CMMC Access Control Registration & De-registration

In this video, I am interviewing Sara Spencer, CEO of SolonTek. We had a discussion over the following Subjects:
-CMMC Access Control Registration & De-registration
-Difference between the different levels of access control Level 1 – Level 5
-Who needs access control Level 1, Level 2 & Level 3?
-Establish system access requirements

The CMMC maturity level an organization must achieve to do work for the DoD depends upon the sensitivity of the DoD information it will work with. The following summary of the process and practice standards for each of CMMC’s five levels will help you identify the appropriate CMMC level for your business.

CMMC Level 1

Processes: Performed

Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic Cyber Hygiene

Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.

CMMC Level 2

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of its CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.

Practices: Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.

CMMC Level 3

Processes: Managed

Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

Practices: Good Cyber Hygiene

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as 20 additional practices to mitigate threats. Any contractor with a DFARS clause n their contract will need to at least meet Level 3 requirements. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level can take corrective action when necessary and inform higher-level management of status or issues regularly.

Practices: Proactive

Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTP) used by APTs.

CMMC Level 5

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Practices: Advanced/Proactive

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.