The Cybersecurity Maturity Model Certification (CMMC) framework should be familiar to contractors and subcontractors working for the US Department of Defense (DoD). It sets out the DoD’s requirements for the cybersecurity practices contractors must adopt. These requirements supplement, and partly overlap with, the compliance criteria of the Defense Federal Acquisition Regulation Supplement (DFARS).
What Does CMMC Level 3 Entail?
The framework has five CMMC security maturity levels, but we’ll concentrate on the third. Organizations holding a CMMC Level 3 certification must safeguard controlled unclassified information (CUI). Level 3 therefore requires protecting more sensitive data sets than the lower levels do.
To earn Level 3 accreditation, organizations must demonstrate Good Cyber Hygiene and effectively manage their cybersecurity activities. This entails meeting Level 1–Fundamental Cyber Hygiene (the 17 basic safeguarding requirements outlined in FAR 48 CFR 52.204-21) and Level 2–Intermediate Cybersecurity Hygiene (an additional 55 cybersecurity practices).
How Do CMMC Level 3 Certification Requirements and DFARS Requirements Intersect?
Because some CMMC Level 3 criteria overlap with DFARS requirements, businesses pursuing Level 3 must implement the NIST 800-171 controls (110 security requirements) plus the CMMC-specific practices (an additional 20 controls). In practice, an organization that already follows NIST 800-171 will find the CMMC Level 3 criteria much easier to meet.
Contractors must work with suppliers that also meet DFARS and CMMC criteria, since these accreditation requirements flow down the supply chain. In the event of a security incident, contractors must also notify the DoD and grant it access to their CUI-handling systems, following the reporting procedures mandated by DFARS.
What Are the Prerequisites for CMMC Level 3?
The following checklist summarizes key CMMC Level 3 controls:
Wireless access security.
This entails protecting wireless network access with authentication and encryption.
Protocols for remote access.
This includes cryptographic mechanisms that protect the confidentiality of remote access sessions, whether users connect from a home workstation or another location.
Separation of duties among staff.
To reduce the risk of malicious activity, duties must be carefully divided among staff. If critical responsibilities are not clearly defined and a single person handles a task from beginning to end, errors and fraud are more likely to occur and go unnoticed.
Access controls for privileged and nonprivileged users.
Nonprivileged users must not be able to execute privileged functions. Only authorized users should be able to perform selected functions, particularly security functions, and the execution of these functions must be captured in audit logs.
Only a small number of authorized individuals should have access to audit logs, audit settings, and other audit administration functions.
Automatic termination of user sessions.
User sessions must be terminated in accordance with organizational policy. To prevent attackers from misusing unattended sessions, the policy should define the conditions and specific triggers that justify terminating a user’s session automatically.
Control of mobile device connections.
Businesses must establish rules for the proper use and configuration of portable devices. Every device must be identified, authorized, and running up-to-date software for its operating system. Devices must also have antivirus software enabled and settings that disable unwanted functionality.
Remote execution of privileged commands.
Privileged users may run privileged commands and access security-relevant information remotely, but only under tightly controlled conditions. Both these users and the changes they make must be identified and recorded.
Encryption of CUI on portable devices.
CUI must be protected using container-based encryption on all mobile devices and mobile computing platforms.
This also entails using encryption to safeguard CUI while it is stored on or transported across different media devices.