By Sese Bennett
November 14th, 2019
So, you need to be CMMC certified? If you’re like most small to mid-sized companies, you’re asking yourself – “What do I need to do to meet the CMMC requirements?” That is the million-dollar question.
Logically speaking, to pass an assessment, you need to know and understand what you’re being assessed on, and what is considered a “passing” grade. We hope this blog will assist in that understanding.
If you do not have any idea of what CMMC is, I encourage you to review our previous two blogs on the subject for a basic breakdown of the program. Since the articles were written, the CMMC program has matured a bit, but it should still give you the background you need to get up to speed.
So, let’s jump right in!
The first thing that should be on your radar is to determine what Cybersecurity Maturity Model Certification (“CMMC”) maturity level you are seeking as an organization. If you are storing, processing, or transmitting only Federal Contract Information (“FCI”), then you are likely only seeking CMMC Maturity Level 1 (“ML-1”) certification. If you are storing, processing, or transmitting anything else, then you are most likely seeking Maturity Level 3 (”ML-3”) or above. This is an overly-simplified description of the maturity level designations but hopefully it’s enough to get you going in the right direction.
Now for the good news! If your seeking ML-1, consider that the EZ button of the certification levels. ML-1 certification requires that your organization demonstrate compliance with seventeen (17) CMMC controls and meet a set of basic cyber hygiene requirements. These requirements are focused on validating what you are doing at the time of the assessment. Another way of putting it is that ML-1 is focused on performing the practice versus documenting the practice.
This means that technically your organization will not fail a ML-1 assessment because of the absence of practice documented. But in reality, you will need to have some sort of documentation available to show that your organization is performing the practice. Subsequently, it may be acceptable to provide informal or less detailed documentation to the CMMC assessor when reviewing ML-1 controls.
While we are on the subject of passing or failing, let’s talk about what that means in regards to CMMC. It should be noted that the CMMC certification is an all-pass or all-fail assessment. This means that you must pass all of the required practices for ML-1 in order to qualify for the certification.
Now, let’s do a quick breakdown of what those seventeen (17) ML-1 controls are looking for:
The first four (4) practices are based on the Access Controls (“AC”) practice family. These practices are designed to ensure that your organization properly limits access to authorized personnel, employs the privilege of least privilege by only giving the level of access that fits the users job role or responsibility, connections to external systems, and control of what is posted to publicly accessible systems such as websites on the internet. (AC.1.001, AC.1.002, AC.1.003, AC.1.004)
The next two (2) practices are based on the Identification and Authentication (“IA”) practice family. These two practices focus on identifying your users and services acting on their behalf to include things like service accounts or other accounts that may be device based. Additionally, this practice area examines how you authenticate (or verify) the identity of users, processes, and devices prior to allowing access to your systems. (IA.1.076, IA.1.077)
The Media Protection (“MP”) practice family contains only one (1) practice to consider for ML-1. The practice focuses on how you sanitize or destroy media containing Federal Contract Information (“FCI”) before disposal, release or reuse. (MP.1.118)
The next four (4) practices fall under the Physical Protection (“PE”) practice family. These practices focus on limiting physical access to your systems, equipment and their respective operating environments to authorized individuals. This practice family also includes how visitors are handled when they visit your facilities, how audit logs are maintained, and how physical access devices like badges, access cards, etc. are controlled and managed. (PE.1.131, PE.1.132, PE.1.133, PE.1.134)
The System and Communications Protection (“SC”) practice family contains two (2) practices that you need to consider. The first one focuses on monitoring, controlling, and protecting communications transmitted, or received by your systems at your key internal and external boundaries. The second practice examines how you are physically or logically separating your internal network from publicly accessible systems. (SC.1.175, SC.1.176)
That brings us to the last practice family for those organizations considering ML-1 CMMC certification. System and Information Integrity (“SI”) contains four (4) practices that focus on identifying and correcting system flaws (patching) in a timely manner. Malicious code protection and how malicious code mechanisms are also examined as part of this practice family. Finally, periodic and real-time scanning is examined as part of reviewing files from external sources as they are downloaded, opened, or executed. (SI.1.210, SI.1.211, SI.1.212, SI.1.213)
Now that you’re a CMMC ML-1 one expert, are you ready to get started on your CMMC journey? We certainly hope so. If you need assistance getting prepared, feel free to reach out and our team. We can help you prepare by conducting a readiness review to make sure you are on the path to success!
Be on the lookout for our next article in this series where we discuss the CMMC Maturity Level 2 (ML-2) designation, how it differs from ML-1, and how it fits into the overall CMMC ecosystem.
Until then, be safe and stay secure!
Provincia Government Solutions, LLC is a Nashville based government security and risk assessment company focused on government regulations such as NIST, FISMA, CMMC, SCA, 800-171 and MARS-E. Whether you are seeking a readiness assessment, consulting engagement, or CMMC certification assessment, we are a CMMC-AB approved C3PAO with CMMC Certified Provisional Assessor Levels 1-3 staff ready to assist you with all of your CMMC needs. Contact firstname.lastname@example.org for your free assessment quote.
Provincia Government Solutions is a Nashville TN based CMMC Third-Party Assessor Organization (C3PAO) and SBA certified HUBZone small business specializing in cybersecurity services for government agencies, contractors, and commercial organizations affiliated with government entities.