Don’t Fixate on CMMC Maturity Level: Start With Foundational Best Practices

August 26, 2021

There’s a lot of buzz about the Cybersecurity Maturity Model Certification (CMMC) regulations introduced by the Department of Defense (DoD). Rightfully so: it’s a BIG deal. However, contractors would be better served by spending their energy on taking action now rather than on trying to determine when the program will become effective or apply to their specific organization or contract. Whatever the timeline, there are basic security practices that should be implemented today.

Start by addressing these common issues:

Lack of documentation

Policies and procedures are required for almost everything (for CMMC ML 3+). Document the prescribed activities, the responsible users, the frequency of operations, and the audit requirements, so that organizational activities are formalized and standardized.

Management of assets (data and systems)

Know what you’re responsible for protecting. Start by developing and maintaining an inventory of your data and systems. Then identify your risk level and risk tolerance and assign appropriate security controls to each asset.

Limiting access

Access to systems should be granted on a “need to know” basis. Maintain access logs, define separation of duties, and review and monitor audit logs to enforce access control requirements. Unrestricted user access can lead to accidental data exposure.

Implementing awareness and training for all employees

According to Cybint, 95% of cybersecurity breaches are caused by human error (as cited on the Varonis blog). Without effective employee training, security tools and IT policies will have limited impact.

Leveraging an expert resource such as Aronson LLC can help guide your organization through the technical and management processes to implement a sound security strategy efficiently. Aronson is a Registered Provider Organization (RPO) with the CMMC-AB, the accreditation body responsible for managing the CMMC program. We partner with government contractors (and their IT/cybersecurity vendors) to enable you to achieve the maturity required to successfully demonstrate CMMC compliance and obtain the desired certification. Contact our CMMC advisory team to learn more.