Contractors working with the Department of Defense (DoD) often have to deal with confidential information. In such cases, they need clear guidelines to make sure the information isn’t lost, stolen, or misused.
Businesses that want to maintain their digital safety standards to work as government contractors need to have the proper certification. The Cybersecurity Maturity Model Certification (CMMC) offers a set of guidelines that companies working with the government can follow to protect the data they’re working with.
Published by the National Institute of Standards and Technology (NIST), the standards were created for defense contractors working with controlled unclassified data. They outline the requirements that must be met before a contract can be secured.
What Is CUI?
Digital information is becoming essential for all parts of life. This reality is true even for government operations.
Information collected by the government is highly sensitive. For this reason, the DoD identifies critical information that hasn’t been classified as “controlled unclassified information” (CUI). CUI may not be as vital as classified information, but it has been deemed important enough to require higher levels of control.
Protecting CUI is essential for contractors working with the federal government. This requirement is why the CMMC model was created. Contractors need to understand the evolution of CMMC to identify which level of compliance they wish to target.
The Three Levels of CMMC 2.0
CMMC 1.0 offered a means for government contractors to demonstrate one of five levels of competence for their IT security policies. The guidelines give a clear picture of the DoD’s expectations for contractors. CMMC 2.0 simplified this to only three levels, labeled Foundational, Advanced, and Expert.
CMMC Level 1 compliance — Foundational — is the first step in meeting compliance standards. This level requires an annual self-assessment in which contractors confirm which of the required practices they have in place before being given access to government data.
What Is CMMC Level 1 Compliance?
CMMC Level 1 compliance is the lowest level of compliance the DoD requires for working as a contractor. Managed security services providers and others in IT and security can provide evidence of meeting their obligations by evaluating their maturity against each control.
Those who want to maintain CMMC compliance must start at Level 1 to ensure they meet the minimum requirements for working with the DoD. This compliance is especially important for contracts that are classified under national security protocols.
Understanding the CMMC Level 1 compliance requirements is key to reaching Level 1 certification.
What Are the CMMC Level 1 Compliance Requirements?
While CMMC Level 1 compliance is the simplest maturity level to achieve, there are strict requirements for contractors who want to maintain their government partnerships.
Basic cyber hygiene is essential for protecting valuable assets and making sure systems aren’t being accessed or monitored by unauthorized users. This hygiene requires continuous oversight and a clear picture of long-term security targets.
There are a total of 17 controls across six domains for achieving CMMC Level 1 compliance. At this level, organizations must demonstrate basic knowledge of cybersecurity best practices and a clear understanding of the mechanisms for managing digital security. These mechanisms include:
Access Control (AC)
Access Control (AC) is a standard part of digital security. This domain requires a clear understanding of which users have access to systems, when, and for what reasons.
Organizations must be able to clearly define the requirements for system access, who is authorized, and in what circumstances. This definition includes both human users and automated services.
- AC.1.001: Establish system access requirements for IT infrastructure
- AC.1.002: Control access to internal system functions and capabilities
- AC.1.003: Limit access to only authorized users and verified internal systems
- AC.1.004: Control information accessible to the public
With access control systems in place, IT directors and cybersecurity professionals can manage user privileges, remote connections, and internal networks.
Contractors must resolve these issues before they can move on to individual-level user management. Each user must have a unique account with a strong password that can be tracked and managed.
Identification and Authentication (IA)
The identification and authentication (IA) domain highlights expectations for individual responsibilities and behaviors. Compliance means making sure individuals have the authorization to use only the services that they need for their specific roles.
CMMC Level 1 compliance requires having data tracking abilities in place to reinforce best practices and hold those who fail to follow them accountable.
- IA.1.076: Maintain high-level oversight of user-accessed data
- IA.1.077: Use verification systems to ensure only authorized users can gain access
Well-defined identification and authentication practices should be used in as many situations as possible. Securing users, devices, and accounts across the network requires clearly defined rules regarding passwords. Making passwords both unique and complex is essential for maintaining digital security.
Media Protection (MP)
Media protection refers to the methods used to keep important digital assets safe from harm. This work includes tracking, managing, and maintaining media over time, which requires strict policies for storage and transportation. Proper disposal techniques go a long way in protecting digital assets from misuse.
- MP.1.118: Proper care and disposal of media associated with government work or operations
Complete media protection is one of the most important principles outlined in CMMC Level 1 compliance guides. When getting rid of old devices, drives, and equipment, companies should take care to ensure they maintain compliance. Shredding, wiping, and proper disposal are the only ways to protect CUI properly.
Physical Protection (PE)
Limiting physical access to data is essential for controlling unclassified information. For most organizations, this means keeping track of access to network infrastructure and equipment. Identifying potential vulnerabilities and taking the necessary steps to protect against them makes it easier to maintain CMMC Level 1 compliance.
- PE.1.131: Identify private vs. public areas and limit access to computers, user-level devices, and other network equipment
- PE.1.132: Distinguish visitors who don’t have permanent physical access with identifying badges or escorts
- PE.1.133: Keep track of data access metrics for ongoing audits
- PE.1.134: Maintain control of devices used to physically access systems and services
Having a good understanding of which areas need the most protection lets IT directors and security professionals focus their resources where they matter most. Only authorized individuals should be able to actively work in private or restricted areas. These locations should be prioritized when creating a digital security roadmap.
System and Communication Protection (SC)
Having secure communication channels between users is essential for CMMC Level 1 compliance. Insecure systems can be easily accessed by unauthorized users to steal information and intercept communications.
The System and Communication Protection (SC) domain requires IT systems to be protected with passwords, firewalls, and other barriers to entry.
- SC.1.175: Use proper network management capabilities and components to prohibit access to restricted systems
- SC.1.176: Create a clear separation between private systems and public-facing systems
SC is largely concerned with protecting the boundaries of an information ecosystem. IT directors and security professionals working with CUI should determine how well their internal systems protect valuable data from potential attacks.
System and Information Integrity (SI)
IT systems need ongoing maintenance to function properly. This reality is especially true for network security and data storage. The System and Information Integrity (SI) domain is used to determine how well IT directors and security personnel track and respond to problems that arise within their digital ecosystem.
- SI.1.210: Identify and respond to software and firmware issues within an adequate time frame
- SI.1.211: Protect valuable IT assets by finding and removing malicious software before it causes harm
- SI.1.212: Keep defensive tools and software up to date with the latest release
- SI.1.213: Perform periodic scans to find and isolate malicious code
Enforcing standards and maintaining safe digital practices makes it easier to identify malicious code and take the necessary steps to properly deal with it.
Adopting formal standards for addressing issues, outlining purpose, and limiting scope will allow IT directors and security professionals to reinforce best practices while documenting the actions that they take to improve ongoing operations.
Maintain CMMC Level 1 Compliance with Touchstone Security
Is your IT ecosystem CMMC compliant? If you’re a DoD contractor or thinking about becoming one, maintaining the proper IT infrastructure can be difficult. Touchstone Security is your managed security services provider. Our platform was designed to give you the core features necessary to secure your IT environment.
Touchstone Security’s military-trained staff has the experience needed to complete any project, no matter how difficult. Our responsive team is here to give you the support you need to complete critical tasks and maintain digital standards.
We’ve worked with Fortune 500 companies around the globe to deliver advanced IT services that conform to security expectations.
Touchstone has many solutions for companies working with sensitive information. Our services range from ransomware and spyware removal to backup and disaster recovery.
We offer CMMC compliance services for businesses that want to obtain or maintain government contracts. Our team understands each level of CMMC and can offer advice for certification.
Find out how Touchstone Security can improve your digital ecosystem. Contact Touchstone for a CMMC assessment today.