The CMMC Level 1 framework encompasses a comprehensive set of 17 controls designed to ensure robust security practices within an organization.
These controls cover various aspects of information security management, ranging from risk assessment and mitigation to data protection and incident response. By implementing these controls, businesses can establish a strong foundation for safeguarding their sensitive data and systems, while also promoting a culture of security awareness.
Each control is tailored to address specific vulnerabilities and threats, thereby enabling organizations to proactively defend against potential cyber risks and maintain the integrity, confidentiality and availability of their valuable assets.
DOMAIN: Access Control
CONTROL 1: Authorized Access Control
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Identify users, processes, and devices that are allowed to use company computers and can log on to the company network. Automated updates and other automatic processes should be associated with the user who initiated (authorized) the process. Limit the devices (e.g., printers) that can be accessed by company computers. Set up your system so that only authorized users, processes, and devices can access the company network.
- Authorized users are identified.
- System access is limited to authorized devices (including other systems).
- System access is limited to processes acting on behalf of authorized users.
- System access is limited to authorized users.
- Devices (and other systems) authorized to connect to the system are identified.
- Processes acting on behalf of authorized users are identified.
CONTROL 2: Transaction and Function Control
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Limit users to only the information systems, roles, or applications they are permitted to use and are needed for their roles and responsibilities. Limit access to applications and data based on the authorized users’ roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.
- The types of transactions and functions that authorized users are permitted to execute are defined
- System access is limited to the defined types of transactions and functions for authorized users
CONTROL 3: External Connections
Verify and control/limit connections to and use of external information systems.
Control and manage connections between your company network and outside networks. Outside networks could include the public internet, one of your own company’s networks that falls outside of your CyberReady Assessment Scope (e.g., an isolated lab), or a network that does not belong to your company.
Tools to accomplish this include firewalls and connection allow/deny lists. External systems not controlled by your company could be running applications that are prohibited or blocked.
Control and limit access to corporate networks from personally owned devices such as laptops, tablets, and phones. You may choose to limit how and when your network is connected to outside systems or only allow certain employees to connect to outside systems from network resources.
- Connections to external systems are identified
- The use of external systems is identified
- Connections to external systems are verified
- The use of external systems is verified
- Connections to external systems are controlled/limited
- The use of external systems is controlled/limited
CONTROL 4: Control Public Information
Control information posted or processed on publicly accessible information systems.
Do not allow data to become public – always safeguard the confidentiality of data by controlling the posting of data on company-controlled websites or public forums, and the exposure of data in public presentations or on public displays.
It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information. If data is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties.
- Individuals authorized to post or process information on publicly accessible systems are identified
- Procedures to ensure data is not posted or processed on publicly accessible systems are identified
- A review process is in place prior to posting of any content to publicly accessible systems
- Content on publicly accessible systems is reviewed to ensure that it does not include private data
- Mechanisms are in place to remove and address improper posting of private data.
DOMAIN: Identification and Authentication
CONTROL 5: Identification
Identify information system users, processes acting on behalf of users, or devices.
Make sure to assign individual, unique identifiers (e.g., usernames) to all users and processes that access company systems. Authorized devices also should have unique identifiers. Unique identifiers can be as simple as a short set of alphanumeric characters (e.g., SW001 could refer to a network switch, SW002 could refer to a different network switch).
- System users are identified
- Processes acting on behalf of users are identified
- Devices accessing the system are identified
CONTROL 6: Authentication
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Before you let a person or a device have access to your system, verify that the user or device is who or what it claims to be. This verification is called authentication. The most common way to verify identity is using a username and a hard-to-guess password.
Some devices ship with default usernames and passwords. For example, some devices ship so that when you first log on to the device, the username is “admin” and the password is “admin”. When you have devices with this type of default username and password, immediately change the default password to a unique password you create.
Default passwords may be well known to the public, easily found in a search, or easy to guess, allowing an unauthorized person to access your system.
- Identity of each user is authenticated or verified as a prerequisite to system access
- Identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access
- Identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
DOMAIN: Media Protection
CONTROL 7: Media Disposal
Sanitize or destroy information system media containing data before disposal or release for reuse.
"Media" refers to a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones.
It is important to know what information is on media so that you can handle it properly. If there is data, you or someone in your company should either:
- Shred or destroy the device before disposal so it cannot be read; or
- Clean or purge the information if you want to reuse the device.
- System media containing data is sanitized or destroyed before disposal; and
- System media containing data is sanitized before it is released for reuse.
DOMAIN: Physical Protection
CONTROL 8: Physical Protection
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
This addresses the company’s physical space (e.g., office, testing environments, equipment rooms), technical assets, and non-technical assets that need to be protected from unauthorized physical access. Specific environments are limited to authorized employees, and access is controlled with badges, electronic locks, physical key locks, etc.
Output devices, such as printers, are placed in areas where their use does not expose data to unauthorized individuals. Lists of personnel with authorized access are developed and maintained, and personnel are issued appropriate authorization credentials.
- Authorized individuals allowed physical access are identified
- Physical access to organizational systems is limited to authorized individuals
- Physical access to equipment is limited to authorized individuals
- Physical access to operating environments is limited to authorized individuals
CONTROL 9: Escort Visitors
Escort visitors and monitor visitor activity.
Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are always escorted by an employee while on the property.
- Visitors are escorted; and
- Visitor activity is monitored.
CONTROL 10: Physical Access Logs
Maintain audit logs of physical access.
Make sure you have a record of who accesses your facility (e.g., office, plant, factory).
You can do this in writing by having employees and visitors sign in and sign out or by electronic means such as badge readers.
Whatever means you use, you need to retain the access records for the time that your company has defined.
- Audit logs of physical access are maintained
CONTROL 11: Manage Physical Access
Control and manage physical access devices.
Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment.
Physical access devices are only strong protection if you know who has them and what access they allow.
Physical access devices can be managed using manual or automatic processes, such as a list of who is assigned which key, or updating the badge access system as personnel change roles.
- Physical access devices are identified
- Physical access devices are controlled
- Physical access devices are managed
DOMAIN: System and Communication Protection
CONTROL 12: Boundary Protection
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Fences, locks, badges, and key cards help keep non-employees out of your physical facilities. Similarly, your company’s IT network or system has boundaries that must be protected. Many companies use a web proxy and a firewall.
When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website.
A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company’s networks and information systems. Internal boundaries determine where data can flow; for instance, a software development environment may have its own boundary controlling, monitoring, and protecting the data that can leave that boundary.
You may want to monitor, control, or protect one part of the company network from another. This can also be accomplished with a firewall, and it limits the ability of attackers and disgruntled employees to enter sensitive parts of your internal network and cause damage.
- External system boundary is defined
- Key internal system boundaries are defined
- Communications are monitored at the external system boundary
- Communications are monitored at key internal boundaries
- Communications are controlled at the external system boundary
- Communications are controlled at key internal boundaries
- Communications are protected at the external system boundary
- Communications are protected at key internal boundaries
CONTROL 13: Public Access System Separation
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Separate the publicly accessible systems from the internal systems that need to be protected. Do not place internal systems on the same network as the publicly accessible systems and block access by default from DMZ networks to internal networks.
One method of accomplishing this is to create a DMZ network, which enhances security by providing public access to a specific set of resources while preventing connections from those resources to the rest of the IT environment.
Some contractors achieve a similar result through the use of a cloud computing environment that is separated from the rest of the company’s infrastructure.
- Publicly accessible system components are identified
- Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
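As an added illustration of Controls 12 and 13 (not part of the CMMC text or any assessor's tooling), the model below expresses the boundary rules in code: a DMZ for public-facing components, explicit allows at each boundary, and a default deny, so that nothing in the DMZ can reach the internal network unless a rule says otherwise. The zones, addresses, ports and rules are constructed for the example; a real deployment would write them in the firewall's own rule language.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone layout (documentation/private ranges); anything else is "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),       # publicly accessible components
    "internal": ip_network("10.10.0.0/16"),  # workstations, file servers, databases
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# Constructed policy, first match wins. There is deliberately no dmz -> internal
# allow rule: that direction falls through to the default deny in evaluate().
RULES: List[Rule] = [
    Rule("internet", "dmz", 443, "allow"),       # public web front end only
    Rule("internal", "dmz", None, "allow"),      # administrators may manage DMZ hosts
    Rule("internal", "internet", 443, "allow"),  # outbound web (e.g. via a proxy)
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, rules: List[Rule] = RULES) -> str:
    """Decide a single flow at the boundary; unmatched flows are denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (None, dst_port):
            return r.action
    return "deny"  # default deny at every boundary


def violating_rules(rules: List[Rule]) -> List[Rule]:
    """Audit check for Control 13: any rule that lets DMZ hosts initiate into the internal network."""
    return [r for r in rules if r.src_zone == "dmz" and r.dst_zone == "internal" and r.action == "allow"]
```

The audit function is the kind of check an assessor would expect evidence for: it fails as soon as someone adds an allow rule from the DMZ into the internal zone.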
DOMAIN: System and Information Integrity
CONTROL 14: Flaw Remediation
Identify, report, and correct information and information system flaws in a timely manner.
All software and firmware have potential flaws. Many vendors work to remedy those flaws by releasing vulnerability information and updates to their software and firmware.
Contractors must have a process to review relevant vendor notifications and updates about problems or weaknesses.
After reviewing the information, the company must implement a patch management process that allows for software and firmware flaws to be fixed without adversely affecting the system functionality.
Companies must define the time frames within which flaws are identified, reported, and corrected for all systems. Companies should consider purchasing support from their vendors to ensure timely access to updates.
- The time within which to identify system flaws is specified
- System flaws are identified within the specified time frame
- The time within which to report system flaws is specified
- The system flaws are reported within the specified time frame
- The time within which to correct system flaws is specified
- The system flaws are corrected within the specified time frame
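Control 14 asks for three defined time frames and evidence that each flaw met them. The script below, added here as an example and not taken from the CMMC text, checks constructed flaw records against constructed time frames (7 days to identify after the vendor notice, 2 days to report, 30 days to correct); the policy values and dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy: allowed days for each step, counted from the previous step.
TIME_FRAMES = {"identify": 7, "report": 2, "correct": 30}


@dataclass
class Flaw:
    flaw_id: str
    vendor_notified: date        # vendor advisory or update published
    identified: Optional[date]   # company confirmed the flaw applies to its systems
    reported: Optional[date]     # logged and escalated internally
    corrected: Optional[date]    # patch or mitigation applied


def overdue_steps(flaw: Flaw, today: date) -> List[str]:
    """Steps completed after their deadline, or still open past it, as of `today`."""
    steps = [
        ("identify", flaw.vendor_notified, flaw.identified),
        ("report", flaw.identified, flaw.reported),
        ("correct", flaw.reported, flaw.corrected),
    ]
    late = []
    for name, start, done in steps:
        if start is None:
            break  # previous step not finished, so this one cannot be measured yet
        deadline = start + timedelta(days=TIME_FRAMES[name])
        finished_on = done if done is not None else today
        if finished_on > deadline:
            late.append(name)
    return late


def remediation_report(flaws: List[Flaw], today: date) -> Dict[str, List[str]]:
    """Map each flaw id to the steps that missed the defined time frame."""
    return {f.flaw_id: overdue_steps(f, today) for f in flaws}


# Constructed sample records for a single vendor notice on 2024-03-01.
FLAWS = [
    Flaw("FLAW-001", date(2024, 3, 1), date(2024, 3, 4), date(2024, 3, 5), date(2024, 3, 20)),
    Flaw("FLAW-002", date(2024, 3, 1), date(2024, 3, 12), date(2024, 3, 13), None),
    Flaw("FLAW-003", date(2024, 3, 1), None, None, None),
]
```

Running `remediation_report(FLAWS, date(2024, 4, 30))` flags FLAW-002 for late identification and an overdue correction, and FLAW-003 for never having been identified.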
CONTROL 15: Malicious Code Protection
Provide protection from malicious code at appropriate locations within organizational information systems.
Malicious code purposely performs unauthorized activity that undermines the security of an information system. A designated location may be a network device such as a firewall or an end user’s computer.
Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following:
Virus – program designed to damage, steal information, change data, send email, show messages, or any combination of these things.
Spyware – program designed to gather information about a person’s activity in secret, usually installed without the person knowing when they click on a link.
Trojan Horse – type of malware made to look like legitimate software and used by cyber criminals to get access to a company’s systems.
Ransomware – type of malware that threatens to publish the contractor’s data or perpetually block access to it unless a ransom is paid.
Use anti-malware tools to stop or lessen the impact of malicious code.
- Designated locations for malicious code protection are identified
- Protection from malicious code at designated locations is provided
CONTROL 16: Update Malicious Code Protection
Update malicious code protection mechanisms when new releases are available.
Malware changes on an hourly or daily basis, and it is important to update detection and protection mechanisms frequently to maintain the effectiveness of the protection.
Example: You have installed anti-malware software to protect a computer from malicious code. Knowing that malware evolves rapidly, you configure the software to automatically check for malware definition updates every day and update as needed.
- Malicious code protection mechanisms are updated when new releases are available
CONTROL 17: System and File Scanning
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Use anti-malware software to scan for and identify viruses in your computer systems and determine how often scans are conducted.
Real-time scans look at the system whenever new files are downloaded, opened, and saved. Periodic scans check previously saved files against updated malware information.
- Frequency for malicious code scans is defined
- Malicious code scans are performed with the defined frequency
- Real-time malicious code scans of files from external sources are performed as files are downloaded, opened, or executed