Did the expensive and resource-intensive requirements of Defense Federal Acquisition Regulation Supplement (DFARS) compliance prevent you from bidding on a US Department of Defense (DoD) contract before? Well, you’ll be happy to know that the DoD is now transitioning to the Cybersecurity Maturity Model Certification (CMMC) framework.
The original CMMC model has five cybersecurity maturity levels, with the two lowest levels — CMMC Level 1 and 2 — not requiring DFARS compliance at all. This is because not all DoD contracts involve handling controlled unclassified information (CUI), so Levels 1 and 2 allow non-DFARS-compliant firms to still vie for these contracts.
Why Aim for CMMC Level 1?
As seen in the diagram above, Level 1 has the fewest security requirements of all the CMMC levels, because at this level DoD contractors only have to safeguard federal contract information (FCI). This makes it the easiest and most cost-efficient level to achieve, which is ideal for small companies.
Further reading: FCI and CUI, What Is the Difference?
What Are the Different CMMC Level 1 Requirements?
Each CMMC level is characterized by a set of cybersecurity processes and practices, as shown in the diagram below. For Level 1, the “processes” are described as “performed” and “practices” as “basic cyber hygiene.”
Processes: Performed
At Level 1, you are only expected to execute the cybersecurity practices specified for this level (see next section).
Unlike in higher levels, at Level 1, you are not yet required to have your cybersecurity strategies on paper or be assessed by accredited third-party assessors/auditors. Because of this, a CMMC Level 1 supplier may have limited or inconsistent cybersecurity maturity processes.
Practices: Basic Cyber Hygiene
Since this level focuses on the protection of FCI, CMMC Level 1 suppliers are only expected to have limited resistance against data exfiltration and limited resilience against malicious actions. The required CMMC Level 1 controls are equivalent to the 17 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21.
To help you achieve all 17 controls, we’ve provided a checklist for each item:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Identify the people who are allowed to use your company’s IT resources, then create unique user accounts for each of them.
- Secure each user account with a strong password.
- Ask your employees to log out or lock their computers when these are not in use.
- Disable the user accounts of employees when they leave the company.
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Limit the user accounts with “admin rights” to select personnel in your organization, such as your IT staff.
- Review and limit the employees who can access, view, edit, or share company files and programs, especially those about your federal contract.
3. Verify and control/limit connections to and use of external information systems.
- Only use company computers — never personal or public ones — to work on federal contracts.
- Separate your company network and IT resources from those of other companies or your employees’ homes.
4. Control information posted or processed on publicly accessible information systems.
- If you use a cloud storage service, make sure it can only be accessed using a complex password.
- Do not share documents with anyone outside of the federal contract.
- Make sure your employees do not post sensitive information on public websites or public media.
5. Identify information system users, processes acting on behalf of users, or devices.
- Ensure that the access privileges of each user account are appropriate to the person’s role in the company.
- Do not allow sharing of user accounts or passwords.
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Change all default passwords. Secure all company accounts and devices with unique, complex passwords or PINs.
- Program all company computers and devices to automatically lock after 10 or 20 minutes of inactivity.
7. Sanitize or destroy information system media containing FCI before disposal or release for reuse.
- Before discarding or reusing any company computer, mobile gadget, or storage device, work with an IT professional to destroy the FCI it contains.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Identify the areas of your office which are public and private.
- Make sure your computers, devices, network gear, and sensitive information are only in private areas.
- If there are no authorized personnel actively supervising a private area, make sure to lock the door to that area.
9. Escort visitors and monitor visitor activity.
- Identify and supervise visitors.
- Do not allow unauthorized persons to enter your office.
10. Maintain audit logs of physical access.
- Use a sign-in and sign-out sheet for employees and visitors.
- If you can afford it, install surveillance cameras around your facility and use individually assigned keys and electronic locks that record who used them.
11. Control and manage physical access devices.
- Limit the number of people who can change or disable your office’s security system.
- Protect your company files and computers by keeping your doors and windows locked.
12. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Protect your company network with a firewall.
- Don’t post your company Wi-Fi password in an area where unauthorized persons can see it.
13. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- If you lack the expertise to operate your own internet-connected servers, use a web hosting company to host your website.
14. Identify, report, and correct information and information system flaws in a timely manner.
- Regularly install system updates and patches on all of your devices.
- Remove apps that are no longer supported by the vendor.
15. Provide protection from malicious code at appropriate locations within organizational information systems.
- Install a reliable antivirus solution on all company devices.
16. Update malicious code protection mechanisms when new releases are available.
- Regularly update your cybersecurity solutions.
17. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
- Configure your antivirus software to provide “active protection” and conduct full, regular scans.
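One way to check several of these items on a single Windows workstation, as an added example that is not from the original article or from Charles IT: the PowerShell audit below reads local account state (items 1, 5 and 6), Administrators group membership (item 2), the machine inactivity limit (item 6), patch recency (item 14) and Microsoft Defender status (items 15 to 17), and lists anything that falls short of the checklist. It changes nothing; it only reports. It assumes a workgroup Windows 10/11 machine with local accounts and Defender as the antivirus, an elevated PowerShell session, and that the names in `$allowedAdmins` and `$genericNames` are placeholders you replace with your own IT staff accounts and your own naming conventions.

```powershell
# Added example, not part of the article or any CMMC publication: read-only audit of a
# Windows workstation against several CMMC Level 1 checklist items.
# Assumptions (mine): standalone/workgroup Windows 10/11, local accounts, Microsoft
# Defender as the antivirus, run from an elevated PowerShell session.

$findings = New-Object System.Collections.Generic.List[string]

# Items 1 and 5: one unique account per person, nothing shared. Flag enabled accounts
# with generic names (placeholder list, adjust to your environment) and enabled
# accounts with no logon in 90 days, which often belong to people who have left.
$genericNames = @('Guest', 'shared', 'office', 'reception', 'temp')
foreach ($u in Get-LocalUser) {
    if ($u.Enabled -and ($genericNames -contains $u.Name)) {
        $findings.Add("Items 1/5: enabled generic or shared account '$($u.Name)'")
    }
    if ($u.Enabled -and $u.LastLogon -and $u.LastLogon -lt (Get-Date).AddDays(-90)) {
        $findings.Add("Item 1: '$($u.Name)' is enabled but last logged on $($u.LastLogon.ToShortDateString())")
    }
}

# Item 2: admin rights limited to named IT staff. Placeholder names; replace with yours.
$allowedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\itadmin")
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($allowedAdmins -notcontains $m.Name) {
        $findings.Add("Item 2: unexpected member of Administrators: $($m.Name) ($($m.PrincipalSource))")
    }
}

# Item 6: automatic lock after 10 to 20 minutes of inactivity. Windows enforces this
# through the "Machine inactivity limit" policy value InactivityTimeoutSecs (600-1200 s).
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $polKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $timeout -or $timeout -eq 0 -or $timeout -gt 1200) {
    $findings.Add("Item 6: machine inactivity limit is '$timeout' seconds; set InactivityTimeoutSecs to 600-1200")
}

# Item 14: updates installed regularly. The newest installed hotfix is a rough proxy;
# 45 days without one is my threshold, not a CMMC number.
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastHotfix -or $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings.Add("Item 14: newest installed update is from '$($lastHotfix.InstalledOn)'; check Windows Update")
}

# Items 15-17: antivirus present, real-time ("active") protection on, signatures
# current, and a full scan within the last 30 days (again my thresholds).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add("Item 15: Microsoft Defender status unavailable; confirm an antivirus is installed and running")
} else {
    if (-not $mp.AntivirusEnabled)          { $findings.Add("Item 15: Defender antivirus engine is disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Item 17: real-time protection is off") }
    if ($mp.AntivirusSignatureAge -gt 7)    { $findings.Add("Item 16: antivirus signatures are $($mp.AntivirusSignatureAge) days old") }
    if (-not $mp.FullScanEndTime -or $mp.FullScanEndTime -lt (Get-Date).AddDays(-30)) {
        $findings.Add("Item 17: no completed full scan in the last 30 days")
    }
}

# Report. An empty list means every check above passed on this machine; it does not
# cover the physical, policy and documentation items in the checklist.
if ($findings.Count -eq 0) {
    Write-Output "No findings for the automated checks on $env:COMPUTERNAME"
} else {
    Write-Output "Findings for $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on each company computer and keep the output with the date; even at Level 1, where no written plan or third-party assessment is required, a dated record of what you checked is the easiest way to show the practices are actually performed. The thresholds (90 days since last logon, 45 days since the last update, 7-day signatures, 30-day full scan) are illustrative choices, not values taken from the CMMC model.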
Do these security requirements sound too technical for you? Don’t worry, the IT experts of Charles IT can help you achieve your CMMC certification. Get started by scheduling our gap assessment.