Are you a small business currently fulfilling a Department of Defense (DoD) government contract or do you plan to bid on a contract solicitation in the coming years? Are you a subcontractor to a larger prime that has secured a DoD contract? Are you aware of the current cybersecurity requirements expected of DoD contractors and those that will be implemented later this year?
If you are not familiar with the Cybersecurity Maturity Model Certification (CMMC), now is the time to get familiar with the expectations you will need to fulfill in order to continue or secure DoD contracting going forward. On 31 January 2020, the Office of the Under Secretary of Defense for Acquisition & Sustainment released Version 1.0 of the Cybersecurity Maturity Model Certification, a major benchmark by DoD to strengthen the cyber posture of the DoD supply chain. Here are a couple of blogs that provide some overviews of the CMMC:
For additional information, just do a Google search for the Cybersecurity Maturity Model Certification and there is a plethora of articles on the subject.
The focus of this and a few succeeding articles will be to explore and detail the requirements to achieve Level 1 compliance within CMMC, referred to as Basic Cyber Hygiene. So, Level 1 compliance requires a company to show proof to a third party certifying entity that the business has implemented and practices on a day to day basis the basic safeguarding requirements contained within the 48 Code of Federal Regulation (CFR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. The way CMMC is set up, you have 17 Domains, within which there are certain Capabilities expected within each Domain. Within the Capabilities are Processes integrated within the contracting company’s SOP and within each Process are multiple Practices. Information security requirements increase depending on the sensitivity of the information being used, stored and/or transmitted in the fulfillment of the contract by the DoD contracting company, and these requirements are phased in through Levels 1 through 5, Level 1 being the least stringent.
Within Level 1, there are 6 Domains, containing 9 Capabilities and requiring 17 Practices to be active within the company in order to comply with 48 CFR 52.204-21. There are no Processes required to be documented within Level 1, only Practices. These Domains, Capabilities and Practices for Level 1 are laid out in this format:
I. Domain – Access Control (AC)
a.. 3 Capabilities, 4 Practices
II. Domain – Identification and Authentication (IA)
a. 1 Capability, 2 Practices
III. Domain – Media Protection (MP)
a. 1 Capability, 1 Practice
IV. Domain – Physical Protection (PE)
a. 1 Capability, 4 Practices
V. Domain – System and Communication Protections (SC)
a. 1 Capability, 2 Practices
VI. Domain – System and Information Integrity (SI)
a. 2 Capabilities, 4 practices
In future articles, we will explore what is required for a business to be in compliance with each of the 17 practices within Level 1 of CMMC. If you have questions related to CMMC compliance or would like assistance as you prepare your business for CMMC compliance, please contact the UGA SBDC at this link and someone will be back in touch with you as soon as possible.
Until next time…
By Mark R. Lupo, MBCP, SMP