Level 1: Basic cyber hygiene

CMMC Level 1 is the most basic level of cyber maturity and forms the initial building block for basic cybersecurity. The CMMC Level 1 practices are intended to help any organisation implement basic cybersecurity hygiene, addressing the need to protect Federal Contract Information (FCI), defined as 'information provided by or generated for the Government under contract not intended for public release'. Level 1 requires an organisation to demonstrate that it performs the practices required at Level 1, as identified in FAR 48 CFR § 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems); these are equivalent to 17 practices identified in NIST 800-171 r2 and are listed in the table below. By demonstrating that the Level 1 practices are being performed, the organisation is adopting basic cyber security hygiene for the protection of the FCI it manages on behalf of the government.

Processes: Performed
Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic cyber hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems").

CMMC Level 1 consists of 6 security domains addressing 9 capabilities with 17 security practices.

| Domain | Capability | Practice | Practice Description |
| --- | --- | --- | --- |
| Access Control (AC) | C001 Establish system access requirements | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems). |
| Access Control (AC) | C002 Control internal system access | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| Access Control (AC) | C004 Limit data access to authorized users and processes | AC.1.003 | Verify and control/limit connections to and use of external information systems. |
| Access Control (AC) | C004 Limit data access to authorized users and processes | AC.1.004 | Control information posted or processed on publicly accessible information systems. |
| Identification & Authentication (IA) | C015 Grant access to authenticated entities | IA.1.076 | Identify information system users, processes acting on behalf of users or devices. |
| Identification & Authentication (IA) | C015 Grant access to authenticated entities | IA.1.077 | Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems. |
| Media Protection (MP) | C024 Sanitize media | MP.1.118 | Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.131 | Limit physical access to organizational information systems, equipment and the respective operating environments to authorized individuals. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.132 | Escort visitors and monitor visitor activity. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.133 | Maintain audit logs of physical access. |
| Physical Protection (PE) | C028 Limit physical access | PE.1.134 | Control and manage physical access devices. |
| System and Communications Protection (SC) | C039 Control communications at system boundaries | SC.1.175 | Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
| System and Communications Protection (SC) | C039 Control communications at system boundaries | SC.1.176 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
| System & Information Integrity (SI) | C040 Identify and manage information system flaws | SI.1.210 | Identify, report and correct information and information system flaws in a timely manner. |
| System & Information Integrity (SI) | C041 Identify malicious content | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems. |
| System & Information Integrity (SI) | C041 Identify malicious content | SI.1.212 | Update malicious code protection mechanisms when new releases are available. |
| System & Information Integrity (SI) | C041 Identify malicious content | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed. |

Table: CMMC Level 1 domains, capabilities and practices
