If you work with the Department of Defense in any form, you’ve probably heard the term Cybersecurity Maturity Model Certification (CMMC) mentioned. But what is the CMMC, and how can you meet its standards?
The CMMC is the Department of Defense's (DoD) response to supply chain attacks and recent cyberattack trends. Previously, contractors that handled sensitive DoD information were already required (under DFARS 252.204-7012) to implement NIST SP 800-171, but compliance was self-attested and rarely verified. The CMMC keeps the underlying requirements and adds verification: a self-assessment with a signed affirmation at the lowest level, and assessments by an accredited third party or by the government at the higher levels. All DoD contractors will eventually need to meet the CMMC level named in their contract, no matter where they sit in the supply chain. The DoD wants to know that you are actually following proper cybersecurity procedure, not just saying so.
CMMC 2.0 Levels
CMMC 2.0 defines three levels of cybersecurity maturity, each building on the previous one. (The original CMMC 1.0 model had five levels; CMMC 2.0 collapsed them to three, dropping the intermediate "transition" levels and the separate process-maturity requirements. If you see a five-level description, you are looking at the superseded model.)
Level 1 (Foundational)
At Level 1 your organization must perform the 17 basic safeguarding practices that FAR 52.204-21 already requires of any contractor handling Federal Contract Information (FCI): for example, limiting system access to authorized users, identifying and authenticating users before granting access, keeping malware protection installed and updated, sanitizing or destroying media before disposal, and escorting visitors. FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." It does not include information the Government provides to the public or simple transactional information such as that needed to process payments. Level 1 is verified by an annual self-assessment, with the result and an affirmation by a senior company official submitted to the Supplier Performance Risk System (SPRS).
Level 2 (Advanced)
Level 2 applies to organizations that handle Controlled Unclassified Information (CUI). CUI is "information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls," and it does not include classified information. Level 2 requires all 110 security requirements of NIST SP 800-171, which means your cybersecurity practices must be documented as well as implemented: NIST SP 800-171 itself calls for a System Security Plan (SSP) describing how each requirement is met and a Plan of Action and Milestones (POA&M) for any requirement not yet met.
Documenting your practices is essentially what it sounds like: the DoD wants to see that you have recorded what you do to protect your organization. For example, how often is your data backed up? What are your password requirements for users? Who owns each procedure, and how is it applied consistently company-wide, including how new end users are trained on security awareness and how current employees are kept up to date?
Depending on the program, Level 2 is verified either by a triennial assessment from a CMMC Third-Party Assessment Organization (C3PAO) or, for a subset of contracts, by an annual self-assessment; in both cases an affirmation must be submitted to SPRS annually.
Level 3 (Expert)
Level 3 is for organizations handling CUI on the DoD's highest-priority programs. It builds on Level 2 by adding a subset of the enhanced requirements in NIST SP 800-172, which are designed to defend against advanced persistent threats (APTs). NIST defines an APT as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors. The enhanced requirements emphasize detection and response capability, such as threat hunting and round-the-clock security operations; managed detection and response (MDR) services can be useful in meeting them. Level 3 is assessed by the government (the Defense Contract Management Agency's DIBCAC) every three years.
Preparing Your Organization for CMMC & Attaining Level 1 Compliance
Your organization should become thoroughly familiar with the CMMC 2.0 requirements for the level your contracts will demand, and then assess your cybersecurity posture against them. Gather all of the information you can, understand which practices already follow proper procedure, and identify areas for improvement. Consider working with an outside vendor that understands CMMC to help assess your current level and create a security roadmap for maturing your controls over time. Your organization should also continue to monitor updates from the DoD Cybersecurity Maturity Model Certification Program, since the rulemaking and rollout schedule have changed more than once.
Step 1: Understand What CMMC Level 1 Compliance Requires
CMMC Level 1 focuses on basic cyber hygiene and applies to businesses handling Federal Contract Information (FCI) but not CUI, as stated earlier in the blog. For Level 1 compliance you will need to implement 17 specific security practices spread across six domains. These are the same safeguarding requirements FAR 52.204-21 already imposes on any contractor with FCI on its systems (the final CMMC rule, 32 CFR Part 170, numbers them as that clause's 15 requirements, but the substance is unchanged), so a contractor that is already honoring that clause is most of the way there.
Step 2: Identify the Security Practices to Implement on Key Domains
CMMC 2.0 Level 1 includes security practices from the following domains:
- Access Control (AC): Limit system access to authorized users and devices.
- Identification and Authentication (IA): Ensure that users are properly identified before accessing systems.
- Media Protection (MP): Control and secure media, especially removable media.
- Physical Protection (PE): Restrict physical access to data systems.
- System and Communications Protection (SC): Monitor and control communications at system boundaries.
- System and Information Integrity (SI): Protect against malicious code, keep that protection updated, scan files from external sources, and identify, report and correct system flaws in a timely manner.
Step 3: Conduct a Self-Assessment
Develop a checklist of the 17 security practices required for Level 1, using the practice identifiers from the DoD's CMMC Level 1 Assessment Guide (for example AC.L1-3.1.1, limiting system access to authorized users) so that your evidence maps to the same assessment objectives an assessor would use. Assess your current environment against each practice and record where you are missing a security measure. Note that Level 1 allows no Plan of Action and Milestones: every one of the 17 practices must be fully met before you can affirm compliance. While Level 1 requires minimal documentation compared to higher levels, it is beneficial to record policies and any relevant actions taken, because that record is your evidence.
Step 4: Implement Basic Cyber Hygiene Practices
- Access Control: Define roles, give each user only the access their job requires, and restrict access to sensitive information. Keep FCI off publicly accessible systems such as your website.
- User Authentication: Issue each person a unique account (no shared logins) so actions can be traced to an individual, enforce strong passwords, and consider multi-factor authentication (MFA) for all access points. MFA is not a Level 1 practice but becomes mandatory at Level 2.
- Protect Physical Access: Secure devices physically with locks, monitor and log access to sensitive areas, escort visitors, and control keys and badges.
- Limit Data Transfers: Control USB and other removable media use, sanitize or destroy media containing FCI before disposal or reuse, and establish clear guidelines for secure data sharing and transfers.
- Boundary Protection: Put a firewall between your internal network and the internet, and keep publicly accessible systems (such as a web server) on a separate network segment from internal systems.
- Patch Systems: Identify, report and correct software flaws promptly, and apply vendor security updates on a defined schedule.
- Malware Protection: Use reliable antivirus software, keep it up to date, and scan files from external sources as they are downloaded or opened. Educate employees on safe online practices.
Step 5: Train Employees on Cybersecurity Basics
Security awareness training is not itself one of the Level 1 practices (the Awareness and Training domain enters at Level 2), but several Level 1 practices depend on employees doing the right thing: not sharing accounts, escorting visitors, not plugging in unknown media, and not posting FCI on public-facing systems. Conduct training sessions that help employees identify phishing attacks, follow safe internet and email practices, and understand the importance of securing devices and data. Employees can be your first line of defense against cyberattacks; arm them with the knowledge and skills to combat digital threats.
If you're in need of security training for your employees, NetGain is offering live cybersecurity awareness training to local organizations as part of our Cybersecurity Public Service Initiative. No cost to you and no strings attached! Connect with us for more details and to schedule your training!
Step 6: Monitor and Maintain Compliance
Set a schedule for regular internal audits to ensure ongoing adherence to Level 1 requirements, and remember that the self-assessment and affirmation must be repeated annually. Cyber threats evolve, so it is essential to revisit and adjust practices and security policies periodically.
Step 7: Submit Your Self-Assessment and Keep the Evidence Ready
Level 1 does not involve a third-party assessor: you submit the results of your self-assessment and an affirmation by a senior company official to SPRS, and you repeat both annually. Keep all documentation, evidence that each of the 17 practices is implemented, and records of employee training sessions. The DoD may review that evidence, and if a future contract requires Level 2, the same evidence is the starting point for an assessment by a CMMC Third-Party Assessment Organization (C3PAO). Organized documentation will streamline either process.
Security Beyond CMMC…
It is important to note that CMMC compliance is only a starting point for your cybersecurity strategy and practices. Beyond being CMMC compliant, it is imperative that your organization stays up to date on the cyber landscape and adapts as needed. Your organization should have an ongoing review process to measure the effectiveness of your cybersecurity strategy and a plan for corrective action when it falls short. Promoting a culture of cybersecurity awareness and training your organization is a vital step as well. Cyber threats are evolving and attackers are getting smarter and trickier, so your cyber defense strategy must evolve too!