Cybersecurity and Data Protection: the CMMC


The CMMC is a collection of standards and practices to protect the confidential information of clients and the business. Utilizing it makes it easier for you to communicate your needs to product and service providers as well as share and learn effective practices with others. Created originally to support the Defense Industry, including supply chain members, it has great value for all businesses. 

America’s SBDC has adopted the CMMC as the North Star to guide small businesses on the journey of cybersecurity and data breach protection activities.

Examples are provided to put this information in context. Other examples, organized by industry, are forthcoming. As you read through this information, consider your own story: what would you use as an example? Send it to us at cmmc@americassbdc.org.

As you read the examples create one that makes sense to you. We are gathering them to be considered as formal examples for others. 

Send examples to cmmc@AmericasSBDC.org

CMMC Level 1, Basic Cyber Hygiene 

Protecting Confidential Information

The following slides provide clarifications of the CMMC Basic Cyber Hygiene, Level 1.

EXAMPLE 1:

You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job.

No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system.

When an employee leaves the company, you disable their username and password immediately.

EXAMPLE 2:

A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant the new printer/scanner/fax device permission to connect to the network, then install it.

EXAMPLE 3:

You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.

EXAMPLE:

You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done.

Part of the proposal includes Federal Contract Information, or FCI. FCI is information that you or your company get from doing work for the Federal government.

Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.


EXAMPLE:

You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects.

Your company gets Client Contract Information from doing work for a client. This is information that is not shared publicly. Because you recognize the need to control sensitive information, including confidential information, you carefully review all information before posting it on the company website or releasing it to the public.

You allow only certain employees to post to the website.

EXAMPLE:

You are in charge of purchasing for your company. You know that some devices, such as laptops, come with a default username and a default password. Last week, your coworker in the Engineering Department received a laptop with the default username “admin” and default password “admin”.

You remind the coworker to be sure to delete the default account details or change the default password to a unique password. You also explain that default passwords are easily found in an internet search engine. So, it would be easy for an unauthorized person to guess and use the default password to gain access to the system.

EXAMPLE:

You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet.

When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD).

Rather than throw the CD in the trash, you make sure that it is shredded.

EXAMPLE:

You work for a small company as the project manager for a client project.

The project requires special equipment that should be used only by project team members. You work with your boss to put locks on the doors to your area.

This restricts access to the room to only those employees who work on the client project.

CONTROL WHO HAS ACCESS TO FACILITY

EXAMPLE:

You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it’s hard to know who is coming and going from the lunch area.

You work with your boss, the company founder, and ask all non-employees to sign in at the reception area, then sign out when they leave.

Employees can have badges or key cards that enable tracking and logging access to the company facilities.

PHYSICAL ACCESS DEVICES

EXAMPLE:

A team member retired last week and forgot to turn in company items, including an identification badge and office keys. The project requires special equipment that should be used only by project team members. Before you begin looking for a replacement employee, you make sure to change the locks on the doors to the project area. You also disable the retired team member’s badge.
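The access-control practices in Examples 1 to 3, the default-password example and the physical access example above all come down to one routine check: compare who and what is allowed in against who and what currently has access. The following is an added example, not code from the ASBDC page or from the CMMC itself, of a small audit script that performs those checks over a constructed HR roster, account list, badge list, network device list, payroll user list and new-device login list. Every name, record and helper function in it is hypothetical; the only real value is the "admin"/"admin" default mentioned in the purchasing example.

```python
"""Access-control audit for the CMMC Level 1 practices illustrated above.

Added example, not part of the ASBDC page. All names, records and helper
functions are hypothetical; the inputs below are constructed for illustration.
"""
from datetime import date

# --- Constructed sample data for a hypothetical small company ----------------
HR_ROSTER = {
    "alice": {"status": "active", "department": "Payroll"},
    "bob": {"status": "active", "department": "Shipping"},
    "carol": {"status": "departed", "department": "Engineering",
              "last_day": date(2024, 3, 1)},
}
ACCOUNTS = [
    {"user": "alice", "enabled": True},
    {"user": "bob", "enabled": True},
    {"user": "carol", "enabled": True},        # left the company, still enabled
    {"user": "contractor9", "enabled": True},  # never in the HR roster
]
BADGES = [
    {"user": "alice", "active": True},
    {"user": "carol", "active": True},         # retiree's badge not yet disabled
]
APPROVED_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # MACs granted permission
SEEN_ON_NETWORK = [
    {"mac": "aa:bb:cc:00:00:01", "name": "alice-laptop"},
    {"mac": "aa:bb:cc:00:00:09", "name": "marketing-mfp"},     # new printer, not yet approved
]
PAYROLL_APP_USERS = {"alice", "bob"}
PAYROLL_DEPARTMENTS = {"Payroll"}
# The vendor default named on the page; a real list comes from the vendor's documentation.
DEFAULT_CREDENTIALS = {("admin", "admin")}
NEW_DEVICE_LOGINS = [
    {"device": "eng-laptop-07", "user": "admin", "password": "admin"},
    {"device": "eng-laptop-08", "user": "admin", "password": "correct-horse-7-battery"},
]


def accounts_to_disable(roster, accounts):
    """Enabled accounts whose owner has departed or is unknown to HR (Example 1)."""
    bad = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["user"])
        if person is None or person["status"] != "active":
            bad.append(acct["user"])
    return sorted(bad)


def badges_to_disable(roster, badges):
    """Active badges or keys held by anyone who is no longer an active employee."""
    return sorted(b["user"] for b in badges
                  if b["active"] and roster.get(b["user"], {}).get("status") != "active")


def unapproved_devices(approved, seen):
    """Devices observed on the network without prior permission (Example 2)."""
    return sorted(d["name"] for d in seen if d["mac"] not in approved)


def role_violations(roster, app_users, allowed_departments):
    """Users of a restricted application outside the departments allowed to use it (Example 3)."""
    return sorted(u for u in app_users
                  if roster.get(u, {}).get("department") not in allowed_departments)


def devices_with_default_credentials(logins, defaults):
    """New devices whose login is still a vendor default (purchasing example)."""
    return sorted(d["device"] for d in logins if (d["user"], d["password"]) in defaults)


def run_audit():
    """Collect every finding as an action item for whoever is in charge of IT."""
    findings = []
    findings += [f"disable account: {u}"
                 for u in accounts_to_disable(HR_ROSTER, ACCOUNTS)]
    findings += [f"disable badge/keys: {u}"
                 for u in badges_to_disable(HR_ROSTER, BADGES)]
    findings += [f"unapproved device on network: {d}"
                 for d in unapproved_devices(APPROVED_DEVICES, SEEN_ON_NETWORK)]
    findings += [f"payroll access outside allowed departments: {u}"
                 for u in role_violations(HR_ROSTER, PAYROLL_APP_USERS, PAYROLL_DEPARTMENTS)]
    findings += [f"default credentials still set: {d}"
                 for d in devices_with_default_credentials(NEW_DEVICE_LOGINS, DEFAULT_CREDENTIALS)]
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Running it prints one action item per finding (six for the constructed data above). In practice the inputs would come from the directory service, the badge system and the network's DHCP or switch records, and the script would run on a schedule so that a departed employee's account or badge, or a device that was never granted permission, does not stay active unnoticed.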

EXAMPLE:

You are setting up the new network for your company, and want to keep the company’s information and resources safe.

You make sure to buy a router—a hardware device that routes data from a local area network (LAN) to another network connection—with a built-in firewall, then configure it to limit access to trustworthy sites.

Some of your coworkers complain that they cannot get onto certain websites. You explain that the new network blocks websites that are known for spreading malware.

EXAMPLE:

The head of recruiting wants to launch a website to post job openings and allow the public to download an application form. After some discussion, your team realizes it needs to use a router and firewall to create a DMZ to do this.

You host the server separately from the company’s internal network and make sure the network has the correct security firewall rules. Your company gets a lot of great candidates for open jobs, and the company’s internal network is protected.

PATCH MANAGEMENT

EXAMPLE:

You have many responsibilities at your company, including IT.

You know that malware, ransomware, and viruses can be a big problem for small companies.

You make sure to enable all security updates for your software, and purchase the maintenance packages for new hardware and operating systems.

EXAMPLE:

You are buying a new computer for your small business and want to protect your company’s information from viruses, spyware, etc.

You buy and install anti-malware software.

EXAMPLE:

You bought a new computer for your small business.

You know that you need to protect your company’s information from viruses, spyware, etc. So, you also purchased and installed anti-malware software.

You configure the software to automatically update to the latest antivirus code and definitions of all known malware.

EXAMPLE:

While cleaning up your office, you find your old thumb drive. You are not sure if you should use it.

Then you remember something: Your company just purchased anti-malware software that auto-updates with the latest antivirus code and definitions of all known malware.

With this in mind, you decide to plug in the thumb drive. The new anti-malware software scans the thumb drive, finds a virus, then deletes the file.

You may now be ready to take a more formal approach, work with others, and follow the North Star.

Check out the CMMC tool to help prepare for an assessment.

Private Sector

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled confidential information (CI) that resides with the business. Some of it may belong to business partners, clients, or others.

Defense Industrial Base

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. The term CUI is defined by the National Archives.

Focus on Employee Awareness

Although the CMMC itself is organizationally focused, much value comes from engaging the business ownership and employees via a certification program for them. Once employees are aware of good cyber hygiene and have the North Star of the CMMC to follow, that education makes it much easier for them to communicate within the business, with third parties helping them, and with others when sharing good practices. Continuity will help make it easier to measure the effectiveness of approaches to securing the organization and to help others in their business ecosystem.

ASBDC Activities Focus on Levels 1 – 3 Support

CMMC Level 1

Basic Cyber Hygiene

Processes: Performed

Level 1 requires that an organization performs the specified practices. The organization may be able to perform these practices only in an ad hoc manner, and may or may not rely on documentation.

CMMC Level 2

Intermediate Cyber Hygiene

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.

CMMC Level 3

Good Cyber Hygiene

Processes: Managed

Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

CMMC Level 4

Reviewed

Processes: Proactive

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.

CMMC Level 5

Advanced/Proactive

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.