More Than MDM: Mobile Device Security for CMMC Compliance

Share this blog

Despite the upheaval over the last year, the Cybersecurity Maturity Model Certification (CMMC) isn’t going anywhere. While the Department of Defense (DoD) changed many requirements when it released CMMC 2.0, Defense Industrial Base (DIB) members need to focus their compliance efforts sooner rather than later. Although no official timeline formalizing CMMC 2.0 exists, the Pentagon’s director of CMMC policy, Stacy Bostjanick, has indicated that the DoD may provide a new interim rule by March 2023, meaning that contracts and acquisitions could be impacted as early as May 2023.

CMMC 2.0’s practices map to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 r2 control families. At its most basic level, CMMC 2.0 shifts DIB member security models toward Zero Trust Architectures. However, the cross-referencing between standards creates a complex web of interconnected controls, especially for organizations that need to understand where mobile device security fits into their CMMC compliance posture.

Unraveling the Regulatory Web: From CMMC to NIST SP 800-124 R2

To understand mobile device security, you need to take a slightly circuitous route through the different compliance standards.

CMMC Practice AC.L2-3.1.18

The CMMC Level 2 Assessor Guide drives your CMMC audit and includes practice AC.L2-3.1.18 – Mobile Device Connection which requires you to control the connection of mobile devices. As part of the Assessment Objectives, your CMMC Certified Assessor (CCA) needs to determine if:

[a] mobile devices that process, store, or transmit CUI are identified

[b] mobile device connections are authorized

[c] mobile device connections are monitored and logged

Since these objectives are vague, the Assessor Guide includes two additional references. First, it points you to NIST SP 800-171 R2 3.1.18. Additionally, it includes a discussion of NIST SP 800-171 R2 that notes:

Many controls for mobile devices are reflected in other CUI security requirements. NIST SP 800-124 provides guidance on mobile device security.

NIST SP 800-171 R2 3.1.18: Control Connection of Mobile Devices

Heading over to NIST 800-171 R2 brings you to Access Control requirement 3.1.18. In the discussion, NIST outlines the following usage restrictions and implementation guidance for mobile devices:

  • device identification and authentication
  • configuration management
  • implementation of mandatory protective software (e.g., malicious code detection, firewall)
  • scanning devices for malicious code
  • updating virus protection software
  • scanning for critical software updates and patches
  • conducting primary operating system (and possibly other resident software) integrity checks
  • disabling unnecessary hardware (e.g., wireless, infrared)

NIST SP 800-124 R2 “Guidelines for Managing the Security of Mobile Devices in the Enterprise”

NIST recognizes that mobile devices and their security requirements have changed significantly over the last ten years. In SP 800-124 R2’s “Overview of Mobile Security Technologies,” the agency defines seven different enterprise mobile security technologies.

In its definitions, NIST outlines three mobile security technologies that people often view as interchangeable:

  • Enterprise Mobility Management (EMM) or Mobile Device Management (MDM): to deploy, configure, and actively manage mobile devices
  • Mobile Application Management (MAM): to establish and enforce fine-grained control over different apps on a single managed device
  • Mobile Threat Defense (MTD): to detect the presence of malicious apps, network-based attacks, improper configurations, and known vulnerabilities in mobile apps or the mobile OS

By clearly delineating these three technologies, NIST clarifies the need to combine the different security capabilities for a comprehensive mobile device security posture.

Mobile Threat Defense: The Critical Piece to the CMMC Puzzle

NIST distinguishes MTD from EMM, MDM, and MAM in section 4.2.3 “Mobile Threat Defense,” by outlining the following MTD capabilities:

  • real-time continuous monitoring
  • assessing apps after deployment and during runtime
  • detecting and protecting mobile devices, apps, and end users against attack via wireless network
  • detecting attacks against an app or OS software, such as side-loaded apps
  • detecting and alerting users to unexpected interactions among apps or use of data on the device

MTD Completes the Mobile Device Security Technology Stack

MDM enables you to provision devices and set basic configurations on devices that you manage. However, it lacks capabilities that can monitor and detect:

  • mobile phishing attacks that install malicious code on devices
  • malicious applications downloaded from untrusted sources
  • real-time device health
  • cloud application security
  • advanced threats

SP 800-124 R2 lists MTD as a mitigation and countermeasure for several threats:

  • exploitation of underlying vulnerabilities in devices
  • credential theft via phishing
  • installation of unauthorized certificates

Further, MTD is the only mitigation and countermeasure listed for the installation of unauthorized certificates.

MTD Mitigates Bring Your Own Device (BYOD) Risks

When employees use personal devices as part of your remote work model, they become the administrators, deciding when to upgrade their OS, choosing network connections, and downloading apps.

Most people don’t want to install an application that allows their employers access to their devices. MTD enables you to secure personal devices without compromising employee privacy. An MTD that detects threats on-device rather than sending information to a cloud secures mobile devices without the need to collect or process personally identifiable information (PII).

MTD enables you to secure employee-owned devices so that you can implement and maintain CMMC compliance across all devices that connect to your networks.

How Zimperium Uniquely Protects Mobile Devices for CMMC 2.0 Compliance

To comply with Assessment Objectives, you need to give your CCA the documentation proving that you have a comprehensive approach to mobile device security. MTD is critical to your CMMC compliance posture, providing visibility into threat and risk postures to augment your MDM technology’s capabilities.

Zimperium zIPS is an advanced MTD solution for enterprises and government agencies in the DIB striving to meet current CMMC standards as part of their mobile device security controls. Used by many government organizations, including the DoD, Zimperium was the first mobile threat defense (MTD) provider to be granted an Authority to Operate (ATO) status from the Federal Risk and Authorization Management Program (FedRAMP).

zIPS remains the only patented, on-device MTD solution that provides the technical capabilities to protect CUI across Android, iOS, and ChromeOS from known and zero-day, advanced persistent threats. zIPS is purpose-built to provide enterprises and government agencies with a privacy-focused experience and does not rely on cloud-based lookups, content scanning, or other privacy-invasive techniques to keep mobile devices secure.

Zimperium’s z9™ dynamically updatable engine powers zIPS with behavioral and machine learning techniques to detect device, network, phishing, and application mobile attacks without needing updates or an active network connection. Additionally, z3A Advanced App Analysis enables zIPS to perform in-depth mobile application scanning for privacy and security risks, with detailed privacy ratings, malware classifications, security ratings, and customizable app privacy settings.

For more information about how Zimperium can help you achieve your CMMC compliance goals, contact us today.

Jim Kovach
Author: Jim Kovach
Mobile Security Specialist, Public Sector. View the author's experience and accomplishments on LinkedIn.