CMMC Level 1 or “Basic Cyber Hygiene” consists of 17 controls that dictate some basic security measures that you may already have in place. Your outsourced IT services company should already have most of these controls configured for you. If you have internal IT staff, they need to make sure these controls are configured, tested, and enforced. In most cases these controls/systems are already available to you and just need to be turned on or configured. Depending on which systems you are currently using, meeting the technical requirements of CMMC Level 1 should cost little or nothing at all.
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is an updated set of guidelines primarily built upon existing security frameworks, such as the NIST 800-171, to help the DoD identify the security level of GovCons who are competing for contracts. CMMC is broken down into 5 Levels each of which identifies how secure your infrastructure is in order to qualify your eligibility to compete for and perform work on DoD contracts.
When do we need to be CMMC compliant?
The DoD intended to roll out CMMC compliance requirements for new contracts in the beginning of 2021 with the expectation that by the end of 2025 every active DoD contract would have CMMC requirements in place. The CMMC implementation deadlines have changed several times causing confusion and creating a sense of urgency for GovCons to become CMMC ready. In addition, CMMC submissions must be audited by certified third-party assessor organizations(C3PAO) for certification unlike previous self-assessed and self-attested NIST submissions. Delays in the finalization of the CMMC compliance process have removed some pressure, the CMMC certification requirement is inevitable.
At this and you can’t be “certified” and even though the CMMC process timeline has shifted, your company should already have the CMMC level 1 requirements in place. Being CMMC level 1 ready means your company is meeting the practices listed as part of the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21 (which is required on all existing DoD contracts).
What do we have to do to be CMMC level 1 ready?
Depending upon your IT support, you may be ready, or you may have several steps to take to qualify. The list below features some of the Level 1 requirements that your IT Support company or in-house IT staff should be providing for you. While your IT team might be implementing the technical functions, to meet the CMMC certification, your company will need properly documented company policies and procedures that align with the technical requirements. In addition, certification requires appropriate supporting artifacts (evidence or documentation to demonstrate compliance). Your IT team can provide you with reports from their management systems to facilitate gathering that information.
Samples of CMMC Level 1 or “Basic Cyber Hygiene” Controls:
- Access Control & Identification and Authentication Controls o IT infrastructure must prevent unauthorized access
- Use of unique usernames
- Require secure passwords
- Enable higher-level security such as multi-factor authentication
- Media Protection Controls. o Systems and media containing company information, federal contract information (FCI) or controlled unclassified information (CUI) must be protected
- Device Encryption in place on all systems
- Encryption of data at rest
- Physical and Environmental Controls o Physical restrictions to prevent access to your office
- Procedures to document and supervise visitors to your office
- Systems and Communications Protection Controls o Firewalls
- End-point protection tools (Anti-Virus, Anti-Malware, etc.)
- Encryption of data in transit
- System and Information Integrity Controls o Monitoring of systems and data
- Backup of data
The Bottom Line
“Basic Cyber Hygiene” should be an integral part of your company’s infrastructure and implementing and maintain it should be your IT team’s primary mission. We have spoken with companies who have been quoted as much as $20,000 from their incumbent IT services provider for remediation to become CMMC Level 1 ready. This charge was in addition to a significant monthly fee for supporting the company systems. We have also worked with companies who were being up charged $50 or more per month for each user to be CMMC Level 1 ready. While some additional outlay may be justified to offset
the cost of the enhanced security services required to meet higher levels of CMMC, companies should not be paying extra for “Basic Cyber Hygiene.”
If you are currently working with an IT Services company to maintain your IT infrastructure, the cost to meet the CMMC Level 1 technical requirements should be minimal or simply included as part of your existing service plan. Although there may be some scenarios where your company needs to modify which services or licensing you are using, in most cases, those changes/costs should be reasonable. It should not cost you significantly more money for your IT team to provide you with “Basic Cyber Hygiene.” If your provider is telling you that they need to remediate your systems or significantly increase your monthly fees to be CMMC level 1 ready, then you are not working with the right service provider.
Before signing off on a significant “remediation project” to become CMMC Level 1 ready, ask your existing service provider why the services that you are paying them to provide does not meet or exceed “Basic Cyber Hygiene”.
For more information, reach out to Degree Six at firstname.lastname@example.org.