Complying with CMMC Configuration Management Requirements: Why Patching Isn’t Enough


Over the next few months, the Department of Defense (DoD) will start to incorporate Cybersecurity Maturity Model Certification (CMMC) requirements into its solicitations. This means that organizations in the Defense Industrial Base (DIB) that manage Controlled Unclassified Information (CUI) will soon need to establish capabilities for complying with these requirements and demonstrating these efforts in attestations and audits.

To comply with these requirements, teams will need to institute robust mobile device security. In this post, we will provide some background on CMMC and the underlying standards that teams will need to address. In addition, we will discuss how mobile device integrity intersects with configuration management practices and highlight why patching alone is not enough to meet CMMC requirements.

CMMC Configuration Management Practices

Level 2 Configuration Management (CM) Practices detail the technical system security requirements for hardware, software, and firmware. Organizations seeking certification (OSCs) need to implement controls that align with the following practices:

  • CM.L2-3.4.1 – System Baselining: Establish and implement secure baseline configurations.
  • CM.L2-3.4.2 – Security Configuration Enforcement: Establish and enforce security configuration settings.
  • CM.L2-3.4.3 – System Change Management: Track, review, approve or disapprove, and log changes to systems.
  • CM.L2-3.4.4 – Security Impact Analysis: Analyze security impact prior to implementing changes.
  • CM.L2-3.4.5 – Access Restrictions for Change: Define, document, approve, and enforce physical and logical access restrictions associated with changes.
  • CM.L2-3.4.6 – Least Functionality: Configure systems to provide only essential capabilities.
  • CM.L2-3.4.7 – Nonessential Functionality: Restrict, disable, or prevent the use of non-essential programs, functions, ports, protocols, and services.
  • CM.L2-3.4.8 – Application Execution Policy: Apply a deny-by-exception policy to prevent the use of unauthorized software, or a permit-by-exception policy that allows only authorized software to execute.
  • CM.L2-3.4.9 – User-Installed Software: Control and monitor user-installed software.

Typically, teams know that they need to manage configurations for traditional devices, such as workstations and routers. However, the CMMC Assessment Guide specifically calls out mobile devices in the discussion section for these practices:

  • CM.L2-3.4.1 – System Baselining
  • CM.L2-3.4.3 – System Change Management

Since the guide includes mobile devices as part of system baselining and change management, teams should infer that all these practices must be applied to mobile endpoints.

NIST SP: Key Standards and Requirements

The CMMC draws from requirements specified in various National Institute of Standards and Technology (NIST) Special Publications (SP). In order to effectively address CMMC standards, it is vital to understand these various documents and the relevant context and guidance they provide. In the following sections, we’ll look at the specific publications and how they apply to configuration management and mobile technologies.

NIST 800-171 Revision 2: Configuration Management Controls

Level 2 CMMC 2.0 practices map to NIST SP 800-171 Revision 2 requirements. Within the configuration management control family, the first basic security requirement is 3.4.1:

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

In the discussion, this publication refers to SP 800-128 for guidance on security-focused configuration management.

NIST SP 800-128: Updates Reflect Increased Focus on Mobile

When NIST updated SP 800-128 in 2019, the agency included four new references to mobile devices, which it listed as substantive changes. These included updating its reference to NIST SP 800-124 under the publication's new title, “Guidelines for Managing the Security of Mobile Devices in the Enterprise.” The authors also replaced “personal computers” with “endpoints (e.g., laptops, desktops, mobile devices).”

Fundamentally, this shift in language and focus shows that NIST recognized mobile devices as critical to productivity and security.

NIST SP 800-124 Revision 2 and NIST SP 1800-4B: Underscoring the Unique Risks of Mobile Devices

NIST SP 800-124 Revision 2 (Draft) was published in 2020, while NIST SP 1800-4B Final was published in 2019. The two discuss the unique security risks that mobile devices pose to an organization’s networks and systems. Although the two use slightly different language, both reference mobile threats that teams need to consider when implementing their CMMC configuration management controls.

NIST SP 1800-4B, section 3.4, “Risk Assessment,” outlines the following common threats to mobile devices:

  • Mobile malware
  • Social engineering
  • Stolen data due to loss, theft, or disposal
  • Unauthorized access
  • Electronic eavesdropping
  • Electronic tracking
  • Access to data by legitimate third-party applications

Further, in 3.4.2, NIST SP 1800-4B details the vulnerabilities commonly associated with applications, including those installed by:

  • Device owners
  • Carriers
  • Operating system bundles

Mobile Device Vulnerabilities: Why Patching Falls Short

Mobile device vulnerabilities and threats become more challenging as teams look at them through the lens of CMMC configuration management practices. Installing operating system and app security updates enables teams to meet some configuration management requirements. However, the reality is that patching falls far short of meeting CMMC standards and establishing robust security.

There are a couple of key reasons for this. First, patching isn’t always an option. Security personnel may have no control over personal mobile devices, including whether their OSs are on the latest version, which apps are downloaded, and whether apps are updated in a timely manner or at all. Even when looking at company-owned devices, apps that come pre-installed from carriers and apps bundled with operating systems can jeopardize compliance.

Second, significant time can elapse between when vulnerabilities are identified and when a patch is even available, let alone installed. The reality is that vendors in the mobile device ecosystem, including both device manufacturers and app providers, may not deliver patches in a timely manner once vulnerabilities have been identified. For example, news reports indicated that it took Apple more than six months to address several zero-day vulnerabilities that had been discovered. A researcher detected these vulnerabilities in iOS versions 14 and 15, which meant millions of users were exposed.

This is compounded by the well-documented delays in getting patches installed. One report found that businesses take an average of 215 days to patch a reported vulnerability, and even for critical vulnerabilities, it often takes six months for patching to be completed.

When you consider that more than one-third of the zero-days discovered specifically targeted mobile devices, this represents a significant exposure, both from a security and CMMC compliance standpoint.

Why Mobile Threat Defense Capabilities Are a Requirement for CMMC Configuration Management

NIST SP 800-124 Revision 2 outlines various mobile security technologies, explaining how they deliver unique capabilities:

  • Mobile Device Management (MDM) enables deployment, configuration, and active management for mobile devices.
  • Mobile Application Management (MAM) enables the establishment and enforcement of fine-grained control over different apps on a single managed device.
  • Mobile Threat Defense (MTD) enables the detection of malicious apps, network-based attacks, improper configurations, and known vulnerabilities in mobile apps or the mobile OS.

MTD delivers comprehensive configuration management controls that help organizations maintain secure configurations for mobile apps and operating systems. MTD fills in the gaps that MDM and MAM leave behind, providing the robust mobile device security that teams need to achieve CMMC compliance.

Advanced MTD solutions deliver real-time mobile device analysis and logging, providing visibility into:

  • Device weaknesses
  • OS vulnerabilities
  • Network attacks
  • Phishing attacks
  • Application vulnerabilities

This continuous device attestation capability ensures that organizations can implement and, more importantly, enforce secure configuration baselines across their mobile device fleet, including user-owned devices.

Zimperium: Unique Mobile Device Configuration Management for CMMC Compliance

Finding the right set of technologies that protect CUI and ensure continued CMMC compliance poses a challenge for most organizations. However, with Zimperium, you can streamline your mobile device security and compliance initiatives—so you can achieve your top-level organizational goals.

Zimperium zIPS is an advanced MTD solution for enterprises, government agencies, and contractors in the DIB sector. With this solution, organizations can establish mobile device security controls that comply with CMMC standards and deliver advanced protections. To safeguard CUI against mobile threats and risks, zIPS detects mobile threats, notifies security teams of incidents, and blocks unauthorized access to resources. Used by many government agencies, including the DoD, Zimperium was the first MTD provider to be granted Authority to Operate (ATO) status under the Federal Risk and Authorization Management Program (FedRAMP).

With Zimperium zIPS, organizations can leverage the only on-device MTD solution that protects CUI across Android, iOS, and ChromeOS devices. The solution offers robust safeguards against known threats, zero-day attacks, and advanced persistent threats. zIPS keeps mobile devices secure without relying on cloud-based lookups, content scanning, or other privacy-invasive techniques.

zIPS is powered by z9, a dynamically updatable on-device engine. z9 applies behavioral and machine learning techniques to detect device, network, phishing, and mobile application attacks without relying on signature updates or an active network connection.

Zimperium’s Advanced App Analysis (z3A) enables zIPS to perform in-depth mobile application scanning for privacy and security risks. The solution delivers detailed privacy ratings, malware classifications, security ratings, and customizable app privacy settings.

For more information on how Zimperium zIPS MTD or the Zimperium Mobile Application Protection Suite (MAPS) can help you meet CMMC requirements, contact us today.

Author: Jim Kovach
Mobile Security Specialist, Public Sector.
