RSI Security

What are the CMMC Level 1 Controls?


Cybercrime is a growing threat to the U.S. economy and national security. The Department of Defense (DoD) reported that cybercrime cost the economy $600 billion in 2016 alone. Beyond financial losses, cyber threats also create significant risks to national security. These challenges led to the creation of the Cybersecurity Maturity Model Certification (CMMC), a framework designed to strengthen cybersecurity across the Defense Industrial Base (DIB). In this article, we focus on CMMC Level 1 controls and what they mean for contractors and vendors.

To assess the cybersecurity resilience of the defense supply chain, the DoD partnered with stakeholders in the DIB to conduct a thorough gap analysis. This analysis identified critical areas where vendors and third-party partners needed to improve security practices. As a result, it is now mandatory for all vendors interacting with the DoD or the DIB to achieve CMMC Level 1 certification, ensuring baseline protection of Federal Contract Information (FCI).


Understanding the Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) was created by the DoD in partnership with stakeholders across the Defense Industrial Base (DIB). It combines multiple cybersecurity frameworks and standards, including NIST SP 800 and the Code of Federal Regulations (CFR), to provide a unified approach to securing sensitive defense information.

A maturity model measures how well an organization has integrated best practices into its culture. The CMMC applies this approach specifically to cybersecurity, helping organizations assess their readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

For organizations aiming for CMMC Level 1 certification, the model establishes baseline practices and processes that ensure fundamental cybersecurity hygiene. In the next section, we will explore what is meant by these practices and processes, and how they form the foundation of CMMC Level 1 controls.


CMMC Domains and Their Role in Level 1 Controls

The CMMC framework organizes cybersecurity requirements into 17 domains, each representing a specific area of security practices. These domains are structured into a set of processes and practices and are grouped across five maturity levels. In this article, we focus specifically on the CMMC Level 1 controls, which provide the baseline cybersecurity requirements for all DoD contractors handling Federal Contract Information (FCI).

According to the CMMC documentation:
“The majority of these domains originate from the security-related areas in Federal Information Processing Standards (FIPS) publication 200 and the related security requirement families from NIST SP 800-171.”

Each domain contains the necessary practices and processes an organization must implement to meet compliance requirements for its intended maturity level. The required level of compliance depends on the sensitivity of the information the organization processes along the DoD supply chain.

While the structure may seem complex initially, understanding the 17 domains provides a clear roadmap for achieving CMMC Level 1 certification and establishing a foundation for stronger cybersecurity practices.


CMMC Level 1 Processes and Practices

CMMC Level 1 controls establish the foundational cybersecurity practices that all organizations handling Federal Contract Information (FCI) must implement. These practices are organized within the 17 CMMC domains, and they serve as the baseline for the organization’s cybersecurity maturity. Higher levels build on these practices with more advanced processes and integrations.

In the CMMC framework, practices are actionable steps that an organization must implement, while processes reflect how cybersecurity is integrated into the organizational culture. Processes are not measured by a simple checklist, but by the consistent execution and adoption of practices.

For Level 1, processes are not formally assessed. Instead, the focus is on performing the required practices. According to the CMMC:
“May only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation.” – CMMC Version 1.0, Page 5

The Level 1 practices correspond to basic cyber hygiene, aimed at protecting Federal Contract Information (FCI). These practices align with the basic safeguarding requirements specified in 48 CFR 52.204-21. By successfully implementing these practices, an organization achieves CMMC Level 1 certification, establishing a foundation for stronger cybersecurity across the DoD supply chain.


What Is Cyber Hygiene and Why It Matters for CMMC Level 1

Cyber hygiene refers to the routine practices that help maintain a secure and healthy IT environment, similar to how daily personal hygiene prevents illness. Just as brushing your teeth twice a day keeps your mouth healthy, regular cyber hygiene practices protect an organization’s systems and data from deterioration and vulnerabilities over time.

In the context of CMMC Level 1, cyber hygiene forms the foundation of basic safeguarding practices. These practices include tasks such as maintaining an accurate inventory of software and hardware assets, performing continuous vulnerability scanning, applying security patches, and managing user access controls. By consistently implementing these measures, organizations can meet the CMMC Level 1 requirements and ensure the protection of Federal Contract Information (FCI).

For a deeper dive, read our complete guide on cyber hygiene to learn how these practices support stronger cybersecurity across all CMMC levels.


CMMC Level 1 Controls: The Six Core Domains

After understanding the CMMC model, its domains, and the associated processes and practices, it’s important to explore the specific CMMC Level 1 controls. These controls define the baseline cybersecurity requirements for organizations handling Federal Contract Information (FCI) along the DoD supply chain.

CMMC Level 1 represents the most basic compliance level. Even for organizations handling more sensitive data, the maturity model builds cumulatively, meaning that practices and processes from Level 1 must be implemented before progressing to higher levels. In other words, mastering Level 1 controls is the essential first step toward full CMMC compliance.

Of the 17 CMMC domains, only six domains are assessed for Level 1 certification:

  1. Access Control (AC) – Restricting access to FCI to authorized users only.
  2. Identification and Authentication (IA) – Ensuring proper identity verification for users and systems.
  3. Media Protection (MP) – Safeguarding FCI stored on digital and physical media.
  4. Physical Protection (PE) – Securing physical access to areas where FCI is processed or stored.
  5. System and Communications Protection (SC) – Implementing basic network and system protections to prevent unauthorized access.
  6. System and Information Integrity (SI) – Monitoring systems for vulnerabilities, malware, and integrity issues.

Understanding these six domains and implementing the corresponding practices forms the foundation of CMMC Level 1 certification.


CMMC Level 1: Access Control Domain

The Access Control (AC) domain ensures that only authorized users, devices, and processes can access your organization’s systems and networks. This includes managing administrative privileges, limiting access based on user responsibilities, and securing both remote and internal system connections. Proper access control is a key component of CMMC Level 1 compliance.

The Level 1 practices under the Access Control domain, according to the CMMC, include:

  1. AC.1.001 – Limit system access to authorized users, processes, or devices
    Implementation: Use strong password or PIN protection on all devices and systems.
  2. AC.1.002 – Limit access to authorized transactions and functions
    Implementation: Enforce controlled user rights, such as proper use of administrative privileges.
  3. AC.1.003 – Verify and control connections to external information systems
    Implementation: Use only organizational Wi-Fi and connectivity; avoid public or unauthorized networks.
  4. AC.1.004 – Control information posted or processed on publicly accessible systems
    Implementation: Limit sharing capabilities and use password protection on cloud services and other public systems.

Implementing these practices ensures that access to sensitive data is tightly controlled, forming a critical part of CMMC Level 1 controls.


CMMC Level 1: Identification and Authentication (IA) Domain

The Identification and Authentication (IA) domain ensures that all users, processes, and devices accessing your organization’s systems can be uniquely identified and verified. This is critical for accountability, reporting, and maintaining the integrity of CMMC Level 1 controls. Proper IA practices prevent unauthorized access and help protect Federal Contract Information (FCI).

The Level 1 practices under the IA domain, according to the CMMC, include:

  1. IA.1.076 – Identify users, processes, or devices
    Implementation: Create individual accounts for all personnel and prohibit password sharing.
  2. IA.1.077 – Authenticate users, processes, or devices
    Implementation: Change default passwords on all devices (mobile, desktop, etc.) and ensure all devices are password-protected before granting access to organizational systems.

Following these IA practices ensures that only authenticated personnel and devices can access sensitive information, reinforcing the foundation of CMMC Level 1 compliance.


CMMC Level 1: Media Protection (MP) Domain

The Media Protection (MP) domain ensures that organizations can identify, track, and safeguard all media, including both digital and physical formats. This includes policies for protecting, sanitizing, and securely transporting media—such as USB drives or storage devices that leave the premises or are no longer needed.

Level 1 practice:

  1. MP.1.118 – Sanitize or destroy media containing Federal Contract Information (FCI) before disposal or reuse
    Implementation: Shred physical documents no longer in use, and perform multiple secure data erasures on digital media before disposal.


CMMC Level 1: Physical Protection (PE) Domain

The Physical Protection (PE) domain focuses on safeguarding physical assets, such as server rooms, desktop terminals, and storage locations. It also addresses visitor management to prevent unauthorized access or insider threats.

Level 1 practices:

  1. PE.1.131 – Limit physical access to information systems and equipment
    Implementation: Designate public and private areas where devices are only accessible to authorized personnel.
  2. PE.1.132 – Escort and monitor visitors
    Implementation: Ensure all visitors are supervised while on premises.
  3. PE.1.133 – Maintain audit logs of physical access
    Implementation: Use sign-in/sign-out sheets, keycard logs, or CCTV to track access.
  4. PE.1.134 – Control and manage physical access devices
    Implementation: Restrict the number of personnel who can disable security systems (e.g., CCTV or electronic locks).


CMMC Level 1: System and Communications Protection (SC) Domain

The System and Communications Protection (SC) domain requires organizations to secure communication channels at system boundaries. This includes firewalls, subnetting, and other measures to prevent unauthorized access to networks and systems.

Level 1 practices:

  1. SC.1.175 – Monitor, control, and protect organizational communications at external and key internal boundaries
    Implementation: Configure firewalls to block unauthorized internet traffic and ensure all devices are within the protected network boundaries.
  2. SC.1.176 – Implement subnetworks for publicly accessible system components
    Implementation: Avoid directly connecting internal servers to the internet. Use secure web hosting or consult cybersecurity specialists (e.g., RSI Security) to safely manage open access if required.
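The two SC practices above can be checked mechanically against a boundary firewall policy. The following Python script is an added example, not code from RSI Security or the CMMC documentation: it takes an ordered list of firewall rules and reports where the policy fails SC.1.175 (inbound traffic not ending in a default deny, or allowed without a destination restriction) or SC.1.176 (an inbound allow that lands in the internal network instead of the separate subnet for publicly accessible components). The rule format, the network addresses and the two sample policies are constructed for illustration.

```python
"""Added example (not from RSI Security or the CMMC documentation): checks a
constructed boundary-firewall policy against CMMC practices SC.1.175 and
SC.1.176. The rule dictionary format, network names and addresses are assumptions."""
import ipaddress

# Assumed network layout: the internal LAN that holds FCI, and a separate
# subnet for anything reachable from the internet (SC.1.176).
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
PUBLIC_SUBNET = ipaddress.ip_network("192.0.2.0/24")  # constructed documentation range


def check_boundary_policy(rules, internal_net=INTERNAL_NET, public_subnet=PUBLIC_SUBNET):
    """Return a list of (practice_id, message) issues found in the policy.

    `rules` is an ordered list of dicts with keys:
      action: "allow" | "deny"
      direction: "inbound" | "outbound"
      dst: a CIDR string or "any"
      port: an int or "any"
    Rules are evaluated in order, so the last inbound rule is the fallback.
    """
    issues = []
    inbound = [r for r in rules if r["direction"] == "inbound"]

    # SC.1.175: the inbound chain must end in a catch-all deny so that anything
    # not explicitly allowed is blocked at the boundary.
    if not inbound or inbound[-1]["action"] != "deny" or inbound[-1]["dst"] != "any":
        issues.append(("SC.1.175", "inbound policy does not end in a default deny"))

    for r in inbound:
        if r["action"] != "allow":
            continue
        if r["dst"] == "any":
            issues.append(("SC.1.175",
                           f"inbound allow on port {r['port']} has no destination restriction"))
            continue
        dst = ipaddress.ip_network(r["dst"])
        # SC.1.176: internet-facing services belong in the separate public subnet,
        # never directly on the internal network.
        if dst.overlaps(internal_net):
            issues.append(("SC.1.176", f"inbound allow to {dst} exposes the internal network"))
        elif not dst.subnet_of(public_subnet):
            issues.append(("SC.1.176", f"inbound allow to {dst} is outside the public subnet"))
    return issues


# Constructed sample policies (not real configurations).
WEAK_POLICY = [
    {"action": "allow", "direction": "inbound", "dst": "10.10.5.20/32", "port": 3389},
    {"action": "allow", "direction": "inbound", "dst": "any", "port": 80},
    {"action": "allow", "direction": "outbound", "dst": "any", "port": "any"},
]

HARDENED_POLICY = [
    {"action": "allow", "direction": "inbound", "dst": "192.0.2.10/32", "port": 443},
    {"action": "deny", "direction": "inbound", "dst": "any", "port": "any"},
    {"action": "allow", "direction": "outbound", "dst": "any", "port": "any"},
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} policy ==")
        for practice, message in check_boundary_policy(policy) or [("OK", "no issues")]:
            print(f"{practice:10} {message}")
```

The weak policy fails on all three counts: it has no default deny, it allows RDP straight into the internal network, and it allows port 80 to any destination. The hardened policy allows only HTTPS to a host in the public subnet and then denies everything else, which is the shape SC.1.175 and SC.1.176 ask for.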


CMMC Level 1: System and Information Integrity (SI) Domain

The System and Information Integrity (SI) domain ensures that organizations manage flaws, vulnerabilities, and malicious content within information systems. This includes patch management, antivirus protection, monitoring, and general data hygiene.

Level 1 practices:

  1. SI.1.210 – Identify, report, and correct system flaws in a timely manner
    Implementation: Regularly update systems, enable auto-updaters, and remove unsupported applications.
  2. SI.1.211 – Protect against malicious code
    Implementation: Install reputable antivirus software and use secure email platforms with built-in malware protection.
  3. SI.1.212 – Update malicious code protection mechanisms
    Implementation: Ensure antivirus and firewalls are kept current with the latest updates.
  4. SI.1.213 – Perform periodic and real-time system scans
    Implementation: Enable frequent virus scans (at least weekly) and scan files from external sources as they are downloaded, opened, or executed.
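Several of the Level 1 implementation notes above (individual accounts under IA.1.076, changed default passwords under IA.1.077, controlled administrative rights under AC.1.002, removal of unsupported applications under SI.1.210, and at-least-weekly scans under SI.1.213) describe checks that can be run against an asset and account inventory, which is the routine cyber hygiene described earlier in the article. The script below is an added example, not code from RSI Security or the CMMC documentation: it runs a constructed inventory through those checks and produces a list of gaps keyed by practice ID. The record format, field names, the seven-day scan threshold and the sample data are assumptions chosen for illustration.

```python
"""Added example (not from RSI Security or the CMMC documentation): a small
self-check that runs constructed inventory records against a few CMMC Level 1
practices from the AC, IA and SI domains. The inventory format, field names,
thresholds and sample data are assumptions; a real assessment would feed this
from an asset and identity system of record."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Account:
    name: str
    owner: str             # person the account belongs to ("" means nobody)
    is_admin: bool = False
    shared: bool = False   # true when more than one person uses the login


@dataclass
class Device:
    hostname: str
    default_password_changed: bool
    last_av_scan: date
    unsupported_software: list = field(default_factory=list)


# Assumed threshold; the SI.1.213 note above says scans should be at least weekly.
MAX_SCAN_AGE = timedelta(days=7)


def level1_findings(accounts, devices, approved_admins, today):
    """Return a list of (practice_id, subject, message) tuples, one per gap found."""
    findings = []
    for acct in accounts:
        # IA.1.076: every user must be individually identifiable, so shared or
        # ownerless logins are a gap.
        if acct.shared or not acct.owner:
            findings.append(("IA.1.076", acct.name, "shared or ownerless account"))
        # AC.1.002: administrative privilege only where it has been approved.
        if acct.is_admin and acct.owner not in approved_admins:
            findings.append(("AC.1.002", acct.name,
                             f"admin rights not approved for {acct.owner or 'nobody'}"))
    for dev in devices:
        # IA.1.077: vendor default credentials must be replaced before use.
        if not dev.default_password_changed:
            findings.append(("IA.1.077", dev.hostname, "default password still in place"))
        # SI.1.210: unsupported applications cannot receive fixes and should be removed.
        for app in dev.unsupported_software:
            findings.append(("SI.1.210", dev.hostname, f"unsupported application {app}"))
        # SI.1.213: periodic scans must actually be happening.
        age = today - dev.last_av_scan
        if age > MAX_SCAN_AGE:
            findings.append(("SI.1.213", dev.hostname, f"last scan {age.days} days ago"))
    return findings


def summarize(findings):
    """Count findings per practice ID so a gap report can be prioritised."""
    counts = {}
    for practice, _, _ in findings:
        counts[practice] = counts.get(practice, 0) + 1
    return counts


# Constructed sample inventory (not real systems or people).
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice Example", is_admin=True),
    Account("bob", "Bob Example"),
    Account("frontdesk", "", shared=True),
    Account("svc_backup", "Carol Example", is_admin=True),
]
SAMPLE_DEVICES = [
    Device("ws-01", True, date(2024, 3, 1)),
    Device("ws-02", False, date(2024, 2, 10), ["legacy-viewer 1.2"]),
    Device("nas-01", True, date(2024, 3, 3)),
]
APPROVED_ADMINS = {"Alice Example"}
TODAY = date(2024, 3, 5)

if __name__ == "__main__":
    results = level1_findings(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, APPROVED_ADMINS, TODAY)
    for practice, subject, message in results:
        print(f"{practice:10} {subject:12} {message}")
    print(summarize(results))
```

On the sample data the script reports five gaps: the shared front-desk login, an unapproved administrator, and one workstation that still has its default password, runs an unsupported application and has not been scanned in over three weeks. Each finding carries the practice ID so the gap can be traced back to the corresponding Level 1 control.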


CMMC Level 1 Certification and C3PAO Guidance

As the DoD transitions from NIST SP 800-171 self-assessments to the CMMC framework, all vendors and contractors must now obtain certification through a Certified Third-Party Assessment Organization (C3PAO). This ensures that cybersecurity practices are independently validated and meet the required CMMC Level 1 controls for protecting Federal Contract Information (FCI).

RSI Security is in the process of becoming a certified C3PAO, providing trusted guidance for organizations seeking CMMC Level 1 compliance. Whether you are preparing for your first assessment or looking to strengthen your cybersecurity posture, our team offers a full range of services to help you achieve compliance efficiently and effectively.

Don’t wait until the deadline; book a free consultation with RSI Security today to start your journey toward CMMC Level 1 certification and secure your place in the DoD supply chain.



