Hey everybody, welcome to part nine on “What You Need to Know About CMMC”. I’m Bob Hanley from Sabre Systems and today we are going to continue our discussions on the 17 CMMC domains as we help you in your efforts to become CMMC ready. If you remember, we discussed physical protection last week. Today, we will discuss recovery or RE for short.
Remember, CMMC is about protecting controlled unclassified information, or CUI, and that includes limited distribution and for official use only: lim-dis and FOUO. So, where are we in our journey through these CMMC domains? Let’s catch everyone up. In case this is your first time here, we’ve already reviewed eight domains: awareness training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security and physical protection. Hopefully you’re beginning to see how each of these domains connects and relates to the others; they are complementary. So, it is important as we move on to think in those terms and get that overall understanding of these domains within that context.
As a refresher, CMMC (Cybersecurity Maturity Model Certification) has five levels, five being the most stringent. Contractors and subcontractors will all need to have a minimum level one, but prime contractors will need a minimum level three, and we’re focused on levels one, two and three during these vlogs.
RE has two level two, one level three and one level five requirements. We will only discuss the level two and level three requirements today. Recovery – what is it focused on? Well, recovery is focused specifically on the ability to recover from any event that compromises the integrity and availability of data. Backup is required and includes all content, not just CUI. Further, testing backups is now a requirement and should be validated during a CMMC assessment.
So, how many times have you needed to recover data only to find out that your backup didn’t work? Don’t let that happen to you. So, let’s first look at the two level two requirements. The first is about regularly performing and testing data backups. You need to back up systems containing CUI, intellectual property and any other data source that could render your company non-operational in the event of a failure or cyber-attack. You need to have a backup procedure in place where you back up all your data weekly on a separate server. You should set this up to occur at routine intervals. This may take a significant amount of time and resources, so plan ahead of time. You must verify your backups every month. This ensures that your data are correct; it also confirms that you can use the data if you need to recover the systems.
The second practice is about protecting the confidentiality of backed-up CUI at its storage locations. You need to protect the confidentiality of backup data. You should encrypt all your CUI when it is saved on an external hard drive. Only people who are on the contract should have access to that hard drive. You must also secure the external hard drive in a physical location accessible only to people with the proper permissions and authorizations. Makes sense, right?
Now let’s look at that one level three requirement. This requirement is about regularly performing complete, comprehensive and resilient data backups as organizationally defined. You should conduct incremental backups nightly and full system backups every weekend or after business hours. It could take quite a bit of time, so normally people wait to the weekend. You need to store your full system backups offline at a different location than your other systems. Doing this provides added protection of your backups from a cyber event or physical disaster that may impact your organization.
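The monthly backup verification described above is the step most shops skip. The following is an added example, not part of Bob Hanley’s vlog or any Sabre Systems tooling: it writes a full backup of a directory, records a SHA-256 manifest at backup time, then proves the backup is usable by test-restoring it into scratch space and comparing every file. The `cui_share` tree and its file contents are constructed sample data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a full backup of source and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return make_manifest(source)


def verify_backup(archive: Path, expected: dict[str, str]) -> list[str]:
    """Test-restore into a scratch directory; return every deviation from expected (empty = pass)."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")  # refuses path traversal; 3.12+ and backports
            except TypeError:
                tar.extractall(tmp)  # older interpreters without the filter argument
        restored = make_manifest(Path(tmp))
    problems = [f"missing: {rel}" if rel not in restored else f"hash mismatch: {rel}"
                for rel, digest in expected.items() if restored.get(rel) != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in expected]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a clean verification, then one against data changed after the backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "cui_share"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "sow.txt").write_text("statement of work (constructed sample)\n")
        (src / "readme.txt").write_text("limited distribution (constructed sample)\n")
        archive = Path(work) / "weekly-full.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_backup(archive, manifest)                     # expect []
        (src / "contracts" / "mod1.txt").write_text("contract modification\n")
        stale = verify_backup(archive, make_manifest(src))           # backup no longer covers live data
    return clean, stale
```

Keep the manifest with the backup, and treat any non-empty result from `verify_backup` as a failed monthly test that needs a ticket, not a note.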
Those are the three practices for recovery for levels two and three. Though these practices are somewhat self-explanatory and make for good common sense, there is a deeper level of consistency between these practices and the other domains, as we have discussed – they are all interrelated. You’ll start to see, as you watch more and more of these vlogs, that we discuss things that are consistent with some of the other domains we’ve talked about.
Okay, so for the end of this week, things you should do/your takeaways: fund your program, I say that every week. You need to fund your CMMC program; become familiar with CMMC in general and specifically NIST SP 800-171 and 800-53. In (audio cuts out), we will discuss CMMC practices for risk management or RM.
I look forward to seeing you then. Until then, again this is Bob Hanley from Sabre Systems signing off. Thanks, and have a great week.