CMMC Level 1 requirements?

CMMC Level 1 requirements?

The CMMC repeatedly states that CMMC Level 1 maturity is “performed”.  Not documented, not managed, and definitely not optimized.   When they say performed, the intention is that a company has implemented security and can show an auditor their security, but there isn’t supporting documentation or improvement around it.

Implementing each security requirement for CMMC Level 1

Here are tips for how a very small business could do security for each Level 1 requirement. To be sure, I recommend working with a cybersecurity firm, but in the meantime, these easy suggestions will get you moving in the right direction.

CMMC AC.1.001 – Who is allowed access? What devices are connected?

Requirement text: “Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).“

How to pass? Identify who is allowed to use your company computers and create their own accounts to log on. When an employee leaves your company, disable their accounts. Approve all devices connected to your network and know who their owners are.

How can you fail this? Disabling passwords, or leaving computers logged in so that anyone can access your data. Allowing employees to connect their own wireless access points.

Note: If you use a Managed Service Provider (an IT company that operates your network for you), they could lower your security rating if they are not secure. Your contract with the MSP should have language about them meeting CMMC Level 1 requirements too.

CMMC AC.1.002 – Assign “user” rights to most accounts

Requirement text: “Limit information system access to the types of transactions and functions that authorized users are permitted to execute.”

How to pass? Your non-IT employees should only have “user” rights to their computer, not “admin” rights. Use permissions in your business programs and file shares to limit employees from viewing sensitive information about your federal contracts.

How to fail this? Everyone has “administrator” rights on computers and devices.

CMMC AC.1.003 – Don’t share your neighbor’s network

Requirement text: “Verify and control/limit connections to and use of external information systems.”

How to pass? Keep your company network and computers separated from other businesses or the home network. Have your own internet router and don’t let other companies share it. Only use company computers for working on Federal contracts, never home computers, and never public computers.

How to fail? Sharing a WI-FI network with another business in the same building, so that their computers can communicate with your computers. If someone was network savvy, they could use this to eavesdrop on your internet browsing, or try to hack your computer directly. Using a personal laptop or tablet to work on a Federal contract. This puts sensitive information onto a device that isn’t secure.

CMMC AC.1.004 – Don’t share your data with the world

Requirement text: “Control information posted or processed on publicly accessible information systems.”

How to pass? If you use cloud storage like Dropbox, OneDrive, and Google Drive, make sure that anonymous access (no password required) is not enabled and your account has a good password. Tell your employees not to share their cloud documents with anyone outside of the contract. Don’t post sensitive information onto public websites or public media.

How to fail? This requirement seems so easy, yet it is the cause of many recent headaches for the DoD. When you set up a cloud storage location, simply share it with “everyone” or use a blank password. Now everyone on the internet can view and download your files.

CMMC IA.1.076 – Make accounts for each employee

Requirement text: “Identify information system users, processes acting on behalf of users, or devices.”

How to pass? Use individual accounts for each person in your business, and don’t allow password sharing. Individual accounts let your computers and software know who is logged on so that the appropriate level of access is granted and their actions can be traced back to them.

How to fail? Multiple people know the password for your computer, which has the credentials for your bank stored in the web browser. One day, funds are stolen from your bank account. When you review the logs, it says that your account did it. It is impossible to determine who stole the funds.

CMMC IA.1.077 – Change the default passwords

Requirement text: “Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”

How to pass? Ensure that all your company computers and devices require a username and password or another log-on method before they can be accessed. Your company mobile phone should have a pattern or PIN required to unlock it. The computers and devices should lock themselves after 10 or 20 minutes if not used. The password should not be guessable – default passwords should be changed.

How to fail? Letting your very old manufacturing computer have no password because it controls factory machines and production would be slower if you have to log on to it each day. Never changing the default password on your security system.

CMMC MP.1.118 – Crush it, shred it, or overwrite it before you trash it

Requirement text: “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”

How to pass? Before letting a computer, mobile device, or thumb drive leave your possession, work with an IT professional to destroy the data on them. There are three safe ways to destroy hard drives: 1) by hammering or crushing the data module, 2) by using a special program to overwrite the data many times, or 3) encrypting the drive with a long (16+ character) key. Make sure to shred documents and CDs before you get rid of them.

How to fail? Selling your old work computers to someone who uses IT forensic techniques to read the sensitive data stored in them. Let someone borrow a thumb drive which previously stored sensitive information (even if it was “deleted”). Throw any of these devices in the trash without destroying the data first.

CMMC PE.1.131 – Get away from my computer!

Requirement text: “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

How to pass? Identify the areas of your company workspaces that are public and private. (It is OK for everything to be private). Keep your computers, devices, network gear, and sensitive information in the private area. If you don’t have any employees actively supervising the private area, lock the door when you leave.

How to fail? Running cables for your internal network to wall jacks in the guest waiting area. Leaving the front office unlocked and unsupervised while you are in the shop working. Leaving your laptop on the table, logged on, at Starbucks, while you go to the bathroom.

CMMC PE.1.132 – Stop unauthorized people and supervise visitors

Requirement text: “Escort visitors and monitor visitor activity.”

How to pass? You need to be able to positively identify anyone who is in your facility and challenge those who don’t have permission to be there. A very small company with 4 employees should know each person on sight. If you see anyone else in your space, you need to stop them, and potentially call the police. Larger companies (where employees don’t know everyone) use employee and visitor badges to show who is allowed to be there.

How to fail: Not escorting a utility worker when they come inside to “do repairs”. They could be a bad person trying to steal sensitive information or hack your network. Not calling the police if an unknown person was found wandering around inside your offices.

CMMC PE.1.133 – Who was here yesterday?

Requirement text: “Maintain audit logs of physical access.”

How to pass? Use a sign-in and sign-out sheet for employees or visitors (complimentary template here). If you can afford it, use cameras around your facility to identify everyone who enters and exits, including your employees. Install electronic locks with individually-assigned keys that keep a record of who went through them.

How to fail? Finding computers stolen and not having any idea who was in the building during the last 24 hours.

CMMC PE.1.134 – I’m going to need your key back…

Requirement text: “Control and manage physical access devices.”

How to pass? Restrict the number of people who can unlock the doors or disable the security system at your business. Lock your doors and windows to protect your computers and documents. If an employee leaves, change the locks. If you can afford it, use electronic locks that can easily be re-programmed.

How to fail? Never change the door locks even though you’ve had employees leave in the past. Leave the windows unlocked.

CMMC SC.1.175 – Keep your computers inside the firewall

Requirement text: “Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.“

How to pass? Just like parts of your facility are “private”, you should treat your company network as private. For very small businesses, the private network is connected to the LAN ports on your internet router. Make sure your firewall stops all traffic from the internet by default, so that internet attacks can’t reach your computers.

How to fail? Posting the WI-FI password to your internal network in an area that non-employees can see. Not using a firewall.

CMMC SC.1.176 – Just because you can, doesn’t mean you should…

Requirement text: “Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.”

How to pass? Very small companies probably shouldn’t try to operate servers that are connected to the internet. Use a web hosting company to host your website. Hire a security specialist if you need to open access from the internet to any of your computers so that they can set it up securely.

How to fail? Modify your firewall so that it allows traffic from the internet to go to one of your computers or devices. This is called “opening a port” and exposes your computer to internet attacks.

CMMC SI.1.210 – Install updates!

Requirement text: “Identify, report, and correct information and information system flaws in a timely manner.”

How to pass? Enable automatic download and install of system updates/patches on all of your devices. If your scanner, printer, router, or business software hasn’t been updated in a while, you should search for the latest update and install it. You remove apps that are no longer supported by the vendor.

How to fail? You are still using Windows XP or Windows 7 on your computers. You click cancel every time your system asks for an update. You’ve never updated your printer or router.

CMMC SI.1.211 – Use antivirus systems

Requirement text: “Provide protection from malicious code at appropriate locations within organizational information systems.”

How to pass? Have a working antivirus program on each of your computers. Any reputable antivirus program will work. Use an email service that includes virus removal, such as Office 365. Consider a router with threat protection like the Sonicwall SOHO.

How to fail? Ignore warnings from your antivirus that it detects malware. Bypass the inherent protection on your tablet or phone by “jail-breaking” it.

CMMC SI.1.212 – Subscribe for threat protection

Requirement text: “Update malicious code protection mechanisms when new releases are available.”

How to pass? Make sure your computer antivirus and firewall threat protection is eligible for updates by paying for the subscription. Make sure all of your computers can download the antivirus definitions by giving them regular internet access.

How to fail? Your shop computer hasn’t downloaded new antivirus updates in a year because it isn’t connected to the network. Or you didn’t renew the antivirus subscription so the computers can’t download new definitions.

CMMC SI.1.213 – Enable antivirus scans

Requirement text: “Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”

How to pass? Configure your antivirus program to do a full scan weekly, and to provide “active protection”.

How to fail? Cancel the antivirus scans because they make your computer slow.

December 28, 2020//in Featured, General Security, Headline /by Kellep Charles

CMMC Level 1 requirements?

The CMMC repeatedly states that CMMC Level 1 maturity is “performed”.  Not documented, not managed, and definitely not optimized.   When they say performed, the intention is that a company has implemented security and can show an auditor their security, but there isn’t supporting documentation or improvement around it.

Implementing each security requirement for CMMC Level 1

Here are tips for how a very small business could do security for each Level 1 requirement. To be sure, I recommend working with a cybersecurity firm, but in the meantime, these easy suggestions will get you moving in the right direction.

CMMC AC.1.001 – Who is allowed access? What devices are connected?

Requirement text: “Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).“

How to pass? Identify who is allowed to use your company computers and create their own accounts to log on. When an employee leaves your company, disable their accounts. Approve all devices connected to your network and know who their owners are.

How can you fail this? Disabling passwords, or leaving computers logged in so that anyone can access your data. Allowing employees to connect their own wireless access points.

Note: If you use a Managed Service Provider (an IT company that operates your network for you), they could lower your security rating if they are not secure. Your contract with the MSP should have language about them meeting CMMC Level 1 requirements too.

CMMC AC.1.002 – Assign “user” rights to most accounts

Requirement text: “Limit information system access to the types of transactions and functions that authorized users are permitted to execute.”

How to pass? Your non-IT employees should only have “user” rights to their computer, not “admin” rights. Use permissions in your business programs and file shares to limit employees from viewing sensitive information about your federal contracts.

How to fail this? Everyone has “administrator” rights on computers and devices.

CMMC AC.1.003 – Don’t share your neighbor’s network

Requirement text: “Verify and control/limit connections to and use of external information systems.”

How to pass? Keep your company network and computers separated from other businesses or the home network. Have your own internet router and don’t let other companies share it. Only use company computers for working on Federal contracts, never home computers, and never public computers.

How to fail? Sharing a WI-FI network with another business in the same building, so that their computers can communicate with your computers. If someone was network savvy, they could use this to eavesdrop on your internet browsing, or try to hack your computer directly. Using a personal laptop or tablet to work on a Federal contract. This puts sensitive information onto a device that isn’t secure.

CMMC AC.1.004 – Don’t share your data with the world

Requirement text: “Control information posted or processed on publicly accessible information systems.”

How to pass? If you use cloud storage like Dropbox, OneDrive, and Google Drive, make sure that anonymous access (no password required) is not enabled and your account has a good password. Tell your employees not to share their cloud documents with anyone outside of the contract. Don’t post sensitive information onto public websites or public media.

How to fail? This requirement seems so easy, yet it is the cause of many recent headaches for the DoD. When you set up a cloud storage location, simply share it with “everyone” or use a blank password. Now everyone on the internet can view and download your files.

CMMC IA.1.076 – Make accounts for each employee

Requirement text: “Identify information system users, processes acting on behalf of users, or devices.”

How to pass? Use individual accounts for each person in your business, and don’t allow password sharing. Individual accounts let your computers and software know who is logged on so that the appropriate level of access is granted and their actions can be traced back to them.

How to fail? Multiple people know the password for your computer, which has the credentials for your bank stored in the web browser. One day, funds are stolen from your bank account. When you review the logs, it says that your account did it. It is impossible to determine who stole the funds.

CMMC IA.1.077 – Change the default passwords

Requirement text: “Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”

How to pass? Ensure that all your company computers and devices require a username and password or another log-on method before they can be accessed. Your company mobile phone should have a pattern or PIN required to unlock it. The computers and devices should lock themselves after 10 or 20 minutes if not used. The password should not be guessable – default passwords should be changed.

How to fail? Letting your very old manufacturing computer have no password because it controls factory machines and production would be slower if you have to log on to it each day. Never changing the default password on your security system.

CMMC MP.1.118 – Crush it, shred it, or overwrite it before you trash it

Requirement text: “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”

How to pass? Before letting a computer, mobile device, or thumb drive leave your possession, work with an IT professional to destroy the data on them. There are three safe ways to destroy hard drives: 1) by hammering or crushing the data module, 2) by using a special program to overwrite the data many times, or 3) encrypting the drive with a long (16+ character) key. Make sure to shred documents and CDs before you get rid of them.

How to fail? Selling your old work computers to someone who uses IT forensic techniques to read the sensitive data stored in them. Let someone borrow a thumb drive which previously stored sensitive information (even if it was “deleted”). Throw any of these devices in the trash without destroying the data first.

CMMC PE.1.131 – Get away from my computer!

Requirement text: “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

How to pass? Identify the areas of your company workspaces that are public and private. (It is OK for everything to be private). Keep your computers, devices, network gear, and sensitive information in the private area. If you don’t have any employees actively supervising the private area, lock the door when you leave.

How to fail? Running cables for your internal network to wall jacks in the guest waiting area. Leaving the front office unlocked and unsupervised while you are in the shop working. Leaving your laptop on the table, logged on, at Starbucks, while you go to the bathroom.

CMMC PE.1.132 – Stop unauthorized people and supervise visitors

Requirement text: “Escort visitors and monitor visitor activity.”

How to pass? You need to be able to positively identify anyone who is in your facility and challenge those who don’t have permission to be there. A very small company with 4 employees should know each person on sight. If you see anyone else in your space, you need to stop them, and potentially call the police. Larger companies (where employees don’t know everyone) use employee and visitor badges to show who is allowed to be there.

How to fail: Not escorting a utility worker when they come inside to “do repairs”. They could be a bad person trying to steal sensitive information or hack your network. Not calling the police if an unknown person was found wandering around inside your offices.

CMMC PE.1.133 – Who was here yesterday?

Requirement text: “Maintain audit logs of physical access.”

How to pass? Use a sign-in and sign-out sheet for employees or visitors (complimentary template here). If you can afford it, use cameras around your facility to identify everyone who enters and exits, including your employees. Install electronic locks with individually-assigned keys that keep a record of who went through them.

How to fail? Finding computers stolen and not having any idea who was in the building during the last 24 hours.

CMMC PE.1.134 – I’m going to need your key back…

Requirement text: “Control and manage physical access devices.”

How to pass? Restrict the number of people who can unlock the doors or disable the security system at your business. Lock your doors and windows to protect your computers and documents. If an employee leaves, change the locks. If you can afford it, use electronic locks that can easily be re-programmed.

How to fail? Never change the door locks even though you’ve had employees leave in the past. Leave the windows unlocked.

CMMC SC.1.175 – Keep your computers inside the firewall

Requirement text: “Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.“

How to pass? Just like parts of your facility are “private”, you should treat your company network as private. For very small businesses, the private network is connected to the LAN ports on your internet router. Make sure your firewall stops all traffic from the internet by default, so that internet attacks can’t reach your computers.

How to fail? Posting the WI-FI password to your internal network in an area that non-employees can see. Not using a firewall.

CMMC SC.1.176 – Just because you can, doesn’t mean you should…

Requirement text: “Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.”

How to pass? Very small companies probably shouldn’t try to operate servers that are connected to the internet. Use a web hosting company to host your website. Hire a security specialist if you need to open access from the internet to any of your computers so that they can set it up securely.

How to fail? Modify your firewall so that it allows traffic from the internet to go to one of your computers or devices. This is called “opening a port” and exposes your computer to internet attacks.

CMMC SI.1.210 – Install updates!

Requirement text: “Identify, report, and correct information and information system flaws in a timely manner.”

How to pass? Enable automatic download and install of system updates/patches on all of your devices. If your scanner, printer, router, or business software hasn’t been updated in a while, you should search for the latest update and install it. You remove apps that are no longer supported by the vendor.

How to fail? You are still using Windows XP or Windows 7 on your computers. You click cancel every time your system asks for an update. You’ve never updated your printer or router.

CMMC SI.1.211 – Use antivirus systems

Requirement text: “Provide protection from malicious code at appropriate locations within organizational information systems.”

How to pass? Have a working antivirus program on each of your computers. Any reputable antivirus program will work. Use an email service that includes virus removal, such as Office 365. Consider a router with threat protection like the Sonicwall SOHO.

How to fail? Ignore warnings from your antivirus that it detects malware. Bypass the inherent protection on your tablet or phone by “jail-breaking” it.

CMMC SI.1.212 – Subscribe for threat protection

Requirement text: “Update malicious code protection mechanisms when new releases are available.”

How to pass? Make sure your computer antivirus and firewall threat protection is eligible for updates by paying for the subscription. Make sure all of your computers can download the antivirus definitions by giving them regular internet access.

How to fail? Your shop computer hasn’t downloaded new antivirus updates in a year because it isn’t connected to the network. Or you didn’t renew the antivirus subscription so the computers can’t download new definitions.

CMMC SI.1.213 – Enable antivirus scans

Requirement text: “Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”

How to pass? Configure your antivirus program to do a full scan weekly, and to provide “active protection”.

How to fail? Cancel the antivirus scans because they make your computer slow.