We are already half-way through 2020. And that means you can’t put off Cybersecurity Maturity Model Certification (CMMC) preparation any longer. We here at V2 Systems are going to help with a short guide for getting the bare basics together, so that you’ll at least be prepared for Level 1 certification. Here’s a quick rundown of everything.
CMMC Level 1 Has 17 Controls.
We spoke about the different levels of CMMC in our previous blog. There are 5 levels in total, and each level is made up of numerous security actions that need to be performed in order to achieve certification for that level. The controls in Level 1 come directly from Federal Acquisition Regulation (FAR) 52.204-21, and are considered both basic and essential. Here is the general outline for CMMC Level 1, which makes up about 15% of all 5 CMMC levels:
- Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users or devices.
- Authenticate (or verify) the identities of those users, processes or devices as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Maintain audit logs of physical access.
- Control and manage physical access devices.
- Monitor, control and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
Everyone Should Have CMMC Level 1
CMMC Level 1 is a pretty basic security practice by now. Just looking at the list above, you can see it covers everything from locking office doors, to escorting guests and using strong passwords. It shouldn’t take much effort to reach Level 1, and if you’re not quite there yet, it costs very little, if not almost nothing, to do so. An MSSP can absolutely help you reach the goals listed in Level 1, and that’s where V2 Systems can be a tremendous asset. Keep in mind that if you want to be NIST 800-171 compliant, you have to be at least CMMC Level 3.
Doing work for the Department of Defense is no joke. It’s a job that needs to be taken seriously, no matter the size of your organization. Let us help your image so that the DoD will take you seriously, too.
Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!