Skip to content
All posts

A Day In The Life Of An OSC: Daily Practices For Compliance Readiness

Picture of Raine Streicher By  Raine Streicher  ·  4 minute read

Another workday is starting at Vigilant Corp. Vigilant Corp. is an Organization Seeking Certification (OSC) with Cybersecurity Maturity Model Certification (CMMC). Employees file in through the main entrance, scanning their badges to confirm they have access to enter the premises. One employee—we’ll call her Jaime—proceeds to her workspace in a secure area, scanning her badge again to gain access.

Once at her desk, Jaime boots up her computer and logs in to the company network, responding to a prompt to change her password, as Vigilant employees are required to do regularly. As she reads through her emails, she accepts an invitation for an incident simulation exercise to be held the following week as part of the company’s cybersecurity training. She then notices an email that appears suspicious. It purports to be a request from a company director asking for financial information about one of her defense projects. However, she’s never discussed this particular project with that director before, and she doubts that he would request this type of information in an email. Recalling a tip from management’s daily security post and before doing anything with the email, she IMM’s the director to ask if the request is legitimate. The director responds that he did not send the request; Jaime immediately notifies the IT security team, and puts the message into her junk folder pending further instructions on its disposal.

As she goes about her morning’s work, Jaime accesses a system that processes sensitive data for one of her projects, entering the security code sent to her phone for multifactor authentication (MFA). Her tasks for the day include verifying that her project data was backed up the previous evening and updating a security policy document for the project. Later in the day, she receives a visitor from one of the company’s vendors. She’s called to the front desk to meet the visitor, who has been issued a temporary badge to wear while in the building. She escorts him at all times, ensures he goes only where authorized, and walks him back to the entrance, where he turns in his badge when the visit is over.

When Jaime and her colleagues leave the workplace at the end of the day, they use their badges while exiting. All of their access information throughout the day is stored in the company’s access logs, which are regularly reviewed by the security team.

Compliance is Everyone’s Responsibility

Jaime is only one employee at one of many companies like yours, seeking certification with CMMC. Achieving and maintaining CMMC compliance isn’t a one-time task. It requires continuous commitment to robust security practices, and these practices are best aligned with the requirements of CMMC itself. In order to achieve compliance, your company will be assessed against each of the requirements specified for your level. For Level 1 certification, which is concerned with safeguarding federal contract information (FCI), the requirements are laid out in FAR clause 52.204-21. Level 2, which seeks to protect controlled unclassified information (CUI), incorporates the requirements of NIST SP 800-171 R2. Level 3, providing higher-level protection of CUI against persistent threats, includes the Level 2 requirements as well as additional requirements from NIST SP 800-172.

While much of the daily monitoring and analysis specified in the CMMC requirements might fall to your IT department, the responsibility for compliance doesn’t belong to IT alone. Everyone in the company has a stake in ensuring the organization becomes and remains compliant. CMMC compliance is an ongoing journey that demands consistent, proactive efforts. By incorporating these daily practices, you can safeguard sensitive data, maintain regulatory compliance, build a robust defense against evolving cyber threats, and foster a culture of security excellence.

Daily Practices Promote Compliance

Although the volume of the CMMC requirements may seem daunting, they fall under broad categories, such as access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, risk assessment, security assessment, system and communications protection, and system and information integrity. Building the following practices into your company’s daily routine will enhance your security and help you achieve and maintain compliance.

  1. Promote Security Awareness. Human error remains one of the leading causes of cybersecurity breaches. Foster a culture of cybersecurity responsibility to keep your team vigilant. Reinforce security policies through daily reminders, such as phishing awareness, and encourage employees to report suspicious activities immediately.
  2. Encrypt Data. Data encryption is a cornerstone of CMMC compliance. Ensure that all FCI and CUI are encrypted in transit and at rest, and monitor encryption processes daily to detect potential failures. Store encryption keys securely and make sure they are accessed only by authorized personnel.
  3. Manage Endpoint Security. Endpoints such as laptops, smartphones, and tablets are common attack targets. Protect these devices by ensuring antivirus and endpoint detection tools are up to date. Monitor endpoint behavior for signs of compromise; immediately isolate and examine any suspicious endpoints.
  4. Prepare for Incident Response. Preparedness is essential for minimizing the impact of cybersecurity incidents. Conduct daily checks to ensure your incident response tools are operational, and review and update your incident response plans regularly. Tabletop exercises and other simulations keep your response teams ready and facilitate continuous improvement.
  5. Maintain Compliance Documentation. CMMC requires comprehensive documentation of security practices. Daily efforts should focus on updating policies and procedures that have changed and documenting system changes, access reviews, and security incidents. Keep an audit trail of all updates to demonstrate compliance during assessments.
  6. Monitor and Analyze Logs. CMMC’s audit and accountability requirements mandate continuous monitoring of systems to detect unauthorized access or unusual activities. By regularly reviewing logs from firewalls, servers, and endpoints, you can identify potential security incidents in real time and take prompt corrective actions.
  7. Implement Role-Based Access Control. Restricting access to sensitive information based on job roles is critical to preventing unauthorized access. Review user access permissions daily, monitoring for unusual access patterns. Update access for employees who change roles, and revoke access whenever an employee leaves the company.
  8. Back Up Critical Systems and Data. Regular backups ensure data integrity and availability, key components of CMMC compliance. Automate and verify daily backups of critical systems and data, and test restoration processes periodically to ensure that data can be recovered quickly in case of a cyber incident.
  9. Manage Patches and Updates. Cyber attackers frequently exploit vulnerabilities in outdated software. To mitigate this risk, check for new updates and patches daily. Apply critical updates as soon as possible, and keep an inventory of all systems and software to track patch status.
  10. Perform Vulnerability Scans. Regular vulnerability scanning helps identify weaknesses before attackers can exploit them. Daily scans can highlight misconfigurations or outdated protocols.

CyberNINES can help you build healthy cybersecurity practices and partner with you on your CMMC journey. Send us a contact request at this link, and one of our cybersecurity experts will be happy to answer any questions you might have about daily compliance or other aspects of CMMC.

Next up: Maintaining compliance when working with cloud providers

Resources