Introduction to CMMC Level 1
The Cybersecurity Maturity Model Certification (CMMC) provides a standardized approach for evaluating the cybersecurity posture of defense industrial base (DIB) contractors and subcontractors. The process is designed to ensure that these organizations practice good cyber hygiene and adequately protect sensitive information in accordance with the CMMC framework.
Organizations seeking certification (OSC) must understand what compliance and certification entail before CMMC 2.0 requirements “go live” in May 2023. The following blog outlines CMMC Level 1.
CMMC Level 1 Requirements
CMMC Level 1 requires contractors handling FCI (defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public or simple transactional information) to meet 17 practice requirements from six categories or domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, Systems, and Communication Protection, and System and Information Integrity.
Each of the following must be ‘met’ for a contractor to obtain CMMC Level 1 certification:
AC.L1-3.1.1 (Access Control - Authorized Access Control)
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. AC.L1-3.1.2 (Access Control - Transaction and Function Control)
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. AC.L1-3.1.20 (Access Control - External Connections)
Verify and control/limit connections to and use of external information systems.
4. AC.L1-3.1.22 (Access Control - Control Public Information)
Control information posted or processed on publicly accessible information systems.
5. A.L1-3.5.1 (Identification and Authentication - Identification)
Identify information system users, processes acting on behalf of users, or devices.
6. IA.L1-3.5.2 (Identification and Authentication - Authentication)
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. MP.L1-3.8.3 (Media Protection - Media Disposal)
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. PE.L1-3.10.1 (Physical Protection - Limit Physical Access)
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. PE.L1-3.10.3 (Physical Protection - Escort Visitors)
Escort visitors and monitor visitor activity.
10. PE.L1-3.10.4 (Physical Protection - Physical Access Logs)
Maintain audit logs of physical access.
11. PE.L1-3.10.5 (Physical Protection - Manage Physical Access)
Control and manage physical access devices.
12. SC.L1-3.13.1 (System and Communications Protection - Boundary Protection)
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
13. SC.L1-3.13.5 (System and Communications Protection - Public-Access System Separation)
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
14. SI.L1-3.14.1 (System and Information Integrity - Flaw Remediation)
Identify, report, and correct information and information system flaws in a timely manner.
15. SI.L1-3.14.2 (System and Information Integrity - Malicious Code Protection)
Provide protection from malicious code at appropriate locations within organizational information systems.
16. SI.L1-3.14.4 (System and Information Integrity - Update Malicious Code Protection)
Update malicious code protection mechanisms when new releases are available.
17. SI.L1-3.14.5 (System and Information Integrity - System and File Scanning)
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Assessment
While contractors can use outside support (like a Certified CMMC Professional or even C3PAO), CMMC Level 1 compliance is ultimately self-assessed and the contractor's responsibility. Contractors scope, evaluate, and collect evidence of their compliance using the CMMC Level 1 Assessment Guide, based on the assessment guidelines described in NIST Special Publication (SP) 800-171A Section 2.1 and whose practices align with FAR Clause 52.204-21.
The Assessment Guide contains practice descriptions and provides procedural guidance for evaluating organizational uptake of required practices.
(Self) assessors use assessment methods and objects to determine and record whether an organization conforms to a practice’s assessment objectives. The assessment results are called assessment findings and are used to determine if the practice being evaluated has been satisfied. In other words, the assessment findings help to determine whether the practice meets the requirements or standards set out in the assessment objective. The three possible findings are met, not met, and not applicable. To achieve CMMC Level 1, a contractor needs a finding of met or not applicable on all required practices.
CMMC requires that Level 1 contractors gather information and evidence to verify each practice. Affirmation of compliance must be posted in the Supplier Performance Risk System (SPRS), and increasingly, only CMMC certified contractors will be eligible for Department of Defense (DoD) contracts. Therefore, proof of meeting CMMC practice objectives is critical for the success of Level 1 contractors.
Scope
The scope of the assessment is the information system in its operating environment where sensitive data (FCI) is stored. CMMC applies only to systems components that process, store, or transmit FCI. Assessment scope determines which assets within a contractor's environment will be evaluated and certified. While assessment scope can be limited to specific people, processes, and technology (units) within an organization, FCI is such a broad category of information that many Level 1 contractors may seek to certify their entire environment.
There are three types of assets to consider when scoping for CMMC Level 1 self-assessment: Federal Contract Information (FCI), specialized, and out-of-scope assets.
FCI assets process, store, or transmit FCI. These assets are subject to CMMC assessment.
Out-of-scope assets do not process, store, or transmit FCI. Therefore they fall outside of the CMMC self-assessment scope. There are no documentation requirements for out-of-scope assets.
Specialized Assets, such as government property, internet of things (IoT) and industrial internet of things (IIoT) devices, operational technology (OT), restricted information systems, and test equipment, are also not part of the CMMC self-assessment when properly documented.
To appropriately scope a CMMC Level 1 self-assessment, contractors should consider the people, technology, facilities, and external service providers (ESPs) within their environment that process, store, or transmit FCI. This includes employees, contractors, vendors, servers, client computers, mobile devices, and network appliances.
Identifying all FCI assets within the environment and any external service providers that may have access to FCI is essential to a successful and accurate self-assessment.
How does a contractor meet the required practices? Future blogs will explore this question further, but if you want to know more now, email us or book a meeting!