How to achieve Level 1 CMMC

Captions
Are you having a hard time determining how to get started with preparing your company for NIST SP 800-171 compliance? If you are a small business and are unsure where to begin, then keep watching and we'll help you get started. Welcome to the Baseline channel, and let's get you started on the right path. If you are a government contractor, then you have probably been hearing a lot about NIST SP 800-171 and the Cybersecurity Maturity Model Certification, or CMMC. If you are not familiar with these two documents, then please take a look at our videos regarding them both. The new guidance for the CMMC was made available to the public on 30 August 2019. The new guidance provided more detailed information on the five levels of the CMMC. According to the guidance, there are 35 controls that must be implemented for Level 1, conducted at least on an as-needed basis. During this video we will select five of the 35 controls and provide guidance on how to implement them in your network.

The first control we will explore is control 3.1.1: limit information system access to authorized users, processes acting on behalf of authorized users, or devices, or at least on an as-needed basis. This means that you should only allow authorized users access to your systems and/or devices. The following scenario will describe one method of how to get compliant with this control. You have a new employee arriving for their first day at work at your company. In order to meet this control, you should do the following when creating the user account: the supervisor of the new employee should approve the creation of the employee's user account in writing; the supervisor should be provided with a user request form that details what the employee will be doing and what accesses the employee will need in order to conduct their daily duties; finally, the company will maintain a listing of each authorized individual along with all the accesses that each individual is authorized to have. This control focuses on how each user account is authorized, created, maintained, and monitored until each employee leaves the company.

The second control we will explore is 3.1.8: limit unsuccessful login attempts. This is one of the simpler controls to implement. A great example of this control is the PIN on your debit card. If you type in the wrong PIN at an ATM, it will eventually lock you out of your account after a predetermined number of attempts, and you will have to contact your bank in order to unlock it. This is the exact same control, and you will have to set up your authentication system to do the same. For example, if you use passwords to log in, you should configure all user accounts to lock out after a predetermined number of attempts.

The third control we will explore is control 3.1.22: control information posted or processed on publicly accessible information systems. When this control refers to publicly accessible systems, it is referencing your company website and company social media accounts. Your company should designate a webmaster to keep these sites updated. To meet this control, your company should also designate someone else to authorize what can be posted on these sites and ensure that no CUI is posted on these sites. You can simply identify both individuals in writing and develop a documented process of how each will perform their duties. In addition, ensure that all authorized individuals are trained annually on CUI procedures, and ensure the public systems are reviewed periodically to ensure no CUI has been posted on them.

The fourth control we will explore is control 3.3.1: create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. This is one of the more complex technical controls, because there are many moving parts required in order to meet compliance. Everything a user does while using a computer can be tracked and analyzed. You can track all activities, like when users log in, what files are accessed, what websites are visited, what files were created or deleted, etc. The first part of this control is creation. In order to track or monitor these activities, you must first ensure the auditing feature is enabled, or turned on, for all hardware and software applications so that the systems will generate the logs. These logs are called audit logs, and audit log is another name for an activity log. The second part of this control is protection. You must protect these logs from being accessed, modified, or changed by unauthorized individuals. This can be accomplished by sending logs in real time, or as the activities occur, to a location where only authorized individuals have access. For example, you can set up a log server with a third-party organization and configure your log system to send the files to this file server. This process ensures that the activities of your system administrator, who by the way has all of the power to do anything on your systems, are also tracked, so that if this person were to do something malicious, he or she would not be able to delete the logs or hide their malicious actions. The logs should also be encrypted to protect the integrity of the information. The third part of this control is to retain the logs. In order to meet the intent, you will need to develop a predetermined time frame to keep the logs, for example six months, before deleting the old logs. Together, these meet the intent of this control: just in case someone commits a malicious act or an attack, the logs can be used to conduct the investigation to determine what happened, who did it, and so on.

The fifth control we'll explore is control 3.14.4: update malicious code protection mechanisms when new releases are available. In order to meet the intent of this control, you must have some type of malicious code protection on your system. An example of malicious code would be a virus; malicious code is basically code that can harm your system. Using an anti-virus solution would be a protective measure to defend your systems against malicious code. The intent of this particular control is for you to make sure that if you use an anti-virus or other malicious code protection defense, then you must monitor the updates through the developer and make sure that you apply any updates when they are made available. For example, if you use Norton AntiVirus, you should make sure you are always updating it to use the most current version.

In summary, we'd like to recap what we talked about. The new CMMC guidance has provided an initial baseline foundation of 35 controls to achieve a Level 1 certification. We briefly covered five of the 35 controls and provided examples of how to meet the intent. If you have any questions about the five controls we've covered, or any of the 35 controls, you can email us with questions at information at baseline be a calm. Please don't forget to hit the like button and subscribe. Please post any questions or inputs below, and we'll address them in a future video. Thank you.
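The three parts of control 3.3.1 described in the video (create, protect, retain) as an added Python example that is not from the video or from Baseline Corporation: records are appended with an HMAC chained to the previous record under a key assumed to live only on the log server, so an administrator who later edits or drops a record is detected, and retention pruning (assumed six months, 183 days) re-anchors the chain instead of breaking it. The names AuditLog, demo, LOG_KEY and RETENTION and the sample events are constructed for this example.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta

RETENTION = timedelta(days=183)    # assumed: roughly the six months the video suggests
LOG_KEY = b"constructed-demo-key"  # assumed: in practice known only to the log server

class AuditLog:
    """3.3.1 create/protect/retain: every record is HMAC'd together with the
    previous record's tag, so an edited or removed record breaks verify()."""
    def __init__(self):
        self.records = []
        self.anchor = "0" * 64   # tag the oldest retained record must chain to
    def append(self, event, ts):
        prev = self.records[-1]["tag"] if self.records else self.anchor
        body = json.dumps({"ts": ts.isoformat(), "event": event, "prev": prev}, sort_keys=True)
        tag = hmac.new(LOG_KEY, body.encode(), hashlib.sha256).hexdigest()
        self.records.append({"body": body, "tag": tag})
    def verify(self):
        prev = self.anchor
        for rec in self.records:
            expect = hmac.new(LOG_KEY, rec["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, rec["tag"]):
                return False   # record body or tag was altered
            if json.loads(rec["body"])["prev"] != prev:
                return False   # a record was removed or reordered
            prev = rec["tag"]
        return True
    def retain(self, now):   # policy pruning re-anchors, unlike malicious deletion
        cutoff = now - RETENTION
        while self.records and datetime.fromisoformat(
                json.loads(self.records[0]["body"])["ts"]) < cutoff:
            self.anchor = self.records.pop(0)["tag"]
        return len(self.records)

def demo(now=datetime(2019, 9, 25)):
    """Constructed activity; returns which checks passed and what retention kept."""
    log = AuditLog()
    log.append({"type": "login_failure", "user": "alice"}, now - timedelta(days=200))
    log.append({"type": "file_deleted", "user": "admin", "path": "/cui/x.docx"}, now)
    log.append({"type": "login_success", "user": "alice"}, now)
    clean = log.verify()
    body = log.records[1]["body"]
    log.records[1]["body"] = body.replace("file_deleted", "file_read")   # admin edits
    edit_caught = not log.verify()
    log.records[1]["body"] = body
    hidden = log.records.pop(1)                                          # admin deletes
    deletion_caught = not log.verify()
    log.records.insert(1, hidden)
    kept = log.retain(now)            # prunes only the 200-day-old record
    return clean, edit_caught, deletion_caught, kept, log.verify()
```

Dropping only the newest record is caught only if the receiving log server also holds the latest tag, which is exactly what forwarding records in real time, as the video recommends, gives you.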
Info
Channel: Baseline Corporation
Views: 954
Keywords: CMMC, NIST 800-171, NIST, NIST SP 800-171, Cyber Security Maturity Model Certification, Government Contracting
Id: beTj8Sfzi7M
Length: 7min 18sec (438 seconds)
Published: Wed Sep 25 2019