The Cybersecurity Maturity Model Certification (CMMC) is designed to ensure the protection of sensitive national security information such as controlled unclassified information (CUI) and federal contract information (FCI). The certification applies to all DoD contractors and subcontractors, and a contractor that fails to maintain compliance will be unable to bid for DoD contracts. CMMC 2.0 is an update to the CMMC 1.0 that was initially released in January 2021.

Under DFARS and DoD rules and policies, the DoD implemented cybersecurity controls in the CMMC standard to protect CUI and FCI. Thus, the CMMC measures an organization’s ability to protect FCI and CUI. FCI is any information that is ‘not intended for public release,’ while CUI is information that requires safeguarding and may also be subject to dissemination controls. FCI is defined in FAR clause 52.204-21, and CUI is defined in Title 32 CFR Part 2002. Since Level 1 focuses on safeguarding FCI, the applicable self-assessment objectives for Level 1 are modified to address FCI rather than CUI, as set forth in 32 CFR § 170.15(c)(1)(i).

This article looks at everything you need to know about CMMC 2.0 Level 1, its controls, and requirements.

CMMC 2.0 Level 1: Everything You Need to Know

What Determines My CMMC Level Requirement?

The required CMMC certification level is determined by the specific kind of information a company handles and the type of work it does. The specific level of certification will be spelled out in all new DoD contracts. If a supplier is not certified at the specified level, the company cannot bid on the DoD business.

Companies that have FAR clause 52.204-21 (which is a subset of the DFARS requirements) in their contract and handle only FCI will need to achieve CMMC Level 1. This level does not require a certified third-party assessment provider for certification. It requires an annual self-assessment with an attestation from a corporate executive.

What Is CMMC 2.0 Level 1?

The Foundational level is the first of the three levels, and it consists of basic cybersecurity risk management practices. This level encompasses the most basic of cyber protection measures and is intended to address the most common cyber threats. It focuses on basic measures of security and risk management, such as authentication and access control, which is the ability to control who can access what information.

The requirements of this level are divided into 6 domains and 15 requirements, including, but not limited to, Access Control, Identification and Authentication, and System and Information Integrity. Organizations must demonstrate that all of the required practices have been implemented, as well as demonstrate effective cybersecurity risk management processes.

Who Needs CMMC 2.0 Level 1?

CMMC 2.0 Level 1 applies to DoD contractors and subcontractors that handle FCI that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

The Foundational level requires organizations to perform basic cybersecurity practices. They are allowed to reach certification through an annual self-assessment. CMMC Third Party Assessor Organizations (C3PAOs) are not involved with Level 1 certification. 

CMMC 2.0 Level 1 Domains and Controls

CMMC Maturity Level 1 is the first and foundational level of CMMC certification. The requirements of this level are divided into these 6 domains:

Domain                                      Number of Controls
Access Control (AC)                         4 controls
Identification and Authentication (IA)      2 controls
Media Protection (MP)                       1 control
Physical Protection (PE)                    2 controls
System and Communications Protection (SC)   2 controls
System and Information Integrity (SI)       4 controls

The controls and security requirements in each domain include:

Access Control (AC)

The Access Control domain focuses on the tracking and understanding of who has access to your systems and network. This includes user privileges, remote access, and internal system access. The specific controls include:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
  • Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  • Verify and control/limit connections to and use of external information systems
  • Control information posted or processed on publicly accessible information systems

Identification and Authentication (IA)

The Identification and Authentication domain focuses on the roles within an organization. It synergizes with the access control domain by ensuring that access to all systems and networks is traceable for reporting and accountability. The controls include:

  • Identify information system users, processes acting on behalf of users, or devices
  • Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems

Media Protection (MP)

Media Protection focuses on the identification, tracking, and ongoing maintenance of media. It also includes policies about protection, data sanitization, and acceptable transportation. This domain has only one requirement:

  • Sanitize or destroy information system media containing federal contract information before disposal or release for reuse

Physical Protection (PE)

Many organizations implement a sign-in process and require card-reader identification for access to certain portions of their facility. Yet, not every organization supervises its visitors throughout their entire stay. This domain has the following requirements that help organizations with that:

  • Limit physical access to the organization’s information systems, equipment, and the respective operating environments to authorized individuals
  • Escort visitors and monitor visitor activity
  • Maintain audit logs of physical access devices
  • Control and manage physical access devices

System and Communications Protection (SC)

Communication between employees needs to be secure so that no bad actor can eavesdrop on or record sensitive data. The System and Communications Protection domain focuses on implementing boundary-level defenses for organizational communications. The requirements in this domain include:

  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizations’ information systems) at the external boundaries and key internal boundaries of the information systems
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

System and Information Integrity (SI)

This domain focuses on the ongoing maintenance and management of flaws within information systems. It emphasizes that organizations put effort into identifying malicious code, maintaining ongoing protection for email, and monitoring systems. The requirements include:

  • Identify, report, and correct information and information system flaws in a timely manner
  • Provide protection from malicious code at appropriate locations within organizational information systems
  • Update malicious code protection mechanisms when new releases are available
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed

Frequently Asked Questions


What Is CMMC 2.0?

CMMC 2.0 is the latest version of the Cybersecurity Maturity Model Certification. It is a comprehensive set of procedures and standards developed by the Department of Defense, meant to establish a consistent approach to safeguarding CUI. The CMMC model is designed to help organizations evaluate and address their cybersecurity risks, as well as improve their overall security posture.

What Is the Purpose of CMMC 2.0 Level 1?

The primary purpose of CMMC 2.0 Level 1 is to ensure that organizations have the basic controls in place to protect FCI from unauthorized use. Level 1 is comprised of the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21.

What Are the Consequences of Noncompliance With CMMC 2.0 Level 1?

The consequences of noncompliance with CMMC 2.0 Level 1 vary. Failing to comply with the minimum standards can open up an organization to potential harm, as sensitive information could be leaked or stolen. Additionally, organizations may face penalties from the Department of Defense or other regulatory bodies if they are found to be out of compliance.

How Can I Implement CMMC 2.0 Level 1 Practices?

Implementing CMMC 2.0 Level 1 practices in an organization can be done at different levels and can be tailored to the organization’s situation. A starting point is to create a risk assessment, and from there, organizations can identify the specific controls and practices needed to meet the standards. They should also establish a program for monitoring and reporting on their progress.

What Are the Benefits of Complying With CMMC 2.0 Level 1?

The benefits of complying with CMMC 2.0 Level 1 are numerous. First, organizations will be able to protect the integrity of their FCI and be confident that it is safe from unauthorized use. Additionally, by having a basic set of cybersecurity practices in place, organizations can demonstrate due diligence to customers and other stakeholders, and can help prevent costly data breaches. Finally, complying with CMMC 2.0 Level 1 can help organizations qualify to bid for contracts with the DoD.

Kiteworks Private Content Network Enables Compliance With CMMC 2.0 Level 1

The Kiteworks Private Content Network (PCN) simplifies the CMMC 2.0 Level 1 compliance process for organizations in the Defense Industrial Base (DIB). Kiteworks unifies, tracks, controls, and secures all sensitive content communications in one platform. It also allows first parties and third parties to collaborate on confidential content. Kiteworks helps simplify and accelerate the process of achieving CMMC 2.0 Level 1 compliance by providing access control, secure file transfer, file encryption, secure file sharing, and authentication with two-factor authentication and multi-factor authentication. Organizations can set granular permissions and policies to ensure the highest levels of security for their data and content.

As part of CMMC 2.0 Level 1 compliance, Kiteworks helps organizations to create a digital audit trail on their sensitive content communications. This enables them to monitor sensitive content communications and to demonstrate adherence to data privacy and security regulations, including CMMC 2.0 Level 1.

To learn more about the Kiteworks Private Content Network and how it can accelerate your CMMC 2.0 Level 1 compliance, schedule a custom-tailored demo today. 
