The United States Department of Defense Office of the Under Secretary of Defense for Acquisition and Sustainment introduced the Cybersecurity Maturity Model Certification in 2019 and implemented this framework as an interim rule in late 2020. Learn about the requirements for CMMC Level 1 in the first version and the forthcoming second version of this model and get tips for developing a compliance checklist for basic CMMC certification.
Level 1 is the lowest level of CMMC that covers foundational security requirements. This level of certification specifies requirements for safeguarding Federal Contract Information and has the fewest controls of any of the levels in both versions of this model.
The security practices for Level 1 of CMMC originate in the FAR Clause or FAR 52.204-21, which is also known as 48 Code of Federal Regulations 52.204-21 or 48 CFR 52.204-21. The type of defense contract that your organization is seeking will determine whether Level 1 or a higher level of CMMC compliance will be necessary as a condition of contract award.
CMMC 1.0 had five levels of compliance, including two transition levels. Level 1 was a basic level of security for organizations that handle FCI. Level 1 certification does not cover Controlled Unclassified Information, which is the focus of Level 3 of CMMC 1.0 and Level 2 of CMMC 2.0.
The second version of this model only has three levels in total. Level 1 still covers basic security measures for FCI, while Level 2 aligns with the original controls for Level 3 and covers CUI. In addition to having considerably more controls than Level 1, Level 2 in CMMC 2.0 also has different assessment requirements for contracts involving prioritized acquisitions that are critical to national security.
CMMC 1.0 included 17 practices at Level 1. The second version of this model includes 15 requirements that overlap with these original requirements. Six domains cover all of the Level 1 requirements. Here are the domains for this level of compliance along with the number of capabilities and practices in each domain:
You should carefully review all of the requirements. These controls work together to safeguard FCI in non-federal systems.
Access Control covers system capabilities, limitations and verification processes. Identification and Authentication specifies practices for users, processes and devices. Media Protection requires that an organization sanitize or destroy system media containing FCI before disposal or reuse. Physical Protection includes access and logging requirements. System and Communications Protection addresses controls at system boundaries. System and Information Integrity describes capabilities and practices for identifying system flaws and malicious content.
CMMC 1.0 required third-party assessments at all levels with the exception of transition levels. The second version of this model requires all Level 1 organizations to conduct annual self-assessments and submit affirmations. This level does not require an accredited CMMC Third Party Assessment Organization or C3PAO to conduct third-party assessments.
An affirmation is a statement from a senior official attesting that an organization will continue to comply with the requirements for a particular level of the model. This measure also does not require any input or approval from third parties. Level 2 organizations with contracts for non-prioritized acquisitions that are not critical to national security can conduct self-assessments every three years. CMMC 2.0 requires annual affirmations at every level.
A CMMC checklist for a Level 1 organization should cover all of the necessary preparations for an internal assessment. It can be beneficial to divide a comprehensive checklist for compliance with this model into pre-assessment, assessment and post-assessment stages. Find out more about what to cover during each stage of the process.
Before preparing for an assessment, confirm that your organization only needs to demonstrate the ability to securely handle FCI. If you are also interested in seeking contracts that involve CUI, the stakeholders of your organization should consider pursuing a higher level of certification.
Start by identifying and listing any organizational assets, including information systems, that are subject to these controls. An information security platform that has baseline, visibility and monitoring functions can streamline the process of maturing your security program.
A Level 1 self-assessment should account for the capabilities and practices in every domain. You can make a checklist based on these requirements to guide the assessment process. Based on your findings, it can also be worthwhile to make checklists for any areas that require remediation.
These checklists can inform the production of a Security Assessment Report for internal use. Following the implementation of CMMC 2.0, your organization will need to register a self-assessment and affirmation in the DoD Supplier Performance Risk System.
It can also be worthwhile to reference assessment results to develop checklists for ongoing compliance. The documentation that you develop for the first self-assessment of your organization can serve as a guide for future annual assessments.
Checklists and other assessment documentation can also be useful for automating workflows on a continuous compliance platform. The right compliance solution can help your organization achieve and maintain Level 1 certification.
An all-in-one information security platform that allows for continuous monitoring can be helpful for obtaining CMMC Level 1 certification. Whether you need to meet Level 1 requirements as a condition of contract award or want to prepare for CMMC 2.0, you can use Compyl to implement practices and conduct internal assessments. Request a demo to see how Compyl can help your organization comply with CMMC.