Understanding CMMC L1
For the last couple of years, the Department of Defense (DoD) and other stakeholders have worked on a new program that safeguards Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This program, called Cybersecurity Maturity Model Certification (CMMC), applies across the entire Defense Industrial Base (DIB). This new cybersecurity initiative is the first of its kind for critical infrastructure companies.
The levels of CMMC range from 1 to 5, with 5 being the most advanced. This blog breaks down Level 1 (L1) and provides insight into your L1 readiness.
Although there are many technical aspects to CMMC, it is just as important to create an organizational culture that is cyber prepared and threat-resistant. Many elements of CMMC certification include personnel training and individual participation in cyber defense. Many cyberattacks have proven to be as simple as someone falling victim to malware delivered by email, and CMMC practices help prevent that mistake. Level 1 certification is not as technical as the other levels because it does not require officially documented processes, but this does not mean your organization should avoid building towards that goal. If you plan to bid on contracts containing CUI, you will be required to show documented processes with a minimum certification of Level 2. Starting with L1 gives you an opportunity to build that threat-resistant environment and helps defend your company against bad actors.
Something to consider in working towards CMMC certification is working with a Registered Provider Organization (RPO). It is not a requirement to work with an RPO, but there are a few important aspects to weigh when deciding whether to pursue CMMC readiness alone or with professional RPO services. Although cybersecurity is a priority in many organizations, the reality is that resources are limited. When allocating the time, money, personnel, and technology needed to achieve a CMMC certification, it is important to perform a cost-benefit analysis. Not only does an RPO have the experts and tools necessary to streamline your certification process, but they also have the relationships in place to understand what your CMMC Third Party Assessor Organization (C3PAO) is looking for in their audit. We have taken the time to create a checklist of how you can prepare for CMMC Level 1 and to provide you with the full list of domains, capabilities, and controls that must be implemented in L1.
Level 1 Organizational Checklist
Learn about CMMC and why it matters for you
Learn about the 6 domains used in L1
Break down the capabilities and the 17 practices for L1
Assess your current cyber hygiene environment and existing resources
Plan for the needed changes based on your assessment and what you have learned about L1
Implement the changes and plan for a maturity process
Level 1 has a total of 17 controls, also referred to as practices. These practices derive from capabilities, which in turn belong to specific domains. There are a total of 17 domains in CMMC, and 6 of them are included in L1. To achieve CMMC Level 1 certification you must meet all of the practices we have listed for you here.
Level 1 Performed: Basic Cyber Hygiene
Domains in L1
Access Control (AC) : 3 capabilities 4 practices
Identification & Authentication (IA) : 1 capability 2 practices
Media Protection (MP) : 1 capability 1 practice
Physical Protection (PE) : 1 capability 4 practices
System & Communications Protection (SC) : 1 capability 2 practices
System & Information Integrity (SI) : 2 capabilities 4 practices
Capabilities in L1
Access Control AC
Establish system access capabilities (C001)
Control internal system access (C002)
Limit data access to authorized users and processes (C004)
Identification & Authentication IA
Grant access to authenticated entities (C015)
Media Protection MP
Sanitize Media (C024)
Physical Protection PE
Limit physical access (C028)
System & Communications Protection SC
Control communications at system boundaries (C039)
System & Information Integrity SI
Identify and manage information system flaws (C040)
Identify malicious content (C041)
Practices
Access Control AC
AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.004 – Control information posted or processed on publicly accessible information systems.
Identification & Authentication IA
IA.1.076 – Identify information system users, processes acting on behalf of users, and devices.
Media Protection MP
Physical Protection PE
PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132 – Escort visitors and monitor visitor activity.
PE.1.133 – Maintain audit logs of physical access.
System & Communications Protection SC
SC.1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
System & Information Integrity SI
SI.1.210 – Identify, report, and correct information and information system flaws in a timely manner.
SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 – Update malicious code protection mechanisms when new releases are available.
As we wrap up our L1 readiness overview, we encourage you to stay up to date and follow our blogs on CMMC best practices and updates.