If you are reading this article, you are probably the owner of a small DoD contracting company. You’ve heard something about the CMMC (Cybersecurity Maturity Model Certification) either through your prime contractor or the SBA education office. You might be frustrated at yet another computer requirement, or you might be excited at the opportunity to distinguish your company from your competitors.
Are you just looking for a CMMC Level 1 audit provider? Right now, no company is authorized to perform audits (the CMMC is still in development). The author of this article and sponsor of CMMC Audit (Kieri Solutions) has started the process to become an auditor and is building a wait-list for audits in early 2021. Other audit providers will be listed on the CMMC accreditation body website as they are approved.
How to prepare for CMMC Level 1 certification
First, the standard disclaimer. This article was last updated in January 2021. Here is the status of the CMMC at that time:
- The CMMC Model documents are version 1.02 (official / released)
- The CMMC Accreditation Body is formed and is working on building processes for auditor training, certification, and organization audits.
- There are no assessment companies authorized to perform CMMC assessments yet.
- There is no way for companies to get CMMC certified yet.
- This article is privately written and isn’t official guidance from any of the above organizations.
However, the good news is that for Level 1 of the CMMC, the requirements are set: the 17 Level 1 practices are the basic safeguarding requirements of FAR 52.204-21 (often called the “17 Critical FAR controls”), which have applied to federal contractors since 2016. So there is no reason to delay working on these security improvements.
What are the CMMC Level 1 requirements?
The CMMC repeatedly states that CMMC Level 1 maturity is “performed”: not documented, not managed, and definitely not optimized. In practice this means a company has implemented the security practices and can show an assessor that they are in place, but does not need a body of policies, process documentation, or improvement activity around them. Note: a few practices still require records, such as an inventory of computers and accounts, or an assigned person who checks content before it is posted publicly. That is different from the CMMC Level 2+ requirements for written policies and procedures.
An example of performing: Joe, the owner of PipeMaker, Inc., has three computers in his office, one for him, one for his wife, and one for the bookkeeper. Upon hearing about the CMMC, Joe calls a cyber security company and hands them a print-out of this blog, and of the latest CMMC Level 1 Assessment Guide **Note, this sentence has been updated. Use the Assessment Guide for Level 1, not the Appendix document** . They spend some time upgrading computers and making security improvements, then leave. Joe isn’t really sure what they did, but he follows their guidance about using strong passwords and locking the door to his office when he leaves.
Easy enough, right? But sadly, most small businesses I’ve seen don’t even meet this level of security. To be compliant with level 1, you need to WANT to be secure, and not take shortcuts. This is the difference between your accounts using the password Summer1! and having a complex password like 42small**DWARVEZ. It doesn’t cost much more, you just need to make the effort.
Implementing each security requirement for CMMC Level 1
Here are tips for how a very small business could do security for each Level 1 requirement. To be sure, I recommend working with a cyber security firm, but in the meantime, these easy suggestions will get you moving in the right direction.
CMMC AC.1.001 – Who is allowed access? What devices are connected?
Requirement text: “Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).“
How to pass? Decide who is allowed to use your company computers and give each of them their own account to log on with. When an employee leaves your company, disable their accounts the same day. Approve every device that connects to your network and know who owns it. Keep a list of each device that is allowed to connect to your network, your email system, and your applications, and a list of the accounts and the people who can access them.
How can you fail this? Disabling passwords, or leaving computers logged in so that anyone can access your data. Letting employees plug in their own wireless access points. Letting employees read company cloud email on unapproved (and unmanaged) personal phones and computers.
Note: If you use a Managed Service Provider (an IT company that operates your network for you), they could lower your security rating if they are not secure. Your contract with the MSP should have language about them meeting CMMC Level 1 requirements too.
CMMC AC.1.002 – Assign “user” rights to most accounts
Requirement text: “Limit information system access to the types of transactions and functions that authorized users are permitted to execute.”
How to pass? Your non-IT employees should only have “user” rights on their computers, not “admin” rights. Use permissions in your business programs and file shares so that employees can see only the federal contract information they need for their job.
How to fail this? Everyone has “administrator” rights on computers and devices.
CMMC AC.1.003 – Don’t share your neighbor’s network
Requirement text: “Verify and control/limit connections to and use of external information systems.”
How to pass? Keep your company network and computers separated from other businesses and from home networks. Have your own internet router and don’t let other companies share it. Only use company computers for working on federal contracts, never home computers, and never public computers.
How to fail? Sharing a Wi-Fi network with another business in the same building, so that their computers can communicate with your computers. Someone who is network-savvy could use this to eavesdrop on your internet browsing, or try to attack your computers directly. Using a personal laptop or tablet to work on a federal contract. This puts sensitive information onto a device that isn’t secured or controlled by you.
CMMC AC.1.004 – Don’t share your data with the world
Requirement text: “Control information posted or processed on publicly accessible information systems.”
How to pass? If you use cloud storage like Dropbox, OneDrive, or Google Drive, make sure no folder is shared with “anyone with the link” or “public”, and that your account has a good password. Tell your employees not to share their cloud documents with anyone outside of the contract. Have a procedure and an assigned person who must review content before it is posted on your websites. Don’t post sensitive information on public websites or social media.
How to fail? This requirement seems so easy, yet it is the cause of many recent headaches for the DoD. You set up a cloud storage location and share it with “everyone” or “anyone with the link”. Now everyone on the internet can view and download your files. Or you have no procedure for reviewing content before it is posted to your website.
CMMC IA.1.076 – Make accounts for each employee
Requirement text: “Identify information system users, processes acting on behalf of users, or devices.”
How to pass? Use individual accounts for each person in your business, and don’t allow password sharing. Individual accounts let your computers and software know who is logged on so that the appropriate level of access is granted and their actions can be traced back to them.
How to fail? Multiple people know the password for your computer, which has the credentials for your bank stored in the web browser. One day, funds are stolen from your bank account. When you review the logs, it says that your account did it. It is impossible to determine who stole the funds.
CMMC IA.1.077 – Change the default passwords
Requirement text: “Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”
How to pass? Ensure that every company computer and device requires a username and password (or another log-on method, such as a fingerprint or smart card) before it can be used. Company mobile phones should require a PIN or pattern to unlock. Computers and devices should lock themselves after 10 or 20 minutes of inactivity. Passwords must not be guessable, and default passwords on routers, printers, cameras, and other devices must be changed.
How to fail? Letting your very old manufacturing computer have no password because it controls factory machines and production would be slower if you have to log on to it each day. Never changing the default password on your security system.
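The account and logon checks described under AC.1.001, AC.1.002, IA.1.076 and IA.1.077 above can be run against a single Windows PC with the script below. It is an added example, not part of the original article or any CMMC guidance. It assumes a stand-alone Windows 10 or 11 computer (no Active Directory domain), Windows PowerShell 5.1 or later run from an elevated prompt, and the Microsoft.PowerShell.LocalAccounts module that ships with those versions. The authorized-user table is a constructed sample; the 15-minute lock limit is this example’s choice inside the 10-20 minute range the article suggests.

```powershell
# Added example (not from the article): local-account and logon review for
# AC.1.001, AC.1.002, IA.1.076 and IA.1.077 on one stand-alone Windows 10/11 PC.
# Assumes Windows PowerShell 5.1+ in an elevated prompt and no AD domain.
# The authorized-user table is a constructed sample: replace it with your own
# list of people and the account each of them uses.

# One row per person allowed on this PC. Admin = $true only for whoever
# maintains the computer; everyone else gets plain "user" rights (AC.1.002).
$Authorized = @(
    [pscustomobject]@{ Account = 'joe';        Person = 'Joe (owner)';      Admin = $false }
    [pscustomobject]@{ Account = 'mary';       Person = 'Mary (owner)';     Admin = $false }
    [pscustomobject]@{ Account = 'bookkeeper'; Person = 'Pat (bookkeeper)'; Admin = $false }
    [pscustomobject]@{ Account = 'itadmin';    Person = 'IT contractor';    Admin = $true  }
)
$AuthorizedNames  = $Authorized.Account
$AuthorizedAdmins = ($Authorized | Where-Object Admin).Account
$MaxIdleSeconds   = 15 * 60   # this example's choice, inside the article's 10-20 minute range

$Findings = New-Object System.Collections.Generic.List[string]

foreach ($u in Get-LocalUser | Where-Object Enabled) {
    # AC.1.001 / IA.1.076: every enabled account maps to one named person.
    # Anything else is an unauthorized account, a departed employee whose
    # account was never disabled, or a shared "front desk" login that hides
    # who really did what.
    if ($AuthorizedNames -notcontains $u.Name) {
        $Findings.Add("Account '$($u.Name)' is enabled but not assigned to a person: Disable-LocalUser -Name '$($u.Name)'")
    }
    # IA.1.077: no account may log on with a blank password.
    if (-not $u.PasswordRequired) {
        $Findings.Add("Account '$($u.Name)' does not require a password: Set-LocalUser -Name '$($u.Name)' -Password (Read-Host -AsSecureString)")
    }
    # The built-in Administrator (RID 500) should stay disabled on a workstation.
    if ($u.SID.Value -like 'S-1-5-21-*-500') {
        $Findings.Add("Built-in Administrator account '$($u.Name)' is enabled: Disable-LocalUser -Name '$($u.Name)'")
    }
}

# AC.1.002: only designated admin accounts may sit in the Administrators group.
# Names come back as COMPUTER\user or MicrosoftAccount\user@example.com.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $name = ($m.Name -split '\\')[-1]
    if ($m.ObjectClass -eq 'User' -and $AuthorizedAdmins -notcontains $name) {
        $Findings.Add("'$($m.Name)' has administrator rights but is not a designated admin: Remove-LocalGroupMember -Group Administrators -Member '$($m.Name)'")
    }
}

# IA.1.077: the machine locks itself after inactivity. This registry value is
# what the policy "Interactive logon: Machine inactivity limit" sets; absent or
# 0 means the screen never locks on its own.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $idle -or $idle -gt $MaxIdleSeconds) {
    $Findings.Add("Inactivity lock is $(if ($idle) { "$idle seconds" } else { 'not set' }): New-ItemProperty -Path '$PolicyKey' -Name InactivityTimeoutSecs -PropertyType DWord -Value $MaxIdleSeconds -Force")
}

# IA.1.077: automatic logon defeats the password entirely after a reboot.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Get-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon -eq '1') {
    $Findings.Add("AutoAdminLogon is on: Set-ItemProperty -Path '$WinlogonKey' -Name AutoAdminLogon -Value '0'")
}

if ($Findings.Count -eq 0) {
    Write-Output 'PASS: accounts, admin rights, passwords and inactivity lock meet the Level 1 checks above.'
} else {
    Write-Output "$($Findings.Count) finding(s) to fix before assessment (the command after each colon is the fix):"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script only reports; each finding carries the one-line command that fixes it, so the owner (or their IT firm) can apply fixes deliberately. Run it on every company computer and keep the output with the account list: that is exactly the kind of evidence an assessor will ask to see. Domain-joined PCs need the same review against Active Directory groups instead of local groups.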
CMMC MP.1.118 – Crush it, shred it, or overwrite it before you trash it
Requirement text: “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”
How to pass? Before a computer, mobile device, thumb drive, or even a writeable CD leaves your possession, work with an IT professional to destroy the data on it. There are three safe ways to sanitize a drive: 1) physically destroy it by crushing or shredding the platters or memory chips; 2) overwrite it with a wiping program (one full pass is enough for a magnetic hard drive, but overwriting is not reliable for SSDs and USB flash drives, which should be erased with the drive’s built-in secure-erase command or physically destroyed); or 3) cryptographic erase, which only works if the whole drive was encrypted before sensitive data was written to it and the key (including any recovery key) is then destroyed rather than filed away. NIST SP 800-88 is the government reference for these methods. Shred paper documents and CDs before you get rid of them.
How to fail? Selling your old work computers to someone who uses forensic tools to read the sensitive data still on them. Lending out a thumb drive that previously stored sensitive information (even if the files were “deleted”). Throwing any of these devices in the trash without destroying the data first.
CMMC PE.1.131 – Get away from my computer!
Requirement text: “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”
How to pass? Identify the areas of your company work spaces that are public and private. (It is OK for everything to be private). Keep your computers, devices, network gear, and sensitive information in the private area. If you don’t have any employees actively supervising the private area, lock the door when you leave.
How to fail? Running cables for your internal network to wall jacks in the guest waiting area. Leaving the front office unlocked and unsupervised while you are in the shop working. Leaving your laptop on the table, logged on, at Starbucks, while you go to the bathroom.
CMMC PE.1.132 – Stop unauthorized people and supervise visitors
Requirement text: “Escort visitors and monitor visitor activity.”
How to pass? You need to be able to positively identify anyone who is in your facility and challenge those who don’t have permission to be there. A very small company with 4 employees should know each person on sight. If you see anyone else in your space, you need to stop them, and potentially call the police. Larger companies (where employees don’t know everyone) use employee and visitor badges to show who is allowed to be there.
How to fail: Not escorting a utility worker when they come inside to “do repairs”. They could be a bad person trying to steal sensitive information or hack your network. Not calling the police if an unknown person was found wandering around inside your offices.
CMMC PE.1.133 – Who was here yesterday?
Requirement text: “Maintain audit logs of physical access.”
How to pass? Use a sign-in and sign-out sheet for employees or visitors (complimentary template here). If you can afford it, use cameras around your facility to identify everyone who enters and exits, including your employees. Install electronic locks with individually-assigned keys that keep a record of who went through them.
How to fail? Finding computers stolen and not having any idea who was in the building during the last 24 hours. You have a camera but it is positioned so that you can’t identify who entered and exited.
CMMC PE.1.134 – I’m going to need your key back…
Requirement text: “Control and manage physical access devices.”
How to pass? Restrict the number of people who can unlock the doors or disable the security system at your business. Lock your doors and windows to protect your computers and documents. If an employee leaves, change the locks. If you can afford it, use electronic locks that can easily be re-programmed.
How to fail? Never changing the door locks even though employees have left. Leaving windows unlocked. Giving keys to your building supervisor or janitorial service without discussing security expectations with them.
CMMC SC.1.175 – Keep your computers inside the firewall
Requirement text: “Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.“
How to pass? Just like parts of your facility are “private”, treat your company network as private. For very small businesses, the private network is whatever is plugged into the LAN ports (or Wi-Fi) of your internet router. Make sure the firewall in that router blocks all unsolicited inbound connections from the internet by default (replies to connections your own computers started are still allowed), so that internet attacks can’t reach your computers.
How to fail? Posting the Wi-Fi password for your internal network where non-employees can see it. Not using a firewall.
CMMC SC.1.176 – Just because you can, doesn’t mean you should…
Requirement text: “Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.”
How to pass? Very small companies probably shouldn’t try to operate servers that are connected to the internet. Use a web hosting company to host your website. Hire a security specialist if you need to open access from the internet to any of your computers so that they can set it up securely.
How to fail? Modifying your firewall or router so that traffic from the internet is forwarded to one of your computers or devices. This is called “opening a port” (port forwarding) and exposes that computer to attacks from the whole internet.
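For SC.1.175 and SC.1.176, the following script checks the Windows host firewall on a single PC: that it is enabled with an inbound default of “block” on every profile, and which inbound “allow” rules accept connections from any remote address, which is what an “opened port” looks like on the computer itself. This is an added example, not from the original article; it assumes Windows 10 or 11 (the built-in NetSecurity module) and an elevated Windows PowerShell 5.1 or later prompt. It cannot see the internet router, so port forwarding and UPnP still have to be reviewed in the router’s own admin page.

```powershell
# Added example (not from the article) for SC.1.175 and SC.1.176: confirm the
# Windows firewall is on and blocks unsolicited inbound connections by default
# on every profile, then list each enabled inbound "allow" rule that accepts
# connections from any remote address, i.e. every "opened port" on this PC.
# Assumes Windows 10/11 (NetSecurity module) and an elevated Windows
# PowerShell 5.1+ prompt. Checks the PC's own firewall only: port forwarding
# and UPnP on the internet router must be reviewed in the router's admin page.

$Findings = New-Object System.Collections.Generic.List[string]

# SC.1.175: enabled, and inbound default is Block ('NotConfigured' also
# behaves as Block, so only an explicit 'Allow' is a failure).
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $Findings.Add("Firewall is off for the $($p.Name) profile: Set-NetFirewallProfile -Name $($p.Name) -Enabled True")
    }
    if ($p.DefaultInboundAction -eq 'Allow') {
        $Findings.Add("$($p.Name) profile allows inbound by default: Set-NetFirewallProfile -Name $($p.Name) -DefaultInboundAction Block")
    }
}

# SC.1.176: every enabled inbound allow rule open to "Any" remote address.
# Windows ships a number of these itself (e.g. the Core Networking group); the
# ones to question are rules that you, an installer, or a remote-desktop setup
# added, especially any that apply on the Public profile.
$Exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    if ($addr.RemoteAddress -eq 'Any') {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Group     = $rule.DisplayGroup
            Profile   = $rule.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'PASS: firewall is enabled and blocks inbound by default on all profiles.'
} else {
    $Findings | ForEach-Object { Write-Output "FAIL: $_" }
}

Write-Output ''
Write-Output "Inbound allow rules reachable from any address: $($Exposed.Count). Disable any you cannot justify with:"
Write-Output '  Disable-NetFirewallRule -DisplayName "<rule name>"'
$Exposed | Sort-Object Group, Rule | Format-Table -AutoSize
```

The rule listing is deliberately not filtered: the point of the review is to look at every inbound opening and decide whether it is needed. A rule added by a vendor’s remote-support tool, or a “Remote Desktop” rule on a laptop that travels to coffee shops, is the kind of thing this makes visible.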
CMMC SI.1.210 – Install updates!
Requirement text: “Identify, report, and correct information and information system flaws in a timely manner.”
How to pass? Enable automatic download and installation of system updates / patches on all of your devices. If your scanner, printer, router, or business software hasn’t been updated in a while, look for the latest update and install it. Remove apps that are no longer supported by the vendor, because they will never receive another security fix.
How to fail? You are still using Windows XP or Windows 7 on your computers. You click cancel every time your system asks for an update. You’ve never updated your printer or router.
CMMC SI.1.211 – Use antivirus systems
Requirement text: “Provide protection from malicious code at appropriate locations within organizational information systems.”
How to pass? Have a working antivirus program on each of your computers. Any reputable antivirus program will work, including the Microsoft Defender antivirus built into Windows 10. Use an email service that scans attachments for malware, such as Office 365. Consider a router with threat protection like the Sonicwall SOHO.
How to fail? Ignoring warnings from your antivirus that it has detected malware. Bypassing the built-in protection on your tablet or phone by “jail-breaking” it.
CMMC SI.1.212 – Subscribe for threat protection
Requirement text: “Update malicious code protection mechanisms when new releases are available.”
How to pass? Make sure your computer antivirus and firewall threat protection is eligible for updates by paying for the subscription. Make sure all of your computers can download the antivirus definitions by giving them regular internet access.
How to fail? Your shop computer hasn’t downloaded new antivirus updates in a year because it isn’t connected to the network. Or you didn’t renew the antivirus subscription so the computers can’t download new definitions.
CMMC SI.1.213 – Enable antivirus scans
Requirement text: “Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”
How to pass? Configure your antivirus program to run a full scan weekly and to keep real-time (“active”) protection turned on, so that files are checked as they are downloaded, opened, or run.
How to fail? Cancel the antivirus scans because they make your computer slow.
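The four SI practices above (updates installed, antivirus present, definitions current, scans running) can be checked on a Windows PC with the script below. It is an added example, not from the original article, and uses Microsoft Defender, the antivirus built into Windows 10 and 11. It assumes an elevated Windows PowerShell 5.1 or later prompt and that Defender is the active antivirus; a third-party product normally switches Defender off, in which case the same questions have to be answered from that product’s console. The thresholds (signatures under 7 days old, a scan within 7 days, a Windows update within 45 days) are this example’s choices, not CMMC numbers.

```powershell
# Added example (not from the article) for SI.1.210 through SI.1.213, using
# Microsoft Defender on Windows 10/11. Assumes an elevated Windows PowerShell
# 5.1+ prompt and that Defender is the active antivirus. Thresholds below are
# this example's choices, not values from CMMC or the article.

$MaxSigAgeDays   = 7
$MaxScanAgeDays  = 7
$MaxPatchAgeDays = 45
$Findings = New-Object System.Collections.Generic.List[string]

$mp = Get-MpComputerStatus

# SI.1.211: malware protection present and watching files as they are opened.
if (-not $mp.AntivirusEnabled) {
    $Findings.Add('Antivirus engine is disabled.')
}
if (-not $mp.RealTimeProtectionEnabled) {
    $Findings.Add('Real-time protection is off: Set-MpPreference -DisableRealtimeMonitoring $false')
}

# SI.1.212: definitions still arriving (age is in days; a lapsed subscription
# or a PC kept off the network shows up here first).
if ($mp.AntivirusSignatureAge -gt $MaxSigAgeDays) {
    $Findings.Add("Signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated)): Update-MpSignature")
}

# SI.1.213: a scan is actually running. FullScanAge / QuickScanAge are days
# since the last scan of that type; a very large value means never.
$scanAge = [Math]::Min($mp.FullScanAge, $mp.QuickScanAge)
if ($scanAge -gt $MaxScanAgeDays) {
    $Findings.Add("No scan in the last $MaxScanAgeDays days: Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00; Start-MpScan -ScanType QuickScan")
}

# SI.1.210: patches being applied. Get-HotFix lists only Windows updates, so a
# pass here still leaves apps, printer and router firmware to check by hand.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge  = if ($lastPatch) { ((Get-Date) - $lastPatch.InstalledOn).Days } else { $null }
if ($null -eq $patchAge -or $patchAge -gt $MaxPatchAgeDays) {
    $Findings.Add("Last Windows update was $(if ($lastPatch) { "$($lastPatch.HotFixID), $patchAge days ago" } else { 'never recorded' }): open Settings > Windows Update and install pending updates.")
}

# SI.1.210: an operating system that no longer receives updates fails
# regardless of patch age. Windows 10 and 11 both report version 10.0.x.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Version -notmatch '^10\.') {
    $Findings.Add("$($os.Caption) (version $($os.Version)) is older than Windows 10; Windows 7 and XP no longer receive security updates and cannot pass this practice.")
}

if ($Findings.Count -eq 0) {
    Write-Output "PASS: antivirus on with real-time protection, signatures $($mp.AntivirusSignatureAge) day(s) old, last scan $scanAge day(s) ago, last Windows update $patchAge day(s) ago."
} else {
    Write-Output "$($Findings.Count) finding(s) to fix before assessment (the command after each colon is the fix):"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Save the output from each computer alongside the date you ran it. For a Level 1 assessment, showing that every PC reports current signatures and a recent scan is far more convincing than a statement that “we have antivirus.”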
The Level 1 CMMC requirements are easier the smaller your company is.
With only a few computers to worry about, you can meet the intention of level 1 pretty easily. Many very small companies can implement these practices without any additional cost.
Are you a bigger company preparing for CMMC level 1? I recommend working with a CMMC consultant to make sure you are taking the right actions to secure your environment. Large companies find even Level 1 to be very difficult to do 100%. You need to understand the full scope (and consider segmenting your federal team). Unlike a very small business, you probably have processes that need to be identified and controlled. Your physical locations need to be secure. I encourage you to reach out to our sponsor (Kieri Solutions) for consulting if you are a larger business. The CMMC-AB hosts a marketplace of Registered Practitioners who can also assist you.
Now go forth and be secure!
I’ve personally seen companies fail every one of these basic security requirements during my career. It seems like a no-brainer to be cyber-secure, but in many cases, the business owner sabotaged themselves by just not caring. They would have hired an expert electrician if they needed wiring fixed, gone to a good doctor if they were sick, or taken their car to the dealership for repairs, but when it came to their computers, they tried to get by with the absolute minimum.
Care a little, spend a little, be conscientious, and use good passwords. Your company can be CMMC level 1!
What do you think? Would you give different cyber-security advice to the very small businesses? What products would you recommend?
Please join in the discussion if you have tips, ideas, or horror stories of companies that did security wrong.
CMMC Assessment Guide for Level 1 webinar and review
Webinar on CMMC Level 1 by the Software Engineering Institute (CMU)
CMMC FAQs for Organizations Seeking Certification
What is FCI in CMMC and how does it affect scope?
CMMC Glossary of Terms and Definitions
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.
15 thoughts on “CMMC Level 1 certification and preparation (how-to)”
Do I need certification from a C3PAO for level 1?
In regards to CMMC AC.1.002:
Is users in a domain environment having LOCAL admin rights to their PC also a point that will cause non-compliance?
Using Joe’s PipeMaker, Inc. as a small business example, can someone clarify an obvious question about Third-Party Service Providers (TSPs)’s that Joe could soon ask? If Joe’s bookkeeper quits, and Joe does not replace him/her, and instead uses a trusted aunt to manage payroll since she has her own home accounting business, would Joe’s poor aunt have to get a CMMC Level 1 too?
Or, should Joe be hiring another cybersecurity consultant just to figure out who can do his books or process payroll?
How does a company with a Prime contract with DoD determine if CMMC Level 1, Level 2 or higher is needed?
The government provides my employees with a government laptop, CACs, & usage of the government network. All work is normally done on-site, except since COVID 19, my employees telework using the government equipment and network.
Internal company work is accomplished on my PC.
There is nothing in the current contract that requires CMMC certification. However, I am concerned about future contract awards.
This is unfortunately a question that doesn’t have a good answer yet. The answer is that you will know what CMMC level is required when the contract states the CMMC level.
Before the contract is released, you can ask the procurement officer what they think will happen in regards to CMMC requirements.
For Level 1 cert, do we need to address every remote job site with the following controls? Most remote sites do not have servers, but they do have workstations, networks, routers, firewalls, and VPN connectivity into our DC.
PE.1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132 Escort visitors and monitor visitor activity.
PE.1.133 Maintain audit logs of physical access.
PE.1.134 Control and manage physical access devices.
Yes, if they have open network connectivity to systems (like PCs) that have federal contract information on them.
We sell commercial off the shelf (COTS) products but also meet all the requirements of Level 1. Is there a reporting option for Level 1 or only Level 3 and above?
No reporting option at this time. For CMMC, you have to get an independent third party assessment and certification to show that you meet each level.
Pretty significant level 1 requirements
For Level 2-5, do you have an idea what the requirements are?
Yes the requirements for level 2 (and 3, 4, 5) are listed in the latest CMMC Model document released by the DoD.
I have links to the document and a guide for how to understand it on this page: https://www.cmmcaudit.org/cmmc-capabilities-controls-discussion-home/
At level 2 and above, I recommend getting a cyber-security compliance specialist to help, either on-payroll or as a consultant.
On products: auditors, especially 3PAOs, have to be very, very careful in promoting products. I normally give a detailed description of what the problem is and, in notes or offline, discuss options for solutions. (Too many solutions/products only answer part of the challenge.)
Managed services, SDN, managed email: all of these can be good solutions for small business. All of these solutions need to be addressed by cost and requirement. Just because a company offloads email does not mean it no longer needs patching or IT on-site; when they can reduce labor cost is where it becomes an effective solution.
Honestly, when you look at it from a small group’s perspective, it is cheaper to maintain on-prem than to offload. Then there is the data type requirement. If they have ITAR, Google email may land them with a huge fine from the State Department. However, if they can map the requirement successfully, they may have a reimbursable cost on the contract.
The output of any assessment should include a CAP / POAM to road-map them into a solution. There is no magic wand, but there are processes which make the selection of a solution less painful. MIT (Carnegie Mellon) has a number of free processes which can be adopted that will increase maturity and thought on secure IT practices. Overall, the smaller the business, the less knowledgeable they are in IT.
A few things here :
800-171B is thorough on the criteria for maturity. 800-53 / RMF is still a good reference model for expected results in testing.
I don’t see why the CMMC organization needs to sponsor required training for auditor certification. Testing, yes. ISC2 went the dual route (testing in the .org and training in the .com), but the training isn’t required and shouldn’t be. Hold the auditors accountable by authority revocation on package issues. This is how every organization accomplishes its charter.
Second, the most common issue with any assessment of any organization, especially in the smaller, less-resourced companies, is that LRPs (see DOD CIO architecture LRPs) are not mapped, and sometimes not even known or recognized. Large corporations sometimes have even more trouble meeting Fed and DOD requirements, as the global company is looking at centralized solutions to reduce costs, while those solutions may not meet single-contract requirements.
My one piece of advice for the small business is: map the requirement to how you are meeting it. Understand that if you are responsible for the IT, your list of mappings grows, and so do the cost and effort (aka people). Understand the business, IT and data requirements in the DFARS, with your implementation mapped to 171B.
If they can do this, they are leaps and bounds toward passing a Level 1 assessment. From that point they have known gaps and a plan on how to fix themselves.
Very good information and easy to understand. Do you have something similar to this for Level 2?
At this point, I don’t have a similar article for CMMC Level 2. That level, and the higher levels, are technically challenging and generally need full-time IT staff and part-time cyber-security staff to perform.
If your company needs Level 2 or Level 3 or higher for a DoD contract, you have a few options (remember that none of this is official advice).
1) Partner with a company that already has a CMMC certified network, and use their network for the contract.
2) Hire a part-time cybersecurity consultant to guide you.
3) Stand up an internal IT person as your security officer and have them figure this out. (You might want to hire a cybersecurity consultant to help train them and start the program, or send them through an official training course)
-Amira Armond, https://www.kieri.com