Note: Our North Star CMM program is based on what is called the Cybersecurity Maturity Model Certification or CMMC. The last C represents Certification. By focusing on the model we more accurately reflect what we are doing. The last C is dropped off as Certification is a separate business decision from cyber and data protection. An important decision, but separate.
The CMM is a collection of standards and practices to protect the confidential information of clients and the business. Utilizing it makes it easier for you to communicate your needs to product and service providers as well as share and learn effective practices with others. The CMMC was created by the DoD to support the defense industrial base, including supply chain members, it has great value for all businesses.
America’s SBDC has adopted the CMM as the North Star to guide small businesses on the journey of cybersecurity and data breach protection activities.
Basic cyber and data protection revolves around the simple concept of CIA (Confidentiality, Integrity, availability). Confidential information needs to be protected. The information needs to have Integrity. If someone breaks in and alters the data it can be a big problem, we can’t count on it. Information needs to be Available for use. Ransomware and other cyber-attacks prevent us from using our information.
You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job.
No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system.
When an employee leaves the company, you disable their username and password immediately.
A coworker from the marketing department tells you their boss wants to buy a new multi- function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.
You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.
You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done.
Part of the proposal includes Federal Contract Information, or FCI. FCI is information that you or your company get from doing work for the Federal government.
Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.
You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects.
Your company gets Client Contract Information, from doing work for a client. This is information that is not shared publicly. Because you recognize the need to control sensitive information, including confidential information, you carefully review all information before posting it on the company website or releasing it to the public.
You allow only certain employees to post to the website.
This includes contact information that includes confidential information. If a federal contractor Federal Contract Information which may include CUI.
You lead a project with the Department of Defense (DoD) for your small company and want to make sure that all employees working on the project can log on to the company system to see important information about the project.
You also want to prevent employees who are not working on the DoD project from being able to access the information.
You set up the system so that when an employee logs on, the system uniquely identifies each person, then determines the appropriate level of access.
You are in charge of purchasing for your company. You know that some devices, such as laptops, come with a default username and a default password. Last week, your coworker in the Engineering Department received a laptop with the default username “admin” and default password “admin”.
You remind the coworker to be sure to delete the default account details or change the default password to a unique password. You also explain that default passwords are easily found in an internet search engine. So, it would be easy for an unauthorized person to guess and use the default password to gain access to the system.
EXAMPLE:You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet.
When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD).
Rather than throw the CD in the trash, you make sure that it is shredded.
If you are a federal contractor need to consider the responsibility of Federal contract information (FCI)—information you or your company got doing work for the Federal government that is not shared publicly)
You work for a small company as the project manager for a client project.
The project requires special equipment that should be used only by project team members. You work with your boss to put locks on the doors to your area.
This restricts access to the room to only those employees who work on the client project.
You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it’s hard to know who is coming and going from the lunch area.
You work with your boss, the company founder, and ask all non-employees to sign in at the reception area, then sign out when they leave.
Employees can have badges or key cards that enable tracking and logging access to the company facilities.
EXAMPLE: Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the building. You stop to talk, and the person explains that they are supposed to meet the coworker for lunch, but cannot remember where the lunchroom is. You offer to walk the person back to the reception area to get a visitor badge and wait until someone can escort them to the lunchroom. You report this incident, and the company decides to install a badge reader at the main door so visitors cannot enter without an escort.
A team member retired last week and forgot to turn in company items, including an identification badge
and office keys. The project requires special equipment that should be used only by project team
members. Before you begin looking for a replacement employee, you make sure to change the locks on
the doors to the project area. You also disable the retired team member’s badge.
You are setting up the new network for your company, and want to keep the company’s information and resources safe.
You make sure to buy a router—a hardware device that routes data from a local area network (LAN) to another network connection—with a built-in firewall, then configure it to limit access to trustworthy sites.
Some of your coworkers complain that they cannot get onto to certain websites. You explain that the new network blocks websites that are known for spreading malware.
The head of recruiting wants to launch a website to post job openings and allow the public to download an application form. After some discussion, your team realizes it needs to use a router and firewall to create a DMZ to do this.
You host the server separately from the company’s internal network and make sure the network has the correct security firewall rules. Your company gets a lot of great candidates for open jobs, and the company’s internal network is protected.
You have many responsibilities at your company, including IT.
You know that malware, ransomware, and viruses can be a big problem for small companies.
You make sure to enable all security updates for your software, and purchase the maintenance packages for new hardware and operating systems
You are buying a new computer for your small business and want to protect your company’s information from viruses, spyware, etc.
You buy and install anti-malware software.
You bought a new computer for your small business.
You know that you need to protect your company’s information from viruses, spyware, etc. So, you also purchased and installed anti-malware software.
You configure the software to automatically update to the latest antivirus code and definitions of all known malware
While cleaning up your office, you find your old thumb drive. You are not sure if you should use it.
Then you remember something: Your company just purchased anti-malware software that auto-updates with the latest antivirus code and definitions of all known malware.
With this in mind, you decide to plug in the thumb drive. The new anti-malware software scans the thumb drive, finds a virus, then deletes the file.
Contact us! cmmc@AmericasSBDC.org
To Download the Content Above:
See the DoD’s Cybersecurity Maturity Model Certification (CMMC) documentation here:
If you choose to go the certification route see please find information here:
The North Star CMM is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect confidential information (CI) that resides with the business. Some may belong to business partners, clients, or others.
The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. The term CUI is defined by the National Archives here.
Although the CMMC itself is organizational focus, much value comes from engaging the business ownership and employees via a certification program for them. As the employees are aware of good cyber hygiene and have the North Star of the CMMC to follow education will make it much easier for them to communicate within, with third-parties helping them, and communicating good practices with others. Continuity will help make it easier to measure effectiveness of approaches to secure the organization and help others in their business eco-system.
Basic Cyber Hygiene
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation.
Intermediate Cyber Hygiene
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
Good Cyber Hygiene
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Level 5 requires an organization to standardize and optimize process implementation across the organization.