CMMC Level 1 Preparation
Background
This page serves as a Do-It-Yourself guide to help organizations prepare for CMMC Level 1 certification without hiring a consultant. These are general suggestions and will require some work to adapt to specific use cases.
Prerequisites
The following is required before you begin:
IT Knowledge: Having a basic level of IT knowledge is critical to implement the controls successfully.
Define FCI/CUI: Define what FCI & CUI are for your specific business case.
Establish CMMC Boundary: The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory.
Environment Documentation: Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here.
Security Assessment: Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here.
Create a Plan & Prioritize Resources: Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level.
CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.
CMMC Level 1
CMMC Level 1 is the entry point to the five-level CMMC ecosystem. Level 1 consists of Basic Cyber Hygiene practices that safeguard Federal Contract Information (FCI) and is made up of 17 controls. The good news for Level 1: you are not required to have documented policies or procedures in order to be certified. You are only required to show the assessor that each control is being performed.
The following are the Level 1 Categories:
Access Control (AC) (4 Controls): Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources.
Identification & Authentication (IA) (2 Controls): Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.
Media Protection (MP) (1 Control): These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.
Physical Protection (PE) (4 Controls): Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.
System & Communications Protection (SC) (2 Controls): These controls are for managing risks from vulnerable system configurations, denial of service, data communication, and information transfer both internally and externally.
System & Information Integrity (SI) (4 Controls): These controls help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.
Process & Timeline
The total timeline from Preparation to Certification is estimated to be 6 – 9 months. Many factors contribute to this estimate including the time it takes the organization to remediate any vulnerabilities found and implement the solutions offered in this DIY guide.
The following is the high-level process:
Assessment: This is the starting point to determine the correct CMMC level your organization should build a program for. The process provides insight into: Current Security Gaps, Current Risk Gaps, Current Culture, Business Pipeline, Corporate Structure, and Business Vision.
Preparation: Once the assessment is completed, it’s time to get to work on all of the items listed here in this guide. Once the security controls have been fulfilled, your organization will be ready to put the new security program into practice.
Practice Period: All gaps have been addressed, solutions are operational, and the organization is in compliance and capturing evidence that proves full compliance.
Certification (Self Assessed): After a 6-month practice period, you can perform a new assessment to confirm the organization is in full compliance and officially declare CMMC Level 1 certification.
Control Implementation
Access Control (AC) (4 Controls)
AC.1.001
Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems). (Establish)
What Will The Assessor Look For?
Authorized users are identified.
Processes acting on behalf of authorized users are identified.
Devices (and other systems) authorized to connect to the system are identified.
System access is limited to authorized users.
System access is limited to processes acting on behalf of authorized users.
System access is limited to authorized devices (including other systems).
Suggested Solutions:
Create a user list that outlines roles and privileges.
Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud, MS 365 GCC
AC.1.002
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (Control)
What Will The Assessor Look For?
The types of transactions and functions that authorized users are permitted to execute are defined.
System access is limited to the defined types of transactions and functions for authorized users.
Suggested Solutions:
Establish secure baseline configurations
Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud, MS 365 GCC
Implement one of the following: NNT Change Tracker, MS Intune, Cimcor CimTrak, RMM (N-Able, ConnectWise, Ninja, etc.)
Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate
AC.1.003
Verify and control/limit connections to and use of external information systems. (Limit)
What Will The Assessor Look For?
Connections to external systems are identified.
The use of external systems is identified.
Connections to external systems are verified.
The use of external systems is verified.
Connections to external systems are controlled/limited.
The use of external systems is controlled/limited.
Suggested Solutions:
Create an access control list. For example, if you have a Customer Portal, ensure that every user is accounted for and that their access is documented.
User roles and privileges are defined.
AC.1.004
Control information posted or processed on publicly accessible information systems. (Limit)
What Will The Assessor Look For?
Connections to external systems are identified.
The use of external systems is identified.
Connections to external systems are verified.
The use of external systems is verified.
Connections to external systems are controlled/limited.
The use of external systems is controlled/limited.
Suggested Solutions:
Create an access control list. For example, if you have a CMS for your company website, make sure you have identified its users and what they have access to.
User roles and privileges are defined.
Identification & Authentication (IA) (2 Controls)
IA.1.076
Identify information system users, processes acting on behalf of users or devices.
What Will The Assessor Look For?
System users are identified.
Processes acting on behalf of users are identified.
Devices accessing the system are identified.
Suggested Solutions:
Create a user list that outlines roles and privileges.
Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud.
Implement one of the following: MS Intune, AirWatch.
IA.1.077
Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
What Will The Assessor Look For?
The identity of each user is authenticated or verified as a prerequisite to system access.
The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
Suggested Solutions:
Create a user list that outlines roles and privileges.
Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud.
Implement one of the following: MS Intune, AirWatch.
Media Protection (MP) (1 Control)
MP.1.118
Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.
What Will The Assessor Look For?
System media containing FCI is sanitized or destroyed before disposal.
System media containing FCI is sanitized before it is released for reuse.
Suggested Solutions:
Darik's Boot and Nuke (DBAN)
Lansweeper
Cross-Cut Shredder
Physical Protection (PE) (4 Controls)
PE.1.131
Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.
What Will The Assessor Look For?
Authorized individuals allowed physical access are identified.
Physical access to organizational systems is limited to authorized individuals.
Physical access to equipment is limited to authorized individuals.
Physical access to operating environments is limited to authorized individuals.
Suggested Solutions:
Keycard access, locked devices, etc.
PE.1.132
Escort visitors and monitor visitor activity.
What Will The Assessor Look For?
Visitors are escorted.
Visitor activity is monitored.
Suggested Solutions:
Visitor Log book - Evidence of visitor management and logging visitor activities.
System & Communications Protection (SC) (2 Controls)
SC.1.175
Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
What Will The Assessor Look For?
The external system boundary is defined.
Key internal system boundaries are defined.
Communications are monitored at the external system boundary.
Communications are monitored at key internal boundaries.
Communications are controlled at the external system boundary.
Communications are controlled at key internal boundaries.
Communications are protected at the external system boundary.
Communications are protected at key internal boundaries.
Suggested Solutions:
Network Map and Data Flow Diagram
External Communications: Google Reader, Hootsuite, TalkWalker
Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall
Implement one of the following: MS Intune, AirWatch, NNT Change Tracker, Cimcor CimTrak
SC.1.176
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
What Will The Assessor Look For?
Publicly accessible system components are identified.
Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
Suggested Solutions:
Network Map and Data Flow Diagram
Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall
Implement one of the following: MS Intune, AirWatch, NNT Change Tracker, Cimcor CimTrak
System & Information Integrity (SI) (4 Controls)
SI.1.210
Identify, report and correct information and information system flaws in a timely manner.
What Will The Assessor Look For?
The time within which to identify system flaws is specified.
System flaws are identified within the specified time frame.
The time within which to report system flaws is specified.
System flaws are reported within the specified time frame.
The time within which to correct system flaws is specified.
System flaws are corrected within the specified time frame.
Suggested Solutions:
Automated update/patch services
Implement one of the following: Cimcor CimTrak, RMM
SI.1.211
Provide protection from malicious code at appropriate locations within organizational information systems.
What Will The Assessor Look For?
Designated locations for malicious code protection are identified.
Protection from malicious code at designated locations is provided.
Suggested Solutions:
Implement one of the following: MalwareBytes, SentinelOne, ESET
Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall
SI.1.212
Update malicious code protection mechanisms when new releases are available.
What Will The Assessor Look For?
Determine if malicious code protection mechanisms are updated when new releases are available.
Suggested Solutions:
Implement one of the following: MalwareBytes, SentinelOne, ESET
Automatic updates/patches
SI.1.213
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
What Will The Assessor Look For?
The frequency for malicious code scans is defined.
Malicious code scans are performed with the defined frequency.
Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
Suggested Solutions:
Implement one of the following: MalwareBytes, SentinelOne, ESET
What’s Next - Practice Period
The following is required before you begin:
Capture Updates To Documents – SSP and/or POA&M
Change Control & Maintenance Documentation Notes
Update Network Diagram
Update Data Flow Diagram
Create a Controls Responsibility Matrix Document/Spreadsheet
Review Current Flow Down Contract Requirements
Monitor, Log Capture, Report, and Maintain Program
WHY US?
- We Are Proven: We have a deep track record of success and numerous clients who will be happy to speak to our team’s expertise and willingness to go the extra mile. This has helped us receive the award as the Top Cybersecurity Firm in Baltimore.
- We Speak Your Language: Our communication style humanizes our technical solutions, leading to greater cultural acceptance and adherence.
- We Are Focused: We are driven by one overarching goal – Security Compliance Certification for our client partners.
- We Never Lose: 100% of the clients who complete the steps in our process achieve compliance.
