So, as a Department of Defense contractor (Prime or Sub), you have determined that you need to achieve at least Level 1 certification within the Cybersecurity Maturity Model Certification (CMMC) V1.0, though are unsure as to what Level 1 compliance entails. This article marks the first of several that will dive into each of the 6 Domains, 9 Capabilities and 17 Practices required to achieve CMMC Level 1 compliance. As you may know, Level 1 compliance derives from Practices defined within 48 Code of Federal Regulation (CFR) 52.204-21 . CMMC V 1.0 provides a great overview of all of the requirements expected in the 5 levels of CMMC, though the document itself does not really explain in detail how best to achieve compliance. That is where the Appendices to CMMC V1.0 rises to the challenge. In a separate document on the CMMC V1.0 site, you will find the Appendices and this is where you will begin to find some clarity and a more detailed explanation of how best to move forward towards compliance. Here is somewhat of a Table of Contents for the CMMC V1.0 Appendices:
Appendix A – CMMC V1.0 Model Overview (Pg 3 – 38)
Appendix B – Process and Practice Descriptions (Pg 39 – 293)
Appendix C – Glossary (Pg 295 – 321)
Appendix D – Abbreviations and Acronyms (Pg 321 – 322)
Appendix E – Source Mapping (Pg 323 – 330)
Appendix F – References (Pg 331 – 335)
Appendix B represents the longest of the Appendices and this is where you will find the detailed descriptions of how best to move towards compliance. As you will see, each Domain has a two letter designation (I.e. Access Control (AC)). This two letter designation becomes important as you move into the numbering system for the Capabilities, Policies and Practices. Thus, the first Capability for Level 1 compliance, Establish system access capabilities is numbered as (C001). The first Practice for Level 1 compliance under C001 is to, Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and is numbered with the reference number: (AC.1.001) . This reference number for the Practice defines that it is the Access Control Domain (AC), Level 1 (1), combined with the cumulatively numbered Practice (001) (the practices are numbered vertically in each Domain, beginning in Level 1, then moving vertically to Level 2 and so forth). The Practice numbering system then continues counting in sequence for the next Domain, Level 1, picking up where they left off in Level 5 of the previous Domain (See Appendix A). This referencing system continues throughout CMMC and should provide some clarity as you read through the document. You will find each description of the Practice within Appendix B provides the reference number for the Practice, followed by the Practice description, discussion from the source document (many times this will be NIST SP 800-171, Rev 1 or 2), then CMMC Clarification to include an example(s) of how this Practice would be demonstrated within a business and ends with the reference document (in this case, 48 CFR 52.204-21). The clarification description and associated examples can be extremely helpful in understanding what that Practice requires to be compliant.
The first Practice (noted above), AC.1.001 is found on page 48 of the Appendices. The Clarification statement for this Practice states this Practice will require that the company must,
“Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network”. Two examples are provided as follows:
You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.
A co-worker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. you work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.
To assist those that might not be familiar with how best to implement this practice and to build on our body of knowledge, for those that have successfully completed this step, would you add a comment on how you would or have implemented this Practice in your company? A written policy of the above Practice is not required for Level 1 certification, though the Practice must be used consistently within your company.
My next article will address the 2nd Capability within Level 1 compliance, Controlling internal system access (C002).
By Mark Lupo, MBCP, SMP