Level 1 Assessment Guide: Difference between revisions
(12 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''Source of Reference: The official [https:// | '''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Documentation/ CMMC Level 1 Self-Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).''' | ||
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. | For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. | ||
Line 17: | Line 17: | ||
: [e] system access is limited to processes acting on behalf of authorized users; and | : [e] system access is limited to processes acting on behalf of authorized users; and | ||
: [f] system access is limited to authorized devices (including other systems). | : [f] system access is limited to authorized devices (including other systems). | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_AC.L1-3.1.1_Details|More Practice Details...]] | |[[Practice_AC.L1-3.1.1_Details|More Practice Details...]] | ||
Line 29: | Line 31: | ||
: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and | : [a] the types of transactions and functions that authorized users are permitted to execute are defined; and | ||
: [b] system access is limited to the defined types of transactions and functions for authorized users. | : [b] system access is limited to the defined types of transactions and functions for authorized users. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_AC.L1-3.1.2_Details|More Practice Details...]] | |[[Practice_AC.L1-3.1.2_Details|More Practice Details...]] | ||
Line 45: | Line 49: | ||
: [e] connections to external systems are controlled/limited; and | : [e] connections to external systems are controlled/limited; and | ||
: [f] the use of external systems is controlled/limited. | : [f] the use of external systems is controlled/limited. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1''' | |||
|- | |- | ||
|[[Practice_AC.L1-3.1.20_Details|More Practice Details...]] | |[[Practice_AC.L1-3.1.20_Details|More Practice Details...]] | ||
Line 60: | Line 66: | ||
: [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and | : [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and | ||
: [e] mechanisms are in place to remove and address improper posting of FCI. | : [e] mechanisms are in place to remove and address improper posting of FCI. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1''' | |||
|- | |- | ||
|[[Practice_AC.L1-3.1.22_Details|More Practice Details...]] | |[[Practice_AC.L1-3.1.22_Details|More Practice Details...]] | ||
Line 69: | Line 77: | ||
{|class="wikitable" | {|class="wikitable" | ||
|'''SECURITY REQUIREMENT''' | |'''SECURITY REQUIREMENT''' | ||
Identify information system users, processes acting on behalf of users, or devices.ASSESSMENT OBJECTIVES''' | Identify information system users, processes acting on behalf of users, or devices. | ||
|- | |||
|'''ASSESSMENT OBJECTIVES''' | |||
: [a] system users are identified; | : [a] system users are identified; | ||
: [b] processes acting on behalf of users are identified; and | : [b] processes acting on behalf of users are identified; and | ||
: [c] devices accessing the system are identified. | : [c] devices accessing the system are identified. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_IA.L1-3.5.1_Details|More Practice Details...]] | |[[Practice_IA.L1-3.5.1_Details|More Practice Details...]] | ||
Line 83: | Line 95: | ||
|- | |- | ||
|'''ASSESSMENT OBJECTIVES''' | |'''ASSESSMENT OBJECTIVES''' | ||
: [a] the identity of each user is authenticated or verified as a prerequisite to system access;[b] the identity of each process acting on behalf of a user is authenticated or verified as a | : [a] the identity of each user is authenticated or verified as a prerequisite to system access; | ||
prerequisite to system access; and | : [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and | ||
: [c] the identity of each device accessing or connecting to the system is authenticated or | : [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | ||
verified as a prerequisite to system access. | |- | ||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_IA.L1-3.5.2_Details|More Practice Details...]] | |[[Practice_IA.L1-3.5.2_Details|More Practice Details...]] | ||
Line 101: | Line 114: | ||
: [a] system media containing FCI is sanitized or destroyed before disposal; and | : [a] system media containing FCI is sanitized or destroyed before disposal; and | ||
: [b] system media containing FCI is sanitized before it is released for reuse. | : [b] system media containing FCI is sanitized before it is released for reuse. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_MP.L1-3.8.3_Details|More Practice Details...]] | |[[Practice_MP.L1-3.8.3_Details|More Practice Details...]] | ||
Line 116: | Line 131: | ||
: [b] physical access to organizational systems is limited to authorized individuals; | : [b] physical access to organizational systems is limited to authorized individuals; | ||
: [c] physical access to equipment is limited to authorized individuals; and | : [c] physical access to equipment is limited to authorized individuals; and | ||
: [d] physical access to operating environments is limited to authorized | : [d] physical access to operating environments is limited to authorized. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_PE.L1-3.10.1_Details|More Practice Details...]] | |[[Practice_PE.L1-3.10.1_Details|More Practice Details...]] | ||
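Review bot: Objective [d] in the new revision still ends at "limited to authorized." with its noun missing; the edit only appends a period to the truncated sentence. Objectives [b] and [c] directly above both end in "limited to authorized individuals", so [d] should read "physical access to operating environments is limited to authorized individuals."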
Line 129: | Line 146: | ||
: [a] visitors are escorted; and | : [a] visitors are escorted; and | ||
: [b] visitor activity is monitored. | : [b] visitor activity is monitored. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1''' | |||
|- | |- | ||
|[[Practice_PE.L1-3.10.3_Details|More Practice Details...]] | |[[Practice_PE.L1-3.10.3_Details|More Practice Details...]] | ||
Line 140: | Line 159: | ||
|'''ASSESSMENT OBJECTIVES''' | |'''ASSESSMENT OBJECTIVES''' | ||
: [a] audit logs of physical access are maintained. | : [a] audit logs of physical access are maintained. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1''' | |||
|- | |- | ||
|[[Practice_PE.L1-3.10.4_Details|More Practice Details...]] | |[[Practice_PE.L1-3.10.4_Details|More Practice Details...]] | ||
Line 153: | Line 174: | ||
: [b] physical access devices are controlled; and | : [b] physical access devices are controlled; and | ||
: [c] physical access devices are managed. | : [c] physical access devices are managed. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1''' | |||
|- | |- | ||
|[[Practice_PE.L1-3.10.5_Details|More Practice Details...]] | |[[Practice_PE.L1-3.10.5_Details|More Practice Details...]] | ||
Line 173: | Line 196: | ||
: [g] communications are protected at the external system boundary; and | : [g] communications are protected at the external system boundary; and | ||
: [h] communications are protected at key internal boundaries. | : [h] communications are protected at key internal boundaries. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_SC.L1-3.13.1_Details|More Practice Details...]] | |[[Practice_SC.L1-3.13.1_Details|More Practice Details...]] | ||
Line 184: | Line 209: | ||
|'''ASSESSMENT OBJECTIVES''' | |'''ASSESSMENT OBJECTIVES''' | ||
: [a] publicly accessible system components are identified; and | : [a] publicly accessible system components are identified; and | ||
: [b] subnetworks for publicly accessible system components are physically or logically | : [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. | ||
separated from internal networks. | |- | ||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_SC.L1-3.13.5_Details|More Practice Details...]] | |[[Practice_SC.L1-3.13.5_Details|More Practice Details...]] | ||
Line 195: | Line 221: | ||
{|class="wikitable" | {|class="wikitable" | ||
|'''SECURITY REQUIREMENT''' | |'''SECURITY REQUIREMENT''' | ||
Identify, report, and correct information and information system flaws in a timely manner.ASSESSMENT OBJECTIVES''' | Identify, report, and correct information and information system flaws in a timely manner. | ||
|- | |||
|ASSESSMENT OBJECTIVES''' | |||
: [a] the time within which to identify system flaws is specified; | : [a] the time within which to identify system flaws is specified; | ||
: [b] system flaws are identified within the specified time frame; | : [b] system flaws are identified within the specified time frame; | ||
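Review bot: The new header cell `|ASSESSMENT OBJECTIVES'''` carries a closing bold marker with no opening one, so the wiki markup is unbalanced and the header will not render like the others. Write it as `|'''ASSESSMENT OBJECTIVES'''`, the form the other practice tables on this page use.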
Line 202: | Line 230: | ||
: [e] the time within which to correct system flaws is specified; and | : [e] the time within which to correct system flaws is specified; and | ||
: [f] system flaws are corrected within the specified time frame. | : [f] system flaws are corrected within the specified time frame. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_SI.L1-3.14.1_Details|More Practice Details...]] | |[[Practice_SI.L1-3.14.1_Details|More Practice Details...]] | ||
Line 214: | Line 244: | ||
: [a] designated locations for malicious code protection are identified; and | : [a] designated locations for malicious code protection are identified; and | ||
: [b] protection from malicious code at designated locations is provided. | : [b] protection from malicious code at designated locations is provided. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_SI.L1-3.14.2_Details|More Practice Details...]] | |[[Practice_SI.L1-3.14.2_Details|More Practice Details...]] | ||
Line 221: | Line 253: | ||
{|class="wikitable" | {|class="wikitable" | ||
|'''SECURITY REQUIREMENT''' | |'''SECURITY REQUIREMENT''' | ||
Update malicious code protection mechanisms when new releases are available.ASSESSMENT OBJECTIVES''' | Update malicious code protection mechanisms when new releases are available. | ||
|- | |||
|ASSESSMENT OBJECTIVES''' | |||
: [a] malicious code protection mechanisms are updated when new releases are available. | : [a] malicious code protection mechanisms are updated when new releases are available. | ||
|- | |||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5''' | |||
|- | |- | ||
|[[Practice_SI.L1-3.14.4_Details|More Practice Details...]] | |[[Practice_SI.L1-3.14.4_Details|More Practice Details...]] | ||
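Review bot: In the split-out header row for this table, `|ASSESSMENT OBJECTIVES'''` is missing the leading `'''`. The old line had the same stray closing marker fused onto the requirement text; moving it to its own row is right, but the opening marker needs to be added so the cell reads `|'''ASSESSMENT OBJECTIVES'''`.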
Line 235: | Line 271: | ||
: [a] the frequency for malicious code scans is defined; | : [a] the frequency for malicious code scans is defined; | ||
: [b] malicious code scans are performed with the defined frequency; and | : [b] malicious code scans are performed with the defined frequency; and | ||
: [c] real-time malicious code scans of files from external sources as files are downloaded, | : [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. | ||
opened, or executed are performed. | |- | ||
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3''' | |||
|- | |- | ||
|[[Practice_SI.L1-3.14.5_Details|More Practice Details...]] | |[[Practice_SI.L1-3.14.5_Details|More Practice Details...]] | ||
|} | |} |
Latest revision as of 23:34, 30 November 2022
Source of Reference: The official CMMC Level 1 Self-Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Access Control (AC)
Level 1 AC Practices
AC.L1-3.1.1 - AUTHORIZED ACCESS CONTROL
SECURITY REQUIREMENT
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL
SECURITY REQUIREMENT
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
AC.L1-3.1.20 - EXTERNAL CONNECTIONS
SECURITY REQUIREMENT
Verify and control/limit connections to and use of external information systems.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 1
More Practice Details...
AC.L1-3.1.22 - CONTROL PUBLIC INFORMATION
SECURITY REQUIREMENT
Control information posted or processed on publicly accessible information systems.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 1
More Practice Details...
Identification and Authentication (IA)
Level 1 IA Practices
IA.L1-3.5.1 – IDENTIFICATION
SECURITY REQUIREMENT
Identify information system users, processes acting on behalf of users, or devices.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
IA.L1-3.5.2 – AUTHENTICATION
SECURITY REQUIREMENT
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
Media Protection (MP)
Level 1 MP Practices
MP.L1-3.8.3 – MEDIA DISPOSAL
SECURITY REQUIREMENT
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
Physical Protection (PE)
Level 1 PE Practices
PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS
SECURITY REQUIREMENT
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
PE.L1-3.10.3 – ESCORT VISITORS
SECURITY REQUIREMENT
Escort visitors and monitor visitor activity.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 1
More Practice Details...
PE.L1-3.10.4 – PHYSICAL ACCESS LOGS
SECURITY REQUIREMENT
Maintain audit logs of physical access.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 1
More Practice Details...
PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS
SECURITY REQUIREMENT
Control and manage physical access devices.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 1
More Practice Details...
System and Communications Protection (SC)
Level 1 SC Practices
SC.L1-3.13.1 – BOUNDARY PROTECTION
SECURITY REQUIREMENT
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION
SECURITY REQUIREMENT
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
System and Information Integrity (SI)
Level 1 SI Practices
SI.L1-3.14.1 – FLAW REMEDIATION
SECURITY REQUIREMENT
Identify, report, and correct information and information system flaws in a timely manner.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
SI.L1-3.14.2 – MALICIOUS CODE PROTECTION
SECURITY REQUIREMENT
Provide protection from malicious code at appropriate locations within organizational information systems.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION
SECURITY REQUIREMENT
Update malicious code protection mechanisms when new releases are available.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 5
More Practice Details...
SI.L1-3.14.5 – SYSTEM & FILE SCANNING
SECURITY REQUIREMENT
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
ASSESSMENT OBJECTIVES
DoD Assessment Scoring Value: 3
More Practice Details...