CMMC 2.0 Level 1
Small Business DIY Guide
Background & Why
This page serves as a Do-It-Yourself guide to help organizations looking to prepare for their CMMC 2.0 Level 1 certification WITHOUT the need to hire a consultant.
Why is a cybersecurity compliance organization instructing you on how to achieve CMMC 2.0 Level 1 compliance on your own? We know how difficult it is to be a government contractor since we are DoD contractors ourselves. “Sharing is Caring” is one of our core values. We make every effort to be transparent on how to successfully get any security compliance required to meet contract commitments and CMMC is no exception. The truth is, even with this knowledge provided, not everyone will be able to pull this off and will want assistance from a firm like ours at some point.
Disclaimer: These are general suggestions and will require some work to modify for specific use cases. Please follow at your own risk.
If you have implementation questions or need help understanding any part of this DIY, please send us your questions here: I HAVE A QUESTION
Prerequisites
The following is required before you begin:
IT Knowledge: Having a basic level of IT knowledge is critical to implement the controls successfully.
Define FCI/CUI: Define what FCI & CUI are for your specific business case. Need help with this? Check out this article here.
Establish CMMC Boundary: The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory. These will help identify how sensitive data is handled across the organization's network. Ideally you want to show who handles the data, on which device(s), from which location, and where it will be at rest.
Environment Documentation: Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here.
Security Assessment: Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here.
Create a Plan & Prioritize Resources: Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.
Sales Pipeline (ROI): Do you have current or upcoming contracts that require CMMC compliance? If so, identify how data will flow between your organization and the customer.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.
CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.
CMMC Level 1
CMMC Level 1 is the entry point to the three-level ecosystem. Level 1 is considered to be Basic Cyber Hygiene: practices that enable safeguards for Federal Contract Information (FCI), made up of 17 controls. The good news for Level 1 is that it has a short list of controls (compared to the other Levels), making it easier to implement for organizations that don’t currently have a security program in place.
The following are the Level 1 Categories:
Access Control (AC) (4 Controls): Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources.
Identification & Authentication (IA) (2 Controls): Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.
Media Protection (MP) (1 Control): These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.
Physical Protection (PE) (4 Controls): Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.
System & Communications Protection (SC) (2 Controls): These controls are for managing risks from vulnerable system configurations, denial of service, data communication, and information transfer both internally and externally.
System & Information Integrity (SI) (4 Controls): These controls help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.
Process & Timeline
The total timeline from preparation to compliance for CMMC 2.0 Level 1 is estimated to be 1 – 6 months. Many factors contribute to this estimate, including the time it takes for the organization to remediate any vulnerabilities found and implement the solutions offered in this DIY guide.
The following is the high-level process:
Assessment: This is the starting point to determine the correct CMMC level your organization should build a program for. The process provides insight into: Current Security Gaps, Current Risk Gaps, Understand the Current Culture, Sales Pipeline, Corporate Structure, and Business Vision.
How To: Create a spreadsheet that includes all of the controls listed in this guide. Evaluate each control and list the solutions that are in place to meet it. If you don’t have a solution in place, or only have a partial solution, mark the control as a GAP. Each GAP should have an ETA and a planned solution written down to ensure the GAP will be remediated.
Preparation: Once the assessment is completed, it’s time to get to work on all of the items listed here in this guide. Once the security controls have been fulfilled, your organization will be ready to put the new security program into practice.
Practice Period: All gaps have been addressed, solutions are operational, and the organization is in compliance capturing evidence proving full compliance.
Certification: After 6 months of continued practice period, you can perform a new assessment to ensure the organization is in full compliance with CMMC 2.0 Level 1. Self-assessments are sufficient for CMMC 2.0 Level 1 requirements.
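As an added example (not part of the original guide), a small Python tracker for the gap assessment described above: each Level 1 control gets a status, anything not fully implemented becomes a GAP, and a GAP only counts as a usable POA&M entry once it has a planned solution, an owner and an ETA that has not already passed. The control IDs are the ones used in this guide; the statuses, owners, solutions and dates are constructed sample data.

```python
# Gap-assessment tracker for a CMMC 2.0 Level 1 self-assessment (added example).
# A control is IMPLEMENTED, PARTIAL or NONE; anything not IMPLEMENTED is a GAP
# and needs a planned solution, an owner and a future ETA to be a usable POA&M entry.
from dataclasses import dataclass
from datetime import date
from typing import Optional

IMPLEMENTED, PARTIAL, NONE = "IMPLEMENTED", "PARTIAL", "NONE"


@dataclass
class ControlRecord:
    control_id: str             # Level 1 control ID as used in this guide
    status: str                 # IMPLEMENTED, PARTIAL or NONE
    solution: str = ""          # solution in place, or the planned one for a GAP
    owner: str = ""             # person responsible for closing the GAP
    eta: Optional[date] = None  # planned remediation date for a GAP


def is_gap(rec: ControlRecord) -> bool:
    """A control is a GAP unless it is fully implemented."""
    return rec.status != IMPLEMENTED


def poam_problems(rec: ControlRecord, today: date) -> list:
    """Reasons a GAP is not yet a valid POA&M entry (empty if it is, or if not a GAP)."""
    if not is_gap(rec):
        return []
    problems = []
    if not rec.solution:
        problems.append("no planned solution")
    if not rec.owner:
        problems.append("no owner")
    if rec.eta is None:
        problems.append("no ETA")
    elif rec.eta < today:
        problems.append("ETA has passed")
    return problems


def assess(records: list, today: date) -> dict:
    """Summarise coverage, list the GAPs and flag GAPs whose POA&M entry is incomplete."""
    gaps = [r for r in records if is_gap(r)]
    incomplete = {r.control_id: poam_problems(r, today) for r in gaps if poam_problems(r, today)}
    return {"implemented": len(records) - len(gaps), "total": len(records),
            "gaps": [r.control_id for r in gaps], "incomplete": incomplete}


# Constructed sample data: five of the 17 Level 1 controls, assessed on 2024-03-01.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    ControlRecord("AC.L1-3.1.1", IMPLEMENTED, "Azure AD with SSO, one group per role"),
    ControlRecord("AC.L1-3.1.2", PARTIAL, "Intune baseline per role", "IT lead", date(2024, 4, 15)),
    ControlRecord("MP.L1-3.8.3", NONE, "DBAN wipe plus cross-cut shredder"),
    ControlRecord("PE.L1-3.10.3", IMPLEMENTED, "Visitor log book and escort policy"),
    ControlRecord("SI.L1-3.14.1", PARTIAL, "RMM auto-patching", "IT lead", date(2024, 1, 31)),
]


def run_sample() -> dict:
    return assess(SAMPLE_RECORDS, SAMPLE_TODAY)
```

Running `run_sample()` on the sample data reports 2 of 5 controls implemented, three GAPs, and flags MP.L1-3.8.3 (no owner, no ETA) and SI.L1-3.14.1 (ETA already passed) as not yet ready for the POA&M.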
Control Implementation
Access Control (AC) (4 Controls)
AC.L1-3.1.1
Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems). (Establish)
What Will An Auditor Look For?
Authorized users are identified.
Processes acting on behalf of authorized users are identified.
Devices (and other systems) authorized to connect to the system are identified.
System access is limited to authorized users.
System access is limited to processes acting on behalf of authorized users.
System access is limited to authorized devices (including other systems).
- Screenshot showing users groups and memberships are created and in use.
Suggested Solutions:
Planning Solution: Create a user list that outlines roles and the associated privileges to perform within their roles.
Tech Solution: Set up a central user management system and translate users/roles into the tool. There are many tools out there; the following are the most common:
- MS Active Directory/Azure AD with SSO (single sign on) (part of MS 365 E3, E5, and GCC packages)
- JumpCloud
- Okta
AC.L1-3.1.2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (Control)
What Will An Auditor Look For?
The types of transactions and functions that authorized users are permitted to execute are defined.
System access is limited to the defined types of transactions and functions for authorized users.
- Screenshot showing users groups and memberships are created and in use
Suggested Solutions:
Planning Solution: Establish secure baseline configurations. Example: What does a standard user need access to? What does a manager need access to? What will a remote employee need access to?
Tech Solution: Implement one of the following (if you haven't already from AC.1.001):
- MS Active Directory/Azure AD with SSO (single sign on) (part of MS 365 E3, E5, and GCC packages)
- JumpCloud
- Okta
Tech Solution: Implement one of the following (end user device management):
- NNT Change Tracker
- MS InTune
- Cimcor CimTrak
- RMM (N-Able, ConnectWise, Ninja, etc)
Tech Solution: Implement one of the following Hardware-based Firewalls if you don't have one with your current router. (Note: for cloud-based environments (AWS/Azure) you will need to enable the firewall services offered by the vendor.)
- WatchGuard
- SonicWall
- FortiGate
AC.L1-3.1.20
Verify and control/limit connections to and use of external information systems. (Limit)
What Will An Auditor Look For?
Connections to external systems are identified.
The use of external systems is identified.
Connections to external systems are verified.
The use of external systems is verified.
Connections to external systems are controlled/limited.
The use of external systems is controlled/limited.
- Data Flow Diagram created
- Screen shot of firewall rules in place.
Suggested Solutions:
Planning Solution: Create an access control list. For example, if you have a Customer Portal, ensure that every user is accounted for and their access is documented.
Planning Solution: User roles and privileges are defined.
Planning Solution: Create a technology and data flow map to show all of the devices, services, and the users associated.
AC.L1-3.1.22
Control information posted or processed on publicly accessible information systems. (Limit)
What Will An Auditor Look For?
Connections to external systems are identified.
The use of external systems is identified.
Connections to external systems are verified.
The use of external systems is verified.
Connections to external systems are controlled/limited.
The use of external systems is controlled/limited.
- Change management processes identified
- Screen shot of Access Control settings for external system.
Suggested Solutions:
Planning Solution: Create an access control list. For example, if you have a CMS for your company website, make sure you have identified the users and what they have access to. Determine how changes are made (who approves them) and what the workflow looks like.
Planning Solution: User roles and privileges are defined.
Technical Solution: Implement a DNS protection tool like:
- CloudFlare
- OpenDNS
- Webroot
Identification & Authentication (IA) (2 Controls)
IA.L1-3.5.1
Identify information system users, processes acting on behalf of users or devices.
What Will An Auditor Look For?
System users are identified.
Processes acting on behalf of users are identified.
Devices accessing the system are identified.
- Screenshot of your Active Directory settings.
Suggested Solutions:
Planning Solution: Create a user list that outlines roles and privileges.
Tech Solution: Implement one of the following Active Directory solutions:
- MS Active Directory/Azure AD with SSO (single sign on) (part of MS 365 E3, E5, and GCC packages)
- JumpCloud
- Okta
Tech Solution: Implement one of the following end user management solutions:
- NNT Change Tracker
- MS InTune
- Cimcor CimTrak
- RMM (N-Able, ConnectWise, Ninja, etc)
IA.L1-3.5.2
Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
What Will An Auditor Look For?
The identity of each user is authenticated or verified as a prerequisite to system access.
The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
Screenshot showing configuration settings.
Suggested Solutions:
Planning Solution: Create a user list that outlines roles and privileges.
Tech Solution: Implement one of the following (if you haven't already from AC.1.001):
- MS Active Directory/Azure AD (part of MS 365 E3, E5, and GCC packages)
- JumpCloud
- Okta
Tech Solution: Implement one of the following (end user device management):
- NNT Change Tracker
- MS InTune
- Cimcor CimTrak
- RMM (N-Able, ConnectWise, Ninja, etc)
Media Protection (MP) (1 Control)
MP.L1-3.8.3
Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.
What Will An Auditor Look For?
System media containing FCI is sanitized or destroyed before disposal.
System media containing FCI is sanitized before it is released for reuse.
Suggested Solutions:
Tech Solution: Use a tool that can wipe a media device locally or remotely, and have a cross-cut shredder for physical media. Here are some suggestions for tools:
- Darik's Boot and Nuke (DBAN)
- Lansweeper
- DriveStrike
Physical Protection (PE) (4 Controls)
PE.L1-3.10.1
Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.
What Will An Auditor Look For?
Authorized individuals allowed physical access are identified.
Physical access to organizational systems is limited to authorized individuals.
Physical access to equipment is limited to authorized individuals.
Physical access to operating environments is limited to authorized individuals.
Suggested Solutions:
Planning Solution: Keycard access, locked devices, etc.
PE.L1-3.10.3
Escort visitors and monitor visitor activity.
What Will An Auditor Look For?
Visitors are escorted.
Visitor activity is monitored.
Suggested Solutions:
Planning Solution: Visitor Log book - Evidence of visitor management and logging visitor activities.
PE.L1-3.10.4
Maintain audit logs of physical access.
What Will An Auditor Look For?
Determine if audit logs of physical access are maintained.
Suggested Solutions:
Planning Solution: Visitor Log book - Evidence of visitor management and logging visitor activities.
Tech Solution: System logs - Windows, RMM, etc
PE.L1-3.10.5
Control and manage physical access devices.
What Will An Auditor Look For?
Physical access devices are identified.
Physical access devices are controlled.
Physical access devices are managed.
Suggested Solutions:
Planning Solution: Technology asset inventory and awareness of location
Tech Solution:
- MS Intune
- AirWatch
- NinjaRMM
System & Communications Protection (SC) (2 Controls)
SC.L1-3.13.1
Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
What Will An Auditor Look For?
The external system boundary is defined.
Key internal system boundaries are defined.
Communications are monitored at the external system boundary.
Communications are monitored at key internal boundaries.
Communications are controlled at the external system boundary.
Communications are controlled at key internal boundaries.
Communications are protected at the external system boundary.
Communications are protected at key internal boundaries.
Suggested Solutions:
Planning Solution: Network Map and Data Flow Diagram
Tech Solution: External Communications:
- Google Reader
- Hootsuite
- TalkWalker
Tech Solution: Implement one of the following Hardware-based Firewalls:
- WatchGuard
- SonicWall
- FortiGate
- BroadBand Router/Firewall
Tech Solution: Implement one of the following:
- MS Intune
- AirWatch
- NNT Change Tracker
- Cimcor CimTrak
- NinjaRMM
SC.L1-3.13.5
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
What Will An Auditor Look For?
Publicly accessible system components are identified.
Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
Suggested Solutions:
Planning Solution: Network Map and Data Flow Diagram
Tech Solution: Implement one of the following Hardware-based Firewalls:
- WatchGuard
- SonicWall
- FortiGate
- BroadBand Router/Firewall
Tech Solution: Implement one of the following:
- MS Intune
- AirWatch
- NNT Change Tracker
- Cimcor CimTrak
- NinjaRMM
System & Information Integrity (SI) (4 Controls)
SI.L1-3.14.1
Identify, report and correct information and information system flaws in a timely manner.
What Will An Auditor Look For?
The time within which to identify system flaws is specified.
System flaws are identified within the specified time frame.
The time within which to report system flaws is specified.
System flaws are reported within the specified time frame.
The time within which to correct system flaws is specified.
System flaws are corrected within the specified time frame.
Suggested Solutions:
Planning Solution: Automated update/patch services
Tech Solution: Implement one of the following:
- Cimcor CimTrak
- NinjaRMM
- MS Intune
SI.L1-3.14.2
Provide protection from malicious code at appropriate locations within organizational information systems.
What Will An Auditor Look For?
Designated locations for malicious code protection are identified.
Protection from malicious code at designated locations is provided.
Suggested Solutions:
Tech Solution: Implement one of the following:
- MalwareBytes
- SentinelOne
- ESET
Tech Solution: Implement one of the following Hardware-based Firewalls:
- WatchGuard
- SonicWall
- FortiGate
- BroadBand Router/Firewall
SI.L1-3.14.4
Update malicious code protection mechanisms when new releases are available.
What Will An Auditor Look For?
Determine if malicious code protection mechanisms are updated when new releases are available.
Suggested Solutions:
Tech Solution: Implement one of the following:
- MalwareBytes
- SentinelOne
- ESET
Tech Solution: Automatic updates/patches
SI.L1-3.14.5
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
What Will An Auditor Look For?
The frequency for malicious code scans is defined.
Malicious code scans are performed with the defined frequency.
Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
Suggested Solutions:
Tech Solution: Implement one of the following:
- MalwareBytes
- SentinelOne
- ESET
What’s Next - Practice Period
Now what? This is when your security program can begin operating, knowing that all of the controls have been met. When a security program is operational, activity will be captured via logs to prove that a real program exists (just like an accounting ledger).
As you go through your security program operation, make sure to be mindful of the following items:
Capture Updates To Documents – SSP and/or POA&M
Change Control & Maintenance Documentation Notes
Update Network Diagram
Update Data Flow Diagram
Create a Controls Responsibility Matrix Document/Spreadsheet
Review Current Flow Down Contract Requirements
Monitor, Log Capture, Report, and Maintain Program
Frequently Asked Questions
No. CMMC Level 1 is intended to be just the starting point within the maturity model. Level 2 & Level 3 will require a third-party auditor.
NIST-800-171 closely aligns with CMMC Level 2 requirements. If you are currently a DoD contractor, then you should be aware that your organization must already be NIST-800-171 compliant. Learn more here: CLICK ME
It depends on the contract and the work being performed. Unofficially, since NIST-800-171 is a current requirement, chances are CMMC Level 2 will be the most commonly required CMMC practice level. Again, this is opinion rather than fact.
Yes. Sign up to receive an email notification once the guide is up: Click Me