CMMC Level 1 Preparation

Background

This page serves as a Do-It-Yourself guide to help organizations looking to prepare for their CMMC Level 1 certification without the need to hire a consultant. These are general suggestions and will require some work to modify for specific use cases.

PreRequisites

The following is required before you begin: 

  1. IT Knowledge: Having a basic level of IT knowledge is critical to implement the controls successfully. 

  2. Define FCI/CUI: Define what FCI & CUI is for your specific business case.

  3. Establish CMMC Boundary: The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory.

  4. Environment Documentation: Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here.

  5. Security Assessment: Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here.

  6. Create a Plan & Prioritize Resources:  Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). 

The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. 

CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.

 

Additional Resources:

CMMC Level 1

CMMC Level 1 is the entry point to the 5 level ecosystem. Level 1 is considered to be Basic Cyber Hygiene practices that enable safeguards for Federal Contract Information (FCI) and is made up of 17 controls. The good news for Level 1: You are not required to have documented policies or procedures in order to be certified. You are just required to show the auditor that each control is being performed.

The following are the Level 1 Categories:

  1. Access Control (AC) (4 Controls): Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources.

  2. Identification & Authentication (IA) (2 Controls): Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.

  3. Media Protection (MP) (1 Control): These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.

  4. Physical Protection (PE) (4 Controls): Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.

  5. System & Communications Protection (SC) (2 Controls): These controls are for managing risks from vulnerable
    system configurations, denial of service, data communication, and information transfer both internally and externally.

  6. System & Information Integrity (SI) (4 Controls): These control help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.

Process & Timeline

The total timeline from Preparation to Certification is estimated to be 6 – 9 months. Many factors contribute to this estimate including the time it takes the organization to remediate any vulnerabilities found and implement the solutions offered in this DIY guide.

 

The following is the high-level process:

  1. Assessment: This is the starting point to determine the correct CMMC level your organization should build a program for. The process provides insight into: Current Security Gaps, Current Risk Gaps, Understand the Current Culture, Business Pipeline, Corporate Structure, and Business Vision.

  2. Preparation: Once the assessment is completed, it’s time to get to work on all of the items listed here in this guide. Once the security controls have been fulfilled, your organization will be ready to put the new security program into practice.

  3. Practice Period: All gaps have been addressed, solutions are operational, and the organization is in compliance capturing evidence proving full compliance.

  4. Certification (Self Assessed): After 6 months of continued practice period, you can perform a new assessment to ensure the organization is in full compliance to officially declare CMMC Level 1 certification.

Control Implementation

Access Control (AC) (4 Controls)

AC.1.001

Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems). (Establish)

What Will The Accessor Look For?

  1. Authorized users are identified.

  2. Processes acting on behalf of authorized users are identified.

  3. Devices (and other systems) authorized to connect to the system are identified.

  4. System access is limited to authorized users.

  5. System access is limited to processes acting on behalf of authorized users.

  6. System access is limited to authorized devices (including other systems).

 

Suggested Solutions:

  1. Create a user list that outlines roles and privileges.

  2. Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud, MS 365 GCC


 

AC.1.002

Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (Control)

What Will The Accessor Look For?

  1. The types of transactions and functions that authorized users are permitted to execute are defined.

  2. System access is limited to the defined types of transactions and functions for authorized users.

Suggested Solutions:

  1. Establish secure baseline configurations

  2. Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud, MS 365 GCC

  3. Implement one of the following: NNT Change Tracker, MS InTune, Cimcor CimTrak, RMM (N-Able, ConnectWise, Ninja, etc)

  4. Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate


 

AC.1.003

Verify and control/limit connections to and use of external information systems. (Limit)

 

What Will The Accessor Look For?

  1. Connections to external systems are identified.

  2. The use of external systems is identified.

  3. Connections to external systems are verified.

  4. The use of external systems is verified.

  5. Connections to external systems are controlled/limited.

  6. The use of external systems is controlled/limited.

 

Suggested Solutions:

  1. Create an access control list. For example, if you have a Customer Portal, ensuring that every user is accounted for and their access is documented.

  2. User roles and privileges are defined.


 
 

AC.1.004

Control information posted or processed on publicly accessible information systems. (Limit)

What Will The Accessor Look For?

  1. Connections to external systems are identified.

  2. The use of external systems is identified.

  3. Connections to external systems are verified.

  4. The use of external systems is verified.

  5. Connections to external systems are controlled/limited.

  6. The use of external systems is controlled/limited.

Suggested Solutions:

  1. Create an access control list. For example, if you have a CMS for your company website, make sure you identified users and what they have access to.

  2. User roles and privileges are defined.


 

Identification & Authentication (IA) (2 Controls

 

IA.1.076

Identify information system users, processes acting on behalf of users or devices.

What Will The Accessor Look For?

  1. System users are identified.

  2. Processes acting on behalf of users are identified.

  3. Devices accessing the system are identified.

 

Suggested Solutions:

  1. Create a user list that outlines roles and privileges.

  2. Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud.

  3. Implement one of the following: MS Intune, AirWatch.


 
 

IA.1.077

Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.


What Will The Accessor Look For?

  1. The identity of each user is authenticated or verified as a prerequisite to system access.

  2. The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.

  3. The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.


Suggested Solutions:

  1. Create a user list that outlines roles and privileges.

  2. Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud.

  3. Implement one of the following: MS Intune, AirWatch.


 

Media Protection (MP) (1 Control)

 

MP.1.118

Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.

What Will The Accessor Look For?

  1. System media containing FCI is sanitized or destroyed before disposal.

  2. System media containing FCI is sanitized before it is released for reuse.

Suggested Solutions:

  1. Darik's Boot and Nuke (DBAN)

  2. Lansweeper

  3. Cross-Cut Shredder


 

Physical Protection (PE) (4 Controls)

 

PE.1.131

Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.

What Will The Accessor Look For?

  1. Authorized individuals allowed physical access are identified.

  2. Physical access to organizational systems is limited to authorized individuals.

  3. Physical access to equipment is limited to authorized individuals.

  4. Physical access to operating environments is limited to authorized individuals.

Suggested Solutions:

  1. Keycard access, locked devices, etc


 

PE.1.132

Escort visitors and monitor visitor activity.

What Will The Accessor Look For?

  1. Visitors are escorted.

  2. Visitor activity is monitored.

Suggested Solutions:

  1. Visitor Log book - Evidence of visitor management and logging visitor activities.


 
 

PE.1.133

Maintain audit logs of physical access.

What Will The Accessor Look For?

  1. Determine if audit logs of physical access are maintained.

Suggested Solutions:

  1. Visitor Log book - Evidence of visitor management and logging visitor activities.

  2. System logs - Windows, RMM, etc


 
 

PE.1.134

Control and manage physical access devices.

 

What Will The Accessor Look For?

  1. Physical access devices are identified.

  2. Physical access devices are controlled.

  3. Physical access devices are managed.

Solution:

  1. Technology asset inventory and awareness of location

  2. MS Intune, AirWatch


 

System & Communications Protection (SC) (2 Controls)

SC.1.175

Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

 

What Will The Accessor Look For?

  1. The external system boundary is defined.

  2. Key internal system boundaries are defined.

  3. Communications are monitored at the external system boundary.

  4. Communications are monitored at key internal boundaries.

  5. Communications are controlled at the external system boundary.

  6. Communications are controlled at key internal boundaries.

  7. Communications are protected at the external system boundary.

  8. Communications are protected at key internal boundaries.

 

Suggested Solutions:

  1. Network Map and Data Flow Diagram

  2. External Communications: Google Reader, Hootsuite, TalkWalker

  3. Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall

  4. Implement one of the following: MS Intune, AirWatch, NNT Change Tracker, Cimcor CimTrak


 
 

SC.1.176

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

What Will The Accessor Look For?

  1. Publicly accessible system components are identified.

  2. Subnetworks for publicly accessible system components are physically or logically separated from internal networks.

Suggested Solutions:

  1. Network Map and Data Flow Diagram

  2. Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall

  3. MS Intune, AirWatch, NNT Change Tracker, Cimcor CimTrak


 

System & Information Integrity (SI) (4 Controls)

 

SI.1.210

Identify, report and correct information and information system flaws in a timely manner.

What Will The Accessor Look For?

  1. The time within which to identify system flaws is specified.

  2. System flaws are identified within the specified time frame.

  3. The time within which to report system flaws is specified.

  4. System flaws are reported within the specified time frame.

  5. The time within which to correct system flaws is specified.

  6. System flaws are corrected within the specified time frame.

Suggested Solutions:

  1. Automated update/patch services 

  2. Implement one of the following: Cimcor CimTrak, RMM


 
 

SI.1.211

Provide protection from malicious code at appropriate locations within organizational information systems.

What Will The Accessor Look For?

  1. Designated locations for malicious code protection are identified.

  2. Protection from malicious code at designated locations is provided.

Suggested Solutions:

  1. Implement one of the following: MalwareBytes, SentinelOne, ESET

  2. Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall


 
 

SI.1.212

Update malicious code protection mechanisms when new releases are available.

What Will The Accessor Look For?

  1. Determine if malicious code protection mechanisms are updated when new releases are available.

Solution:

  1. Implement one of the following: MalwareBytes, SentinelOne, ESET

  2. Automatic updates/patches


 

SI.1.213

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

What Will The Accessor Look For?

  1. The frequency for malicious code scans is defined.

  2. Malicious code scans are performed with the defined frequency.

  3. Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.

Suggested Solutions:

  1. Implement one of the following: MalwareBytes, SentinelOne, ESET


 

What’s Next - Practice Period

The following is required before you begin:

  1. Capture Updates To Documents – SSP and/or POA&M

  2. Change Control & Maintenance Documentation Notes

  3. Update Network Diagram

  4. Update Data Flow Diagram

  5. Create a Controls Responsibility Matrix Document/Spreadsheet

  6. Review Current Flow Down Contract Requirements

  7. Monitor, Log Capture, Report, and Maintain Program

WHY US?

  1. We Are Proven: We have a deep track record of success and numerous clients who will be happy to speak to our team’s expertise and willingness to go the extra mile. This has helped us receive the award as the Top Cybersecurity Firm in Baltimore.

  2. We Speak Your Language: Our communication style humanizes our technical solutions, leading to greater cultural acceptance and adherence.

  3. We Are Focused: We are driven by one overarching goal – Security Compliance Certification for our client partners.

  4. We Never Lose: 100% of the clients who complete the steps in our process achieve compliance.

 

RPO Registered

Reach OUt Today