
Cybersecurity Maturity Model Certification (CMMC) Level 1 Controls

CMMC Level 1 Controls

The Cybersecurity Maturity Model Certification (CMMC) Level 1 framework encompasses a comprehensive set of 17 CMMC Level 1 controls designed to ensure basic, robust security practices within an organization.

These controls cover various aspects of information security management, ranging from risk assessment and mitigation to data protection and incident response. By implementing these controls, businesses can establish a strong foundation for safeguarding their sensitive data and critical infrastructure, while also promoting a culture of security awareness.

Each control should be tailored to the organization's specific vulnerabilities and threats, enabling it to defend proactively against cyber risks and to maintain the integrity, confidentiality, and availability of its valuable assets.

DOMAIN: Cybersecurity Maturity Model Certification Access Control

CONTROL 1: Authorized Access Control

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

  • Identify the users, processes, and devices that are authorized to use company computers and that can log on to the company network.
  • Authorize automated updates and other automatic processes and associate them with the user who initiated the process.
  • Set up your system so that only authorized users, processes, and devices can access the company network.
  • Limit devices (e.g., printers) accessed by company computers.

Objectives 

  1. Identify authorized users.
  2. Limit system access to authorized devices (including other systems).
  3. Limit system access to processes acting on behalf of authorized users.
  4. Limit system access to authorized users.
  5. Identify devices (and other systems) authorized to connect to the system.
  6. Identify processes acting on behalf of authorized users.

CONTROL 2: Transaction and Function Control

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

You can also limit users to only the information systems, roles, or applications they are permitted to use and that are needed for their roles and responsibilities. In addition, limit access to applications and data based on the authorized users’ roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.

Objectives 

  1. Define the types of transactions and functions that authorized users are permitted to execute.
  2. Limit the system access to the defined types of transactions and functions for authorized users.

CONTROL 3: Cybersecurity Maturity Model Certification External Connections

Verify and control/limit connections to and use of external information systems.

Control and manage connections between your company network and outside networks. Outside networks could include the public internet, one of your own company’s networks that falls outside of your CyberReady Assessment Scope (e.g., an isolated lab), or a network that does not belong to your company.

Tools to accomplish this include firewalls and connection allow/deny lists. External systems not controlled by your company could be running applications that are prohibited or blocked.

Control and limit access to corporate networks from personally owned devices such as laptops, tablets, and phones. You may choose to limit how and when your network is connected to outside systems or only allow certain employees to connect to outside systems from network resources.

Objectives

  1. Connections to external systems are identified
  2. The use of external systems is identified
  3. Connections to external systems are verified
  4. The use of external systems is verified
  5. Connections to external systems are controlled/limited
  6. The use of external systems is controlled/limited

CONTROL 4: Control Public Information for Cybersecurity Maturity Model Certification

Control information posted or processed on publicly accessible information systems.

Do not allow data to become public – always safeguard the confidentiality of data by controlling the posting of data on company-controlled websites or public forums, and the exposure of data in public presentations or on public displays.

It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information. If data is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties.

Objectives

  1. Individuals authorized to post or process information on publicly accessible systems are identified
  2. Procedures to ensure data is not posted or processed on publicly accessible systems are identified
  3. A review process is in place prior to posting of any content to publicly accessible systems
  4. Content on publicly accessible systems is reviewed to ensure that it does not include private data
  5. Mechanisms are in place to remove and address improper posting of private data.

DOMAIN: Cybersecurity Maturity Model Certification Identification and Authentication

CONTROL 5: Identification

Identify information system users, processes acting on behalf of users, or devices.

Make sure to assign individual, unique identifiers (e.g., usernames) to all users and processes that access company systems. Authorized devices also should have unique identifiers. Unique identifiers can be as simple as a short set of alphanumeric characters (e.g., SW001 could refer to a network switch, SW002 could refer to a different network switch).

Objective

  1. Identify system users
  2. Identify processes acting on behalf of users
  3. Identify devices accessing the system

CONTROL 6: Authentication

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Before you let a person or a device have access to your system, verify that the user or device is who or what it claims to be. This verification is called authentication. The most common way to verify identity is using a username and a hard-to-guess password.

Some devices ship with default usernames and passwords. For example, some devices ship so that when you first log on to the device, the username is “admin” and the password is “admin”. When you have devices with this type of default username and password, immediately change the default password to a unique password you create.

Default passwords may be well known to the public, easily found in a search, or easy to guess, allowing an unauthorized person to access your system.

Objective

  1. Identity of each user is authenticated or verified as a prerequisite to system access
  2. Identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access
  3. Identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

DOMAIN: Cybersecurity Maturity Model Certification Media Protection

CONTROL 7: Media Disposal in Cybersecurity Maturity Model Certification

Sanitize or destroy information system media containing data before disposal or release for reuse.

“Media” refers to a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones.

It is important to know what information is on media so that you can handle it properly. If there is data, you or someone in your company should either:

  • Shred or destroy the device before disposal so it cannot be read; or
  • Clean or purge the information if you want to reuse the device.

Objective

  1. System media containing data is sanitized or destroyed before disposal; and
  2. System media containing data is sanitized before it is released for reuse.

DOMAIN: Cybersecurity Maturity Model Certification Physical Protection

CONTROL 8: Physical Protection

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

This addresses the company’s physical space (e.g., office, testing environments, equipment rooms), technical assets, and non-technical assets that need to be protected from unauthorized physical access. Specific environments are limited to authorized employees, and access is controlled with badges, electronic locks, physical key locks, etc.

Output devices, such as printers, are placed in areas where their use does not expose data to unauthorized individuals. Lists of personnel with authorized access are developed and maintained, and personnel are issued appropriate authorization credentials.

Objective

  1. Identify authorized individuals allowed physical access
  2. Limit physical access to organizational systems to authorized individuals
  3. Limit physical access to equipment to authorized individuals
  4. Limit physical access to operating environments to authorized individuals

CONTROL 9: Escort Visitors

Escort visitors and monitor visitor activity.

Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are always escorted by an employee while on the property.

Objective

  1. Visitors are escorted; and
  2. Visitor activity is monitored.

CONTROL 10: Physical Access Logs

Maintain audit logs of physical access.

Make sure you have a record of who accesses your facility (e.g., office, plant, factory).

You can do this in writing by having employees and visitors sign in and sign out or by electronic means such as badge readers.

Whatever means you use, you need to retain the access records for the time that your company has defined.

Objective

  1. Maintain audit logs of physical access.

CONTROL 11: Manage Physical Access

Control and manage physical access devices.

Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment.

Physical access devices are only strong protection if you know who has them and what access they allow.

Physical access devices can be managed using manual or automatic processes, such as a list of who is assigned which key, or updating the badge access system as personnel change roles.

Objective

  1. Identify physical access devices.
  2. Control physical access devices.
  3. Manage physical access devices.

DOMAIN: Cybersecurity Maturity Model Certification System and Communication Protection

CONTROL 12: Boundary Protection

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Fences, locks, badges, and key cards help keep non-employees out of your physical facilities. Similarly, your company’s IT network or system has boundaries that must be protected. Many companies use a web proxy and a firewall.

When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website.

A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company’s networks and information systems. Internal boundaries determine where data can flow, for instance a software development environment may have its own boundary controlling, monitoring, and protecting the data that can leave that boundary.

You may want to monitor, control, or protect one part of the company network from another. This can also be accomplished with a firewall and limits the ability of attackers and disgruntled employees from entering sensitive parts of your internal network and causing damage.

Objective

  • External system boundary is defined
  • Key internal system boundaries are defined
  • Communications are monitored at the external system boundary
  • Communications are monitored at key internal boundaries
  • Communications are controlled at the external system boundary
  • Communications are controlled at key internal boundaries
  • Communications are protected at the external system boundary
  • Communications are protected at key internal boundaries

CONTROL 13: Public Access System Separation

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Separate the publicly accessible systems from the internal systems that need to be protected. Do not place internal systems on the same network as the publicly accessible systems and block access by default from DMZ networks to internal networks.

One method of accomplishing this is to create a DMZ network, which enhances security by providing public access to a specific set of resources while preventing connections from those resources to the rest of the IT environment.

Some contractors achieve a similar result through the use of a cloud computing environment that is separated from the rest of the company’s infrastructure.

Objective

  1. Publicly accessible system components are identified
  2. Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
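As an added example (not code from the page), a Python model of the default-deny zone policy that Controls 12 and 13 describe: an external boundary, a DMZ for publicly accessible components, the internal network, and a software-development enclave treated as a key internal boundary. Zone names, subnets, ports and sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones (assumed subnets, not from the page). "external" is
# the catch-all, so any address not in a more specific zone lands there.
ZONES = {
    "external": [ip_network("0.0.0.0/0")],
    "dmz":      [ip_network("192.0.2.0/24")],   # public-facing components
    "internal": [ip_network("10.10.0.0/16")],
    "dev":      [ip_network("10.20.0.0/16")],   # key internal boundary
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int  # TCP assumed

# Explicit allow list; every boundary crossing not listed is denied.
# DMZ -> internal and dev -> external are deliberately absent, which is
# the "block access by default from DMZ networks to internal networks"
# behaviour the control asks for.
ALLOW = {
    Rule("external", "dmz", 443),       # internet reaches the public web tier
    Rule("internal", "dmz", 443),       # staff reach the same web tier
    Rule("internal", "external", 443),  # outbound browsing at the boundary
    Rule("internal", "dev", 22),        # developers into the dev enclave
}

def zone_of(ip: str) -> str:
    """Most specific matching zone wins (longest prefix)."""
    addr = ip_address(ip)
    best, best_len = None, -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same zone: no boundary is crossed
    return Rule(src, dst, dst_port) in ALLOW

def evaluate(flows):
    """Return (src, dst, port, verdict) for each flow."""
    return [(s, d, p, "allow" if is_allowed(s, d, p) else "deny")
            for s, d, p in flows]

# Constructed sample flows exercising each boundary.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 443),   # internet -> DMZ web: allow
    ("192.0.2.10", "10.10.5.20", 445),    # DMZ -> internal share: deny
    ("203.0.113.5", "10.10.5.20", 3389),  # internet -> internal RDP: deny
    ("10.10.5.20", "10.20.1.4", 22),      # internal -> dev SSH: allow
    ("10.20.1.4", "203.0.113.9", 443),    # dev -> internet: deny
]
```

Running `evaluate(SAMPLE_FLOWS)` shows that a compromised DMZ host gets no path into the internal network unless a rule is explicitly added for it.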

DOMAIN: Cybersecurity Maturity Model Certification System and Information Integrity

CONTROL 14: Flaw Remediation Requirement Statement

Identify, report, and correct information and information system flaws in a timely manner.

All software and firmware have potential flaws. Many vendors work to remedy those flaws by releasing vulnerability information and updates to their software and firmware.

Contractors must have a process to review relevant vendor notifications and updates about problems or weaknesses.

After reviewing the information, the company must implement a patch management process that allows for software and firmware flaws to be fixed without adversely affecting the system functionality.

Companies must define the time frames within which flaws are identified, reported, and corrected for all systems. Companies should consider purchasing support from their vendors to ensure timely access to updates.

Objective

  1. Specify the time within which to identify system flaws
  2. Identify system flaws within the specified time frame
  3. Specify the time within which to report system flaws
  4. Report system flaws within the specified time frame
  5. Specify the time within which to correct system flaws
  6. Correct system flaws within the specified time frame
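As an added example (not code from the page), a Python check of the six Control 14 objectives: each flaw in a tracker is tested against company-defined time frames for identification, reporting, and correction. The time frames, severities, and tracker records are constructed assumptions; the page prescribes no specific values.

```python
from datetime import date, timedelta

# Assumed company-defined time frames in days, per severity (constructed).
TIME_FRAMES = {
    "critical": {"identify": 7,  "report": 1, "correct": 14},
    "high":     {"identify": 14, "report": 3, "correct": 30},
    "moderate": {"identify": 30, "report": 7, "correct": 90},
}

# Constructed "as of" date for the open items below.
TODAY = date(2024, 4, 15)

def stage(start, done, limit_days, today):
    """One stage of the clock: met, missed, still open, or overdue."""
    if start is None:
        return "open"  # the preceding stage has not happened yet
    deadline = start + timedelta(days=limit_days)
    if done is not None:
        return "met" if done <= deadline else "missed"
    return "overdue" if today > deadline else "open"

def check_flaw(record, today=TODAY):
    """Return {'identify': ..., 'report': ..., 'correct': ...} for a record."""
    limits = TIME_FRAMES[record["severity"]]
    identified = record.get("identified")
    return {
        # identification clock starts at the vendor's notification
        "identify": stage(record["vendor_published"], identified,
                          limits["identify"], today),
        # reporting and correction clocks start once the flaw is identified
        "report": stage(identified, record.get("reported"),
                        limits["report"], today),
        "correct": stage(identified, record.get("corrected"),
                         limits["correct"], today),
    }

def needs_attention(records, today=TODAY):
    """Ids of flaws with any stage missed or overdue, for the weekly review."""
    return sorted(r["id"] for r in records
                  if any(v in ("missed", "overdue")
                         for v in check_flaw(r, today).values()))

# Constructed tracker records (ids and dates are placeholders).
TRACKER = [
    {"id": "FLAW-001", "severity": "critical", "vendor_published": date(2024, 3, 1),
     "identified": date(2024, 3, 3), "reported": date(2024, 3, 3), "corrected": date(2024, 3, 10)},
    {"id": "FLAW-002", "severity": "high", "vendor_published": date(2024, 3, 1),
     "identified": date(2024, 3, 20), "reported": date(2024, 3, 21)},   # identified late
    {"id": "FLAW-003", "severity": "moderate", "vendor_published": date(2024, 2, 1),
     "identified": date(2024, 2, 10)},                                  # never reported
    {"id": "FLAW-004", "severity": "critical", "vendor_published": date(2024, 4, 10)},
]
```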

CONTROL 15: Malicious Code Protection

Provide protection from malicious code at appropriate locations within organizational information systems.

Malicious code purposely performs unauthorized activity that undermines the security of an information system. A designated location may be a network device such as a firewall or an end user’s computer.

Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following:

Virus – a program designed to damage, steal information, change data, send email, show messages, or any combination of these things.
Spyware – a program designed to gather information about a person’s activity in secret, usually installed without the person knowing when they click on a link.
Trojan Horse – a type of malware made to look like legitimate software and used by cyber criminals to gain access to a company’s systems.
Ransomware – a type of malware that threatens to publish the contractor’s data or perpetually block access to it unless a ransom is paid.

Use anti-malware tools to stop or lessen the impact of malicious code.

Objective

  1. Identify designated locations for malicious code protection
  2. Protection from malicious code at designated locations is provided

CONTROL 16: Update Malicious Code Protection

Update malicious code protection mechanisms when new releases are available.

Malware changes on an hourly or daily basis, and it is important to update detection and protection mechanisms frequently to maintain the effectiveness of the protection.

Example: You have installed anti-malware software to protect a computer from malicious code. Knowing that malware evolves rapidly, you configure the software to automatically check for malware definition updates every day and update as needed.

Objective

  1. Malicious code protection mechanisms are updated when new releases are available

CONTROL 17: System and File Scanning

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Use anti-malware software to scan for and identify viruses in your computer systems and determine how often scans are conducted.

Real-time scans look at the system whenever new files are downloaded, opened, and saved.

Periodic scans check previously saved files against updated malware information.

Objective

  1. Define the frequency for malicious code scans.
  2. Perform malicious code scans at the defined frequency.
  3. Conduct real-time malicious code scans of files from external sources when those files are downloaded, opened, or executed.

FAQs

1. What are CMMC controls?

The Cybersecurity Maturity Model Certification (CMMC) establishes a unified standard for implementing cybersecurity measures across the United States Government and its Defense Industrial Base (DIB). It outlines a comprehensive set of guidelines designed to enhance the protection of sensitive government information.

2. What is CMMC Level 1 certification?

CMMC Level 1 represents the foundational tier of cybersecurity measures required for defense contractors to achieve certification under the Cybersecurity Maturity Model Certification framework. It embodies the essential cyber hygiene practices necessary to secure Federal Contract Information (FCI) against cyber threats.

3. What is the difference between CMMC Level 1 and 2?

CMMC 2.0 Level 1 is focused on basic cyber hygiene practices to protect Federal Contract Information (FCI), as mandated by FAR Clause 52.204-21. In contrast, CMMC 2.0 Level 2 (Advanced) necessitates the implementation of more comprehensive cybersecurity measures, including sophisticated access control, incident response, and media protection strategies, to fortify defenses further.

4. Who needs CMMC Level 1?

CMMC 2.0 Level 1 is targeted at Department of Defense (DoD) contractors and subcontractors tasked with handling FCI that is either provided by or generated for the government as part of a contract. This level mandates the execution of fundamental cybersecurity practices to safeguard this information.