The Cybersecurity Maturity Model Certification (CMMC) Level 1 is designed to provide basic cybersecurity hygiene, performed by designated personnel within the company. Organizations are expected to be able to protect Federal Contract Information (FCI) from a cyber attack and/or an insider threat. At this level, practices are only required to be performed; no documentation of processes and practices is required. CMMC Level 1 can be broken down into the following control families, which reference the NIST 800-53 and 800-171 standards:
Access Control

Access Control measures make up 4 of the 17 practices for CMMC Level 1. These controls begin with limiting access to authorized users and granting access only to the functions and data that groups of users need. The first thing you should have available is a list of employees, contractors, and other personnel who should have access to your systems, networks, and data. Without this, it’s quite challenging to verify who should and shouldn’t have access. As for granting only the functions required, don’t allow everyone to have global administrator access to systems, networks, and data, whether on the network or in the cloud. One way to do this is to establish security groups, create and assign roles, assign permissions to those roles, and assign users to those groups. Some users may need privileged rights to perform admin-like activities such as creating SharePoint sites or deleting files. In that case, consider creating a group with permission levels that satisfy that requirement rather than giving them full admin rights to SharePoint. These access controls don’t just apply to users; they can also apply to devices and networks. For instance, do you allow sensitive systems such as your mail server to be accessed from anywhere in the world? Or do you allow devices not owned by the company to access systems that contain FCI? Denying access from international sources is fairly easy these days with tools such as firewalls, email filters, and Software as a Service (SaaS) applications such as Office 365. Lastly, you must train staff and put controls in place to keep FCI from being posted on publicly accessible systems such as websites, forums, and social media. Such a data spill can damage national security as well as put your company at risk.
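The groups-to-roles-to-permissions model described above, combined with the device-ownership and source-country checks, as an added example (not code from the original article). All users, groups, device IDs and the allowed-country set are constructed sample data.

```python
# Added example (not from the original article): a least-privilege access
# decision modelled on the article's advice: users belong to security groups,
# groups map to roles, roles carry only the permissions a job needs, and
# requests from non-company devices or disallowed countries are refused before
# permissions are even consulted. All names below are constructed sample data.

# Roles carry only what the job needs; "sp_site_creator" covers the article's
# SharePoint example without handing out tenant-wide admin rights.
ROLE_PERMISSIONS = {
    "sp_site_creator": {"sharepoint:create_site", "sharepoint:delete_file"},
    "fci_reader": {"fci:read"},
    "global_admin": {"sharepoint:create_site", "sharepoint:delete_file",
                     "fci:read", "fci:write", "tenant:admin"},
}
GROUP_ROLES = {
    "Project-Leads": {"sp_site_creator", "fci_reader"},
    "Staff": {"fci_reader"},
    "IT-Admins": {"global_admin"},
}
USER_GROUPS = {"alice": {"Project-Leads"}, "bob": {"Staff"}, "carol": {"IT-Admins"}}
COMPANY_DEVICES = {"LT-0042", "LT-0043"}   # assumption: a maintained device inventory
ALLOWED_COUNTRIES = {"US"}                 # assumption: FCI systems reachable from US only

def permissions_for(user: str) -> set:
    """Resolve user -> groups -> roles -> permissions (unknown users get nothing)."""
    perms = set()
    for group in USER_GROUPS.get(user, ()):
        for role in GROUP_ROLES.get(group, ()):
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def authorize(user: str, permission: str, device_id: str, country: str) -> tuple:
    """Return (allowed, reason). Device and network-source checks run first, so
    a valid account used from an unmanaged or foreign device is still refused."""
    if device_id not in COMPANY_DEVICES:
        return False, "device not company-owned"
    if country not in ALLOWED_COUNTRIES:
        return False, "source country not allowed"
    if permission not in permissions_for(user):
        return False, "permission not granted by user's roles"
    return True, "ok"
```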
Identification and Authentication
The Identification and Authentication control is designed to identify users and devices, and to authenticate them properly, before providing access to your organization’s information systems. Although you’re not required to document practices in CMMC Level 1, I highly recommend documenting which devices should be authorized to access information systems and which user is assigned to each device. Many of the systems you use to grant access to users and devices support whitelisting (allow-listing), which enforces that only listed users and devices are granted access to networks, systems, and data. At the same time, many small businesses provide access to their information systems from employees’ personal devices, otherwise called the Bring Your Own Device (BYOD) model. This presents many challenges for the protection of FCI, Controlled Unclassified Information (CUI), and your own intellectual property. There are mobile application and device management tools, as well as virtual solutions, on the market that can address this challenge. Allowing unmanaged and non-owned devices to connect to your information systems without tight rules and controls puts you at risk of being compromised by a malicious threat actor, or by an employee who may want to leave the company with proprietary information or FCI. To satisfy this control, it’s helpful to:
- Use a naming standard that easily distinguishes authorized users from unauthorized users
- Use a centralized system that identifies and authenticates your users and grants them the proper access using secure methods
- Use complex password policies as described in the NIST SP 800-63B publication
- Identify and register devices so that they can be authenticated before accessing information systems
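A memorized-secret check that applies the NIST SP 800-63B rules the list above points to, as an added example (not code from the original article). It assumes a service name of "contoso" and uses a tiny constructed blocklist in place of a real breached-password corpus.

```python
# Added example (not from the original article): a memorized-secret check that
# follows NIST SP 800-63B: minimum length 8, a maximum of at least 64, and
# rejection of values found on a blocklist of common or breached passwords, of
# repetitive or sequential strings, and of context-specific words such as the
# username or service name. Composition rules (required digits or symbols,
# forced rotation) are deliberately absent, as 800-63B advises against them.
# The blocklist below is a tiny constructed sample; a real deployment would
# load a large breached-password corpus.

MIN_LEN = 8
MAX_LEN = 64
SERVICE_NAME = "contoso"                                  # assumption
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}

def _is_repetitive(pw: str) -> bool:
    """'aaaaaaaa' style: one character repeated throughout."""
    return len(set(pw)) == 1

def _is_sequential(pw: str) -> bool:
    """'12345678' / 'abcdefgh' style: every char is the previous one +1 or -1."""
    codes = [ord(c) for c in pw]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs in ({1}, {-1})

def check_password(password: str, username: str) -> list:
    """Return the reasons the password is unacceptable (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    lowered = password.lower()
    if lowered in BLOCKLIST:
        reasons.append("on the common/breached password blocklist")
    if _is_repetitive(password) or _is_sequential(password):
        reasons.append("repetitive or sequential characters")
    for word in (username.lower(), SERVICE_NAME):
        if word and word in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons
```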
Media Protection

Controlling media is by far one of the most overlooked controls, especially as it pertains to paper documents, DVDs, and leased printers. Does your company have methods that sanitize and properly destroy system media prior to reuse or release? In the past, I’ve performed many penetration tests, and one of the go-to techniques is to check the trash. There is usually lots of paper that is printed and discarded daily which, to my surprise, typically contains lots of Personally Identifiable Information (PII) and information that probably shouldn’t leave the company. Although you’re not required to classify and label at CMMC Level 1, we do recommend doing so, because otherwise how would you distinguish between FCI, CUI, and other proprietary data when it is commingled with other data in your information systems? Therefore, I suggest companies use some type of classification guide to mark and label FCI, CUI, and other sensitive data. This will help employees properly identify FCI and know how to handle such information. Once FCI can be easily identified, you can apply training and proper sanitization methods such as overwriting the hard drive multiple times (at least 3 times) prior to reuse, or incinerating the physical drive itself if releasing it for destruction.