Welcome back to part seven of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems and today we will continue our discussions on the 17 CMMC domains as we help you in your cyber preparation. If you remember, we discussed media protection last week. Today we’ll change our focus and we will discuss personnel security, or PS for short. Remember, CMMC is about protecting controlled unclassified information, or CUI, which includes lim-dis, and FOUO – limited distribution and for official use only.
Let’s catch everyone up – we’ve already reviewed six domains: awareness training, configuration management, identification and authentication, incident response, maintenance and media protection. Hopefully, you are beginning to see how each domain connects and relates to the others. They are complementary. So, it is important as we move on to think in those terms and get that overall understanding of these domains within that context. As a refresher, CMMC has five maturity levels, with five being the most stringent. Contractors and subcontractors will all need to have a minimum of level one, but prime contractors will need to have a minimum of level three. You do get bonus points as level four and level five are achieved. If you are a prime contractor, you also have to ensure that your subs are compliant, so please remember that.
PS has only two level two requirements, with no level one, three, four or five requirements. So, today we will discuss these two level two requirements. PS is focused on understanding your people: ensuring you know how to identify concerns about the people handling CUI, as well as ensuring your staff and team are trained to identify potential insider threats. Remember, people are your biggest risk, whether that’s intentional or unintentional.
The first level two practice is about screening individuals prior to authorizing access to organizational systems containing CUI. So, make sure all employees who need access to CUI have been properly screened before they get access. Know your people. Base the types of screening on the requirements defined for the specific level of access they will need to view CUI. Screening may include activities such as background checks, interviews and drug testing. Always follow appropriate laws, policies, regulations and criteria to determine the level of access required for each position. As with all screening and monitoring of people, understand the warning signs: changes in people’s activities, personalities, actions, habits, etc. that could be a flag in the screening process.
The second practice, and the last one that we’re actually going to talk about today because today’s a very short segment, is about ensuring that organizational systems containing CUI are protected during and after personnel actions, such as terminations or transfers. When someone leaves your company, you need to remove them from any physical CUI access list. You must also contact them immediately and ask them to turn in their computers and other IT equipment, potentially smartphones, etc., for proper handling, and you must disable all of their accounts. Make sure they return all their identification and access cards, and make sure they attend an exit interview where you remind them of their obligation not to discuss CUI, even after the transfer, termination, or whatever the reason they leave your organization or company.
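As an added example, not part of Bob Hanley’s segment or any Sabre Systems tooling, here is a small Python check that reconciles constructed HR termination and transfer records against a constructed snapshot of account, physical-access and equipment-return status, and flags anything that the second practice says should already have been revoked or collected; the user names, account names, field names and dates are all assumptions.

```python
from datetime import date

# Constructed sample data for illustration; not from any real HR or IT system.
CUI_ACCOUNTS = {"vpn", "cui-share"}  # accounts that reach systems holding CUI
AS_OF = date(2021, 3, 10)            # date the audit is run
HR_ACTIONS = [
    {"user": "avery", "action": "terminated", "date": date(2021, 3, 1)},
    {"user": "blake", "action": "transferred", "date": date(2021, 3, 5), "needs_cui": False},
    {"user": "casey", "action": "transferred", "date": date(2021, 3, 5), "needs_cui": True},
    {"user": "drew", "action": "terminated", "date": date(2021, 3, 8)},
]
ACCESS_STATE = {
    "avery": {"enabled": {"ad", "vpn"}, "physical_cui_list": True,
              "badge_returned": False, "assets_returned": True, "exit_interview": True},
    "blake": {"enabled": {"ad"}, "physical_cui_list": True,
              "badge_returned": True, "assets_returned": True, "exit_interview": True},
    "casey": {"enabled": {"ad", "cui-share"}, "physical_cui_list": True,
              "badge_returned": True, "assets_returned": True, "exit_interview": True},
    "drew": {"enabled": set(), "physical_cui_list": False,
             "badge_returned": True, "assets_returned": True, "exit_interview": True},
}


def offboarding_findings(hr_actions, access_state, today):
    """Return (user, finding) pairs for personnel actions whose CUI access or
    exit steps are incomplete. A termination must leave no enabled accounts; a
    transfer out of a CUI role must leave no CUI-bearing account or physical
    CUI-list entry; a transfer into another CUI role keeps its access."""
    findings = []
    for rec in hr_actions:
        user, state = rec["user"], access_state[rec["user"]]
        if rec["action"] == "transferred" and rec.get("needs_cui", False):
            continue
        days = (today - rec["date"]).days
        # Terminations: every account must be off; transfers: only CUI accounts.
        must_be_off = (state["enabled"] if rec["action"] == "terminated"
                       else state["enabled"] & CUI_ACCOUNTS)
        if must_be_off:
            findings.append((user, f"accounts still enabled {days} days after "
                                   f"{rec['action']}: {sorted(must_be_off)}"))
        if state["physical_cui_list"]:
            findings.append((user, "still on physical CUI access list"))
        if rec["action"] == "terminated":
            for step in ("badge_returned", "assets_returned", "exit_interview"):
                if not state[step]:
                    findings.append((user, f"{step.replace('_', ' ')} not done"))
    return findings


if __name__ == "__main__":
    for user, issue in offboarding_findings(HR_ACTIONS, ACCESS_STATE, AS_OF):
        print(f"{user}: {issue}")
```

Run against a real HR feed and directory export, the same function gives you a daily list of offboarding gaps to close, with the number of days each one has been open.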
So, that’s it. Two very simple controls and practices that we needed to discuss today. Not very complex, but it is another stepping-stone on the way to getting your CMMC compliance. Oh, and make sure you follow these. Don’t assume that they’re not critical to the overall process just because there are only two in the PS category. They are very straightforward, but don’t overlook them. And as always, things you should continue to do: fund your cyber program, become familiar with CMMC in general, and with NIST SP 800-171 and 800-53. In our next review, we will discuss the CMMC practices for physical protection, or PE. I look forward to seeing you then, and in between, stay cyber safe. Thank you.