CMMC level 1 certification focuses on the protection of Federal Contract Information (FCI) and is about “performing” the basic cybersecurity hygiene. Level 1 self-assessment methodology follows a data-centric security process and does not require development of a specific policy and procedure, unless a requirement calls for a particular documentary evidence. One of the documentary pieces of evidence is your asset inventory in CMMC Level 1 certification. As such, all users, processes acting on behalf of the users, people resources (i.e., contractors, vendors, ESP/MSP employees), technology resources (i.e., computers, servers, network appliances, security appliances, on-premise software, cloud-based software), and buildings/facilities must be documented. In this article, we will address two security domains that are applicable to CMMC Level 1 Certification (for v2.0), namely Access Control (AC), and Identification and Authentication (IA). Check out Cyber AB’s CMMC guidelines for further information here.
Table of Contents
What are the CMMC Level 1 certification requirements?
AC.L1-3.1.1: Authorized Access Control
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
CMMC Level 1 Certification Consideration factors:
CMMC Level 1 certification requires contractors to define all of the users, processes, and devices separately, and limit their access to exactly what they are supposed to do or execute, nothing more. You should be in a position of answering “Yes” for both of these questions:
- Is a list of authorized users maintained that defines their identities and roles?
- Are account requests authorized before system access is granted?
Expectations to meet this requirement:
- Having a list of all active and inactive users (i.e., employees, contractors, visitor accounts, service provider accounts, etc.), account names and where and what exact machines, applications, and services that they are authorized to access. Applications that are accessed include on-premise and cloud-based/hosted applications, including but not limited to e-mail, CRM, ERP, accounting and office/productivity applications. User accounts are disabled when the user is no longer required to access, such as when an employee leaves, pause or termination of a contractor and MSP services, etc.
- Having a list of all devices, workstations, laptops, security protection devices, routers, wireless access points, and network appliances with unique device names, and the user accounts who are authorized to access and use these devices. Devices are removed from the network and boundary if they are no longer needed.
- Having a complete list of all processes and system tasks and the accounts that those processes/tasks utilize. Processes must be disabled or removed if no longer needed.
- Demonstrated process that all users, devices, and processes are regularly reviewed by the system administrators and approved before use. Users should not be able to login without a valid password which is strong and regularly changed. Users should not be allowed to access the devices/machines or run processes that they are not authorized to. Users also should not be allowed to access work applications using their personal unapproved devices, or through unauthorized network devices, such as WiFi hot spots.
AC.L1-3.1.2: Transaction & Function Control
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
CMMC Level 1 Certification Consideration factors:
CMMC Level 1 certification requires contractors to generate an access control list where the contractor identified the administrators, privileged role owners, and regular users, and limit their access to applications and data based on their roles. You should be in a position of answering “Yes” for both of these questions:
- Are access control lists used to limit access to applications and data based on role and/or identity?
- Is access for authorized users restricted to those parts of the system they are explicitly permitted to use (e.g., a person who only performs word-processing cannot access developer tools)?
Expectations to meet this requirement:
- Having an access control list identifying all users, their roles, and the functions and tasks they are allowed to execute on workstations, machines, laptops, servers, network devices, and security protection devices. As a default, all users must be assigned only non-admin roles unless their job function specifically requires an elevated role.
- Demonstrated process and configurations where regular users are not allowed to carry administrator rights on their workstations/laptops, and are authorized to execute only the tasks that are expected from their job.
- File and folder permissions are configured correctly to limit the access of unauthorized users.
AC.L1-3.1.20: External Connections
Verify and control/limit connections to and use of external information systems.
CMMC Level 1 Certification Consideration factors:
CMMC Level 1 certification requires contractors to define the scope and boundary where FCI is handled and mark all IT resources and systems outside of that boundary as external. Control and limit the connections to external systems, and don’t mix and share the resources. You should be in a position of answering “Yes” for the following questions:
- Are all connections to external systems outside of the assessment scope identified?
- Are external systems (e.g., systems managed by contractors, partners, or vendors; personal devices) that are permitted to connect to or make use of organizational systems identified?
- Are methods employed to ensure that only authorized connections are being made to external systems (e.g., requiring log-ins or certificates, access from a specific IP address, or access via Virtual Private Network (VPN))?
- Are methods employed to confirm that only authorized external systems are connecting (e.g., if employees are receiving company email on personal cell phones, –Is your organization checking to verify that only known/expected devices are connecting)?
- Is the use of external systems limited, including by policy or physical control?
Expectations to meet this requirement:
- A network diagram properly showing the scope and boundary of the system environment that will process and store the FCI and possible external systems connected to the system environment.
- A policy and physical controls (e.g., web access block, closing ports, MAC and IP level controls) are in place to prevent access to external systems thereby reducing the possibility of leak of the FCI.
- List of contractors, external service providers, and vendors as well as personal devices which are authorized to connect from external systems to the secure workspace, and existences of physical controls to control their access, such as firewalls, and VPN.
AC.L1-3.1.22: Control Public Information
Control information posted or processed on publicly accessible information systems.
CMMC Level 1 Certification Consideration factors:
CMMC Level 1 certification requires contractors to control and limit the access to public systems and sites and have a documented process to review and approve the posts/uploads. You should be in a position of answering “Yes” for the following question:
Does information on externally facing systems (i.e., publicly accessible web sites, social media, file sharing sites, etc.) have a documented approval chain for public release?
Expectations to meet this requirement:
- A documented process listing the individuals who are authorized to post/upload on public systems, as well as individuals to review and approve the post/upload. How the review process is conducted to remove potential FCI should be explained in the process.
- A demonstrated example of review to ensure that the process is followed.
- A demonstrated example of timely removal of FCI in case it is found in the posted/uploaded document/data.
IA.L1-3.5.1: Identification
Identify information system users, processes acting on behalf of users, or devices.
CMMC Level 1 Certification Consideration factors:
Contractor seeking CMMC Level 1 certification should be in a position of answering “Yes” for the following questions:
- Are unique identifiers issued to individual users (e.g., usernames)?
- Are the processes and service accounts that an authorized user initiates identified (e.g., scripts, automatic updates, configuration updates, vulnerability scans)?
- Are unique device identifiers used for devices that access the system identified?
Expectations to meet this requirement:
Documentation or configuration files to support that each user, process, and device have its own unique identifier (i.e., username, MAC Id, process Id, etc.) and credentials, such as passwords when accessing the system.
IA.L1-3.5.2: Authentication
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
CMMC Level 1 Certification Consideration factors:
Contractor seeking CMMC Level 1 certification should be in a position of answering “Yes” for the following questions:
- Are unique authenticators used to verify user identities (e.g., passwords)?
- Can your show that the organization maintains a record of all service accounts (such as scripts, etc.) when reviewing log data or responding to an incident?
- Are user credentials authenticated in system processes (e.g., credentials binding, certificates, tokens)?
- Are device identifiers used in authentication processes (e.g., MAC address, non-anonymous computer name, certificates)?
Expectations to meet this requirement:
- Documentation or configuration files to support that each user, process, and device have its own unique identifier (i.e., username, MAC Id, process Id, etc.) and credentials, such as passwords when accessing the system.
- All users, devices, processes (including the company mobile devices) are forced to have strong passwords. Default passwords are not used and immediately changed.
- Demonstrated configuration and log files that authentication process applies to all users, devices, services accounts, and processes.
- Devices and processes have enabled automatic logout or lock features due to inactivity.
Comments are closed