Are you getting ready to start down the path of getting your CMMC certification?
Based on our recent NIST 800-171 / CMMC projects, here are the 21 most common technology projects that we see companies needing to implement in order to comply.
- Windows 10 on all PCs where possible. In-support versions of all server OS and software (e.g., SQL Server).
- If older computers are still required (e.g., to drive equipment), very strict network segmentation and no/limited Internet access.
- All computers and servers configured (at least partially) to the appropriate STIGs
- There will be a TON of new GPOs that need to be added. If you're not on a domain, plan to add one.
- 2FA everywhere: local access, VPN/remote access, OWA, etc.
- More refined network segmentation. Some companies opt to deploy a NAC.
- Secure file sharing system (if they're sharing data internally or with external parties)
- Tons of physical security controls (cameras, locks, sometimes badges, systems for tracking visitors, etc.)
- Managed encryption everywhere
- Mobile device management -- definitely on phones and tablets, ideally on workstations too
- Generally, no cloud services handling CUI unless you're in Microsoft 365 GCC High
- Wifi access points using FIPS 140-2 encryption
- HDD shredding, usually through a NAID-certified service
- Business-class firewall with security services enabled and reviewed
- At a minimum, firewall logging to a SIEM, with either a SOC service or anomaly detection algorithms
- EDR solution or MDR solution on top of the antivirus that you should already have.
- Blocking file sharing services / apps
- Migrating all users to Standard accounts
- USB lockdown and other DLP measures
- Offsite backup
- Segregation of data in the ERP system and in shared drives
Want help with your NIST 800-171 / CMMC project? Learn more about what we do here.
