
CMMC Level 2

CaseBender supports Cybersecurity Maturity Model Certification (CMMC) Level 2, which requires implementation of 110 practices from NIST SP 800-171.

Key Capabilities

  • Practice Management: Track all 110 CMMC Level 2 practices across 14 domains
  • SPRS Scoring: Calculate and track your Supplier Performance Risk System (SPRS) score over time
  • Assessment Tracking: Manage self-assessments and third-party assessments (C3PAO)
  • POA&M Management: Track Plans of Action and Milestones for practices not yet fully implemented
  • Evidence Collection: Automated collectors gather evidence mapped to specific practices
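The SPRS score that the bullets above refer to is defined by the NIST SP 800-171 DoD Assessment Methodology: an assessment starts at 110 and subtracts each unimplemented practice's weight (1, 3 or 5), with partial credit only for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), and with practices on a POA&M still counted as not implemented. The following Python is an added worked example of that calculation; it is not CaseBender code, and its weight table is a constructed subset chosen for illustration (a real assessment loads all 110 weights from the methodology's Annex A). The status and snapshot inputs are constructed as well.

```python
"""Added example: computing an SPRS score from per-practice implementation status.

Follows the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract
each unimplemented practice's weight (1, 3 or 5); only 3.5.3 (MFA) and 3.13.11
(FIPS-validated cryptography) earn partial credit. The weight table below is a
constructed subset for illustration, not the full Annex A table.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAX_SCORE = 110

# Constructed subset of practice weights (a real deployment loads all 110).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # establish baseline configurations
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct flaws
}

# Methodology rule: partial credit exists only for these two practices,
# which deduct 3 instead of 5 when partially implemented.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class PracticeStatus:
    practice_id: str
    implemented: bool
    partial: bool = False   # e.g. MFA for privileged/remote users but not general users
    on_poam: bool = False   # tracked for remediation; earns no scoring credit


def deduction(status: PracticeStatus, weights: Dict[str, int]) -> int:
    """Points lost for one practice. POA&M entries are still unimplemented here."""
    if status.practice_id not in weights:
        raise KeyError(f"unknown practice {status.practice_id}")
    if status.implemented:
        return 0
    if status.partial and status.practice_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[status.practice_id]
    # Any other "partial" claim gets no credit: the methodology is binary there.
    return weights[status.practice_id]


def sprs_score(statuses: Iterable[PracticeStatus],
               weights: Dict[str, int] = WEIGHTS) -> int:
    """Score every practice in the weight table; unreported practices count as not implemented."""
    by_id = {s.practice_id: s for s in statuses}
    lost = 0
    for pid in weights:
        status = by_id.get(pid, PracticeStatus(pid, implemented=False))
        lost += deduction(status, weights)
    return MAX_SCORE - lost


def score_trend(snapshots: List[Tuple[str, List[PracticeStatus]]]) -> List[Tuple[str, int]]:
    """Score each dated snapshot so the score can be tracked over time."""
    return [(date, sprs_score(statuses)) for date, statuses in snapshots]


# Constructed sample: 3.14.1 is deliberately unreported to show the conservative default.
SAMPLE = [
    PracticeStatus("3.1.1", implemented=True),
    PracticeStatus("3.1.2", implemented=True),
    PracticeStatus("3.1.3", implemented=False, on_poam=True),   # -1
    PracticeStatus("3.3.1", implemented=True),
    PracticeStatus("3.4.1", implemented=True),
    PracticeStatus("3.5.3", implemented=False, partial=True),   # -3 (partial credit)
    PracticeStatus("3.13.11", implemented=False, partial=True), # -3 (partial credit)
]                                                                # 3.14.1 missing: -5

if __name__ == "__main__":
    print(sprs_score(SAMPLE))  # 110 - (1 + 3 + 3 + 5) = 98
```

Two design points worth keeping when wiring this into real tracking: an unreported practice defaults to "not implemented" so that an incomplete inventory cannot inflate the score, and a `partial` flag on any practice other than 3.5.3 or 3.13.11 is ignored, because the methodology grants partial credit nowhere else.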

Domain Coverage

| Domain | Practices | Description |
|---|---|---|
| AC Access Control | 22 | Account management, access enforcement, remote access |
| AT Awareness & Training | 3 | Security awareness, role-based training |
| AU Audit & Accountability | 9 | Audit logging, audit review, audit protection |
| CM Configuration Management | 9 | Baseline configuration, change control |
| IA Identification & Authentication | 11 | MFA, device authentication, credential management |
| IR Incident Response | 3 | Incident handling, reporting, testing |
| MA Maintenance | 6 | System maintenance, maintenance tools |
| MP Media Protection | 4 | Media access, storage, transport |
| PE Physical Protection | 6 | Physical access, monitoring, visitor control |
| PS Personnel Security | 2 | Personnel screening, termination |
| RA Risk Assessment | 3 | Risk assessment, vulnerability scanning |
| CA Security Assessment | 4 | Assessment, monitoring, system connections |
| SC System & Communications Protection | 16 | Boundary protection, encryption, key management |
| SI System & Information Integrity | 7 | Flaw remediation, malicious code protection, monitoring |

FedRAMP Moderate

CaseBender supports FedRAMP Moderate authorization, implementing controls from NIST SP 800-53 Rev 5.

Key Capabilities

  • Control Management: Track all 325 FedRAMP Moderate controls with implementation status
  • System Security Plan (SSP): Manage SSP documentation with version control and approval workflows
  • Continuous Monitoring (ConMon): Automated monthly reporting on control effectiveness
  • POA&M Management: Track remediation plans with OMB A-130 compliance
  • Authorization Periods: Manage authorization boundaries, ATOs, and reauthorization schedules
  • Significant Change Management: Track and assess significant changes that may affect authorization

Control Families

CaseBender maps its capabilities to all 20 NIST SP 800-53 control families, with particular strength in:
  • AC (Access Control): RBAC, MFA, session management, PAM
  • AU (Audit and Accountability): Unified audit trail, integrity protection, SIEM forwarding
  • IA (Identification and Authentication): Multi-factor, device trust, service authentication
  • IR (Incident Response): Case management, playbooks, SLA tracking
  • SC (System and Communications Protection): Encryption, TLS, network segmentation

HIPAA

CaseBender supports HIPAA compliance for organizations that handle Protected Health Information (PHI) as part of security operations.

Security Rule Safeguards

Administrative Safeguards (164.308)

| Safeguard | CaseBender Implementation |
|---|---|
| Security Management Process | Risk assessment, vulnerability management, security monitoring |
| Assigned Security Responsibility | RBAC with defined security roles |
| Workforce Security | SCIM provisioning, access termination, insider threat monitoring |
| Information Access Management | TLP-based access control, data classification, PAM |
| Security Awareness & Training | Compliance training module with HIPAA-specific programs |
| Security Incident Procedures | Case management, incident response workflows, SLA tracking |
| Contingency Plan | Data retention, backup management, disaster recovery |
| Evaluation | Compliance dashboards, control testing, gap analysis |

Technical Safeguards (164.312)

| Safeguard | CaseBender Implementation |
|---|---|
| Access Control | Unique user identification, emergency access, auto-logoff, encryption |
| Audit Controls | Unified audit trail with PHI access logging |
| Integrity | Data integrity verification, tamper-evident audit logs |
| Authentication | MFA, WebAuthn, SSO, account lockout |
| Transmission Security | TLS 1.3, encrypted inter-service communication |

Breach Notification Rule (164.404-408)

  • Individual Notification: Generate and track notifications to affected individuals
  • HHS Notification: Manage notification to the Department of Health and Human Services
  • Media Notification: For breaches affecting 500+ individuals, manage media notifications
  • Breach Documentation: Maintain breach records for 6 years as required

Business Associate Agreements

  • Track BAAs with all business associates
  • Monitor BAA expiration dates and renewal requirements
  • Document BAA terms and data handling obligations

PCI DSS v4.0

CaseBender supports PCI DSS v4.0 for organizations that process payment card data in security investigations.

Key Capabilities

  • Requirement Tracking: All 12 PCI DSS requirements with 78 sub-requirements
  • Evidence Collection: Automated collectors for access controls, encryption, logging, and network security
  • Control Testing: Scheduled testing with evidence capture and result tracking
  • Incident Management: PCI-specific incident tracking with notification requirements
  • Assessment Periods: Manage QSA assessments and self-assessment questionnaires

Requirement Coverage

| Requirement | Description | CaseBender Mapping |
|---|---|---|
| 1 | Network Security Controls | Network segmentation, firewall configuration |
| 2 | Secure Configurations | Container hardening, configuration management |
| 3 | Protect Stored Data | Encryption at rest, key management, data retention |
| 4 | Protect Data in Transit | TLS 1.3, encrypted communications |
| 5 | Malicious Software Protection | Container scanning, dependency scanning |
| 6 | Secure Development | SAST, DAST, code review, vulnerability management |
| 7 | Restrict Access | RBAC, least privilege, PAM |
| 8 | Identify Users | MFA, unique IDs, authentication management |
| 9 | Physical Access | On-premise deployment documentation |
| 10 | Log and Monitor | Unified audit trail, SIEM forwarding, integrity |
| 11 | Test Security | Penetration testing, vulnerability scanning |
| 12 | Organizational Policies | Policy management, training, incident response |

Export Control

CaseBender includes export control compliance for organizations handling controlled technology data.

Key Capabilities

  • ECCN/ITAR Classification: Classify security data and tools under Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)
  • Denied Party Screening: Screen entities against government restricted and denied party lists before data sharing
  • Country Controls: Enforce embargoed and restricted country rules on data access and sharing
  • License Management: Track export licenses with expiration dates and usage limits
  • Auto-Classification Engine: Suggest classifications based on data content and context

Screening Lists

CaseBender screens against:
  • Consolidated Screening List (CSL)
  • Entity List (BIS)
  • Specially Designated Nationals (OFAC SDN)
  • Denied Persons List (BIS)
  • Debarred List (DDTC)

EU AI Act

CaseBender supports EU AI Act compliance for organizations using AI capabilities within the platform.

Key Capabilities

  • AI System Registration: Register and catalog AI systems used within CaseBender (AI insights, auto-enrichment, correlation engine)
  • Risk Assessment: Evaluate AI systems against EU AI Act risk categories (minimal, limited, high, unacceptable)
  • Incident Reporting: Report and track AI-related incidents with root cause analysis
  • Conformity Assessment: Manage conformity assessments for high-risk AI systems
  • Human Oversight: Document human oversight mechanisms for AI-assisted decisions
  • Transparency: Maintain transparency records showing how AI systems make recommendations