Level 1 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki
No edit summary
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 1 Self-Assessment Guide] from the Office of the Under Secretary of Defense for Acquisition & Sustainment.'''
'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Documentation/ CMMC Level 1 Self-Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
Line 17: Line 17:
: [e] system access is limited to processes acting on behalf of authorized users; and
: [e] system access is limited to processes acting on behalf of authorized users; and
: [f] system access is limited to authorized devices (including other systems).
: [f] system access is limited to authorized devices (including other systems).
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L1-3.1.1_Details|More Practice Details...]]
|[[Practice_AC.L1-3.1.1_Details|More Practice Details...]]
Line 29: Line 31:
: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
: [b] system access is limited to the defined types of transactions and functions for authorized users.
: [b] system access is limited to the defined types of transactions and functions for authorized users.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L1-3.1.2_Details|More Practice Details...]]
|[[Practice_AC.L1-3.1.2_Details|More Practice Details...]]
Line 45: Line 49:
: [e] connections to external systems are controlled/limited; and
: [e] connections to external systems are controlled/limited; and
: [f]  the use of external systems is controlled/limited.
: [f]  the use of external systems is controlled/limited.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L1-3.1.20_Details|More Practice Details...]]
|[[Practice_AC.L1-3.1.20_Details|More Practice Details...]]
Line 60: Line 66:
: [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
: [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
: [e] mechanisms are in place to remove and address improper posting of FCI.
: [e] mechanisms are in place to remove and address improper posting of FCI.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L1-3.1.22_Details|More Practice Details...]]
|[[Practice_AC.L1-3.1.22_Details|More Practice Details...]]
Line 69: Line 77:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Identify information system users, processes acting on behalf of users, or devices.ASSESSMENT OBJECTIVES'''
Identify information system users, processes acting on behalf of users, or devices.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] system users are identified;
: [a] system users are identified;
: [b] processes acting on behalf of users are identified; and  
: [b] processes acting on behalf of users are identified; and  
: [c] devices accessing the system are identified.
: [c] devices accessing the system are identified.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_IA.L1-3.5.1_Details|More Practice Details...]]
|[[Practice_IA.L1-3.5.1_Details|More Practice Details...]]
Line 86: Line 98:
: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_IA.L1-3.5.2_Details|More Practice Details...]]
|[[Practice_IA.L1-3.5.2_Details|More Practice Details...]]
Line 100: Line 114:
: [a] system media containing FCI is sanitized or destroyed before disposal; and  
: [a] system media containing FCI is sanitized or destroyed before disposal; and  
: [b] system media containing FCI is sanitized before it is released for reuse.
: [b] system media containing FCI is sanitized before it is released for reuse.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_MP.L1-3.8.3_Details|More Practice Details...]]
|[[Practice_MP.L1-3.8.3_Details|More Practice Details...]]
Line 116: Line 132:
: [c] physical access to equipment is limited to authorized individuals; and  
: [c] physical access to equipment is limited to authorized individuals; and  
: [d] physical access to operating environments is limited to authorized.
: [d] physical access to operating environments is limited to authorized.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_PE.L1-3.10.1_Details|More Practice Details...]]
|[[Practice_PE.L1-3.10.1_Details|More Practice Details...]]
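Review bot: objective [d] in the unchanged context of this hunk, ": [d] physical access to operating environments is limited to authorized.", is cut off; objectives [b] and [c] in the same list end with "authorized individuals", so this line should end "is limited to authorized individuals." The truncation is present in both the old and the new revision, so the hunk that adds the scoring row leaves it in place.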
Line 128: Line 146:
: [a] visitors are escorted; and  
: [a] visitors are escorted; and  
: [b] visitor activity is monitored.
: [b] visitor activity is monitored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_PE.L1-3.10.3_Details|More Practice Details...]]
|[[Practice_PE.L1-3.10.3_Details|More Practice Details...]]
Line 139: Line 159:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] audit logs of physical access are maintained.
: [a] audit logs of physical access are maintained.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_PE.L1-3.10.4_Details|More Practice Details...]]
|[[Practice_PE.L1-3.10.4_Details|More Practice Details...]]
Line 152: Line 174:
: [b] physical access devices are controlled; and  
: [b] physical access devices are controlled; and  
: [c] physical access devices are managed.
: [c] physical access devices are managed.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_PE.L1-3.10.5_Details|More Practice Details...]]
|[[Practice_PE.L1-3.10.5_Details|More Practice Details...]]
Line 172: Line 196:
: [g] communications are protected at the external system boundary; and  
: [g] communications are protected at the external system boundary; and  
: [h] communications are protected at key internal boundaries.
: [h] communications are protected at key internal boundaries.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SC.L1-3.13.1_Details|More Practice Details...]]
|[[Practice_SC.L1-3.13.1_Details|More Practice Details...]]
Line 183: Line 209:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] publicly accessible system components are identified; and  
: [a] publicly accessible system components are identified; and  
: [b] subnetworks for publicly accessible system components are physically or logically  
: [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
separated from internal networks.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SC.L1-3.13.5_Details|More Practice Details...]]
|[[Practice_SC.L1-3.13.5_Details|More Practice Details...]]
Line 194: Line 221:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Identify, report, and correct information and information system flaws in a timely manner.ASSESSMENT OBJECTIVES'''
Identify, report, and correct information and information system flaws in a timely manner.
|-
|ASSESSMENT OBJECTIVES'''
: [a] the time within which to identify system flaws is specified;
: [a] the time within which to identify system flaws is specified;
: [b] system flaws are identified within the specified time frame;
: [b] system flaws are identified within the specified time frame;
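Review bot: the new cell "|ASSESSMENT OBJECTIVES'''" closes bold markup it never opened, so the header will render with stray quotes instead of in bold; the equivalent fix for IA.L1-3.5.1 earlier in this diff uses "|'''ASSESSMENT OBJECTIVES'''", and this cell should match it.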
Line 201: Line 230:
: [e] the time within which to correct system flaws is specified; and  
: [e] the time within which to correct system flaws is specified; and  
: [f] system flaws are corrected within the specified time frame.
: [f] system flaws are corrected within the specified time frame.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SI.L1-3.14.1_Details|More Practice Details...]]
|[[Practice_SI.L1-3.14.1_Details|More Practice Details...]]
Line 213: Line 244:
: [a] designated locations for malicious code protection are identified; and  
: [a] designated locations for malicious code protection are identified; and  
: [b] protection from malicious code at designated locations is provided.
: [b] protection from malicious code at designated locations is provided.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SI.L1-3.14.2_Details|More Practice Details...]]
|[[Practice_SI.L1-3.14.2_Details|More Practice Details...]]
Line 220: Line 253:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Update malicious code protection mechanisms when new releases are available.ASSESSMENT OBJECTIVES'''
Update malicious code protection mechanisms when new releases are available.
|-
|ASSESSMENT OBJECTIVES'''
: [a] malicious code protection mechanisms are updated when new releases are available.
: [a] malicious code protection mechanisms are updated when new releases are available.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SI.L1-3.14.4_Details|More Practice Details...]]
|[[Practice_SI.L1-3.14.4_Details|More Practice Details...]]
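Review bot: same unbalanced markup as in SI.L1-3.14.1: "|ASSESSMENT OBJECTIVES'''" is missing the opening ''' and should be "|'''ASSESSMENT OBJECTIVES'''" so the SI tables render their objectives header in bold like the AC, IA, MP, PE and SC tables.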
Line 234: Line 271:
: [a] the frequency for malicious code scans is defined;
: [a] the frequency for malicious code scans is defined;
: [b] malicious code scans are performed with the defined frequency; and  
: [b] malicious code scans are performed with the defined frequency; and  
: [c] real-time malicious code scans of files from external sources as files are downloaded,  
: [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
opened, or executed are performed.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_SI.L1-3.14.5_Details|More Practice Details...]]
|[[Practice_SI.L1-3.14.5_Details|More Practice Details...]]
|}
|}

Latest revision as of 23:34, 30 November 2022

Source of Reference: The official CMMC Level 1 Self-Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 – AUTHORIZED ACCESS CONTROL

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L1-3.1.2 – TRANSACTION & FUNCTION CONTROL

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L1-3.1.20 – EXTERNAL CONNECTIONS

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L1-3.1.22 – CONTROL PUBLIC INFORMATION

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.
DoD Assessment Scoring Value: 1
More Practice Details...

Identification and Authentication (IA)

Level 1 IA Practices

IA.L1-3.5.1 – IDENTIFICATION

SECURITY REQUIREMENT

Identify information system users, processes acting on behalf of users, or devices.

ASSESSMENT OBJECTIVES
[a] system users are identified;
[b] processes acting on behalf of users are identified; and
[c] devices accessing the system are identified.
DoD Assessment Scoring Value: 5
More Practice Details...

IA.L1-3.5.2 – AUTHENTICATION

SECURITY REQUIREMENT

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

ASSESSMENT OBJECTIVES
[a] the identity of each user is authenticated or verified as a prerequisite to system access;
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
DoD Assessment Scoring Value: 5
More Practice Details...

Media Protection (MP)

Level 1 MP Practices

MP.L1-3.8.3 – MEDIA DISPOSAL

SECURITY REQUIREMENT

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

ASSESSMENT OBJECTIVES
[a] system media containing FCI is sanitized or destroyed before disposal; and
[b] system media containing FCI is sanitized before it is released for reuse.
DoD Assessment Scoring Value: 5
More Practice Details...

Physical Protection (PE)

Level 1 PE Practices

PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS

SECURITY REQUIREMENT

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

ASSESSMENT OBJECTIVES
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.
DoD Assessment Scoring Value: 5
More Practice Details...

PE.L1-3.10.3 – ESCORT VISITORS

SECURITY REQUIREMENT

Escort visitors and monitor visitor activity.

ASSESSMENT OBJECTIVES
[a] visitors are escorted; and
[b] visitor activity is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

PE.L1-3.10.4 – PHYSICAL ACCESS LOGS

SECURITY REQUIREMENT

Maintain audit logs of physical access.

ASSESSMENT OBJECTIVES
[a] audit logs of physical access are maintained.
DoD Assessment Scoring Value: 1
More Practice Details...

PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS

SECURITY REQUIREMENT

Control and manage physical access devices.

ASSESSMENT OBJECTIVES
[a] physical access devices are identified;
[b] physical access devices are controlled; and
[c] physical access devices are managed.
DoD Assessment Scoring Value: 1
More Practice Details...

System and Communications Protection (SC)

Level 1 SC Practices

SC.L1-3.13.1 – BOUNDARY PROTECTION

SECURITY REQUIREMENT

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

ASSESSMENT OBJECTIVES
[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION

SECURITY REQUIREMENT

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

ASSESSMENT OBJECTIVES
[a] publicly accessible system components are identified; and
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
DoD Assessment Scoring Value: 5
More Practice Details...

System and Information Integrity (SI)

Level 1 SI Practices

SI.L1-3.14.1 – FLAW REMEDIATION

SECURITY REQUIREMENT

Identify, report, and correct information and information system flaws in a timely manner.

ASSESSMENT OBJECTIVES
[a] the time within which to identify system flaws is specified;
[b] system flaws are identified within the specified time frame;
[c] the time within which to report system flaws is specified;
[d] system flaws are reported within the specified time frame;
[e] the time within which to correct system flaws is specified; and
[f] system flaws are corrected within the specified time frame.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L1-3.14.2 – MALICIOUS CODE PROTECTION

SECURITY REQUIREMENT

Provide protection from malicious code at appropriate locations within organizational information systems.

ASSESSMENT OBJECTIVES
[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION

SECURITY REQUIREMENT

Update malicious code protection mechanisms when new releases are available.

ASSESSMENT OBJECTIVES
[a] malicious code protection mechanisms are updated when new releases are available.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L1-3.14.5 – SYSTEM & FILE SCANNING

SECURITY REQUIREMENT

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

ASSESSMENT OBJECTIVES
[a] the frequency for malicious code scans is defined;
[b] malicious code scans are performed with the defined frequency; and
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
DoD Assessment Scoring Value: 3
More Practice Details...