Oxalis Achieves CMMC Level 2 Certification

Strengthening Our Commitment to Defense and Regulated Industries

Oxalis is proud to announce we have achieved Cybersecurity Maturity Model Certification (CMMC) Level 2, a critical milestone that validates our ability to securely handle Controlled Unclassified Information (CUI) and positions us to deepen our support for the defense industrial base, MRO providers, and maritime operators.

This certification reinforces what our clients already know: Oxalis is built for highly regulated environments. It demonstrates our commitment to delivering technology solutions that meet the highest security standards while enabling the digital transformation our defense industrial base partners need to remain competitive and mission-ready.


“For nearly a decade, Oxalis has been committed to serving organizations where security and compliance aren’t optional—they’re mission-critical. Achieving CMMC Level 2 certification validates our security-first culture and opens new opportunities to support the defense industrial base. This isn’t just about expanding our market; it’s about proving we can be trusted with the sensitive information that keeps our nation secure.”

Jonathan Malanche, CEO, Oxalis


What is CMMC and Why Does it Matter?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s unified standard for implementing cybersecurity across the defense industrial base (DIB). Created to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC ensures that all contractors and subcontractors handling DoD information maintain robust cybersecurity practices.

CMMC Level 2 represents an advanced security posture required for organizations that create, process, store, or transmit CUI. It encompasses 110 security controls aligned with NIST SP 800-171 Rev. 2, covering critical areas including: 

  • Access control and authentication 
  • Incident response and recovery 
  • System and communications protection 
  • Risk assessment and continuous monitoring 
  • Configuration management and media protection 

Achieving CMMC Level 2 certification requires a rigorous third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). 

Understanding Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is unclassified information that the U.S. government creates, possesses, or that an entity creates or possesses on behalf of the government, which requires safeguarding and dissemination controls. 

CUI is not classified information, but it still demands protection. It includes technical drawings, engineering specifications, operational reports, procurement data, and other sensitive materials shared between the DoD and its contractors. The DoD CUI Program standardizes how this information is marked, handled, and protected across the defense ecosystem. 

Achieving CMMC Level 2 compliance allows Oxalis to work directly with sensitive defense information, support system modernization efforts, and provide the deep technical integration our clients need, without compromising security or compliance. 

What This Means for Oxalis Clients

CMMC Level 2 certification expands Oxalis’ ability to serve the DIB in several critical ways:

  • Eligibility for DoD Contracts. Starting in late 2025, most DoD contracts involving CUI require full Level 2 certification from a third-party assessment. Oxalis’ certification ensures we can continue bidding on and supporting contracts that involve sensitive defense information. 
  • Deeper Integration with Mission-Critical Systems. Our certification enables us to work within or adjacent to DoD environments, supporting everything from ERP implementations and cloud migrations to IT modernization and digital transformation initiatives. 
  • Supply Chain Security. By achieving CMMC Level 2, Oxalis strengthens the overall security posture of the defense supply chain. Our clients can trust that their sensitive information is protected when working with us, reducing risk across their own compliance posture. 

Reinforcing Our Goal of Providing Solutions Built for Highly Regulated Environments

CMMC Level 2 certification is a natural extension of Oxalis’ core mission: helping government, defense, healthcare, and other highly regulated organizations modernize their operations without compromising security, speed, or compliance. 

From our partnerships with Atlassian (including FedRAMP and Atlassian Government Cloud) and IFS, to our proprietary solutions like YardOS, we design every engagement and product with the unique demands of regulated sectors in mind. Our team understands that in defense and government work, there’s no room for error; every system must be secure, auditable, and future-ready. 


“The defense industrial base faces evolving cyber threats every day. CMMC Level 2 isn’t a one-time achievement – it’s a commitment to continuous security improvement. Our team has embedded these controls into our DNA, from product development to client engagements. This certification gives our DIB partners confidence that when they work with Oxalis, they’re working with a team that takes security as seriously as they do.” 

Micah J. Waldstein, VP, Oxalis


At Oxalis, we’ve spent years building deep expertise in highly regulated industries. We’ve supported various defense agencies, partnered with IFS to modernize naval MRO operations, and helped organizations across the defense industrial base navigate complex digital transformations. In every one of those engagements, trust is the foundation. 

CMMC Level 2 certification formalizes that trust at the system level. 

For our existing clients, it means they can bring Oxalis deeper into sensitive environments, knowing we have the certified security posture to operate there responsibly. For prospective clients evaluating technology partners for DoD work, it removes a critical barrier — Oxalis is now verified as a compliant organization capable of handling CUI within the defense supply chain.

Critical Vulnerability – Jira Server and Data Center – Authentication Bypass in Seraph – CVE-2022-0540

On April 20th 2022, Atlassian released a security advisory for Jira and Jira Service Management, regarding an authentication bypass vulnerability in its web authentication framework, Jira Seraph.

Please Note: JIRA Cloud customers are NOT affected by this vulnerability.

Summary of CVE-2022-0540

Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at the action level. For a specific action to be affected, that action must also perform no other authentication or authorization checks of its own.

Jira on its own is not vulnerable; the vulnerability arises when installed plugins use this particular functionality. Thus, for an installation to be vulnerable, you must be running a vulnerable version of Jira or Jira Service Management and have one of the specific plugins installed and active. Unfortunately for most users, some of the vulnerable plugins are installed and enabled by default, specifically the Mobile Application for Jira add-on.

What is the Issue?

A remote attacker can exploit a vulnerability (CVE-2022-0540) in affected Server and Data Center versions of Jira and Jira Service Management by requesting a specially crafted URL which bypasses authentication and authorization requirements in WebWork actions. Any first- or third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at the action level are vulnerable. Atlassian rates this vulnerability as critical.
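As an added example (not Atlassian's or Oxalis' code) of the descriptor pattern the advisory describes, the following audits an app's atlassian-plugin.xml for webwork1 modules whose roles-required is declared only at namespace level and lists the actions that merely inherit it, then shows the corrected descriptor with the requirement repeated on every action. The element and attribute names follow the Jira webwork1 plugin module format; the sample descriptor, its module key and its action names are constructed. It flags candidates only: whether an action's Java class performs its own checks, and whether the running Jira version is an affected one, must be confirmed separately, and upgrading Jira remains the fix.

```python
# Added example, not Atlassian's or Oxalis' code: audit an app descriptor for the
# CVE-2022-0540 pattern, a webwork1 module that declares roles-required at the
# module (namespace) level while one or more of its actions declare none of their own.
import xml.etree.ElementTree as ET

# Constructed sample atlassian-plugin.xml (module and action names are made up):
# one namespace-level role, and only the second action repeats it at action level.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.sample-app" name="Sample App">
  <webwork1 key="sample-actions" name="Sample Actions"
            class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.ExportAction" alias="ExportData">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.SettingsAction" alias="AppSettings"
              roles-required="admin">
        <view name="success">/templates/settings.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_namespace_only_actions(descriptor_xml: str) -> list[dict]:
    """List actions whose only role requirement is inherited from the module.

    These are candidates for review; the audit cannot see whether the action's
    Java class performs its own authentication or authorization checks.
    """
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        module_roles = module.get("roles-required")
        if not module_roles:
            continue  # nothing declared at namespace level: not this pattern
        for action in module.iter("action"):
            if action.get("roles-required"):
                continue  # the action declares its own requirement
            findings.append({"module": module.get("key"),
                             "action": action.get("alias") or action.get("name"),
                             "inherited_roles": module_roles})
    return findings


def harden_descriptor(descriptor_xml: str) -> str:
    """Copy the module-level roles-required onto every action that lacks one."""
    root = ET.fromstring(descriptor_xml)
    for module in root.iter("webwork1"):
        module_roles = module.get("roles-required")
        if module_roles:
            for action in module.iter("action"):
                action.set("roles-required", action.get("roles-required") or module_roles)
    return ET.tostring(root, encoding="unicode")
```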

Which Jira versions are affected?

The affected versions of Jira Core Server, Jira Software Server, and Jira Software Data Center are:

  • All versions before 8.13.18
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.6
  • 8.21.x

Fixed Jira versions

  • 8.13.18
  • 8.20.6
  • 8.22.0

Which Jira Service Management versions are affected?

The affected versions of Jira Service Management Server and Jira Service Management Data Center are:

  • All versions before 4.13.18
  • 4.14.x
  • 4.15.x
  • 4.16.x
  • 4.17.x
  • 4.18.x
  • 4.19.x
  • 4.20.x before 4.20.6
  • 4.21.x

Fixed Jira Service Management versions

  • 4.13.18
  • 4.20.6
  • 4.22.0

Which Apps Are Affected with CVE-2022-0540?

Atlassian provided an expandable table for the affected apps in the “Determining which apps are affected” section of the Atlassian advisory notice.

Two of the apps that can result in a vulnerable configuration are Atlassian plugins included by default in Jira and Jira Service Management: Insight Asset Management for Jira Service Management, which has been included in all versions of JSM since version 4.15.0, and Mobile Plugin for Jira, which has been included in all 8.x releases of Jira and 4.x releases of Jira Service Management. This means that most users of Jira and Jira Service Management are affected by this security advisory.

What should you do?

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required. Please reach out to Oxalis if you’re affected by this vulnerability and would like assistance.

Not ready to upgrade, or can’t upgrade quickly?

There are various reasons why you may not be able to quickly upgrade to a fixed version of Jira or Jira Service Management, such as:

  • Outdated DB – There are many older platforms that Jira no longer supports, which would block an upgrade to the latest version. Check out the list of Atlassian supported platforms for the latest versions here.
  • Marketplace App compatibility – There are thousands of third-party apps in the Atlassian ecosystem, and many instances have several of them installed. These apps usually lag behind the latest Jira versions for compatibility when major changes are made, and need to be reviewed before performing the upgrade.
  • Change Management overhead – Many organizations have a robust change management process in place, which may delay a system upgrade. While we do recommend having a robust change management process, it must include an expedited path specifically for situations such as this security vulnerability.

If you cannot upgrade Jira or Jira Service Management, you can take one of the following actions –

  • Upgrade vulnerable plugins to non-impacted versions.
  • Disable vulnerable plugins – note that this will remove provided functionality and should be considered a worst-case option. For JSM, disabling Insight Asset Management may have the further impact of removing all service management functionality.

How to avoid future risks?

Migrate to Atlassian Cloud

At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.

  • Not a Lift-and-Shift – Migrating from Server/Data Center to Atlassian Cloud is not simply a lift-and-shift effort. There are many differences between the on-premise and cloud versions of Atlassian’s applications, along with differences in the Marketplace Apps. A short discovery effort is recommended to plan and map your migration effort to ensure success. You can learn more about our migration approach here.
  • Compliance – It’s possible Atlassian Cloud may not meet your compliance needs. Currently, Atlassian Cloud does NOT meet the following compliance standards:
    • HIPAA
    • FedRAMP Moderate
    • NIST 800-53
    Review Atlassian’s cloud roadmap to see when they plan on meeting these compliance standards.
  • Trust – Atlassian’s team is dedicated to keeping the trust of their customers, and has you covered. Review information about security, reliability, privacy, and compliance for their products and services here.

Stay Up To Date

Staying on the most recent version continues to be the best strategy. Once a system is stable, it is easy to keep what works and slowly fall out of date. For Oxalis customers on Server and Data Center versions of Atlassian products, we perform regular updates, which in this case meant users had been on fixed versions since February 2022.

Build Security at Depth

While implementing zero trust architectures can be challenging, choosing architectural patterns that allow isolation and segmentation of infrastructure components both reduces the blast radius and limits exploitation.


We are here to help

If you need help understanding whether you’re at risk from CVE-2022-0540, hardening your existing infrastructure, getting ongoing maintenance help, or moving to a more compliant infrastructure, our award-winning team is here to help. As a group of technology consultants and product leaders operating in various highly regulated industries, Oxalis has a strong focus on security. We don’t just care when vulnerabilities occur; it’s a key piece of how we operate as a firm.

DevSecOps Security Best Practices – Webinar [ON-DEMAND]

On March 30th 2022, we held a webinar on DevSecOps security best practices. Participants had the opportunity to hear from Oxalis on how to improve the security of their software development processes and reduce risk exposure. Topics included:

  • [4:07] Software security background
  • [4:48] DevSecOps builds upon DevOps
  • [12:20] DevSecOps introduction
  • [14:13] Full lifecycle security
  • [20:42] Stepping into DevSecOps
  • [23:38] Software Supply Chain Management
  • [28:22] Static Code Analysis
  • [31:01] Build Artifact Analysis
  • [34:15] Integrating into the CI/CD Pipeline
  • [39:25] Sample DevSecOps Toolchain
  • [44:41] How to get started

Did you miss our DevSecOps Webinar? Access the On Demand version now


5 “Do-Now” Business Cybersecurity Changes

As technology gets smarter, so do hackers. Your data could be at risk without you even knowing it. Don’t wait until it is too late to institute change: we have highlighted the top 5 cybersecurity changes for your business or organization to institute today.

1. Enable IAM MFA

The easiest way to increase the security of your data is to control how your users can access it. A single password on its own is obsolete and leaves a door open for hackers. Adding Multi-Factor Authentication creates more barriers to entry: it becomes much harder to gain access to a user’s sensitive accounts when there are multiple steps before any data can be accessed. This is especially important for Identity and Access Management (IAM) users within Amazon Web Services. Requiring multiple authentication steps before granting access is imperative for IAM users, who hold greater access and broader editing capabilities within the platform and are therefore very lucrative targets for hackers. Get more information.

2. Turn on CloudTrail. Now.

CloudTrail is a very beneficial feature within Amazon Web Services. It records the access history of your AWS account, giving you an ongoing record of activity around your valuable projects. This also increases the security of AWS accounts because it increases visibility. CloudTrail helps you spot errors faster and smarter, and it supports downloading, searching, archiving, and responding to account activity. Why wait? Turn on CloudTrail today!

3. Your sensitive data may not be safe, can you plug the leak? 

Hackers can often infiltrate systems unnoticed until it is too late, so you run the risk of exposing your data to various threats without even knowing it. Do not wait for an attack to happen; enhance your security today and prepare for the possible outcomes of the risks you face.

4. Do a quick scan

It is important to understand your security posture from an overarching perspective. Continually checking your systems promotes familiarity and consistency, helping you spot unwanted users and limit their ability to access your sensitive information. Regular, quick scans at a foundational level help you maintain security with ease. Get started.

5. Lock down your ACLs. Don’t be the one to make your S3 bucket public.

An AWS S3 bucket stores your data in a public cloud, allowing increased accessibility alongside heightened security. However, it is easy to accidentally make sensitive information publicly available to external users. Creating and securing Access Control Lists (ACLs) within AWS limits such accidental mistakes. These lists delegate access to buckets and objects, letting you expressly control who gets to see what. They also help block fraudulent accounts that attempt access from within internal domains or with internal credentials. Talk to an expert.
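The following is an added example (not Oxalis' own code) that turns items 1, 2 and 5 above into checks a defender can run: console users without MFA from the IAM credential report, gaps in CloudTrail coverage, and bucket ACL grants to the public groups. The inputs are constructed samples in the shapes the AWS APIs return (credential report CSV, describe_trails trail list, get_bucket_acl response), so the logic runs offline; the account ID, user names and bucket owner ID are made up.

```python
# Added example (not Oxalis' own code): offline checks for items 1, 2 and 5 above, run
# over data in the shapes AWS returns so the logic is testable without an account.
# In practice the inputs come from boto3: iam.get_credential_report()["Content"],
# cloudtrail.describe_trails()["trailList"] and s3.get_bucket_acl(Bucket=...).
import csv
import io

# Constructed IAM credential report (only the columns used here matter). Note that
# AWS reports password_enabled as "not_supported" for the root account row.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2022-04-01T00:00:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T00:00:00+00:00,true,2022-04-01T12:00:00+00:00,2022-01-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2021-05-09T00:00:00+00:00,true,2022-04-02T08:00:00+00:00,2021-05-09T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""

# Constructed bucket ACL in the get_bucket_acl response shape: a READ grant to the
# AllUsers group is what "accidentally public" looks like at the ACL level.
PUBLIC_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Item 1: identities that can sign in with a password but have no MFA device."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if (r["user"] == "<root_account>" or r["password_enabled"] == "true")
            and r["mfa_active"] != "true"]  # access-key-only users are skipped


def cloudtrail_gaps(trails: list[dict]) -> list[str]:
    """Item 2: reasons the account still lacks a complete, tamper-evident trail."""
    gaps = []
    if not trails:
        gaps.append("no trail configured")
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        gaps.append("no multi-region trail")
    if not any(t.get("LogFileValidationEnabled") for t in trails):
        gaps.append("log file validation disabled")
    return gaps


def public_acl_grants(acl: dict) -> list[str]:
    """Item 5: ACL grants to the AllUsers / AuthenticatedUsers groups, as group:permission."""
    return [f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}"
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]
```

Block Public Access settings and bucket policies can expose a bucket independently of its ACL, so the ACL check is one of several that belong in a full review.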

Time to Make the Business Cybersecurity Changes

It is important to institute a cybersecurity roadmap for your business before your sensitive information ends up in the wrong hands. Comprehensive assessments are sometimes needed to better understand your company’s security structure. Security is no longer a “one and done” situation; now is the time to emphasize the operational effectiveness of your data security. Learn how Oxalis can help you cover your blind spots and keep data in your own hands. If you need help with Atlassian, feel free to contact us.
