CMMC 2.0 Overview
In this article, we have broken down the main concepts of the CMMC Level 1 with a few examples and contexts. The total requirements for Level 1 will add up to 17 specific requirements. For example, Access Control (AC) has four practices AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, and AC.L1-3.1.22. In Level 1 of the CMMC, the compliance requirements are equivalent to the requirements listed in FAR 48 CFR 52.204-21. This level is considered the “basic cybersecurity hygiene” of an organization. All CMMC Level 1 practices are required to do business with the federal government. CMMC Level 1 is all about protecting Federal Contract Information (FCI).
Small businesses with level 1 compliance requirements have six additional security practices to follow. A security practice in terms of technology would be referring to “this part of security.” It’s like someone saying, “Here’s the context of my issue, and it’s in the banking industry.” The practice would be the specific area, say the mortgage department. Each in CMMC is given a unique label. For example, IA.L1-3.5.1 is the specific practice to identify information system users or processes acting on behalf of users or devices.
Self-Assessment and Compliance
In cybersecurity, you have different areas of concern within your security model. It would be best to have security adherence to the 17 practices required in level 1 for all your business units. The compliance is shown by entering a score in the Supplier Performance Risk System (SPRS); the score entered by a senior company official indicates that your organization complies. This score needs to be maintained and updated at least once per year
AC – Access Control
Your ability to ensure who has controllable access to your business’ systems is essential for your protection. In this step, it’s necessary to ask, “Who can log into my computers, get into the places I store my information or get on the network that we use for Wi-Fi?” Can any action such as a download, an approval process, or a transaction be performed on technology within your organization without first having to enter clearance credentials? Any point of digital or physical entry to information should be in compliance word protected and have different levels of access on a need-to-know basis. Not all information should be accessible to everyone. Creating tiers and access levels within your company is very important to protecting privacy. This has become increasingly important since many organizations allow work-from-home options. 95% of security professionals report facing additional challenges due to this.
IA – Identification and Authentication
Each user should have a unique log-in. While it may be convenient for some people to share logins, you don’t know who is responsible for the malicious activity when something terrible happens. According to a Microsoft Multi-Factor Authentication Report, compromised identity credentials being used by bad actors were not able to be identified for an average of 100 days after being compromised! This can create issues in many areas of your company and is an easy way for someone to wreak havoc without being traced. Every user should have a standard account with different identities if other roles are needed. Have you ever noticed how social media pages and websites have roles for Admin, Editor, Moderator, or Contributor associated with them? This makes it easier to classify what access permissions each person can. Most major software has documentation regarding roles and access levels that would be an excellent resource to investigate based on the technology you are utilizing within your business.
MP – Media Protection
Is there a process for ensuring that equipment has been disposed of properly with encryption or has undergone physical destruction? A sanitization process needs to be in place for any systems that have been used to house Federal contract information before it can be repurposed or thrown away. This also includes physical files! So, don’t forget to shred those documents during your spring cleaning!
PE – Physical Protection
This involves each piece of equipment being protected. Can people come and go without being noticed or monitored? Are visitor badges issued and identities logged? Are there cables in public access points that someone could easily connect into the network with? Your space, who is in it, and what comes in and out of it must be secured and documented.
SC – System and Communications Protection
This practice comes down to ensuring you have good boundaries that can be tracked and separate your systems from outside use. Do you have an approval process to provide anything that gets shared digitally is appropriate to be made available? Any posts on your blog, social media, or even pictures taken in the office should have a protocol of behaviors and reviews to ensure that sensitive information is not shared. In 2018, a photo taken inside a Hawaii Emergency Agency with a password publicly viewable created a powerful spark of concern regarding agency protection! This should not be the norm for your business, to begin with! However, knowing that media created inside your company could make a security risk, having a culture that takes this seriously in a review process is incredibly important. If you have a Wi-Fi network that guests can access, it should not be the same network you are running your internal network. You should also be able to have the ability to monitor any information that is transmitted or received from your network and its devices.
SI – System and Information Integrity
We’ve all heard of email phishing schemes! It would help if you had good antivirus protection to ensure that nothing can be removed or added to your devices without your knowledge. Any attempted data breaches or identified malicious files within your organization should be reported to the DoD Cyber Crime Center.
What’s Next to Get CMMC Level 1 Compliant?
To provide the proper documentation signifying the Level 1 CMMC requirements have been met, a senior member of your organization needs to attest that the Level 1 requirements are met, and an SPRS score needs to be entered. The federal government has an excellent video tutorial on entering and several downloadable PDF help files.
If you need help navigating the CMMC compliance process, entering an SPRS score, or need assistance creating a valid POA&M, Cubed Corps Cyber Security can support you in this process. Contact us today to get started!