
How to Achieve CMMC Level 1 Compliance

Written by Waits Sharpe | Jan 7, 2025 7:17:35 PM

The Cybersecurity Maturity Model Certification (CMMC) has been finalized, and many organizations have started to take a deeper look at their own compliance posture. "What level will I have to comply with?", "How can I ensure I pass my audit?" and "How can I implement the necessary controls?" are all valid questions that many businesses are asking themselves. CMMC compliance is required for any organization that works within the Defense Industrial Base (DIB), but the level of compliance may vary depending on the contract. The CMMC model is divided into three maturity levels: Foundation, Advanced, and Expert. Each level builds upon the requirements of the previous one, meaning that, regardless of where the DoD says you must be, your organization will have to start with the fundamentals. This blog highlights the first level of CMMC compliance and what it means for your organization.

Defining CMMC Level 1

CMMC Level 1 focuses on implementing "basic cyber hygiene" to protect "Federal Contract Information" or FCI. Level 1 encompasses the practices outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21, where FCI is defined as "Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments."

While Levels 2 and 3 of the CMMC model require third-party audits conducted by certified organizations, Level 1 only requires a yearly self-assessment. Keep in mind that it is important to report your compliance status accurately: false reporting can lead to legal, financial, and reputational consequences down the road, including contract loss.

Examples of FCI:

  • General supplier information
  • Technical specifications
  • Proposals or bids
  • Government communications
  • Statements of work

CMMC Level 1 consists of 17 practices divided into six domains.

Access Control

Maintain strict control over who has access to FCI by limiting system access to authorized users and controlling what types of actions they can execute. It is important to document authorized users and review their access periodically, as required by CMMC.

Identification and Authentication

You should be able to identify users and devices, and authenticate them to ensure they are who they say they are.

Media Protection

Implement policies for sanitizing or destroying media containing FCI prior to its release or disposal.

Physical Protection

You must limit physical access to your organization's systems and equipment to authorized users only. Make sure to also escort visitors in and out of the physical environment and monitor their activity.

System and Communications Protection

Monitor, control, and protect your organization's communications at its external and key internal boundaries.

System and Information Integrity

Have policies in place for identifying and remediating vulnerabilities, providing protection against malware, and consistently updating your applications and devices.

How to Achieve Level 1 Compliance

The time it takes to implement these practices may vary based on how far an organization already is in implementing them. The practices outlined in FAR 52.204-21 are considered basic and should realistically be implemented in most organizations regardless of whether or not they are required. However, this isn't always the case.

Start by assessing your organization's current security posture, identifying where your gaps lie, and determining what must be done to remediate them. It is impossible to improve without a baseline of where you currently stand. Your organization should also develop a System Security Plan (SSP), a document that outlines how your organization plans to meet CMMC requirements. This document will be required for future audits, but it is also helpful in keeping track of how each requirement is met.

Many small and medium-sized businesses will choose to enlist the help of a managed service provider (MSP) to help them meet compliance requirements. An effective MSP provides the tools, resources, and expertise to implement the required controls and maintain them throughout the duration of your organization's contract. It is important to emphasize that compliance is not a "one and done" process. It requires continual management and monitoring of security controls, making an MSP a valuable partner.

CorpInfoTech's TAS for CMMC Compliance

CorpInfoTech, an MSP, provides enterprise-level IT, cybersecurity, and compliance solutions to small and medium-sized businesses. Through TAS for CMMC Compliance, we help contractors achieve up to Level 2 of the CMMC compliance model. We are committed to CMMC Level 2 and expect to be one of the first certified MSPs under CMMC, with our audit completed in January 2025.

We've gone through the process, and we've experienced the complexities of CMMC compliance firsthand, which is why CorpInfoTech is uniquely positioned to help your organization achieve and maintain compliance!

Contact us today to start your pathway to CMMC compliance with our TAS for CMMC Compliance!