What Is the CMMC? Our North Star

The CMMC is a collection of standards and practices to protect the confidential information of clients and the business. Using it makes it easier for you to communicate your needs to product and service providers, as well as to share and learn effective practices with others.

Created originally to support the Defense Industry, including supply chain members, it has great value for all businesses.

America’s SBDC has adopted the CMMC (Cybersecurity Maturity Model Certification) as the North Star to guide small businesses on the journey of cybersecurity and data breach protection activities. It was created by the Department of Defense. See private sector and defense applications below.

CMMC Level 1

Basic Cyber Hygiene

Processes: Performed

Level 1 requires that an organization perform the specified practices. The organization may be able to perform these practices only in an ad hoc manner, and may or may not rely on documentation.

CMMC Level 2

Intermediate Cyber Hygiene

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. Documenting practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.

CMMC Level 3

Good Cyber Hygiene

Processes: Managed

Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

CMMC Level 4

Reviewed

Processes: Proactive

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.

CMMC Level 5

Advanced/Proactive

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Private Sector

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect confidential information (CI) that resides with the business. Some of that information may belong to business partners, clients, or others.

Defense Industrial Base

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. The term CUI is defined by the National Archives.

The following information addresses CMMC Level 1 – Basic Cyber Hygiene.

The information below presents Level 1 of the CMMC in the form of official CMMC clarification and is meant to help business managers understand, in common language, what needs to be done. Examples are provided to put this information in context. Other examples, organized by industry, are forthcoming. As you read through this information, consider your own story: what would you use as an example? Send it to us at cmmc@americassbdc.org

EXAMPLE 1

You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job.

No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system.

When an employee leaves the company, you disable their username and password immediately.


EXAMPLE 2

A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission for the new printer/scanner/fax device to connect to the network, then install it.

EXAMPLE 3

You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.

EXAMPLE:

You are the head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects.

Your company gets Federal Contract Information, or FCI, from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public.

You allow only certain employees to post to the website.

EXAMPLE:

You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects.

Your company gets Client Contract Information from doing work for a client. This is information that is not shared publicly. Because you recognize the need to control sensitive information, including confidential information, you carefully review all information before posting it on the company website or releasing it to the public.

You allow only certain employees to post to the website.

EXAMPLE:

You are in charge of purchasing for your company. You know that some devices, such as laptops, come with a default username and a default password. Last week, your coworker in the Engineering Department received a laptop with the default username “admin” and default password “admin”.

You remind the coworker to be sure to delete the default account details or change the default password to a unique password. You also explain that default passwords are easily found in an internet search engine. So, it would be easy for an unauthorized person to guess and use the default password to gain access to the system.

EXAMPLE:

You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet.

When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD).

Rather than throw the CD in the trash, you make sure that it is shredded.

EXAMPLE:

You work for a small company as the project manager for a client project.

The project requires special equipment that should be used only by project team members. You work with your boss to put locks on the doors to your area.

This restricts access to the room to only those employees who work on the client project.

EXAMPLE:

You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it’s hard to know who is coming and going from the lunch area.

You work with your boss, the company founder, and ask all non-employees to sign in at the reception area, then sign out when they leave.

Employees can have badges or key cards that enable tracking and logging access to the company facilities.

EXAMPLE:

You are setting up the new network for your company, and want to keep the company’s information and resources safe.

You make sure to buy a router—a hardware device that routes data from a local area network (LAN) to another network connection—with a built-in firewall, then configure it to limit access to trustworthy sites.

Some of your coworkers complain that they cannot get onto certain websites. You explain that the new network blocks websites that are known for spreading malware.

EXAMPLE:

The head of recruiting wants to launch a website to post job openings and allow the public to download an application form. After some discussion, your team realizes it needs to use a router and firewall to create a DMZ to do this.

You host the server separately from the company’s internal network, and make sure the network has the correct security firewall rules. Your company gets a lot of great candidates for the open jobs, and the company’s internal network is protected.

EXAMPLE:

You have many responsibilities at your company, including IT.

You know that malware, ransomware, and viruses can be a big problem for small companies.

You make sure to enable all security updates for your software, and purchase the maintenance packages for new hardware and operating systems.

EXAMPLE:

You are buying a new computer for your small business and want to protect your company’s information from viruses, spyware, etc.

You buy and install anti-malware software.

EXAMPLE:

You bought a new computer for your small business.

You know that you need to protect your company’s information from viruses, spyware, etc. So, you also purchased and installed anti-malware software.

You configure the software to automatically update to the latest antivirus code and definitions of all known malware.

EXAMPLE:

While cleaning up your office, you find your old thumb drive. You are not sure if you should use it.

Then you remember something: Your company just purchased anti-malware software that auto-updates with the latest antivirus code and definitions of all known malware.

With this in mind, you decide to plug in the thumb drive. The new anti-malware software scans the thumb drive, finds a virus, then deletes the file.

Above information provided by RightExposure

Content Supporting Levels 2 and 3 of the CMMC Coming Soon.

Thank you to our Sponsors

Add your logo and link through as a sponsor. Contact us today. Sponsors will appear the first of June.

Questions?

Contact us at: cmmc@americassbdc.org or call 202-839-5563

America’s SBDC is the association that represents America’s nationwide network of Small Business Development Centers (SBDCs).

Contact your local SBDC for no-cost business consulting and low-cost business training.

© 2020 America’s SBDC