Achieving CMMC 2.0 compliance: identifying and masking sensitive information!

Data masking for CMMC compliance: The Cybersecurity Maturity Model Certification (CMMC) is a key security framework developed by the US Department of Defense (DoD). It is designed to ensure that sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), is adequately protected within the defence industry. The current version, CMMC 2.0, is heavily based on the requirements of NIST SP 800-171 and, in part, NIST SP 800-172. To comply with CMMC, organisations need to know:

1. where sensitive data is stored,
2. who is authorised to access it,
3. how this data is protected throughout its entire lifecycle.

Many requirements implicitly assume that organisations can automatically identify and control sensitive information. Manual processes quickly reach their limits, particularly in hybrid cloud, multi-cloud and legacy environments.

The article describes several tools from the IRI portfolio:

1. IRI DarkShield® for the automatic identification, classification and masking of sensitive data
2. IRI FieldShield® for rule-based masking of structured data
3. IRI CellShield® for masking in spreadsheets
4. IRI Voracity® as an integrated platform for data management, ETL, data quality and data protection

These tools support continuous data discovery, rule-driven masking and audit trail management.

1. Identification of data sets: Identify where FCI and CUI are located.

IRI support:

1. File system scanning
2. Databases
3. Document repositories
4. Cloud storage

This involves analysing structured and unstructured data such as PDFs, Office documents, images and log files. A precise definition of the CUI scope for certification.

2. Access control and least privilege: Restrict access to sensitive data to the necessary minimum.

IRI support:

1. irreversible masking
2. pseudonymisation
3. synthetic data generation
4. role-based data sharing

This ensures that production CUI data is replaced with protected values in test or analysis environments.

3. Data protection and media sanitisation: Prevention of unauthorised disclosure.

IRI support:

1. Static data masking
2. Dynamic data masking
3. Protection of data ‘at rest’, ‘in transit’ and ‘in use’
4. Test data management

This ensures that production CUI data does not enter development or test environments.

4. Risk management: Reducing the impact of potential security breaches.

IRI support:

1. Data detection reports
2. Risk analyses
3. Prioritisation of protective measures

Masked data is of little or no value to attackers.

5. Auditability and continuous monitoring: Demonstrable compliance.

IRI support:

1. Logs
2. Reports
3. Repeatable jobs
4. Documented policies

This enables auditors to track when data was found, classified and protected. In the defence industry, data masking and discovery solutions are typically used for:

• Identification of CUI prior to audits
• Protection of development and test environments
• Redaction and masking of shared documents
• Analytics and AI projects using data compliant with data protection regulations
• Demonstration of security measures along the supply chain and at subcontractors.

Conclusion: CMMC does not explicitly require data masking. However, many requirements from NIST SP 800-171 can be met much more easily and transparently if sensitive data is automatically detected, classified and masked. The authors therefore argue that a data-centric security approach using discovery and masking tools simplifies certification whilst simultaneously increasing the actual level of security.

Efficiency meets experience: For more than four decades, our software solutions have been supporting companies in data management and data protection – technologically leading, reliable in productive use and applicable across all industries.

In use since 1978: Numerous well-known companies, service providers, financial institutions and state and federal authorities are among our long-standing customers.

Maximum compatibility: Our software supports both classic mainframe platforms (Fujitsu BS2000/OSD, IBM z/OS, z/VSE, z/Linux) and modern open system environments such as Linux, UNIX derivatives and Windows.