Use the CMMC model to set-up and evaluate your cybersecurity efforts!
At this beginning of this year, the Department of Defense (DoD) rolled out a new framework to better address constantly changing technology and new threats.
If you’re looking to place a bid to work with the DoD, you’ll need to make sure you’re in compliance with the Cybersecurity Maturity Model Certification (CMMC).
The CMMC is to ensure companies have the appropriate levels of cybersecurity practices and processes in place. There are five certification levels, with the first level addressing basic cybersecurity processes and the fifth level looking at standardized processes that proactively detect and respond to threats.
Even if you’re not looking to become a DoD contractor, the CMMC model is a good tool for any company to strengthen its cybersecurity processes, whether you’re a beginner or pro.
Below we break down all five levels of the CMMC model, discuss why each step is important and include a checklist for step 1!
Level 1: Basic Cyber Hygiene (performed)
A company must perform basic cyber hygiene practices, such as using antivirus software or ensuring employees change passwords regularly. These processes should be practiced on routine basis.
Why this is important
When companies enforce a routine cybersecurity check, not only will it help protect your company’s sensitive information from hackers and viruses, it will also help the maintenance of computers and software so they run smoothly.
How to get started
If your company doesn’t have any cybersecurity policies or checks in place, we recommend starting with the following:
-
Work with your HR department to give new employees an IT training
-
Ensure that every company computer and device has anti-malware software installed and a multi-factor authentication
-
Send alerts to all employees reminding them to change their passwords every 90 days
-
Share trainings with employees to continue to educate them on what cybersecurity attacks look like
-
Schedule quarterly technology check-ins and updates with each department and check backups
Level 2: Intermediate Cyber Hygiene (documented)
A company must document all cyber hygiene practices to protect sensitive information. In other words, a written policy must be updated and available to everyone in the company.
Why this is important
Having documentation of your cybersecurity processes will help your team ensure that all practices are being carried out on a routine basis. Some of these processes include audit log reviews, event detection/reporting, analyzing triaging events, incident response, Incident root cause analysis (RCA), regular data backup and testing and encrypted session for device management.
Level 3: Good Cyber Hygiene (managed)
A company must have an institutionalized management plan to implement cyber hygiene practices. This plan should address missions, goals, project plans, resourcing, required training and involvement of stakeholders.
Why this is important
Data breaches are common. Having a risk mitigation plan will help your team plan for and immediately respond to threats as they happen, which will help minimize damage.
Level 4: Proactive (reviewed)
Once practices are outlined and implemented, a company must have a process to review and measure the effectiveness of practices and share results with senior management. In addition, there should be policies in place to detect and respond to ever-evolving threats. At this level, the DoD wants to see procedures for responding to advanced persistent threats (APTs), or an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.
Why this is important
As technology advances, so do threats. Hackers and identity thieves are always finding new and smarter ways to gain access to information. It’s important to continue checking for vulnerabilities in your systems and continue to update processes.
Level 5: Advanced/Progressive (optimized)
A company must have a standardized, documented approach in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
Why this is important
APT hackers are much more sophisticated than regular hackers and aren’t easy to catch. Whether you’re a small or large company, optimizing your plans to quickly identify and address all threats will save your company time and money.
If you’re looking to be certified as a DoD contractor and need more information on CMMC, check out the full FAQ here.
For other small and large companies looking to review your cybersecurity plans, Three Wire can help you.
As an IT and cybersecurity company that works with multiple government agencies, including the DoD, we can ensure our client’s cybersecurity policies are up to par with our country’s national security policies. Whether you’re looking for help to implement basic cybersecurity processes, or you’re looking to create a more sophisticated plan to prepare for major attacks, our IT team has mastered each step mentioned above.
Since 2006, we’ve worked with companies to help them choose the right technology. In our experience, we’ve seen companies lose billions of dollars every year due to IT downtime, poor performance or a combination of both due to a cyber-attack. With the CMMC made publicly available, there’s no reason why you can’t take advantage of this model at your company.
If you have questions or you’re interested in contacting a member of our team, email us at info@threewiresys.com