
We talked before about CMMC and why it matters to your household goods transportation business. But knowing that you need cybersecurity isn’t the same as knowing what it looks like in practice. You can’t just say “we’re careful with data” anymore. You need concrete controls tied to evidence.

All of the CMMC Level 1 requirements are considered “basic” controls derived from DFAR 52.204-21. They might sound technical, but they’re often about common-sense practices implemented consistently. Let’s break down each one, making it clear how it applies to a transportation company like yours.

Remember: These aren’t just “nice to haves.” They are becoming requirements for winning and keeping DoD contracts.

(1) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.

  • What it means: Only people who need access to certain data or systems should have it.
  • Practical Example: Not every dispatcher needs access to financial records. Separate accounts for dispatchers, drivers, billing, staff, management, etc., with permissions tailored to their roles. If possible, separate roles that process government information from those that do not.
  • Considerations: (a) Do you have a list of your users? (b) Do users have to log in to computers and accounts?

(2) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

  • What it means: Even if someone has access, they shouldn’t be able to do everything.
  • Practical Example: A driver’s account should allow them to update shipment status, but not to change billing information.
  • Considerations: (a) Are users limited to just their assigned role? (b) Are users restricted from accessing data or applications they don’t need for their specific job?
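Controls (1) and (2) together describe role-based access with a default of deny. The Python below is an added example written for this article, not code from the article or from any product it mentions; the roles, permissions, account names and shipment/invoice records are all constructed. It shows the article's own case: the driver account can update a shipment's status but is refused when it tries to change billing, and the dispatcher never sees invoices. The access review function produces the "list of your users" with what each can do, which is the evidence an assessor asks for.

```python
from dataclasses import dataclass

# Permissions name single transactions or functions (control 2). Roles bundle
# them for one job (control 1). Both tables are constructed for this example.
ROLE_PERMISSIONS = {
    "driver":     {"shipment:read", "shipment:update_status"},
    "dispatcher": {"shipment:read", "shipment:assign", "shipment:update_status"},
    "billing":    {"shipment:read", "invoice:read", "invoice:write"},
    "management": {"shipment:read", "invoice:read", "report:read"},
}


@dataclass(frozen=True)
class User:
    username: str        # one account per person, never shared
    roles: frozenset     # roles are granted; permissions are derived from them


def permissions_for(user):
    """Union of the permissions of the user's roles. Unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, action):
    """Default deny: an action is permitted only if a granted role names it."""
    return action in permissions_for(user)


def require(user, action):
    """Raise instead of silently continuing when the check fails."""
    if not is_allowed(user, action):
        raise PermissionError(f"{user.username} is not permitted to {action}")


def update_shipment_status(user, shipments, shipment_id, status):
    """A driver's function: allowed for the driver and dispatcher roles."""
    require(user, "shipment:update_status")
    shipments[shipment_id]["status"] = status
    return shipments[shipment_id]


def update_invoice(user, invoices, invoice_id, amount):
    """A billing function: the same driver account is refused here."""
    require(user, "invoice:write")
    invoices[invoice_id]["amount"] = amount
    return invoices[invoice_id]


def access_review(users):
    """Evidence for 'do you have a list of your users?': who can do what today."""
    return {u.username: sorted(permissions_for(u)) for u in users}


# Constructed sample accounts and records (not real people or shipments).
SAMPLE_USERS = [
    User("jdoe", frozenset({"driver"})),
    User("mlee", frozenset({"dispatcher"})),
    User("rkim", frozenset({"billing"})),
]
SAMPLE_SHIPMENTS = {"HHG-1001": {"status": "booked"}}
SAMPLE_INVOICES = {"INV-2001": {"amount": 1250.00}}

if __name__ == "__main__":
    driver = SAMPLE_USERS[0]
    print(update_shipment_status(driver, SAMPLE_SHIPMENTS, "HHG-1001", "in transit"))
    try:
        update_invoice(driver, SAMPLE_INVOICES, "INV-2001", 1.00)
    except PermissionError as err:
        print("denied:", err)
    print(access_review(SAMPLE_USERS))
```

The design choice worth copying is that permissions are never attached to a person directly: a user holds roles, and adding a role is the only way to gain a function, so the access review always reflects what the system actually enforces.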

(3) Verify and control/limit connections to and use of external information systems.

  • What it means: Be careful about what connects to your network. Think websites visited, software downloaded, and cloud services used.
  • Practical Example: Block access to known malicious websites. Require approval before installing new software. Carefully vet any cloud-based software you use to store or process data.
  • Considerations: (a) Do you have a firewall that denies inbound connections by default? (b) Is your network limited to only authorized systems? (c) Are connections to external systems authenticated?

(4) Control information posted or processed on publicly accessible information systems.

  • What it means: If you have a website or public-facing systems, ensure sensitive data isn’t accidentally exposed.
  • Practical Example: Don’t publish shipment details or customer information on your website. Review website content regularly for accidental disclosures.
  • Considerations: (a) Do you have a documented method to approve information for public release? (b) Do you have a documented method to review publicly posted information for accuracy?

(5) Identify information system users, processes acting on behalf of users, or devices.

  • What it means: Know who and what is on your network.
  • Practical Example: Maintain a list of all user accounts and company-owned devices connected to your network.
  • Considerations: (a) Are individual user accounts unique? (b) Are device identifiers unique? (c) Do you have a list of all shared accounts?

(6) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

  • What it means: Don’t just assume someone is who they say they are.
  • Practical Example: Strong passwords (long, complex, unique). Multi-factor authentication (MFA) whenever possible – a code sent to a phone in addition to a password.
  • Considerations: (a) Are users required to use MFA? (b) Are processes acting on behalf of users required to authenticate?

(7) Sanitize or destroy information system media containing HHG ToS information before disposal or release for reuse.

  • What it means: When you get rid of old computers or hard drives, make sure the data is gone completely.
  • Practical Example: Don’t just delete files. Use a secure data wiping tool that overwrites the data multiple times. Physically destroy hard drives if you’re not sure.
  • Considerations: (a) Are storage devices wiped prior to disposal?
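To make "don't just delete files" concrete, here is an added Python example (written for this article, not taken from it or from any wiping product) that overwrites a file's contents in place before unlinking it and returns a disposal record for your evidence file. The sample shipment record it wipes is constructed. It carries the caveat the article already gives: overwriting is reliable for magnetic disks, but SSDs remap blocks, so for those the article's advice to physically destroy the drive when unsure still applies.

```python
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files never load into memory


def overwrite_file(path, passes=3):
    """Overwrite every byte of the file in place, leaving it the same size.

    Even-numbered passes write random bytes, odd-numbered passes write zeros,
    so nothing of the original pattern survives. Returns the bytes written.
    Caveat: on SSDs wear levelling may leave old copies in unmapped blocks;
    overwriting alone is not enough there.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if pass_no % 2 == 0 else bytes(n)
                fh.write(block)
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force the bytes to the device before the next pass
    return written


def sanitize_file(path, passes=3):
    """Overwrite, then unlink, and return a record for the disposal log."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return {
        "path": path,
        "passes": passes,
        "bytes_overwritten": written,
        "removed": not os.path.exists(path),
        "sanitized_at": datetime.now(timezone.utc).isoformat(),
    }


def still_contains(path, marker):
    """Verification step: is the original content still readable from the file?"""
    with open(path, "rb") as fh:
        return marker in fh.read()


def write_sample_file(data):
    """Create a temporary file holding constructed sample data; returns its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample: a file holding a fake shipment record.
    tmp = write_sample_file(b"SHIPMENT HHG-1001 customer=example weight=4200lb\n" * 200)
    print("before:", still_contains(tmp, b"HHG-1001"))
    print(sanitize_file(tmp))
```

The same idea, applied to a whole drive rather than a file, is what a secure wiping tool does; the record returned by `sanitize_file` is the kind of entry that answers "are storage devices wiped prior to disposal?" with evidence rather than a verbal yes.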

(8) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

  • What it means: Who can walk into your office and get near your servers or computers?
  • Practical Example: Locked doors, security cameras, keeping server rooms secure, and restricting access to designated personnel.
  • Considerations: (a) Do you store and process controlled information only in secured areas? (b) Is physical access to secured areas limited (locks, guards, etc.) and monitored (access logs, cameras, etc.)?

(9) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

  • What it means: Track who comes and goes, and keep an eye on them while they’re there.
  • Practical Example: Sign-in sheets for visitors, security badges, and cameras in common areas.
  • Considerations: (a) Are visitors monitored and escorted? (b) Are visitors clearly distinguishable from employees? (c) Are visitor access records retained? (d) Are keys inventoried and managed?

(10) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

  • What it means: Protect data in transit – both coming into and going out of your network.
  • Practical Example: Firewalls, intrusion detection systems, and email filtering to block malicious attachments and phishing attempts.
  • Considerations: (a) Do you have a firewall? (b) Are connections denied by default? (c) Is data encrypted in transit when required or prudent?

(11) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

  • What it means: Keep your public-facing systems (like your website) separate from your internal data.
  • Practical Example: Using a Demilitarized Zone (DMZ) – a separate network segment – for your website and email servers. (This is more technical and may require IT expertise).
  • Considerations: (a) Are public-facing systems physically or logically segmented?

(12) Identify, report, and correct information and information system flaws in a timely manner.

  • What it means: Find and fix vulnerabilities before hackers can exploit them.
  • Practical Example: Regular software updates, vulnerability scans, and a process for reporting security concerns.
  • Considerations: (a) Do you have a documented policy for remediating system flaws? (b) Are system flaws required to be remediated within a specific time frame? (c) Are remediation records maintained?
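The three consideration questions under control (12) amount to: a deadline per severity, a record per flaw, and a way to see what is overdue. The Python below is an added example written for this article, not the article's own code or any particular scanner's output. The severity deadlines and the four-line remediation log are constructed; the article only asks that a time frame exist, it does not set one. The report it produces answers all three questions from one log.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadlines in days by severity. Constructed for this
# example; your documented policy sets the real numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Flaw:
    flaw_id: str
    severity: str
    identified: date
    remediated: Optional[date] = None


def parse_record(line):
    """One log line: id,severity,identified,remediated (last field may be empty)."""
    parts = [p.strip() for p in line.split(",")]
    flaw_id, severity = parts[0], parts[1].lower()
    if severity not in SLA_DAYS:
        raise ValueError(f"{flaw_id}: unknown severity {severity!r}")
    identified = date.fromisoformat(parts[2])
    remediated = date.fromisoformat(parts[3]) if len(parts) > 3 and parts[3] else None
    return Flaw(flaw_id, severity, identified, remediated)


def load_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def due_date(flaw):
    return flaw.identified + timedelta(days=SLA_DAYS[flaw.severity])


def overdue(flaws, today):
    """Open flaws past their deadline, earliest deadline first."""
    late = [f for f in flaws if f.remediated is None and today > due_date(f)]
    return [f.flaw_id for f in sorted(late, key=due_date)]


def remediation_report(flaws, today):
    """Counts for the policy review plus the list that needs action now."""
    report = {"open": 0, "overdue": [], "closed_within_sla": 0, "closed_late": 0}
    for f in flaws:
        if f.remediated is None:
            report["open"] += 1
        elif f.remediated <= due_date(f):
            report["closed_within_sla"] += 1
        else:
            report["closed_late"] += 1
    report["overdue"] = overdue(flaws, today)
    return report


def report_from_log(text, today_iso):
    """Convenience entry point: log text plus an ISO date string such as '2025-03-01'."""
    return remediation_report(load_log(text), date.fromisoformat(today_iso))


# Constructed sample log: identifiers, severities and dates are made up.
SAMPLE_LOG = """\
F-001,critical,2025-02-10,2025-02-14
F-002,high,2025-01-15,
F-003,medium,2025-02-01,
F-004,high,2024-12-01,2025-01-20
"""

if __name__ == "__main__":
    print(report_from_log(SAMPLE_LOG, "2025-03-01"))
```

Run against the sample log as of 1 March 2025, F-001 was closed inside its 7-day window, F-004 was closed but 20 days late, F-003 is open and still within its 90 days, and F-002 is the one item an assessor would ask about. Keeping the log in a plain text file alongside the policy is enough for Level 1; the point is that the records exist and the deadlines are applied consistently.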

(13) Provide protection from malicious code at appropriate locations within organizational information systems.

  • What it means: Prevent viruses, malware, and other harmful software from getting onto your systems.
  • Practical Example: Anti-virus software on all computers, firewalls, and intrusion detection systems.
  • Considerations: (a) Do you have a list of devices that must be protected with anti-malware solutions? (b) Do edge devices have anti-virus protection installed and activated? (c) Do your edge devices have an active local firewall?

(14) Update malicious code protection mechanisms when new releases are available.

  • What it means: Keep your anti-virus software up-to-date!
  • Practical Example: Automated updates for anti-virus and other security software.
  • Considerations: (a) Do you have automatic updates enabled for your anti-malware solution?

(15) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

  • What it means: Regularly check your systems for vulnerabilities and scan files for malware.
  • Practical Example: Scheduled vulnerability scans and real-time anti-virus scanning of downloaded files.
  • Considerations: (a) Are files scanned by anti-virus on demand?

Where to Start?

This list might seem overwhelming. Start small. Focus on the basics – strong passwords, multi-factor authentication, and up-to-date anti-virus software. Document your policies and procedures. If you can confidently answer yes to all of the consideration questions, you are in good shape for CMMC Level 1.

And remember, getting CMMC compliant is a journey, not a destination.
