The Department of Defense (DoD) has cited an estimate that cybercrime cost the economy $600 billion in 2016. Beyond that direct economic cost, there are also opportunity costs that come in the form of threats to national security. These factors, amongst other things, spawned the creation of the Cybersecurity Maturity Model Certification (CMMC). In this article, we will be exploring the CMMC Level 1 controls.
The DoD, in partnership with stakeholders in the Defense Industry Base (DIB), conducted a gap analysis of the defense industry supply chain with regard to cybersecurity resilience. As a result of that analysis, the rules for admitting vendors and other third parties into the supply chain were substantially revised. It has now become mandatory that any vendor or other party that interfaces with the DIB or the DoD must acquire Cybersecurity Maturity Model Certification.
Cybersecurity Maturity Model Certification
The CMMC is a model created by the DoD in conjunction with stakeholders within the DIB. The model itself is an amalgamation of various frameworks and standards, primarily, but not limited to, the NIST SP 800 series and the Code of Federal Regulations (CFR).
In general, a maturity model designates the level of best practice that is integrated within an organization’s culture based on several factors, and the CMMC does so within the discipline of cybersecurity.
CMMC provides a benchmark against which organizations can ascertain their cybersecurity capabilities, measured against the practices and processes laid out by the model. In the next section we will look at what is meant by practices and processes.
Domains
The CMMC model framework maps each domain to a set of processes and practices, which are then broken down into 5 levels; this article discusses the CMMC level 1 controls. The domains are the categories of the framework, of which there are 17. As stated by the organization:
“The majority of these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) publication 200 and the related security requirement families from NIST SP 800-171.”
“The 17 Domains” Image Source: Cyber Security Maturity Model Certification Version 1.0, January 30, 2020, page 7.
The domains contain the processes and practices an organization must integrate and implement to achieve compliance with the various levels of the model. The level of compliance required depends on the sensitivity of the information the organization processes along the DoD supply chain.
It may seem a little complicated at first, but it will make more sense as you read on.
Level One Processes and Practices
As briefly explained above, the processes and practices are the baselines for the cybersecurity maturity of an organization, with each level showing higher maturity. They are nested within the separate domains (see the figure caption below).
Whilst the practices are actionable steps to be implemented, the processes show an integration of cybersecurity within the culture of the organization and are not measurable by a simple implementation checklist.
“CMMC Model Framework (Simplified Hierarchical View)”, Image Source: Cyber Security Maturity Model Certification Version 1.0, January 30, 2020, page 3.
Having said that, the CMMC level 1 controls do not assess process maturity, as the process itself is dictated by the implementation of the practices; more on this below.
Level one process, “performed”: Process maturity is not assessed for level one, as it is determined by the implementation of the practices. The nature of the practices means the organization:
“May only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation” – CMMC page 5
Level one practices “basic cyber hygiene”: The first level only involves the protection of Federal Contract Information (FCI), and so the practices correspond to the “basic safeguarding requirements” laid out in 48 CFR 52.204-21.
What Is Cyber Hygiene
Essentially, cyber hygiene is similar to any other kind of hygiene: it is the daily practice of taking care of things that would deteriorate over time if not given proper attention, like brushing your teeth twice a day.
Cyber hygiene is no different; it is the fundamental practice of maintaining a healthy security environment. The practices may include keeping a proper inventory of software and hardware assets, continuous scanning for system vulnerabilities, and so on. Read our complete guide on cyber hygiene here.
CMMC Level 1 Controls
Now that we have discussed the basic overview of the model, the domains, and the processes and practices, let’s look at what the CMMC level 1 controls entail.
As mentioned earlier, each of the levels is determined by the sensitivity of the information processed on the DoD supply chain. Naturally, level one is the most basic compliance level, but even if your organization handles increasingly sensitive information, the maturity model is cumulative.
This means the processes and practices of the previous levels must be implemented and integrated before your organization can advance to a higher maturity level; in other words, understanding level one is the first step and a must.
Of all 17 domains, only 6 are involved in level one certification. Those are:
- Access Control (AC)
- Identification and Authentication (IA)
- Media Protection (MP)
- Physical Protection (PE)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Access Control
The access control domain requires your organization to track who has access to the systems and network. This also includes the limitation of responsibilities of users of the network, such as who has administrative privileges. Access also encompasses remote access and internal system access.
The level one practices that fall under this domain are, as quoted by the CMMC:
- AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- What to do?: Use password/PIN protection on all devices and systems
- AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- What to do?: Control user rights, i.e. ensure proper use of admin privileges, etc.
- AC.1.003: Verify and control/limit connections to and use of external information systems.
- What to do?: Use organizational wifi/connectivity only (no public or unauthorized)
- AC.1.004: Control information posted or processed on publicly accessible information systems.
- What to do?: Limit sharing capabilities and use password protection on things like cloud services.
Identification and Authentication
This domain encompasses those practices that have to do with roles within your organization. The organization must ensure that access to systems and networks can be traced and authenticated for reporting and accountability purposes.
The level one practices that fall under this domain, as quoted by the CMMC are:
- IA.1.076: Identify information system users, processes acting on behalf of users, or devices.
- What to do?: Don’t allow password sharing and create individual accounts for all personnel.
- IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- What to do?: Change default passwords and ensure all devices (mobile, desktop, etc.) are password protected.
Media Protection
This domain within the model requires that organizations have a strong handle on the identification, tracking, and maintenance of all media within the organization. Additionally, the organization should establish policy for the protection, sanitization, and transportation of media. An example of this could be USB drives that have to leave the premises of the organization, or that are no longer needed and should be disposed of properly.
The level one practice that falls under this domain, as quoted by the CMMC, is:
- MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- What to do?: Shred any physical documents that are no longer of use, or perform multiple data erasure passes on storage media before disposing of it.
Physical Protection
This domain concerns the physical security of your organization. Your organization must ensure that all measures are taken to secure physical assets such as server rooms, desktop terminals, physical data storage locations, and visitor areas. This domain is often overlooked within the overall structure of organizational security; for example, are visitors being supervised when visiting the premises, or are they left to their own devices? This could pose a serious threat if the visitor is a bad actor in disguise.
The level one practices that fall under this domain, as quoted by the CMMC are:
- PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- What to do?: Designate public and private areas within the organization, where devices are only accessible to authorized personnel.
- PE.1.132: Escort visitors and monitor visitor activity.
- PE.1.133: Maintain audit logs of physical access.
- What to do?: Use sign-in and sign-out sheets for employees, or a keycard system that can log physical access to the building; the use of CCTV is also encouraged.
- PE.1.134: Control and manage physical access devices.
- What to do?: Restrict the number of personnel who can unlock areas or disable security controls (such as CCTV or electronic locks).
System and Communications Protection
In this domain, organizations should implement security controls to protect communication channels at the system boundary. Firewalls provide boundary-level defense for communication into and out of the organization’s network. Utilizing technology at the boundary can demonstrate to the DoD that the organization has the necessary controls in place to direct, track, and manage communications.
The level one practices that fall under this domain, as quoted by the CMMC are:
- SC.1.175: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- What to do?: Ensure that firewalls block traffic from the internet by default, and that all devices and terminals of the organization fall within the boundaries of the firewall.
- SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- What to do?: SMEs and other organizations with limited resources should not attempt to run their own servers directly connected to the internet. Web hosting should be done through a hosting company with integrated security. If the organization does need to expose devices to the internet, hire a specialist to ensure it is done securely; contact RSI Security today for all your cybersecurity needs.
System and Information Integrity
The final domain that falls under the CMMC level 1 controls is system and information integrity. Essentially, this domain requires the organization to manage and correct flaws within the information system. This could mean identifying hazardous and/or malicious content within the system, applying email protection, monitoring your systems and networks, and general data management practices such as deleting unnecessary data and maintaining appropriate documentation.
The level one practices that fall under this domain, as quoted by the CMMC are:
- SI.1.210: Identify, report, and correct information and information system flaws in a timely manner.
- What to do?: Update, update, update. Ensure the organization updates systems with the latest patches; the organization could also enable auto-updating for devices and operating systems to limit the opportunity for attackers to exploit outdated devices and systems. It is also necessary to remove applications that are no longer supported by their vendors.
- SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.
- What to do?: Ensure that all computers on the network have antivirus installed, preferably from a reputable source. Utilize emailing platforms that have inbuilt virus removal, such as Office 365. Given the company resources, it may also be useful to use routers that have threat detection capabilities.
- SI.1.212: Update malicious code protection mechanisms when new releases are available.
- What to do?: Ensure that the antivirus and firewall products in use still receive updates. This is usually guaranteed through paid subscriptions to reputable antivirus/anti-malware software.
- SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
- What to do?: Enable virus scanning capabilities on antivirus software and ensure the scans are run frequently enough (weekly).
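A small self-check that runs the “What to do?” items above over a device inventory and reports which Level 1 practice IDs each device currently fails. This is an added example, not code from the CMMC or from RSI Security; the Device fields, the constructed inventory and the day thresholds are assumptions for illustration, since Level 1 itself does not specify numbers.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed review thresholds in days; CMMC Level 1 sets no figures, these are ours.
MAX_PATCH_AGE = 30    # SI.1.210: flaws corrected "in a timely manner"
MAX_AV_DEF_AGE = 7    # SI.1.212: protection mechanisms updated on new releases
MAX_SCAN_AGE = 7      # SI.1.213: periodic scans (the article suggests weekly)

@dataclass
class Device:
    name: str
    login_protected: bool           # AC.1.001: password/PIN on the device
    shared_accounts: bool           # IA.1.076: shared logins defeat traceability
    default_password_changed: bool  # IA.1.077
    inbound_default_deny: bool      # SC.1.175: firewall blocks inbound by default
    days_since_patch: int           # SI.1.210
    antivirus_installed: bool       # SI.1.211
    days_since_av_update: int       # SI.1.212
    days_since_scan: int            # SI.1.213

def assess(d: Device) -> list[str]:
    """Return one 'PRACTICE-ID reason' string for each Level 1 check the device fails."""
    checks = [
        (d.login_protected, "AC.1.001 no password/PIN protection"),
        (not d.shared_accounts, "IA.1.076 shared account in use"),
        (d.default_password_changed, "IA.1.077 default password unchanged"),
        (d.inbound_default_deny, "SC.1.175 inbound traffic not denied by default"),
        (d.days_since_patch <= MAX_PATCH_AGE, f"SI.1.210 last patch {d.days_since_patch}d ago"),
        (d.antivirus_installed, "SI.1.211 no antivirus installed"),
        # SI.1.212/213 only make sense once antivirus exists; SI.1.211 already flags its absence.
        (not d.antivirus_installed or d.days_since_av_update <= MAX_AV_DEF_AGE,
         f"SI.1.212 antivirus definitions {d.days_since_av_update}d old"),
        (not d.antivirus_installed or d.days_since_scan <= MAX_SCAN_AGE,
         f"SI.1.213 last scan {d.days_since_scan}d ago"),
    ]
    return [reason for ok, reason in checks if not ok]

def assess_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device name to its findings; an empty list means every check passed."""
    return {d.name: assess(d) for d in devices}

def failed_practices(devices: list[Device]) -> set[str]:
    """Practice IDs failed by at least one device, the view an assessor looks at first."""
    return {f.split()[0] for fs in assess_inventory(devices).values() for f in fs}

# Constructed sample inventory for illustration, not real hosts.
INVENTORY = [
    Device("laptop-01", True, False, True, True, 12, True, 2, 3),
    Device("recept-pc", True, True, False, True, 45, True, 30, 20),
    Device("printer-1", False, False, False, False, 200, False, 0, 0),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```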
C3PAO and Closing Remarks
As the DoD transitions from NIST SP 800 self-certification to the new CMMC model, it will require vendors and all businesses to be certified through Certified Third-Party Assessment Organizations (C3PAOs).
RSI Security will be undergoing the process to become a C3PAO, but it is never too early to get in touch with us; your security is our top priority. Whether or not you need assistance with CMMC, RSI Security offers a host of cybersecurity services. Book a free consultation today!