Ready. Set. Cybersecurity. (CMMC ML 1 & Small Business Resources)
For some small businesses, securing your information systems (and your proprietary data) might seem complicated and expensive, but it doesn't have to be. After all, cybersecurity can simply be described as implementing practices, procedures, and technologies to protect the confidentiality, integrity, and availability of data (i.e., to help prevent unauthorized access to data and cyberattacks).
A cybersecurity program can begin with, for example, creating information security policies, using strong passwords, using multi-factor authentication, encrypting data, limiting access to files, training employees (e.g., for phishing and scam emails), installing anti-virus software, and creating a cyber incident response plan. To be sure, there are a number of ways to get started. A simple Google search for "cybersecurity best practices" (in quotes) will yield thousands of results.
Interestingly, the Department of Defense's ("DoD") recent Cybersecurity Maturity Model Certification ("CMMC"), which will be a required certification for companies who want to do business with the DoD, is a newer model that blends cyber practices with levels of maturity. The model is broken down into five maturity levels, the first of which is "Basic Cyber Hygiene." This basic level contains just 17 practices (and no maturity processes) that are easy to digest for even the smallest organization.
Here are the CMMC Maturity Level 1 requirements and the corresponding page number from the CMMC Appendices, where you will find a CMMC clarification, examples, and references for each practice. This document also contains the CMMC Model Matrix (beginning on page A-2).
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (B-10)
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (B-11)
Verify and control/limit connections to and use of external information systems. (B-12)
Control information posted or processed on publicly accessible information systems. (B-14)
Identify information system users, processes acting on behalf of users, or devices. (B-89)
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (B-90)
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (B-133)
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (B-149)
Escort visitors and monitor visitor activity. (B-150)
Maintain audit logs of physical access. (B-151)
Control and manage physical access devices. (B-152)
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (B-205)
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (B-207)
Identify, report, and correct information and information system flaws in a timely manner. (B-237)
Provide protection from malicious code at appropriate locations within organizational information systems. (B-238)
Update malicious code protection mechanisms when new releases are available. (B-240)
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. (B-243)
Regardless of whether you are doing business with the DoD, the basic requirements above can serve as a great starting point. Depending on the needs of your organization, however, you may need to implement additional safeguards to protect your (or third-party) data. For example, defense contractors who anticipate handling "Controlled Unclassified Information" would need to have, at minimum, "Good Cyber Hygiene" (CMMC Maturity Level 3), which consists of 130 practices and 3 maturity processes.
Below you will find a list of online resources to assist in your efforts to implement a cybersecurity program for your organization. The list is not exhaustive, but just a starting point.
. . .