Cybersecurity Maturity Model Certification Level 1 (CMMC level 1)

The Cybersecurity Maturity Model Certification Level 1 is designed to help organizations establish the framework for cybersecurity maturity. This certification level requires that an organization have a documented risk management plan with defined roles and responsibilities, along with written policies on data classification and protection. The goal of this certification is not only to protect against cyber threats but also maintain compliance standards set by legislation such as HIPAA, PCI DSS, or GDPR.

The Cybersecurity Maturity Model Certification levels are based on a system increasing from level one (least) to five (most).

The CMMC is designed to certify and measure the levels of maturity in an organization’s Cybersecurity Program.

The ultimate goal of the Cybersecurity Maturity Model Certification is to provide protection for two types of information:

• Confidential digital information such as private emails, financial records, and data collected through work.
• Non-digital assets that are physically present at your site or elsewhere (e.g., research files).

CMMC level 1 Process Maturity and Practice

Processes: Performed

Level 1 is the entry level certification. Institutions at this level may or may not follow a written cyber security policy, but are able to demonstrate their compliance with specific best practices.

Practices: Basic Cyber Hygiene

Basic Level 1 includes only those practices corresponding to the minimum system safeguarding requirements offered in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”)

CMMC level 1 Assessment and Certification

The CMMC assessment process provides a way to confirm that contractors meet the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21, with certified assessors using the same methods across all assessments. When an applicant is assessed and deemed at Level 1, other entities can be assured of meeting practices set forth by this certification – governments sponsors looking to hire subcontractors are no exception!

• Contractor Size – The CMMC assessment methodology is designed so that all contractors can achieve the highest level of security. No matter what size, constraints or complexity a contractor has to work with – they will be able to meet and maintain their high standards for data protection
• Assessment Scope – Prior to a CMMC assessment, the contractor must define an appropriate scope for the assessment that will represent the boundary on which their certification is valid. Additional guidance can be found in future versions of this guidebook and through working with our experts at your service center.

CMMC level 1 Assessment Criteria and Methodology

• Criteria – An assessment of a practice begins with an objective. Objective criteria are provided for each Level 1 practice and based on existing standards such as NIST SP 800-171, which is authoritative in providing the basis to assess practices.
• Methodology – The primary deliverable of an assessment is a thorough, objective report that summarizes the findings associated with your business practices. Because these assessments are so detailed and rigorous, it’s important to have evidence from Level 1 Practices in order for you to be verified by a Certified Assessor. Your objectives can be met in many different ways, including documentation, computer configuration, network configurations and training. Certified Assessors are required to use a variety of techniques when determining if the contractor meets your Level 1 practices from NIST SP 800-171A. The assessors will follow guidance provided by that document with regard to which assessment methods they should use:

Organizations should not feel constrained by the assessment procedures in this publication when determining how to perform an assessment. Organizations [Certified Assessors] have flexibility and can decide which methods will provide them with the desired results. This determination is based on their budget constraints, as well as level of assurance needed for assessing a site or object

Who Is Interviewed – The Certified Assessor has discussions with individuals within the contractor to understand if a practice has been addressed. Interviews of applicable staff (possibly at different organizational levels) determine whether Level 1 practices are implemented as well as if adequate resources, training, and planning have occurred for individuals to perform the practices.

What Is Examined – The examination process often includes inspection, observation and analysis of assessment objects. These items can include documents, mechanisms or activities.

For some practices, the Certified Assessor reviews documentation to determine if assessment objectives are met. Interviews with contractor staff may identify the documents they use and can provide insight on what is needed for evidence. Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible as evidence because they have not yet been finalized and could still change before being submitted officially.

• policy, process, and procedure documents
• training materials;
• plans and planning documents; and
• system-level, network, and data flow diagrams.

The list of documents is not exhaustive. For a truly complete assessment, it’s best to observe how staff are following processes and view hardware or configuration information associated with the safeguards in place.

By testing their implementation, contractors are able to identify any discrepancies in the process. Interviews provide information on how staff believe a particular practice is done and documentation provides evidence of this intent, but seeing it happen for oneself can confirm that it’s being executed appropriately. This ensures there will be no discrepancy between what was intended and what is actually performed by contractor staff – making all three sources complementary rather than at odds with one another when evaluating an organization’s progress towards compliance.

A CMMC practice or process can be evaluated on one of three levels. The assessment will consist of a finding that the measure is either MET, NOT MET, or NOT APPLICABLE to achieve Level 1 status for this specific category.

 

 

CMMC Level 1 Practice Descriptions

• Identifier and Practice Statement: is headed by the practice identifier in the format Domain.Level.Number (e.g., AC.1.001) and followed by the CMMC practice statement.
• Assessment Objectives [NIST SP 800-171A]: identifies the specific list of objectives that must be met to receive MET for the practice as defined in NIST SP 800-171A.
• Potential Assessment Methods and Objects [NIST SP 800-171A]: defines the nature and the extent of the Certified Assessor’s actions as defined in NIST SP 800-171A. The methods include examine, interview, and test. Assessment objects identify the items being assessed and can include specifications, mechanisms, activities, and individuals.
• Discussion [NIST SP 800-171 R2]: contains discussion written by NIST2 for the associated NIST SP 800-171 security requirement. CMMC Level 1 aligns with FAR Clause 52.204-21, which focuses on FCI, and the NIST text has been modified to reflect this.

CMMC level 1 Access Control Practices

• AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
• AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
• AC.1.003 – Verify and control/limit connections to and use of external information systems.
• AC.1.004 – Control information posted or processed on publicly accessible information systems.

CMMC level 1 Identification and Authentication (IA)

• IA.1.076 – Identify information system users, processes acting on behalf of users, or devices.
• IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

CMMC level 1 Media Protection (MP)

• MP.1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

CMMC level 1 Physical Protection (PE)

• PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
• PE.1.132 – Escort visitors and monitor visitor activity
• PE.1.133 – Maintain audit logs of physical access.
• PE.1.134 – Control and manage physical access devices.

CMMC level 1 System and Communications Protection (SC)

• SC.1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
• SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

CMMC level 1 System and Information Integrity (SI)

• SI.1.210 – Identify, report, and correct information and information system flaws in a timely manner.
• SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems.
• SI.1.212 – Update malicious code protection mechanisms when new releases are available.
• SI.1.213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.