Last Updated on June 29, 2021
Government staffing agencies that want to do business with the US Department of Defense (DoD) will soon need to comply with the Cybersecurity Maturity Model Certification (CMMC) standard at the level specified in their contract. Further, they will face an audit to verify compliance.
What cybersecurity controls are new DoD contracts likely to require for staffing firms? Will you definitely need to comply with CMMC Level 1, the “basic cyber hygiene” level? What might this mean for SMB firms that don’t have robust security postures today?
Pivot Point Security CISO and Managing Partner, John Verry, discussed this issue in a recent episode of The Virtual CISO Podcast. This show specifically targets the information needs of government staffing agencies around CMMC.
John points out that compliance with the 17 CMMC Level 1 controls really isn’t new for many government staffing agencies. This essential security level has been mandated since 2016 by the DoD, the General Services Administration (GSA) and NASA, under 48 CFR 52.204-21, Basic Safeguarding of Contractor Information Systems. CMMC just breaks up 2 of these original 15 controls up into 2 parts.
If you’re doing business with the DoD in any capacity whatsoever, you’ll need to prove to an independent auditor that you comply with CMMC Level 1 (or higher), because by definition you’ll be handling Federal Contract Information (FCI).
Does CMMC Level 1 compliance require you to create a System Security Plan and/or attest to your security controls in the government’s SPRS database?
“You’re only going to see SPRS in a contract that includes [one of the DFARS clauses] 7019, 7020 or 7021, which all are definitively CUI [i.e., CMMC Level 3],” notes John. “So if you’re just at CMMC Level 1, SPRS doesn’t come into play.”
But that doesn’t mean that CMMC Level 1 compliance will be a slam-dunk for SMBs. Some of the mandated controls include:
- Appropriate access controls (e.g., passwords and/or PINs) on all systems and devices
- Proper use of user and administrator privileges
- Limits on the use of public wi-fi
- Sanitizing or destroying digital media containing FCI before disposal or reuse
- Limiting physical access to your IT systems
- Escorting visitors and monitor their activity (including logging who visits and when)
- Keeping formal track of keys and other “physical access devices”
Anyone responsible for information security or compliance at a government staffing agency should not miss this special podcast with John Verry.