CMMC 2.0 was recently announced, and with it a new set of CMMC compliance standards. If you are unfamiliar with CMMC, it stands for Cybersecurity Maturity Model Certification and is intended to create a unified standard of cybersecurity for Department of Defense contractors and subcontractors to protect sensitive information. In short, the intent is to minimize the data breaches within the Defense Industrial Base (DIB) that are occurring at an alarming rate as technology advances. As of 2021, the average cost of a single data breach was $4 million, with the most costly being approximately ten times that amount. Luckily, there are simple yet effective ways to lower the possibility of costly data breaches and the potential compromise of Defense information.
While the three Maturity Levels (ML) of CMMC can be overwhelming and incredibly in-depth for those unfamiliar with basic cyber resilience, ML1 covers basic cyber hygiene and is the foundation for ML2. The three CMMC controls required by ML1 are Access Control, Physical Protection, and System and Information Integrity. These can be implemented whether you are a DoD contractor seeking CMMC certification or someone looking to improve your company's cybersecurity. Below are three items every organization can implement immediately to improve cyber resilience.
Authentication and MFA
Controlling who can access information is arguably the most important practice of cybersecurity. By limiting who can access information, you are cutting down the flow of information to unknown sources. Implementing authentication at both the account level and the computer level helps secure both. In addition to requiring a basic username and password, MFA, or Multi-Factor Authentication, should be implemented for every system. MFA can be configured with a mobile application, such as Google or Microsoft Authenticator, or with a one-time-use code received by SMS or phone call.
Physical Protection
Access control, as previously discussed, covers the non-physical aspect of information access. However, there is also a need for Physical Protection, or PP, of information to maximize basic cybersecurity. One way to do this is to restrict physical access to systems and equipment by always escorting visitors around the facility. If an escort is not possible, always monitor their activity. Along with physically escorting visitors, it is important that they sign a log that includes any equipment the visitor brings into the facility. This log should be maintained as defined in your access control policies.
System Updates and Maintenance
Access Control and Physical Protection are important to basic cyber hygiene, but neither does much good if you have poor System and Information Integrity (SI). SI includes flaw remediation, malicious code protection and updates, and system and file scanning. Identifying, reporting, and correcting flaws in the system, particularly doing so quickly, is important to system integrity. Scanning systems periodically and performing real-time scans of files is one way of securing your systems and data. Maintenance of systems is fundamental to the protection of company and defense data.
These three basic cybersecurity protocols are just a few of the controls that are part of CMMC compliance, but they are an integral part of the foundation of a solid cyber defense. With the near-daily introduction of new technologies and a tandem growth in high-tech crime, it is more important now than ever to have reliable cybersecurity. That is why implementing these controls now, and others like them, can make a difference in how secure your company's information is and reduce the risk of costly data breaches. A Registered Practitioner (RP) at a Registered Practitioner Organization (RPO) can help your business navigate the CMMC compliance levels to stop these data breaches. Choosing a Managed Service and Security Provider (MSSP) with a holistic approach to these basic requirements will accelerate risk reduction and protect data. To find out more about selecting the right RP and RPO, see our article 3 Criteria to Evaluate an MSP for CMMC Certification.
Peter Frasco is the owner and CEO of Intelligent Integration Technologies and a CMMC Registered Practitioner with over 30 years of experience in Information Technology and Cybersecurity, including work for the US Army as a Chief Warrant Officer, Silicon Valley startups, and BlackBerry during its pivot to a cybersecurity powerhouse.