Update: The Department of Defense (DoD) published CMMC 2.0 in Dec 2021 to “cut the red tape” and condense the requirements of CMMC 1.0. CMMC 2.0 will be a contractual obligation for anyone in the DoD supply chain 9-24 months after the DoD finalizes and publishes the updated certification. Please note, information below is based on CMMC 1.0 and is now out of date. The Carbide Team will post a new blog with updated information when the DoD releases full details about the CMMC 2.0.
If you are a DoD contractor or a subcontractor of a larger enterprise and want to get a share of the multi-billion US government spending, you’ll need at least a CMMC Compliance Level 1.
Over the last few years, the Department of Defense (DoD) developed and began implementing the Cybersecurity Maturity Model Certification (CMMC) framework to gain transparency into the security of its contractors and to protect itself from cybersecurity threats. The certification helps assure the US government that their CMMC compliant contracts will not leak vital information that can compromise national security and the economy.
Although parts of CMMC are still in the works in 2021, the DoD has already started including CMMC requirements in their Requests for Information (RFI) or Requests for Proposals (RFPs). Ultimately, companies that can’t demonstrate the required CMMC certification level will be locked out of the running for new contracts.
Overview of CMMC Audit Preparation
Obtaining a CMMC certification opens the opportunity of winning contracts with the DoD. For organizations that already utilize other security frameworks, reaching CMMC Level 1 or higher will be easier. The certification includes many best practices that are also part of information security requirements set out by NIST (the National Institute of Standards and Technology), ISO 27001, HIPAA, and more. NIST in particular has some heavy overlap with CMMC, which includes the 110 security requirements of NIST SP 800-171 in CMMC Level 3.
In preparation for your CMMC compliance, you need to understand the basics of the CMMC model. There are five levels for CMMC compliance. Depending on the level of compliance you need for your potential contract, there are specific CMMC requirements that accompany those levels, based on a list of standard processes and practices.
You cannot self certify for the CMMC certification like you can for NIST SP 800-171 or certain other frameworks. The DoD has made available a quick assessment guide for CMMC Compliance Level 1. With this guide, you can do an in-house assessment before you go for a CMMC certification. The purpose of the guide is to identify possible readiness gaps you can address before evaluation.
17 Domains of the CMMC Model
The DoD determines the level of CMMC compliance you need to do business with the agency. However, getting a CMMC certification does not guarantee that you can close a deal with the DoD. The DoD evaluates potential contractors based on 17 capability domains:
- Access Control (AC)
- Incident Response (IR)
- Risk Management (RM)
- Asset Management (AM)
- Maintenance (MA)
- Security Assessment (CA)
- Awareness and Training (AT)
- Media Protection (MP)
- Situational Awareness (SA)
- Audit and Accountability (AU)
- Personnel Security (PS)
- System and Communications Protection (SC)
- Configuration Management (CM)
- Physical Protection (PE)
- System and Information Integrity (SI)
- Identification and Authentication (IA)
- Recovery (RE)
DoD CMMC Requirements for Level 1 Compliance
The CMMC Level 1 certification is the foundation that your business needs to aim for. Compliance Level 2 up through Level 5 are based on these security practices, with each higher level adding on additional security controls.
To obtain a Level 1 CMMC certification or Basic Cyber Hygiene Course, you need to assure that the CMMC basic security practices itemized below are enforced:
Level 1 Access Control (AC) 1.001
“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).“
You need to know who uses your company computers and make sure that they have unique credentials. You also need to be aware of devices, applications, or systems that connect to your network. If an employee leaves the company, you have to terminate their access.
Level 1 AC. 1.002
“Limit information system access to the types of transactions and functions that authorized users are permitted to execute.”
You need to limit your employees’ access so they cannot view any sensitive information that may compromise your security. Non-IT personnel should only be granted “user” access.
Level 1 AC. 1.003
“Verify and control/limit connections to and use of external information systems.”
Do not share a network with other businesses. Make sure you never use public computers or devices on your home network to access federal contracts or files.
Level 1 AC. 1.004
“Control information posted or processed on publicly accessible information systems.”
If you use cloud services, make sure everyone is aware that they should not share their documents with outsiders. It is best to have a review procedure before posting any information on your website or publicly accessible platforms.
Level 1 Identification And Authentication (IA) 1.076
“Verify and control/limit connections to and use of external information systems.”
Tell your team that password sharing is a capital offense and can put your business in danger. Each employee must have a unique account, so accountability can be easily traced if needed.
Level 1 IA. 1.077
“Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”
Your team should use effective passwords and hard-to-guess usernames to lock and access devices. Make sure all default passwords are changed before use.
Level 1 Media Protection 1.118
“Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”
Before computers, laptops, tablets, hard drives, thumb drives, or CDs leave the possession of your company, make sure you destroy them properly. You can work with IT professionals to ensure the job is done properly.
Level 1 Physical Protection (PE) 1.131
“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”
Devices and gadgets containing sensitive information should be in a private area that’s not accessible to guests or the public. Doors should be locked if no one can ensure the security of said devices.
Level 1 PE. 1.132
“Escort visitors and monitor visitor activity.”
Only authorized personnel should be in your office. In case of intruders, be ready to prohibit entry or call the police for assistance.
Level 1 PE. 1.133
“Maintain audit logs of physical access.”
It will be a good practice to have a log of who goes in or out of your facility. If budget allows, you can install CCTVs to help you in this aspect.
Level 1 PE. 1.134
“Control and manage physical access devices.”
Limit the people who can lock and unlock different areas at your place of work. If an employee resigns or is terminated, consider changing locks.
Level 1 System and Communication (SC) Protection 1.175
“Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.“
Your staff should know that access to websites outside of your company network is not allowed. This lowers your risk of cyberattacks.
Level 1 SC. 1.176
“Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.”
If you are a small business, it is not advisable to have your own servers. Security provisions might be better when you use web hosting companies. If you need to access the internet, consult a security expert on how you can do this safely.
Level 1 System and Information Integrity (SI) 1.210
“Identify, report, and correct information and information system flaws in a timely manner.”
When you no longer need certain software or apps, uninstall them. Also, ensure that you automatically update your devices as not doing so can make you more prone to cyber threats.
Level 1 SI. 1.211
“Provide protection from malicious code at appropriate locations within organizational information systems.”
Invest in good antivirus and antimalware software for your computers. Your email service should also have the feature of scanning for potential threats.
Level 1 SI.1.212
“Update malicious code protection mechanisms when new releases are available.”
Better spend on software subscriptions that can save you from all the headaches and risks of losing a contract with the DoD. They’re worth it so don’t rely on free versions of software.
Level 1 SI. 1.213
“Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”
Turn on the active protection of your antivirus software and make sure you perform regular updates so it is capable of thwarting any evolving threats.
How Carbide Can Help
Achieving CMMC Level 1 compliance is a start toward competing for government contracts — but with help from Carbide, we can help you save time and money reaching compliance Level 1 or higher.
Carbide knows the pain of losing deals because of security issues. Here at Carbide we have made it our mission to create a security management platform that can help you build a security foundation, educate your employees, and sell to large organizations such as the DoD. Our platform is designed to help you achieve compliance with the top security frameworks quickly and efficiently.
Contact us today to learn more about our services.