CMMC Level 1 Preparation

Background

This page serves as a Do-It-Yourself guide to help organizations looking to prepare for their CMMC Level 1 certification without the need to hire a consultant. These are general suggestions and will require some work to modify for specific use cases. If you would like us to offer you specific solutions, please take our CMMC Level 1 Self Assessment.

Prerequisites

The following is required before you begin:

  1. IT Knowledge: A basic level of IT knowledge is critical to implementing the controls successfully.

  2. Define FCI: Define what FCI is for your specific business case.

  3. Establish CMMC Boundary: The following assets need to be created: Network Map, Data Flow Diagram, & Tech/Software Asset Inventory.

  4. Environment Documentation: Create a System Security Plan (SSP) that is bespoke to the organization. Templates are available for free here.

  5. Security Assessment: Identify your current security gaps and place all open issues into a Plan of Action & Milestone (POA&M) document. POA&M templates can be found here.

  6. Create a Plan & Prioritize Resources: Develop an Org Chart that clearly identifies roles & responsibilities, determine the who, what, why, and where in terms of information access, and determine who in your organization would be able to assist with meeting each control.

What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). 


The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. 


CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.


The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.


CMMC Level 1

CMMC Level 1 is the entry point to the five-level ecosystem. Level 1 is considered to be Basic Cyber Hygiene: practices that enable safeguards for Federal Contract Information (FCI), made up of 17 controls. The good news for Level 1: you are not required to have documented policies or procedures in order to be certified. You are only required to show the auditor that each control is being performed.

The following are the Level 1 Categories:

  1. Access Control (AC) (4 Controls): Access control is a fundamental component of data security that dictates who is allowed to access and use company information and resources.

  2. Identification & Authentication (IA) (2 Controls): Identification is the ability to uniquely identify a user of a system or an application running in the system. Authentication is the ability to prove that a user or application is genuinely who that person, or what that application, claims to be.

  3. Media Protection (MP) (1 Control): These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlled, and the safe use of storage devices.

  4. Physical Protection (PE) (4 Controls): Security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property.

  5. System & Communications Protection (SC) (2 Controls): These controls are for managing risks from vulnerable system configurations, denial of service, data communication, and information transfer both internally and externally.

  6. System & Information Integrity (SI) (4 Controls): These controls help provide assurance that the information being accessed has not been tampered with or damaged by an error in the information system.

Process & Timeline

The total timeline from Preparation to Certification is estimated to be 6 - 9 months. Many factors contribute to this estimate, including the time it takes the organization to remediate any vulnerabilities found and to implement the solutions offered in this DIY guide.

The following is the high-level process:

  1. Preparation: This is the starting point and the basis for this DIY guide. Once all of the items are completed in this guide, your organization will be ready to put the controls into practice.

  2. Practice Period: All gaps have been addressed, solutions are operational, and the organization is in compliance.

  3. Assessment: This step requires hiring a C3PAO to perform the assessment and submit their report to the CMMC-AB.

  4. Certification: Once the report from the C3PAO is received by the CMMC-AB, the AB will go through its own process to complete the certification.

Control Implementation

Access Control (AC) (4 Controls)

AC.1.001

Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems). (Establish)

What Will The Assessor Look For?

  1. Authorized users are identified.

  2. Processes acting on behalf of authorized users are identified.

  3. Devices (and other systems) authorized to connect to the system are identified.

  4. System access is limited to authorized users.

  5. System access is limited to processes acting on behalf of authorized users.

  6. System access is limited to authorized devices (including other systems).


Suggested Solutions:

  1. Create a user list that outlines roles and privileges.

  2. Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud, MS 365 GCC.

Identification & Authentication (IA) (2 Controls)

IA.1.076

Identify information system users, processes acting on behalf of users or devices.

What Will The Assessor Look For?

  1. System users are identified.

  2. Processes acting on behalf of users are identified.

  3. Devices accessing the system are identified.


Suggested Solutions:

  1. Create a user list that outlines roles and privileges.

  2. Implement one of the following: MS Active Directory, Azure AD SSO, JumpCloud.

  3. Implement one of the following: MS Intune, AirWatch.

Media Protection (MP) (1 Control)

MP.1.118

Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.

What Will The Assessor Look For?

  1. System media containing FCI is sanitized or destroyed before disposal.

  2. System media containing FCI is sanitized before it is released for reuse.


Suggested Solutions:

  1. Darik's Boot and Nuke (DBAN)

  2. Lansweeper

  3. Cross-Cut Shredder

Physical Protection (PE) (4 Controls)

PE.1.131

Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals.

What Will The Assessor Look For?

  1. Authorized individuals allowed physical access are identified.

  2. Physical access to organizational systems is limited to authorized individuals.

  3. Physical access to equipment is limited to authorized individuals.

  4. Physical access to operating environments is limited to authorized individuals.


Suggested Solutions:

  1. Keycard access, locked devices, etc.

System & Communications Protection (SC) (2 Controls)

SC.1.175

Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.


What Will The Assessor Look For?

  1. The external system boundary is defined.

  2. Key internal system boundaries are defined.

  3. Communications are monitored at the external system boundary.

  4. Communications are monitored at key internal boundaries.

  5. Communications are controlled at the external system boundary.

  6. Communications are controlled at key internal boundaries.

  7. Communications are protected at the external system boundary.

  8. Communications are protected at key internal boundaries.


Suggested Solutions:

  1. Network Map and Data Flow Diagram

  2. External Communications: Google Reader, Hootsuite, TalkWalker

  3. Implement one of the following Hardware-based Firewalls: WatchGuard, SonicWall, FortiGate, BroadBand Router/Firewall

  4. Implement one of the following: MS Intune, AirWatch, NNT Change Tracker, Cimcor CimTrak

System & Information Integrity (SI) (4 Controls)

SI.1.210

Identify, report and correct information and information system flaws in a timely manner.

What Will The Assessor Look For?

  1. The time within which to identify system flaws is specified.

  2. System flaws are identified within the specified time frame.

  3. The time within which to report system flaws is specified.

  4. System flaws are reported within the specified time frame.

  5. The time within which to correct system flaws is specified.

  6. System flaws are corrected within the specified time frame.


Suggested Solutions:

  1. Automated update/patch services

  2. Implement one of the following: Cimcor CimTrak, RMM

What’s Next - Practice Period

The following is required before you begin:

  1. Capture Updates To Documents - SSP and/or POA&M

  2. Change Control & Maintenance Documentation Notes

  3. Update Network Diagram

  4. Update Data Flow Diagram

  5. Create a Controls Responsibility Matrix Document/Spreadsheet

  6. Review Current Flow Down Contract Requirements

  7. Monitor, Log Capture, Report, and Maintain Program

Need Help? Why Us

  1. We are Government Contractors ourselves & going through CMMC certification process.

  2. We have over 8 years of creative compliance experience within the Intelligence and Commercial communities.

  3. We have been successful in receiving multiple ATOs on all classification level environments to include Unclassified, Secret, and Top Secret Networks.


Reach Out Today
