Tag: cmmc tier two

  • CMMC Series: Tier Three Overview

    CMMC Series: Tier Three Overview

    We’ve covered tier one and tier two of the Cybersecurity Maturity Model Certification (CMMC) program, and this week we’ll be tackling tier three.

    Before we dive in, we want to mention that we’re covering tier three as it exists currently (in 2022), version 1.0 has five tiers but once version 2.0 of the program releases it will be reduced to three tiers.

    What is currently tiers two and three will just be tier two version 2.0 of CMMC in the future, so it’s still worthwhile to pursue up to tier three in the existing model.

    Tiers four and five in the existing model (or tier three in the future in version 2.0 of CMMC) feature the highest level of protection and may not be necessary for most businesses pursuing Department of Defense (DoD) contracts. It’s estimated less than 1% of businesses will need to pursue beyond tier three.

    If you were to give the first three tiers’ labels, tier one would be considered “basic hygiene”, tier two would be “progressive hygiene” and in tier three you reach “good cyber hygiene”. By tier three your business will be well protected from cyber-attacks.

    Tier one had 17 controls, tier two added 55 more for 72 total, and tier three almost doubles the controls adding another 58 for 130 total.

    Level three expands on Access Control, which adds 8 more controls that focus on encryption and preventing unauthorized access to sensitive systems.

    Next, we see a new control in Asset Management that requests that you develop plans and procedures for handling CUI data.

    Audit and Accountability has 7 new controls that ask you to expand on your logging efforts as well as restrict access to those logs to only authorized users.

    Awareness and Training has one new control and it’s solely around providing and maintaining cyber training for your employees.

    Configuration Management adds three new controls, the CMMC controls in this category are looking for you to tighten up the configurations on your business’s devices, such as preventing downloads of unauthorized software and disallowing users to make security changes on their own.

    In Identification and Authentication we see four controls aimed at tightening up your user security, such as not allowing passwords to be reused and requiring MFA (multi-factor authentication).

    The two controls found in Incident Response ask you to track any incidents that occur and regularly test your organization incident response capabilities.

    Tier three Maintenance adds two new controls, one that asks you to sanitize any equipment of CUI data before it’s removed for maintenance and another that asks you monitor any media meant for testing or diagnostic purposes for malicious code before installing it on your devices.

    Media Protection adds four new controls, they all involve properly marking and restricting access to CUI data.

    Physical Protection in tier three of CMMC adds one control and it asks you to continue expanding on your efforts to prevent physical outside threats to the CUI data your business holds.

    Recovery also adds just one control and it’s aimed at having a schedule for your businesses backups that is strictly maintained and that proper storage capacity for your backups is provided and prioritized.

    Risk Management adds three controls, two are about maintaining risk assessments and developing plans to mitigate any identified risks. The third asks you to manage products not supported by vendors separately, including enforcing access and use restrictions on them. What they mean by this is if your business utilizes an older piece of software you’re not able to discontinue yet – you need to quarantine it to be in compliance with CMMC. Any piece of software not updated is a potential threat vector for your business.

    Security Assessment adds two new controls, they want you to monitor your security controls for ongoing efficacy and also have an independent security assessment conducted to identify any areas of risk that may be missed in your internal efforts.

    Not seen in tiers one or two, tier three introduces the first Situational Awareness control, and it asks that you begin to share cyberthreat intelligence found from reputable sources with your stakeholders. An example would be if there’s been an announcement of a breach occurring with a software your business uses, you would be obligated to share your knowledge of that breach as it becomes available to you.

    System and Communications in tier three adds the most new controls of any category with 15 controls in total. Controls in this category cover items such as ensuring proper information security across your in-house efforts in software engineering and system development to maintaining cryptographic keys for all the cryptography used on your systems. All of the controls are aimed at completing finishing touches when it comes to tightening up the security on your systems.

    Finally, System and Information Integrity adds three new controls. One asks that you beef up your efforts to block spam at all entry points, the second asks that you utilize all available efforts to prevent and detect document forgery and the third asks that you implement “sandboxing” to filter and block potentially malicious emails.

    As you can see, tier three greatly expands on the active role your business will need to take when it comes to cybersecurity measures. Implementing tier three will be made easier though as your business conducts the cumulative process of preparing better cyber readiness.

    For example, in tier two we saw monitoring efforts increase substantially, in tier three you can use the records that have been obtained to fill in the gaps that were uncovered in that process.

    Because such a small portion of businesses will need to obtain tiers four and five, we are not planning to have an in-depth article on those tiers. If you would like to have a consultation with Valley Techlogic on the CMMC process and the maturity level you will need to obtain for your business, you can schedule one here. In next weeks article we’ll talk about the CMMC auditing process and what you’ll need to do to prepare as your audit approaches.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: Tier Two Overview

    CMMC Series: Tier Two Overview

    This is the third week of our Cybersecurity Maturity Model Certification (CMMC) Series. You can find week one, which was a look at what’s happening with CMMC in 2022 here. Last week, we gave you an overview of tier one which you can review here.

    Tier one in CMMC really covers the basic foundational steps you must take to move on to tier two and tier three. For some contractors, tier one will be enough to keep and maintain compliance with their Department of Defense (DoD) contracts. Every situation is unique, but broadly speaking if you don’t handle Controlled Unclassified Information (CUI) in your business – tier one will probably be the extent that you need to reach.

    If you do handle any CUI data, then we recommend you strive towards tier two or tier three. Many of the protections that come in the later tiers specifically cover how to safeguard this data and it’s in your businesses best interest to meet the requirements. While there are no direct financial penalties at the time of writing for not doing so, the DoD is considering a system of rewarding businesses who achieve greater CMMC maturity levels.

    If you and another business are exactly the same in what you do and, in your pricing, – or even if their pricing is a bit higher than yours – if they have achieved tier three cybersecurity maturity model certification and your business is tier one or not certified at all yet, it’s likely your competitor will win the bid.

    So, what goes into reaching tier two in CMMC?

    Tier two is the next milestone within CMMC, and the difficulty does scale considerably with each level. While tier one had 17 provisions, tier two introduces 55 more for a total of 72 practices you’ll need to cover to meet the requirements (the practices are cumulative).

    In addition to more practices tier two also introduces new domains.

    First there is Access Control, tier two access control looks to limit access to who can log into your organizations systems (and how much they can access when they do).

    Next is Awareness and Training, in tier two you will need to make sure your managers, administrators and anyone else you who would have access to sensitive systems is attending regular cybersecurity training.

    In Audit and Accountability, we look to maintain logs of user activity for review.

    Security Assessment is where we really begin to see accountability being held on organizations, you will need to conduct regular assessments as you work towards your cybersecurity goals and develop cybersecurity plans based on the assessment results.

    Configuration Management covers the need to manage the configurations of your office devices and equipment with cybersecurity best practices in mind.

    Identification and Authentication is similar to access control, but it specifically looks to limit sensitive systems to only those who should have authorization to access them.

    While tier one in CMMC only covered the basics and didn’t address what happens when you have a cyber incident, tier two starts to cover that with the Incident Response control.

    The Maintenance control in tier two actually refers to your devices and how you maintain them, and what you will need to do in case of their failure.

    Media Protection in tier two covers specific provisions around the handling and destruction of removable media, such as flash drives.

    We started looking at Physical Protection in tier one by keeping visitor logs, but tier two asks that you actually begin to escort guests through your facilities and screening personnel.

    Tier one surprisingly doesn’t ask that you backup your data (even though we would always recommend that) – in tier two Recovery you must have a plan for backing up your data.

    In tier two Risk Management, CMMC asks that you begin to conduct risk assessments and fix any vulnerabilities that are uncovered during the process.

    Systems and Communications Protection in tier two includes controlling communications within your organization, not just monitoring them.

    Finally, the System and Information Integrity domain covers actively monitoring your systems for breaches and quickly resolving any that come up.

    As you can see, CMMC maturity tier two dives into the deep end of cybersecurity, but the provisions it covers will make a discernible impact in your cyber readiness throughout your entire business.

    Does your business need to meet the requirements for being certified with CMMC? Valley Techlogic can help, we have experience helping DoD contracted businesses reach their cybersecurity and CMMC goals, as well as helping with the certification process itself. Learn more today in a free consultation.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.