In January of 2020, the US Department of Defense (DoD) released the highly anticipated Cybersecurity Maturity Model Certification (CMMC) to improve cybersecurity measures that contractors must have when working on DoD contracts. The question for this blog is: DOD’s CMMC and Access Reviews – what is the relationship?
By requiring contractors to meet the minimum requirements outlined in the CMMC, the DoD expects to reduce the growing number of cybersecurity risks threatening the defense industry. The requirements will also create a unifying set of standards for more than 300,000 contractors to follow when competing for DoD contracts. While the first requests for contract bids containing CMMC requirements were published in September, by 2026 all contracts with the DoD will have CMMC requirements.
The CMMC has five levels, each building upon the requirements outlined in the previous level and designed to reflect the maturity of cybersecurity protocols and a company’s ability to protect sensitive government information. Here is an overview of each level of the CMMC:
- Level 1: Government contractors have basic cybersecurity hygiene practices, such as having antivirus software and regularly changing account passwords.
- Level 2: Government contractors are required to document intermediate cyber hygiene practices, achieved by implementing some of the cybersecurity requirements outlined in NIST Special Publication 800-171 Revision 2.
- Level 3: Good cyber hygiene practices must be documented and NIST 800-171 r2 requirements must be completely implemented.
- Level 4: Government contractors must review the effectiveness of cybersecurity techniques, implement additional protective measures, and respond to changes in advanced persistent threats (APTs).
- Level 5: Government contractors must have standardized and efficient processes for dealing with APTs and have implemented advanced cybersecurity measures to protect government information.
In coordination with the CMMC, as contractors move into levels 2 and 3, they should be implementing access reviews to protect government information (also referred to as CUI, controlled unclassified information). NIST 800-171 r2 calls for access restrictions that limit access to and use of external systems and permit only authorized individuals to make organizational changes, among other controls that limit access to sensitive information.
With this guidance in place, it is crucial to demonstrate that the only users able to access information and systems are those who are authorized to do so. This verification is done through regular access reviews, which confirm that users can only access the information they need to complete their duties. This principle is referred to by NIST (800-53, PR.AC-6) as the principle of least privilege. Additionally, NIST recommends that access reviews are conducted at least semi-annually (every six months).
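The review described above, reduced to its two checks (does each entitlement match what the user's role needs, and has it been reviewed within the six-month window), as an added example that is not from the original post or from YouAttest. The entitlement export, the role-to-group mapping and the user-to-role mapping are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample entitlement export (user, group, date of last review);
# every name and date here is invented for the example.
ENTITLEMENTS = [
    ("alice", "cui-readers", date(2020, 9, 1)),
    ("alice", "cui-approvers", date(2020, 9, 1)),
    ("bob", "cui-readers", date(2020, 2, 1)),
    ("bob", "sysadmin", date(2020, 2, 1)),
    ("carol", "cui-readers", date(2020, 10, 15)),
    ("dave", "cui-readers", date(2020, 10, 1)),   # no role on file
]

# Hypothetical role model: the groups each job function actually needs.
ROLE_GROUPS = {
    "analyst": {"cui-readers"},
    "approver": {"cui-readers", "cui-approvers"},
}
USER_ROLES = {"alice": "approver", "bob": "analyst", "carol": "analyst"}

# Semi-annual cadence from the text: anything older than this is overdue.
REVIEW_INTERVAL = timedelta(days=182)


def review_access(entitlements, user_roles, role_groups, today):
    """Return (user, group, reason) findings a reviewer must decide on.

    A finding is raised when an entitlement is not needed by the user's
    role (least-privilege violation), when the user has no role at all
    (a likely orphaned account), or when the last review is overdue.
    """
    findings = []
    for user, group, last_reviewed in entitlements:
        if user not in user_roles:
            findings.append((user, group, "no role on file; orphaned account?"))
        elif group not in role_groups.get(user_roles[user], set()):
            findings.append((user, group, "excess entitlement for role"))
        if today - last_reviewed > REVIEW_INTERVAL:
            findings.append((user, group, "review overdue"))
    return findings


if __name__ == "__main__":
    for user, group, reason in review_access(
        ENTITLEMENTS, USER_ROLES, ROLE_GROUPS, date(2020, 11, 1)
    ):
        print(f"{user:8} {group:15} {reason}")
```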
YouAttest 2.0 enables an entity to conduct enterprise-grade access reviews and enforce the principle of least privilege, with the following features:
- Have multiple Reviewers: Business and System Reviewers
- Integrated RBAC for access and reviews when access policy changes occur
- Automatic Delegation of Business Managers
- Auto-Scheduling of reviews
- Reminders and Status of reviews
- Automated triggers on changes to key account groups and applications
- Full Reports
As DoD contracts continue to require contractors to meet CMMC requirements, it is never too early to implement access reviews. When done correctly, access reviews allow organizations to better protect their data against hackers looking to exploit vulnerabilities. Even if an organization has yet to achieve level 5 CMMC, access reviews will strengthen their cybersecurity policies, especially if they are considered a sub-tier contractor that is an attractive target for cybercriminals.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest IGA specializes in access reviews for all industries, including health care, as detailed in our next webinar: YouAttest and HealthCare.