The new compliance requirement for businesses working with the U.S. Department of Defense (DoD) is the Cybersecurity Maturity Model Certification (CMMC). The CMMC model is designed to protect Federal Contract Information (FCI) that is by default in all federal government contracts and covered defense information, which is often technical information that is provided by the government or may be produced by the defense contractor.
The model consists of five levels, with each higher level incorporating increasing levels of security. These levels are based on practices that are grouped into 17 domains; at the basic level, there is Level 1 with 17 practices across six domains, at Level 5, there are 171 practices spread across all 17 domains. The goal is for all 300,000 companies in the defense industrial base to be audited and certified compliant to one of the CMMC levels by 2026. The CMMC compliance certification will be a baseline requirement; with the appropriate certification level, there will be access to DoD contracts; without certification, a company will be deemed unqualified.
This article is focused on CMMC Level 1; Level 1 will be the most common level constituting about 80 percent, or 240,000 companies, in the defense industrial base. This discussion will focus on two of the six domains in Level 1. These domains are physical protection (PE) and systems and information integrity (SI). In terms of the CMMC model, physical protection is focused on controlling, managing, and monitoring physical access to FCI, and by extension, the company's controlled information. Systems and information integrity is focused on ensuring the organization's information management system resources are continuously updated and monitored to reduce the risk of compromise.
As mentioned in the last column, the foundation for system access control is identity management, which is the ability to uniquely identify all system users. Through user identification, access to system resources, both physical and electronic, can be controlled and monitored. In many ways, access control is a key concept in terms of physical protection. As with access control, the principle of least privilege is a control used in establishing and maintaining physical protection. The rule states that there should be no universal access and that all users are to be restricted to only the applications and tools that they need to do their job. In terms of physical protection to meet this requirement, ensure access to physically controlled information and to spaces, documents, cabinets, and machinery is restricted to only the individuals that need it for their job. This control is the focus of practice PE.1.131, which is to "limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals."
Other physical protection practices are the requirement to escort and monitor visitors and their activity (PE.1.132), and to establish, maintain, and to audit the visitor logs or visitor sign-in sheets (PE.1.133). These controls are met by recording and restricting access to company facilities and places where controlled information is stored or worked; it would also include critical equipment or access to utilities or monitoring equipment. The goal is to control access to those elements that, if tampered with, would have a detrimental impact on the company. The last practice, in terms of Level 1 physical protection, is focused on maintaining control of the organization's physical access devices, defined as keys, keycards, codes, biometric access, etc. (PE.1.134). The goal is a holistic approach in terms of physical access control, which is controlling access and controlling the devices that allow access. It does little good if the house has sophisticated alarms and monitoring devices if the front door key is under the front doormat.
The next Level 1 practice is systems and information integrity (SI). At Level 1, this domain is focused on ensuring the integrity of the system software and monitoring. The first practice in this domain is focused on Identifying, reporting, and correcting information and information system flaws in a timely manner (SI.1.210). Few, if any, organizations have the ability to access operating system software and applications for errors and flaws. What all organizations can do to meet this practice requirement is to ensure their software is up to date and current. All software has errors and flaws; these are vulnerabilities that are corrected through the manufacturer's updates and patch releases. A fundamental of basic cyber-hygiene is to ensure that all software is current.
The next three practices are focused on malicious code protections or installing, using, and ensuring the antivirus software is current and up to date. The requirement is for the installation of antivirus software (SI.1.211), ensuring the software is current and updated (SI.1.212); the software conducts periodic scans of the system and scans files as they are downloaded, opened, and executed (SI.1.213). To meet this requirement is simply to make sure your antivirus software is on, the automatic update option is on, and that the antivirus software periodically scans your files and scans downloads.
The practices outlined here and in the last article are the foundations for basic cyber-hygiene, which are the foundation for CMMC Level 1. These practices do not require a staff of IT professionals; they are implemented through common-sense procedures, the installation of common software, and the use of elementary administrative controls. Implementing these controls will reduce your organization's exposure to vulnerabilities and will go a long way in terms of ensuring compliance to the Level 1 CMMC model.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171 Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at email@example.com.