What is CMMC Level 1?

Sep 09, 2019

CMMC combines various cybersecurity standards and best practices. CMMC Level 1 is the first level of maturity for the Cybersecurity Maturity Model Certification (CMMC).

On September 5, 2019, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC).

CMMC stands for Cybersecurity Maturity Model Certification and will encompass multiple maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced” for those selling directly or indirectly to the federal government.

CMMC has five (5) levels of maturity to guide the Defense Industrial Base (DIB), or the government contractors selling to and supporting the Department of Defense.

At Level 1, companies are practicing “Basic Cyber Hygiene” and processes are being performed at least in an ad hoc manner.

Each CMMC practice is aligned to a Capability, which in turn is aligned to a Domain. In total, across the domains, there are currently thirty-five (35) practices aligned to CMMC Level 1.

Practices and Processes

Each CMMC level includes Practices (activities that must be performed) and Processes (the definition of compliance with the defined Practices). To be CMMC Level 1 compliant and approved, companies must prove they have implemented the required Practices and are following the set Processes.

CMMC Level 1 Practices and Descriptions

Per documents published by the Department of Defense (DoD) in September 2019, the thirty-five (35) CMMC Level 1 practices are as follows.

They are listed below in a more natural grouping to help you understand the workload expected of your company. Each listing includes a short description (mine), the official description and any regulation references.

  1. Limit Physical Access
    1. “The organization limits physical access to systems, equipment, and the respective operating environment, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.10.1
    3. RMM KIM: SG4.SP2
  2. Control Physical Access
    1. “The organization controls and manages physical access to devices, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.10.5
    3. RMM KIM: SG4.SP2
  3. Maintain Physical Access Log
    1. “The organization maintains audit logs of physical access, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.10.4
  4. Always Escort and Monitor Visitors
    1. “The organization escorts visitors and monitors visitor activity, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.10.3
  5. Identify Authorized Users, Processes and Devices
    1. “The organization identifies system users, processes acting on behalf of users, and devices, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.5.1
  6. Screen People Before Giving Access to CUI
    1. “Individuals are screened prior to authorizing access to organizational systems containing CUI at least in an ad hoc manner.”
    2. NIST SP 800-171 3.9.1
    3. RMM HRM: SG2.SP1
  7. Authenticate System Access
    1. “The identities of users, processes, or devices are authorized (or verified) as a prerequisite to allowing access to organizational systems.”
    2. NIST SP 800-171 3.5.2
  8. Limit Unsuccessful Logon Attempts
    1. “Limit unsuccessful logon attempts on a single system to 10 or less.”
    2. NIST SP 800-171 Partial 3.1.8
  9. Limit System Access to Authorized Users
    1. “System access is limited to authorized users, processes acting on behalf of authorized users, and devices, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.1.1
  10. Limit System Access to Approved Activity
    1. “Limit system access to the types of transactions and functions that authorized users are permitted to execute.”
    2. NIST SP 800-171 3.1.2
  11. Separate Public Facing Systems from Internal Systems
    1. “Publicly accessible systems are physically or logically separated from internal networks, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.13.5
  12. Protect CUI During Personnel Actions
    1. “CUI is protected during personnel actions at least in an ad hoc manner.”
    2. NIST SP 800-171 3.9.2
    3. RMM HRM: SG4.SP2
  13. Guidelines in Place
    1. “Guidelines are developed for the use of personally owned or external information systems.”
    2. NIST SP 800-171 Partial 3.1.20
    3. FAR
  14. CUI is Identified and Controlled
    1. “CUI posted to publicly accessible systems is identified and controlled.”
    2. NIST SP 800-171 3.1.22
  15. Assets are Tracked
    1. “Organizational assets are identified and inventoried (hardware, virtual, software, firmware, and CUI information), at least in an ad hoc manner.”
    2. NIST SP 800-171 3.4.1
    3. RMM ADM: SG1.SP1
  16. Software Supported by Original Vendor
    1. “The organization ensures that software is supported by the vendor.”
    2. CIS 7.1: 2.2
  17. Protect Communications at System Boundaries
    1. “The organization monitors, controls, and protects communications at system boundaries, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.13.1
  18. Audit Logs Retained
    1. “Audit logs are created and retained, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.3.1
  19. Audit Logs Reviewed
    1. “Audit logs are reviewed, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.3.5
  20. System Configuration Baselines in Place
    1. “Configuration baselines for organizational systems are established, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.4.1
    3. RMM KIM: SG5.SP2
  21. System Configuration Management Performed
    1. “The organization performs configuration management for organizational systems, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.4.2
    3. RMM KIM: SG5.SP2
  22. System Maintenance is Performed
    1. “The organization performs maintenance on its organizational systems, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.7.1
    3. RMM TM: SG5.SP2
  23. Cybersecurity Objectives Defined
    1. “Cybersecurity objectives are established for the organization, at least in an ad hoc manner.”
    2. RMM EF: SG1.SP1
  24. Cybersecurity Objectives Implemented
    1. “Cybersecurity objectives are implemented in the organization, at least in an ad hoc manner.”
    2. RMM EF: SG1.SP1
  25. Events are Reported
    1. “Events are detected and reported, at least in an ad hoc manner.”
    2. RMM IMC: SG2.SP1
  26. Incidents are Declared
    1. “Incidents are declared, at least in an ad hoc manner.”
    2. RMM IMC: SG3.SP1
  27. Incidents are Resolved
    1. “Incidents are resolved, at least in an ad hoc manner.”
    2. RMM IMC: SG4.SP1
  28. System Flaws are Corrected
    1. “Information system flaws are identified and corrected, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.14.1
  29. Properly Sanitize Media Containing CUI
    1. “Non-digital and digital media containing CUI is sanitized or destroyed before disposal or release for reuse, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.8.3
  30. Define Security Controls
    1. “Define controls, at least in an ad hoc manner.”
    2. RMM CTRL: SG2.SP1
  31. Install Anti-Virus Protection
    1. “Malicious code protection (e.g., anti-virus) is installed on all applicable machines.”
    2. NIST SP 800-171 3.14.2
  32. Keep Anti-Virus Protection Updated
    1. “Malicious code protection (e.g., anti-virus) is updated when new releases are available.”
    2. NIST SP 800-171 3.14.4
  33. Use Anti-Virus Protection in Real-Time
    1. “Scanning of files downloaded from external sources occurs in real-time.”
    2. NIST SP 800-171 3.14.5
  34. Stay Informed on Cyber Threats
    1. “The organization receives cyber threat intelligence from information sharing forums and sources, at least in an ad hoc manner.”
    2. NIST SP 800-171 3.14.3
  35. Share Cyber Threat Information with Team
    1. “Threat information is communicated to internal and external stakeholders, at least in an ad hoc manner.”
    2. CSF: RS.CO-5

Summary of Practices

GovCon Chamber of Commerce president Neil McDonnell reviewed this lengthy document to help small businesses understand the process better. The natural groupings below should make the information clearer.

Documentation & Knowledge Sharing

  1. Guidelines in Place
  2. CUI is Identified and Controlled
  3. Assets are Tracked
  4. Define Security Controls
  5. Stay Informed on Cyber Threats
  6. Share Cyber Threat Information with Team
  7. Cybersecurity Objectives Defined
  8. Cybersecurity Objectives Implemented

Physical Access

  1. Limit Physical Access
  2. Control Physical Access
  3. Maintain Physical Access Log
  4. Always Escort and Monitor Visitors

System Access

  1. Identify Authorized Users, Processes and Devices
  2. Screen People Before Giving Access to CUI
  3. Protect CUI During Personnel Actions
  4. Authenticate System Access
  5. Limit Unsuccessful Logon Attempts
  6. Limit System Access to Authorized Users
  7. Limit System Access to Approved Activity
  8. Separate Public Facing Systems from Internal Systems
  9. Protect Communications at System Boundaries

Operations & Maintenance

  1. Software Supported by Original Vendor
  2. System Configuration Baselines in Place
  3. System Configuration Management Performed
  4. System Maintenance is Performed
  5. Install Anti-Virus Protection
  6. Keep Anti-Virus Protection Updated
  7. Use Anti-Virus Protection in Real-Time
  8. Events are Reported
  9. Incidents are Declared
  10. Incidents are Resolved
  11. System Flaws are Corrected
  12. Audit Logs Retained
  13. Audit Logs Reviewed
  14. Properly Sanitize Media Containing CUI

FOR MORE INFORMATION

  • CMMC Overview Briefing | September 2019
  • NIST | National Institute of Standards and Technology
