CMMC Level 1 Conformity Assessments
CMMC Level 1 Conformity Assessments are all about an organization protecting Federal Contract Information (FCI) in accordance with 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.
The 15 Security Requirements per FAR 52.204-21 are:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
WARNING: Security Requirements (i) and (x) are the hardest and should not be underestimated by an organization implementing them.
CMMC Level 1 Model Baseline
The CMMC Model for Level 1 maps to the 15 Security Requirements from FAR 52.204-21 paragraph (b)(1).
The CMMC model prefixes each requirement with the corresponding NIST SP 800-171 family acronym plus “L1”. The FAR 52.204-21 citation is normalized from (b)(1)(i-xv) to b.1.i-xv. As an example,
“(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
becomes “AC.L1-b.1.i, Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
For self-assessments, the CMMC Program Rule mapped the 15 FAR 52.204-21 requirements to 59 NIST SP 800-171A Assessment Objectives, per Table 1 to §170.15(c)(1)(ii).
Assessment Objectives will be cited using the NIST SP 800-171A nomenclature of [a-z] for each separate Assessment Objective. For example, the first Assessment Objective for AC.L1-b.1.i would be AC.L1-b.1.i[a].
CMMC Level 1 Self-Affirmation Requirements
For CMMC Level 1, every organization subject to FAR 52.204-21 is required to:
- Conduct a CMMC Level 1 Self-Assessment to determine their conformity.
- Be evaluated against the corresponding NIST SP 800-171A Assessment Objectives per Table 1 in §170.15(c)(1)(ii).
- Submit an annual self-affirmation of the organization’s 100% compliance with the FAR 52.204-21 security requirements to DoD’s Supplier Performance Risk System (SPRS) (cf. §170.22, Affirmation).
CMMC Level 1 Third Party Certification Requirements
CMMC Level 1 has no requirement for a 3rd-party conformity assessment and certification.
CMMC Level 1 Plans of Action & Milestones (POA&M)
§170.15, CMMC Level 1 Self-Assessment and Affirmation requirements, of the draft CMMC Program rule states:
“(a)(1) Self-Assessment. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2). No POA&Ms are permitted for CMMC Level 1.”
Yes, no POA&Ms are allowed. All organizations attesting their conformity to FAR 52.204-21 MUST do so with 100% compliance.
If an organization fails to achieve and maintain CMMC Level 1 conformity, “standard contractual remedies will apply and the Organization Seeking Assessment (OSA) will be ineligible for additional awards with CMMC Level 1 Self-Assessment or higher requirements for the information system within the CMMC Assessment Scope until such time as a valid CMMC Level 1 Self-Assessment is achieved.” (cf. §170.15(a)(1)(ii))
Peak InfoSec Provided Services
For CMMC Level 1, Peak InfoSec can support your organization with the following services:
- CMMC Level 1 Conformity Assessments & Letters of Attestation: To reduce your organization’s business risk and your senior leaders’ personal liability risk when they submit the self-affirmation to SPRS, Peak InfoSec can conduct a Level 1 Conformity Assessment and issue a Letter of Attestation regarding your organization’s compliance.
- FCI Scoping: Defining the scope of your FCI is harder because FCI is more nebulous than other controlled information. For example, an email between your organization and the DoD about a contract you won is generally FCI. Failure to understand your FCI scope can lead your organization to leave required safeguarding requirements unimplemented and to attest your compliance incorrectly.