Level 1: Requires that an organization performs the specified practices. Because the organization may only be able to perform these practices in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for level 1. Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).
As defined in 48 CFR 52.204-21: “Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
So what does that mean? Our take is that FCI is any document or information produced in response to a CDRL or other request from the Government. That covers basically any document you create for the Government, which means that pretty much every DoD contractor will require, at least, CMMC level 1. More important than our interpretation is the opinion of your company’s Contracting Officer or legal counsel; they are the people who will need to defend your position to the Government.
That may be a moot point, as the CMMC is set up to be a requirement to win in sections L and M of the RFP, which means that to even bid on the contract you’ll need to be certified to level 1 regardless of whether you process FCI or not.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is the security control, or requirement, catalog. These controls are grouped into families of similar controls based on the process they impact. One key consideration is that the controls are only applicable to the systems that process FCI. If you’ve segregated your networks between commercial and government customers, then you need only focus on the government segment. Below are the families and their impact on your organization.
The controls in the Access Control family require that you control access to your system from users as well as from other systems. This is typically accomplished with usernames and passwords and Application Programming Interface (API) authentication. Most organizations already have this in place, but you may need to consider any computers that allow users to access your servers or cloud applications with a shared account/password.
For level 1, if you’ve properly implemented access control you’ve probably also implemented the Identification and Authentication controls. These simply ensure that you have a unique username and password for every account that has access to FCI.
Media protection requires that you clear, or sanitize, any media (e.g. hard drives, thumb drives, USB external drives, etc.) prior to releasing it from your control.
Physical protection requires that you limit access to your facilities, escort visitors, and maintain some level of logs of who accessed your facility. This can be done either with badge swipe devices that record the who, when, and where of each swipe, or with paper logs. This seems to be one of the more annoying controls to implement, as many companies can’t justify a badging system for access to their facilities, and who really wants to fill out a paper log every time they arrive at and leave work each day?
The key phrase from the System and Communications Protection family is to “Monitor, Control, and Protect” communications. This means that you will need to buy some hardware AND monitor it. You will need a firewall and an Intrusion Detection System; there are many devices suitable for small businesses, some as cheap as $100. The more expensive part of this control is having a qualified individual dedicated to monitoring the device on a periodic basis. For a level 1 implementation this would be someone on your IT staff, as it would hardly be justified to hire a full-time security professional for just this one control.
In addition to “Monitor, Control, and Protect” you will also need to segregate your network into private and public-facing segments. This means that if you host any publicly accessible servers (e.g. a web server for your corporate website), they must be placed in what is called a Demilitarized Zone, or DMZ. The firewall you choose to implement will be able to provide the DMZ for your servers quite easily.
The System and Information Integrity family simply deals with having anti-virus software installed on all of your computers and servers, and in any other places of importance, such as integrated anti-virus on your email server. The software will need to be configured to protect the system in real time as well as to conduct periodic full system scans.