant risk reduction for cyber attacks.