General Information
Preference Documentation
Log Data Documentation
- Log Data Examples
- Interesting Types of Events
  - SSH Logins and Activity
Related Tech and Configurations
- macOS
Compliance
- cmdReporter and US Govt Standards Details
  - How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements
  - NIST 800-53r4 (high) controls met by using cmdReporter
- Security Baseline Reporting Preferences
  - Security Benchmark Reporting Logs

How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements

Daniel Griggs

Modified on: Mon, 9 Nov, 2020 at 4:11 PM

Overview

NIST Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

"All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts."
source

NIST 800-171 Sections Most Relevant to cmdReporter Operations

Section 3.3: Audit and Accountability

3.3.1 - Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.

cmdReporter generates and stores this information by default.

3.3.2 - Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

All cmdReporter events include the following attribution details.
Timestamp
Originating user account
Effective user account for event
Originating IP address of ssh connection
Machine UUID
Machine MAC address
Machine serial number

3.3.3 - Review and update audited events.

cmdReporter stores audit events in JSON to facilitate collection by security and log aggregation tools.

cmdReporter has Direct log collection support for:
Splunk
Logstash
More in development

3.3.4 - Alert in the event of an audit process failure.

cmdReporter will log any errors to the audit system or cmdReporter itself.

3.3.5 - Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.

3.3.6 - Provide audit reduction and report generation to support on-demand analysis and reporting.

3.3.7 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

3.3.8 - Protect audit information and audit tools from unauthorized access, modification, and deletion.

3.3.9 - Limit management of audit functionality to a subset of privileged users.

Section 3.6: Incident Response

3.6.1 - Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

3.6.2 - Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Section 3.13: System and Communications Protection

3.13.1 - Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Section 3.14: System and Information Integrity

3.14.6 - Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

3.14.7 - Identify unauthorized use of the information system.