Skip to content
  • There are no suggestions because the search field is empty.

How to run a CMMC report in Nipper (v2)

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework for US defense contractors. It combines different standards and requirements to measure the cybersecurity maturity of the defense supply chain.

Nipper includes a CMMC Report module which provides objective evidence against compliance with CMMC levels 1-3. The scope of Nipper audits is limited to network device configurations, and so the CMMC Report includes only Security Practices which can be automated given this fact.

Note: The CMMC report requires an additional license feature. For more information, contact your Solutions Advisor.
 

Running a CMMC Report

  1. To begin, go to FileNew Report.
  2. Add one or more devices to the audit using Add File, Add Directory, Add Network or Network CSV methods.
  3. On the Reporting Options screen, select the CMMC report check box. If this is not available, your active license does not support the CMMC feature. 
  4. On this screen, you can also select the CMMC Level against which to report, and configure settings for the CMMC report. 
    Select a CMMC Level to report against. The report will contain information about CMMC Practices of the selected level and lower. 
    Running_a_CMMC_Report_2
  5. Click on Settings to show settings for the CMMC report. 
    The Coverage tab includes settings related to the scope of the report. The CMMC Assessment Level setting here is the same as the Level selector shown in the report list. The settings CMMC Pre-Assessment and Include Practices with Evidence from Other Report Types are detailed below.
    1. The Policy tab allows the user to set values matching the intended device policy. Some CMMC Practices will report issues when a device configuration has values that don't conform to these settings. This enables the user to verify that audited devices correctly implement the organizational security policy. 
    2. The Practice Content tab enables customization of the information included with each Practice in the report. Each section can be enabled or disabled independently.
  6. Begin the report generation by pressing the Next button. 
    1. After a short time generating, your report is then available.

CMMC Pre-Assessment

The CMMC Pre-Assessment setting adds additional information from other Nipper report types. When this setting is enabled, some CMMC Practices include an additional section, Pre-Assessment Additional Information. This includes references to sections of the Security Audit and Configuration Report that may be useful in carrying out a CMMC Pre-Assessment.

Security Audit and Configuration Report are enabled by this setting, making the report self-contained.

 

Practices with Evidence from Other Report Types

The setting Practices with Evidence from Other Report Types enables a number of CMMC Practices for which the CMMC Report does not provide direct evidence, but other Nipper report types can. These Practices include a table of references to sections in other reports. If those report types are run concurrently with the CMMC Report, these references will be hyperlinked.

Unlike the CMMC Pre-Assessment setting, the other report types are not enabled automatically, but can be included for maximum coverage of these additional CMMC Practices.