While the Cybersecurity Maturity Model Certification (CMMC) is still undergoing construction, many people are left wondering what the final outcome will be and how it will impact their business. While instituting sophisticated cybersecurity policies within any company can feel like a daunting task, CMMC pursues a simple foundation that can help any business protect its information. In this blog, we rethink the practices outlined by CMMC and convert them to basic cyber hygiene techniques that allow organizations to protect the safety of any information they store within their systems.

‍
For a general overview of what CMMC is, please check out: https://www.startproto.com/blog/what-is-cmmc

‍

In cybersecurity, an acronym floats around that outlines the framework for any computer security system. The AAA framework describes the Authentication (to identify), Authorization (to give permission), and Accounting (to log an audit trail) of individuals within systems. Even when proprietary information is on an isolated server locked in a closet, it can still prove difficult to protect. In the normal world, secure access is frequently compromised when someone clicks a link in a phishing email or downloads a poisoned email attachment. This is how malicious software or users get into a computer or even an entire network. Older, unsupported software is particularly vulnerable to these attacks, and even newer systems are vulnerable if they aren’t updated with patches for known security issues. Luckily, we can ease the risk of all these vulnerabilities using Authentication, Authorization, and Accounting (AAA). 

‍

As the assessment portion of CMMC gets hashed out, the mission is to protect information for the U.S. government and U.S. businesses. Using AAA we get a head start on cybersecurity. Here are some of the common mistakes CMMC and other security frameworks are trying to rectify. 

‍

Authentication, or “Identification and Authentication (IA)” as referenced in the CMMC, concentrates on knowing who the user is and confirming it is that user. For example, users with a shared login to a generic email account like “quotes@abc-machine.com” can threaten security because anyone using that account could exploit the system without us knowing exactly who did it. Therefore, separate accounts for each individual user is the best practice for authentication. The second side to authentication is a password and even two-factor passwords. This allows you to know your password but also verify by checking on something you have, like a phone that receives a text. StartProto takes authentication exceptionally seriously by encrypting your password at all times and enabling two-factor authentication.  

‍
Authorization, or “Transaction & Function Control” as referenced in the CMMC, focuses on granting privileges based on who you are.  Authentication allows for authorization because it is known exactly who the user and we can use authorization to define what they should be doing in the system. An example of proper Authorization is setting a rule to define what customer information a user can see.  Enforcement of responsibilities in any application limits what damage can be done if a user's account is compromised. For example, in the StartProto application, managers are able to grant users permission to see certain data and perform specific actions based on what role they are assigned.

‍

Accounting, or “Audit and Accountability (AU)” as mentioned in the CMMC, focuses on logging the actions a user takes. With the proper accounting in place, a hacked account can quickly be identified and stopped. The organization can use accounting to discover the malicious activity and what account it is coming from. Within the StartProto tool, logs are kept of every change and action a user takes. Over time these logs become a method of auditing for security and management purposes.