How to Prepare for CMMC Level 1
CMMC Level 1 is the lowest level of security controls required for a defense contractor to earn Cybersecurity Maturity Model Certification. This is considered the basic cybersecurity hygiene needed to safeguard Federal Contract Information (FCI).
What is Federal Contract Information (FCI)?
Federal Contract Information, from 48 Code of Federal Regulations (CFR) 52.204-21, is information that is not intended for public release. FCI is provided by the Department of Defense (DoD), or created under a contract, to develop or deliver a product or provide a service to the DoD. Not included under the FCI umbrella is information that’s provided by the DoD to the public (e.g., on public websites), or simple transactional information (e.g., information to process payments).
CMMC Level 1 Requirements
CMMC Level 1 represents the 17 “foundational” controls based on FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. CMMC Level 1 will be required for any contractor that holds a DoD contract and does not produce solely Commercial Off the Shelf (COTS) products. The vast majority of DoD contracts will require this level of compliance.
There are 17 controls that must be met to achieve CMMC Level 1, all of which are mapped directly to Federal Acquisition Regulation (FAR) 52.204-21.
CMMC Level 1 Practices
Here is how the 17 controls are broken down:
Access Control (AC)
- 1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- 1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute
- 1.003 – Verify and control/limit connections to and use of external information systems
- 1.004 – Control information posted or processed on publicly accessible information systems
Identification and Authentication (IA)
- 1.076 – Identify information system users, processes acting on behalf of users, or devices
- 1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
Media Protection (MP)
- 1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Physical Protection (PP)
- 1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
- 1.132 – Escort visitors and monitor visitor activity
- 1.133 – Maintain audit logs of physical access devices
- 1.134 – Control and manage physical access devices
System and Communications Protection (SC)
- 1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
- 1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
System and Information Integrity (SI)
- 1.210 – Identify, report, and correct information and information system flaws in a timely manner
- 1.211 – Provide protection from malicious code at appropriate locations within organizational information systems
- 1.212 – Update malicious code protection mechanisms when new releases are available
- 1.213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
CMMC Level 1 and Self-Assessment
Under CMMC 2.0, Level 1 does not require a certification assessment by a third party, because this level does not involve sensitive national security information. Instead, the contractor will be required to conduct a self-assessment on an annual basis. These annual self-assessments must be accompanied by an affirmation from a senior company official that the company is meeting the requirements; that official will be liable under the False Claims Act.