When the Department of Defense revamped its cybersecurity program, it created the “Cybersecurity Maturity Model Certification” (CMMC). The DoD and its contractors are required to follow the CMMC, and businesses may be assigned a “level” of certification.
These levels correlate with how well a business is prepared to handle cyber threats against unclassified but sensitive information. The CMMC Level 1 certification simply means that a business has implemented various security controls recommended by NIST. Note that this does not mean that the business has necessarily documented its practices, or even that all employees follow them. It means that the business’s processes predominantly align with NIST’s security objectives.
A Level 1 certification is the first step contractors take in ascending the ranks to the highest possible CMMC Level 5.
CMMC Level 1 Certification and Preparation
Remember, there has been no official guidance released for certification, nor has there been any agency licensed to certify businesses. However, there are clear steps that businesses can take to better posture themselves for future certification.
To ensure that your preparation time is spent wisely, consult a reputable cybersecurity firm about your preparation curriculum. Although the security controls designated as “critical” by FAR have been required of contractors since 2016, earning this certification is a way to demonstrate that your company actually follows them.
Before getting into the list of requirements, note that all subcontractors and service managers you may employ must also meet all CMMC Level 1 qualifications.
Now, let’s go over some steps to prepare. First, you’ll need to explain to your employees what the controls are and why they must comply with them. Remember, people are most comfortable continuing to do what they know, even if it’s not correct. It’s imperative to both provide employees with reading materials and training as well as enforce these controls.
While CMMC Level 2 and beyond typically require in-house cybersecurity staff, Level 1 does not. Companies that have not traditionally followed these controls may need a while to adopt them. However, following them shouldn’t add any additional expenses and, if anything, should lower operating costs.
It’s always safest to partner with a company that is well-versed in the CMMC. The standard is a lot of text to digest and can easily be misinterpreted by those who aren’t seasoned in the security field.
What Are the CMMC Level 1 Controls?
There are 17 primary controls you should know before embarking on your certification journey. Remember that these controls are nuanced and complex; we’re simply summarizing what you should expect to see. Always double-check against the actual NIST and FAR standards.
Your company will need to prevent non-employees from accessing its systems; using strong passwords is often a good first fix. You’ll also need to follow the principle of least privilege: users should have access only to the information and functions they need for business purposes.
Next, you’ll need to ensure that company devices connect only to your company’s network. You’ll also need to make sure that you aren’t accidentally leaking sensitive information through publicly accessible sites. Part of this level also involves ensuring that users are accountable: each user should have a distinct, logged account on all of your information systems.
This is likely common sense, but you must change the default passwords on all devices and systems. All the sensitive data you use must be securely destroyed when no longer needed, regardless of medium. To keep data secure, you’ll also need reliable antivirus software with regular scans and threat-definition updates enabled.
Finally, you’ll need to keep tabs on who goes in and out of your building. Nobody unauthorized should be permitted past your lobby. All visitors should be escorted, and nobody who doesn’t need access to your systems should be able to get physically close to them.
Implementing Each Security Requirement for CMMC Level 1
Because CMMC is new, being ready for certification can give your business a significant boost over the competition. However, that requires your company to be truly ready for the certification process.
Trusted cybersecurity companies like TrustNet can help get you on track for certification. In the meantime, any security issues at your company can be corrected to avoid costly data breaches.
It’s logical to want to keep things in-house to keep costs down. In this instance, however, it would be more costly not to take advantage of a trusted service to help your company. In the long term, you can ensure that your business is well-positioned to win contracts and stay secure in the process.