High Level summary of the first level of CMMC and assessment requirements.

CMMC Level 1 Conformity Assessments

CMMC Level 1 Conformity Assessments are all about an organization protecting Federal Contract Information (FCI) in accordance with 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.

The 15 Security Requirements per FAR 52.204-21 are:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
WARNING:  Security Requirements (i) and (x) are the hardest and should not be underestimated by an organization implementing them.

CMMC Level 1 Model Baseline

The CMMC Model for Level 1 maps to the 15 Security Requirements from FAR 52.204-21 paragraph (b)(1).

The CMMC model adds the corresponding NIST SP 800-171 family acronym + “L1” as the prefix.   The requirement from FAR 52.204-21 is normalized from (b)(1)(i-xv) to b.1.i-xv.  As an example,

“(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”

becomes “AC.L1-b.1.i, Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”

For self-assessments, the CMMC Program Rule mapped the FAR 52.204-21 15 requirements to 59 NIST SP 800-171A Assessment Objectives per Table 1 to §170.15(c)(1)(ii).

Assessment Objectives will be cited using the NIST SP 800-171A nomenclature of [a-z] for each separate Assessment Objective.  For example, the first Assessment Objective for AC.L1-b.1.i would be AC.L1-b.1.i[a].

CMMC Level 1 Self-Affirmation Requirements

For CMMC Level 1, every organization with the FAR 52.204-21 is required to:

  • Conduct a CMMC Level 1 Self-Assessment to determine their conformity.
  • Be evaluated against the corresponding NIST SP 800-171A Assessment Objectives per Table 1 in §170.15(c)(1)(ii).
  • Submit an annual self-affirmation of the organization’s 100% compliance to FAR 52.204-21 security requirements to DoD’s Supplier Performance Risk System (SPRS) (c.f., §170.22, Affirmation ).

CMMC Level 1 Third Party Certification Requirements

CMMC Level 1 has no requirement for a 3rd-party conformity assessment and certification.

CMMC Level 1 Plans of Action & Milestones (POA&M)

§170.15, CMMC Level 1 Self-Assessment and Affirmation requirements, of the draft CMMC Program rule states:

(a)(1) Self-Assessment. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2). No POA&Ms are permitted for CMMC Level 1.

Yes, no POA&Ms are allowed.  All organizations attesting their conformity to FAR 52.204-21 MUST do so with 100% compliance.

Failure to comply with CMMC Level 1 Conformity Assessments and compliance can result in “standard contractual remedies will apply and the Organization Seeking Assessment (OSA) will be ineligible for additional awards with CMMC Level 1 Self-Assessment or higher requirements for the information system within the CMMC Assessment Scope until such time as a valid CMMC Level 1 Self-Assessment is achieved.” (c.f., §170.15(a)(1)(ii))

Peak InfoSec Provided Services

For CMMC Level 1, Peak InfoSec can support your organization with the following services:

  • CMMC Level 1 Conformity Assessments & Letters of Attestation:  To reduce your organization’s business and senior leader’s personal liability risks when they submit the self-affirmation, the SPRS, Peak InfoSec can conduct a Level 1 Conformity Assessment and issue a Letter of Attestation regarding your organization’s compliance.
  • FCI Scoping:  Defining the scope of your FCI is harder due to the more nebulous nature of FCI.  For example, an email between your organization and the DoD about a contract you won is generally FCI.  Failure to understand your FCI scope can lead your organization to not implementing the required safeguarding requirements and incorrectly attest your compliance.

Key CMMC Sites

Key References

Key Acquisition References

Other Key Sites

An Authorized CMMC 3rd Party Assessment Organization (C3PAO)