What is CMMC?
If you’re wondering about the different levels of CMMC, you probably already have a good idea of what the program is and why it is important to your business. In case you don’t already know, the CMMC (Cybersecurity Maturity Model Certification) is a set of security standards and requirements mandated by the Department of Defense for all vendors. The CMMC aims to reduce the risk that comes with contractors and ensure that they are following best practices when it comes to their information technology.
What are the levels of CMMC?
Each level of CMMC requires a different set of standards and requirements in order to meet that level. As the levels increase, the requirements become increasingly complex. The CMMC includes five different levels, with level 1 being the most basic and level 5 being the most advanced.
What CMMC level does my company need?
To find out which CMMC Maturity Level your organization needs, we recommend that you proactively reach out to your prime contractor. You can also determine your CMMC requirements by simply looking at the data markings and classification you already receive as part of your contract work. If it's Controlled Unclassified Information (CUI), you will have to meet at least level 3. If it's just FCI, you will need ML Level 1 or Level 2.
CMMC Level 1 - Basic Hygiene
For CMMC Maturity Level (ML1), there are six practice areas that organizations need to implement in their operations and management. These six practice areas include:
- Controlling access to IT systems and FCI data.
- Identifying and authenticating users and devices.
- Architecting and Protecting Networks and Subnetworks.
- Ensuring endpoints are patched, scanned, and protected.
- Controlling and limiting physical access to facilities.
- Ensuring media components are properly sanitized when removed from the IT system.
CMMC Level 1 - Practice Areas 1 and 2:
Identity, Credential, and Access Management (ICAM) basics are a key requirement at this stage of the process. You need to ensure that the right person has the right access to the right data at the right time. This is important for company employees and contractors who need access to the FCI data being processed and stored by the organization. As with ICAM basics, it is important to determine the Access Management Model you want to use and for specific data sets.
You also need to identify and track the unique identifiers of each employee, such as account names, devices, etc. ICAM practices need to be identified at all points in your systems. This includes but is not limited to each:
- Desktop
- Server
- VPN
- Network Device
- Printers
- IP Cameras
CMMC Level 1 - Practice Area 3:
When preparing your system architecture for CMMC, keep in mind that system architectures need to account for subnets if your organization has multiple working systems. Publicly available systems, such as hosted websites or FTP servers, must be segregated from internal networks where hosts like fileservers and application servers exist. In addition, at each boundary point, your organization is required to have technical tools in place to monitor and protect inbound and outbound communications. This will generally resemble some sort of Access Control List (ACL), but the name of the tool used may vary. This is usually the case if your organization has built-in a commercial cloud.
CMMC Level 1 - Practice Area 4:
Each system must undergo flaw remediation (a combination of normal patching and Vulnerability Management) on a regular basis, and all hosts must have malicious code protection in place. These malicious code protections must update regularly and scan in real-time all files retrieved from outside the system. This includes files from other company subnets which are not protected under CMMC requirements and must also be fully scanned periodically for malware.
Organizations are expected to have defined time frames for identifying and remediating system flaws and vulnerabilities based on the perceived impact of the flaw. Assessors will expect to see these documented and will review the practices in place for investigating and remediating flaws. Assessors will also expect to see the associated records maintained and up to date for system configuration management.
CMMC Level 1 – Practice Area 5:
Physical access is an often overlooked component in cybersecurity. In the case of CMMC, physical access control to system components and facilities must be implemented. This is expected for all workstations where someone can access the CMMC network. This also includes any printers, scanners, or other IOT devices on the network, all servers, and any rooms or buildings that hold physical copies of data (paper, disc, etc.). Visitor logs must be retained, and visitors must be escorted at all times. Finally, the technology that controls access devices such as keys, key fobs, and biometric scanners must also be accounted for and controlled by the company.
CMMC Level 1 – Practice Area 6:
In the case of Media that has stored or processed Federal data (FCI) will need to be sanitized following DoD guidelines before it is sent for disposal or approved for re-use. For example, after decommissioning a server with drives in a serviceable condition, the organization must ensure proper disposal of that data. CMMC assessors will expect to see records (internal or external certificates) of sanitization following NIST SP 800-88 practices. This framework highlights the shred/destroy option if media are not re-used and the clean and purge options for media which will be re-used.
In the case of CMMC, media refers to both digital and non-digital media. Some examples of media can be important printed materials with sensitive data, thumb drive files, mobile devices, and more.
Next Steps:
Now that you understand the basics of the requirements for level one, you can determine your ability to obtain CMMC Level 1 Maturity.
More about our CMMC RPO Advisory Services
Contact our CMMC experts.