Understanding the 17 Practices for CMMC Level 1
Learn about the 17 cybersecurity practices required for CMMC Level 1 compliance. Understand basic safeguarding measures and how they help protect federal contract information (FCI).

The Department of Defense (DoD) frequently works with matters of national security. Even when material is unclassified, such as FCI, it may still require safeguarding in accordance with federal regulations. To ensure that all of its contractors follow procedures that keep that data secure, the DoD created the Cybersecurity Maturity Model Certification (CMMC) program.
CMMC 2.0 Level 1 is the foundational tier of this certification program. It’s designed to protect Federal Contract Information (FCI) across all touchpoints. For small to mid-sized DoD contractors, taking the time to understand and implement the 17 CMMC Level 1 practices will open doors to gaining contract work with the DoD and keeping sensitive government information secure.
This article will explore those CMMC Level 1 cybersecurity practices and why they matter for your organization.
What is CMMC Level 1?
CMMC Level 1 is the first tier of the CMMC framework. It’s designed specifically for organizations that handle FCI but do not process any Controlled Unclassified Information (CUI). It’s the level most commonly used by small to mid-sized DoD contractors. It provides robust protection measures that don’t require large cybersecurity resources while still keeping the data secure enough for the type of information shared at this level.
CMMC Level 1 is built from the 15 basic safeguarding requirements in FAR 52.204-21, which are designed to protect the information systems and media used by DoD-covered contractors; CMMC breaks those requirements out into 17 distinct practices. Together they form the baseline cybersecurity standard that any contractor working with the DoD must meet if it is tasked with handling FCI.
What makes CMMC Level 1 so beneficial for small to mid-sized businesses is its self-assessment approach. Higher CMMC levels require third-party certification, but CMMC compliance Level 1 can be reached with an annual self-assessment. This reduces the financial and administrative strain on businesses seeking certification while still keeping the FCI they work with secure.
If you want to learn more about CMMC requirements, Agile IT’s CMMC compliance whitepaper provides detailed information about the certification process and what it means for defense contractors.
Breakdown of the 17 CMMC Level 1 Practices
The CMMC Level 1 checklist consists of 17 distinct cybersecurity practices that cover six important areas of security. Each speaks to a specific vulnerability or class of vulnerabilities and establishes basic safeguarding to mitigate the risks associated with it.
Access Control (AC) – 4 Practices
The Access Control section is the cornerstone of information security. It’s the first, and perhaps most important, step in ensuring that only authorized personnel have access to sensitive data or systems.
- AC.1.001 requires that access to any FCI is limited to only those who have a legitimate business need to access the data.
- AC.1.002 takes that concept further, limiting the actions and operations a user can perform on the data they access to only what their role requires.
- AC.1.003 deals with external information systems, such as cloud service providers, and sets rules regarding how they’re accessed.
- AC.1.004 focuses on controlling what information is posted to publicly accessible systems, so that no sensitive data is accidentally exposed.
Identification and Authentication (IA) – 2 Practices
The Identification and Authentication section is about properly verifying all users before granting access to any controlled data.
- IA.1.076 provides a basis for accountability by requiring contractors to identify all system users, processes acting on behalf of users, and devices connecting to their systems.
- IA.1.077 requires the identity of all users, processes, or devices to be verified before being granted access to information systems.
Media Protection (MP) – 1 Practice
This single-item section deals with the security of data at the end of its lifecycle. It requires companies to sanitize or destroy information system media that contains FCI before it is disposed of or released for reuse or resale.
Physical Protection (PE) – 4 Practices
The Physical Protection section is about physical access to devices that could allow attackers to bypass technical controls.
- PE.1.131 requires access to the company’s information systems, equipment, and operating environments to be limited to only authorized personnel.
- PE.1.132 says that any visitors who are in areas that contain sensitive information should be escorted and monitored the entire time they’re there.
- PE.1.133 mandates that audit logs of all physical access are maintained so that accountability can be traced during an investigation.
- PE.1.134 lays out how physical access devices such as keys, access cards, and biometric readers are controlled and managed.
System and Communications Protection (SC) – 2 Practices
The two-item System and Communications Protection section covers how information systems and their network communications are protected.
- SC.1.175 requires that communications are monitored, controlled, and protected at external boundaries and key internal boundaries.
- SC.1.176 requires that subnetworks be created that are physically or logically separated from internal networks.
System and Information Integrity (SI) – 4 Practices
The System and Information Integrity section is about ongoing system maintenance and threat protection.
- SI.1.210 says that all information system flaws must be identified, reported, and corrected in a timely manner.
- SI.1.211 requires that information systems used to process FCI are protected against malicious code that could lead to a data breach.
- SI.1.212 says the protection in place for malicious code must be updated to the latest version promptly to minimize security threats.
- SI.1.213 lays out the requirements for periodic system scans and real-time scanning of files that come from external sources.
How to Implement These 17 Practices
The 17 CMMC Level 1 practices were designed with small to mid-sized businesses in mind. While this simplifies the process for businesses of that size, strategic planning is still required to successfully implement them. Companies need to consider their unique constraints and capabilities and develop cost-effective measures that meet the requirements without straining resources.
The first step to compliance is to identify existing security measures and look for areas that need improvement. This means looking over each of the 17 practices and determining where security gaps are in relation to what’s required.
This can be difficult for small to mid-sized businesses because of limited cybersecurity expertise and financial limitations. These obstacles can be overcome in a cost-effective way through strategic partnerships with experienced cybersecurity providers like AgileIT. We specialize in helping businesses navigate the often confusing CMMC requirements.
For companies using Microsoft 365, AgileIT’s guide to CMMC Level 1 mapping explains how the CMMC Level 1 requirements map to features of that platform.
Conclusion
The 17 CMMC Level 1 practices are compliance requirements, but they’re also a ticket to gaining potentially lucrative government contracts. For some companies, this can make or break their business. These basic safeguarding measures may seem daunting at first glance, but with the right partner, they are easily achievable.
Our AgileDefend managed security services can help your business gain CMMC compliance with minimal impact on your core business operations. If you need help with CMMC Level 1 compliance, contact AgileIT today.