In CMMC Level 1, the practices are concerned with unauthorized access to information systems by physical means such as picking locks, tailgating, stealing access cards, and so on. Organizations need to ensure that access to the facility, and especially to the IT networking room and/or datacenter, is controlled and monitored. Access logs should be kept, electronically or manually, for both employees and visitors entering and leaving the facilities. Visitors must be escorted and monitored, especially IT vendors who may be repairing or updating the organization's information systems; a Voice over IP (VoIP) system managed by a third party is a common example. Ensuring the technician is escorted and their activities are observed reduces the risk of them reaching networks and systems they are not authorized to access. Penetration testers are notorious for attempting clever ways of gaining physical access, because once they are inside, compromising information systems becomes significantly easier, as does planting devices that give them persistent access to the internal network.
System and Communication Protection
Implementing system and communication protections is typically done through properly configured host-based and network firewalls, Virtual Private Networks (VPNs), Virtual Local Area Networks (VLANs) on your switches or firewalls, and other segmentation approaches such as placing systems in separate cloud networks. The goal is to ensure internal systems communicate only with approved information systems over authorized communication channels, and to protect internal information systems in the event a public-facing system is compromised. To accomplish this, organizations should control and monitor communication to and from information systems and verify that the rules they establish are not being violated. One of those rules is that public-facing systems should be reachable only over approved communication channels and should themselves be able to reach only approved internal systems, so that a compromise of a public-facing system does not become a compromise of the internal network. Many organizations achieve this by setting up a Demilitarized Zone (DMZ) for systems that must be publicly available, such as websites, time-keeping systems, customer portals, etc. Connections from assets in the DMZ back into the internal network should be restricted to the specific systems and ports they need, and everything else should be denied and logged, so that a threat actor who lands on a DMZ host cannot use it to gain unauthorized access to the internal network.
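To make the DMZ pattern concrete, here is an added example (not from the original article) of a three-zone nftables ruleset on a Linux firewall sitting between the Internet, a DMZ and the internal LAN. The interface names (eth0 Internet, eth1 DMZ, eth2 LAN), the address ranges, and the single web server and database host are assumptions for illustration; substitute your own. The point it demonstrates is the direction of trust: the Internet reaches one DMZ service on one port, the LAN reaches the DMZ on a short allow-list, and the DMZ reaches the LAN only through one explicitly named path, with every other DMZ-to-LAN attempt logged and dropped so you can see the rule being violated.

```nft
#!/usr/sbin/nft -f
# Added example: three-zone firewall for the DMZ design described in the text.
# Assumptions (illustrative only):
#   eth0 = Internet-facing interface
#   eth1 = DMZ, 192.0.2.0/24, public web server at 192.0.2.10
#   eth2 = internal LAN, 10.10.0.0/16, admin subnet 10.10.1.0/24,
#          database the web server needs at 10.10.5.20 (PostgreSQL, tcp/5432)
flush ruleset

table inet filter {
    chain forward {
        # Default deny: any flow not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Allow replies for connections that were permitted when opened,
        # and discard packets the connection tracker cannot attribute.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTPS to the public web server.
        # There is deliberately no Internet -> LAN rule of any kind.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 443 accept

        # LAN -> DMZ: the admin subnet may manage DMZ hosts (SSH, HTTPS);
        # everyone else on the LAN only gets the web front end.
        iifname "eth2" oifname "eth1" ip saddr 10.10.1.0/24 tcp dport { 22, 443 } accept
        iifname "eth2" oifname "eth1" ip daddr 192.0.2.10 tcp dport 443 accept

        # DMZ -> LAN: one explicit path, web server to its database.
        # Anything else from the DMZ toward the LAN is logged, counted and
        # dropped, so a compromised DMZ host cannot pivot inward unnoticed.
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 ip daddr 10.10.5.20 tcp dport 5432 accept
        iifname "eth1" oifname "eth2" log prefix "dmz-to-lan-denied: " counter drop

        # DMZ -> Internet: the web server may fetch vendor updates over
        # HTTP/HTTPS but may not originate arbitrary outbound connections.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.10 tcp dport { 80, 443 } accept

        # LAN -> Internet: permitted; tighten with an egress allow-list if
        # your environment calls for it.
        iifname "eth2" oifname "eth0" accept
    }
}
```

Load it with `nft -f dmz.nft` and confirm the active policy with `nft list ruleset`. To verify the rules are actually enforced, attempt a connection from a DMZ host to an internal address not covered by the allow rule and check the kernel log for the `dmz-to-lan-denied:` prefix and the rule's counter incrementing; that log line is the monitoring the text calls for, and feeding it to your SIEM or alerting turns a silent drop into evidence that someone in the DMZ is probing inward.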
System and Information Integrity
System and information integrity is primarily focused on preventing unauthorized users from accessing, modifying, transmitting, or deleting information and the systems that hold it. The goal is to put integrity controls in place such as antivirus software, vulnerability detection, email protection, etc. Organizations must identify information systems that may be vulnerable or for which the vendor has released an update. For example, when Adobe announces an update that fixes security flaws, it is your organization's responsibility to apply the update in a timely manner before the flaws are exploited. Just as you keep your applications updated, your security systems must receive their updates more frequently than traditional software patches. For instance, antivirus signatures should be updated at least daily, although I recommend every 15-30 minutes; this can be automated. Although a vulnerability scanner is not required for CMMC Level 1, in practice, if you have more than three computers, or your few computers are remote, it is more practical to deploy one so that those computers are continuously checked for system flaws.
CMMC Level 1 is considered basic cyber hygiene and may consist largely of practices you already employ, so achieving this level may be very easy for many organizations. If you do find gaps, closing them can usually be done with very few changes and will bring added security to your organization, your employees, and your customers. Stay tuned, as we will be doing a deep dive into CMMC Level 2 and going over ways to comply with the 55 additional practices.