In this CMMC Level 1 certification article, we address two security domains that apply to CMMC Level 1 certification (for v2.0): System and Communications Protection (SC) and System and Information Integrity (SI). See Cyber AB's CMMC guidelines for further information.
What are the CMMC Level 1 certification requirements for SC and SI domains?
SC.L1-3.13.1: Boundary Protection
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Consideration factors:
Contractors seeking CMMC Level 1 certification are required to isolate their system environment from external systems using firewalls, gateways, and, where a cloud service is used, the cloud service boundaries. You should consider addressing the following questions:
- What are the external system boundary components that make up the entry and exit points for data flow (e.g., firewalls, gateways, cloud service boundaries)?
- What are the internal system boundary components that make up the entry and exit points for key internal data flow (e.g., internal firewalls, routers, any devices that can bridge the connection between one segment of the system and another) that separate segments of the internal network?
- Is data flowing in and out of the external and key internal system boundaries monitored (e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)?
- Is data traversing the external and internal system boundaries controlled such that connections are denied by default and only authorized connections are allowed?
- Is data flowing in and out of the external and key internal system boundaries protected (e.g., applying encryption when required or prudent, tunneling traffic as needed)?
Expectations to meet this requirement:
- A system network diagram clearly showing the internal and external system boundaries, details of segmentation, internal system components (e.g., servers, computers, workstations, network and security appliances, mobile devices, printers), and the location of networking appliances and security protection assets (e.g., firewalls, IDS, DLP, endpoint protection software, anti-virus software).
- Demonstrated existence of working security protection and monitoring devices at the boundaries.
- Configuration and log files of the firewalls and other protection devices:
  - Configuration files show that all connections are denied by default and only authorized connections are allowed by firewall rules. Ports and applications are blocked by default unless needed.
  - A demonstrated process in which configuration, log files, and alerts are regularly reviewed.
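One way to produce the default-deny evidence an assessor asks for is to audit the firewall configuration itself. The script below is an added example, not code from the article or from Cyber AB: it checks a constructed iptables-save dump for a DROP policy on INPUT and FORWARD, for catch-all accept rules that would undo that policy, and for a LOG rule so denied connections can be reviewed. The sample rulesets and the rule text are constructed for illustration.

```python
import re

# Constructed sample dumps in iptables-save format (not taken from the article).
# The weak one accepts by default; the hardened one drops by default,
# allows only what is needed, and logs what it drops.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+) (\w+) ")          # ":CHAIN POLICY [pkts:bytes]"
CATCH_ALL_RE = re.compile(r"^-A (INPUT|FORWARD) -j ACCEPT$")


def audit_ruleset(dump: str) -> list:
    """Return a list of findings; an empty list means the dump meets the expectations."""
    findings = []
    policies = {}
    rules = []
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(line)
    # Default-deny: inbound and forwarded traffic is dropped unless a rule allows it.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    # A rule that accepts everything in a chain silently undoes default-deny.
    findings += [f"catch-all accept rule: {r}" for r in rules if CATCH_ALL_RE.match(r)]
    # Monitoring: dropped connections must be logged so they can be reviewed.
    if not any("-j LOG" in r for r in rules):
        findings.append("no LOG rule: denied connections are not recorded for review")
    return findings
```

Running the audit on each saved ruleset and keeping the output with the review records gives the assessor both the configuration and the evidence that it was checked.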
SC.L1-3.13.5: Public-Access System Separation
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Consideration factors:
If any of your internal system components need to be reached by the public, they must be identified and separated from the other parts of the internal network by subnetting. Accepted physical or logical separation methods include isolated subnetworks and dedicated VLAN segmentation such as a demilitarized zone (DMZ).
Expectations to meet this requirement:
All publicly accessible components of the CMMC Level 1 certified system are listed. These would include web servers, e-mail servers, file servers, VPN gateways, and other publicly accessible servers and devices. The system network diagram shows the subnetting and/or dedicated VLAN (e.g., DMZ) that separates those components. Firewalls are installed and configured in the correct locations.
SI.L1-3.14.1: Flaw Remediation
Identify, report, and correct information and information system flaws in a timely manner.
Contractors seeking CMMC Level 1 certification are required to identify and fix system hardware, software, and firmware bugs and issues in a timely manner. There must be a pre-defined frequency (in days) for conducting vulnerability scans and configuration reviews, and a timeline for correcting the issues found.
Consideration factors:
- Is the time frame (e.g., a number of days) within which system bug and issue identification activities (e.g., vulnerability scans, configuration scans, manual review) must be performed defined and documented?
- Are system bugs and issues (e.g., vulnerabilities, misconfigurations) identified in accordance with the specified time frame?
- Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw) within which system bugs and issues must be corrected defined and documented?
- Are system flaws (e.g., applied security patches, made configuration changes, or implemented workarounds or mitigations) corrected in accordance with the specified time frame?
Expectations to meet this requirement:
- A document and configuration files defining the time frame for the review of bugs and issues, software patches, configuration scans, and vulnerability scans.
- Log files showing that reported issues and bugs were fixed, configuration changes were made, and software patches were installed within the predefined timeline.
- Obsolete and old hardware and software with no vendor support are disabled and no longer used.
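The two time frames the consideration factors ask about (how often scans run and how quickly flaws are corrected, by severity) can be tracked from scanner exports. The code below is an added example, not from the article: the policy numbers, scan dates, and findings are constructed assumptions, and the functions return the scan-interval gaps and the per-finding status that would back up the log evidence listed above.

```python
from datetime import date, timedelta

# Constructed policy values. The article requires these time frames to be documented;
# the numbers here are assumptions, not values from the article.
SCAN_INTERVAL_DAYS = 30                                            # scan at least every 30 days
FIX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # correction window by severity

# Constructed scan history and findings, shaped like a scanner export.
SCAN_DATES = [date(2024, 1, 15), date(2024, 2, 14), date(2024, 4, 2)]
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "severity": "critical",
     "found": date(2024, 3, 1), "fixed": date(2024, 3, 5)},
    {"id": "F-2", "asset": "fs-01", "severity": "high",
     "found": date(2024, 3, 1), "fixed": None},
    {"id": "F-3", "asset": "wks-07", "severity": "medium",
     "found": date(2024, 1, 10), "fixed": date(2024, 4, 20)},
]


def scan_gaps(scan_dates, interval_days=SCAN_INTERVAL_DAYS):
    """Return (previous, next) ISO date pairs spaced further apart than the required interval."""
    ordered = sorted(scan_dates)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(ordered, ordered[1:]) if (b - a).days > interval_days]


def remediation_status(finding, today_iso):
    """Classify one finding against the severity-based correction window."""
    today = date.fromisoformat(today_iso)
    due = finding["found"] + timedelta(days=FIX_DAYS[finding["severity"]])
    fixed = finding["fixed"]
    if fixed is not None:
        return "on-time" if fixed <= due else "late"
    return "open" if today <= due else "overdue"


def sla_report(findings, today_iso):
    """Map finding id to its status; this is the evidence an assessor would ask to see."""
    return {f["id"]: remediation_status(f, today_iso) for f in findings}
```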
SI.L1-3.14.2: Malicious Code Protection
Provide protection from malicious code at appropriate locations within organizational information systems.
Meeting this requirement is as straightforward as installing robust anti-virus software on all endpoints, including computers, workstations, servers, mobile devices, and all other machines defined as in scope for the CMMC Level 1 certified system.
Consideration factors:
Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented?
Expectations to meet this requirement:
- A document listing all in-scope system components where malicious code (e.g. virus, trojan, worm, ransomware, etc.) protection software is installed.
- Best practice: Use office/productivity software with an embedded malicious-software scanning and removal function that automatically scans documents, spreadsheets, downloaded files, e-mails, and similar content.
- If a cloud service is used, obtain information/certification from the service provider that hosted files are subject to regular malicious code scanning.
SI.L1-3.14.4: Update Malicious Code Protection
Update malicious code protection mechanisms when new releases are available.
Contractors seeking CMMC Level 1 certification are required to install anti-virus software, keep it regularly updated, and monitor that the update process completes successfully.
Consideration factors:
Is there a defined frequency by which malicious code protection mechanisms must be updated (e.g., frequency of automatic updates or manual processes)?
Expectations to meet this requirement:
- A document or configuration file defining the frequency with which anti-virus software is updated, either via automatic updates or manually.
- A demonstrated process of regular updates to the malicious code scanning software, with updates accessible to and subscribed by the organization. Anti-virus software typically receives the latest virus signatures, as well as other AI-based detection algorithms, directly from the vendor's servers, so devices should be allowed to connect to those servers.
SI.L1-3.14.5: System & File Scanning
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Consideration factors:
Are files from media (e.g., USB drives, CD-ROM) included in the definition of external sources and are they being scanned?
Expectations to meet this requirement:
- A document or configuration files showing the frequency of scans.
- Demonstrated process of malicious code scanning on all devices on pre-defined periods.
- A demonstrated process of real-time malicious code scanning of files received from external sources (e.g., the internet, external media, USB drives) when they are opened or executed.