CMMC includes 17 capability domains and five (5) processes. Level 1 contains NO processes and only six (6) capability domains. In a recent CMMC webinar that BEI participated in, Katie Arrington, CISO for the Under Secretary of Defense for Acquisition & Sustainment and self-proclaimed “mommy” of CMMC said that 96% of contracts would require only Level 1 certification. So almost everyone in the govcon world needs to address Level 1 – let’s get going!
What does CMMC Level 1 include?
CMMC Level 1 is all about protecting Federal Contract Information—FCI. According to Federal Acquisition Regulation 48 CFR 52.204-21, FCI means “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”
The six (6) domains covered in Level 1 certification include 17 practices, all gleaned from CFR 52.204-21. You need to perform the practices but only document them when required. However, you will have to prove you are performing the essential practices needed to safeguard your information systems when your CMMC Certified Third-Party Assessment Organization (C3PAO) comes to certify you.
The six (6) domains included in CMMC Level 1 are Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, and Systems & Information Integrity. We’ll consider which Level 1 practices are required by each domain.
There are four (4) practices in this domain. CMMC identifies them as AC.1.001, AC.1.002, AC.1.003, and AC.1.004.
AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Keep in mind, these systems aren’t the library or your house. No one should be able to walk-up and access your computers. None of your devices should plug directly into your network. What might this include or look like?
- Create a user name and password for new users to use on company assets
- Remember to terminate users in your information systems by removing their access
- Only allow company assets (computers, printers, scanners) to connect to your network
AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Think about this the same way you would about basic need-to-know rules. Maybe Bob from Accounting should be able to see payroll files, and Sue in Human Resources should not. Therefore ou can establish these access controls through role or account-based access policies and account creation. Be mindful and purposeful with your account creation and only give people access to things they need to complete their specific job functions and role.
AC.1.003: Verify and control/limit connections to and use of external information systems.
Connections to external systems is a task for your information systems security officer or your IT department. It’s multi-faceted. You need to educate your employees about what information systems they can use to work on FCI information—not via their personal devices. It means keeping uncontrolled applications and devices (like personal laptops, phones or tablets) from connecting to your company network. This connection could be a separate Internet circuit with WiFi in your office for people to use. It also means limiting access from company computers and systems to external systems that you can’t control.
AC.1.004: Control information posted or processed on publicly accessible information systems
This is all about respecting the nature of FCI. This information isn’t for the public, so don’t make it public. If you control public-facing and accessible information systems like a website, you must ensure FCI is protected.
Identification and Authentication
There are two (2) practices in this domain. CMMC identifies them as IA.1.076 and IA.1.077.
IA.1.076: Identify information system users, processes acting on behalf of users, or devices
This one makes me think about one of the songs on Wa Wa Wubzy about kids being unique. The song goes, “Kate is Kate and that is great, Pete is Pete and that is neat!” It’s silly but helpful. Everyone should have their own unique ID. No one should be sharing common logins. This may seem fairly standard, but we still see shared logins in healthcare or with certain shared machines like a conference room desktop. Everyone needs to be able to login to those machines as their unique self.
IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
This one may seem redundant or sounds like Authentication 101. It was basically covered in the previous control by creating that unique account for each user and then under the Access Control practices. However, you also need to remember to remove default usernames and passwords for systems.
There is only one (1) practice in this domain. CMMC identifies it as MP.1.118.
MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Remember that scene in Office Space where the guys are going to town on the printer? Kicking and destroying the printer with a baseball bat might be cathartic, but it’s not quite far enough. A computer hard drive or removable media can either be cleaned or purged to reuse, or it needs to be destroyed. There are so many services today that will destroy hard drives and other media for you. It’s inexpensive and you can receive a Certificate of Destruction to prove the media was destroyed. Think of it as an insurance policy.
There are four (4) practices in this domain. CMMC identifies them as PE.1.131, PE.1.132, PE.1.133, and PE.1.134.
PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
This is easy – Lock your door. If you have removable media, you should also put it behind a locked door.
PE.1.132 Escort visitors and monitor visitor activity.
Of course you aren’t going to let strangers walk around your office. But what about your cleaning crew? Do they have the keys to your locked office? What about your CEO’s brother—does he get free roaming rights? Anyone who is not an employee needs to be monitored and/or escorted.
PE.1.133: Maintain audit logs of physical access.
Typically this is a written sign-in sheet for guests with in and out times and electronic access cards for your employees. You can imagine other variations, but you need to log who is coming and going in your space.
PE.1.134: Control and manage physical access devices.
Those of us in the security world have a ranking system of physical access devices. Card readers trump all because they tell you who is entering the space. Cards and fobs are getting easier to copy, but they are still not as easy to copy as a key and nothing is easier to give away than a combo. Keys and combos aren’t all bad. They are a great added layer to card readers. Think of it like physical security multi-factor authentication! Regardless of what you use, you need to manage physical access devices and track who has access.
System and Communications Protection
There are two (2) practices in this domain. CMMC identifies them as SC.1.175 and SC.1.176.
SC.1.175: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
The examples given by DoD in CMMC include both a firewall and a web proxy. This control is meant to keep people from accessing systems or websites you don’t want them to and it also stops undesirable traffic from the internet or even another part of your network. Which flows nicely into the next control…
SC.1.176: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Subnetworks are often referred to as DMZs (demilitarized zone) and sometimes called perimeter networks or screened subnets. A lot of times companies will place a firewall between areas of the internal network to protect an area of the network. The DMZ area might contain a mail or FTP server (yes people still use these) or even a web server. While the other area of the network would have your intranet and workstations. On your home network, if you work there, you might consider setting up a DMZ to put devices on like your Xbox. It’s possible you don’t need a DMZ, but just be able to explain why.
System and Information Integrity
There are four (4) practices in this domain. CMMC identifies them as SI.1.210, SI.1.211, SI.1.212, SI.1.213.
SI.1.210: Identify, report, and correct information and information system flaws in a timely manner.
You need to ensure you are installing security patches and critical updates for your operating system, software, and hardware. You should turn some of this on automatically and ensure you receive updates from vendors about any vulnerabilities that need to be patched immediately.
SI.1.211: Provide protection from malicious code at appropriate locations within organizational information systems.
Make sure you have a good anti-virus and anti-malware software installed on all your devices. Don’t use free software—you get what you pay for!
SI.1.212: Update malicious code protection mechanisms when new releases are available.
Turn on updates for anti-malware and AV software. That’s it. Very simple.
SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
In the previous control, you set your anti-virus and anti-malware software to update regularly. This will update virus signatures in case anything new comes into your system. However, you should also scan your system regularly to see if any existing files contain anything malicious and you should scan devices like USB drives before accessing their contents.
Is Level 1 really that easy?
Our hope is Level 1 doesn’t sound too complicated. It’s not a huge hurdle. Chances are you are already doing most of these things and might just need a few tweaks. If you noticed a gaping hole, it’s probably not a difficult fix, especially if you have kept things simple. We are always around to answer questions as they come up, so please don’t hesitate to reach out to us.