The CMMC Level 1, 17 Practices Identified and Explained

Welcome to this final entry on the 17 Practices within CMMC Level 1 compliance. This article identifies the 6 Domains, containing 9 Capabilities and requiring 17 Practices, that must be active and integrated within company operations in order to comply with 48 CFR 52.204-21 and reach CMMC Level 1 compliance. No Processes are required to be documented at Level 1, only Practices. The Domains, Capabilities and Practices for Level 1 are laid out in the format below, with links to the blog post that corresponds to each Practice. We hope you find this arrangement helpful.

I. Domain – Access Control (AC)
a. 3 Capabilities, 4 Practices
1. Establish system access requirements (C001)
AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Control internal system access (C002)
AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.003 – Verify and control/limit connections to and use of external information systems.
3. Limit data access to authorized users and processes (C004)
AC.1.004 – Control information posted or processed on publicly accessible information systems.

II. Domain – Identification and Authentication (IA)
a. 1 Capability, 2 Practices
1. Grant access to authenticated entities (C015)
IA.1.076 – Identify information system users, processes acting on behalf of users, or devices.
IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

III. Domain – Media Protection (MP)
a. 1 Capability, 1 Practice
1. Sanitize Media (C024)
MP.1.118 – Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse.

IV. Domain – Physical Protection (PE)
a. 1 Capability, 4 Practices
1. Limit physical access (C028)
PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132 – Escort visitors and monitor visitor activity.
PE.1.133 – Maintain audit logs of physical access.
PE.1.134 – Control and manage physical access devices.

V. Domain – System and Communication Protections (SC)
a. 1 Capability, 2 Practices
1. Control communications at system boundaries (C039)
SC.1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

VI. Domain – System and Information Integrity (SI)
a. 2 Capabilities, 4 Practices
1. Identify and Manage Information System Flaws (C040)
SI.1.210 – Identify, report, and correct information and information system flaws in a timely manner.
2. Identify Malicious Content (C041)
SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 – Update malicious code protection mechanisms when new releases are available.
SI.1.213 – Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

And there you have it: the 17 Practices required for CMMC Level 1 compliance. As you review these and have questions, please consider the UGA SBDC a resource in helping you navigate and identify the resources necessary to attain compliance and be ready for your Level 1 assessment by one of the C3PAOs. We wish you the best in your quest to reach compliance and stand ready to assist in any way we can.

Until next time…

Mark Lupo, MBCP, SMP