
The Cybersecurity Maturity Model Certification (CMMC) framework is made up of five levels, ranging from Level 1 (Basic Cyber Hygiene) to Level 5 (Advanced/Progressive). Each level builds on the requirements of the previous level and introduces new controls and practices.

A small business will require a different level of certification depending on the nature of the contract it is pursuing and the sensitivity of the information it will handle. This guide provides an overview of the CMMC levels and their associated requirements to help you become a certified small business.


Level 1: Basic Cyber Hygiene

To achieve Level 1, Federal Contract Information (FCI) must be safeguarded and basic cybersecurity practices must be implemented. It is worth noting that the requirements at this level are comparable to those set forth in NIST SP 800-171, which includes controls such as access control, incident response, system integrity, and security monitoring.

Examples of controls within level 1 include the following:

  • Antivirus software should be used as standard.
  • Passwords should be changed on a regular basis.

Level 2: Intermediate Cyber Hygiene

At Level 2, organizations must implement a more comprehensive set of cybersecurity practices beyond Level 1 in order to protect Controlled Unclassified Information (CUI). A number of additional controls are introduced from NIST SP 800-171B, along with the practices of establishing and maintaining asset inventories, implementing configuration management processes, and conducting regular security awareness training.

Examples of controls within level 2 include the following:

  • Lock user sessions after a period of inactivity so they cannot be accessed by others.
  • Limit the number of failed logon attempts allowed on an account to a set number.
  • Use privileged accounts only when they are absolutely necessary.

Level 3: Good Cyber Hygiene

Level 3 is aimed at protecting a company's sensitive data and requires that a cybersecurity management plan be established and maintained by the company. Level 3 builds on the requirements of Levels 1 and 2 and introduces additional practices from NIST SP 800-171A. It requires the implementation of more advanced controls, such as incident response testing, media protection, and system and communications protection requirements.

Examples of controls within level 3 include the following:

  • Develop and implement procedures for responding to declared incidents in accordance with predefined policies.
  • Identify, analyze, and triage events so that incidents can be declared and resolved.
  • Protect email using DNS-based or asymmetric cryptography.
  • Ensure that risk mitigation plans are developed and implemented.
  • Perform and test data backups on a regular basis.

Level 4: Proactive

Level 4 introduces a proactive approach to cybersecurity and is designed to protect CUI against advanced persistent threats. Specifically, it requires organizations to review and enhance their cybersecurity capabilities to ensure that CUI is protected and that they can defend against sophisticated cyber threats. Reaching Level 4 requires enhanced access control, auditing, and accountability, as well as maintenance of security baselines.

Organizations seeking certification at Level 4 must implement processes for reviewing and assessing the effectiveness of controls, and must establish processes for detecting and responding to the changing tactics, techniques, and procedures associated with Advanced Persistent Threats (APTs). An APT is a malicious actor with a sophisticated level of expertise and significant resources, able to create multiple attack vectors.

Level 5: Advanced/Progressive

As the most advanced cybersecurity posture in the model, Level 5 represents an organization's commitment to standardizing and optimizing its cybersecurity processes in order to maintain its security posture. By implementing highly advanced security practices, including continuous monitoring, advanced threat hunting, and real-time incident response capabilities, it aims to reduce the risk posed by advanced persistent threats that could compromise CUI.

To achieve Level 5 certification, an organization must have standard and optimized processes in place across the organization and additional enhanced practices to provide the organization with the most sophisticated detection and response capabilities for APTs.

In addition to the Level 4 and 5 practices, organizations need to comply with CMMC C034-P1163, which requires them to create, maintain, and leverage a written security strategy and roadmap. During a CMMC audit, cybersecurity business plans and strategies fall within the scope of the assessment and will be subject to scrutiny.

It is important to remember that the specific requirements within each level are detailed in the CMMC framework documentation, which provides a comprehensive breakdown of the controls and practices organizations need to implement to achieve certification at each level.

Furthermore, it is crucial for small businesses to stay informed about changes and new requirements, as the CMMC framework is subject to updates and revisions.

For the most accurate and up-to-date information regarding CMMC requirements for small businesses, we highly recommend visiting the official CMMC website or consulting a certified CMMC assessor.

If you are looking for a solution to assist with CMMC audit logging and metrics management, our CMMC solution for small businesses is available to trial for 14 days, completely free.

If you enjoyed this article, why not read Linux command cheat sheet or Kibana vs Grafana next?


© 2024 Logit.io Ltd, All rights reserved.