In 2017 defense contractors became subject to a cybersecurity mandate by the Federal Government, starting with the Defense Acquisition Federal Regulation Supplement.  DFARS required DoD Contractors to adopt cybersecurity standards according to the NIST SP 800-171 Cybersecurity Framework.

On January 30, 2020, the Department of Defense  released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) to ensure cybersecurity controls and processes would be put in place to protect controlled unclassified information (CUI) on DoD contractor systems.

CMMC will be mandatory for 300K Government Contractors, establishing cybersecurity as a foundation for future DoD Acquisitions.   This imposes cybersecurity requirements on a large base of contractors that has never dealt with Federal Contractor Information (FCI) requirements.

CMMC requirements will flow down to all subcontractors from prime contractors.  All future RFPs will require adherence to various levels of CMMC.  Government Contractors will have to pass a CMMC audit so they can become certified and continue to offer their products and services to the DoD.  The required CMMC level will be a pass/fail evaluation at the proposal stage for contract awards.  Contracts will not be awarded to organizations that do not meet the required level.

Between June and September of 2020, the initial round of audits will begin for a select number of Department of Defense Programs/RFIs, with the required CMMC Levels identified. A CMMC 3rd Party Assessment Organization (C3PAO) will ask Defense Contractors to prove how they process, store and transmit Controlled Unclassified Information (CUI).  Government Contractors will need to be certified to the required Level in order to receive and bid on the RFP.

The timing of Accreditation Audits is now projected to be Q4 2020 (Calendar) going forward, with RFI’s including CMMC references as early as June and RFPs including CMMC references by Q4.

CMMC requires policy, process and plan documentation covering all security domains

The CMMC Model has 5 Levels with a number of defined Practices and Processes in each Level

NIST Controls
Level 1 17 Basic Cyber Hygiene Basic safeguarding of FCI
Level 2 65 Intermediate Cyber Hygiene Transition step to protect CUI
Level 3 119 Good Cyber Hygiene Protecting CUI
Level 4 123 Proactive Protecting CUI and reducing risk of APTs
Level 5 128 Advanced/Progressive Protecting CUI and reducing risk of APTs


Government Contractors can use the “Self Assessment Handbook – NIST Handbook 162” provided by the National Institute of Standards and Technology (NIST).

CMMC Level 3 is based on compliance with NIST 800-171, plus 20 additional Practices, including the following:

Access Control:

  • Limiting information system access to authorized users
  • Separating the duties of individuals to reduce the risk of malevolent activity
  • Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
  • Prevent unauthorized access using authentication and encryption

Audit and Accountability

  • Create and retain system audit logs and records to enable monitoring, analysis, investigation and reporting of unauthorized system activity
  • Review and update logged events
  • Alert in the event of an audit logging process failure
  • Collect audit information (logs) into one or more central repositories
  • Protect audit information and audit logging tools from unauthorized access, modification and deletion
  • Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity
  • Provide audit record reduction and report generation to support on-demand analysis and reporting

Media Protection

  • Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport
  • Save security event log data in one or more central repositories


  • Regularly perform complete, comprehensive and resilient data backups

Security Assessment

  • Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls

Level 3 of the CMMC model specifically points to the requirement for Security Event Log Management Software.

Prophecy International has been providing Event Log Management Solutions to the Intelligence Community, Military, Non-Military and Government Contractors for over 15 years, and continues to invest in software that supports event log collection, forwarding, analysis and reporting.   SNARE Enterprise Agents and Log Management Servers will help government contractors address CMMC Level 3 Requirements.

More information about SNARE Log Management Software can be found at, with options for a software demonstration and free supported software trials.

AustCyber did a piece on Australian companies and listed Snare among those with strategies in place to cover your remote workstations. You can find the article on their site and if you want to learn more about how we can help you collect logs from remote workstations, reach our and contact our helpful staff or request a consultation with one of our senior engineers!



With the advent of staff being more and more mobile with work activities, they are often not in the office. This remote teleworking has been a growing trend for many years and can mean that employee systems are not on the corporate network ever or very infrequently. If the systems are not on the corporate network, then the audit logs and other activity from their laptops cannot always be collected in near real time as there is no connection to the internal SIEM system that is typically on the corporate network. The corporate SIEM systems need to be protected and rarely on open networks as they contain sensitive information and need to be protected from tampering and viewing from unauthorized parties. This can leave the end point systems exposed to unauthorized activity from the staff member doing something they should not be doing, or to being hacked from an external party while on some other open network like a Starbucks, a cafe, a hotel or an airport’s wireless network for example. If the system gets compromised, then no log or alert information can be sent to the corporate SIEM and the security teams won’t know that one of their employees was just hacked. In general, most connections would require the employee to VPN when remote or go into an office location to connect to the LAN so the logs can be sent to the corporate SIEM. But by then the system may already be compromised so it could spread the malware on the corporate network and result in a larger scale incident. Many attacks can go unnoticed after a seemingly innocuous event such as not patching the system, a user clicked on a malicious link and malware was installed, a remote hacker exploits some weakness in the systems settings or via a new day zero vulnerability. Some attacks may try and hide on users’ systems until the user connects back to the corporate network but there will still be subtle bits of activity that can be detected and reported on with software installs and process execution.

So how can Snare help with this problem?

We have the capability to collect the logs from the employee’s system in near real time over the internet, all securely over TLS using a mutual authentication key to our Snare Collector/Reflector technology. The system can be open to the internet and only allow authorized connections from the Snare agents to the Snare Collector/Reflector. Any system that does not have the relevant authorization keys won’t be allowed to connect. Along with TLS certificate strict validation the destination connection can be trusted and securely send the log data to the central SIEM. The connection works much like a VPN does for the traditional laptop to corporate network when a user is remote, but it limited only to the Snare Agent and the Snare Collector/Reflector for sending log data. This then allows all remote workers systems to have near real time monitoring and collect the audit logs whenever they are on the Internet such as in a cafe, hotel, airport or a Starbucks, which are all common areas they can be exposed from a remote exploitation attack, so this ability helps with early incident detection and data breaches of the users endpoint system before it can spread to other users and the corporate network. The technology can be deployed on the corporate network or in the cloud and reflected around to other parts of the network and multiple SIEM systems as needed to facilitate early warnings and reporting for the security team and any SOC an organisation has in place. The time to detection of a breach is always critical to containment and minimizing any business impact. That’s why collecting the data in near real time is always important to minimize the impact to the business.