In our previous blog, we discussed what it is going to take to achieve readiness for the Cybersecurity Maturity Model Certification (CMMC). Potential contractors should determine target contracts, identify and address current readiness gaps, and start reviewing and implementing processes and practices. As we continue along the roadmap to Level 1, we will provide *Readiness Notes* to highlight areas of anticipated pitfalls and headaches.
A potential contractor’s cybersecurity maturity is measured against the five levels in the CMMC model. Each level and the corresponding sets of processes and practices across domains are cumulative. For potential contractors, that means encompassing all the requirements of Level 1 before reaching Level 2, and so on. Each level is broken into two parts: processes and practices (defined below). Level 1’s process maturity is “Performed,” and its practice level is “Basic Cyber Hygiene.”
Defining “Process” and “Practice” for Level 1
- Process – a specified procedure that has been clearly defined by management of the potential contractor. Is the process designed in an effective way to meet the CMMC requirement? (Potential contractors seeking Level 1 will not be required to have documented policies and procedures. Level 1 requires only that the practice be performed by the potential contractor).
- Practice – management’s implementation of the established procedure. Is the process operating effectively when performed?
Level 1 is intended to ensure potential contractors are safeguarding Federal Contract Information (FCI). Level 1 focuses on the protection of FCI through the potential contractor’s performance of basic cyber hygiene practices that correspond to the basic safeguarding requirements outlined in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).
*Although Level 1 does not require potential contractors to have formally documented processes, having a documented process will aid the potential contractor in getting ready for further Levels. Additionally, assessors will take notes on what the potential contractor says is the process. If the supporting evidence does not match the stated claim, it could cause delay and unnecessary confusion.*
Level 1 Requirements
Potential contractors must meet every requirement, because grading for the certification is pass/fail. No partial credit is given to potential contractors. The CMMC Version 1.0 Appendices identify seventeen requirements within Level 1, as follows:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
*Regarding requirements 1-3, 5, 6, and 8: NIST CSF maps multiple types of controls to these requirements; however, many organizations’ practices tend to break down in this category. It is not unusual for terminated users to be overlooked when organizations perform access revocations on information systems. Another intricacy is ensuring that appropriate separation of duties exists for assigned user roles and responsibilities. Potential contractors must pay extra attention to these during the readiness process, since partial credit is not awarded during the certification assessment.*
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity.
10. Maintain audit logs of physical access.
11. Control and manage physical access devices.
12. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries of the information systems.
13. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
14. Identify, report, and correct information and information system flaws in a timely manner.
*Some essential practices mapped to this requirement include adequate employee training on identifying and reporting security incidents. Similarly, vulnerability scanning and risk assessments play an important part in this requirement. Both should be ongoing practices that identify the mitigating efforts needed. Potential contractors should focus on making sure that mitigating efforts are reported and implemented within the established timeline. Many organizations fail to execute on this, and others simply fail to update their supporting evidence.*
15. Provide protection from malicious code at appropriate locations within organizational information systems.
16. Update malicious code protection mechanisms when new releases are available.
17. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
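The two readiness notes above (the access-revocation and separation-of-duties note on requirements 1-3, 5, 6, 8, and the remediation-timeline note on requirement 14) describe checks a potential contractor can run against its own records before an assessor does. The script below is an added example written for this post, not code from the blog authors or from the CMMC or NIST CSF documents. All of the data in it (the HR termination feed, the account export, the role-conflict pair, the findings list, and the remediation deadlines) is constructed sample input; the deadline values are assumptions, not figures the CMMC model prescribes.

```python
"""Readiness self-check (constructed example, not from the blog post).

Three checks that match the readiness notes above:
  * orphaned accounts: users HR shows as terminated but whose account is
    still enabled (missed access revocation)
  * separation-of-duties violations: one enabled account holding both roles
    of a conflicting pair
  * overdue findings: open vulnerability findings past the organisation's
    own remediation deadline
All input data below is constructed sample data.
"""
from datetime import date, timedelta

# Constructed HR termination feed: employee id -> termination date.
HR_TERMINATIONS = {
    "e1001": date(2020, 3, 2),
    "e1002": date(2020, 4, 15),
}

# Constructed account export from one information system.
ACCOUNTS = [
    {"user": "e1001", "enabled": True,  "roles": ["ap_entry"]},
    {"user": "e1002", "enabled": False, "roles": ["ap_entry"]},
    {"user": "e1003", "enabled": True,  "roles": ["ap_entry", "ap_approve"]},
    {"user": "e1004", "enabled": True,  "roles": ["ap_approve"]},
]

# Constructed separation-of-duties rule: role pairs one person may not hold.
SOD_CONFLICTS = [("ap_entry", "ap_approve")]

# Constructed vulnerability findings from a scan or risk assessment.
FINDINGS = [
    {"id": "F-1", "severity": "high", "opened": date(2020, 3, 1), "closed": None},
    {"id": "F-2", "severity": "low",  "opened": date(2020, 3, 1), "closed": None},
    {"id": "F-3", "severity": "high", "opened": date(2020, 4, 1), "closed": date(2020, 4, 10)},
]

# Assumed remediation deadlines in days by severity (an organisation's own
# "established timeline", not a value from the CMMC model).
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}

# Date the self-check is run as of (constructed).
AS_OF = date(2020, 5, 1)


def orphaned_accounts(hr_terminations, accounts, as_of):
    """Return user ids terminated on or before as_of whose account is still
    enabled. Each one is an access revocation that was missed."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"]
        and a["user"] in hr_terminations
        and hr_terminations[a["user"]] <= as_of
    )


def sod_violations(accounts, conflicts):
    """Return (user, role_a, role_b) for every enabled account that holds
    both roles of a conflicting pair."""
    hits = []
    for a in accounts:
        if not a["enabled"]:
            continue
        held = set(a["roles"])
        for role_a, role_b in conflicts:
            if role_a in held and role_b in held:
                hits.append((a["user"], role_a, role_b))
    return hits


def overdue_findings(findings, sla_days, as_of):
    """Return ids of still-open findings whose remediation deadline
    (opened date plus the severity's allowed days) has already passed."""
    overdue = []
    for f in findings:
        if f["closed"] is not None:
            continue
        deadline = f["opened"] + timedelta(days=sla_days[f["severity"]])
        if deadline < as_of:
            overdue.append(f["id"])
    return overdue


if __name__ == "__main__":
    print("orphaned accounts:", orphaned_accounts(HR_TERMINATIONS, ACCOUNTS, AS_OF))
    print("SoD violations:", sod_violations(ACCOUNTS, SOD_CONFLICTS))
    print("overdue findings:", overdue_findings(FINDINGS, SLA_DAYS, AS_OF))
```

Running it as written reports e1001 as an enabled-but-terminated account, e1003 as holding both the entry and approval roles, and F-1 as an open high-severity finding past its deadline. In practice the three inputs would come from the HR system, the system's own account export, and the vulnerability tracker, and the dated output of each run is the kind of supporting evidence the notes say organizations forget to keep current.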
Later in this blog series, we will continue to discuss each of the four remaining CMMC levels and suggested steps for achieving CMMC readiness.
For more information regarding CMMC readiness, please contact Director of Cyber Intelligence, Kendall Blaylock, at firstname.lastname@example.org.
Cybersecurity Maturity Model Certification v1.0 (CMMC v1.0)
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF v1.1)