CMMC Level 1 Overview - Basic Cyber Hygiene

CMMC Level 1 focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as information necessary to process payments.”

This level consists of 6 Domains, containing 9 Capabilities and requiring 17 Practices to be active and integrated within the company operations in order to comply with 48 CFR 52.204-21.  There are no Processes required to be documented at this level, only Practices. These Domains, Capabilities and Practices for Level 1 are identified below: 

I. Domain – Access Control (AC) 
a. 3 Capabilities, 4 Practices 
1. Establish system access capabilities (C001) 
– AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)  
2. Control internal system access (C002) 
– AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 
– AC.1.003 – Verify and control and/or limit connections to, and use of, external information systems. 
3. Limit data access to authorized users and processes (C004) 
– AC.1.004 – Control Information Posted or Processed on Publicly Accessible Information Systems 

II. Domain – Identification and Authentication (IA) 
a. 1 Capability, 2 Practices 
1. Grant access to authenticated entities (C015) 
– IA.1.076 – Identify Information System Users, Processes Acting on Behalf of Users and Devices 
– IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems

III. Domain – Media Protection (MP) 
a. 1 Capability, 1 Practice 
1. Sanitize Media (C024) 
– MP.1.118 – Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse 

IV. Domain – Physical Protection (PE) 
a. 1 Capability, 4 Practices 
1. Limit physical access (C028) 
– PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 
– PE.1.132 – Escort Visitors and Monitor Visitor Activity 
– PE.1.133 – Maintain Audit Logs of Physical Access 
– PE.1.134 – Control and Manage Physical Access Devices 

V. Domain – System and Communication Protections (SC) 
a. 1 Capability, 2 Practices 
1. Control communications at system boundaries (C039) 
– SC.1.175 – Monitor, control, and protect organizational communications (i.e., Information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems. 
– SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks 

VI. Domain – System and Information Integrity (SI) 
a. 2 Capabilities, 4 practices 
1. Identify and Manage Information System Flaws (C040) 
– SI.1.210 – Identify, Report and Correct Information and Information System Flaws in a Timely Manner
2. Identify Malicious Content (C041) 
– SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems. 
– SI.1.212 – Update Malicious Code Protection Mechanisms When New Releases are Available. 
– SI.1.213 – Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened or executed.