Expedite CMMC With Keeper Security.

Keeper Security Government Cloud (KSGC) password manager and privileged access manager is FedRAMP Authorized and addresses your Cybersecurity Maturity Model Certification (CMMC) requirements.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense (DoD) cybersecurity compliance and certification program focused on the independent assessment of defense contractors against NIST 800-171 security controls for protecting Controlled Unclassified Information (CUI).

CMMC builds upon the existing DFARS 252.204-7012 regulations. Access controls and data protection are at the forefront of the model to reduce the risk of cyber threats.

Meeting CMMC's security controls requires a combination of people, processes and technology. By implementing Keeper Security Government Cloud (KSGC), DoD contractors can address 26 of the 110 controls in CMMC Level 2. See the table below for a detailed list of the controls covered by KSGC.

How Keeper Security Government Cloud Helps DIB Contractors Meet CMMC Requirements For Password Security

The majority of CMMC's security controls are based on NIST 800-171 Revision 2, which was released in 2020. NIST 800-171 Revision 3 is being released in the 1st quarter of 2024 and includes new password security requirements.

Many DIB IT teams lack visibility into their organization’s password security posture. KSGC analyzes the strength and security of stored passwords across the organization. KSGC assesses each password against criteria for complexity, uniqueness, and potential exposure on the dark web, providing a comprehensive risk score for individual credentials and the overall password hygiene of the organization. IT administrators receive actionable insights through detailed reports and dashboards, highlighting weak, reused, or compromised passwords, enabling them to proactively enforce password policies and initiate corrective measures.

KSGC's continuous monitoring and alerting system ensures administrators can quickly respond to potential security vulnerabilities, significantly enhancing the organization's defense against cyber threats by maintaining strong, secure credentials.

Password Security Audit Score and Reporting
How Keeper Security Government Cloud Helps DIB Contractors Meet CMMC Requirements for Secure File Sharing

DIB organizations regularly receive and collaborate with the DoD on CUI files. CMMC requires that organizations follow strict security protocols when sharing CUI, such as using encryption and limiting access to only authorized users.

Email is generally not encrypted, making it possible for cybercriminals to intercept emails and attachments in transit. Sending sensitive information over email also risks the information being forwarded, saved or printed without the sender's permission.

Some contractors use Microsoft Encrypted Email, which sends the recipient to a secure login screen to access the email with the files. However, in many cases, internal controls on government machines do not allow this login process to occur, so the agency doesn’t receive the information.

Alternatively, DIB contractors can create an encrypted PDF and then separately send the agency the password for the PDF via a plaintext email. This process is cumbersome, insecure and not user-friendly for employees.

Securely Store and Share Files With KSGC

KSGC has built-in FedRAMP Authorized file-sharing capabilities and provides a secure and user-friendly way to share files. Keeper offers secure vault-to-vault sharing and one-time sharing with elliptic curve encryption, meaning cybercriminals cannot intercept passwords or files in transit. Only the intended recipient can access the shared record. With One-Time Share, recipients are not required to log in or be licensed with Keeper to open and download the encrypted file.

Additionally, logs within Keeper show all sending and receiving information for one-time sharing. Real-time security alerts can also be turned on to notify system administrators via text, email or messaging platforms such as Slack or Teams when sharing occurs.

Encrypted file sharing is a must for any organization that works with the DoD. Keeper allows organizations to store and share their confidential files in an encrypted format for streamlined compliance and auditing.

Secure File Storage

CMMC Security Controls Covered by KSGC

Future CMMC Changes

CMMC will eventually adopt the 3rd revision of NIST 800-171, and defense contractors will need to account for new requirements, including:

  • Ensuring that new or updated passwords are not on lists of commonly used, expected or compromised passwords.
  • Changing passwords when they have been compromised.

Definitions of the Table Below

  • Meets - Keeper can be used as a primary means to satisfy a security control in your System Security Plan (SSP).
  • Supports - Keeper can be used to strengthen the posture of a security control in your SSP.

| Security Control & Title | Overall Status | Comments |
| --- | --- | --- |
| AC.L2-3.1.1 Authorized Access Control (CUI) | Supports | Keeper's Enterprise Password Manager (EPM) allows users to generate and store secure and unique passwords that support user authentication. |
| AC.L2-3.1.11 Session Termination | Supports | Keeper provides platform-specific session termination controls based on a period of time. EPM also provides re-authentication options for actions like autofilling a password. |
| AC.L2-3.1.12 Control Remote Access | Meets | Keeper Connection Manager (KCM) is a remote access gateway used to grant users access to resources in accordance with least privilege principles. It uses connection protocols such as RDP, HTTPS, SSH, VNC, Telnet, Kubernetes, MySQL, PostgreSQL, and SQL. |
| AC.L2-3.1.13 Remote Access Confidentiality | Meets | KCM uses FIPS 140-3 validated encryption to ensure remote access confidentiality. |
| AC.L2-3.1.14 Remote Access Routing | Meets | KCM is a remote access gateway that serves as a managed access control point. |
| AC.L2-3.1.15 Privileged Remote Access | Meets | KCM can limit user access to specific connections, limit access to a specific application within an RDP session and limit access by automatically running SSH commands at connection. |
| AU.L2-3.3.1 System Auditing | Supports | Keeper's Advanced Reporting and Alerts Module (ARAM) provides enterprise-level auditing and reporting of admin and user activity. |
| AU.L2-3.3.5 Audit Correlation | Supports | Keeper's ARAM seamlessly integrates with SIEM solutions for long-term storage and audit correlation. |
| AU.L2-3.3.6 Reduction & Reporting | Supports | Keeper's ARAM provides filters for 200+ event types. |
| CM.L2-3.4.2 Security Configuration Enforcement | Supports | EPM offers extensive group-based policies that control how Keeper can be used. |
| CM.L2-3.4.6 Least Functionality | Supports | KCM can limit a remote RDP session to a single application, control clipboard behavior, disable printing and more. |
| IA.L2-3.5.10 Cryptographically Protected Passwords | Meets | EPM securely stores and transmits passwords using FIPS 140-3 validated encryption. |
| IA.L2-3.5.11 Obscure Feedback | Supports | EPM masks passwords and other sensitive information. Keeper also allows for the creation of custom record types with masking settings for each custom field. |
| IA.L2-3.5.3 Multi-Factor Authentication | Supports | Keeper supports multiple MFA methods including TOTP, RSA SecurID, Duo Security, FIDO2 security keys, Windows Hello and mobile device biometric authentication. It also requires additional approval when a new device is used to access an account. |
| IA.L2-3.5.4 Replay-Resistant Authentication | Meets | Keeper Secrets Manager (KSM) transmits secrets in an encrypted TLS tunnel. The secrets are decrypted by the user's device. |
| IA.L2-3.5.7 Password Complexity | Meets | EPM offers customizable password complexity settings for master passwords, and for passwords generated for defined domains and IP addresses. Security audit reports show statistics on the strengths and weaknesses of passwords in the organization. |
| IA.L2-3.5.8 Password Reuse | Meets | EPM enables organizations to eliminate password reuse by generating unique passwords for every account. Security audit reports show password reuse statistics. |
| IA.L2-3.5.9 Temporary Passwords | Supports | EPM allows for secure sharing of temporary credentials by transferring ownership of a password record or through a one-time share. |
| SC.L2-3.13.10 Key Management | Supports | KSM securely stores and transmits secrets such as SSH keys, API keys, encryption keys, passwords and more using FIPS 140-3 validated zero-knowledge encryption. KSM can also automatically rotate secrets. |
| SC.L2-3.13.11 CUI Encryption | Meets | EPM uses its FIPS 140-3 validated zero-knowledge encryption to encrypt any CUI and is FedRAMP Authorized at the Moderate Impact level. |
| SC.L2-3.13.16 Data At Rest | Meets | EPM uses FIPS 140-3 validated zero-knowledge encryption to encrypt any CUI stored in the system at rest and is FedRAMP Authorized at the Moderate Impact level. |
| SC.L2-3.13.6 Network Communication by Exception | Supports | Network access can be restricted by enabling IP address allowlisting. |
| SC.L2-3.13.8 Data In Transit | Meets | EPM uses FIPS 140-3 validated zero-knowledge encryption to encrypt any CUI in transit and is FedRAMP Authorized at the Moderate Impact level. |
| SC.L2-3.13.9 Connections Termination | Meets | KCM session timeout settings are configurable. |
| SI.L2-3.14.3 Security Alerts & Advisories | Supports | Keeper's BreachWatch monitors passwords for indicators of compromise and alerts the user or admin if any of the passwords have been impacted in a breach. |
| SI.L2-3.14.7 Identify Unauthorized Use | Supports | Keeper's ARAM allows for the creation of alerts based on 200+ event types. EPM's Compliance Reporting module provides additional reporting to identify unauthorized sharing or use of passwords. |

KSGC Is FedRAMP Authorized

Keeper Security Government Cloud password manager and privileged access manager is FedRAMP Authorized and maintains the Keeper Security zero-trust security framework alongside a zero-knowledge security architecture.

KSGC provides:

  • Full visibility and control over employee password strength
  • Secure file sharing and file storage
  • Granular, Role-Based Access Controls (RBAC)
  • Zero-Trust Network Access
  • Dark web exposure alerting