CMMC Level 1 Controls & How to Comply with CMMC Level 1
The Cybersecurity Maturity Model Certification Level 1 (CMMC Level 1) is designed to provide basic cybersecurity hygiene which is being performed by designated personnel within the company. Organizations are expected to be able to protect Federal Contract Information (FCI) from a cyber-attack and/or an insider threat. At CMMC Level 1, practices are only required to be performed, no documentation of processes and practices are required at this level. CMMC Level 1 can be broken down in the following control families that reference to NIST 800-53 and 800-171 standards:
CMMC Level 1 Controls
What is the Access Control?
Access Control measures make up 4 of the 17 practices for CMMC level 1. These controls begin within limiting access to authorized users and only grant access to functions, as well as data, that groups of users need. The first thing you should have available is a list of employees, contractors, and other personnel who should have access to your systems, networks, and data. Without this, it’s quite challenging to verify who should and shouldn’t have access. As it relates to granting only functions required, don’t allow everyone to have global administrator access to systems, networks, and data whether on the network or in the cloud. A method to do this can be done by establishing security groups, creating/assign roles, assign permissions to those roles, and assign users to those groups. Some users may need privileged rights to perform admin-like activities such as creating SharePoint sites or deleting files.
For example, you may want to consider creating a group with permission levels to satisfy that requirement versus giving them full admin rights to SharePoint. These access controls don’t just apply to users they can also apply to devices and networks. For instance, do you allow sensitive systems such as your mail server to be accessed from anywhere in the world? Or, do you allow devices not owned by the company to access systems that contain FCI? First, denying access from international sources is fairly easy these days with tools such as firewalls, email filters, and Software as a Service (SaaS) applications such as Office 365.
Lastly, you must train and control FCI from being posted on publicly accessible systems such as websites, forums, social media, etc. This data spill can cause damage to national security as well as put your company at risk.
What is the Identification and Authentication Control?
The Identification and Authentication control is designed to identify users and devices as well as to authenticate them properly to provide access to your organization’s information systems. Although you’re not required to document practices in CMMC Level 1, I highly recommend documenting what devices should be authorized to access information systems and what user is assigned to that device. Many systems you are using to grant users and devices allow you to include whitelisting, which will enforce granting access to networks, systems, and data. Alternatively, many small businesses provide access to their information systems using employees’ personal devices, otherwise called Bring Your Own Device (BYOD) model. This presents many challenges for the protection of FCI, Controlled Unclassified Information (CUI), and your own intellectual property.
There are mobile applications and device management tools, as well as, virtual solutions in the market that can solve this challenge. Allowing unmanaged and non-owned devices to connect to your information systems without tight rules and controls puts you at risk from being compromised by a malicious threat actor or by an employee who may want to leave the company with proprietary information or FCI.
What can I do to help satisfy the Identification and Authentication control?
To help satisfy the Identification and Authentication control, you should do the following:
- Use a naming standard that easily identifies authorized users versus unauthorized users
- Use a centralized system to identify and authenticate your users and grants them proper accesses using secured methods
- Use complex password policies as described in the NIST 800-63B publication
- Ensure devices are identified and registered to authenticate access into information systems
What is the Media Protection Control?
Controlling media is by far one of the most overlooked controls especially as it pertains to paper documents, DVDs, and leased printers. Does your company perform methods that sanitize and properly destroys system media prior to reuse or release? In the past, I’ve performed many penetration tests and one of the go-to techniques is to check the trash. There is usually lots of paper that are printed and discarded daily which, to my surprise, typically contains lots of Private Identifiable Information (PII) and information that probably shouldn’t leave the company.
Although you’re not required to classify and label at CMMC Level 1, we do recommend doing so because how would you be able to distinguish between FCI, CUI, and other proprietary data when information is co-mingling with other data in your information systems. Therefore, I do suggest companies use some type of classification guide to mark and label FCI, CUI, and other sensitive data. This will help employees properly identify FCI and know how to properly handle such information. Now that we know we can easily identify FCI, we can use training methods and proper sanitization methods such as rewriting over the hard-drive multiple times (at least 3 times) prior to reuse, or the incineration of the physical drive itself if releasing for destruction purposes.
Getting Started with Personnel Security
In CMMC Level 1, the practices are concerned with unauthorized access to information systems using physical means such as picking locks, tailgating, stealing access cards, etc. Organizations need to ensure access to the facility and especially their IT networking room and/or data centers are controlled and monitored. Access logs should be documented using electronic or manual means for both employees and visitors entering and leaving the facilities. Visitors are required to be escorted and monitored, especially IT vendors who may be repairing or updating information systems for the organization. An example is Voice over IP systems (VoIP) that are managed by a third-party. Ensuring the technician is escorted and activities are observed reduces the risk of unauthorized access to networks and systems they’re not authorized to access. Penetration testers are notorious for attempting clever ways of gaining physical access. They do this because once physical access is obtained then compromising information systems becomes significantly easier as well as planting devices to ensure they can maintain access to the internal network.
How are system and communication protection implemented?
Implementing system and communication protections are typically done through the use of properly configured host-based and network firewalls, Virtual Private Networks (VPNs), Virtual Local Area Networks (VLANs) via your switches or firewalls, and other segmentation processes such as using cloud resources. The goal is to ensure internal systems only communicate with approved information systems through authorized communication channels and to protect internal information systems in the event a public-facing system is compromised. To accomplish this objective, organizations should control and monitor communication going to and from information systems and ensure the rules established are not being violated. One of those rules being that only approved communications channels and systems should have access to public-facing systems to mitigate the ability of the internal networking being compromised. To accomplish this many organizations will set-up a Demilitarized Zone (DMZ) to put systems required to be publicly available such as websites, timekeeping systems, customer portals, etc. Internal systems should restrict and limit these connections to these assets in the DMZ to prevent a threat actor from gaining unauthorized access to the internal network.
What is system integrity?
System integrity is primarily focused on ensuring unauthorized users are prevented from unlawfully accessing, modifying, transmitting, and deleting information systems. The goal is to put integrity controls in place such as the use of antivirus software, vulnerability detection, email protection, etc. Organizations must ensure they identify information systems that may be vulnerable or an update is available by the vendor providing those information system assets. For example, Adobe announces it released an update due to a few security flaws. it’s your organizational responsibility to ensure the update is performed in a timely manner to avoid being exploited. Just as you’re keeping your applications updated, your security systems must get their updates more frequently than traditional software patches. For instance, your antivirus should be updated, at least, daily although I recommend every 15-30 minutes, this can be automated.
Is a vulnerability scanning system required for CMMC Level 1?
A vulnerability scanning system is not required for CMMC Level 1, however in practice, if you have more than 3 computers or your few computers are remote, it’s more practical to deploy a vulnerability scanner. This will help to ensure those computers are being monitored and controlled for system flaws.
What is the importance of CMMC Level 1?
CMMC Level 1 is considered basic hygiene and may have many of the practices you already employ. Therefore, achieving this level may be very easy to achieve for many organizations. However, if you find gaps overcoming these gaps can be done with very few changes and will bring added security to your organization, your employees, and your customers. It’s important to stay educated on the levels of CMMC and the controls associated with them. Stay tuned as we will be doing a deep dive into CMMC Level 2 and going over ways to comply with the 55 additional practices.
Learn More about CMMC Levels and Controls