What are the CMMC Level 1 Controls?
Businesses embarking on their CMMC journey will most likely be aiming for CMMC level 3, which is the requirement for handling controlled unclassified information (CUI). However, the demands of level 3 are no easy feat to achieve, hence the importance of the two transitional steps that precede it. Of all the CMMC levels, the first is by far the least demanding, since it consists of only 17 actionable CMMC controls.

What is basic cyber hygiene?

The first level of the CMMC framework relates to what it describes as basic cyber hygiene and is meant to be achievable for small businesses with little or no external assistance. It is also the bare minimum requirement for handling federal contract information (FCI).

Achieving basic cyber hygiene means implementing CMMC controls that provide some degree of resistance against data exfiltration and malicious actors. The 17 practices covered may be performed in an ad-hoc manner and do not need to be audited until reaching level 2.

The entire CMMC framework consists of a total of 171 controls spanning 17 security domains governing people, processes, and technology (PPT). The first level only includes controls from six of these domains, most of which companies should already have in place.

Access control (AC)

Access control governs the restriction of access to specific users and functions, as well as the monitoring and limitation of information that is posted on publicly accessible systems. It is easy to confuse access control with identification and authentication. However, access control mechanisms determine what a user can and cannot do or access by setting things like file, data, or program permissions. As such, it typically comes after authentication, and it also covers measures for revoking access from compromised accounts or those belonging to former employees.

Identification and authentication (IA)

The basic form of identification and authentication is the username and password combination. However, as companies face the rising threat of social engineering attacks, they must also implement multifactor authentication and centralized control over user access rights. The most effective approach is zero trust security, which follows the principle of "never trust, always verify."

Media protection (MP)

The first level includes only one control from this domain, which concerns the sanitization of physical data storage media before disposal or reuse. Sanitization measures include physical destruction, full-disk encryption, or overwriting the media to ensure that sensitive data cannot be recovered. Simply formatting the device is not enough, since readily available data recovery software can easily restore the data.

Physical protection (PE)

Physical protection might not sound as relevant as it once was given the popularity of cloud computing, but it must not be overlooked. This domain covers the restriction of physical access to data-bearing devices, server rooms, and other facilities, as well as monitoring of those areas. In the case of managed services and cloud computing, responsibility for physical security falls to the provider, and you will need proof from them that these measures are in place.

System and communications protection (SC)

Containing and isolating sensitive data is essential for keeping it safe, and it is a requirement of the third CMMC level. However, even the first level requires certain protections to be put in place for your communications, such as the creation of independent subnetworks, full end-to-end encryption for sensitive communications, and round-the-clock monitoring. Other important measures include using a business-grade virtual private network (VPN) to protect your internet connection and avoiding insecure communication channels like social media or consumer-grade email.

System and information integrity (SI)

Malware exists in many different forms and, contrary to popular belief, true computer viruses are one of the rarer kinds. One of the most common malware threats is malicious code injection, which commonly targets poorly secured apps or configuration files. This is why CMMC level 1 requires a system for routinely scanning for, reporting, and remediating unauthorized system changes and flaws. External vulnerability scanning offers an effective way to monitor systems and networks for anomalous activity, while antivirus software installed on endpoint devices provides a crucial last line of defense.

Charles IT offers expert guidance and dependable security services to help you advance your security maturity, no matter where you are on your CMMC compliance journey. Call today to schedule your first consultation!