RackTop Systems
CMMC Compliance

Simplify CMMC Level 2 and Level 3 compliance for Controlled Unclassified Information

Securing CUI and maintaining CMMC certification are critical priorities for the Defense Industrial Base. BrickStor SP is built to streamline compliance with both CMMC Level 2 and Level 3 — aligning precisely with the required controls so self-assessments and third-party assessments are faster, easier, and continuously evidenced.

Why CMMC Matters

CMMC certification directly affects your ability to compete and operate

Mandated by the U.S. Department of War (DoW, formerly Department of Defense), the Cybersecurity Maturity Model Certification sets rigorous cybersecurity requirements aimed at protecting Controlled Unclassified Information from increasingly sophisticated threats.

CMMC Level 2 comprises the 110 controls of NIST SP 800-171. CMMC Level 3 builds on those 110 controls by adding 24 more advanced controls focused on Advanced Persistent Threats — requiring advanced access controls, network segmentation, and incident response capabilities.

Achieving and maintaining compliance at these levels is essential. DoW (formerly DoD) contracts frequently require certification, directly influencing an organization's ability to compete, operate effectively, and safeguard sensitive data. Non-compliance or a breach can disrupt critical supply chains, cause substantial financial and reputational loss, and threaten future contracting opportunities.

BrickStor SP goes beyond the NIST 800-171 baseline — delivering advanced data security, comprehensive data protection, and proactive threat prevention for unstructured data, whether it lives on premises or in the cloud.

Control Coverage

BrickStor SP addresses 33 controls across 7 CMMC families

Where CUI is stored, accessed, and protected, BrickStor maps directly to the controls an assessor will ask about.

How BrickStor SP Addresses Critical CMMC Controls

Control-by-control alignment

3.1 Access Control

3.1.2 Access Enforcement
BrickStor employs granular access controls down to the file and integrates with centralized identity services (Active Directory / LDAP) plus ABAC to provide strict access control enforcement over CUI data.

3.1.4 Separation of Duties
BrickStor includes features that enable organizations to create a separation of duties, protecting security objects and logs from manipulation or deletion. ImmutaVault and Cybersnaps ensure data owners can prevent data from being changed or deleted prematurely.

3.1.5 Least Privilege
Enabling least-privilege policies with BrickStor is straightforward through integration with Active Directory and LDAP for system administration and file access. Accounts can be grouped to establish the privileges and permissions afforded to the user.

3.1.6 Least Privilege — Privileged Accounts
BrickStor's Active Defense and user behavior auditing capabilities enable organizations to scrutinize the use of privileged accounts and enforce the use of non-privileged accounts when such access is not needed.

3.1.7 Least Privilege — Privileged Functions
Active Defense and user behavior auditing provide alerts on the misuse of privileged accounts, and monitor all privileged account actions.

3.1.8 Unsuccessful Login Attempts
BrickStor enables organizations to specify behaviors for unsuccessful login attempts.

3.1.9 System Use Notification
Organizations can display a customized system use notification for administrators.

3.1.11 Session Termination
Organizations can customize the session termination behavior for administrative and user sessions.
3.3 Audit and Accountability

3.3.1 Event Logging
BrickStor logs all file and permission activity through user behavior auditing, while the system audit logs all changes made by system administrators.

3.3.2 Audit Record Content
The user behavior audit log includes the timestamp, user account, client IP, file operation, and complete file path. The system audit log contains the timestamp, admin account, function, settings, and results.

3.3.3 Audit Record Generation
BrickStor enables auditing on a per-dataset basis with indefinite retention. Logs can be forwarded to a centralized logging facility.

3.3.4 Response to Audit Logging Process Failures
The BrickStor health service alerts administrators by email or webhook when an audit service fails or when space is filling up for audit logs on a deployment.

3.3.5 Audit Record Review, Analysis, and Reporting
BrickStor features a robust user behavior auditing and analysis interface in Hub Central. Authorized users can conduct in-depth analysis of file activity — filtering by user, client IP, file, operation type, or off-hours activity.

3.3.6 Audit Record Reduction and Report Generation
Integrated reporting in Hub Central lets administrators generate audit reports and summarize user behavior activity, highlighting issues, discrepancies, and anomalies.

3.3.7 Time Stamps
NTP-enabled synchronized timestamps ensure log accuracy and integrity.

3.3.8 Protection of Audit Information
Immutable, replicated snapshots guard against log tampering or deletion. ImmutaVault's separation of duties adds protection for audit and compliance-sensitive information — vaults can be configured with minimum retention times that cannot be reduced, and the data is isolated to create a virtual air gap within each system.
3.5 Identification and Authentication

3.5.1 User Identification and Authentication
BrickStor enforces the use of unique identifiers and accounts. Active Defense provides alerts on the use of shared accounts for administrative functions.

3.5.3 Multi-Factor Authentication
BrickStor supports multi-factor authentication when logging into Hub Central.

3.5.4 Replay-Resistant Authentication
All authentication mechanisms employed by BrickStor are replay-resistant.

3.5.7 Password Management
BrickStor connects to centralized authentication and identity providers. If an organization chooses to use local accounts, BrickStor enables password rules and policies for those accounts.

3.5.11 Authentication Feedback
BrickStor does not provide information that would allow unauthorized individuals to compromise authentication mechanisms through failed authentication feedback.

3.5.12 Authenticator Management
BrickStor does not deploy with any default authenticators, ensuring default or generic accounts cannot be exploited through well-known passwords.
3.6 Incident Response

3.6.1 Incident Handling
BrickStor includes an incident management workflow in Hub Central that integrates with the organization's incident management applications and framework. The workflow captures a detailed, attributable log of actions and remediations taken in response to an incident, exportable as a PDF report.

3.6.2 Incident Monitoring, Reporting, and Response Assistance
BrickStor automatically creates an incident for each event along with an attributable list of actions. This information can be forwarded in real time via email and webhooks to other systems, retained indefinitely, and exported into various report formats.
3.8 Media Protection

3.8.3 Media Sanitization
Organizations can use FIPS 140-3 crypto-erase functions, compliant with NIST media purge standards, for reuse and disposal.

3.8.5 Media Transport Protection
BrickStor uses dual-layer FIPS 140-3 encryption for both hard drives and flash drives during physical transport.

3.8.9 System Backup — Cryptographic Protection
BrickStor uses FIPS-validated AES-256 encryption to safeguard snapshots and backup data. Keys can be stored in a protected key manager or an external KMIP-compliant key manager.
3.13 System and Communications Protection

3.13.8 Transmission Confidentiality and Integrity
BrickStor encrypts data at rest and in transit. Data at rest is encrypted with up to two layers of FIPS 140-3 AES-256 encryption without impacting performance. BrickStor supports TLS and encrypted protocols for SMB, NFS, and S3.

3.13.10 Cryptographic Key Establishment and Management
BrickStor can leverage its internal key manager or an external KMIP-compliant key manager. Organizations can establish key rotation policies for automatic rotation of cryptographic keys in accordance with their policies and regulations.

3.13.11 Cryptographic Protection
BrickStor uses FIPS 140-3 validated cryptographic modules.
3.14 System and Information Integrity

3.14.3 Security Alerts, Advisories, and Directives
RackTop distributes timely advisories and updates regarding vulnerabilities that can affect BrickStor users, providing appropriate workarounds and software updates.

3.14.6 System Monitoring
BrickStor's Active Defense capabilities let organizations monitor suspicious file activity in real time, along with indicators of attack and lateral movement. BrickStor alerts on probing activity, the attempted or successful use of weak protocols, and shared accounts — all recorded in audit logs.

3.14.8 Information Management and Retention
BrickStor's data protection policies can be configured to facilitate retention and management of data in accordance with policies and regulations — ensuring data is retained for as long as needed and no longer. Organizations can report on the policies and their implementation per dataset.

Control descriptions describe how BrickStor SP capabilities align with CMMC / NIST SP 800-171 controls. CMMC compliance is an organizational program; BrickStor addresses the data-layer controls for the systems where CUI resides. Contact RackTop for a detailed control-mapping discussion specific to your environment.

Frequently asked questions

CMMC Level 2 comprises the 110 controls of NIST SP 800-171 — the security requirements for protecting Controlled Unclassified Information. Level 3 builds on those 110 controls by adding 24 more advanced controls focused on Advanced Persistent Threats, including advanced access controls, network segmentation, and incident response capabilities.
No single product makes an organization CMMC compliant — compliance is an organizational program spanning people, process, and technology. BrickStor SP directly addresses the data-layer controls across multiple CMMC families, and its alignment with required controls makes self-assessments and third-party assessments faster and easier to evidence for the systems where CUI lives.
BrickStor SP delivers advanced data security controls, comprehensive data protection, and proactive threat prevention for unstructured data — including inline Active Defense, ImmutaVault virtual air gap, immutable audit, and surgical recovery. These capabilities support the more advanced Level 3 controls aimed at Advanced Persistent Threats, not just the Level 2 baseline.
Yes. BrickStor SP is available as a physical appliance, as a SAN gateway on existing block storage, and as a virtual appliance for private, public, and hybrid cloud — so the same CMMC-aligned controls apply wherever CUI resides.
Yes. BrickStor produces continuous, queryable audit and compliance evidence as a byproduct of how the platform operates — every file operation captured, every administrative action logged, every incident documented and exportable. Integrated reporting in Hub Central generates audit reports directly.

Make Your Next CMMC Assessment Faster and Easier

Talk to a RackTop federal mission engineer about a control-mapping walkthrough for your environment — and see how BrickStor SP streamlines CMMC Level 2 and Level 3 for the systems where your CUI lives.
