A road map to achieve Level 1 CMMC compliance from IOvations.
Background
Where nefarious cyber actors have, and continue to, target the supply chain of the Department of Defense, there will be mandatory requirements to protect sensitive defense contract information in order to bid on and win future business. This is in response to historically low compliance rates associated with NIST 800-171. Proving compliance with the new certification, called the Cybersecurity Maturity Model Certifications (CMMC), is an effort to ensure every organization working in some capacity for the Defense Department has adequate controls in place for the level of controlled unclassified materials it processes.
Who must comply with the CMMC?
All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. The CMMC Accreditation Body (CMMC AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate companies’
CMMC levels
Understanding the CMMC framework; This is a certification process to measure and assess an organizations ability to protect sensitive defense contract information and provides a certification element to verify implementation of the requirements at a “level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain”.
The CMMC has five levels that reflect the maturity and reliability of an organization’s cybersecurity infrastructure to safeguard sensitive government information on their information systems. The five levels are tiered and build upon each other’s technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.
Level 1: A company must perform “basic cyber hygiene” practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” It does not include public information or certain transactional information.
Level 2: a company must document certain “intermediate cyber hygiene” practices to begin to protect any Controlled Unclassified Information (CUI) through implementation of some of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls,” but does not include certain classified information.
Level 3: A company must have an institutionalized management plan to implement “good cyber hygiene” practices to safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.
Level 4: A company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
Level 5: A company must have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
Achieving Level 1 CMMC compliance
Access Control
(AC.1.001) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Identifying who is allowed to use your company computers & ensure they have their own accounts to log in with is a start. Also, don’t share passwords and don’t write passwords where they can be viewed. Also, when an employee leaves your company, disable their accounts. Lastly, have employees either log out or lock computers when they are not in use. If you don’t disable passwords, use easily guessed passwords or leave computers logged in so that anyone can access your data these will cause a fail.
(AC.1.002). Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Your non information technology employees should only have “user” rights to their computer, not “admin” rights. Generally, organizations should use permissions in your business applications and file shares to limit employees from viewing sensitive information about your federal contracts. If everyone has “admin” rights this will cause a fail here.
(AC.1.003). Verify and control/limit connections to and use of external information systems. Keep your company network and computers separated from other businesses or the home network. Have your own internet router and don’t let other companies share it. Only use company computers for working on Federal contracts, never home computers, and never public computers. If you share a WI-FI network with another business in the same building, so that their computers can communicate with your computers, if someone was network savvy, they could use this to eavesdrop on your internet browsing, or try to hack your computer directly. Also, using a personal laptop or tablet to work on a Federal contract can put sensitive information onto a device that isn’t secure. These two last actions can cause a fail.
(AC.1.004). Control information posted or processed on publicly accessible information systems. If you use cloud storage like Dropbox, OneDrive, and Google Drive, make sure that sharing is not enabled and your account has a good password. Tell your employees not to share their cloud documents with anyone outside of the contract. Also, don’t post sensitive information onto public websites or public media. If when you set up a cloud storage location, and simply share it with “everyone” or use a blank password. Now everyone on the internet can view and download your files. This will cause a fail.
Identification & Authentication.
(IA.1.076). Identify information system users, processes acting on behalf of users, or devices. Use individual accounts for each person in your business, and don’t allow password sharing. Individual accounts let your computers and software know who is logged on so that the appropriate level of access is granted and their actions can be traced back to them. For example, If multiple people know the password for your computer, which has the credentials for your bank stored in the web browser and one day funds are stolen from your bank account, when you review the logs it says that your account did it. It is impossible to determine who stole the funds.
(IA.1.077). Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Ensure that all your company computers and devices require a username and password or other log-on method before they can be accessed. Your company mobile phone should have a pattern or PIN required to unlock it. The computers and devices should lock themselves after 10 or 20 minutes if not used. The password should not be guessable – default passwords should be changed. An example to avoid might be if you have an old manufacturing computer have no password because it controls factory machines and production would be slower if you have to log on to it each day. Or, never changing the default password on your security system.
Media Protection
(MP.1.118). Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. Before letting a computer, mobile device, or thumb drive leave your possession, work with an IT professional to destroy the data on them. There are two safe ways to destroy hard drives: 1) by hammering or crushing the data module, 2) by using a special program to overwrite the data many times. Make sure to shred documents and CDs before you get rid of them. What you want to avoid have happening is selling your old work computers to someone who could then use IT forensic techniques to read the sensitive data stored in them. Or, let someone borrow a thumb drive which previously stored sensitive information (even if it was “deleted”). You don’t want to throw any of these devices in the trash without
destroying the data first.
Physical Protection
(PE.1.131). Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. Identify the areas of your company work spaces that are public and private. Keep your computers, devices, network gear, and sensitive information in the private area. If you don’t have any employees actively supervising the private area, lock the door when you leave. What you don’t want to do is run cables for your internal network to wall jacks in the guest waiting area. You also don’t want to leave the front office unlocked and unsupervised while you are in the shop working. Lastly, don’t leave your laptop on the table, logged on, at Starbucks, while you go to the bathroom.
(PE.1.132). Escort visitors and monitor visitor activity. You need to be able to positively identify anyone who is in your facility and challenge those who don’t have permission to be there. A small company with should know each person on sight. If you see anyone else in your space, you need to stop them, and potentially call the police. Larger companies (where employees don’t know everyone) use employee and visitor badges to show who is allowed to be there. What you don’t want to do is to be not escorting a
utility worker when they come inside to “do repairs”. They could be a bad person trying to steal sensitive information or hack your network. Not calling the police if an unknown person was found wandering around inside your offices.
(PE.1.133). Maintain audit logs of physical access. Use a sign-in and sign-out sheet for employees or visitors. If you can afford it, use cameras around your facility to identify everyone who enters and exits, including your employees. Install electronic locks with individually-assigned keys that keep a record of who went through them. What you want to avoid is finding computers stolen and not having any idea who was in the
building during the last 24 hours.
(PE.1.134). Control and manage physical access devices. Restrict the number of people who can unlock the doors or disable the security system at your business. Lock your doors and windows to protect your computers and documents. If an employee leaves,
change the locks. If you can afford it, use electronic locks that can easily be re- programmed. You don’t want to have never changed the door locks even though you’ve had employees leave in the past. Also, you don’t to leave windows unlocked.
Systems & Communication Protections
(SC.1.175). Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. Just like parts of your facility are “private”, you should treat your company network as private. For very small businesses, the private network is connected to the LAN ports on your internet router. Make sure your firewall stops all traffic from the internet by default, so that internet attacks can’t reach your computers. You don’t want to post the WI-FI password to your internal network in an area that non-employees can see. You need to be using a firewall.
(SC.1.176). Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Very small companies probably shouldn’t try to operate servers that are connected to the internet. Use a web hosting company to host your website. Hire a security specialist if you need to open access from the internet to any of your computers so that they can set it up securely. You don’t want to modify your firewall so that it allows traffic from the internet to go to one of your computers or devices. This is called “opening a port” and exposes your computer to internet attacks.
Systems & Info Integrity
(SI.1.210). Identify, report, and correct information and information system flaws in a timely manner. Enable automatic download and install of system updates / patches on all of your devices. If your scanner, printer, router, or business software hasn’t been updated in a while, you should search for the latest update and install it. You remove apps that are no longer supported by the vendor. What you don’t want to be doing is still be using Windows XP or Windows 7 on your computers. You also don’t want to click cancel every time your system asks for an update. Lastly, you don’t want to have never updated your printer or router.
(SI.1.211). Provide protection from malicious code at appropriate locations within
organizational information systems. Have a working antivirus program on each of your computers. Any reputable antivirus program will work. Use an email service that includes virus removal, such as Office 365. Consider a router with threat protection. You don’t want to ignore warnings from your antivirus that it detects malware. You also don’t want to bypass the inherent protection on your tablet or phone by “jail-breaking” it.
(SI.1.212). Update malicious code protection mechanisms when new releases are available. Make sure your computer antivirus and firewall threat protection is eligible for updates by paying for the subscription. Make sure all of your computers can download the antivirus definitions by giving them regular internet access. You want to avoid having your shop computer hadn’t downloaded new antivirus updates in a year because it isn’t connected to the network. Or you didn’t renew the antivirus subscription so the computers can’t download new definitions.
(SI.1.213). Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Configure your antivirus program to do a full scan weekly, and to provide “active protection”. Don’t cancel the antivirus scans because they make your computer slow!
While most of the guidance to achieve compliance may be something you have in place already. If you want some help with the guidance referenced here please contact the author Jeff Hood at 781-856-1846 or jhood@IOvations.com
