A CMMC Level 1 Compliance Checklist Breakdown
Today, we’re going to break down key sections of the CMMC Level 1 compliance checklist to help you with your own efforts. We will cover a range of practices from access control to physical protection, providing actionable steps you can take to secure your systems and data.
Access Control
This section is all about managing who can access your information systems and what they can do once they're in.
AC.1.001 - Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
How: My recommendation is to perform a periodic review of access to all the systems you’re using. An example would be reviewing Microsoft 365 active accounts every quarter. Create a list of roles or titles and what systems they need access to.
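As an added example (not code from the original article), the script below performs the quarterly review described above: it reconciles an account export against a role-to-system matrix and flags accounts with access beyond their role, accounts nobody owns, and accounts with no sign-in during the review cycle. The role matrix, the account list and the 90-day threshold are constructed assumptions standing in for an HR role list and an admin-portal export.

```python
"""Quarterly access review (AC.1.001): reconcile active accounts against a
role-to-system matrix and flag stale sign-ins. Added example, not from the
original article; ROLE_ENTITLEMENTS and SAMPLE_ACCOUNTS are constructed data
standing in for an HR role list and an admin-portal account export."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed matrix: which systems each role/title legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounting": {"m365", "quickbooks"},
    "engineer": {"m365", "gitlab"},
    "contractor": {"m365"},
}
INACTIVITY_LIMIT = timedelta(days=90)  # roughly one quarterly review cycle


@dataclass
class Account:
    upn: str                      # user principal name / login
    role: Optional[str]           # title from HR; None if nobody claims it
    systems: Set[str]             # systems the account is enabled in
    last_sign_in: Optional[date]  # None means never signed in
    enabled: bool = True


def review_access(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (upn, finding) pairs that need an owner's decision."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: no access left to review
        if acct.role not in ROLE_ENTITLEMENTS:
            findings.append((acct.upn, "no role on file: confirm owner or disable"))
            continue
        extra = acct.systems - ROLE_ENTITLEMENTS[acct.role]
        if extra:
            findings.append((acct.upn, f"access beyond role: {sorted(extra)}"))
        if acct.last_sign_in is None or today - acct.last_sign_in > INACTIVITY_LIMIT:
            findings.append((acct.upn, "no sign-in this cycle: disable"))
    return findings


REVIEW_DATE = date(2025, 7, 1)  # constructed date of the export below
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "accounting", {"m365", "quickbooks"}, date(2025, 6, 28)),
    Account("bob@example.com", "engineer", {"m365", "gitlab", "quickbooks"}, date(2025, 6, 20)),
    Account("carol@example.com", "contractor", {"m365"}, date(2025, 2, 10)),
    Account("svc-backup@example.com", None, {"m365"}, None),
    Account("dave@example.com", "engineer", {"m365"}, None, enabled=False),
]
```

Each finding is a decision for the system owner to record, which also gives you the written evidence an assessor will ask for.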
AC.1.002 - Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
How: Example: Limiting Microsoft 365 settings so users cannot add third-party apps to access OneDrive/SharePoint without admin authorization; limit what devices can connect to Microsoft 365 without authorization; put files with FCI in a separate folder where fewer people have access.
AC.1.003 - Verify and control and/or limit connections to, and use of, external information systems.
How: External systems are personal devices, third-party systems, public networks, cloud services, or home networks. Here, you’d use web filtering software, VPN software, and requirements on personal devices before they can connect to email, as well as policies that set expectations for employees to use only approved software.
AC.1.004 - Control Information Posted or Processed on Publicly Accessible Information Systems
How: Identify FCI through policy and systems documentation through asset management, review content before posting, limit who can post to public systems like company LinkedIn or Facebook pages, and provide regular training on protecting FCI to employees.
Identification and Authentication
This is a critical foundation for security, ensuring that you can verify the identity of everyone and everything on your network.
IA.1.076 – Identify Information System Users, Processes Acting on Behalf of Users and Devices
How: Each person with access to a system needs a unique account. Shared accounts don’t work. Do not share email accounts. Instead, set up individual accounts and grant each of them access to a shared mailbox; that way you keep accountability. Each account should be tied to a real person and kept current and accurate. This also covers accounts that act “on behalf of” a user, also known as service accounts. AI bots may fall into this category, so be very careful what data these bots are granted access to!
IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
How: Inventory your assets. Create a list of all your devices, laptops, desktops, servers, and third-party software. Enforce passwords and password requirements across all those systems. Disable guest accounts, and change any default IT manufacturer passwords. Lastly, use account lockout settings to prevent infinite guessing against your IT system authentication methods.
Media Protection
This control focuses on managing and protecting data-containing media before it's disposed of or reused.
MP.1.118 – Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse
How: Only one today? You’ll see why. This one may seem small, but there’s a lot packed into it.
What is "Information System Media"? This term is broad and includes anything that can store data, whether digital or non-digital.
- Digital Media: Hard Disk Drives (HDDs) / Solid State Drives (SSDs), USB Flash Drives, Optical Discs, Magnetic Tapes, Mobile Devices, Network Devices with Storage, Printers, Scanners, Copiers.
- Non-Digital Media: Paper Documents, Microfilm/Microfiche.
What is Disposal or Reuse? Clearing, purging, and destruction are methods to make sure data doesn’t end up in a breach scenario with your company name attached to it. Clearing uses a dedicated technique to wipe the data. Purging is a step up from clearing. Destroying is what it sounds like: the media is damaged to a degree that recovery isn’t practical. Before you destroy drives or hand them over to another company, you must document what’s being destroyed. Record the serial number of each drive destroyed. Take photos. Store the evidence safely. In short, you need evidence of what was destroyed before destroying it.
Policy and Procedures: Write it down so it can be followed by whoever is responsible. Develop and document clear policies and procedures for media sanitization and destruction, specifying methods, responsibilities, and documentation requirements. This should be part of your System Security Plan (SSP).
Physical Protection
Even with robust digital security, you need to protect your physical environment.
PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
How: Apply stricter access controls to the network or server area. For organizations with minimal onsite equipment, this is usually the network closet. Secure this room with a key or door badge and limit access to a select few. Keeping it to one person isn’t wise either, so don’t go overboard. You need redundancy.
PE.1.132 – Escort Visitors and Monitor Visitor Activity
How: Escort visitors to the person they have an appointment with. Do not let people wander. Monitoring can be accomplished simply by ensuring the person stays in their designated area. If onsite cameras are available, that’s an additional layer of monitoring to take advantage of.
PE.1.133 – Maintain Audit Logs of Physical Access
How: One of the easiest ways to accomplish this is to have a sign-in sheet at the front desk. Any guest or visitor must sign in first before going anywhere on the premises. Don’t forget to create a process to store these somewhere for evidence.
PE.1.134 – Control and Manage Physical Access Devices
How: Keep an asset inventory of all company-owned systems. Regularly review the inventory to keep it updated. Within the inventory, track who has each asset throughout the asset lifecycle. Create a policy and procedure for returning assets to the individual(s) responsible for deploying and disposing of them. Include a section for handling lost and stolen assets, and track those incidents for evidence and review. Lastly, track physical keys and door fobs (policy/procedure) and assign a responsible party for key management.
System and Communications Protection
This section is about protecting how information moves and is stored within your organization.
SC.1.175 – Monitor, control, and protect organizational communications (i.e., Information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
How: Organizational communications include tools such as email and cloud document storage. Don’t try to remember this off the top of your head. Keeping an asset list of PCs and cloud software gives you a reference point for fulfilling “monitor, control, and protect.” Some tangibles are: Firewalls, Intrusion Detection/Intrusion Prevention Systems, Data Loss Prevention, Secure Communication Protocols, Email Security Gateways, Network Segmentation, Logging and Auditing, User Training and Awareness.
SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
How: This covers a broad spectrum of possibilities depending on the complexity of your business’s network setup. At one end, you may depend primarily on cloud software and have almost no systems on your office network except PCs and a couple of printers. In this scenario, you may not have much to change. For more complex setups, consider network design examples like a DMZ (Demilitarized zone for public-facing systems) or physically separate networks.
System and Information Integrity
This involves protecting the integrity and security of your systems and the information they contain.
SI.1.210 – Identify, Report and Correct Information and Information System Flaws in a Timely Manner
How: This one is challenging to meet on your own; however, it isn’t insurmountable. To identify flaws, you need to check for missing patches, poor configurations of systems, and missing controls, such as antivirus or a firewall being disabled. This also includes information integrity, so think about storing FCI data in a place that has strong audit logs to know who changes or deletes anything. Detecting and tracking incidents from AV systems, email security features, and firewall notifications are all necessary. Lastly, there also needs to be a correction component, which is taking action on each incident and cleaning up any problems that come from it. Make sure to write everything down in an incident tracking log.
SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems.
How: Employ antivirus software with real-time scanning and periodic scans. All systems in the scope of FCI should have this in place. The antivirus software should have the capability to update regularly.
SI.1.212 – Update Malicious Code Protection Mechanisms When New Releases are Available.
How: Set antivirus software and system security updates to be automatic. Have a way to check that those systems update regularly. Make sure there is a policy or procedure in place to enforce this activity.
SI.1.213 – Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened or executed.
How: Configure the antivirus software to run scheduled periodic scans and to immediately scan files arriving from other computer systems. Many antivirus programs have this ability, but confirm it before you buy. Gather screenshots of the configuration in these antivirus systems to prove the controls are in place. A centralized patch management and antivirus management system simplifies evidence capture and oversight of the systems.
For emphasis, don’t forget to put all this in your policy. Distribute it to your staff for compliance. If it is written down with expectations set, your ability to accomplish the physical security aspects of the CMMC requirements will increase exponentially!
July 2025
