How CMMC Level 1 Provides a Foundation for Future Levels

The first level of the CMMC framework is intended as the entry point to the higher levels. Level 1 is all that is required for contracts that involve only Federal Contract Information (FCI); any contract that involves Controlled Unclassified Information (CUI) requires a higher level (level 3 at minimum), so for most of the defense industrial base level 1 is a starting point rather than a destination. It is also by far the easiest level to implement, since it consists of only 17 practices, which map to the 15 basic safeguarding requirements of FAR 52.204-21 that contractors are already bound by. By contrast, level 5, the highest level, consists of 171 practices, including all of those of the previous levels.

What are the CMMC controls?

CMMC controls (the framework calls them practices) are actionable items spanning people, processes, and technology (PPT) that must be implemented to achieve a given cybersecurity maturity level. They are grouped into 17 domains, or categories, such as access control, identification and authentication, media protection, and incident response.

The framework is based on NIST Special Publication 800-171, the control set that DFARS clause 252.204-7012 already requires contractors handling CUI to implement. CMMC builds on it with additional practices drawn from other sources at the higher levels. Rather than replacing the existing clause, CMMC is introduced through its own DFARS clause (252.204-7021) alongside it; what changes is that compliance is verified by assessment rather than left to self-attestation.

Establishing robust authentication controls

Authentication controls govern the who and how of accessing sensitive information. The most basic form is the username and password combination, which has been the standard since the earliest multi-user systems. On its own it no longer offers satisfactory security: passwords are routinely phished through social engineering, reused across services, and replayed in credential-stuffing attacks, so a stolen password is often all an attacker needs. Level 1 only requires that users, processes, and devices are identified and authenticated before access is granted, but organizations should already be moving towards multifactor authentication (a NIST SP 800-171 control that becomes mandatory at level 3 for privileged and network access) and zero-trust principles, under which every request is authenticated and authorized rather than trusted because it originates inside the network.

Understanding media sanitization practices

To the layman, media sanitization might seem like nothing more than formatting a retired computer or other data-bearing device. However, a format typically rewrites only the filesystem metadata at the start of the medium; the file contents stay on disk and are easily recovered with readily available data recovery software. Data is only gone once every block that held it has been overwritten or the medium has been destroyed. For magnetic disks, a single pass of zeros over the whole device is sufficient on modern drives (NIST SP 800-88 Rev. 1 no longer calls for multiple passes), followed by reading the device back to verify that nothing remains. For SSDs and flash media, overwriting from the host cannot be trusted to reach every cell because of wear leveling and spare capacity, so use the drive's built-in sanitize command (ATA Secure Erase or NVMe Sanitize) or a cryptographic erase instead. Full disk encryption only counts as sanitization if the key is securely destroyed, and physical destruction remains the fallback for anything that cannot be verified. At level 1 the requirement is simply that media containing FCI is sanitized or destroyed before disposal or reuse; whichever method you use, record what was done to which device.
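As an added example that is not part of the original article, the following POSIX shell script shows why a quick format leaves data recoverable and what a verified single-pass overwrite looks like. It runs on a constructed disk image file, so it is safe to try; the SECRET-FCI-DOCUMENT marker and the 1 MiB image size are constructed sample values. Given a block device path as root, the same functions overwrite the real medium, which destroys everything on it, and they are not a substitute for the drive-level sanitize commands an SSD needs.

```shell
#!/bin/sh
# Added example, not code from the original article. Shows why a "quick
# format" leaves data recoverable and what a verified single-pass overwrite
# (the Clear method of NIST SP 800-88) looks like. Runs on an ordinary file
# used as a disk image, so it is safe to try. Given a block device path as
# root (e.g. /dev/sdX) the same functions overwrite the real medium, which
# destroys everything on it. Host-side overwriting is NOT sufficient for
# SSDs; use nvme sanitize / hdparm --security-erase or cryptographic erase.

# make_sample_image PATH: constructed 1 MiB image with a marker in the middle,
# standing in for a document that was stored on the medium.
make_sample_image() {
    head -c 1048576 /dev/zero > "$1"
    printf 'SECRET-FCI-DOCUMENT constructed sample content' |
        dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# bytes_of TARGET: size in bytes of a regular file or a block device.
bytes_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# quick_format TARGET: what a format usually does, rewrite only the
# filesystem metadata at the start of the medium. File data stays in place.
quick_format() {
    head -c 4096 /dev/zero | dd of="$1" conv=notrunc 2>/dev/null
}

# secret_recoverable TARGET: returns 0 if the marker can still be read back,
# which is all a data recovery tool needs.
secret_recoverable() {
    grep -qa 'SECRET-FCI-DOCUMENT' "$1"
}

# overwrite_and_verify TARGET: one pass of zeros over every byte, written in
# place (conv=notrunc, so the existing blocks are rewritten rather than the
# file being truncated and reallocated elsewhere), flushed to stable storage,
# then read back in full. Returns 0 only when no non-zero byte remains; the
# read-back is the verification step that makes the sanitization defensible.
overwrite_and_verify() {
    target=$1
    size=$(bytes_of "$target") || return 2
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null || return 2
    sync
    remaining=$(tr -d '\000' < "$target" | wc -c | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# Walk-through on a temporary image.
img=$(mktemp)
make_sample_image "$img"
quick_format "$img"
secret_recoverable "$img" && echo "after quick format: marker still readable"
overwrite_and_verify "$img" && echo "after overwrite: verified, no data remains"
rm -f "$img"
```

The verification read-back is the part most ad-hoc wipes skip: a record saying "overwritten" is only worth something if someone read the medium back afterwards and found nothing.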

Defining physical and logical access controls

Although access controls incorporate authentication controls, they also include physical and other logical measures that keep unauthorized users away from systems and information. Physical access controls include locked doors, visitor escort and sign-in logs, and Kensington locks for laptops. Logical access controls should be managed centrally, through a directory or identity provider rather than local accounts on each machine, so that administrators can instantly disable any account that may have been compromised or that belongs to an employee who has left the company, and so that each user's access is limited to the transactions and functions they actually need. Level 1 also expects connections to external systems, and any information posted to publicly accessible systems, to be controlled.

Securing networked assets with firewalls

Firewalls are analogous to the fire doors installed to stop a fire spreading through a building. They may run on individual endpoints, as with the built-in firewall software in Windows, or at the network boundary on the router or a dedicated appliance. Level 1 expects communications at the external boundary to be monitored, controlled, and protected, and publicly accessible components such as web servers to sit on their own subnetwork, separated from internal systems. A sensible baseline for every device is default deny inbound: block everything, then allow only the services that must be reachable, and only from where they must be reachable. Matters are more complicated in distributed environments that make extensive use of cloud-hosted resources, where security groups and cloud-native firewalls take over the boundary role and the rules must be managed in each provider. Many organizations extend their visibility with managed detection and response (MDR) services that monitor traffic and endpoint activity; these complement boundary controls but do not replace them.
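As an added example that is not part of the original article, here is a default-deny host firewall for a Linux endpoint written as an nftables ruleset wrapped in a small shell script. The management subnet 10.0.10.0/24 and the decision that only SSH needs to be reachable are hypothetical assumptions chosen for illustration; the weak setting being replaced is an input chain with "policy accept", which exposes every listening service on the host to any network it joins.

```shell
#!/bin/sh
# Added example, not from the original article: a default-deny host firewall
# for a Linux endpoint expressed as an nftables ruleset. Assumptions (all
# hypothetical): the host only needs SSH reachable, and only from a management
# subnet 10.0.10.0/24; every other inbound connection is dropped and logged.

# host_firewall_ruleset: print the ruleset. The weak setting it replaces is
# "policy accept" on the input chain, which exposes every listening service
# on the host to any network it is connected to.
host_firewall_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 ip saddr 10.0.10.0/24 accept
        limit rate 10/minute log prefix "inbound-drop "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset: parse and validate without loading (needs the nft binary;
# returns 3 if it is not installed).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 3
    host_firewall_ruleset | nft -c -f -
}

# apply_ruleset: load atomically; run as root. The whole file is applied or
# nothing is, so a typo cannot leave the host half-configured.
apply_ruleset() {
    host_firewall_ruleset | nft -f -
}

# count_accept_rules: number of explicit accept rules in the input chain,
# a cheap audit check that the allow-list has not quietly grown over time.
count_accept_rules() {
    host_firewall_ruleset | sed -n '/chain input {/,/^    }$/p' | grep -c ' accept$'
}
```

Run check_ruleset before apply_ruleset on every change. On Windows endpoints the equivalent baseline is the built-in Windows Defender Firewall with its inbound default left at Block and only explicitly created inbound allow rules, which is the same default-deny posture expressed in a different tool.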

Implementing basic endpoint protection

The most basic form of endpoint protection is antivirus software installed on workstations, laptops, and smartphones. Level 1 requires that this protection is in place, kept up to date, and used to scan the system periodically and to scan files arriving from external sources in real time. Traditional signature-based antivirus is largely reactive: it only recognizes malware it already knows, and only once the file has landed on the device. It is therefore just one of several layers each endpoint needs. Devices that hold sensitive information should also be fully encrypted, centrally monitored for suspicious activity or signs of data loss, and protected behind strong authentication. These controls should apply to any connected device, including IoT systems, which are often the least protected devices on the network.

Where to go from CMMC level 1

Implementing only the requirements of CMMC level 1 will qualify your business solely for contracts that involve FCI and no CUI. Level 1 is also unique in that it does not require documented processes: the 17 practices only need to be performed, and process maturity is not assessed at this level. That said, it is an important first step towards the security standards required to compete for DoD requests for proposals that involve CUI. Fortunately, you probably already have most, if not all, of these controls in place, in which case you should be able to start focusing on CMMC level 2.

Charles IT can help you on your CMMC compliance journey by carrying out a comprehensive assessment of your existing security controls. Call us today to schedule your first consultation!