If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to distinguish your company from your competitors.
How to prepare for CMMC Level 1 certification
First, the standard disclaimer. As I write this article in 2020:
- The CMMC is still in draft form. We are following the latest guidelines but they might change.
- The CMMC Accreditation Body is still being formed.
- There are no CMMC auditors yet.
- There is no way for companies to get certified yet.
- This article is privately written and isn’t official guidance from any of the above organizations.
However, the good news is that for level 1 of the CMMC, the requirements haven’t changed much between the early drafts and our current draft. They are the same critical items that are called out in existing Federal regulations. So we are still in familiar territory.
What are the CMMC Level 1 requirements?
The CMMC Draft 0.7 repeatedly states that CMMC Level 1 maturity is “performed”. Not documented, not managed, and definitely not optimized. When they say performed, the intention is that a company has implemented security, and can show an auditor their security, but there isn’t supporting documentation or improvement around it.
An example of performing: Joe, the owner of PipeMaker, Inc., has three computers in his office, one for him, one for his wife, and one for the bookkeeper. Upon hearing about the CMMC, Joe calls a cyber security company and hands them a print-out of this blog, and of the latest CMMC release. They spend some time upgrading computers and making security improvements, then leave. Joe isn’t really sure what they did, but he follows their guidance about using strong passwords and locking the door to his office when he leaves.
Easy enough, right? But sadly, most small businesses I’ve seen don’t even meet this level of security. To be compliant with level 1, you need to WANT to be secure, and not take shortcuts. This is the difference between your accounts using the password Summer1! and having a complex password like 42small**DWARVEZ. It doesn’t cost much more, you just need to make the effort.
Implementing each security requirement for CMMC Level 1
Here are tips for how a very small business could do security for each Level 1 requirement. To be sure, I recommend working with a cyber security firm, but in the meantime, these easy suggestions will get you moving in the right direction.
CMMC P1001 Enable passwords or PINs…
“Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
How to pass? Identify who is allowed to use your company computers and create them their own accounts to log on. Don’t share passwords and don’t write passwords where they can be viewed. When an employee leaves your company, disable their accounts. Log out or lock computers when they are not in use.
How to fail? Disabling passwords, using easily guessed passwords, or leaving computers logged in so that anyone can access your data.
CMMC P1002 Operate as a user…
“Limit information system access to the types of transactions and functions that authorized users are permitted to execute.”
How to pass? Your non-IT employees should only have “user” rights to their computer, not “admin” rights. Use permissions in your business programs and file shares to limit employees from viewing sensitive information about your federal contracts.
How to fail? Everyone has “administrator” rights on computers and devices.
CMMC P1003 Don’t covet your neighbor’s network…
“Verify and control/limit connections to and use of external information systems.”
How to pass? Keep your company network and computers separated from other businesses or the home network. Have your own internet router and don’t let other companies share it. Only use company computers for working on Federal contracts, never home computers, and never public computers.
How to fail? Sharing a Wi-Fi network with another business in the same building, so that their computers can communicate with your computers. If someone were network savvy, they could use this to eavesdrop on your internet browsing, or try to hack your computer directly. Using a personal laptop or tablet to work on a Federal contract. This puts sensitive information onto a device that isn’t secure.
CMMC P1004 Don’t share your data with the world…
“Control information posted or processed on publicly accessible information systems.”
How to pass? If you use cloud storage like Dropbox, OneDrive, and Google Drive, make sure that sharing is not enabled and your account has a good password. Tell your employees not to share their cloud documents with anyone outside of the contract. Don’t post sensitive information onto public websites or public media.
How to fail? This requirement seems so easy, yet it is the cause of many recent headaches for the DoD. When you set up a cloud storage location, simply share it with “everyone” or use a blank password. Now everyone on the internet can view and download your files.
CMMC P1076 One account per person…
“Identify information system users, processes acting on behalf of users, or devices.”
How to pass? Use individual accounts for each person in your business, and don’t allow password sharing. Individual accounts let your computers and software know who is logged on so that the appropriate level of access is granted and their actions can be traced back to them.
How to fail? Multiple people know the password for your computer, which has the credentials for your bank stored in the web browser. One day, funds are stolen from your bank account. When you review the logs, it says that your account did it. It is impossible to determine who stole the funds.
CMMC P1077 Change the default passwords…
“Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”
How to pass? Ensure that all your company computers and devices require a username and password or other log-on method before they can be accessed. Your company mobile phone should have a pattern or PIN required to unlock it. The computers and devices should lock themselves after 10 or 20 minutes if not used. The password should not be guessable – default passwords should be changed.
How to fail? Letting your very old manufacturing computer have no password because it controls factory machines and production would be slower if you have to log on to it each day. Never changing the default password on your security system.
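The four requirements above (P1001, P1002, P1076 and P1077) can be spot-checked on each Windows PC with a short script. The one below is an added example written for this article, not something from the CMMC documents or from any vendor; it assumes Windows 10 or later, an elevated PowerShell session on the computer being checked, and an approved-administrator list you fill in yourself (the name PIPEMAKER-PC\Joe is made up to match Joe’s shop). It only reports findings and changes nothing.

```powershell
# Added example: local account and screen-lock audit for one Windows 10 PC.
# Assumes an elevated PowerShell session on the PC being checked. Read-only.

function Get-Level1AccountFindings {
    [CmdletBinding()]
    param(
        # Accounts (COMPUTER\Name) that are allowed to be administrators.
        [string[]]$ApprovedAdmins = @(),
        # Enabled accounts idle this long should be reviewed (former employee?).
        [int]$StaleDays = 90,
        # Screen-lock timeout in seconds; the article suggests 10 or 20 minutes.
        [int]$MaxLockSeconds = 1200
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # P1001 / P1076 / P1077: one named account per person, departed employees
    # disabled, no default or password-less accounts. The built-in
    # Administrator (SID ends in -500) and Guest (-501) are shared defaults.
    foreach ($u in Get-LocalUser) {
        $isBuiltIn = $u.SID.Value -match '-(500|501)$'
        if ($u.Enabled -and $isBuiltIn) {
            $findings.Add("Default account '$($u.Name)' is enabled; disable it and use named accounts.")
        }
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings.Add("Account '$($u.Name)' does not require a password.")
        }
        if ($u.Enabled -and -not $isBuiltIn -and $u.LastLogon -and
            $u.LastLogon -lt (Get-Date).AddDays(-$StaleDays)) {
            $findings.Add("Account '$($u.Name)' last logged on $($u.LastLogon.ToShortDateString()); disable it if the person has left.")
        }
    }

    # P1002: non-IT staff run as standard users. Anyone in the local
    # Administrators group who is not on the approved list is a finding.
    foreach ($a in Get-LocalGroupMember -Group 'Administrators') {
        if ($a.Name -notin $ApprovedAdmins) {
            $findings.Add("'$($a.Name)' ($($a.ObjectClass)) has administrator rights but is not on the approved list.")
        }
    }

    # P1077: the screen locks after inactivity and needs the password to
    # resume. These are the Control Panel values for the *current* user; a
    # Group Policy or Intune setting lives under HKCU:\Software\Policies
    # instead, so check there as well on a managed PC.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desk.ScreenSaveActive -ne '1') {
        $findings.Add('Screen lock (screen saver) is not turned on for this user.')
    } elseif ($desk.ScreenSaverIsSecure -ne '1') {
        $findings.Add('Screen saver does not require a password on resume.')
    } elseif ([int]$desk.ScreenSaveTimeOut -gt $MaxLockSeconds) {
        $findings.Add("Screen locks after $($desk.ScreenSaveTimeOut) seconds; set it to $MaxLockSeconds or less.")
    }

    return $findings
}

# Constructed usage: Joe is the only approved administrator on his own PC.
Get-Level1AccountFindings -ApprovedAdmins 'PIPEMAKER-PC\Joe' |
    ForEach-Object { "FINDING: $_" }
```

Run it on each computer once a quarter and whenever someone leaves; an empty result means nothing was flagged, and each printed FINDING line maps back to the requirement named in the comment above it.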
CMMC P1118 Crush it, shred it, or overwrite it…
“Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”
How to pass? Before letting a computer, mobile device, or thumb drive leave your possession, work with an IT professional to destroy the data on it. There are two safe ways to destroy data: 1) physically hammering or crushing the drive or memory chip, 2) using a special program to overwrite the data many times. Make sure to shred documents and CDs before you get rid of them.
How to fail? Selling your old work computers to someone who uses IT forensic techniques to read the sensitive data stored on them. Letting someone borrow a thumb drive which previously stored sensitive information (even if it was “deleted”). Throwing any of these devices in the trash without destroying the data first.
CMMC P1131 Get away from my computer!
“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”
How to pass? Identify the areas of your company work spaces that are public and private. (It is OK for everything to be private). Keep your computers, devices, network gear, and sensitive information in the private area. If you don’t have any employees actively supervising the private area, lock it.
How to fail? Running cables for your internal network to wall jacks in the guest waiting area. Leaving the front office unlocked and unsupervised while you are in the shop working. Leaving your laptop on the table, logged on, at Starbucks, while you go to the bathroom.
CMMC P1132 Stop, thief!
“Escort visitors and monitor visitor activity.”
How to pass? You need to be able to positively identify anyone who is in your facility and challenge those who don’t have permission to be there. A very small company with 4 employees should know each person on sight. If you see anyone else in your space, you need to stop them, and potentially call the police. Larger companies use employee and visitor badges to show who is allowed to be there.
How to fail? Not escorting a utility worker when they come inside to “do repairs”. They could be a bad person trying to steal sensitive information or hack your network. Not calling the police if an unknown person was found wandering around inside your offices.
CMMC P1133 Do we have video from last night?
“Maintain audit logs of physical access.”
How to pass? Use cameras around your facility to identify everyone who enters and exits, including your employees. Install electronic locks with individually assigned keys that keep a record of who went through them. Use a sign-in and sign-out sheet for employees or visitors.
How to fail? Finding computers stolen and not having any idea who was in the building during the last 24 hours.
CMMC P1134 I’m going to need your key back…
“Control and manage physical access devices.”
How to pass? Use electronic locks that can easily be re-programmed. Disable keycards, change the combo, or change the locks whenever someone no longer needs access.
How to fail? Allowing untrusted people to make copies of your keys. Never changing the door locks even though you’ve had employees leave in the past.
CMMC P1175 Stay on the right side of Captain America’s shield…
“Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.”
How to pass? Just like parts of your facility are “private”, you should treat your company network as private. For very small businesses, the private network is connected to the LAN ports on your internet router. Make sure your firewall stops all traffic from the internet by default, so that internet attacks can’t reach your computers.
How to fail? Posting the Wi-Fi password for your internal network in an area that non-employees can see. Not using a firewall.
CMMC P1176 Just because you can, doesn’t mean you should…
“Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.”
How to pass? Very small companies probably shouldn’t try to operate servers that are connected to the internet. Use a web hosting company to host your website. Hire a security specialist if you need to open access from the internet to any of your computers so that they can set it up securely.
How to fail? Modify your firewall so that it allows traffic from the internet to go to one of your computers or devices. This is called “opening a port” and exposes your computer to internet attacks.
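P1175 and P1176 both come down to the firewall on each PC blocking inbound traffic by default and nobody having quietly “opened a port”. The script below is an added example for this article (not from the CMMC documents, Microsoft, or any vendor) that reads the Windows Defender Firewall state on one computer; it assumes Windows 10 or later and an elevated session, and the approved-rule name in the usage line is a real Windows rule chosen only as an illustration.

```powershell
# Added example: Windows Defender Firewall check for one PC (P1175 / P1176).
# Assumes Windows 10 or later, elevated PowerShell session. Read-only.

function Get-Level1FirewallFindings {
    [CmdletBinding()]
    param(
        # Inbound allow rules the owner has knowingly kept, by DisplayName.
        [string[]]$ApprovedInboundRules = @()
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # P1175: firewall on for every profile and blocking inbound by default.
    # ActiveStore shows the *effective* values rather than "NotConfigured".
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if (-not $p.Enabled) {
            $findings.Add("Firewall profile '$($p.Name)' is turned off.")
        }
        if ("$($p.DefaultInboundAction)" -ne 'Block') {
            $findings.Add("Profile '$($p.Name)' allows inbound traffic by default ($($p.DefaultInboundAction)).")
        }
    }

    # P1176: every enabled inbound allow rule that applies when the PC is on
    # a Public network (or on Any profile) is an opened door. Windows ships
    # with some of these for local services; the owner should be able to say
    # why each one is there, and anything unexpected is a finding.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($r in $rules) {
        if ($r.DisplayName -in $ApprovedInboundRules) { continue }
        if ("$($r.Profile)" -notmatch 'Public|Any') { continue }
        $port = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $r
        $findings.Add("Inbound allow rule '$($r.DisplayName)' is enabled on profile '$($r.Profile)' ($($port.Protocol) port $($port.LocalPort)); confirm it is needed.")
    }

    return $findings
}

# Constructed usage: the owner has decided the built-in SMB sharing rule
# stays; everything else open to the Public profile gets reported.
Get-Level1FirewallFindings -ApprovedInboundRules 'File and Printer Sharing (SMB-In)' |
    ForEach-Object { "FINDING: $_" }
```

The Public profile is singled out because that is the one in effect on a coffee-shop or shared-building network; a rule that only applies to the Private profile still deserves a look, but it is not reachable from the internet side of a correctly configured router.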
CMMC P1177 Install updates!
“Identify, report, and correct information and information system flaws in a timely manner.”
How to pass? Enable automatic download and installation of system updates / patches on all of your devices. If your software hasn’t been updated in a while, manually download the latest version and install it. Remove apps that are no longer supported by the vendor.
How to fail? You are still using Windows 7 on your computers. You click cancel every time your system asks for an update.
CMMC P1211 Use antivirus systems
“Provide protection from malicious code at appropriate locations within organizational information systems.”
How to pass? Have a working antivirus program on each of your computers. Any reputable antivirus program will work. Use an email service that includes virus removal, such as Office 365. Consider a router with threat protection like the SonicWall SOHO.
How to fail? Ignore warnings from your antivirus that it detects malware. Bypass the inherent protection on your tablet or phone by “jail-breaking” it.
CMMC P1212 Subscribe for malware protection…
“Update malicious code protection mechanisms when new releases are available.”
How to pass? Make sure your computer antivirus and firewall threat protection is eligible for updates by paying for the subscription. Make sure all of your computers can download the antivirus definitions by giving them regular internet access.
How to fail? Your shop computer hasn’t downloaded new antivirus updates in a year because it isn’t connected to the network. Or you didn’t renew the antivirus subscription so the computers can’t download new definitions.
CMMC P1213 Let your antivirus do its job…
“Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”
How to pass? Configure your antivirus program to do a full scan weekly, and to provide “active protection”.
How to fail? Cancel the antivirus scans because they make your computer slow.
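P1177 and P1211 through P1213 are all things a PC can report about itself: is the operating system still supported, when did it last install an update, is the antivirus running and current, and is a full scan actually scheduled. The script below is an added example for this article (not from the CMMC documents or from Microsoft) that asks Windows those questions; it assumes Windows 10 or later with the built-in Microsoft Defender Antivirus. A third-party antivirus shows the same facts in its own console, and the thresholds are ones I picked, not numbers from the CMMC.

```powershell
# Added example: patch and antivirus status for one PC (P1177, P1211-P1213).
# Assumes Windows 10 or later with Microsoft Defender Antivirus. Read-only;
# the one remediation command is only printed, never run.

function Get-Level1PatchAndAvFindings {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays     = 30,  # newest installed update older than this
        [int]$MaxSignatureAgeDays = 3,   # antivirus definitions older than this
        [int]$MaxFullScanAgeDays  = 7    # article asks for a weekly full scan
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # P1177: supported operating system and updates still flowing.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Version -like '6.1*') {      # Windows 7 reports itself as NT 6.1
        $findings.Add("$($os.Caption) is no longer supported; upgrade or replace it.")
    }
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastFix) {
        $findings.Add('No installed update has a recorded date; check Windows Update history.')
    } elseif ($lastFix.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add("Newest update $($lastFix.HotFixID) was installed $($lastFix.InstalledOn.ToShortDateString()); updates look stalled.")
    }

    # P1211 / P1212 / P1213: antivirus on, definitions fresh, full scan happening.
    # Ages are reported in days; a scan that has never run shows as a huge
    # number, so the "too old" test catches it as well.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.AntivirusEnabled) {
        $findings.Add('Antivirus engine is disabled.')
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time ("active") protection is off.')
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Definitions are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated)); check the subscription and internet access.")
    }
    if ($status.FullScanAge -gt $MaxFullScanAgeDays) {
        $findings.Add("Last full scan was $($status.FullScanAge) days ago, or never.")
    }
    # ScanParameters: 1 = quick scan, 2 = full scan.
    # ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
    if ($pref.ScanParameters -ne 2 -or $pref.ScanScheduleDay -eq 8) {
        $findings.Add('No scheduled full scan. Example fix (elevated): Set-MpPreference -ScanParameters 2 -ScanScheduleDay 1 -ScanScheduleTime 02:00:00')
    }

    return $findings
}

Get-Level1PatchAndAvFindings | ForEach-Object { "FINDING: $_" }
```

The shop computer from the P1212 example would light up two of these checks at once (old definitions and an old last update), which is exactly the evidence an auditor would want to see you act on.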
The Level 1 CMMC requirements are easier the smaller your company is.
With only a few computers to worry about, you can meet the intention of level 1 pretty easily.
If I were to make a buy list for a small business that needs Level 1, I would start with these purchases (not sponsored). A few years ago, some of these products didn’t even exist for the small business market. I’m very excited that we can take advantage of them now.
Bear with me, I am one of those rare cyber-security people who appreciate Microsoft products. All Apple fans please comment with your preferences!
- Microsoft 365 Business subscription (about $240 per user per year): this gives you the latest Windows, Office 365 for email and files, Windows Defender antivirus, threat protection policies, and domain management.
- A SonicWall SOHO wireless router (about $650): these have a firewall, wireless networking, and a threat management subscription that protects you from bad websites.
- Google Nest Cameras ($200-$400 per camera) and “Nest x Yale” electronic door locks ($279) for physical security and logging.
Now go forth and be secure!
I’ve personally seen companies fail every one of these basic security requirements during my career. It seems like a no-brainer to be cyber-secure, but in many cases, the business owner sabotaged themselves by just not caring. They would have hired an expert electrician if they needed wiring fixed, gone to a good doctor if they were sick, or taken their car to the dealership for repairs, but when it came to their computers, they tried to get by with the absolute minimum.
Care a little, spend a little, be conscientious, and use good passwords. Your company can be CMMC level 1!
What do you think? Would you give different cyber-security advice to very small businesses? What products would you recommend?
Please join in the discussion if you have tips, ideas, or horror stories of companies that did security wrong.