CMMC Level 1

CMMC Level 1 Explained

In this post we explain CMMC Level 1 requirements.

CMMC has five maturity levels. Level 1 is the lowest level. Level 1 CMMC requirements seek to ensure that a contractor can “safeguard federal contract information”. This is achieved by requiring contractors to practice “Basic Cyber Hygiene”. It is expected that most DoD contractors will only need to earn a level 1 CMMC certification.

Who does CMMC Level 1 Apply to?

CMMC applies to U.S. Department of Defense contractors who store, process or transmit Federal contract information (FCI). Every company required to earn a CMMC certification will need to implement the practices associated with CMMC level 1.

CMMC Level 1 Practices

There are seventeen practices associated with CMMC level 1. An organization with a level 1 CMMC requirement is required to perform all 17 practices. The CMMC practices for level 1 were drawn from the security controls in FAR 52.204-21.

The 17 CMMC level 1 practices are:

  • AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

  • AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

  • AC.1.003 Verify and control/limit connections to and use of external information systems.

  • AC.1.004 Control information posted or processed on publicly accessible information systems.

  • IA.1.076 Identify information system users, processes acting on behalf of users, or devices.

  • IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

  • MP.1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

  • PE.1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

  • PE.1.132 Escort visitors and monitor visitor activity.

  • PE.1.133 Maintain audit logs of physical access.

  • PE.1.134 Control and manage physical access devices.

  • SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

  • SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

  • SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.

  • SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.

  • SI.1.212 Update malicious code protection mechanisms when new releases are available.

  • SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

CMMC level 1 Process Maturity

Contractors with a CMMC level 1 requirement are only required to “perform” the 17 practices prescribed by CMMC level 1. No documentation or written policies are required for the implementation of these practices.