The Cybersecurity Maturity Model Certification (CMMC) framework is the basis for Department of Defense (DoD) efforts to safeguard controlled unclassified information (CUI) across its vast worldwide supply chain. This framework comprises 171 practices that are stacked across 17 domains and 43 capabilities, each of which belongs to one of the maturity levels in the model.
CMMC standards also cover backup disaster recovery practices that every DoD contractor and supplier should meet. The CMMC Recovery Domain specifically addresses how backups and recovery activities should be conducted.
CMMC Recovery Domain
The CMMC Recovery Domain tasks are all about how to keep organizations running so it can accomplish its objective, fulfill its business function, and/or provide its services. This includes making sure systems are up and running properly after a disruption (such as a cyber assault, IT outage, or natural disaster), as well as preventing the loss of critical data.
You can't protect the government's data and intellectual property if you don't have a recovery strategy in place that covers the most common outage risks your company faces. A lack of defense data may endanger national security or the safety of our military troops. This is why it’s so important to meet CMMC recovery requirements, and what makes the CMMC Recovery Domain mandatory.
What are the CMMC Recovery Domain practices?
In CMMC, the Recovery Domain practices mainly fall under managing either backups or information security continuity. To meet CMMC Recovery Domain requirements, you must conduct the following:
Regularly perform and test backups
Backups are essential to recover data in the event of a hardware or software failure, ransomware assault, or other problems. To ensure you don't lose any data you can't afford to do without, you must follow a backup schedule depending on your company’s specific needs.
A CMMC-capable IT services provider can provide you with more information in determining your optimal backup schedule. Aside from scheduling backups, you should also test them at specific intervals to verify that they are correct and reliable. And so as to not leave anything to chance, make sure to follow this procedure for all of your data, and not just CUI and federal contract information (FCI).
Protect the confidentiality of backup CUIs
Treat CUIs as if they were classified. Access to them should be on a per-need basis, and their storage locations should have ample security. Some common examples of storage solutions that can be configured for CUIs are network attached storage (NAS) drives, cloud backups, File Transfer Protocol (FTP) services, and even simple flash drives. Make sure these storage devices are configured to meet FIPS 140-2 encryption standards. Physical security of all storage spaces where CUI is kept should also be enforced to ensure confidentiality while the data is at rest.
Make sure that backups are stored safely
When attackers penetrate computers, they usually make significant modifications to settings and software. Intruders have also been known to make minute changes in data stored on infected machines, potentially jeopardizing organizational effectiveness if the data is polluted. So when the attackers are discovered, it may be virtually impossible for organizations without a trustworthy data recovery capability to eliminate all traces of the intruder's presence on the machine.
It’s always smart to assume the worst-case scenario, especially since DoD suppliers and contractors work with such sensitive data. Use the best available tools and procedures to regularly backup data and enable recovery no matter what happens. You'll need routine backups that include complete system data to safeguard files from malware and other physical threats such as fire or water damage. Also, you’ll need to ensure that all backups have at least one off-site destination to ensure that any on-site issues don’t affect your data.
Ensure data processing facilities meet organizational standards
Aside from meeting your own data storage and management needs, you should ensure that your partner data processing facilities are up to standard. This guideline concerns itself mostly with payment facilities, as many DoD suppliers and contractors use third-party payment processors to handle financial transactions.
Processing facilities should ideally meet the enrollment and identity proofing standards of NIST SP 800-63-3 digital identity guidelines. These guidelines will assure you that your partner processing facilities can be held accountable for any issues you have with transactions and data processing. Meeting these standards also ensures that your data is protected and recoverable in the event of downtime or a data loss event.
Consult with Charles IT’s team of CMMC experts to ensure that your organization meets Department of Defense standards at all times. Contact us today to learn more!