When I meet with clients I always advise them to focus on one or two key agencies and then keep up with what they are planning in the future. For those of you doing business with the Department of Defense (DoD) or planning in the future here are a few links of information to help you make strategic decisions moving forward.
Department of Defense Small Business Strategy https://business.defense.gov/Portals/57/Documents/Small%20Business%20Strategy.pdf?ver=2019-11-19-115847-510
Most businesses are already at level 1of the CMMC, here are the requirements:
Level 1 – Basic Cyber Hygiene (17 Practices)
Level 1 is equivalent to ALL of the safeguarding requirements from FAR Clause 52.2014-21
AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.003: Verify and control/limit connections to and use of external information systems.
AC.1.004: Control information posted or processed on publicly accessible information systems.
Identification and Authentication
IA.1.076: Identify information system users, processes acting on behalf of users, or devices.
IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132: Escort visitors and monitor visitor activity.
PE.1.133: Maintain audit logs of physical access.
PE.1.134: Control and manage physical devices.
System and Communications Protection
SC.1.175: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
SC.1.176: Implement subnetworks for publicity accessible system components that are physically or logically separated from internal networks.
System and Information Integrity
SI.1.210: Identify, report and correct information and information system flaws in a timely manner.
SI.1. 211: Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212: Update malicious code protection mechanisms when new releases are available.
SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Cybersecurity Maturity Model Certification (CMMC) Briefing https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf
Cybersecurity Maturity Model Certification (CMMC) Version 1.0 https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
If you require additional information about the new Cybersecurity requirements attend one of our training workshops across the state.