CMMC Level 1 Checklist
CMMC 2.0 Level 1 applies to DoD contractors that handle FCI to develop or deliver a product or service to the Department. This CMMC Level 1 checklist walks through the requirements.
Last updated Oct 29, 2024.
Under the CMMC 2.0 Final Rule (32 CFR Part 170), published in October 2024, DoD contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must meet Cybersecurity Maturity Model Certification (CMMC) requirements to remain eligible for DoD contracts. The rule takes effect on December 16, 2024; from then on, contractors and subcontractors that handle FCI or CUI must work towards the CMMC Level their contracts require.
The CMMC 2.0 framework measures cybersecurity maturity at three levels: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3). The Level a contract requires depends on the type and sensitivity of the information handled, the threats to it, and the implementation effort and cost the Department considers proportionate.
The Final Rule keeps a four-phased rollout, with a timeline for when each Level will start appearing in solicitations.
CMMC Level 1 and Level 2 self-assessments are expected to begin in Phase 1, around Q1 2025. Organizations that need Level 1 should already have the internal practices in place to meet its requirements. To help you understand those requirements and organize your compliance effort, we have put together this CMMC Level 1 Checklist.
How to Determine Your CMMC Level?
The prime contract or subcontract will contain DFARS clause 252.204-7021, which specifies the minimum CMMC Level an organization must hold before the contract can be awarded.
CMMC 2.0 Level 1 (Foundational) applies to DoD contractors and subcontractors that handle FCI to develop or deliver a product or service to the Government. Level 1 requires the basic safeguarding requirements of FAR clause 52.204-21. The FAR clause lists 15 requirements; the legacy CMMC practice numbering used in this checklist splits the physical-access requirement (escort visitors, keep access logs, manage access devices) into three practices, which is where the commonly cited figure of 17 comes from.
CMMC Level 2 (Advanced) applies to current and prospective DoD contractors and subcontractors that handle Controlled Unclassified Information (CUI), including Controlled Technical Information (CTI) and ITAR or other export-controlled data. To achieve Level 2, organizations must implement all 110 security requirements of NIST SP 800-171 and, depending on the contract, pass either a self-assessment or a certification assessment by a C3PAO.
CMMC Level 3 (Expert) is reserved for programs where advanced persistent threats (APTs) must be considered. A contractor must first hold a Level 2 certification from a C3PAO, then implement 24 selected enhanced requirements from NIST SP 800-172 on top of the 110 NIST SP 800-171 requirements, and pass a government-led assessment by DCMA's DIBCAC every three years. The NIST SP 800-172 enhanced requirements add protection for CUI associated with critical government programs and high-value assets.
What Is CMMC Maturity Level 1?
CMMC Level 1 is the lowest of the CMMC levels. Its requirements are the basic safeguarding practices of FAR 52.204-21 (15 requirements, shown below with the 17 legacy CMMC practice IDs), drawn from six security families:
- Access Control
- Identification And Authentication
- Media Protection
- Physical Protection
- Systems and Communication Protection
- System and Information Integrity
These are the same Basic Safeguarding requirements imposed on covered contractor information systems by Federal Acquisition Regulation (FAR) clause 52.204-21.
What is Federal Contract Information (FCI)?
Federal Contract Information (FCI) is defined in FAR 4.1901 as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It excludes information the Government itself makes public (for example on public websites) and simple transactional information, such as what is needed to process payments. Unlike CUI, FCI carries no marking requirement, so unmarked deliverables, contract correspondence, and working files can all be FCI.
FCI covers a wide range of contract-related data, for example:
- procurement strategies;
- contract agreements;
- technical specifications;
- research data;
- financial information, and
- policy directions.
CMMC 2.0 Level 1 Control Requirements
Access Control
- 1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- 1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute
- 1.003 – Verify and control/limit connections to and use of external information systems
- 1.004 – Control information posted or processed on publicly accessible information systems
One way to meet these requirements: give every authorized user an individual account with a username and a strong password (MFA is not a Level 1 requirement, but it is strongly recommended and becomes mandatory at Level 2); restrict what each account can do with role-based access control (RBAC) on the systems that handle FCI; and keep an inventory of the people, processes, and devices authorized to access organizational resources. Connections to external systems (partner networks, personal devices, cloud services) should be listed and approved explicitly rather than allowed by default.
Keep track of who is allowed to post or manage information on publicly accessible systems. Set clear guidelines that FCI is not to be published there, require a review before any content goes public, re-check published content regularly to confirm no FCI has slipped through, and have a fast procedure for removing anything that was posted by mistake.
Identification and Authentication
- 1.076 – Identify information system users, processes acting on behalf of users, or devices
- 1.077 – Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems
Organizations need to assign a unique identifier to every user and device that can access their assets, so that each action can be traced back to one person or one device. That rules out shared logins such as a common "admin" account. To make identifiers consistent, define a naming standard and apply it everywhere: when setting up a user in Azure AD (now Microsoft Entra ID) or Google Workspace, for instance, the account name should follow the organization's established format.
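The check below is an added example (not code from the original article) of how an organization can audit an identity-provider user export against the requirement above: it flags identifiers that are not unique, identifiers that do not follow the naming standard, generic or shared accounts that cannot be tied to one person, and enabled accounts nobody has used recently, which should have their authorization re-confirmed. The CSV layout, the naming standard, the list of generic names, the 90-day threshold and the sample data are all assumptions for the illustration.

```python
"""Audit an IdP user export for Level 1 identification problems.

Added example for this checklist, not code from the article. The CSV
columns, naming standard, generic-name list and thresholds are assumptions;
adapt them to the export your identity provider produces and your policy.
"""
import csv
import io
import re
from collections import Counter
from datetime import date

# Assumed naming standard: lowercase, starts with a letter, 3-20 characters.
ID_PATTERN = re.compile(r"^[a-z][a-z0-9._-]{2,19}$")
# Assumed generic names that indicate an account shared between people.
SHARED_NAMES = {"admin", "administrator", "root", "guest", "shared",
                "test", "service", "frontdesk", "reception"}
INACTIVE_DAYS = 90  # assumed review threshold for enabled-but-unused accounts

# Constructed sample export (not real data).
SAMPLE_EXPORT = """user_id,display_name,enabled,last_login
jsmith,Jane Smith,true,2024-10-20
rjones,Raj Jones,true,2024-10-25
admin,Shared Admin,true,2024-09-01
FrontDesk1,Front Desk Kiosk,true,2024-10-28
jsmith,Jane Smith (contractor),true,2024-10-02
tlee,Tom Lee,true,2024-03-15
"""


def parse_export(text):
    """Return the export as a list of dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_identities(records, today):
    """Return (user_id, reason) findings; an empty list means nothing found."""
    findings = []
    counts = Counter(r["user_id"] for r in records)
    for r in records:
        uid = r["user_id"]
        if counts[uid] > 1:                       # identifier reused
            findings.append((uid, "duplicate_id"))
        if not ID_PATTERN.match(uid):             # breaks the naming standard
            findings.append((uid, "naming_standard"))
        # Strip a trailing number so "frontdesk1" still matches "frontdesk".
        base = re.sub(r"\d+$", "", uid.lower())
        if base in SHARED_NAMES or "shared" in r["display_name"].lower():
            findings.append((uid, "shared_account"))
        if r["enabled"].lower() == "true":        # only enabled accounts matter
            age = (today - date.fromisoformat(r["last_login"])).days
            if age > INACTIVE_DAYS:
                findings.append((uid, "inactive_enabled"))
    return findings


if __name__ == "__main__":
    for uid, reason in audit_identities(parse_export(SAMPLE_EXPORT),
                                        date(2024, 10, 29)):
        print(f"{uid:<12} {reason}")
```

Run against the sample, the audit reports the reused `jsmith` identifier, the `admin` and `FrontDesk1` shared accounts, the uppercase `FrontDesk1` name, and `tlee` as enabled but unused for more than 90 days. Each finding maps directly to evidence an assessor would ask for under 1.076 and 1.001.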
Media Protection
- 1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Information system media includes mobile devices, portable storage devices (USB drives, external disks, memory cards), and the storage built into servers, workstations, printers, and network appliances. Proper media protection prevents FCI from being retrieved or reconstructed from a device that leaves the organization's control.
NIST SP 800-88 provides guidance on media sanitization methods.
To satisfy this control, create a media sanitization procedure that requires all system media to be cleared, purged, or destroyed before reuse or disposal, using the NIST SP 800-88 method appropriate to the media type, and that verifies the result. Devices intended for reuse, such as endpoints and mobile devices, should be wiped so that the previous data is unrecoverable; note that a factory reset alone is not a reliable purge for every media type, particularly flash storage, where cryptographic erase or the drive's own sanitize command is the appropriate method. Media intended for disposal should be purged or physically destroyed, and the procedure should record what was sanitized, when, how, and by whom.
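NIST SP 800-88 pairs every clear or purge with a verification step. The script below is an added example (not code from the original article) of the host-side part of that verification for a clear-pattern wipe: it reads the whole host-visible address space of an image file or a block device opened read-only and reports the first byte that does not match the fill pattern. The demo uses a constructed temp file rather than a real disk, and the fill value and block size are assumptions. Its limitation is the one noted above: it only proves the addresses the host can read are clean, so for SSDs and flash it says nothing about over-provisioned or remapped cells.

```python
"""Verify a clear-pattern wipe by reading the media back.

Added example for this checklist, not code from the article. Works on an
image file or a block device path opened read-only (for example a drive
after an overwrite). The fill value and block size are assumptions.
"""
import io
import os
import tempfile


def find_residual(stream, fill=0x00, block_size=1 << 20):
    """Scan `stream` to the end. Return the offset of the first byte that is
    not `fill`, or -1 if every byte matches the wipe pattern."""
    offset = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            return -1
        # Fast path: count() is C-speed; only walk the chunk on a mismatch.
        if chunk.count(fill) != len(chunk):
            for i, b in enumerate(chunk):
                if b != fill:
                    return offset + i
        offset += len(chunk)


def scan_bytes(data, fill=0x00, block_size=1 << 20):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return find_residual(io.BytesIO(data), fill, block_size)


def verify_wipe(path, fill=0x00):
    """Open `path` read-only and return a small evidence record."""
    with open(path, "rb", buffering=0) as f:
        # seek/tell works for block devices too, where os.path.getsize is 0.
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(0)
        residual = find_residual(f, fill)
    return {"path": path, "bytes_checked": size,
            "residual_at": residual, "sanitized": residual == -1}


def demo():
    """Constructed case: a wipe that stopped short and left data behind."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * 3000 + b"FCI: contract pricing" + b"\x00" * 100)
        path = tmp.name
    try:
        return verify_wipe(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Keep the returned record with the sanitization log: the byte count and the fill value are the evidence that the overwrite covered the whole device, and a non-negative `residual_at` means the media must be re-wiped or destroyed before it leaves the building.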
Physical Protection
- 1.131 – Limit physical access to organization information systems, equipment, and the respective operating environments to authorized individuals
- 1.132 – Escort visitors and monitor visitor activity
- 1.133 – Maintain audit logs of physical access
- 1.134 – Control and manage physical access devices
To meet the physical protection requirements, keep a list of everyone permitted to enter organizational spaces, with separate entries for areas under tighter restriction (server rooms, wiring closets). Escort visitors, log their visits, and keep a record of who holds keys, badges, and other access devices so they can be revoked when someone leaves. Physical barriers such as fences, locked doors, and secured windows should prevent unauthorized access to devices and facilities.
System and Communications Protection
- 1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
- 1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
To implement these controls, document how information flows across the network and mark the external boundary and the key internal boundaries (for example, between user endpoints, servers holding FCI, and cloud applications).
Enable the host firewall on every device that connects to information systems, and place anything that must be reachable from the internet (a public website, for instance) in its own subnet or DMZ, separated from the internal network by a firewall. Protect users from dangerous domains and applications, including those hosting phishing pages, exploit kits, and other malicious content: web filtering that blocks traffic to low-reputation destinations by domain or hostname is a common way to do this.
System and Information Integrity
- 1.210 – Identify, report, and correct information and information system flaws promptly
- 1.211 – Provide protection from malicious code at appropriate locations within organizational information systems
- 1.212 – Update malicious code protection mechanisms when new releases are available
- 1.213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Organizations need documented procedures for checking vendor sources for available patches, assessing each update's severity, and setting deadlines for remediating flaws by severity. Automated patch management and anti-malware products make this repeatable and give you the evidence an assessor will ask for.
Keep an up-to-date inventory of every asset that can reach the organization's resources; it shows where malicious code could enter. Protection should cover servers, workstations, mobile devices, and network appliances such as firewalls and switches, not just user desktops.
Configure the antivirus to scan in real time: when removable media is connected, when files are downloaded, and when emails with attachments arrive.
Decide how often the environment will be scanned for malicious code (viruses, worms, Trojan horses, logic bombs, spyware) and write that frequency into the documented policies and procedures. A common recommendation is a full system scan at least once daily, with real-time scanning of all emails, files, attachments, and downloads in addition.
CMMC Level 1 Self-Assessment
For CMMC Level 1, every organization with the FAR 52.204-21 requirements in their contracts has to:
- Conduct a CMMC Level 1 self-assessment to determine their conformity.
- Be evaluated against the corresponding NIST SP 800-171A assessment objectives per Table 1 in §170.15(c)(1)(ii).
- Submit an annual affirmation of the organization's 100% (!) compliance with the FAR 52.204-21 security requirements to DoD's Supplier Performance Risk System (SPRS) (cf. §170.22, Affirmation).
The self-assessment results in SPRS shall include, at minimum, the following items:
(A) CMMC Level
(B) Assessment Date
(C) Assessment Scope
(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope
(E) Compliance result.
Please note that there are two NOs in CMMC Level 1 Self Assessment:
- NO POA&Ms are permitted for CMMC Level 1.
- NO 3rd-party conformity assessment and certification is necessary for Level 1.
If an organization fails to meet CMMC Level 1, the usual contractual remedies apply, and it is not eligible for award of new contracts requiring CMMC Level 1 or higher until it has a valid Level 1 self-assessment on record, as stated in §170.15(a)(1)(ii).
Boost Your CMMC Level 1 Compliance with Planet 9
Given the scope of CMMC 2.0 requirements, DoD contractors and subcontractors may want guidance from CMMC specialists. Planet 9 can support your CMMC Level 1 compliance effort with the following services:
- Scope your environment to determine the boundaries where Federal Contract Information (FCI) is stored, processed, and exchanged;
- Understand the applicable CMMC Level 1 requirements;
- Conduct readiness assessment;
- Identify and address gaps in your CMMC Level 1 status to understand what you need to improve to meet compliance;
- Conduct a comprehensive CMMC Level 1 self-assessment.
Book a free consultation to learn more, or contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!