Understanding CMMC L1

For the last couple of years, the Department of Defense (DoD) and other stakeholders have worked on a new program that safeguards Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This program called Cybersecurity Maturity Model Certification (CMMC) expands across the entire Defense Industrial Base (DIB). This new cybersecurity initiation is the first of its kind for critical infrastructure companies.

The levels of CMMC range between 1 and 5, with 5 being the most advanced. This blog breaks down Level 1 (L1) and provides insight on your L1 readiness.

Although there are many technical aspects of CMMC it is just as important to create an organizational culture that is cyber prepared and threat-resistant. Many elements of CMMC certification include personnel training and individual participation in cyber defense. Many cyberattacks have proven to be as simple as someone falling victim to malware via email, and CMMC practices help prevent that mistake. Level 1 certification is not as technical as the other levels because it does not have official documented processes, but this does not mean your organization should avoid building towards that goal. If you plan to bid on contracts containing CUI you will be required to show documented processes with a minimum certification of Level 2. Starting with L1 provides you with an opportunity to achieve that threat-resistant environment and helps defend your company against bad actors.

Something to take into consideration in working towards CMMC certification is working with a Registered Provider Organization (RPO). Although it is not a requirement for you to work with an RPO there are a few important aspects to take into consideration when deciding to pursue CMMC readiness alone or with professional RPO services. Although cybersecurity is a priority in many organizations, it is a reality that resources are limited. When designating the time, money, personnel, and technology to achieve a CMMC certifications it is important to assess a cost benefit analysis. Not only does an RPO have the experts and tools necessary to streamline your certification process, but they also have the relationships in place to understand what your CMMC Third Party Assessor Organization (C3PAO) is looking for in their audit. We have taken the time to create a checklist of how you can prepare for CMMC Level 1 and provide you with the full list of domains, capabilities, and controls that must implement in L1.

Level 1 Organizational Checklist

• Learn about CMMC and why it matters for you

• Learn about the 6 domains used in L1

• Break down the capabilities and the 17 practices for L1

• Assess your current cyber hygiene environment and existing resources

• Plan for the needed changes based on your assessment and what you have learned about L1

• Implement the changes and plan for a maturity process

Level 1 has a total of 17 controls, also referred to as practices. These practices derive from capabilities which belong to specific domains. There are a total of 17 domains in CMMC and 6 domains are included in L1. For you to achieve CMMC level 1 certification you must meet all of these standards that we have prepared for you here. Level 1 Performed : Basic Cyber Hygiene Domains in L1

• Access Control (AC) : 3 capabilities 4 practices

• Identification & Authentication (IA) : 1 capability 2 practices

• Media Protection (MP) : 1 capability 1 practice

• Physical Protection (PE) : 1 capability 4 practices

• System & Communications Protection (SC) : 1 capability 2 practices

• System & Information Integrity (SI) : 2 capabilities 4 practices

Capabilities in L1 Access Control AC

1. Establish system access capabilities (C001)

2. Control internal system access (C002)

3. Limit data access to authorized users and processes (C004)

Identification & Authentication IA

1. Grant access to authenticated entities (C015)

Media Protection MP

1. Sanitize Media (C024)

Physical Protection PE

1. Limit physical access (C028)

System & Communications Protection SC

1. Control communications at system boundaries (C039)

System & Information Integrity SI

1. Identify and manage information system flaws (C040)

2. Identify malicious content (C041)

Practices ***potentially make collapsible*** Access Control AC

1. AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)

2. AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

3. AC.1.003 – Verify and control and/or limit connections to, and use of, external information systems.

4. AC.1.004 – Control Information Posted or Processed on Publicly Accessible Information Systems

Identification & Authentication IA

1. IA.1.076 – Identify Information System Users, Processes Acting on Behalf of Users and Devices

2. IA.1.077 – Authenticate ( or verify ) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems

Media Protection MP

1. MP.1.118 – Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse

Physical Protection PE

1. PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

2. PE.1.132 – Escort Visitors and Monitor Visitor Activity

3. PE.1.133 – Maintain Audit Logs of Physical Access

1. PE.1.134 – Control and Manage Physical Access Devices

System & Communications Protection SC

1. SC.1.175 – Monitor, control, and protect organizational communications (i.e., Information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.

2. SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System & Information Integrity SI

1. SI.1.210 – Identify, Report and Correct Information and Information Flaws in a Timely Manner

2. SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems.

3. SI.1.212 – Update Malicious Code Protection Mechanisms When New Releases are Available.

1. SI.1.213 – Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened or executed.

As we wrap up our L1 readiness we encourage you stay up to date and follow our blogs on CMMC best practices and updates.