We’re going to start digging through the CMMC levels, starting with CMMC 2.0 Level 1. I will go through the different protection areas and briefly describe what they mean. I don’t intend for this to be complete guidance, but rather an introduction that makes you more aware of the areas you’re expected to focus on. As level 1 is the lowest level of protection, it has only 6 areas for the 17 total controls.
First, we have the critical topic of access control, which is just limiting who has access to the protected information. At level 1, companies are expected to have and follow policies that limit and define who has access to the protected information, control connections to external systems, and ensure that no protected information is contained in any publicly accessible resources like press releases or public web pages.
For the third area, we have media protection. This requirement covers the reuse or disposal of storage media that has contained protected information (such as USB drives and hard drives). While this may sound simple, it is expected that more is done than simply deleting files. More in-depth guidance can be found here.
I was happy to see the next area show up, as I feel physical protection is too often ignored as part of cybersecurity. There are 4 controls here: limit physical access, have logs of physical access, escort visitors, and manage physical access devices. I don’t feel that physical and cybersecurity should exist as separate silos, and it is good to see steps being made to combine them.
The last two areas, systems & communications protection and system & information security, are probably where the most technical requirements are for level one. First, there is protection and monitoring of the network boundary, and segmentation of the network to separate public and private areas. Next, there needs to be some form of malicious code protection (i.e., anti-virus) and periodic system scans, with real-time scanning of files when they are downloaded. Finally, there are the vital requirements of keeping your systems, software, and protection methods up to date.
As I said, this is intended to be a brief introduction to give you an idea of the types of requirements you will need to start thinking about. Next will be level two.