Are you already CMMC Level 1 compliant? Find out what’s required:
To verify and validate that a contractor is meeting CMMC practices, evidence needs to exist demonstrating that the contractor has fulfilled the objectives of the Level 1 practices below. Because different self-assessment objectives can be met in different ways (e.g., through documentation, computer configuration, network configuration, or training), a variety of techniques may be used, including interviewing, testing, or examining policy, process, and procedure documents; training materials; plans and planning documents; and system, network, and data flow diagrams.
Carefully read each of the Practice Statements and Assessment Objectives below. If you cannot provide evidence demonstrating how your organization meets each of the Assessment Objectives, then you are not currently CMMC Level 1 compliant.
(i) AC.L1-3.1.1 – Authorized Access Control
Authorized users are identified
Processes acting on behalf of authorized users are identified
Devices (and other systems) authorized to connect to the system are identified
System access is limited to authorized users
System access is limited to processes acting on behalf of authorized users
System access is limited to authorized devices (including other systems)
(ii) AC.L1-3.1.2 – Transaction & Function Control
The types of transactions and functions that authorized users are permitted to execute are defined
System access is limited to the defined types of transactions and functions for authorized users
(iii) AC.L1-3.1.20 – External Connections
Connections to external systems are identified
The use of external systems is identified
Connections to external systems are verified
The use of external systems is verified
Connections to external systems are controlled/limited
The use of external systems is controlled/limited
(iv) AC.L1-3.1.22 – Control Public Information
Individuals authorized to post or process information on publicly accessible systems are identified
Procedures to ensure FCI is not posted or processed on publicly accessible systems are identified
A review process is in place prior to posting of any content to publicly accessible systems
Content on publicly accessible systems is reviewed to ensure that it does not include FCI
Mechanisms are in place to remove and address improper posting of FCI
(v) IA.L1-3.5.1 – Identification
System users are identified
Processes acting on behalf of users are identified
Devices accessing the system are identified
(vi) IA.L1-3.5.2 – Authentication
The identity of each user is authenticated or verified as a prerequisite to system access
The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access
The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access
(vii) MP.L1-3.8.3 – Media Disposal
System media containing FCI is sanitized or destroyed before disposal
System media containing FCI is sanitized before it is released for reuse
(viii) PE.L1-3.10.1 – Limit Physical Access
Authorized individuals allowed physical access are identified
Physical access to organizational systems is limited to authorized individuals
Physical access to equipment is limited to authorized individuals
Physical access to operating environments is limited to authorized individuals
(ix-a) PE.L1-3.10.3 – Escort Visitors
Visitors are escorted
Visitor activity is monitored
(ix-b) PE.L1-3.10.4 – Physical Access Logs
Audit logs of physical access are maintained
(ix-c) PE.L1-3.10.5 – Manage Physical Access
Physical access devices are identified
Physical access devices are controlled
Physical access devices are managed
(x) SC.L1-3.13.1 – Boundary Protection
The external system boundary is defined
Key internal system boundaries are defined
Communications are monitored at the external system boundary
Communications are monitored at key internal boundaries
Communications are controlled at the external system boundary
Communications are controlled at key internal boundaries
Communications are protected at the external system boundary
Communications are protected at key internal boundaries
(xi) SC.L1-3.13.5 – Public Access System Separation
Publicly accessible system components are identified
Subnetworks for publicly accessible system components are physically or logically separated from internal networks
(xii) SI.L1-3.14.1 – Flaw Remediation
The time within which to identify system flaws is specified
System flaws are identified within the specified time frame
The time within which to report system flaws is specified
System flaws are reported within the specified time frame
The time within which to correct system flaws is specified
System flaws are corrected within the specified time frame
(xiii) SI.L1-3.14.2 – Malicious Code Protection
Designated locations for malicious code protection are identified
Protection from malicious code at designated locations is provided
(xiv) SI.L1-3.14.4 – Update Malicious Code Protection
Malicious code protection mechanisms are updated when new releases are available
(xv) SI.L1-3.14.5 – System & File Scanning
The frequency for malicious code scans is defined
Malicious code scans are performed with the defined frequency
Real-time malicious code scans of files from external sources are performed as files are downloaded, opened, or executed
Not compliant? Not to worry, our course can get you CMMC Level 1 compliant quickly and affordably.