What is CMMC Level 1?

CMMC combines various cybersecurity standards and best practices. CMMC 1 is the first level of maturity for the Cybersecurity Maturity Model Certification (CMMC).

On September 5, 2019, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC).

CMMC stands for Cybersecurity Maturity Model Certification and will encompass multiple maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced” for those selling directly or indirectly to the federal government.

CMMC has five (5) levels of maturity to guide the Defense Industrial Base (DIB), or the government contractors selling to and supporting the Department of Defense.

At Level 1, companies are practicing “Basic Cyber Hygiene” and Processes are being performed at least in an ad-hoc manner.

Each CMMC practice is aligned to a Capability, which in turn are aligned to a Domain. In total, across the domains, there are currently (35) practices are aligned to CMMC Level 1.

Practices and Processes

Each CMMC level includes Practices (activities that must be performed) and Processes (the definition of compliance with the defined Practices). To be CMMC Level 1 compliant and approved, companies must prove they have implemented the required Practices and are following the set Processes.

CMMC Level 1 Practices and Descriptions

Per documents published by the Department of Defense (DoD) on September 2019, the thirty-five (35) CMMC Level 1 practices are as follows:

See below in a more natural grouping for understanding the workload expected on your company. Each listing includes a short description (mine), the official description and any regulation references. 

1. Limit Physical Access
   1. “The organization limits physical access to systems, equipment, and the respective operating environment, at least in an ad hoc manner.”
   2. NIST SP 800-171 3.10.1
   3. RMM KIM: SG4.SP2
2. Control Physical Access
   1. “The organization controls and manages physical access to devices, at least in an ad hoc manner.”
   2. NIST SP 800-171 3.10.5
   3. RMM KIM: SG4.SP2
3. Maintain Physical Access Log
   1. “The organization maintains audit logs of physical access, at least in an ad hoc manner.”
   2. NIST SP 800-171 3.10.4
4. Always Escort and Monitor Visitors
   1. “The organization escorts visitors and monitors visitor activity, at least in an ad hoc manner.”
   2. NIST SP 800-171 3.10.3
5. Identify Authorized Users, Processes and Devices
   1. “The organization identifies system users, processes acting on behalf of users, and devices, at least in an ad hoc manner.”
   2. NIST SP 800-171 3.5.1
6. Screen People Before Giving Access to CUI
   1. “Individuals are screened prior to authorizing access to organizational systems containing CUI at least in an ad hoc manner.”
   2. NIST SP 800-171 3.9.1
   3. RMM HRM: SG2.SP1
7. Authenticate System Access
   1. “The identities of users, processes, or devices are authorized (or verified) as a prerequisite to allowing access to organizational systems.”
   2. NIST SP 800-171 3.5.2
8. Limit Unsuccessful Logon Attempts
   1. “Limit unsuccessful logon attempts on a single system to 10 or less.”
   2. NIST SP 800-171 Partial 3.1.8
9. Limit System Access to Authorized Users
   1. “System access is limited to authorized users, processes acting on behalf of authorized users, and devices, at least in an ad hoc manner.”
   2. NIST SP 800-171 3.1.1
10. Limit System Access to Approved Activity
    1. “Limit system access to the types of transactions and functions that authorized users are permitted to execute.”
    2. NIST SP 800-171 3.1.2
11. Separate Public Facing Systems from Internal Systems
    1. “Publicly accessible systems are physically or logically separated from internal networks, at least in an ad hoc manner.
    2. NIST SP 800-171 3.13.5
12. Protect CUI During Personnel Actions
    1. “CUI is protected during personnel actions at least in an ad hoc manner.”
    2. NIST SP 800-171 3.9.2
    3. RMM HRM: SG4.SP2
13. Guidelines in Place
    1. “Guidelines are developed for the use of personally owned or external information systems.”
    2. NIST SP 800-171 Partial 3.1.20
    3. FAR
14. CUI is Identified and Controlled
    1. “CUI posted to publicly accessible systems is identified and controlled.”
    2. NIST SP 800-171 3.1.22
15. Assets are Tracked
    1. “Organizational assets are identified and inventoried (hardware, virtual, software, firmware, and CUI information), at least in an ad hoc manner.”
    2. NIST SP 800-171 3.4.1
    3. RMM ADM: SG1.SP1
16. Software Supported by Original Vendor
    1. “The organization ensures that software is supported by the vendor.”
    2. CIS 7.1: 2.2
17. Protect Communications at System Boundaries
    1. “The organization monitors, controls, and protects communications at system boundaries, at least in an ad hoc manner.
    2. NIST SP 800-171 3.13.1
18. Audit Logs Retained
    1. “Audit logs are created and retained, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.3.1
19. Audit Logs Reviewed
    1. “Audit logs are reviewed, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.3.5
20. System Configuration Baselines in Place
    1. “Configuration baselines for organizational systems are established, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.4.1
    3. RMM KIM: SG5.SP2
21. System Configuration Management Performed
    1. “The organization performs configuration management for organizational systems, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.4.2
    3. RMM KIM SG5.SP2
22. System Maintenance is Performed
    1. “The organization performs maintenance on its organizational systems, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.7.1
    3. RMM TM: SG5.SP2
23. Cybersecurity Objectives Defined
    1. “Cybersecurity objectives are established for the organization, at least in an ad hoc manner.
    2. RMM EF: SG1.SP1
24. Cybersecurity Objectives Implemented
    1. “Cybersecurity objectives are implemented in the organization, at least in an ad hoc manner.”
    2. RMM EF: SG1.SP1
25. Events are Reported
    1. “Events are detected and reported, at least in an ad hoc manner.”
    2. RMM IMC: SG2.SP1
26. Incidents are Declared
    1. “Incidents are declared, at least in an ad hoc manner.”
    2. RMM IMC: SG3:SP1
27. Incidents are Resolved
    1. “Incidents are resolved, at least in an ad hoc manner.”
    2. RMM IMC: SG4:SP1
28. System Flaws are Corrected
    1. “Information system flaws are identified and corrected, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.14.1
29. Properly Sanitize Media Containing CUI
    1. “Non-digital and digital media containing CUI is sanitized or destroyed before disposal or release for reuse, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.8.3
30. Define Security Controls
    1. “Define controls, at least in an ad hoc manner.”
    2. RMM CTRL: SG2.SP1
31. Install Anti-Virus Protection
    1. “Malicious code protection (e.g., anti-virus) is installed on all applicable machines.”
    2. NIST SP 800-171 3.14.2
32. Keep Anti-Virus Protection Updated
    1. “Malicious code protection (e.g., anti-virus) is updated when new releases are available.”
    2. NIST SP 800-171 3.14.4
33. Use Anti-Virus Protection in Real-Time
    1. “Scanning of files downloaded from external sources occurs in real-time.”
    2. NIST SP 800-171 3.14.5
34. Stay Informed on Cyber Threats
    1. “The organization receives cyber threat intelligence from information sharing forums and sources, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.14.3
35. Share Cyber Threat Information with Team
    1. “Threat information is communicated to internal and external stakeholders, at least in an ad hoc manner.”
    2. CSF: RS.CO-5

Summary of Practices

GovCon Chamber of Commerce president Neil McDonnell reviewed this lengthy document to help small businesses understand the process better. These natural groupings should make the information clearer.

Documentation & Knowledge Sharing

1. Guidelines in Place
2. CUI is Identified and Controlled
3. Assets are Tracked
4. Define Security Controls
5. Stay Informed on Cyber Threats
6. Share Cyber Threat Information with Team
7. Cybersecurity Objectives Defined
8. Cybersecurity Objectives Implemented

Physical Access

9. Limit Physical Access
10. Control Physical Access
11. Maintain Physical Access Log
12. Always Escort and Monitor Visitors

System Access

13. Identify Authorized Users, Processes and Devices
14. Screen People Before Giving Access to CUI
15. Protect CUI During Personnel Actions
16. Authenticate System Access
17. Limit Unsuccessful Logon Attempts
18. Limit System Access to Authorized Users
19. Limit System Access to Approved Activity
20. Separate Public Facing Systems from Internal Systems
21. Protect Communications at System Boundaries

Operations & Maintenance

22. Software Supported by Original Vendor
23. System Configuration Baselines in Place
24. System Configuration Management Performed
25. System Maintenance is Performed
26. Install Anti-Virus Protection
27. Keep Anti-Virus Protection Updated
28. Use Anti-Virus Protection in Real-Time
29. Events are Reported
30. Incidents are Declared
31. Incidents are Resolved
32. System Flaws are Corrected
33. Audit Logs Retained
34. Audit Logs Reviewed
35. Properly Sanitize Media Containing CUI

FOR MORE INFORMATION

• CMMC Overview Briefing | September 2019 | Click To Download
• NIST | National Institute of Standards and Technology