When educating people on a complex, multi-dimensional topic, the best place to start is with its key, foundational information. That’s exactly what Celerium’s Certified CMMC Professional Course (CCP) does – it conveys the fundamental knowledge needed to train professionals supporting the implementation of CMMC.
Sponsored by Celerium
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.
Practice: AC.L1-3.1.1
Capability: C001 Establish system access requirements
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· The list of active accounts, along with the names of the individuals associated with each account.
· The list of permissions and rights associated with each group account or role.
· Documentation of individuals terminated, transferred within the organization, or assigned a new role in the organization.
The above information may be compared with system and application accounts to verify that the actual accounts and associated permissions were implemented as described in the company's documented procedure.
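The comparison described in the last note (active accounts and their group rights versus HR records of terminations, transfers and role changes) is straightforward to script ahead of an assessment. The example below is added here and is not Celerium course material; the account export, the HR roster and the role-to-group mapping are constructed sample data, and the field names are assumptions about what such an export would contain.

```python
"""Reconcile a system account export against HR records (AC.L1-3.1.1).

Added example, not Celerium course material. The account export, HR roster
and role-to-group mapping below are constructed sample data standing in for
what an assessor would be handed; the field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner: str               # individual (or service) the account is associated with
    enabled: bool
    groups: Tuple[str, ...]  # group/role memberships through which rights are granted


@dataclass(frozen=True)
class Person:
    name: str
    status: str   # "active", "transferred" or "terminated" per HR
    role: str     # current role per HR


# Constructed sample: the groups the documented procedure permits for each role.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "engineer": {"staff", "dev"},
    "finance": {"staff", "finance"},
    "it-admin": {"staff", "domain-admins"},
}

# Constructed sample account export.
ACCOUNTS: List[Account] = [
    Account("alice", "Alice Ng", True, ("staff", "dev")),
    Account("bob", "Bob Ruiz", True, ("staff", "finance")),           # moved to engineering, kept finance
    Account("carol", "Carol Diaz", True, ("staff", "domain-admins")),  # left the company, still enabled
    Account("dave", "Dave Kim", False, ("staff", "domain-admins")),    # left the company, disabled
    Account("svc-backup", "(unassigned)", True, ("backup",)),          # no named individual
]

# Constructed sample HR roster.
PEOPLE: List[Person] = [
    Person("Alice Ng", "active", "engineer"),
    Person("Bob Ruiz", "transferred", "engineer"),
    Person("Carol Diaz", "terminated", "it-admin"),
    Person("Dave Kim", "terminated", "it-admin"),
]


def reconcile(accounts, people, role_groups):
    """Return (username, finding, detail) for each account that diverges from HR records."""
    by_name = {p.name: p for p in people}
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        person = by_name.get(acct.owner)
        if person is None:
            findings.append((acct.username, "no-owner",
                             "no individual in HR records is associated with this account"))
            continue
        if person.status == "terminated" and acct.enabled:
            findings.append((acct.username, "terminated-enabled",
                             f"{person.name} is terminated but the account is still enabled"))
            continue
        # Active or transferred: group memberships must match the current role.
        extra = set(acct.groups) - role_groups.get(person.role, set())
        if extra and acct.enabled:
            findings.append((acct.username, "excess-groups",
                             f"groups not permitted for role {person.role}: {sorted(extra)}"))
    return findings


def members_by_group(accounts):
    """Evidence for 'rights associated with a group or role': group -> sorted usernames."""
    members: Dict[str, List[str]] = {}
    for acct in accounts:
        for group in acct.groups:
            members.setdefault(group, []).append(acct.username)
    return {group: sorted(users) for group, users in members.items()}


if __name__ == "__main__":
    for username, finding, detail in reconcile(ACCOUNTS, PEOPLE, ROLE_GROUPS):
        print(f"{username:12} {finding:20} {detail}")
    print(members_by_group(ACCOUNTS))
```

Disabled accounts of terminated staff are deliberately not reported, since disabling is the expected outcome of the offboarding procedure; whether they should also be deleted after a retention period is a question for the company's own documented procedure.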
Practice: AC.L1-3.1.2
Capability: C002 Control internal system access
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Access control lists that limit access to systems (network and servers).
· Access control lists for applications and data based on role and/or identity.
· Access control lists that show the type of access permitted, for example, administrator rights vs. user rights to view, edit, update, or delete records.
· Provisioning processes and associated examples of approval by an identified individual with the authority to approve access, with evidence such as an email or a signature on a form.
Practice: AC.L1-3.1.20
Capability: C004 Limit data access to authorized users and processes
Verify and control/limit connections to and use of external information systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Documentation, such as a diagram or security plan, to verify that the organization has identified a system boundary and that connections to external systems have been identified.
· The account management process and connection agreements, to determine whether use of external systems is restricted to authorized individuals and authorized system interconnections.
· Policy and procedures on personally owned systems and the security standards set by the organization, to determine whether controls exist to restrict unauthorized connections to identified access points to systems.
Practice: AC.L1-3.1.22
Capability: C004 Limit data access to authorized users and processes
Control information posted or processed on publicly accessible information systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· The list of users authorized to post or process information on public-facing systems.
· Training records demonstrating that employees are trained that non-public information, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), must not be posted on public-facing systems.
· Evidence that content on a public-facing system is reviewed and approved prior to posting, for example, a change record or audit log.
· Evidence that public-facing systems are periodically reviewed for authorized content, for example, a review log.
Practice: IA.L1-3.5.1
Capability: C015 Grant access to authenticated entities
Identify information system users, processes acting on behalf of users, or devices.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Service or group accounts used by the organization.
· Policy or procedures on the method(s) used to uniquely identify and authenticate users.
· Organizational procedures to remove access to service or group accounts when an individual is terminated or changes job responsibilities, e.g., is transferred to another business unit.
Practice: IA.L1-3.5.2
Capability: C015 Grant access to authenticated entities
Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· The account provisioning process, to examine the identified methods of authentication.
· The use of unique accounts for new employees and contractors.
· The use and assignment of initial passwords.
· A password reset function for initial use.
· The requirement for password complexity, such as 12 characters with a mix of upper- and lower-case letters, numbers, and special characters.
Practice: MP.L1-3.8.3
Capability: C024 Sanitize media
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Processes or procedures to identify Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
· An inventory of the processes and/or tools used to sanitize media before it is released for reuse or destroyed for disposal.
· Documentation that shows who approved and who performed the sanitization of the media, or a signed form that verifies the media was destroyed securely.
Practice: PE.L1-3.10.1
Capability: C028 Limit physical access
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Lists of personnel with authorized physical access/credentials, who are identified and reviewed periodically for appropriate access; the assessor may also ask how often the review is performed and for evidence of the reviews.
· Identified areas that control physical access to organizational systems, production systems, and equipment, or as defined by company policy.
· Physical security protections used to monitor and restrict access to controlled areas, such as guards, cameras, locks, badges, etc.
· Whether output devices such as printers are placed in areas that do not expose data to unauthorized employees.
Practice: PE.L1-3.10.3
Capability: C028 Limit physical access
Escort visitors and monitor visitor activity.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy or procedures related to physical protections, to determine whether all visitors to sensitive areas are escorted by an authorized employee and monitored, e.g., by an access control device, guard, camera, etc.
· Visitor logs, access control system logs, or documentation of validation (testing).
Practice: PE.L1-3.10.4
Capability: C028 Limit physical access
Maintain audit logs of physical access.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Physical access audit logs, such as a written log of persons accessing a facility or an audit log from an automated system that records the identification of personnel entering the facility and the areas where sensitive systems may be located (i.e., non-public or restricted areas).
· Organizational documents or records related to physical access control, to identify the length of time audit logs are retained.
Practice: PE.L1-3.10.5
Capability: C028 Limit physical access
Control and manage physical access devices.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· An inventory of physical access devices.
· Information on how access devices are maintained and operated per the manufacturer's recommendations.
· Change logs or records showing updates to access devices when access control information is revised or changed.
· Records of key and lock combination changes.
· Records of unused or unassigned keys or key cards, with assurance that unused items are stored securely to prevent unauthorized access.
Practice: SC.L1-3.13.1
Capability: C039 Control communications at system boundaries
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Whether network communication boundaries have been identified.
· A list of the hardware/software used for network monitoring of key internal and external boundaries.
· Procedures that address boundary protection systems, such as routers, gateways, firewalls, configurations, and/or VPNs, used to monitor or restrict authorized/unauthorized communications.
Practice: SC.L1-3.13.5
Capability: C039 Control communications at system boundaries
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Procedures or processes for protecting and separating internal systems from public-facing systems.
· The use of demilitarized zones (DMZs), showing the structure and separation of the systems in the DMZ.
· Network routing configurations that verify all incoming and outgoing traffic passes through the DMZ.
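The last note (routing and firewall configuration that forces traffic between the public network and internal systems through the DMZ) is the kind of evidence that can be pre-checked from a rule export. The following is an added example and not Celerium course material: the zone-based rule format, the zone names "internet", "dmz" and "internal", and the sample rules are all constructed assumptions, so a real review would export the rules from the actual boundary device and adapt the parsing.

```python
"""Check a zone-based firewall rule set for paths that bypass the DMZ (SC.L1-3.13.5).

Added example, not Celerium course material. The rule format, the zone names
("internet", "dmz", "internal") and the sample rules are constructed
assumptions; a real review would export the rules from the actual device.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "internet", "dmz", "internal" or the wildcard "any"
    dst_zone: str
    action: str     # "allow" or "deny"


# Constructed sample rule set, evaluated top to bottom, first match wins.
RULES: List[Rule] = [
    Rule("web-in", "internet", "dmz", "allow"),           # public web tier lives in the DMZ
    Rule("dmz-to-db", "dmz", "internal", "allow"),        # DMZ hosts may reach the internal DB tier
    Rule("legacy-rdp", "internet", "internal", "allow"),  # bypasses the DMZ outright
    Rule("broad-allow", "any", "internal", "allow"),      # wildcard source also admits internet traffic
    Rule("users-proxy", "internal", "dmz", "allow"),      # outbound goes to a proxy in the DMZ
    Rule("default-deny", "any", "any", "deny"),
]


def _matches(pattern: str, zone: str) -> bool:
    """A rule field matches a zone when it names that zone or is the wildcard."""
    return pattern == "any" or pattern == zone


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Simulate first-match evaluation for a flow from src zone to dst zone."""
    for rule in rules:
        if _matches(rule.src_zone, src) and _matches(rule.dst_zone, dst):
            return rule
    return None


def find_bypass_rules(rules: List[Rule]) -> List[str]:
    """Names of allow rules that join the internet and internal zones directly,
    in either direction, without terminating in the DMZ. Wildcards count."""
    bypass = []
    for r in rules:
        if r.action != "allow":
            continue
        inbound = _matches(r.src_zone, "internet") and _matches(r.dst_zone, "internal")
        outbound = _matches(r.src_zone, "internal") and _matches(r.dst_zone, "internet")
        if inbound or outbound:
            bypass.append(r.name)
    return bypass


def has_default_deny(rules: List[Rule]) -> bool:
    """The final rule should deny everything not explicitly allowed above it."""
    if not rules:
        return False
    last = rules[-1]
    return last.src_zone == "any" and last.dst_zone == "any" and last.action == "deny"


if __name__ == "__main__":
    print("rules bypassing the DMZ:", find_bypass_rules(RULES))
    print("default deny present:", has_default_deny(RULES))
    for src, dst in (("internet", "dmz"), ("internet", "internal"), ("internal", "internet")):
        hit = first_match(RULES, src, dst)
        print(f"{src:9} -> {dst:9} : {hit.name if hit else 'no match'}")
```

Both checks matter: a rule listing may contain no explicit internet-to-internal entry yet still admit that traffic through a wildcard, and a rule set with no trailing default deny allows anything the listed rules do not mention, which is why the simulation of actual flows is reported alongside the static scan.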
Practice: SI.L1-3.14.1
Capability: C040 Identify and manage information flaws
Identify, report, and correct information and information system flaws in a timely manner.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy or procedures that address flaw remediation.
· Security-relevant software updates (patches, service pack updates, hot fixes, or signature updates) applied in response to reported system flaws or vulnerabilities.
Practice: SI.L1-3.14.2
Capability: C041 Identify malicious content
Provide protection from malicious code at appropriate locations within organizational information systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· An inventory of the malicious code protections provided to systems at designated locations.
Practice: SI.L1-3.14.4
Capability: C041 Identify malicious content
Update malicious code protection mechanisms when new releases are available.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Evidence that malicious code protections are updated when new releases are available, and also updated according to the organization's configuration management process.
Practice: SI.L1-3.14.5
Capability: C041 Identify malicious content
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Evidence that files from external sources are scanned when downloaded, opened, or executed. (This includes files downloaded from websites, email attachments, embedded links, or other interfaces with external systems.)
Copyright © 2022 Celerium. All Rights Reserved.