Welcome to the first installment of our series on the Cybersecurity Maturity Model Certification (CMMC), a novel area of cybersecurity shepherded by the US Department of Defense (DoD). In this guide, we’ll break down everything you need to know about CMMC Level 1. For information about later levels of the CMMC, see our upcoming guides to levels 2, 3, 4, and 5.
Overview of CMMC Level 1 Requirements
The key to complying with CMMC requirements at all levels is understanding exactly what is required. To that end, this blog (and the whole series) is built around descriptions of all practices for each given level, sourced directly from CMMC Version 1.02 from March 2020.
Especially since this is the first article in the series, we’ll begin with a robust overview of the CMMC Framework, including baseline definitions and concepts that apply across all levels. The structure below breaks down as follows:
- Overall CMMC 101
- Deep-dive into Level 1
- Guide to Level 1 compliance
Let’s get started!
CMMC 101: The Entire Framework
The CMMC Framework is published by the Office of the Under Secretary of Defense for Acquisition and Sustainment, also known as OUSD(A&S). The OUSD(A&S) collaborated with various DoD stakeholders, including University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs), to create the framework.
The CMMC exists in order to prevent theft and loss of sensitive information that adversely impacts the DoD. In particular, it safeguards the Defense Industrial Base sector (DIB) and the broader supply chain of DoD contractors from cybercrime targeting sensitive information.
To that end, the main kinds of information the CMMC protects are:
- Federal Contract Information (FCI) – information that is provided for or generated by government agencies, under contract, and not intended for publication or public access.
- Controlled Unclassified Information (CUI) – information that is not classified per se but still not disclosed nor disseminated due to various laws, regulations, or policies. This excludes information classified by the Atomic Energy Act and several Executive Orders.
The CMMC also exists to address and integrate various requirements and prescriptions from other regulatory documents governing cybersecurity for government agencies and contractors.
For example, Federal Acquisition Regulation (FAR) Clause 52.204-21 specifies requirements for safeguarding FCI. Further, the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171) details security requirements for CUI, related to specifications in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
Through a system of interlocking cybersecurity domains and maturity levels, the CMMC ensures that DoD contractors meet all requirements necessary to protect their many stakeholders.
Core Domains and Capabilities
At the core of the CMMC framework are 17 key cybersecurity domains. These domains are based loosely on NIST’s Federal Information Processing Standards Publication 200 (FIPS 200), as well as SP 800-171. Each domain contains one or more capabilities, totaling 43, which inform the specific practices required within a domain for a given maturity level (see below).
The domains and their relevant capabilities break down as follows:
- Access Control (AC) – Controlling access to systems, across 4 capabilities:
  - Establish requirements for system access
  - Control and restrict internal system access
  - Control and restrict remote system access
  - Limit access based on authorization
- Asset Management (AM) – Accounting for and managing assets, per 2 capabilities:
  - Identify and document all physical and digital assets
  - Manage inventory of identified and documented assets
- Audit and Accountability (AU) – Defining audit standards across 4 capabilities:
  - Define requirements for audits
  - Perform rigorous auditing and tests
  - Protect any and all audit information
  - Manage and regularly review audit logs
- Awareness and Training (AT) – Requiring training for personnel, per 2 capabilities:
  - Conduct activities to foster security awareness
  - Conduct regular and rigorous security training
- Configuration Management (CM) – Controlling security settings, per 2 capabilities:
  - Establish baseline configurations across devices and software
  - Manage the maintenance of and changes to configurations
- Identification and Authentication (IA) – Ensuring proper ID controls, with 1 capability:
  - Grant access only to authenticated users
- Incident Response (IR) – Specifying protocols for a response, comprising 5 capabilities:
  - Plan detailed incident response protocols
  - Monitor for, detect, and report security events
  - Respond to incidents as they occur, per plans
  - Review efficacy of response post-incident
  - Test incident response system regularly
- Maintenance (MA) – Defining maintenance standards, including just 1 capability:
  - Manage the maintenance of systems and security
- Media Protection (MP) – Standardizing safeguards for media, across 4 capabilities:
  - Identify media and mark for control level
  - Protect all media marked for control
  - Sanitize media regularly and after use
  - Protect media during transportation
- Personnel Security (PS) – Ensuring staff contributes to security, per 2 capabilities:
  - Screen personnel thoroughly and carefully
  - Protect CUI during all interactions with personnel
- Physical Protection (PE) – Controlling physical access to media, per 1 capability:
  - Restrict physical access to sensitive assets
- Recovery (RE) – Establishing readiness for post-incident recovery, with 2 capabilities:
  - Establish and maintain back-ups across systems
  - Manage continuity of information security
- Risk Management (RM) – Implementing robust risk mitigation through 3 capabilities:
  - Identify risks through monitoring and analysis
  - Manage and proactively mitigate identified risks
  - Manage risks specific to supply chain
- Security Assessment (CA) – Reviewing security regularly, comprising 3 capabilities:
  - Manage security plan encompassing all systems
  - Define particular controls to implement, per plan
  - Perform regular code reviews and audits
- Situational Awareness (SA) – Fostering heightened awareness, per 1 capability:
  - Implement a threat monitoring system
- Systems and Communications Protection (SC) – Ensuring safeguards for systems, especially at points where they communicate, across 2 capabilities:
  - Define requirements for security across all systems and communications
  - Monitor, restrict, and control communications at boundaries of the system
- System and Information Integrity (SI) – Maintaining integrity by way of 4 capabilities:
  - Monitor and manage any and all flaws in information systems
  - Identify and manage malware and other harmful content
  - Perform regular system- and network-wide monitoring
  - Safeguard email using advanced protections
The capabilities for each domain are fleshed out across 171 practices. In addition to capabilities, domains also comprise a number of processes. And all of these categories are distributed across the 5 maturity levels in accordance with the respective focus of each.
Levels, Focuses, Processes, and Practices
An organization is not expected to adopt the entirety of the CMMC in one fell swoop. Instead, organizations undergo an ongoing process of maturity, by which they gradually increase the scope of their cyberdefenses. Along the way, their maturity is measured and assigned a level.
Each Maturity Level of the CMMC is characterized by a focus, as well as a particular approach to processes and practices. The focus determines the purpose of the level, whereas the process measures the institutionalization of the framework, and practices measure implementation.
The breakdown of levels is as follows:
- Maturity Level 1 – Focused on the safeguarding of FCI:
  - Processes are performed but, importantly, not assessed.
  - Practices constitute “Basic Cyber Hygiene.”
- Maturity Level 2 – Focused on preliminary CUI protections:
  - Processes are documented and assessed for implementation.
  - Practices constitute “Intermediate Cyber Hygiene.”
- Maturity Level 3 – Focused on cementing full control and protection of CUI:
  - Processes are managed, including a resource plan for maintenance.
  - Practices constitute “Good Cyber Hygiene.”
- Maturity Level 4 – Focused on defending against Advanced Persistent Threats (APT):
  - Processes are reviewed and measured to ensure effectiveness.
  - Practices move from “Hygiene” to “Proactive” cybersecurity.
- Maturity Level 5 – Focused on fully optimizing FCI, CUI, and APT protections:
  - Processes are continually optimized and expanded across all systems.
  - Practices move into an “Advanced” or “Progressive” posture.
Levels are cumulative, and ascension to the next level assumes maintenance of all requirements of previous levels. An institution must demonstrate both the process and practice measures of a given level in order to reach certification at that level. Maturity levels can apply to the organization as a whole and to independent divisions or sectors within the organization.
Understanding CMMC Level 1 Controls
If all this information seems overwhelming, don’t worry. The CMMC Maturity Level 1 is the simplest of all levels, by a variety of measures. It’s intended as an introduction to the framework.
Firstly, its focus pertains to only FCI, foregoing the more complicated nature of CUI until later levels. Secondly, Level 1 comprises just 17 of the 171 total practices, distributed across just 6 of the 17 domains. All of the practices come from a single source, FAR Clause 52.204-21. Thirdly, and most importantly, process institutionalization at Level 1 is not assessed.
Based on the basic nature of this level’s controls, an organization first implementing them is likely to approach some or all in an ad hoc manner, without proper documentation.
Let’s take a closer look at the actual practices for level 1, broken down by domain, as detailed in the CMMC Version 1.02. All subsections below refer directly to descriptions from this text.
Level 1 Access Control Practices
There are 4 AC practices required at Level 1:
- AC.1.001 – Restrict access to information systems by user, limiting it only to authorized users, users or processes acting on their behalf, or other authorized systems.
- AC.1.002 – Restrict access to information systems by function, including only those functions authorized or otherwise permitted (for authorized users).
- AC.1.003 – Verify, and control or limit, all connections to and use of external information systems (for all users and functions).
- AC.1.004 – Monitor and limit (control) information that is posted on publicly accessible media, including any and all public-facing information systems.
Level 1 Identification and Authentication Practices
There are 2 IA practices required at Level 1:
- IA.1.076 – Identify any and all users of information systems, including processes, devices, and systems acting on behalf of authorized (or unauthorized) users.
- IA.1.077 – Verify the identity of such users prior to granting access to information systems.
Level 1 Media Protection Practice
There is just 1 MP practice required at Level 1:
- MP.1.118 – Prior to disposal or release leading to reuse, sanitize or otherwise destroy any and all traces of FCI on information systems media.
Level 1 Physical Protection Practices
There are 4 PE practices required at Level 1:
- PE.1.131 – Restrict all physical access to organizational information systems, including respective equipment and operating environments, to only authorized individuals.
- PE.1.132 – Escort and carefully monitor the activities of any and all visitors.
- PE.1.133 – Maintain thorough logs of all physical access to information systems.
- PE.1.134 – Control any and all devices used to enable physical access to systems.
Level 1 System and Communications Protection Practices
There are 2 SC practices required at Level 1:
- SC.1.175 – Monitor and safeguard organizational communications, including all incoming and outgoing information, at external and key internal boundaries of information systems.
- SC.1.176 – Implement independent subnetworks for system components that are publicly accessible, separating them logically or physically from other networks.
Level 1 System and Information Integrity Practices
There are 4 SI practices required at Level 1:
- SI.1.210 – Routinely scan for, identify, report on, and immediately correct system flaws.
- SI.1.211 – Implement protections against any and all malicious code in the appropriate locations and contexts within information systems, as defined by the organization.
- SI.1.212 – Regularly update mechanisms designed to protect against malicious code.
- SI.1.213 – Scan information systems periodically; scan files from external sources both periodically and at the moment(s) in which they are downloaded, opened, executed, etc.
How to Meet CMMC Level 1 Requirements
As noted above, Level 1 is unique in that process institutionalization is not assessed. All its practices correspond to FAR Clause 52.204-21, much of which you may already be compliant with. And they simply need to be implemented (not documented) in order for you to be certified.
However, no matter how basic the level’s requirements are, you do still need to get certified, specifically by a Certified Third Party Assessment Organization (C3PAO). This status is determined by the CMMC Accreditation Body. RSI Security is a C3PAO happy to help.
RSI Security’s dedicated CMMC services suite includes everything you need for all levels of CMMC certification, beginning with Level 1. Not only will our experts assist you in preparation for compliance; as a C3PAO, we can also take care of the certification itself.
Safeguard FCI, Professionally
At RSI Security, we know that compliance is not the end of cyberdefense; it’s just the beginning. Our talented team of experts has over a decade of experience providing cybersecurity solutions to businesses across all industries, including DoD contractors. We’re happy to help with not just CMMC certification, but any and all cybersecurity issues you’re dealing with.
We know how important it is for DoD contractors to stay safe, for the security of not just your own company, but also the entire DIB sector — and, by extension, the entire country. So, to see just how simple CMMC Level 1 can be, how robust your organization’s cyberdefenses can get, and how safe your assets and stakeholders can be, contact RSI Security today!