CMMC Level 1 Security Controls

Version 2.0

The Cybersecurity Maturity Model Certification Level 1 defines 17 foundational cybersecurity practices required for any organization handling Federal Contract Information under Department of Defense contracts. The practices derive from FAR 52.204-21 and cover basic safeguarding of contractor information systems. Level 1 is the entry point for DoD contractors and must be self-assessed annually.

17

Total controls

6

Critical priority

92h

Est. implementation

6

Trust service categories

CMMC 2.0 practices are derived from FAR 52.204-21 and NIST SP 800-171, both published by U.S. federal agencies and in the public domain. The CMMC framework is published by the Department of Defense.

Access Control Identification & Authentication Media Protection Physical Protection System & Comms Protection System & Info Integrity

Access Control

4 controls

Limit system access to authorized users, processes, and devices, and restrict each user to only the transactions and functions their role requires.

Authorized Access

Limit system access to authorized users, processes, and devices

Limit system access to permitted transactions and functions

External Connections

Verify and control connections to external information systems

Public Systems

Control FCI posted or processed on publicly accessible systems

Identification & Authentication

2 controls

Identify all users, processes acting on behalf of users, and devices before granting access, and verify their identity through authentication.

Identification

Identify all users, processes, and devices that access systems

Authentication

Authenticate users, processes, and devices before granting access

Media Protection

1 controls

Sanitize or destroy media containing Federal Contract Information before disposal or reuse to prevent data recovery.

Media Sanitization

Sanitize or destroy media containing FCI before disposal or reuse

Physical Protection

4 controls

Limit and monitor physical access to organizational systems, equipment, and the facilities that house them to authorized individuals only.

Physical Access

Limit physical access to systems and facilities to authorized individuals

Escort visitors and monitor visitor activity in secured areas

Maintain audit logs of physical access to secured areas

Control and manage physical access devices

System & Comms Protection

2 controls

Monitor and protect organizational communications at network boundaries and isolate publicly accessible components from internal networks.

Boundary Protection

Monitor, control, and protect communications at network boundaries

Network Segmentation

Implement subnetworks for publicly accessible system components

System & Info Integrity

4 controls

Identify and correct system flaws, provide malware protection at key locations, keep protections current, and perform regular system scans.

Flaw Remediation

Identify, report, and correct information system flaws in a timely manner

Malware Protection

Provide protection from malicious code at appropriate locations

Update malware protection mechanisms when new releases are available

System Scanning

Perform periodic system scans and real-time scans of files from external sources