CMMC Level 1

Processes: Performed
Level 1 requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of Federal Contract Information (FCI) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.003 Verify and control/limit connections to and use of external information systems.
AC.1.004 Control information posted or processed on publicly accessible information systems.
IA.1.076 Identify information system users, processes acting on behalf of users, or devices.
IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
MP.1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
PE.1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132 Escort visitors and monitor visitor activity.
PE.1.133 Maintain audit logs of physical access.
PE.1.134 Control and manage physical access devices.
SC.1.175 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SI.1.210 Identify, report, and correct information and information system flaws in a timely manner.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 Update malicious code protection mechanisms when new releases are available.
SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.