Level 1: Basic cyber hygiene
CMMC Level 1 is the most basic level of cyber maturity and forms the initial building block for basic cybersecurity. The Level 1 practices are intended to help any organisation implement basic cybersecurity hygiene, addressing the need to protect Federal Contract Information (FCI), defined as 'information provided by or generated for the Government under contract not intended for public release'. Level 1 requires an organisation to demonstrate that it performs the practices required at Level 1: those identified in FAR 48 CFR § 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), which are equivalent to 17 practices in NIST SP 800-171 r2 and are listed in the table below. By demonstrating that the Level 1 practices are being performed, the organisation adopts basic cybersecurity hygiene for the protection of the FCI it manages on behalf of the government.
Processes: Performed. Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic cyber hygiene. Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").
CMMC Level 1 consists of 6 security domains addressing 9 capabilities with 17 security practices.
| Domain | Capability | Practice | Practice Description |
|---|---|---|---|
| Access Control (AC) | C001 Establish system access requirements | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
| Access Control (AC) | C002 Control internal system access | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| Access Control (AC) | C004 Limit data access to authorized users and processes | AC.1.003 | Verify and control/limit connections to and use of external information systems. |
| Access Control (AC) | C004 Limit data access to authorized users and processes | AC.1.004 | Control information posted or processed on publicly accessible information systems. |
| Identification & Authentication (IA) | C015 Grant access to authenticated entities | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices. |
| Identification & Authentication (IA) | C015 Grant access to authenticated entities | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems. |
| Media Protection (MP) | C024 Sanitize media | MP.1.118 | Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.131 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.132 | Escort visitors and monitor visitor activity. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.133 | Maintain audit logs of physical access. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.134 | Control and manage physical access devices. |
| System and Communications Protection (SC) | C039 Control communications at system boundaries | SC.1.175 | Monitor, control, and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
| System and Communications Protection (SC) | C039 Control communications at system boundaries | SC.1.176 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
| System & Information Integrity (SI) | C040 Identify and manage information system flaws | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. |
| System & Information Integrity (SI) | C041 Identify malicious content | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems. |
| System & Information Integrity (SI) | C041 Identify malicious content | SI.1.212 | Update malicious code protection mechanisms when new releases are available. |
| System & Information Integrity (SI) | C041 Identify malicious content | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. |
Table: CMMC Level 1 domains, capabilities and practices