What Is CMMC?
Cybersecurity Maturity Model Certification, or CMMC, is the new security framework that will soon be required for any and all Defense Contractors. Big or small, the CMMC will for the first time establish a required baseline for cybersecurity practices across the entire Department of Defense (DoD) supply chain. Gone are the days of “whack-a-mole,” ad-hoc cybersecurity within an organization; CMMC is designed to hold all Defense Contractors to a sustainable standard. Many organizations with (or without) current contracts may wonder how to implement, create, and most importantly, maintain security procedures. Level 1 CMMC requirements in particular consist of 17 practices – some of which are obvious, some less so. Here are six safeguards recommended by Tetra Defense that can help your organization strengthen its security, and eventually earn the CMMC seal of approval.
1. Take Inventory
CMMC Policies and Practices will require organizations to maintain an effective, efficient count of all devices, servers, and accounts. There’s no acceptable “guesstimating” process when it comes to national security; any forgotten or unattended entrances to your network are there to be exploited. Our cybersecurity advisors recommend implementing what’s called an “Active Directory,” essentially a central management system for login account credentials, workstations, and web servers. The goal is to take inventory of your cyber stock at a glance, so you can avoid password sharing and excessive permissions for employees. CMMC will require physical proof not only of your inventory, but also of the procedures in place to keep that knowledge of your organization’s situation current. Being able to clearly see your inventory will prepare your organization to make informed decisions about your security.
2. Add Fuel to the Firewall
If you don’t already have a firewall, you should invest in one. Firewalls act as a vital separator between public internet systems and your internal network. Some may argue that common-sense internet practices obviate the need for a firewall, but as the threat landscape constantly expands into more dangerous territory, firewalls remain one of the most reliable defenses. Your desired CMMC level will not be earned without proof of communication controls and system boundaries, and a firewall is a great “Exhibit A.”
3. Lather, Rinse, Repeat
In addition to seeing, or at least being aware of, the number of devices, computers, and access points within your organization, the DoD wants to ensure proper hygiene of these items. Sustainable scanning practices will help your organization keep an accurate account of looming threats. Tetra recommends implementing an anti-malware system that scans regularly to keep track of the health of your devices — even while you may be off the clock.
4. Get a Shredder. A Good One.
While this may seem obvious, you’d be surprised by how many problems can arise from careless disposal of sensitive paperwork. If your organization processes any Federal Contract Information (FCI), the DoD will want that information safeguarded at all costs. While a threat actor may not go through the painstaking work of literally “piecing together” sensitive data, both CMMC and Tetra recommend using a shredder as a required defense.
5. This Won’t Self-Destruct
In addition to properly destroying your paperwork, the CMMC will require proof that you properly erase electronic media. The goal here is to keep FCI from getting into the wrong hands (or the wrong hard drives) at all costs. The DoD refers to this practice as “Sanitize Media,” an apt name considering the wide range of malicious systems that can pose threats to national security. In order to prove your responsible use of devices containing federal information, Tetra recommends creating a protocol for destroying media and wiping devices clean of any data before disposing of them.
6. Lock It Up
Cybersecurity isn’t limited to abstract, digital precautions. To ensure comprehensive safety under the DoD, the CMMC will require physical security measures as well. In fact, this guiding principle outlined in CMMC is called “Limit Physical Access.” Proof of this measure will come in the form of your organization’s physical infrastructure or layout. Do you have designated spaces for devices? Do these spaces have doors? Do these spaces require keys? Who can access these spaces? Is there a record of who accessed them? Do visitors have an escort when near these spaces? Tetra recommends taking all of these questions into account when preparing a Physical Security Protocol. This will not only prepare you for CMMC; these tangible safeguards are sure to provide peace of mind as well.
CMMC & You
Your journey towards CMMC is sure to go beyond a simple “To-Do” list. CMMC is specifically designed to encourage sustainable security practices across the nation. The DoD correctly sees the need for a high standard of safety and raises it through comprehensive CMMC requirements. Start securing your organization with these six safeguards, and allow Tetra to assist with your next steps.