CMMC Level 1 Capabilities and Practices
Per the draft Cybersecurity Maturity Model Certification (CMMC) model, there will be 27 Capabilities composed of 35 Practices that companies must demonstrate in order to achieve a Level 1 certificate. For more information on how the CMMC Framework is organized and what capabilities and practices are, visit our last blog. Level 1 is the lowest maturity level and, according to information provided at listening tours by DoD, will be the minimum required maturity certificate in order to do any business with the DoD.
Granted, the requirements are still in draft form, but it’s hard to see how the DoD can legally base a company’s ability to bid or not bid on a contract on what appears to be the theme of Level 1: the phrase “at least in an ad hoc manner.” The legal definition of ad hoc, and I’m assuming that’s the one that matters if contracts are on the line, is “for this purpose only.” I’m sure that more will be coming on this phrase, since most if not all cybersecurity controls are for this purpose only.
For most established companies with an IT staff even somewhat on the ball, the Level 1 Certificate should be easily obtainable. For smaller companies, or those without a dedicated IT staff, it may be a little more challenging. Audit logs and detection and reporting are just a couple of areas where small companies, relying on Jane or Jim who happens to be good at computers to run their IT along with their real job, might encounter some problems.
Ascolta’s Greenfield will solve the Level 1 through Level 3 certification problems for companies by providing a fully engineered, protected, capable and documented environment that meets all the Capabilities, Practices and Processes required for a third party to successfully issue a certification.
Below are the Domains, Capabilities and Practices for CMMC Level 1. There are no Processes listed in Level 1. An Excel spreadsheet containing all five levels is available here.
DOMAIN: ACCESS CONTROL (AC)
Capability 1: Establish internal system access requirements
System access is limited to authorized users, processes acting on behalf of authorized users, and devices, at least in an ad hoc manner.
Capability 2: Control internal system access
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Limit unsuccessful logon attempts on a single system to 10 or less.
Capability 4: Identify access requirements for each class of data accessible from the internal network
Guidelines are developed for the use of personally owned or external information systems.
Capability 5: Limit access to data to authorized users and processes acting on behalf of authorized users.
CUI posted to publicly accessible systems is identified and controlled.
DOMAIN: ASSET MANAGEMENT (AM)
Capability 1: Identify assets
Organizational assets are identified and inventoried (hardware, virtual, software, firmware, and CUI information), at least in an ad hoc manner.
The organization ensures that software is supported by the vendor.
DOMAIN: AUDIT AND ACCOUNTABILITY (AA)
Capability 4: Auditing is performed
Audit logs are created and retained, at least in an ad hoc manner.
Capability 7: Audit logs are reviewed
Audit logs are reviewed, at least in an ad hoc manner.
DOMAIN: AWARENESS AND TRAINING (AT)
DOMAIN: CONFIGURATION MANAGEMENT (CM)
Capability 3: Configuration baselines are established
Configuration baselines for organizational systems are established, at least in an ad hoc manner.
Capability 5: Configuration management is performed
The organization performs configuration management for organizational systems, at least in an ad hoc manner.
DOMAIN: CYBERSECURITY GOVERNANCE (CG)
Capability 1: Define cybersecurity objectives
Cybersecurity objectives are established for the organization, at least in an ad hoc manner.
Capability 3: Manage cybersecurity plans
Cybersecurity objectives are implemented in the organization, at least in an ad hoc manner.
DOMAIN: IDENTIFICATION AND AUTHORIZATION (IDA)
Capability 1: System users, processes and devices are identified before access is granted
The organization identifies system users, processes acting on behalf of users, and devices, at least in an ad hoc manner.
The identities of users, processes, or devices are authenticated (or verified) as a prerequisite to allowing access to organizational systems.
DOMAIN: INCIDENT RESPONSE (IR)
Capability 1: Detect and report events
Events are detected and reported, at least in an ad hoc manner.
Capability 3: Declare and report incidents
Incidents are declared, at least in an ad hoc manner.
Capability 5: Develop and implement a response to a declared incident
Incidents are resolved, at least in an ad hoc manner.
DOMAIN: MAINTENANCE (MA)
Capability 1: Maintenance is performed
The organization performs maintenance on its organizational systems, at least in an ad hoc manner.
DOMAIN: MEDIA PROTECTION (MP)
Capability 3: Media is sanitized
Non-digital and digital media containing CUI is sanitized or destroyed before disposal or release for reuse, at least in an ad hoc manner.
DOMAIN: PERSONNEL SECURITY (PS)
Capability 1: Screen personnel
Individuals are screened prior to authorizing access to organizational systems containing CUI, at least in an ad hoc manner.
Capability 2: Protect CUI during personnel actions
CUI is protected during personnel actions, at least in an ad hoc manner.
DOMAIN: PHYSICAL PROTECTION (PP)
Capability 4: Limit physical access to organizational systems, equipment, and respective operation environments based on defined physical security access requirements
The organization limits physical access to systems, equipment, and the respective operating environment, at least in an ad hoc manner.
The organization controls and manages physical access to devices, at least in an ad hoc manner.
Capability 5: Monitor physical facilities for adherence to physical security access requirements
The organization escorts visitors and monitors visitor activity, at least in an ad hoc manner.
The organization maintains audit logs of physical access, at least in an ad hoc manner.
DOMAIN: RECOVERY (RE)
DOMAIN: RISK MANAGEMENT (RM)
DOMAIN: SECURITY ASSESSMENT (SAS)
Capability 4: Define
Define controls, at least in an ad hoc manner.
DOMAIN: SITUATIONAL AWARENESS (SA)
Capability 2: Implement threat monitoring based on defined requirements
The organization receives cyber threat intelligence from information sharing forums and sources, at least in an ad hoc manner.
Capability 4: Communicate threat information to stakeholders
Threat information is communicated to internal and external stakeholders, at least in an ad hoc manner.
DOMAIN: SYSTEM AND COMMUNICATIONS PROTECTION (SCP)
Capability 2: Control communications at system boundaries
The organization monitors, controls, and protects communications at system boundaries, at least in an ad hoc manner.
Publicly accessible systems are physically or logically separated from internal networks, at least in an ad hoc manner.
DOMAIN: SYSTEM AND INFORMATIONAL INTEGRITY (SII)
Capability 1: Information system flaws are identified and corrected
Information system flaws are identified and corrected, at least in an ad hoc manner.
Capability 3: Malicious content is being identified
Malicious code protection (e.g., anti-virus) is installed on all applicable machines.
Malicious code protection (e.g., anti-virus) is updated when new releases are available.
Scanning of files downloaded from external sources occurs in real-time.