Revision as of 00:09, 17 March 2025

Source of Reference: The official CMMC Level 1 Self-Assessment Guide Version 2.13, September 2024 from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Version – 2.13 | September 2024

DoD-CIO-00002 (ZRIN 0790-ZA18)

CMMC Assessment Guide

Level 1

24-T-2764

CMMC Assessment Guide – Level 1 | Version 2.13

ii

NOTICES

The contents of this document do not have the force and effect of law and are not meant to

bind the public in any way. This document is intended only to provide clarity to the public

regarding existing requirements under the law or departmental policies.

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

CMMC Assessment Guide – Level 1 | Version 2.13

iii

TABLE OF CONTENTS

Introduction ............................................................................................................................................. 1

Assessment and Compliance .............................................................................................................. 2

Assessment Scope................................................................................................................................................. 2

CMMC-Custom Terms ............................................................................................................................ 3

Assessment Criteria and Methodology ........................................................................................... 5

Requirement Descriptions ............................................................................................................... 10

Introduction .......................................................................................................................................................... 10

Access Control (AC) ............................................................................................................................ 12

Identification and Authentication (IA) ........................................................................................ 22

IA.L1-b.1.v – Identification [FCI Data] .................................................................................................................. 22
IA.L1-b.1.vi – Authentication [FCI Data] ............................................................................................................. 24

Media Protection (MP) ...................................................................................................................... 27

MP.L1-b.1.vii – Media Disposal [FCI Data] ......................................................................................................... 27

Physical Protection (PE) ................................................................................................................... 29

PE.L1-b.1.viii – Limit Physical Access [FCI Data] ............................................................................................. 29
PE.L1-b.1.ix – Manage Visitors & Physical Access [FCI Data] ..................................................................... 31

System and Communications Protection (SC) ........................................................................... 34

SC.L1-b.1.x – Boundary Protection [FCI Data] .................................................................................................. 34
SC.L1-b.1.xi – Public-Access System Separation [FCI Data] ........................................................................ 37

System and Information Integrity (SI) ......................................................................................... 39

SI.L1-b.1.xii – Flaw Remediation [FCI Data] ...................................................................................................... 39
SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data] ................................................................................... 42

CMMC Assessment Guide – Level 1 | Version 2.13

iv

SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data] ..................................................................... 45
SI.L1-b.1.xv – System & File Scanning [FCI Data] ............................................................................................ 47

Appendix A – Acronyms and Abbreviations .............................................................................. 49

Introduction

CMMC Assessment Guide – Level 1 | Version 2.13

1

Introduction
This document provides guidance in the preparation for and execution of a Level 1 self-

assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set

forth in section 170.15 of title 32, Code of Federal Regulations (CFR). Guidance for

conducting a Level 2 self-assessment or certification assessment can be found in CMMC

Assessment Guide – Level 2. Guidance for conducting a Level 3 certification assessment can

be found in CMMC Assessment Guide – Level 3. More details on the CMMC Model can be found

in CMMC Model Overview.
Level 1 focuses on the protection of Federal Contract Information (FCI), which is defined in

32 CFR § 170.4 and 48 CFR § 4.1901:

Federal contract information means information, not intended for public

release, that is provided by or generated for the Government under a contract to

develop or deliver a product or service to the Government, but not including

information provided by the Government to the public (such as on public

websites) or simple transactional information, such as necessary to process

payments.

Level 1 is comprised of the 15 basic safeguarding requirements specified in Federal

Acquisition Regulation (FAR) Clause 52.204-21.
Purpose and Audience
This guide is intended for Organizations Seeking Assessment (OSAs), cybersecurity

professionals, and individuals and companies that support CMMC efforts. This document can

be used as part of preparation for and conducting a Level 1 self-assessment.
Document Organization
This document is organized into the following sections:
•

 Assessment and Compliance:  provides an overview of the Level 1 self-assessment

process set forth in 32 CFR § 170.15, describes ways of documenting compliance, and

provides guidance regarding OSA size and the self-assessment scope requirements set

forth in 32 CFR § 170.19.

•

 CMMC-Custom Terms: incorporates definitions from 32 CFR § 170.4 and definitions

included by reference from 32 CFR § 170.2, and provides clarification of the intent and

scope of custom terms as used in the context of CMMC.

•

 Assessment Criteria and  Methodology:  provides guidance on criteria and

methodology (i.e., interview, examine, and test) that may be employed during a Level 1

self-assessment, as well as on assessment findings.

•

 Requirement  Descriptions:  provides  guidance  specific  to  each  Level  1  security

requirement.

Assessment and Compliance

CMMC Assessment Guide – Level 1 | Version 2.13

2

Assessment and Compliance
Level 1 self-assessment requirements are set forth in 32 CFR § 170.15. The OSA will assess

its own contractor information system(s) to determine if it meet all the basic safeguarding

requirements for FCI specified in FAR Clause 52.204-21. OSAs should use the self-assessment

methods as described in 32 CFR § 170.15.
Level 1 requirements may apply to an entire enterprise infrastructure or to a particular

enclave(s), depending upon where the FCI will be processed, stored, or transmitted.
OSAs can choose to perform the annual self-assessment internally or engage a third party to

assist. Use of a third party to assist is still considered a self-assessment and does not result

in a certification. The primary result of a self-assessment is the submission of Level 1

compliance results into the Supplier Performance Risk System (SPRS) and a self-assessment

report, which contains the findings associated with the self- assessment.

Assessment Scope

Prior to conducting a Level 1 self-assessment, the OSA must specify the CMMC Assessment

Scope as defined in 32 CFR § 170.19(a). The CMMC Assessment Scope identifies which assets

within the OSA’s environment will be assessed and the details of the self-assessment. In

accordance with §170.19, for a Level 1 self-assessment, the assets that process, store, or

transmit FCI are considered in-scope and should be assessed against the Level 1

requirements. See the CMMC Scoping Guide – Level 1 document for additional information.

CMMC-Custom Terms

CMMC Assessment Guide – Level 1 | Version 2.13

3

CMMC-Custom Terms
The CMMC Program has custom terms that align with program requirements. Although some

terms may have other definitions in open forums, it is important to understand these terms

as they apply to the CMMC Program.
The custom terms associated with Level 1 are:
•

 Assessment: As defined in 32 CFR § 170.4 means the testing or evaluation of security

controls to determine the extent to which the controls are implemented correctly,

operating as intended, and producing the desired outcome with respect to meeting the

security requirements for an information system or organization, as defined in 32 CFR §

170.15 to 32 CFR § 170.18.

o Level 1 self-assessment is the term for the activity performed by an OSA to

evaluate its own information system, when seeking a CMMC Status of Final Level

1 (Self).

•

 Assessment Objective: A set of determination statements that, taken together,

expresses the desired outcome for the assessment of a security requirement. Successful

implementation of the corresponding CMMC security requirement requires meeting all

applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.

•

 Asset: An item of value to stakeholders. An asset may be tangible (e.g., a physical item

such as hardware, firmware, computing platform, network device, or other technology

component) or intangible (e.g., humans, data, information, software, capability, function,

service, trademark, copyright, patent, intellectual property, image, or reputation). The

value of an asset is determined by stakeholders in consideration of loss concerns across

the entire system life cycle. Such concerns include but are not limited to business or

mission concerns, as defined in NIST SP 800-160 Rev 1.

•

 CMMC Status: As defined in 32 CFR § 170.4 is the result of meeting or exceeding the

minimum required score for the corresponding assessment. The CMMC Status of an OSA

information system is officially stored in SPRS and additionally presented on a Certificate

of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.

o Final Level 1 (Self) is defined in § 170.15(c)(1). To achieve a CMMC Status of Final

Level 1 (Self) the OSA must conduct a Level 1 self-assessment scored in

accordance with the CMMC Scoring Methodology described in § 170.24. The Level

1 self-assessment must be performed in accordance with the Level 1 scope

requirements set forth in § 170.19(a) and (b). In instances where an objective

addresses CUI, the term FCI should be substituted for CUI.

•

 Component:  A discrete identifiable information technology asset  that represents a

building block of a system and may include hardware, software, and firmware1. A

component is one type of asset.

1

NIST SP 800-171 Rev 2, p 59 under system component

CMMC-Custom Terms

CMMC Assessment Guide – Level 1 | Version 2.13

4

•

 Enduring Exception: A special circumstance or system where remediation and full

compliance with CMMC security requirements is not feasible. Examples include systems

required to replicate the configuration of ‘fielded’ systems, medical devices, test

equipment, OT, and IoT. No operational plan of action is required but the circumstance

must be documented within a system security plan. Specialized Assets and GFE may be

Enduring Exceptions.

•

 Information System  (IS):  A discrete set of information resources organized for the

collection, processing, maintenance, use, sharing, dissemination, or disposition of

information [NIST 800-171 Rev. 2]. An IS is one type of asset.

•

 Monitoring:  Continual checking, supervising, critically observing, or determining the

status in order to identify change from the performance level required or expected [NIST

SP 800-160 Vol 1].

•

 Operational plan of action: As used in security requirement CA.L2-3.12.2, means the

formal artifact which identifies temporary vulnerabilities and temporary deficiencies in

implementation of requirements and documents how and when they will be mitigated,

corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet,

database) and specific content of its operational plan of action. An operational plan of

action is not the same as a POA&M associated with an assessment.

•

 Organization-Defined: As determined by the OSA being assessed except as defined in

the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or

rate at which something occurs within a given time period, or it could be associated with

describing the configuration of an OSA’s solution.

•

 Temporary deficiency: As defined in 32 CFR § 170.4 means a condition where

remediation of a discovered deficiency is feasible and a known fix is available or is in

process. The deficiency must be documented in an operational plan of action. A

temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC

security requirement but arises after implementation. A temporary deficiency may

apply during the initial implementation of a security requirement if, during roll-out,

specific issues with a very limited subset of equipment is discovered that must be

separately addressed. There is no standard duration for which a temporary deficiency

may be active. For example, FIPS-validated cryptography that requires a patch and the

patched version is no longer the validated version may be a temporary deficiency.

Assessment Criteria and Methodology

CMMC Assessment Guide – Level 1 | Version 2.13

5

Assessment Criteria and Methodology
This CMMC Assessment Guide – Level 1 provides guidance regarding the assessment

procedures required by 32 CFR § 170.15, which requires the Level 1 self-assessment to be

performed using the objectives defined in NIST Special Publication (SP) 800-171A2. NIST SP

800-171A Section 2.1 says the following:

An assessment procedure consists of an assessment objective and a set of

potential assessment methods and assessment objects that can be used to

conduct the assessment. Each assessment objective includes a determination

statement related to the requirement that is the subject of the assessment. The

determination statements are linked to the content of the requirement to ensure

traceability of the assessment results to the requirements. The application of an

assessment procedure to a requirement produces assessment findings. These

findings reflect, or are subsequently used, to help determine if the requirement

has been satisfied.
Assessment objects identify the specific items being assessed and can include

specifications, mechanisms, activities, and individuals.

•

 Specifications are the document-based artifacts (e.g., policies,

procedures, security plans, security requirements, functional

specifications, and architectural designs) associated with a system.

•

 Mechanisms are the specific hardware, software, or firmware safeguards

employed within a system.

•

 Activities are the protection-related actions supporting a system that

involve people (e.g., conducting system backup operations, exercising a

contingency plan, and monitoring network traffic).

•

 Individuals, or groups of individuals, are people applying the

specifications, mechanisms, or activities described above.

The assessment methods define the nature and the extent of the assessor’s

actions. The methods include examine, interview, and test.

•

 The examine method is the process of reviewing, inspecting, observing,

studying, or analyzing assessment objects (i.e., specifications,

mechanisms, activities). The purpose of the examine method is to

facilitate understanding, achieve clarification, or obtain evidence.

•

 The  interview  method is the process of holding discussions with

individuals or groups of individuals to facilitate understanding, achieve

clarification, or obtain evidence.

2

NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018 (italics

and bulleted list formatting altered)

Assessment Criteria and Methodology

CMMC Assessment Guide – Level 1 | Version 2.13

6

•

 And finally, the test method is the process of exercising assessment objects

(i.e., activities, mechanisms) under specified conditions to compare actual

with expected behavior.

In all three assessment methods, the results are used in making specific

determinations called for in the determination statements and thereby

achieving the objectives for the assessment procedure.

The guidance specified in NIST SP 800-171A focuses on Controlled Unclassified Information

(CUI). Since Level 1 focuses on safeguarding FCI, the applicable self-assessment objectives

for Level 1 are modified to address FCI rather than CUI as set forth in 32 CFR §

170.15(c)(1)(i). Where CUI is noted in a NIST SP 800-171A assessment objective, [FCI] has

been substituted in the Level 1 objective description. Level 1 security requirement

descriptions align with FAR Clause 52.204-21.

Criteria

Assessment objectives are provided for each Level 1 requirement and are based on existing

criteria in NIST SP 800-171A modified for FCI rather than CUI as set forth in 32 CFR §

170.15(c)(1)(i). The criteria are authoritative and provide the basis for the self-assessment

of a requirement.

Methodology

To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist

demonstrating that the OSA has fulfilled the objectives of the Level 1 requirements. Because

different self-assessment objectives can be met in different ways (e.g., through

documentation, computer configuration, network configuration, or training), a variety of

techniques may be used to determine if the OSA meets the Level 1 requirements, including

any of the three assessment methods from NIST SP 800-171A.
Follow the guidance in NIST SP 800-171A when determining which assessment methods to

use:

Organizations [OSAs] are not expected to employ all assessment methods and

objects contained within the assessment procedures identified in this

publication. Rather, organizations have the flexibility to determine the level of

effort needed and the assurance required for an assessment (e.g., which

assessment methods and assessment objects are deemed to be the most useful in

obtaining the desired results). This determination is made based on how the

organization can accomplish the assessment objectives in the most cost-effective

manner and with sufficient confidence to support the determination that the

[FCI] requirements have been satisfied.

For more detailed information on assessment methods, see NIST SP 800-171A Appendix D.

Assessment Criteria and Methodology

CMMC Assessment Guide – Level 1 | Version 2.13

7

Who Is Interviewed

Interviews of applicable staff (possibly at different organizational levels) may provide

information to help an entity determine if Level 1 security requirements have been

implemented, as well as if adequate resourcing, training, and planning have occurred for

individuals to implement the security requirements.

What Is Examined

Examination includes reviewing, inspecting, observing, studying, or analyzing assessment

objects. The objects can be documents, mechanisms, or activities.
For some security requirements, review of documentation may assist an entity in

determining if the assessment objectives have been met. Interviews with staff may help

identify relevant documents. As set forth in 32 CFR § 170.24, documents need to be in their

final forms; drafts of policies or documentation are not eligible to be used as evidence

because they are not yet official and still subject to change. Common types of documents that

may be used as evidence include:
•

 policy, process, and procedure documents;

•

 training materials;

•

 plans and planning documents; and

•

 system, network, and data flow diagrams.

This list of documents is not exhaustive or prescriptive. An OSA may not have these specific

documents, and other documents may be reviewed.
In other cases, the security requirement is best self-assessed by observing that safeguards

are in place by viewing hardware, associated configuration information, or observing staff

following a process.

What Is Tested

Testing is an important part of the self-assessment process. Interviews provide information

about what the OSA staff believe to be true, documentation provides evidence of

implementing policies and procedures, and testing demonstrates what has or has not been

done. For example, OSA staff may talk about how users are identified, documentation may

provide details on how users are identified, but seeing a demonstration of identifying users

provides evidence that the requirement is met. Not all security requirements utilize testing

to allow an entity to determine if whether the assessment objective has been met.

Assessment Criteria and Methodology

CMMC Assessment Guide – Level 1 | Version 2.13

8

Assessment Findings

The self-assessment of a CMMC requirement results in one of three possible findings: MET,

NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To demonstrate Level 1

compliance, the OSA will need a finding of MET or NOT APPLICABLE on all Level 1 security

requirements.
•

 MET:  All applicable objectives  for the  security requirement are  satisfied  based on

evidence. All evidence must be in final form and not draft. Unacceptable forms of

evidence include working papers, drafts, and unofficial or unapproved policies. For each

security requirement marked MET, it is best practice to record statements that indicate

the response conforms to all objectives and document the appropriate evidence to

support the response.

o Enduring Exceptions when described, along with any mitigations, in the system

security plan shall be assessed as MET.

o Temporary deficiencies that are appropriately addressed in operational plans of

action (i.e., include deficiency reviews, milestones, and show progress towards

the implementation of corrections to reduce or eliminate identified

vulnerabilities) shall be assessed as MET.

•

 NOT MET: One or more objectives of the security requirement is not satisfied. For each

security requirement marked NOT MET, it is best practice to record statements that

explain why and document the appropriate evidence showing that the OSA does not

conform fully to all of the objectives.

•

 NOT APPLICABLE (N/A): A security requirement and/or objective do not apply at the

time of the assessment. For each security requirement marked N/A, it is best practice to

record a statement that explains why the requirement does not apply to the OSA. For

example, SC.L1-b.1.xi might be N/A if there are no publicly accessible systems within the

CMMC Assessment Scope. During an assessment, an assessment objective assessed as

N/A is equivalent to the same assessment objective being assessed as MET.
Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT

APPLICABLE in order for the overall security requirement to be scored as MET. Assessors

exercise judgment in determining when sufficient and adequate evidence has been

presented to make an assessment finding.
CMMC assessments are conducted and results are captured at the assessment objective

level. One NOT MET Assessment Objective results in a failure of the entire security

requirement.
A security requirement can be applicable even when assessment objectives included in

the security requirement are scored N/A. The security requirement is NOT MET when

one or more applicable assessment objectives is NOT MET.
Satisfaction of security requirements may be accomplished by other parts of the

enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security

requirement is considered MET if adequate evidence is provided that the enterprise or

Assessment Criteria and Methodology

CMMC Assessment Guide – Level 1 | Version 2.13

9

ESP implements the requirement objectives. An ESP may be external people, technology,

or facilities that the OSA uses, including cloud service providers, managed service

providers, managed security service providers, or cybersecurity-as-a-service providers.

Requirement Descriptions

CMMC Assessment Guide – Level 1 | Version 2.13

10

Requirement Descriptions
Introduction
This section provides detailed information and guidance for assessing each Level 1 security

requirement. The section is organized first by domain and then by individual security

requirement. Each security requirement description contains the following elements as

described in 32 CFR § 170.14(c):
•

 Requirement  Number, Name, and Statement: Headed by the requirement

identification number in the format, DD.L#-REQ (e.g., AC.L1-b.1.i); followed by the

requirement short name identifier, meant to be used for quick reference only; and finally

followed by the complete CMMC security requirement statement.

•

 Assessment Objectives [NIST SP 800-171A]: Identifies the specific set of objectives that

must be met to receive MET for the requirement as defined in NIST SP 800-171A.

•

 Potential Assessment Methods and Objects [NIST SP 800-171A]: Describes the nature

and the extent of the self-assessment actions as set forth in NIST SP 800-171A. The

methods include examine, interview, and test. Self-assessment objects identify the items

being assessed and can include specifications, mechanisms, activities, and individuals.

•

 Discussion [NIST SP 800-171 Rev. 2]: Contains discussion from the associated NIST SP

800-171 security requirement. Level 1 aligns with FAR Clause 52.204-21, which focuses

on FCI, and the NIST text has been modified, as set forth in 32 CFR § 170.15(c)(1), to

reflect this.

•

 Further Discussion:

o Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional

guidance.

o Contains examples illustrating application of the requirements. These examples are

intended to provide insight but are not intended to be prescriptive of how the

requirement must be implemented, nor are they comprehensive of all assessment

objectives necessary to achieve the requirement. The assessment objectives met

within the example are referenced by letter in a bracket (e.g., [a,d] for objectives “a”

and “d”) within the text.

o Examples are written from the perspective of an organization or an employee of

an organization implementing solutions or researching approaches to satisfy

CMMC requirements. The objective is to put the reader into the role of

implementing or maintaining alternatives to satisfy security requirements.

Examples are not all-inclusive or prescriptive and do not imply any personal

responsibility for complying with CMMC requirements.

o Provides potential assessment considerations. These may include common

considerations for assessing the requirement and potential questions that may be

asked when assessing the objectives.

Requirement Descriptions

CMMC Assessment Guide – Level 1 | Version 2.13

11

•

 Key References: Lists  the  identical  basic safeguarding requirement from FAR clause

52.204-21 and the pertinent security requirement from NIST SP 800-171 Rev. 2.

AC.L1-b.1.i – Authorized Access Control [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

12

Access Control (AC)
AC.L1-B.1.I – AUTHORIZED ACCESS CONTROL [FCI DATA]

Limit information system access to authorized users, processes acting on behalf of

authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES [NIST SP 800-171A]3

Determine if:
[a]

authorized users are identified;

[b]

processes acting on behalf of authorized users are identified;

[c]

devices (and other systems) authorized to connect to the system are identified;

[d]

system access is limited to authorized users;

[e]

system access is limited to processes acting on behalf of authorized users; and

[f]

system access is limited to authorized devices (including other systems).

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]3

Examine
[SELECT FROM: Access control policy; procedures addressing account management; system

security plan45; system design documentation; system configuration settings and associated

documentation; list of active system accounts and the name of the individual associated with

each account; notifications or records of recently transferred, separated, or terminated

employees; list of conditions for group and role membership; list of recently disabled system

accounts along with the name of the individual associated with each account; access

authorization records; account management compliance reviews; system monitoring

records; system audit logs and records; list of devices and systems authorized to connect to

organizational systems; other relevant documents or records].

Interview
[SELECT FROM: Personnel with account management responsibilities; system or network

administrators; personnel with information security responsibilities].

3

NIST SP 800-171A, p. 9

4

It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order

to obtain a Level 1 self-assessment.

AC.L1-b.1.i – Authorized Access Control [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

13

Test
[SELECT FROM: Organizational processes for managing system accounts; mechanisms for

implementing account management].

DISCUSSION [NIST SP 800-171 REV. 2]6

Access control policies (e.g., identity- or role-based policies, control matrices, and

cryptography) control access between active entities or subjects (i.e., users or processes

acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and

domains) in systems. Access enforcement mechanisms can be employed at the application

and service level to provide increased information security. Other systems include systems

internal and external to the organization. This requirement focuses on account management

for systems and applications. The definition of and enforcement of access authorizations,

other than those determined by account type (e.g., privileged verses [sic] non-privileged) are

addressed in AC.L1-b.1.ii.

FURTHER DISCUSSION

Identify users, processes, and devices that are allowed to use company computers and can

log on to the company network. Automated updates and other automatic processes should

be associated with the user who initiated (authorized) the process. Limit the devices (e.g.,

printers) that can be accessed by company computers. Set up your system so that only

authorized users, processes, and devices can access the company network.
This requirement, AC.L1-b.1.i, controls system access based on user, process, or device

identity. AC.L1-b.1.i leverages IA.L1-b.1.v which provides a vetted and trusted identity for

access control.

Example 1
Your company maintains a list of all personnel authorized to use company information

systems [a]. This list is used to support identification and authentication activities conducted

by IT when authorizing access to systems [a,d].

Example 2
A coworker wants to buy a new multi-function printer/scanner/fax device and make it

available on the company network. You explain that the company controls system and device

access to the network, and will prevent network access by unauthorized systems and devices

[c]. You help the coworker submit a ticket that asks for the printer to be granted access to

the network, and appropriate leadership approves the device [f].

Potential Assessment Considerations
•

 Is a list of authorized users maintained that defines their identities and roles [a]?

6

NIST SP 800-171 Rev. 2, p.10

AC.L1-b.1.i – Authorized Access Control [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

14

•

 Are account requests authorized before system access is granted [d,e,f]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.i

•

 NIST SP 800-171 Rev. 2 3.1.1

AC.L1-b.1.ii – Transaction & Function Control [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

15

AC.L1-B.1.II – TRANSACTION & FUNCTION CONTROL [FCI DATA]

Limit information system access to the types of transactions and functions that authorized

users are permitted to execute.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]7

Determine if:
[a]

the types of transactions and functions that authorized users are permitted to

execute are defined; and
[b]

system access is limited to the defined types of transactions and functions for

authorized users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]7

Examine
[SELECT FROM: Access control policy; procedures addressing access enforcement; system

security plan; system design documentation; list of approved authorizations including

remote access authorizations; system audit logs and records; system configuration settings

and associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with access enforcement responsibilities; system or network

administrators; personnel with information security responsibilities; system developers].

Test
[SELECT FROM: Mechanisms implementing access control policy].

DISCUSSION [NIST SP 800-171 REV. 2]8

Organizations may choose to define access privileges or other attributes by account, by type

of account, or a combination of both. System account types include individual, shared, group,

system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.

Other attributes required for authorizing access include restrictions on time-of-day, day-of-

week, and point-of -origin. In defining other account attributes, organizations consider

system-related requirements (e.g., system upgrades scheduled maintenance,) and mission

or business requirements, (e.g., time zone differences, customer requirements, remote

access to support travel requirements).

7

NIST SP 800-171A, p. 9

8

NIST SP 800-171 Rev. 2, pp. 10-11

AC.L1-b.1.ii – Transaction & Function Control [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

16

FURTHER DISCUSSION

Limit users to only the information systems, roles, or applications they are permitted to use

and require for their roles and responsibilities. Limit access to applications and data based

on authorized users’ roles and responsibilities. Common types of functions a user can be

assigned are create, read, update, and delete.

Example
You supervise the team that manages DoD contracts for your company. Members of your

team need to access the contract information to perform their work properly. Because some

of that data contains FCI, you work with IT to set up your group’s systems so that users can

be assigned access based on their specific roles [a]. Each role limits whether an employee

has read-access or create/read/delete/update -access [b]. Implementing this access control

restricts access to FCI information unless specifically authorized.

Potential Assessment Considerations
•

 Are access control lists used to limit access to applications and data based on role and/or

identity [a]?

•

 Is access for authorized users restricted to those parts of the system they are explicitly

permitted to use, that is, is access denied by default and allowed by exception (e.g., a

person who only performs word-processing cannot access developer tools) [b]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.ii

•

 NIST SP 800-171 Rev. 2 3.1.2

AC.L1-b.1.iii – External Connections [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

17

AC.L1-B.1.III – EXTERNAL CONNECTIONS [FCI DATA]

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]9

Determine if:
[a]

connections to external systems are identified;

[b]

the use of external systems is identified;

[c]

connections to external systems are verified;

[d]

the use of external systems is verified;

[e]

connections to external systems are controlled/limited; and

[f]

the use of external systems is controlled/limited.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]9

Examine
[SELECT FROM: Access control policy; procedures addressing the use of external systems;

terms and conditions for external systems; system security plan; list of applications

accessible from external systems; system configuration settings and associated

documentation; system connection or processing agreements; account management

documents; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of

external systems to access organizational systems; system or network administrators;

personnel with information security responsibilities].

Test
[SELECT FROM: Mechanisms implementing terms and conditions on use of external

systems].

DISCUSSION [NIST SP 800-171 REV. 2]10

External systems are systems or components of systems for which organizations typically

have no direct supervision and authority over the application of security requirements and

controls or the determination of the effectiveness of implemented controls on those systems.

External systems include personally owned systems, components, or devices and privately-

owned computing and communications devices resident in commercial or public facilities.

9

NIST SP 800-171A, p. 17

10

NIST SP 800-171 Rev. 2, pp. 15-16

AC.L1-b.1.iii – External Connections [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

18

This requirement also addresses the use of external systems for the processing, storage, or

transmission of FCI, including accessing cloud services (e.g., infrastructure as a service,

platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance

with organizational security policies and procedures. Terms and conditions address as a

minimum, the types of applications that can be accessed on organizational systems from

external systems. If terms and conditions with the owners of external systems cannot be

established, organizations may impose restrictions on organizational personnel using those

external systems.
This requirement recognizes that there are circumstances where individuals using external

systems (e.g., contractors, coalition partners) need to access organizational systems. In those

situations, organizations need confidence that the external systems contain the necessary

controls so as not to compromise, damage, or otherwise harm organizational systems.

Verification that the required controls have been effectively implemented can be achieved

by third-party, independent assessments, attestations, or other means, depending on the

assurance or confidence level required by organizations.
Note that while “external” typically refers to outside of the organization’s direct supervision

and authority, that is not always the case. Regarding the protection of FCI across an

organization, the organization may have systems that process FCI and others that do not.

And among the systems that process FCI there are likely access restrictions for FCI that apply

between systems. Therefore, from the perspective of a given system, other systems within

the organization may be considered “external" to that system.

FURTHER DISCUSSION

Control and manage connections between your company network and outside networks.

Outside networks could include the public internet, one of your own company’s networks

that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that

does not belong to your company. Tools to manage connections include firewalls and

connection allow/deny lists. External systems not controlled by your company could be

running applications that are prohibited or blocked. Control and limit access to corporate

networks from personally owned devices such as laptops, tablets, and phones. You may

choose to limit how and when your network is connected to outside systems or only allow

certain employees to connect to outside systems from network resources.

Example
Your company has just been awarded a contract which contains FCI. You remind your

coworkers of the policy requirement to use their company laptops, not personal laptops or

tablets, when working remotely on this contract [b,f]. You also remind everyone to work

from the cloud environment that is approved for processing and storing FCI rather than the

other collaborative tools that may be used for other projects [b,f].

AC.L1-b.1.iii – External Connections [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

19

Potential Assessment Considerations
•

 Are all connections to external systems outside of the assessment scope identified [a]?

•

 Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal

devices) that are permitted to connect to or make use of organizational systems

identified [b]?

•

 Are methods employed to ensure that only authorized connections are being made to

external systems (e.g., requiring log-ins or certificates, access from a specific IP address,

or access via VPN) [c,e]?

•

 Are methods employed to confirm that only authorized external systems are connecting

(e.g., if employees are receiving company email on personal cell phones, is the OSA

checking to verify that only known/expected devices are connecting) [d]?

•

 Is the use of external systems limited, including by policy or physical control [f]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.iii

•

 NIST SP 800-171 Rev. 2 3.1.20

AC.L1-b.1.iv – Control Public Information [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

20

AC.L1-B.1.IV – CONTROL PUBLIC INFORMATION [FCI DATA]

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]11

Determine if:
[a]

individuals authorized to post or process information on publicly accessible systems

are identified;
[b]

procedures to ensure [FCI] is not posted or processed on publicly accessible

systems are identified;
[c]

a review process is in place prior to posting of any content to publicly accessible

systems;
[d]

content on publicly accessible systems is reviewed to ensure that it does not include

[FCI]; and
[e]

mechanisms are in place to remove and address improper posting of [FCI].

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]11

Examine
[SELECT FROM: Access control policy; procedures addressing publicly accessible content;

system security plan; list of users authorized to post publicly accessible content on

organizational systems; training materials and/or records; records of publicly accessible

information reviews; records of response to nonpublic information on public websites;

system audit logs and records; security awareness training records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for managing publicly accessible

information posted on organizational systems; personnel with information security

responsibilities].

Test
[SELECT FROM: Mechanisms implementing management of publicly accessible content].

DISCUSSION [NIST SP 800-171 REV. 2]12

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the

public is not authorized access to nonpublic information (e.g., information protected under

the Privacy Act, FCI, and proprietary information). This requirement addresses systems that

11

NIST SP 800-171A, p. 18

12

NIST SP 800-171 Rev. 2, p. 16

AC.L1-b.1.iv – Control Public Information [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

21

are controlled by the organization and accessible to the public, typically without

identification or authentication. Individuals authorized to post FCI onto publicly accessible

systems are designated. The content of information is reviewed prior to posting onto

publicly accessible systems to ensure that nonpublic information is not included.

FURTHER DISCUSSION

Only government officials can be authorized to publicly release FCI. Do not allow FCI to

become public – always safeguard the confidentiality of FCI by controlling the posting of FCI

on company-controlled websites or public forums and the exposure of FCI in public

presentations or on public displays. It is important to know which users are allowed to

publish information on publicly accessible systems, like your company website, and

implement a review process before posting such information. If FCI is discovered on a

publicly accessible system, procedures should be in place to remove that information and

alert the appropriate parties.

Example
Your company decides to start issuing press releases about its projects in an effort to reach

more potential customers. Your company receives FCI from the government as part of its

DoD contract. Because you recognize the need to manage controlled information, including

FCI, you meet with the employees who write the releases and post information to establish

a review process [c]. It is decided that you will review press releases for FCI before posting

it on the company website [a,d]. Only certain employees will be authorized to post to the

website [a].

Potential Assessment Considerations
•

 Does information on externally facing systems (e.g., publicly accessible) have a

documented approval chain for public release [c]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.iv

•

 NIST SP 800-171 Rev. 2 3.1.22

IA.L1-b.1.v – Identification [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

22

Identification and Authentication (IA)
IA.L1-B.1.V – IDENTIFICATION [FCI DATA]

Identify information system users, processes acting on behalf of users, or devices.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]13

Determine if:
[a]

system users are identified;

[b]

processes acting on behalf of users are identified; and

[c]

devices accessing the system are identified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]13

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing user

identification and authentication; system security plan, system design documentation;

system configuration settings and associated documentation; system audit logs and records;

list of system accounts; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system operations responsibilities; personnel with

information security responsibilities; system or network administrators; personnel with

account management responsibilities; system developers].

Test
[SELECT FROM: Organizational processes for uniquely identifying and authenticating users;

mechanisms supporting or implementing identification and authentication capability].

DISCUSSION [NIST SP 800-171 REV. 2]14

Common device identifiers include media access control (MAC), Internet Protocol (IP)

addresses, or device-unique token identifiers. Management of individual identifiers is not

applicable to shared system accounts. Typically, individual identifiers are the user names

associated with the system accounts assigned to those individuals. Organizations may

require unique identification of individuals in group accounts or for detailed accountability

of individual activity. In addition, this requirement addresses individual identifiers that are

not necessarily associated with system accounts. Organizational devices requiring

13

NIST SP 800-171A, p. 31

14

NIST SP 800-171 Rev. 2, p. 23

IA.L1-b.1.v – Identification [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

23

identification may be defined by type, by device, or by a combination of type/device.

NIST SP 800-63-3 provides guidance on digital identities.

FURTHER DISCUSSION

Individual, unique identifiers (e.g., user names) should be assigned to all users and processes

that access company systems. Authorized devices also should have unique identifiers.

Unique identifiers can be as simple as a short set of alphanumeric characters (e.g., SW001

could refer to a network switch, SW002 could refer to a different network switch).
This requirement, IA.L1-b.1.v, provides a vetted and trusted identity that supports the access

control mechanism required by AC.L1-b.1.i.

Example
You want to make sure that all employees working on a project can access important

information about it. Because this is work for the DoD and contains FCI, you also need to

prevent employees who are not working on that project from being able to access the

information. You assign each employee a unique user ID, which they use to log on to the

system [a].

Potential Assessment Considerations
•

 Are unique identifiers issued to individual users (e.g., usernames) [a]?

•

 Are the processes and service accounts that an authorized user initiates identified (e.g.,

scripts, automatic updates, configuration updates, vulnerability scans) [b]?

•

 Are unique device identifiers used for devices that access the system identified [c]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.v

•

 NIST SP 800-171 Rev. 2 3.5.1

IA.L1-b.1.vi – Authentication [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

24

IA.L1-B.1.VI – AUTHENTICATION [FCI DATA]

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite

to allowing access to organizational information systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]15

Determine if:
[a]

the identity of each user is authenticated or verified as a prerequisite to system

access;
[b]

the identity of each process acting on behalf of a user is authenticated or verified as

a prerequisite to system access; and
[c]

the identity of each device accessing or connecting to the system is authenticated or

verified as a prerequisite to system access.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]15

Examine
[SELECT FROM: Identification and authentication policy; system security plan; procedures

addressing authenticator management; procedures addressing user identification and

authentication; system design documentation; list of system authenticator types; system

configuration settings and associated documentation; change control records associated

with managing system authenticators; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms supporting or implementing authenticator management

capability].

DISCUSSION [NIST SP 800-171 REV. 2]16

Individual authenticators include the following: passwords, key cards, cryptographic

devices, and one-time password devices. Initial authenticator content is the actual content

of the authenticator, for example, the initial password. In contrast, the requirements about

authenticator content include the minimum password length. Developers ship system

components with factory default authentication credentials to allow for initial installation

15

NIST SP 800-171A, p. 31

16

NIST SP 800-171 Rev. 2, p. 23

IA.L1-b.1.vi – Authentication [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

25

and configuration. Default authentication credentials are often well known, easily

discoverable, and present a significant security risk.
Systems support authenticator management by organization-defined settings and

restrictions for various authenticator characteristics including minimum password length,

validation time window for time synchronous one-time tokens, and number of allowed

rejections during the verification stage of biometric authentication. Authenticator

management includes issuing and revoking, when no longer needed, authenticators for

temporary access such as that required for remote maintenance. Device authenticators

include certificates and passwords.
NIST SP 800-63-3 provides guidance on digital identities.

FURTHER DISCUSSION

Before a person or device is given system access, verify that the user or device is who or what

it claims to be. This verification is called authentication. The most common way to verify

identity is using a username and a hard-to-guess password.
Some devices ship with a default username (e.g., admin) and password. A default username

and password should be immediately changed to something unique. Default passwords may

be well known to the public, easily found in a search, or easy to guess, allowing an

unauthorized person to access the system.

Example 1
You are in charge of purchasing laptops that will store FCI. You know that some laptops come

with a default username and password. You notify IT that all default passwords should be

reset prior to laptop use [a]. You ask IT to explain the importance of resetting default

passwords and convey how easily they are discovered using internet searches during next

week’s cybersecurity awareness training.

Example 2
Your company decides to use cloud services for email and other capabilities that will

transmit FCI. Upon reviewing this requirement, you realize every user or device that

connects to the cloud service must be authenticated. As a result, you work with your cloud

service provider to ensure that only properly authenticated users and devices are allowed

to connect to the system [a,c].

Potential Assessment Considerations
•

 Are unique authenticators used to verify user identities (e.g., usernames and passwords)

[a]?

•

 An example of a process acting on behalf of users could be a script that logs in as a person

or service account [b]. Can the OSA show that it maintains a record of all of those service

accounts for use when reviewing log data or responding to an incident?

IA.L1-b.1.vi – Authentication [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

26

•

 Are user credentials authenticated in system processes (e.g., credentials binding,

certificates, tokens) [b]?

•

 Are device identifiers used in authentication processes (e.g., MAC address, non-

anonymous computer name, certificates) [c]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.vi

•

 NIST SP 800-171 Rev. 2 3.5.2

MP.L1-b.1.vii – Media Disposal [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

27

Media Protection (MP)
MP.L1-B.1.VII – MEDIA DISPOSAL [FCI DATA]

Sanitize or destroy information system media containing Federal Contract Information

before disposal or release for reuse.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]17

Determine if:
[a]

system media containing [FCI] is sanitized or destroyed before disposal; and

[b]

system media containing [FCI] is sanitized before it is released for reuse.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]18

Examine
[SELECT FROM: System media protection policy; procedures addressing media sanitization

and disposal; applicable standards and policies addressing media sanitization; system

security plan; media sanitization records; system audit logs and records; system design

documentation; system configuration settings and associated documentation; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with media sanitization responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or

implementing media sanitization].

DISCUSSION [NIST SP 800-171 REV. 2]19

This requirement applies to all system media, digital and non-digital, subject to disposal or

reuse. Examples include: digital media found in workstations, network components,

scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media

such as paper and microfilm. The sanitization process removes information from the media

such that the information cannot be retrieved or reconstructed. Sanitization techniques,

including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of

information to unauthorized individuals when such media is released for reuse or disposal.

17

NIST SP 800-171A, p. 41

18

NIST SP 800-171A, p. 42

19

NIST SP 800-171 Rev. 2, p. 29

MP.L1-b.1.vii – Media Disposal [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

28

Organizations determine the appropriate sanitization methods, recognizing that destruction

may be necessary when other methods cannot be applied to the media requiring sanitization.
Organizations use discretion on the employment of sanitization techniques and procedures

for media containing information that is in the public domain or publicly releasable or

deemed to have no adverse impact on organizations or individuals if released for reuse or

disposal. Sanitization of non-digital media includes destruction, removing FCI from

documents, or redacting selected sections or words from a document by obscuring the

redacted sections or words in a manner equivalent in effectiveness to removing the words

or sections from the document. NARA policy and guidance control sanitization processes.

NIST SP 800-88 provides guidance on media sanitization.

FURTHER DISCUSSION

Media can include a broad range of items that store information, including paper documents,

disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important

to know what information is on media so that you can handle it properly. If there is FCI, you

or someone in your company should either:
•

 shred or destroy the device before disposal so it cannot be read; or

•

 clean or purge the information, if you want to reuse the device.

See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more

information.

Example
As you pack for an office move, you find some old CDs in a file cabinet. You determine that

one has FCI from a project your company did for the DoD. You shred the CD rather than

simply throwing it in the trash [a].

Potential Assessment Considerations
•

 Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure

that no usable data is retrievable [a,b]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.vii

•

 NIST SP 800-171 Rev. 2 3.8.3

PE.L1-b.1.viii – Limit Physical Access [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

29

Physical Protection (PE)
PE.L1-B.1.VIII – LIMIT PHYSICAL ACCESS [FCI DATA]

Limit physical access to organizational information systems, equipment, and the respective

operating environments to authorized individuals.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]20

Determine if:
[a]

authorized individuals allowed physical access are identified;

[b]

physical access to organizational systems is limited to authorized individuals;

[c]

physical access to equipment is limited to authorized individuals; and

[d]

physical access to operating environments is limited to authorized individuals.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]20

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access authorizations; system security plan; authorized personnel access list;

authorization credentials; physical access list reviews; physical access termination records

and associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with physical access authorization responsibilities; personnel

with physical access to system facility; personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for physical access authorizations; mechanisms

supporting or implementing physical access authorizations].

DISCUSSION [NIST SP 800-171 REV. 2]21

This requirement applies to employees, individuals with permanent physical access

authorization credentials, and visitors. Authorized individuals have credentials that include

badges, identification cards, and smart cards. Organizations determine the strength of

authorization credentials needed consistent with applicable laws, directives, policies,

20

NIST SP 800-171A, p. 46

21

NIST SP 800-171 Rev. 2, p. 32

PE.L1-b.1.viii – Limit Physical Access [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

30

regulations, standards, procedures, and guidelines. This requirement applies only to areas

within facilities that have not been designated as publicly accessible.
Limiting physical access to equipment may include placing equipment in locked rooms or

other secured areas and allowing access to authorized individuals only, and placing

equipment in locations that can be monitored by organizational personnel. Computing

devices, external disk drives, networking devices, monitors, printers, copiers, scanners,

facsimile machines, and audio devices are examples of equipment.

FURTHER DISCUSSION

This addresses the company’s physical space (e.g., office, testing environments, equipment

rooms), technical assets, and non-technical assets that need to be protected from

unauthorized physical access. Specific environments are limited to authorized employees,

and access is controlled with badges, electronic locks, physical key locks, etc.
Output devices, such as printers, are placed in areas where their use does not expose data to

unauthorized individuals. Lists of personnel with authorized access are developed and

maintained, and personnel are issued appropriate authorization credentials.

Example
You manage a DoD project that stores FCI on computers used only by project team members

[b,c]. You work with the facilities manager to put locks on the doors to the areas where the

computers are stored and used [b,c,d]. Project team members are the only individuals issued

with keys to the space. This restricts access to only those employees who work on the DoD

project and require access.

Potential Assessment Considerations
•

 Are lists of personnel with authorized access developed and maintained, and are

appropriate authorization credentials issued [a]?

•

 Has the facility/building manager designated building areas as “sensitive” and designed

physical security protections (e.g., guards, locks, cameras, card readers) to limit physical

access to the area to only authorized employees [b,c,d]?

•

 Are output devices such as printers placed in areas where their use does not expose data

to unauthorized individuals [c]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.viii

•

 NIST SP 800-171 Rev. 2 3.10.1

PE.L1-b.1.ix – Manage Visitors & Physical Access [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

31

PE.L1-B.1.IX – MANAGE VISITORS & PHYSICAL ACCESS [FCI DATA]

Escort visitors and monitor visitor activity; maintain audit logs of physical access; and

control and manage physical access devices.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]22

Determine if:
[a]

visitors are escorted;

[b]

visitor activity is monitored;

[c]

audit logs of physical access are maintained;

[d]

physical access devices are identified;

[e]

physical access devices are controlled; and

[f]

physical access devices are managed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]23

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access control; system security plan; physical access control logs or records;

inventory records of physical access control devices; system entry and exit points; records

of key and lock combination changes; storage locations for physical access control devices;

physical access control devices; list of security safeguards controlling access to designated

publicly accessible areas within facility; other relevant documents or records].

Interview
[SELECT FROM: Personnel with physical access control responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for physical access control; mechanisms

supporting or implementing physical access control; physical access control devices].

DISCUSSION [NIST SP 800-171 REV. 2]24

Individuals with permanent physical access authorization credentials are not considered

visitors. Audit logs can be used to monitor visitor activity.

22

NIST SP 800-171A, p.47

23

NIST SP 800-171A, pp. 47-48

24

NIST SP 800-171 Rev. 2, pp. 32-33

PE.L1-b.1.ix – Manage Visitors & Physical Access [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

32

Organizations have flexibility in the types of audit logs employed. Audit logs can be

procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing

ID provided by a Personal Identity Verification (PIV) card), or some combination thereof.

Physical access points can include facility access points, interior access points to systems or

system components requiring supplemental access controls, or both. System components

(e.g., workstations, notebook computers) may be in areas designated as publicly accessible

with organizations safeguarding access to such devices.
Physical access devices include keys, locks, combinations, and card readers.

FURTHER DISCUSSION

Do not allow visitors, even those people you know well, to walk around your facility without

an escort. All non-employees should wear special visitor badges and/or are escorted by an

employee at all times while on the property.
Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can

do this in writing by having employees and visitors sign in and sign out or by electronic

means such as badge readers. Whatever means you use, you need to retain the access records

for the time period that your company has defined.
Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as

important as monitoring and limiting who is able to physically access certain equipment.

Physical access devices are only strong protection if you know who has them and what access

they allow. Physical access devices can be managed using manual or automatic processes

such a list of who is assigned what key, or updating the badge access system as personnel

change roles.

Example 1
Coming back from a meeting, you see the friend of a coworker walking down the hallway

near your office where FCI is stored. You know this person well and trust them, but are not

sure why they are in the building. You stop to talk, and the person explains that they are

meeting a coworker for lunch, but cannot remember where the lunchroom is. You walk the

person back to the reception area to get a visitor badge and wait until someone can escort

them to the lunchroom [a]. You report this incident, and the company decides to install a

badge reader at the main door so visitors cannot enter without an escort [a].

Example 2
You and your coworkers like to have friends and family join you for lunch at the office on

Fridays. Your small company has just signed a contract with the DoD in which your company

will receive FCI and you now need to document who enters and leaves your facility. You work

with the reception staff to ensure that all non-employees sign in at the reception area and

sign out when they leave [c]. You retain those paper sign-in sheets in a locked filing cabinet

for one year. Employees receive badges or key cards that enable tracking and logging access

to company facilities.

PE.L1-b.1.ix – Manage Visitors & Physical Access [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

33

Example 3
You are a facility manager. A team member retired today and returns their company keys to

you. The project on which they were working requires access to areas that contain

equipment with FCI. You receive the keys, check your electronic records against the serial

numbers on the keys to ensure all have been returned, and mark each key returned [f].

Potential Assessment Considerations
•

 Are personnel required to accompany visitors to areas in a facility with physical access

to organizational systems [a]?

•

 Are visitors clearly distinguishable from regular personnel [b]?

•

 Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon

visitor departure, review of visitor audit logs) [b]?

•

 Are logs of physical access to sensitive areas (both authorized access and visitor access)

maintained per retention requirements [c]?

•

 Are visitor access records retained for as long as required [c]?

•

 Are lists or inventories of physical access devices maintained (e.g., keys, facility badges,

key cards) [d]?

•

 Is  access to physical access devices  limited  (e.g.,  granted to, and accessible only by,

authorized individuals) [e]?

•

 Are physical access devices managed (e.g., revoking key card access when necessary,

changing locks as needed, maintaining access control devices and systems) [f]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.ix

•

 NIST SP 800-171 Rev. 2 3.10.3

•

 NIST SP 800-171 Rev. 2 3.10.4

•

 NIST SP 800-171 Rev. 2 3.10.5

SC.L1-b.1.x – Boundary Protection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

34

System and Communications Protection (SC)
SC.L1-B.1.X – BOUNDARY PROTECTION [FCI DATA]

Monitor, control, and protect organizational communications (i.e., information transmitted

or received by organizational information systems) at the external boundaries and key

internal boundaries of the information systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]25

Determine if:
[a]

the external system boundary is defined;

[b]

key internal system boundaries are defined;

[c]

communications are monitored at the external system boundary;

[d]

communications are monitored at key internal boundaries;

[e]

communications are controlled at the external system boundary;

[f]

communications are controlled at key internal boundaries;

[g]

communications are protected at the external system boundary; and

[h]

communications are protected at key internal boundaries.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]25

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system security plan; list of key internal boundaries of the system;

system design documentation; boundary protection hardware and software; enterprise

security architecture documentation; system audit logs and records; system configuration

settings and associated documentation; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers; personnel with boundary protection responsibilities].

Test
[SELECT FROM: Mechanisms implementing boundary protection capability].

25

NIST SP 800-171A, p. 53

SC.L1-b.1.x – Boundary Protection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

35

DISCUSSION [NIST SP 800-171 REV. 2]26

Communications can be monitored, controlled, and protected at boundary components and

by restricting or prohibiting interfaces in organizational systems. Boundary components

include gateways, routers, firewalls, guards, network-based malicious code analysis and

virtualization systems, or encrypted tunnels implemented within a system security

architecture (e.g., routers protecting firewalls or application gateways residing on protected

subnetworks). Restricting or prohibiting interfaces in organizational systems includes

restricting external web communications traffic to designated web servers within managed

interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the

implementation of security requirements associated with the use of such services.

Commercial telecommunications services are commonly based on network components and

consolidated management systems shared by all attached commercial customers and may

also include third party-provided access lines and other service elements. Such transmission

services may represent sources of increased risk despite contract security provisions.

NIST SP 800-41 provides guidance on firewalls and firewall policy. NIST SP 800-125B

provides guidance on security for virtualization technologies.

FURTHER DISCUSSION

Fences, locks, badges, and key cards help keep non-employees out of your physical facilities.

Similarly, your company’s IT network or system has boundaries that must be protected.

Many companies use a web proxy and a firewall.
When an employee uses a company computer to go to a website, a web proxy makes the

request on the user’s behalf, looks at the web request, and decides if it should let the

employee go to the website.
A firewall controls access from the inside and outside, protecting valuable information and

resources stored on the company’s network. A firewall stops unwanted traffic on the internet

from passing through an outside “fence” to the company’s networks and information

systems. Internal boundaries determine where data can flow, for instance a software

development environment may have its own boundary controlling, monitoring, and

protecting the data that can leave that boundary.
It may be wise to monitor, control, or protect one part of the company network from another.

This can also be accomplished with a firewall and limits the ability of attackers and

disgruntled employees from entering sensitive parts of your internal network and causing

damage.

Example
You are setting up the new network with an FCI enclave. You start by sketching out a simple

diagram that identifies the external boundary of your network and any internal boundaries

that are needed [a,b]. The first piece of equipment you install is the firewall, a device to

26

NIST SP 800-171 Rev. 2, p. 36

SC.L1-b.1.x – Boundary Protection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

36

separate your internal network from the internet. The firewall also has a feature that allows

you to block access to potentially malicious websites, and you configure that service as well

[a,c,e,g]. Some of your coworkers complain that they cannot get to certain websites [c,e,g].

You explain that the new network blocks websites that are known for spreading malware.

The firewall sends you a daily digest of blocked activity so that you can monitor the system

for attack trends [c,d].

Potential Assessment Considerations
•

 What are the external system boundary components that make up the entry and exit

points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all

system components that handle regulated data are contained? What are the supporting

system components necessary for the protection of regulated data [a]?

•

 What are the internal system boundary components that make up the entry and exit

points for key internal data flow (e.g., internal firewalls, routers, any devices that can

bridge the connection between one segment of the system and another) that separate

segments of the internal network – including devices that separate internal network

segments such as development and production networks as well as a traditional DMZ at

the edge of the network [b]?

•

 Is data flowing in and out of the external and key internal system boundaries monitored

(e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)

[c,d]?

•

 Is  data  traversing  the external and internal system boundaries  controlled  such that

connections are denied by default and only authorized connections are allowed [e,f]?

•

 Is data flowing in and out of the external and key internal system boundaries protected

(e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.x

•

 NIST SP 800-171 Rev. 2 3.13.1

SC.L1-b.1.xi – Public-Access System Separation [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

37

SC.L1-B.1.XI – PUBLIC-ACCESS SYSTEM SEPARATION [FCI DATA]

Implement subnetworks for publicly accessible system components that are physically or

logically separated from internal networks.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]27

Determine if:
[a]

publicly accessible system components are identified; and

[b]

subnetworks for publicly accessible system components are physically or logically

separated from internal networks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]27

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system security plan; list of key internal boundaries of the system;

system design documentation; boundary protection hardware and software; system

configuration settings and associated documentation; enterprise security architecture

documentation; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers; personnel with boundary protection responsibilities].

Test
[SELECT FROM: Mechanisms implementing boundary protection capability].

DISCUSSION [NIST SP 800-171 REV. 2]28

Subnetworks that are physically or logically separated from internal networks are referred

to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control

devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-

based technologies.
NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides

guidance on security for virtualization technologies.

27

NIST SP 800-171A, p. 55

28

NIST SP 800-171 Rev. 2, pp. 37-38

SC.L1-b.1.xi – Public-Access System Separation [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

38

FURTHER DISCUSSION

Publicly accessible systems should be separated from the internal systems that need to be

protected. Internal systems should not be placed on the same network as publicly accessible

systems, and access by default from DMZ networks to internal networks should be blocked.
One method of accomplishing this is to create a DMZ network, which enhances security by

providing public access to a specific set of resources while preventing connections from

those resources to the rest of the IT environment. Some OSAs may achieve a similar result

through the use of a cloud computing environment that is separated from the rest of the

company’s infrastructure.

Example
The head of recruiting at your firm wants to launch a website to post job openings and allow

the public to download an application form [a]. After some discussion, your team realizes it

needs to use a firewall to create a perimeter network to do this because your network

contains FCI [b]. You host the server separately from the company’s internal network where

FCI is stored and make sure the network on which it resides is isolated with the proper

firewall rules [b].

Potential Assessment Considerations
•

 Are any system components reachable by the public (e.g., internet-facing web servers,

VPN gateways, publicly accessible cloud services) [a]?

•

 Are  publicly accessible system components on physically or logically separated

subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such

as DMZs) [b]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.xi

•

 NIST SP 800-171 Rev. 2 3.13.5

SI.L1-b.1.xii – Flaw Remediation [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

39

System and Information Integrity (SI)
SI.L1-B.1.XII – FLAW REMEDIATION [FCI DATA]

Identify, report, and correct information and information system flaws in a timely manner.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]29

Determine if:
[a]

the time within which to identify system flaws is specified;

[b]

system flaws are identified within the specified time frame;

[c]

the time within which to report system flaws is specified;

[d]

system flaws are reported within the specified time frame;

[e]

the time within which to correct system flaws is specified; and

[f]

system flaws are corrected within the specified time frame.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]29

Examine
[SELECT FROM: System and information integrity policy; procedures addressing flaw

remediation; procedures addressing configuration management; system security plan; list

of flaws and vulnerabilities potentially affecting the system; list of recent security flaw

remediation actions performed on the system (e.g., list of installed patches, service packs,

hot fixes, and other software updates to correct system flaws); test results from the

installation of software and firmware updates to correct system flaws; installation/change

control records for security-relevant software and firmware updates; other relevant

documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for flaw remediation; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for identifying, reporting, and correcting system

flaws; organizational process for installing software and firmware updates; mechanisms

29

NIST SP 800-171A, p. 60

SI.L1-b.1.xii – Flaw Remediation [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

40

supporting or implementing reporting, and correcting system flaws; mechanisms supporting

or implementing testing software and firmware updates].

DISCUSSION [NIST SP 800-171 REV. 2]30

Organizations identify systems that are affected by announced software and firmware flaws

including potential vulnerabilities resulting from those flaws and report this information to

designated personnel with information security responsibilities. Security-relevant updates

include patches, service packs, hot fixes, and anti-virus signatures. Organizations address

flaws discovered during security assessments, continuous monitoring, incident response

activities, and system error handling. Organizations can take advantage of available

resources such as the Common Weakness Enumeration (CWE) database or Common

Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in

organizational systems.
Organization-defined time periods for updating security-relevant software and firmware

may vary based on a variety of factors including the criticality of the update (i.e., severity of

the vulnerability related to the discovered flaw). Some types of flaw remediation may require

more testing than other types of remediation. NIST SP 800-40 provides guidance on patch

management technologies.

FURTHER DISCUSSION

All software and firmware have potential flaws. Many vendors work to remedy those flaws

by releasing vulnerability information and updates to their software and firmware. OSAs

should have a process to review relevant vendor notifications and updates about problems

or weaknesses. After reviewing the information, the OSA should implement a patch

management process that allows for software and firmware flaws to be fixed without

adversely affecting the system functionality. OSAs should define the time frames within

which flaws are identified, reported, and corrected for all systems.

Example
You know that software vendors typically release patches, service packs, hot fixes, etc. and

want to make sure your software that processes FCI is up to date. You develop a policy that

requires checking vendor websites for flaw notifications every week [a]. The policy further

requires that those flaws be assessed for severity and patched on end-user computers once

each week and servers once each month [c,e]. Consistent with that policy, you configure the

system to check for updates weekly or daily depending on the criticality of the software [b,e].

Your team reviews available updates and implements the applicable ones according to the

defined schedule [f].

30

NIST SP 800-171 Rev. 2, pp. 40-41

SI.L1-b.1.xii – Flaw Remediation [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

41

Potential Assessment Considerations
•

 Is the time frame (e.g., a set number of days) within which system flaw identification

activities (e.g., vulnerability scans, configuration scans, manual review) must be

performed defined and documented [a]?

•

 Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with

the specified time frame [b]?

•

 Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw)

within which system flaws must be corrected defined and documented [e]?

•

 Are  system flaws (e.g., applied security patches, made configuration changes, or

implemented workarounds or mitigations) corrected within the specified time frame [f]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.xii

•

 NIST SP 800-171 Rev. 2 3.14.1

SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

42

SI.L1-B.1.XIII – MALICIOUS CODE PROTECTION [FCI DATA]

Provide protection from malicious code at appropriate locations within organizational

information systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]31

Determine if:
[a]

designated locations for malicious code protection are identified; and

[b]

protection from malicious code at designated locations is provided.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]32

Examine
[SELECT FROM: System and information integrity policy; configuration management policy

and procedures; procedures addressing malicious code protection; records of malicious

code protection updates; malicious code protection mechanisms; system security plan;

system configuration settings and associated documentation; record of actions initiated by

malicious code protection mechanisms in response to malicious code detection; scan results

from malicious code protection mechanisms; system design documentation; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for malicious code protection; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for employing, updating, and configuring

malicious code protection mechanisms; organizational process for addressing false positives

and resulting potential impact; mechanisms supporting or implementing employing,

updating, and configuring malicious code protection mechanisms; mechanisms supporting

or implementing malicious code scanning and subsequent actions].

DISCUSSION [NIST SP 800-171 REV. 2]33

Designated [appropriate] locations include system entry and exit points which may include

firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy

servers, notebook computers, and mobile devices. Malicious code includes viruses, worms,

31

NIST SP 800-171A, p. 61

32

NIST SP 800-171A, p. 61-62

33

NIST SP 800-171 Rev. 2, p. 41

SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

43

Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g.,

UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using

techniques such as steganography. Malicious code can be inserted into systems in a variety

of ways including web accesses, electronic mail, electronic mail attachments, and portable

storage devices. Malicious code insertions occur through the exploitation of system

vulnerabilities.
Malicious code protection mechanisms include anti-virus signature definitions and

reputation-based technologies. A variety of technologies and methods exist to limit or

eliminate the effects of malicious code. Pervasive configuration management and

comprehensive software integrity controls may be effective in preventing execution of

unauthorized code. In addition to commercial off-the-shelf software, malicious code may also

be present in custom-built software. This could include logic bombs, back doors, and other

types of cyber-attacks that could affect organizational missions/business functions.

Traditional malicious code protection mechanisms cannot always detect such code. In these

situations, organizations rely instead on other safeguards including secure coding practices,

configuration management and control, trusted procurement processes, and monitoring

practices to help ensure that software does not perform functions other than the functions

intended. NIST SP 800-83 provides guidance on malware incident prevention.

FURTHER DISCUSSION

Malicious code purposely performs unauthorized activity that undermines the security of an

information system. A designated location may be a network device such as a firewall or an

end user’s computer.
Malicious code, which can be delivered by a range of means (e.g., email, removable media, or

websites), includes the following:
•

 Virus – program designed to cause damage, steal information, change data, send email,

show messages, or any combination of these things;

•

 Spyware – program designed to secretly gather information about a person’s activity;

•

 Trojan Horse – type of malware made to look like legitimate software and used by cyber

criminals to get access to a company’s systems; and

•

 Ransomware – type of malware that threatens to publish the victim’s data or perpetually

block access to it unless a ransom is paid.

Consider use of anti-malware tools to stop or lessen the impact of malicious code.

Example
Your company’s IT team is buying new computers and wants to protect your company’s

information from viruses and spyware. The computers will be used to process, store, and

transmit FCI. They research anti-malware products, select an appropriate solution, and

deploy antivirus software on all hosts for which satisfactory antivirus software is available

[a,b].

SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

44

Potential Assessment Considerations
•

 Are system components (e.g., workstations, servers, email gateways, mobile devices) for

which malicious code protection must be provided identified and documented [a]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.xiii

•

 NIST SP 800-171 Rev. 2 3.14.2

SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

45

SI.L1-B.1.XIV – UPDATE MALICIOUS CODE PROTECTION [FCI DATA]

Update malicious code protection mechanisms when new releases are available.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]34

Determine if:
[a] malicious code protection mechanisms are updated when new releases are available.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]35

Examine
[SELECT FROM: System and information integrity policy; configuration management policy

and procedures; procedures addressing malicious code protection; malicious code

protection mechanisms; records of malicious code protection updates; system security plan;

system design documentation; system configuration settings and associated documentation;

scan results from malicious code protection mechanisms; record of actions initiated by

malicious code protection mechanisms in response to malicious code detection; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for malicious code protection; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for employing, updating, and configuring

malicious code protection mechanisms; organizational process for addressing false positives

and resulting potential impact; mechanisms supporting or implementing malicious code

protection mechanisms (including updates and configurations); mechanisms supporting or

implementing malicious code scanning and subsequent actions].

DISCUSSION [NIST SP 800-171 REV. 2]36

Malicious code protection mechanisms include anti-virus signature definitions and

reputation-based technologies. A variety of technologies and methods exist to limit or

eliminate the effects of malicious code. Pervasive configuration management and

comprehensive software integrity controls may be effective in preventing execution of

unauthorized code. In addition to commercial off-the-shelf software, malicious code may also

be present in custom-built software. This could include logic bombs, back doors, and other

34

NIST SP 800-171A, p. 62

35

NIST SP 800-171A, p. 62-63

36

NIST SP 800-171 Rev. 2, pp 41-42

SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

46

types of cyber-attacks that could affect organizational missions/business functions.

Traditional malicious code protection mechanisms cannot always detect such code. In these

situations, organizations rely instead on other safeguards including secure coding practices,

configuration management and control, trusted procurement processes, and monitoring

practices to help ensure that software does not perform functions other than the functions

intended.

FURTHER DISCUSSION

Malware changes on an hourly or daily basis, and it is important to update detection and

protection mechanisms frequently to maintain the effectiveness of the protection.

Example
You have installed anti-malware software to protect a computer that stores FCI from

malicious code. Knowing that malware evolves rapidly, you configure the software to

automatically check for malware definition updates every day and update as needed [a].

Potential Assessment Considerations
•

 Is there a defined frequency at which malicious code protection mechanisms must be

updated (e.g., frequency of automatic updates or manual processes) [a]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.xiv

•

 NIST SP 800-171 Rev. 2 3.14.4

SI.L1-b.1.xv – System & File Scanning [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

47

SI.L1-B.1.XV – SYSTEM & FILE SCANNING [FCI DATA]

Perform periodic scans of the information system and real-time scans of files from external

sources as files are downloaded, opened, or executed.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]37

Determine if:
[a]

the frequency for malicious code scans is defined;

[b]

malicious code scans are performed with the defined frequency; and

[c]

real-time malicious code scans of files from external sources as files are

downloaded, opened, or executed are performed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]37

Examine
[SELECT FROM: System and information integrity policy; configuration management policy

and procedures; procedures addressing malicious code protection; malicious code

protection mechanisms; records of malicious code protection updates; system security plan;

system design documentation; system configuration settings and associated documentation;

scan results from malicious code protection mechanisms; record of actions initiated by

malicious code protection mechanisms in response to malicious code detection; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for malicious code protection; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for employing, updating, and configuring

malicious code protection mechanisms; organizational process for addressing false positives

and resulting potential impact; mechanisms supporting or implementing malicious code

protection mechanisms (including updates and configurations); mechanisms supporting or

implementing malicious code scanning and subsequent actions].

DISCUSSION [NIST SP 800-17]1 REV. 238

Periodic scans of organizational systems and real-time scans of files from external sources

can detect malicious code. Malicious code can be encoded in various formats (e.g.,

37

NIST SP 800-171A, p. 63

38

NIST SP 800-171 Rev. 2, p. 42

SI.L1-b.1.xv – System & File Scanning [FCI Data]

CMMC Assessment Guide – Level 1 | Version 2.13

48

UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using

techniques such as steganography. Malicious code can be inserted into systems in a variety

of ways including web accesses, electronic mail, electronic mail attachments, and portable

storage devices. Malicious code insertions occur through the exploitation of system

vulnerabilities.

FURTHER DISCUSSION

Consider use of anti-malware software to scan for viruses in your computer systems and

determine how often scans are conducted. Real-time scans look at the system whenever files

are downloaded, opened, and saved. Periodic scans check previously saved files against

updated malware information. Anti-malware software should be installed, run, and updated

on all hosts for which satisfactory antivirus software is available.

Example
Your company transmits FCI over email. You work with your company’s email provider to

enable enhanced protections that will scan all attachments to identify and quarantine those

that may be harmful prior to a user opening them [c]. In addition, you configure antivirus

software on each computer to scan for malicious code every day [a,b]. The software also

scans files that are downloaded or copied from removable media such as USB drives. It

quarantines any suspicious files and notifies the security team [c].

Potential Assessment Considerations
•

 Are files from media (e.g., USB drives, CD-ROM) included in the definition of external

sources and are they being scanned [c]?

KEY REFERENCES

•

 FAR Clause 52.204-21 b.1.xv

•

 NIST SP 800-171 Rev. 2 3.14.5

Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 1 | Version 2.13

49

Appendix A – Acronyms and Abbreviations

AC

Access Control

CD-ROM

Compact Disk Read-Only Memory

CFR

Code of Federal Regulations

CMMC

Cybersecurity Maturity Model Certification

CUI

Controlled Unclassified Information

CVE

Common Vulnerabilities and Exposures

CWE

Common Weakness Enumeration

DFARS

Defense Federal Acquisition Regulation Supplement

DMZ

Demilitarized Zone

DoD

Department of Defense

ESP

External Service Provider

FAR

Federal Acquisition Regulation

FCI

Federal Contract Information

IT

Information Technology

NIST

National Institute of Standards and Technology

OSA

Organization Seeking Assessment

PIV

Personal Identity Verification

SC

System and Communications Protection

SI

System and Information Integrity

SP

Special Publication

SPRS

Supplier Performance Risk System

USB

Universal Serial Bus

UUENCODE Unix-to-Unix Encode

VLAN

Virtual Local Area Network

Document Outline

Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - AUTHORIZED ACCESS CONTROL

SECURITY REQUIREMENT Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ASSESSMENT OBJECTIVES [a] authorized users are identified; [b] processes acting on behalf of authorized users are identified; [c] devices (and other systems) authorized to connect to the system are identified; [d] system access is limited to authorized users; [e] system access is limited to processes acting on behalf of authorized users; and [f] system access is limited to authorized devices (including other systems).
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL

SECURITY REQUIREMENT Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
ASSESSMENT OBJECTIVES [a] the types of transactions and functions that authorized users are permitted to execute are defined; and [b] system access is limited to the defined types of transactions and functions for authorized users.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L1-3.1.20 - EXTERNAL CONNECTIONS

SECURITY REQUIREMENT Verify and control/limit connections to and use of external information systems.
ASSESSMENT OBJECTIVES [a] connections to external systems are identified; [b] the use of external systems is identified; [c] connections to external systems are verified; [d] the use of external systems is verified; [e] connections to external systems are controlled/limited; and [f] the use of external systems is controlled/limited.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L1-3.1.22 - CONTROL PUBLIC INFORMATION

SECURITY REQUIREMENT Control information posted or processed on publicly accessible information systems.
ASSESSMENT OBJECTIVES [a] individuals authorized to post or process information on publicly accessible systems are identified; [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified; [c] a review process is in place prior to posting of any content to publicly accessible systems; [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and [e] mechanisms are in place to remove and address improper posting of FCI.
DoD Assessment Scoring Value: 1
More Practice Details...

Identification and Authentication (IA)

Level 1 IA Practices

IA.L1-3.5.1 – IDENTIFICATION

SECURITY REQUIREMENT Identify information system users, processes acting on behalf of users, or devices.
ASSESSMENT OBJECTIVES [a] system users are identified; [b] processes acting on behalf of users are identified; and [c] devices accessing the system are identified.
DoD Assessment Scoring Value: 5
More Practice Details...

IA.L1-3.5.2 – AUTHENTICATION

SECURITY REQUIREMENT Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
ASSESSMENT OBJECTIVES [a] the identity of each user is authenticated or verified as a prerequisite to system access; [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
DoD Assessment Scoring Value: 5
More Practice Details...

Media Protection (MP)

Level 1 MP Practices

MP.L1-3.8.3 – MEDIA DISPOSAL

SECURITY REQUIREMENT Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
ASSESSMENT OBJECTIVES [a] system media containing FCI is sanitized or destroyed before disposal; and [b] system media containing FCI is sanitized before it is released for reuse.
DoD Assessment Scoring Value: 5
More Practice Details...

Physical Protection (PE)

Level 1 PE Practices

PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS

SECURITY REQUIREMENT Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
ASSESSMENT OBJECTIVES [a] authorized individuals allowed physical access are identified; [b] physical access to organizational systems is limited to authorized individuals; [c] physical access to equipment is limited to authorized individuals; and [d] physical access to operating environments is limited to authorized.
DoD Assessment Scoring Value: 5
More Practice Details...

PE.L1-3.10.3 – ESCORT VISITORS

SECURITY REQUIREMENT Escort visitors and monitor visitor activity.
ASSESSMENT OBJECTIVES [a] visitors are escorted; and [b] visitor activity is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

PE.L1-3.10.4 – PHYSICAL ACCESS LOGS

SECURITY REQUIREMENT Maintain audit logs of physical access.
ASSESSMENT OBJECTIVES [a] audit logs of physical access are maintained.
DoD Assessment Scoring Value: 1
More Practice Details...

PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS

SECURITY REQUIREMENT Control and manage physical access devices.
ASSESSMENT OBJECTIVES [a] physical access devices are identified; [b] physical access devices are controlled; and [c] physical access devices are managed.
DoD Assessment Scoring Value: 1
More Practice Details...

System and Communications Protection (SC)

Level 1 SC Practices

SC.L1-3.13.1 – BOUNDARY PROTECTION

SECURITY REQUIREMENT Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
ASSESSMENT OBJECTIVES [a] the external system boundary is defined; [b] key internal system boundaries are defined; [c] communications are monitored at the external system boundary; [d] communications are monitored at key internal boundaries; [e] communications are controlled at the external system boundary; [f] communications are controlled at key internal boundaries; [g] communications are protected at the external system boundary; and [h] communications are protected at key internal boundaries.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION

SECURITY REQUIREMENT Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
ASSESSMENT OBJECTIVES [a] publicly accessible system components are identified; and [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
DoD Assessment Scoring Value: 5
More Practice Details...

System and Information Integrity (SI)

Level 1 SI Practices

SI.L1-3.14.1 – FLAW REMEDIATION

SECURITY REQUIREMENT Identify, report, and correct information and information system flaws in a timely manner.
ASSESSMENT OBJECTIVES [a] the time within which to identify system flaws is specified; [b] system flaws are identified within the specified time frame; [c] the time within which to report system flaws is specified; [d] system flaws are reported within the specified time frame; [e] the time within which to correct system flaws is specified; and [f] system flaws are corrected within the specified time frame.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L1-3.14.2 – MALICIOUS CODE PROTECTION

SECURITY REQUIREMENT Provide protection from malicious code at appropriate locations within organizational information systems.
ASSESSMENT OBJECTIVES [a] designated locations for malicious code protection are identified; and [b] protection from malicious code at designated locations is provided.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION

SECURITY REQUIREMENT Update malicious code protection mechanisms when new releases are available.
ASSESSMENT OBJECTIVES [a] malicious code protection mechanisms are updated when new releases are available.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L1-3.14.5 – SYSTEM & FILE SCANNING

SECURITY REQUIREMENT Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
ASSESSMENT OBJECTIVES [a] the frequency for malicious code scans is defined; [b] malicious code scans are performed with the defined frequency; and [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
DoD Assessment Scoring Value: 3
More Practice Details...

Level 1 Self-Assessment Guide: Difference between revisions

Revision as of 00:09, 17 March 2025

Contents

Document Outline

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - AUTHORIZED ACCESS CONTROL

AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL

AC.L1-3.1.20 - EXTERNAL CONNECTIONS

AC.L1-3.1.22 - CONTROL PUBLIC INFORMATION

Identification and Authentication (IA)

Level 1 IA Practices

IA.L1-3.5.1 – IDENTIFICATION

IA.L1-3.5.2 – AUTHENTICATION

Media Protection (MP)

Level 1 MP Practices

MP.L1-3.8.3 – MEDIA DISPOSAL

Physical Protection (PE)

Level 1 PE Practices

PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS

PE.L1-3.10.3 – ESCORT VISITORS

PE.L1-3.10.4 – PHYSICAL ACCESS LOGS

PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS

System and Communications Protection (SC)

Level 1 SC Practices

SC.L1-3.13.1 – BOUNDARY PROTECTION

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION

System and Information Integrity (SI)

Level 1 SI Practices

SI.L1-3.14.1 – FLAW REMEDIATION

SI.L1-3.14.2 – MALICIOUS CODE PROTECTION

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION

SI.L1-3.14.5 – SYSTEM & FILE SCANNING

Navigation menu

@@ Line 1: / Line 1: @@
-'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Documentation/ CMMC Level 1 Self-Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''
+'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Resources-Documentation/ CMMC Level 1 Self-Assessment Guide Version 2.13, September 2024] from the Department of Defense Chief Information Officer (DoD CIO).'''
 For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
-== Access Control (AC) ==
-=== Level 1 AC Practices ===
-==== AC.L1-3.1.1 - AUTHORIZED ACCESS CONTROL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] authorized users are identified;
-: [b] processes acting on behalf of authorized users are identified;
-: [c] devices (and other systems) authorized to connect to the system are identified;
-: [d] system access is limited to authorized users;
-: [e] system access is limited to processes acting on behalf of authorized users; and
-: [f] system access is limited to authorized devices (including other systems).
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L1-3.1.1_Details|More Practice Details...]]
-|}
-==== AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Limit information system access to the types of transactions and functions that authorized  users are permitted to execute.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
-: [b] system access is limited to the defined types of transactions and functions for authorized users.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L1-3.1.2_Details|More Practice Details...]]
-|}
-==== AC.L1-3.1.20 - EXTERNAL CONNECTIONS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Verify and control/limit connections to and use of external information systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] connections to external systems are identified;
-: [b] the use of external systems is identified;
-: [c] connections to external systems are verified;
-: [d] the use of external systems is verified;
-: [e] connections to external systems are controlled/limited; and
-: [f]  the use of external systems is controlled/limited.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L1-3.1.20_Details|More Practice Details...]]
-|}
-==== AC.L1-3.1.22 - CONTROL PUBLIC INFORMATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control information posted or processed on publicly accessible information systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] individuals authorized to post or process information on publicly accessible systems are identified;
-: [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
-: [c] a review process is in place prior to posting of any content to publicly accessible systems;
-: [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
-: [e] mechanisms are in place to remove and address improper posting of FCI.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L1-3.1.22_Details|More Practice Details...]]
-|}
-== Identification and Authentication (IA) ==
-=== Level 1 IA Practices ===
-==== IA.L1-3.5.1 – IDENTIFICATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Identify information system users, processes acting on behalf of users, or devices.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] system users are identified;
-: [b] processes acting on behalf of users are identified; and
-: [c] devices accessing the system are identified.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_IA.L1-3.5.1_Details|More Practice Details...]]
-|}
-==== IA.L1-3.5.2 – AUTHENTICATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the identity of each user is authenticated or verified as a prerequisite to system access;
-: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
-: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_IA.L1-3.5.2_Details|More Practice Details...]]
-|}
-== Media Protection (MP) ==
-=== Level 1 MP Practices ===
-==== MP.L1-3.8.3 – MEDIA DISPOSAL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] system media containing FCI is sanitized or destroyed before disposal; and
-: [b] system media containing FCI is sanitized before it is released for reuse.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_MP.L1-3.8.3_Details|More Practice Details...]]
-|}
-== Physical Protection (PE) ==
+Version – 2.13 | September 2024
-=== Level 1 PE Practices ===
-==== PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS ====
+DoD-CIO-00002 (ZRIN 0790-ZA18)
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+'''CMMC Assessment Guide '''
-Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
-|-
+'''Level 1 '''
-|'''ASSESSMENT OBJECTIVES'''
-: [a] authorized individuals allowed physical access are identified;
+-T-2764
-: [b] physical access to organizational systems is limited to authorized individuals;
-: [c] physical access to equipment is limited to authorized individuals; and
-: [d] physical access to operating environments is limited to authorized.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_PE.L1-3.10.1_Details|More Practice Details...]]
-|}
+'''CMMC Assessment Guide – Level 1 '''|''' Version 2.13 '''
-==== PE.L1-3.10.3 – ESCORT VISITORS ====
+ii
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Escort visitors and monitor visitor activity.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] visitors are escorted; and
-: [b] visitor activity is monitored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_PE.L1-3.10.3_Details|More Practice Details...]]
-|}
-==== PE.L1-3.10.4 – PHYSICAL ACCESS LOGS ====
+NOTICES
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Maintain audit logs of physical access.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] audit logs of physical access are maintained.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_PE.L1-3.10.4_Details|More Practice Details...]]
-|}
-==== PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS ====
+The contents of this document do not have the force and effect of law and are not meant to
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+bind the public in any way. This document is intended only to provide clarity to the public
-Control and manage physical access devices.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] physical access devices are identified;
-: [b] physical access devices are controlled; and
-: [c] physical access devices are managed.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_PE.L1-3.10.5_Details|More Practice Details...]]
-|}
-== System and Communications Protection (SC) ==
+regarding existing requirements under the law or departmental policies.
-=== Level 1 SC Practices ===
-==== SC.L1-3.13.1 – BOUNDARY PROTECTION ====
+DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the external system boundary is defined;
-: [b] key internal system boundaries are defined;
-: [c] communications are monitored at the external system boundary;
-: [d] communications are monitored at key internal boundaries;
-: [e] communications are controlled at the external system boundary;
-: [f] communications are controlled at key internal boundaries;
-: [g] communications are protected at the external system boundary; and
-: [h] communications are protected at key internal boundaries.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SC.L1-3.13.1_Details|More Practice Details...]]
-|}
-==== SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] publicly accessible system components are identified; and
-: [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SC.L1-3.13.5_Details|More Practice Details...]]
-|}
-== System and Information Integrity (SI) ==
-=== Level 1 SI Practices ===
-==== SI.L1-3.14.1 – FLAW REMEDIATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Identify, report, and correct information and information system flaws in a timely manner.
-|-
-|ASSESSMENT OBJECTIVES'''
-: [a] the time within which to identify system flaws is specified;
-: [b] system flaws are identified within the specified time frame;
-: [c] the time within which to report system flaws is specified;
-: [d] system flaws are reported within the specified time frame;
-: [e] the time within which to correct system flaws is specified; and
-: [f] system flaws are corrected within the specified time frame.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SI.L1-3.14.1_Details|More Practice Details...]]
-|}
-==== SI.L1-3.14.2 – MALICIOUS CODE PROTECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Provide protection from malicious code at appropriate locations within organizational information systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] designated locations for malicious code protection are identified; and
-: [b] protection from malicious code at designated locations is provided.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SI.L1-3.14.2_Details|More Practice Details...]]
-|}
-==== SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Update malicious code protection mechanisms when new releases are available.
-|-
-|ASSESSMENT OBJECTIVES'''
-: [a] malicious code protection mechanisms are updated when new releases are available.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SI.L1-3.14.4_Details|More Practice Details...]]
-|}
-==== SI.L1-3.14.5 – SYSTEM & FILE SCANNING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the frequency for malicious code scans is defined;
-: [b] malicious code scans are performed with the defined frequency; and
-: [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_SI.L1-3.14.5_Details|More Practice Details...]]
-|}
+'''CMMC Assessment Guide – Level 1 '''|''' Version 2.13 '''
+iii
-Version – 2.13 | September 2024
+''' '''
-DoD-CIO-00002 (ZRIN 0790-ZA18)
+TABLE OF CONTENTS
-'''CMMC Assessment Guide '''
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#5|'''Introduction ............................................................................................................................................. 1''' ]]
-'''Level 1 '''
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|'''Assessment and Compliance .............................................................................................................. 2''' ]]
--T-2764
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|Assessment Scope................................................................................................................................................. 2 ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#7|'''CMMC-Custom Terms ............................................................................................................................ 3''' ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#9|'''Assessment Criteria and Methodology ........................................................................................... 5''' ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#10|Criteria ....................................................................................................................................................................... 6 <br />
+Methodology ........................................................................................................................................................... 6 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#12|Assessment Findings ........................................................................................................................................... 8 ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|'''Requirement Descriptions ............................................................................................................... 10''' ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|Introduction .......................................................................................................................................................... 10 ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|'''Access Control (AC) ............................................................................................................................ 12''' ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|AC.L1-b.1.i – Authorized Access Control [FCI Data] ....................................................................................... 12 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#19|AC.L1-b.1.ii – Transaction &amp; Function Control [FCI Data] ........................................................................... 15 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#21|AC.L1-b.1.iii – External Connections [FCI Data] ............................................................................................... 17 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#24|AC.L1-b.1.iv – Control Public Information [FCI Data] .................................................................................... 20 ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|'''Identification and Authentication (IA) ........................................................................................ 22''' ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|IA.L1-b.1.v – Identification [FCI Data] .................................................................................................................. 22 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#28|IA.L1-b.1.vi – Authentication [FCI Data] ............................................................................................................. 24 ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|'''Media Protection (MP) ...................................................................................................................... 27''' ]]
-'''CMMC Assessment Guide – Level 1 '''|''' Version 2.13 '''
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|MP.L1-b.1.vii – Media Disposal [FCI Data] ......................................................................................................... 27 ]]
-ii
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|'''Physical Protection (PE) ................................................................................................................... 29''' ]]
-NOTICES
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|PE.L1-b.1.viii – Limit Physical Access [FCI Data] ............................................................................................. 29 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|PE.L1-b.1.ix – Manage Visitors &amp; Physical Access [FCI Data] ..................................................................... 31 ]]
-The contents of this document do not have the force and effect of law and are not meant to
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|'''System and Communications Protection (SC) ........................................................................... 34''' ]]
-bind the public in any way. This document is intended only to provide clarity to the public
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|SC.L1-b.1.x – Boundary Protection [FCI Data] .................................................................................................. 34 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#41|SC.L1-b.1.xi – Public-Access System Separation [FCI Data] ........................................................................ 37 ]]
-regarding existing requirements under the law or departmental policies.
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|'''System and Information Integrity (SI) ......................................................................................... 39''' ]]
-DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|SI.L1-b.1.xii – Flaw Remediation [FCI Data] ...................................................................................................... 39 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data] ................................................................................... 42 ]]
@@ Line 328: / Line 122: @@
 '''CMMC Assessment Guide – Level 1 '''|''' Version 2.13 '''
-iii
+iv
 ''' '''
-TABLE OF CONTENTS
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data] ..................................................................... 45 <br />
+]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#51|SI.L1-b.1.xv – System &amp; File Scanning [FCI Data] ............................................................................................ 47 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#5|'''Introduction ............................................................................................................................................. 1''' ]]
+[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#53|'''Appendix A – Acronyms and Abbreviations .............................................................................. 49''' <br />
+]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|'''Assessment and Compliance .............................................................................................................. 2''' ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|Assessment Scope................................................................................................................................................. 2 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#7|'''CMMC-Custom Terms ............................................................................................................................ 3''' ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#9|'''Assessment Criteria and Methodology ........................................................................................... 5''' ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#10|Criteria ....................................................................................................................................................................... 6 <br />
-Methodology ........................................................................................................................................................... 6 <br />
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#12|Assessment Findings ........................................................................................................................................... 8 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|'''Requirement Descriptions ............................................................................................................... 10''' ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|Introduction .......................................................................................................................................................... 10 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|'''Access Control (AC) ............................................................................................................................ 12''' ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|AC.L1-b.1.i – Authorized Access Control [FCI Data] ....................................................................................... 12 <br />
+Introduction
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#19|AC.L1-b.1.ii – Transaction &amp; Function Control [FCI Data] ........................................................................... 15 <br />
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#21|AC.L1-b.1.iii – External Connections [FCI Data] ............................................................................................... 17 <br />
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#24|AC.L1-b.1.iv – Control Public Information [FCI Data] .................................................................................... 20 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|'''Identification and Authentication (IA) ........................................................................................ 22''' ]]
+CMMC Assessment Guide – Level 1 | Version 2.13
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|IA.L1-b.1.v – Identification [FCI Data] .................................................................................................................. 22 <br />
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#28|IA.L1-b.1.vi – Authentication [FCI Data] ............................................................................................................. 24 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|'''Media Protection (MP) ...................................................................................................................... 27''' ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|MP.L1-b.1.vii – Media Disposal [FCI Data] ......................................................................................................... 27 ]]
+Introduction <br />
+This document provides guidance  in the preparation for and execution of  a  Level  1  self-
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|'''Physical Protection (PE) ................................................................................................................... 29''' ]]
+assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|PE.L1-b.1.viii – Limit Physical Access [FCI Data] ............................................................................................. 29 <br />
+forth in section 170.15  of title 32, Code of Federal Regulations (CFR).  Guidance for
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|PE.L1-b.1.ix – Manage Visitors &amp; Physical Access [FCI Data] ..................................................................... 31 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|'''System and Communications Protection (SC) ........................................................................... 34''' ]]
+conducting a Level  2  self-assessment or certification  assessment can be found in ''CMMC ''
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|SC.L1-b.1.x – Boundary Protection [FCI Data] .................................................................................................. 34 <br />
+''Assessment Guide – Level 2''. Guidance for conducting a Level 3 certification assessment can
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#41|SC.L1-b.1.xi – Public-Access System Separation [FCI Data] ........................................................................ 37 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|'''System and Information Integrity (SI) ......................................................................................... 39''' ]]
+be found in ''CMMC Assessment Guide – Level 3''. More details on the CMMC Model can be found
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|SI.L1-b.1.xii – Flaw Remediation [FCI Data] ...................................................................................................... 39 <br />
+in ''CMMC Model Overview''. <br />
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data] ................................................................................... 42 ]]
+Level 1 focuses on the protection of Federal Contract Information (FCI), which is defined in
+CFR § 170.4 and 48 CFR § 4.1901:
+''Federal contract information means information, not intended for public ''
+''release, that is provided by or generated for the Government under a contract to ''
+''develop or deliver a product or service to the Government, but not including ''
+''information provided by the Government to the public (such as on public ''
+''websites) or simple transactional information, such as necessary to process ''
+''payments. ''
+Level 1 is comprised of the  15  basic safeguarding requirements specified in Federal
+Acquisition Regulation (FAR) Clause 52.204-21. <br />
+Purpose and Audience  <br />
+This guide is intended for Organizations Seeking Assessment (OSAs), cybersecurity
+professionals, and individuals and companies that support CMMC efforts. This document can
-'''CMMC Assessment Guide – Level 1 '''|''' Version 2.13 '''
+be used as part of preparation for and conducting a Level 1 self-assessment. <br />
+Document Organization <br />
+This document is organized into the following sections: <br />
+•
-iv
+  '''Assessment and Compliance:''  '''''provides an overview of the Level 1 self-assessment
-''' '''
+process set forth in 32 CFR § 170.15, describes ways of documenting compliance, and
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data] ..................................................................... 45 <br />
+provides guidance regarding OSA size and the self-assessment scope requirements set
-]][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#51|SI.L1-b.1.xv – System &amp; File Scanning [FCI Data] ............................................................................................ 47 ]]
-[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#53|'''Appendix A – Acronyms and Abbreviations .............................................................................. 49''' <br />
+forth in 32 CFR § 170.19.
-]]
+•
+  '''CMMC-Custom Terms: '''incorporates definitions from 32 CFR § 170.4 and definitions
+included by reference from 32 CFR § 170.2, and provides clarification of the intent and
+scope of custom terms as used in the context of CMMC.
+•
+  '''Assessment Criteria and  Methodology:'''  provides guidance on criteria and
+methodology (i.e., ''interview'', ''examine'', and ''test'') that may be employed during a Level 1
+self-assessment, as well as on assessment findings.
-Introduction
+•
-CMMC Assessment Guide – Level 1 | Version 2.13
+  '''Requirement  Descriptions:  '''provides  guidance  specific  to  each  Level  1  security
+requirement.
-Introduction <br />
-This document provides guidance  in the preparation for and execution of  a  Level  1  self-
-assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set
-forth in section 170.15  of title 32, Code of Federal Regulations (CFR).  Guidance for
-conducting a Level  2  self-assessment or certification  assessment can be found in ''CMMC ''
-''Assessment Guide – Level 2''. Guidance for conducting a Level 3 certification assessment can
-be found in ''CMMC Assessment Guide – Level 3''. More details on the CMMC Model can be found
-in ''CMMC Model Overview''. <br />
-Level 1 focuses on the protection of Federal Contract Information (FCI), which is defined in
-CFR § 170.4 and 48 CFR § 4.1901:
+Assessment and Compliance
-''Federal contract information means information, not intended for public ''
+CMMC Assessment Guide – Level 1 | Version 2.13
-''release, that is provided by or generated for the Government under a contract to ''
-''develop or deliver a product or service to the Government, but not including ''
-''information provided by the Government to the public (such as on public ''
+Assessment and Compliance <br />
+Level 1 self-assessment requirements are set forth in 32 CFR § 170.15. The OSA will assess
-''websites) or simple transactional information, such as necessary to process ''
+its own contractor information system(s) to determine if it meet all the basic safeguarding
-''payments. ''
+requirements for FCI specified in FAR Clause 52.204-21. OSAs should use the self-assessment
-Level 1 is comprised of the  15  basic safeguarding requirements specified in Federal
+methods as described in 32 CFR § 170.15. <br />
+Level  1  requirements  may apply to  an  entire enterprise infrastructure  or  to a  particular
-Acquisition Regulation (FAR) Clause 52.204-21. <br />
+enclave(s), depending upon where the FCI will be processed, stored, or transmitted. <br />
-Purpose and Audience  <br />
+OSAs can choose to perform the annual self-assessment internally or engage a third party to
-This guide is intended for Organizations Seeking Assessment (OSAs), cybersecurity
-professionals, and individuals and companies that support CMMC efforts. This document can
+assist. Use of a third party to assist is still considered a self-assessment and does not result
-be used as part of preparation for and conducting a Level 1 self-assessment. <br />
+in a certification.  The primary result of a self-assessment is the submission of Level  1
-Document Organization <br />
-This document is organized into the following sections: <br />
-•
-  '''Assessment and Compliance:''  '''''provides an overview of the Level 1 self-assessment
+compliance results into the Supplier Performance Risk System (SPRS) and a self-assessment
-process set forth in 32 CFR § 170.15, describes ways of documenting compliance, and
+report, which contains the findings associated with the self- assessment.
-provides guidance regarding OSA size and the self-assessment scope requirements set
+Assessment Scope
-forth in 32 CFR § 170.19.
+Prior to conducting a  Level 1 self-assessment, the OSA must specify the CMMC Assessment
-•
+Scope as defined in 32 CFR § 170.19(a). The CMMC Assessment Scope identifies which assets
-  '''CMMC-Custom Terms: '''incorporates definitions from 32 CFR § 170.4 and definitions
+within the OSA’s environment will be assessed and the details of the self-assessment. In
-included by reference from 32 CFR § 170.2, and provides clarification of the intent and
+accordance with §170.19, for a Level 1 self-assessment, the assets that process, store, or
-scope of custom terms as used in the context of CMMC.
+transmit FCI are considered in-scope and should  be assessed against the  Level  1
-•
+requirements. See the ''CMMC Scoping Guide – Level 1 ''document for additional information.
-  '''Assessment Criteria and  Methodology:'''  provides guidance on criteria and
-methodology (i.e., ''interview'', ''examine'', and ''test'') that may be employed during a Level 1
-self-assessment, as well as on assessment findings.
-•
-  '''Requirement  Descriptions:  '''provides  guidance  specific  to  each  Level  1  security
-requirement.
+CMMC-Custom Terms
+CMMC Assessment Guide – Level 1 | Version 2.13
+CMMC-Custom Terms <br />
+The CMMC Program has custom terms that align with program requirements. Although some
+terms may have other definitions in open forums, it is important to understand these terms
-Assessment and Compliance
+as they apply to the CMMC Program.  <br />
+The custom terms associated with Level 1 are: <br />
+•
-CMMC Assessment Guide – Level 1 | Version 2.13
+  '''Assessment:''' As defined in 32 CFR § 170.4 means the testing or evaluation of security
+controls to determine the extent to which the controls are implemented correctly,
+operating as intended, and producing the desired outcome with respect to meeting the
-Assessment and Compliance <br />
+security requirements for an information system or organization, as defined in 32 CFR §
-Level 1 self-assessment requirements are set forth in 32 CFR § 170.15. The OSA will assess
-its own contractor information system(s) to determine if it meet all the basic safeguarding
+.15 to 32 CFR § 170.18.
-requirements for FCI specified in FAR Clause 52.204-21. OSAs should use the self-assessment
+o  Level 1 self-assessment is the term for the activity performed by an OSA to
-methods as described in 32 CFR § 170.15. <br />
+evaluate its own information system, when seeking a CMMC Status of Final Level
-Level  1  requirements  may apply to  an  entire enterprise infrastructure  or  to a  particular
-enclave(s), depending upon where the FCI will be processed, stored, or transmitted. <br />
+(Self).
-OSAs can choose to perform the annual self-assessment internally or engage a third party to
-assist. Use of a third party to assist is still considered a self-assessment and does not result
+•
-in a certification.  The primary result of a self-assessment is the submission of Level  1
+  '''Assessment Objective:''' A set of determination statements that, taken together,
-compliance results into the Supplier Performance Risk System (SPRS) and a self-assessment
+expresses the desired outcome for the assessment of a security requirement. Successful
-report, which contains the findings associated with the self- assessment.
+implementation of the corresponding CMMC security requirement requires meeting all
-Assessment Scope
+applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
-Prior to conducting a  Level 1 self-assessment, the OSA must specify the CMMC Assessment
+•
-Scope as defined in 32 CFR § 170.19(a). The CMMC Assessment Scope identifies which assets
+  '''Asset:''' An item of value to stakeholders. An asset may be tangible (e.g., a physical item
-within the OSA’s environment will be assessed and the details of the self-assessment. In
+such as hardware, firmware, computing platform, network device, or other technology
-accordance with §170.19, for a Level 1 self-assessment, the assets that process, store, or
+component) or intangible (e.g., humans, data, information, software, capability, function,
-transmit FCI are considered in-scope and should  be assessed against the  Level  1
+service, trademark, copyright, patent, intellectual property, image, or reputation). The
-requirements. See the ''CMMC Scoping Guide – Level 1 ''document for additional information.
+value of an asset is determined by stakeholders in consideration of loss concerns across
+the entire system life cycle. Such concerns include but are not limited to business or
+mission concerns, as defined in NIST SP 800-160 Rev 1.
+•
+  '''CMMC Status:''' As defined in 32 CFR''' '''§ 170.4 is the result of meeting or exceeding the
+minimum required score for the corresponding assessment. The CMMC Status of an OSA
+information system is officially stored in SPRS and additionally presented on a Certificate
+of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
+o  Final Level 1 (Self) is defined in § 170.15(c)(1). To achieve a CMMC Status of Final
-CMMC-Custom Terms
+Level 1 (Self) the OSA must  conduct a Level 1 self-assessment scored in
-CMMC Assessment Guide – Level 1 | Version 2.13
+accordance with the CMMC Scoring Methodology described in § 170.24. The Level
+self-assessment must be performed in accordance with the Level  1 scope
+requirements set forth in § 170.19(a) and (b). In instances where an objective
-CMMC-Custom Terms <br />
+addresses CUI, the term FCI should be substituted for CUI.
-The CMMC Program has custom terms that align with program requirements. Although some
-terms may have other definitions in open forums, it is important to understand these terms
-as they apply to the CMMC Program.  <br />
-The custom terms associated with Level 1 are: <br />
 •
-   '''Assessment:''' As defined in 32 CFR § 170.4 means the testing or evaluation of security
+   '''Component:  '''A discrete identifiable information technology ''asset''  that represents a
-controls to determine the extent to which the controls are implemented correctly,
+building block of a system and may include hardware, software, and firmware[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#7|1]].  A
-operating as intended, and producing the desired outcome with respect to meeting the
+''component'' is one type of ''asset''.''' '''
-security requirements for an information system or organization, as defined in 32 CFR §
-.15 to 32 CFR § 170.18.
-o  Level 1 self-assessment is the term for the activity performed by an OSA to
+  NIST SP 800-171 Rev 2, p 59 under system component
-evaluate its own information system, when seeking a CMMC Status of Final Level
-(Self).
-•
-  '''Assessment Objective:''' A set of determination statements that, taken together,
-expresses the desired outcome for the assessment of a security requirement. Successful
-implementation of the corresponding CMMC security requirement requires meeting all
-applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
-•
-  '''Asset:''' An item of value to stakeholders. An asset may be tangible (e.g., a physical item
+CMMC-Custom Terms
-such as hardware, firmware, computing platform, network device, or other technology
+CMMC Assessment Guide – Level 1 | Version 2.13
-component) or intangible (e.g., humans, data, information, software, capability, function,
-service, trademark, copyright, patent, intellectual property, image, or reputation). The
-value of an asset is determined by stakeholders in consideration of loss concerns across
+•
+  '''Enduring Exception:''' A special circumstance or system where remediation and full
-the entire system life cycle. Such concerns include but are not limited to business or
+compliance with CMMC security requirements is not feasible. Examples include systems
-mission concerns, as defined in NIST SP 800-160 Rev 1.
+required to replicate the configuration of ‘fielded’ systems, medical devices, test
-•
+equipment, OT, and IoT. No operational plan of action is required but the circumstance
-  '''CMMC Status:''' As defined in 32 CFR''' '''§ 170.4 is the result of meeting or exceeding the
+must be documented within a system security plan. Specialized Assets and GFE may be
-minimum required score for the corresponding assessment. The CMMC Status of an OSA
+Enduring Exceptions.
-information system is officially stored in SPRS and additionally presented on a Certificate
+•
-of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
+  '''Information System  (IS):  '''A discrete set of information resources organized for the
-o  Final Level 1 (Self) is defined in § 170.15(c)(1). To achieve a CMMC Status of Final
+collection, processing, maintenance, use, sharing, dissemination, or disposition of
-Level 1 (Self) the OSA must  conduct a Level 1 self-assessment scored in
+information [NIST 800-171 Rev. 2]. An ''IS'' is one type of ''asset''.''' '''
-accordance with the CMMC Scoring Methodology described in § 170.24. The Level
+•
-self-assessment must be performed in accordance with the Level  1 scope
+  '''Monitoring:  '''Continual checking, supervising, critically observing, or determining the
-requirements set forth in § 170.19(a) and (b). In instances where an objective
+status in order to identify change from the performance level required or expected [NIST
-addresses CUI, the term FCI should be substituted for CUI.
+SP 800-160 Vol 1].
 •
-   '''Component:  '''A discrete identifiable information technology ''asset''  that represents a
+   '''Operational plan of action: '''As used in security requirement CA.L2-3.12.2, means the
-building block of a system and may include hardware, software, and firmware[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#7|1]].  A
+formal artifact which identifies temporary vulnerabilities and temporary deficiencies in
-''component'' is one type of ''asset''.''' '''
+implementation of requirements and documents how and when they will be mitigated,
+corrected, or eliminated.  The OSA defines the format (e.g., document, spreadsheet,
+database) and specific content of its operational plan of action. An operational plan of
- NIST SP 800-171 Rev 2, p 59 under system component
+action is not the same as a POA&amp;M associated with an assessment.''' '''
+•
+  '''Organization-Defined: '''As determined by the OSA being assessed except as defined in
+the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or
+rate at which something occurs within a given time period, or it could be associated with
+describing the configuration of an OSA’s solution.
+•
+  '''Temporary deficiency:''' As defined in 32 CFR § 170.4 means a condition where
+remediation of a discovered deficiency is feasible and a known fix is available or is in
-CMMC-Custom Terms
+process. The deficiency must be documented in an operational plan of action. A
-CMMC Assessment Guide – Level 1 | Version 2.13
+temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC
+security requirement but arises after implementation. A temporary deficiency may
+apply during the initial implementation of a security requirement if, during roll-out,
-•
+specific issues with a very limited subset of equipment is discovered that must be
-  '''Enduring Exception:''' A special circumstance or system where remediation and full
+separately addressed. There is no standard duration for which a temporary deficiency
-compliance with CMMC security requirements is not feasible. Examples include systems
+may be active.  For example, FIPS-validated cryptography that requires a patch and the
-required to replicate the configuration of ‘fielded’ systems, medical devices, test
+patched version is no longer the validated version may be a temporary deficiency.
-equipment, OT, and IoT. No operational plan of action is required but the circumstance
-must be documented within a system security plan. Specialized Assets and GFE may be
-Enduring Exceptions.
-•
-  '''Information System  (IS):  '''A discrete set of information resources organized for the
-collection, processing, maintenance, use, sharing, dissemination, or disposition of
-information [NIST 800-171 Rev. 2]. An ''IS'' is one type of ''asset''.''' '''
-•
-  '''Monitoring:  '''Continual checking, supervising, critically observing, or determining the
+Assessment Criteria and Methodology
-status in order to identify change from the performance level required or expected [NIST
+CMMC Assessment Guide – Level 1 | Version 2.13
-SP 800-160 Vol 1].
-•
-  '''Operational plan of action: '''As used in security requirement CA.L2-3.12.2, means the
+Assessment Criteria and Methodology <br />
+This  ''CMMC  Assessment Guide –  Level 1''  provides guidance regarding the  assessment
-formal artifact which identifies temporary vulnerabilities and temporary deficiencies in
+procedures required by 32 CFR § 170.15, which requires the Level 1 self-assessment to be
-implementation of requirements and documents how and when they will be mitigated,
+performed using the objectives defined in NIST Special Publication (SP) 800-171A[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#9|2. ]]NIST SP
-corrected, or eliminated.  The OSA defines the format (e.g., document, spreadsheet,
+-171A Section 2.1 says the following:
-database) and specific content of its operational plan of action. An operational plan of
+''An assessment procedure consists of an assessment objective and a set of ''
-action is not the same as a POA&amp;M associated with an assessment.''' '''
+''potential assessment methods and assessment objects that can be used to ''
-•
+''conduct the assessment. Each assessment objective includes a determination ''
-  '''Organization-Defined: '''As determined by the OSA being assessed except as defined in
+''statement related to the requirement that is the subject of the assessment. The ''
-the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or
+''determination statements are linked to the content of the requirement to ensure ''
-rate at which something occurs within a given time period, or it could be associated with
+''traceability of the assessment results to the requirements. The application of an ''
-describing the configuration of an OSA’s solution.
+''assessment procedure to a requirement produces assessment findings. These ''
-•
+''findings reflect, or are subsequently used, to help determine if the requirement ''
-  '''Temporary deficiency:''' As defined in 32 CFR § 170.4 means a condition where
+''has been satisfied. <br />
+Assessment objects identify the specific items being assessed and can include ''
-remediation of a discovered deficiency is feasible and a known fix is available or is in
+''specifications, mechanisms, activities, and individuals. ''
-process. The deficiency must be documented in an operational plan of action. A
+•
-temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC
+  ''Specifications are the document-based artifacts (e.g., policies, ''
-security requirement but arises after implementation. A temporary deficiency may
+''procedures, security plans, security requirements, functional ''
-apply during the initial implementation of a security requirement if, during roll-out,
+''specifications, and architectural designs) associated with a system. ''
-specific issues with a very limited subset of equipment is discovered that must be
+•
-separately addressed. There is no standard duration for which a temporary deficiency
+  ''Mechanisms are the specific hardware, software, or firmware safeguards ''
-may be active.  For example, FIPS-validated cryptography that requires a patch and the
+''employed within a system. ''
-patched version is no longer the validated version may be a temporary deficiency.
+•
+  ''Activities are the protection-related actions supporting a system that ''
+''involve people (e.g., conducting system backup operations, exercising a ''
+''contingency plan, and monitoring network traffic). ''
+•
+  ''Individuals, or groups of individuals, are people applying the ''
+''specifications, mechanisms, or activities described above. ''
+''The assessment methods define the nature and the extent of the  assessor’s''' '''''
+''actions. The methods include ''examine'', ''interview'', and ''test''. ''
-Assessment Criteria and Methodology
+•
-CMMC Assessment Guide – Level 1 | Version 2.13
+  ''The ''examine'' method is the process of reviewing, inspecting, observing, ''
+''studying, or analyzing assessment objects (i.e., specifications, ''
+''mechanisms, activities). The purpose of the ''examine''  method is to ''
-Assessment Criteria and Methodology <br />
+''facilitate understanding, achieve clarification, or obtain evidence. ''
-This  ''CMMC  Assessment Guide –  Level 1''  provides guidance regarding the  assessment
-procedures required by 32 CFR § 170.15, which requires the Level 1 self-assessment to be
+•
-performed using the objectives defined in NIST Special Publication (SP) 800-171A[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#9|2. ]]NIST SP
+  ''The  ''interview''  method is the process of holding discussions with ''
--171A Section 2.1 says the following:
+''individuals or groups of individuals to facilitate understanding, achieve ''
-''An assessment procedure consists of an assessment objective and a set of ''
+''clarification, or obtain evidence. ''
-''potential assessment methods and assessment objects that can be used to ''
-''conduct the assessment. Each assessment objective includes a determination ''
-''statement related to the requirement that is the subject of the assessment. The ''
+ NIST SP 800-171A, ''Assessing Security Requirements for Controlled Unclassified Information, ''June 2018 (italics
-''determination statements are linked to the content of the requirement to ensure ''
+and bulleted list formatting altered)
-''traceability of the assessment results to the requirements. The application of an ''
-''assessment procedure to a requirement produces assessment findings. These ''
-''findings reflect, or are subsequently used, to help determine if the requirement ''
-''has been satisfied. <br />
-Assessment objects identify the specific items being assessed and can include ''
-''specifications, mechanisms, activities, and individuals. ''
-•
-  ''Specifications are the document-based artifacts (e.g., policies, ''
-''procedures, security plans, security requirements, functional ''
-''specifications, and architectural designs) associated with a system. ''
+Assessment Criteria and Methodology
-•
+CMMC Assessment Guide – Level 1 | Version 2.13
-  ''Mechanisms are the specific hardware, software, or firmware safeguards ''
-''employed within a system. ''
 •
-   ''Activities are the protection-related actions supporting a system that ''
+   ''And finally, the ''test'' method is the process of exercising assessment objects ''
-''involve people (e.g., conducting system backup operations, exercising a ''
+''(i.e., activities, mechanisms) under specified conditions to compare actual ''
-''contingency plan, and monitoring network traffic). ''
+''with expected behavior. ''
-•
+''In all three assessment methods, the results are used in making specific ''
-  ''Individuals, or groups of individuals, are people applying the ''
+''determinations called for in the determination statements and thereby ''
-''specifications, mechanisms, or activities described above. ''
+''achieving the objectives for the assessment procedure. ''
-''The assessment methods define the nature and the extent of the  assessor’s''' '''''
+The guidance specified in NIST SP 800-171A focuses on Controlled Unclassified Information
-''actions. The methods include ''examine'', ''interview'', and ''test''. ''
+(CUI). Since Level 1 focuses on safeguarding FCI, the applicable self-assessment objectives
-•
+for  Level  1  are  modified  to address  FCI  rather than  CUI  as set forth in 32  CFR  §
-  ''The ''examine'' method is the process of reviewing, inspecting, observing, ''
+.15(c)(1)(i). Where '''CUI''' is noted in a NIST SP 800-171A assessment objective, '''[FCI]''' has
-''studying, or analyzing assessment objects (i.e., specifications, ''
+been  substituted in the Level  1  objective  description.  Level 1 security requirement
-''mechanisms, activities). The purpose of the ''examine''  method is to ''
+descriptions align with FAR Clause 52.204-21.
-''facilitate understanding, achieve clarification, or obtain evidence. ''
+Criteria
-•
+Assessment objectives are provided for each Level 1 requirement and are based on existing
-  ''The  ''interview''  method is the process of holding discussions with ''
+criteria  in  NIST SP 800-171A  modified for FCI  rather than  CUI  as set forth in 32  CFR  §
-''individuals or groups of individuals to facilitate understanding, achieve ''
+.15(c)(1)(i). The criteria are authoritative and provide the basis for the self-assessment
-''clarification, or obtain evidence. ''
+of a requirement.
+Methodology
+To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist
- NIST SP 800-171A, ''Assessing Security Requirements for Controlled Unclassified Information, ''June 2018 (italics
+demonstrating that the OSA has fulfilled the objectives of the Level 1 requirements. Because
-and bulleted list formatting altered)
+different  self-assessment objectives  can be met in different ways (e.g., through
+documentation, computer configuration, network configuration, or training),  a variety of
+techniques may be used to determine if the OSA meets the Level 1 requirements, including
+any of the three assessment methods from NIST SP 800-171A. <br />
+Follow the guidance in NIST SP 800-171A when determining which assessment methods to
+use:
+''Organizations [OSAs] are not expected to employ all assessment methods and ''
+''objects contained within the assessment procedures identified in this ''
+''publication. Rather, organizations have the flexibility to determine the level of ''
+''effort needed and the assurance required  for an assessment (e.g., which ''
-Assessment Criteria and Methodology
+''assessment methods and assessment objects are deemed to be the most useful in ''
-CMMC Assessment Guide – Level 1 | Version 2.13
+''obtaining the desired results). This determination is made based on how the ''
+''organization can accomplish the assessment objectives in the most cost-effective ''
+''manner and with sufficient confidence to support the determination that the ''
-•
+''[FCI] requirements have been satisfied. ''
-  ''And finally, the ''test'' method is the process of exercising assessment objects ''
+For more detailed information on assessment methods, see NIST SP 800-171A Appendix D.
-''(i.e., activities, mechanisms) under specified conditions to compare actual ''
-''with expected behavior. ''
-''In all three assessment methods, the results are used in making specific ''
-''determinations called for in the determination statements and thereby ''
-''achieving the objectives for the assessment procedure. ''
-The guidance specified in NIST SP 800-171A focuses on Controlled Unclassified Information
-(CUI). Since Level 1 focuses on safeguarding FCI, the applicable self-assessment objectives
-for  Level  1  are  modified  to address  FCI  rather than  CUI  as set forth in 32  CFR  §
-.15(c)(1)(i). Where '''CUI''' is noted in a NIST SP 800-171A assessment objective, '''[FCI]''' has
+Assessment Criteria and Methodology
-been  substituted in the Level  1  objective  description.  Level 1 security requirement
+CMMC Assessment Guide – Level 1 | Version 2.13
-descriptions align with FAR Clause 52.204-21.
-Criteria
-Assessment objectives are provided for each Level 1 requirement and are based on existing
+Who Is Interviewed
-criteria  in  NIST SP 800-171A  modified for FCI  rather than  CUI  as set forth in 32  CFR  §
+Interviews of applicable staff (possibly at different organizational levels)  may provide
-.15(c)(1)(i). The criteria are authoritative and provide the basis for the self-assessment
+information to help an entity determine if Level  1  security  requirements  have been
-of a requirement.
+implemented, as well as if adequate resourcing, training, and planning have occurred for
-Methodology
+individuals to implement the security requirements.
-To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist
+What Is Examined
-demonstrating that the OSA has fulfilled the objectives of the Level 1 requirements. Because
+Examination includes reviewing, inspecting, observing, studying, or analyzing assessment
-different  self-assessment objectives  can be met in different ways (e.g., through
+objects. The objects can be documents, mechanisms, or activities. <br />
+For some security  requirements, review of  documentation  may assist an entity in
-documentation, computer configuration, network configuration, or training),  a variety of
+determining  if  the  assessment objectives have been met. Interviews with staff may  help
-techniques may be used to determine if the OSA meets the Level 1 requirements, including
+identify relevant documents. As set forth in 32 CFR § 170.24, documents need to be in their
-any of the three assessment methods from NIST SP 800-171A. <br />
+final forms; drafts of policies or documentation are not eligible to be used  as evidence
-Follow the guidance in NIST SP 800-171A when determining which assessment methods to
-use:
+because they are not yet official and still subject to change. Common types of documents that
-''Organizations [OSAs] are not expected to employ all assessment methods and ''
+may be used as evidence include: <br />
+•
-''objects contained within the assessment procedures identified in this ''
+  policy, process, and procedure documents;
-''publication. Rather, organizations have the flexibility to determine the level of ''
+•
-''effort needed and the assurance required  for an assessment (e.g., which ''
+  training materials;
-''assessment methods and assessment objects are deemed to be the most useful in ''
+•
-''obtaining the desired results). This determination is made based on how the ''
+  plans and planning documents; and
-''organization can accomplish the assessment objectives in the most cost-effective ''
+•
-''manner and with sufficient confidence to support the determination that the ''
+  system, network, and data flow diagrams.
-''[FCI] requirements have been satisfied. ''
+This list of documents is not exhaustive or prescriptive. An OSA may not have these specific
-For more detailed information on assessment methods, see NIST SP 800-171A Appendix D.
+documents, and other documents may be reviewed. <br />
+In other cases, the security requirement is best self-assessed by observing that safeguards
+are in place by viewing hardware, associated configuration information, or observing staff
+following a process.
+What Is Tested
+Testing is an important part of the self-assessment process. Interviews provide information
+about  what the OSA  staff believe to be true, documentation provides evidence of
+implementing policies and procedures, and testing demonstrates what has or has not been
+done. For example, OSA staff may talk about how users are identified, documentation may
+provide details on how users are identified, but seeing a demonstration of identifying users
-Assessment Criteria and Methodology
+provides evidence that the requirement is met. Not all security requirements utilize testing
-CMMC Assessment Guide – Level 1 | Version 2.13
+to allow an entity to determine if whether the assessment objective has been met.
-Who Is Interviewed
-Interviews of applicable staff (possibly at different organizational levels)  may provide
-information to help an entity determine if Level  1  security  requirements  have been
-implemented, as well as if adequate resourcing, training, and planning have occurred for
-individuals to implement the security requirements.
-What Is Examined
-Examination includes reviewing, inspecting, observing, studying, or analyzing assessment
+Assessment Criteria and Methodology
-objects. The objects can be documents, mechanisms, or activities. <br />
+CMMC Assessment Guide – Level 1 | Version 2.13
-For some security  requirements, review of  documentation  may assist an entity in
-determining  if  the  assessment objectives have been met. Interviews with staff may  help
-identify relevant documents. As set forth in 32 CFR § 170.24, documents need to be in their
-final forms; drafts of policies or documentation are not eligible to be used  as evidence
+Assessment Findings
-because they are not yet official and still subject to change. Common types of documents that
+The self-assessment of a CMMC requirement results in one of three possible findings: MET,
-may be used as evidence include: <br />
+NOT  MET, or NOT APPLICABLE  as defined in 32 CFR  §  170.24. To demonstrate  Level  1
-•
-  policy, process, and procedure documents;
+compliance, the OSA will need a finding of MET or NOT APPLICABLE on all Level 1 security
+requirements. <br />
 •
-   training materials;
+   '''MET''':  All applicable objectives  for the  security requirement are  satisfied  based on
-•
+evidence.  All evidence must be in final form and not draft.  Unacceptable forms of
-  plans and planning documents; and
+evidence include working papers, drafts, and unofficial or unapproved policies. For each
-•
+security requirement marked MET, it is best practice to record statements that indicate
-  system, network, and data flow diagrams.
+the response  conforms to all objectives and document the appropriate evidence to
-This list of documents is not exhaustive or prescriptive. An OSA may not have these specific
+support the response.
-documents, and other documents may be reviewed. <br />
+o  Enduring Exceptions when described, along with any mitigations, in the system
-In other cases, the security requirement is best self-assessed by observing that safeguards
-are in place by viewing hardware, associated configuration information, or observing staff
+security plan shall be assessed as MET.
-following a process.
+o  Temporary deficiencies that are appropriately addressed in operational plans of
-What Is Tested
+action (i.e., include deficiency reviews, milestones, and show progress towards
-Testing is an important part of the self-assessment process. Interviews provide information
+the implementation of corrections to reduce or eliminate identified
-about  what the OSA  staff believe to be true, documentation provides evidence of
+vulnerabilities) shall be assessed as MET.
-implementing policies and procedures, and testing demonstrates what has or has not been
+•
-done. For example, OSA staff may talk about how users are identified, documentation may
+  '''NOT MET''': One or more objectives of the security requirement is not satisfied. For each
-provide details on how users are identified, but seeing a demonstration of identifying users
+security  requirement  marked NOT MET,  it is best practice to record statements that
-provides evidence that the requirement is met. Not all security requirements utilize testing
+explain why and document  the appropriate evidence showing  that the OSA  does not
-to allow an entity to determine if whether the assessment objective has been met.
+conform fully to all of the objectives.
+•
+  '''NOT APPLICABLE (N/A)''': A security requirement and/or objective do not apply at the
+time of the assessment. For each security requirement marked N/A, it is best practice to
+record a statement that explains why the requirement does not apply to the OSA. For
+example, SC.L1-b.1.xi might be N/A if there are no publicly accessible systems within the
+CMMC Assessment Scope. During an assessment, an assessment objective assessed as
+N/A is equivalent to the same assessment objective being assessed as MET. <br />
+Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT
+APPLICABLE in order for the overall security requirement to be scored as MET. Assessors
-Assessment Criteria and Methodology
+exercise judgment in determining when sufficient and adequate evidence has been
-CMMC Assessment Guide – Level 1 | Version 2.13
+presented to make an assessment finding. <br />
+CMMC assessments are conducted and results are captured at the assessment objective
+level.  One NOT MET Assessment Objective  results in a failure of the entire security
+requirement. <br />
+A security requirement can be applicable even when assessment objectives included in
-Assessment Findings
+the security requirement are scored N/A. The security requirement is NOT MET when
-The self-assessment of a CMMC requirement results in one of three possible findings: MET,
+one or more applicable assessment objectives is NOT MET. <br />
+Satisfaction of security requirements may be accomplished by other parts of the
-NOT  MET, or NOT APPLICABLE  as defined in 32 CFR  §  170.24. To demonstrate  Level  1
+enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security
-compliance, the OSA will need a finding of MET or NOT APPLICABLE on all Level 1 security
+requirement is considered MET if adequate evidence is provided that the enterprise or
-requirements. <br />
-•
-  '''MET''':  All applicable objectives  for the  security requirement are  satisfied  based on
-evidence.  All evidence must be in final form and not draft.  Unacceptable forms of
-evidence include working papers, drafts, and unofficial or unapproved policies. For each
-security requirement marked MET, it is best practice to record statements that indicate
-the response  conforms to all objectives and document the appropriate evidence to
-support the response.
-o  Enduring Exceptions when described, along with any mitigations, in the system
-security plan shall be assessed as MET.
+Assessment Criteria and Methodology
-o  Temporary deficiencies that are appropriately addressed in operational plans of
+CMMC Assessment Guide – Level 1 | Version 2.13
-action (i.e., include deficiency reviews, milestones, and show progress towards
-the implementation of corrections to reduce or eliminate identified
-vulnerabilities) shall be assessed as MET.
+ESP implements the requirement objectives. An ESP may be external people, technology,
-•
+or facilities that the OSA  uses, including cloud service providers, managed service
-  '''NOT MET''': One or more objectives of the security requirement is not satisfied. For each
+providers, managed security service providers, or cybersecurity-as-a-service providers.
-security  requirement  marked NOT MET,  it is best practice to record statements that
-explain why and document  the appropriate evidence showing  that the OSA  does not
-conform fully to all of the objectives.
-•
-  '''NOT APPLICABLE (N/A)''': A security requirement and/or objective do not apply at the
-time of the assessment. For each security requirement marked N/A, it is best practice to
-record a statement that explains why the requirement does not apply to the OSA. For
-example, SC.L1-b.1.xi might be N/A if there are no publicly accessible systems within the
-CMMC Assessment Scope. During an assessment, an assessment objective assessed as
+Requirement Descriptions
-N/A is equivalent to the same assessment objective being assessed as MET. <br />
+CMMC Assessment Guide – Level 1 | Version 2.13
-Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT
-APPLICABLE in order for the overall security requirement to be scored as MET. Assessors
-exercise judgment in determining when sufficient and adequate evidence has been
-presented to make an assessment finding. <br />
+Requirement Descriptions <br />
-CMMC assessments are conducted and results are captured at the assessment objective
+Introduction <br />
+This section provides detailed information and guidance for assessing each Level 1 security
-level.  One NOT MET Assessment Objective  results in a failure of the entire security
+requirement. The section  is  organized  first  by domain  and then by individual security
-requirement. <br />
+requirement. Each security  requirement  description  contains  the following  elements  as
-A security requirement can be applicable even when assessment objectives included in
-the security requirement are scored N/A. The security requirement is NOT MET when
+described in 32 CFR § 170.14(c): <br />
+•
-one or more applicable assessment objectives is NOT MET. <br />
+  '''Requirement  Number, Name, and Statement: '''Headed by the requirement
-Satisfaction of security requirements may be accomplished by other parts of the
-enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security
+identification number in the format, DD.L#-REQ  (e.g., AC.L1-b.1.i); followed by the
-requirement is considered MET if adequate evidence is provided that the enterprise or
+requirement short name identifier, meant to be used for quick reference only; and finally
+followed by the complete CMMC security requirement statement.
+•
+  '''Assessment Objectives [NIST SP 800-171A]: '''Identifies the specific set of objectives that
+must be met to receive MET for the requirement as defined in NIST SP 800-171A.
+•
+  '''Potential Assessment Methods and Objects [NIST SP 800-171A]: '''Describes the nature
+and the extent of the self-assessment  actions as set forth in NIST SP 800-171A. The
+methods include ''examine'', ''interview'', and ''test''. Self-assessment objects identify the items
-Assessment Criteria and Methodology
+being assessed and can include specifications, mechanisms, activities, and individuals.
-CMMC Assessment Guide – Level 1 | Version 2.13
+•
+  '''Discussion [NIST SP 800-171 Rev. 2]: '''Contains discussion from the associated NIST SP
+-171 security requirement. Level 1 aligns with FAR Clause 52.204-21, which focuses
-ESP implements the requirement objectives. An ESP may be external people, technology,
+on FCI, and the NIST text has been modified, as set forth in 32 CFR § 170.15(c)(1), to
-or facilities that the OSA  uses, including cloud service providers, managed service
+reflect this.
-providers, managed security service providers, or cybersecurity-as-a-service providers.
+•
+  '''Further Discussion: '''
+o  Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional
+guidance.
+o  Contains examples illustrating application of the requirements. These examples are
+intended to provide  insight but are not intended  to be prescriptive of how the
+requirement must be implemented, nor are they comprehensive of all assessment
+objectives necessary to achieve the requirement. The assessment objectives met
+within the example are referenced by letter in a bracket (e.g., [a,d] for objectives “a”
-Requirement Descriptions
+and “d”) within the text.
-CMMC Assessment Guide – Level 1 | Version 2.13
+o  Examples are written from the perspective of an organization or an employee of
+an organization implementing solutions or researching approaches to satisfy
+CMMC requirements. The objective is to put the reader into the role of
+implementing or maintaining alternatives to satisfy security requirements.
+Examples are not all-inclusive or prescriptive and do not imply any personal
-Requirement Descriptions <br />
+responsibility for complying with CMMC requirements.
-Introduction <br />
-This section provides detailed information and guidance for assessing each Level 1 security
-requirement. The section  is  organized  first  by domain  and then by individual security
+o  Provides  potential assessment considerations.  These  may  include  common
-requirement. Each security  requirement  description  contains  the following  elements  as
+considerations for assessing the requirement and potential questions that may be
-described in 32 CFR § 170.14(c): <br />
+asked when assessing the objectives.
-•
-  '''Requirement  Number, Name, and Statement: '''Headed by the requirement
-identification number in the format, DD.L#-REQ  (e.g., AC.L1-b.1.i); followed by the
-requirement short name identifier, meant to be used for quick reference only; and finally
-followed by the complete CMMC security requirement statement.
-•
-  '''Assessment Objectives [NIST SP 800-171A]: '''Identifies the specific set of objectives that
-must be met to receive MET for the requirement as defined in NIST SP 800-171A.
-•
-  '''Potential Assessment Methods and Objects [NIST SP 800-171A]: '''Describes the nature
+Requirement Descriptions
-and the extent of the self-assessment  actions as set forth in NIST SP 800-171A. The
+CMMC Assessment Guide – Level 1 | Version 2.13
-methods include ''examine'', ''interview'', and ''test''. Self-assessment objects identify the items
-being assessed and can include specifications, mechanisms, activities, and individuals.
 •
-   '''Discussion [NIST SP 800-171 Rev. 2]: '''Contains discussion from the associated NIST SP
+   '''Key References: '''Lists  the  identical  basic safeguarding requirement from FAR clause
--171 security requirement. Level 1 aligns with FAR Clause 52.204-21, which focuses
+.204-21 and the pertinent security requirement from NIST SP 800-171 Rev. 2.
-on FCI, and the NIST text has been modified, as set forth in 32 CFR § 170.15(c)(1), to
-reflect this.
-•
-  '''Further Discussion: '''
-o  Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional
-guidance.
-o  Contains examples illustrating application of the requirements. These examples are
-intended to provide  insight but are not intended  to be prescriptive of how the
-requirement must be implemented, nor are they comprehensive of all assessment
+AC.L1-b.1.i – Authorized Access Control [FCI Data]
-objectives necessary to achieve the requirement. The assessment objectives met
+CMMC Assessment Guide – Level 1 | Version 2.13
-within the example are referenced by letter in a bracket (e.g., [a,d] for objectives “a”
-and “d”) within the text.
-o  Examples are written from the perspective of an organization or an employee of
+Access Control (AC) <br />
+'''AC.L1-B.1.I – AUTHORIZED ACCESS CONTROL [FCI DATA] '''
-an organization implementing solutions or researching approaches to satisfy
+Limit  information system  access to authorized users, processes acting on behalf of
-CMMC requirements. The objective is to put the reader into the role of
+authorized users, or devices (including other information systems).
-implementing or maintaining alternatives to satisfy security requirements.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|3 ]]'''
-Examples are not all-inclusive or prescriptive and do not imply any personal
+Determine if: <br />
+[a]
-responsibility for complying with CMMC requirements.
+authorized users are identified;
-o  Provides  potential assessment considerations.  These  may  include  common
+[b]
-considerations for assessing the requirement and potential questions that may be
+processes acting on behalf of authorized users are identified;
-asked when assessing the objectives.
+[c]
+devices (and other systems) authorized to connect to the system are identified;
+[d]
+system access is limited to authorized users;
+[e]
+system access is limited to processes acting on behalf of authorized users; and
+[f]
+system access is limited to authorized devices (including other systems).
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]3 '''
-Requirement Descriptions
+'''Examine <br />
+'''[SELECT FROM: Access control policy; procedures addressing account management; system
-CMMC Assessment Guide – Level 1 | Version 2.13
+security plan[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|45]]; system design documentation; system configuration settings and associated
+documentation; list of active system accounts and the name of the individual associated with
+each account; notifications or records of recently transferred, separated, or terminated
-•
+employees; list of conditions for group and role membership; list of recently disabled system
-  '''Key References: '''Lists  the  identical  basic safeguarding requirement from FAR clause
+accounts along with the name of the individual associated with each account; access
-.204-21 and the pertinent security requirement from NIST SP 800-171 Rev. 2.
+authorization records; account management compliance reviews; system monitoring
+records; system audit logs and records; list of devices and systems authorized to connect to
+organizational systems; other relevant documents or records].
+'''Interview <br />
+'''[SELECT FROM: Personnel with account management responsibilities; system or network
+administrators; personnel with information security responsibilities].
+ NIST SP 800-171A, p. 9
-AC.L1-b.1.i – Authorized Access Control [FCI Data]
+ It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order
-CMMC Assessment Guide – Level 1 | Version 2.13
+to obtain a Level 1 self-assessment.
-Access Control (AC) <br />
-'''AC.L1-B.1.I – AUTHORIZED ACCESS CONTROL [FCI DATA] '''
-Limit  information system  access to authorized users, processes acting on behalf of
-authorized users, or devices (including other information systems).
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|3 ]]'''
-Determine if: <br />
-[a]
-authorized users are identified;
-[b]
-processes acting on behalf of authorized users are identified;
-[c]
+AC.L1-b.1.i – Authorized Access Control [FCI Data]
-devices (and other systems) authorized to connect to the system are identified;
+CMMC Assessment Guide – Level 1 | Version 2.13
-[d]
-system access is limited to authorized users;
-[e]
+'''Test <br />
+'''[SELECT FROM: Organizational processes for managing system accounts; mechanisms for
-system access is limited to processes acting on behalf of authorized users; and
+implementing account management].
-[f]
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#17|6]] '''
-system access is limited to authorized devices (including other systems).
+Access control policies (e.g., identity-  or role-based policies, control matrices, and
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]3 '''
+cryptography) control access between active entities or subjects (i.e., users or processes
-'''Examine <br />
+acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and
-'''[SELECT FROM: Access control policy; procedures addressing account management; system
-security plan[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|45]]; system design documentation; system configuration settings and associated
+domains) in systems. Access enforcement mechanisms can be employed at the application
-documentation; list of active system accounts and the name of the individual associated with
+and service level to provide increased information security. Other systems include systems
-each account; notifications or records of recently transferred, separated, or terminated
+internal and external to the organization. This requirement focuses on account management
-employees; list of conditions for group and role membership; list of recently disabled system
+for systems and applications. The definition of and enforcement of access authorizations,
-accounts along with the name of the individual associated with each account; access
+other than those determined by account type (e.g., privileged verses ''[sic] ''non-privileged) are
-authorization records; account management compliance reviews; system monitoring
+addressed in AC.L1-b.1.ii.
-records; system audit logs and records; list of devices and systems authorized to connect to
+'''FURTHER DISCUSSION '''
-organizational systems; other relevant documents or records].
+Identify users, processes, and devices that are allowed to use company computers and can
-'''Interview <br />
+log on to the company network. Automated updates and other automatic processes should
-'''[SELECT FROM: Personnel with account management responsibilities; system or network
-administrators; personnel with information security responsibilities].
+be associated with the user who initiated (authorized) the process. Limit the devices (e.g.,
+printers)  that can be accessed by company computers.  Set up your system so that only
+authorized users, processes, and devices can access the company network. <br />
+This  requirement, AC.L1-b.1.i, controls system access based on user, process,  or device
+identity. AC.L1-b.1.i leverages IA.L1-b.1.v which provides a vetted and trusted identity for
+access control.
+'''Example 1 <br />
+'''Your company maintains a list of all personnel authorized to use company information
+systems [a]. This list is used to support identification and authentication activities conducted
+by IT when authorizing access to systems [a,d].
+'''Example 2 <br />
+'''A coworker wants to buy a new multi-function printer/scanner/fax device and make it
+available on the company network. You explain that the company controls system and device
+access to the network, and will prevent network access by unauthorized systems and devices
- NIST SP 800-171A, p. 9
+[c]. You help the coworker submit a ticket that asks for the printer to be granted access to
+the network, and appropriate leadership approves the device [f].
- It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order
+'''Potential Assessment Considerations <br />
+'''•
-to obtain a Level 1 self-assessment.
+  Is a list of authorized users maintained that defines their identities and roles [a]?
+  NIST SP 800-171 Rev. 2, p.10
@@ Line 1,374: / Line 1,188: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''Test <br />
+•
-'''[SELECT FROM: Organizational processes for managing system accounts; mechanisms for
-implementing account management].
+  Are account requests authorized before system access is granted [d,e,f]?
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#17|6]] '''
+'''KEY REFERENCES '''
-Access control policies (e.g., identity-  or role-based policies, control matrices, and
+•
-cryptography) control access between active entities or subjects (i.e., users or processes
+  FAR Clause 52.204-21 b.1.i
-acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and
+•
-domains) in systems. Access enforcement mechanisms can be employed at the application
+  NIST SP 800-171 Rev. 2 3.1.1
-and service level to provide increased information security. Other systems include systems
-internal and external to the organization. This requirement focuses on account management
-for systems and applications. The definition of and enforcement of access authorizations,
-other than those determined by account type (e.g., privileged verses ''[sic] ''non-privileged) are
-addressed in AC.L1-b.1.ii.
-'''FURTHER DISCUSSION '''
-Identify users, processes, and devices that are allowed to use company computers and can
-log on to the company network. Automated updates and other automatic processes should
-be associated with the user who initiated (authorized) the process. Limit the devices (e.g.,
-printers)  that can be accessed by company computers.  Set up your system so that only
+AC.L1-b.1.ii – Transaction &amp; Function Control [FCI Data]
-authorized users, processes, and devices can access the company network. <br />
+CMMC Assessment Guide – Level 1 | Version 2.13
-This  requirement, AC.L1-b.1.i, controls system access based on user, process,  or device
-identity. AC.L1-b.1.i leverages IA.L1-b.1.v which provides a vetted and trusted identity for
-access control.
-'''Example 1 <br />
+'''AC.L1-B.1.II – TRANSACTION &amp; FUNCTION CONTROL [FCI DATA] '''
-'''Your company maintains a list of all personnel authorized to use company information
-systems [a]. This list is used to support identification and authentication activities conducted
+Limit information system access to the types of transactions and functions that authorized
-by IT when authorizing access to systems [a,d].
+users are permitted to execute.
-'''Example 2 <br />
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#19|7 ]]'''
-'''A coworker wants to buy a new multi-function printer/scanner/fax device and make it
-available on the company network. You explain that the company controls system and device
+Determine if: <br />
+[a]
-access to the network, and will prevent network access by unauthorized systems and devices
+the types of transactions and functions that authorized users are permitted to
-[c]. You help the coworker submit a ticket that asks for the printer to be granted access to
+execute are defined; and <br />
+[b]
-the network, and appropriate leadership approves the device [f].
+system access is limited to the defined types of transactions and functions for
-'''Potential Assessment Considerations <br />
+authorized users.
-'''•
-  Is a list of authorized users maintained that defines their identities and roles [a]?
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]7 '''
+'''Examine <br />
+'''[SELECT FROM: Access control policy; procedures addressing access enforcement; system
+security plan; system design documentation; list of approved authorizations including
- NIST SP 800-171 Rev. 2, p.10
+remote access authorizations; system audit logs and records; system configuration settings
+and associated documentation; other relevant documents or records].
+'''Interview <br />
+'''[SELECT FROM: Personnel with access enforcement responsibilities; system or network
+administrators; personnel with information security responsibilities; system developers].
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing access control policy].
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#19|8]] '''
+Organizations may choose to define access privileges or other attributes by account, by type
+of account, or a combination of both. System account types include individual, shared, group,
+system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.
+Other attributes required for authorizing access include restrictions on time-of-day, day-of-
+week, and point-of  -origin.  In defining other account attributes, organizations consider
-AC.L1-b.1.i – Authorized Access Control [FCI Data]
+system-related requirements (e.g., system upgrades scheduled maintenance,) and mission
-CMMC Assessment Guide – Level 1 | Version 2.13
+or  business requirements, (e.g., time zone differences, customer requirements, remote
+access to support travel requirements).
-•
-  Are account requests authorized before system access is granted [d,e,f]?
+ NIST SP 800-171A, p. 9
-'''KEY REFERENCES '''
-•
+ NIST SP 800-171 Rev. 2, pp. 10-11
-  FAR Clause 52.204-21 b.1.i
-•
-  NIST SP 800-171 Rev. 2 3.1.1
@@ Line 1,495: / Line 1,305: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''AC.L1-B.1.II – TRANSACTION &amp; FUNCTION CONTROL [FCI DATA] '''
+'''FURTHER DISCUSSION '''
-Limit information system access to the types of transactions and functions that authorized
+Limit users to only the information systems, roles, or applications they are permitted to use
-users are permitted to execute.
+and require for their roles and responsibilities. Limit access to applications and data based
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#19|7 ]]'''
+on authorized users’ roles and responsibilities. Common types of functions a user can be
-Determine if: <br />
+assigned are create, read, update, and delete.
-[a]
-the types of transactions and functions that authorized users are permitted to
+'''Example <br />
+'''You supervise the team that manages DoD contracts for your company. Members of your
-execute are defined; and <br />
+team need to access the contract information to perform their work properly. Because some
-[b]
-system access is limited to the defined types of transactions and functions for
+of that data contains FCI, you work with IT to set up your group’s systems so that users can
-authorized users.
+be assigned access based on their specific roles [a]. Each role limits whether an employee
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]7 '''
+has read-access or create/read/delete/update -access [b]. Implementing this access control
-'''Examine <br />
+restricts access to FCI information unless specifically authorized.
-'''[SELECT FROM: Access control policy; procedures addressing access enforcement; system
-security plan; system design documentation; list of approved authorizations including
+'''Potential Assessment Considerations <br />
+'''•
-remote access authorizations; system audit logs and records; system configuration settings
+  Are access control lists used to limit access to applications and data based on role and/or
-and associated documentation; other relevant documents or records].
+identity [a]?
-'''Interview <br />
+•
-'''[SELECT FROM: Personnel with access enforcement responsibilities; system or network
-administrators; personnel with information security responsibilities; system developers].
+  Is access for authorized users restricted to those parts of the system they are explicitly
-'''Test <br />
+permitted to use, that is, is access denied by default and allowed by exception (e.g., a
-'''[SELECT FROM: Mechanisms implementing access control policy].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#19|8]] '''
+person who only performs word-processing cannot access developer tools) [b]?
-Organizations may choose to define access privileges or other attributes by account, by type
+'''KEY REFERENCES '''
-of account, or a combination of both. System account types include individual, shared, group,
+•
-system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.
+  FAR Clause 52.204-21 b.1.ii
-Other attributes required for authorizing access include restrictions on time-of-day, day-of-
+•
-week, and point-of  -origin.  In defining other account attributes, organizations consider
+  NIST SP 800-171 Rev. 2 3.1.2
-system-related requirements (e.g., system upgrades scheduled maintenance,) and mission
-or  business requirements, (e.g., time zone differences, customer requirements, remote
-access to support travel requirements).
- NIST SP 800-171A, p. 9
- NIST SP 800-171 Rev. 2, pp. 10-11
+AC.L1-b.1.iii – External Connections [FCI Data]
+CMMC Assessment Guide – Level 1 | Version 2.13
-AC.L1-b.1.ii – Transaction &amp; Function Control [FCI Data]
+'''AC.L1-B.1.III – EXTERNAL CONNECTIONS [FCI DATA] '''
-CMMC Assessment Guide – Level 1 | Version 2.13
+Verify and control/limit connections to and use of external information systems.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#21|9 ]]'''
+Determine if: <br />
+[a]
-'''FURTHER DISCUSSION '''
+connections to external systems are identified;
-Limit users to only the information systems, roles, or applications they are permitted to use
+[b]
-and require for their roles and responsibilities. Limit access to applications and data based
+the use of external systems is identified;
-on authorized users’ roles and responsibilities. Common types of functions a user can be
+[c]
-assigned are create, read, update, and delete.
+connections to external systems are verified;
-'''Example <br />
+[d]
-'''You supervise the team that manages DoD contracts for your company. Members of your
-team need to access the contract information to perform their work properly. Because some
+the use of external systems is verified;
-of that data contains FCI, you work with IT to set up your group’s systems so that users can
+[e]
-be assigned access based on their specific roles [a]. Each role limits whether an employee
+connections to external systems are controlled/limited; and
-has read-access or create/read/delete/update -access [b]. Implementing this access control
+[f]
-restricts access to FCI information unless specifically authorized.
+the use of external systems is controlled/limited.
-'''Potential Assessment Considerations <br />
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]9 '''
-'''•
-  Are access control lists used to limit access to applications and data based on role and/or
+'''Examine <br />
+'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
-identity [a]?
+terms and conditions for external systems; system security plan; list of applications
-•
+accessible from external systems; system configuration settings and associated
-  Is access for authorized users restricted to those parts of the system they are explicitly
+documentation; system connection or processing agreements; account management
-permitted to use, that is, is access denied by default and allowed by exception (e.g., a
+documents; other relevant documents or records].
-person who only performs word-processing cannot access developer tools) [b]?
+'''Interview <br />
+'''[SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of
-'''KEY REFERENCES '''
+external systems to access organizational systems; system or network administrators;
+personnel with information security responsibilities].
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing terms and conditions on use of external
+systems].
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#21|10]] '''
+External systems are systems or components of systems for which organizations typically
-•
+have no direct supervision and authority over the application of security requirements and
-  FAR Clause 52.204-21 b.1.ii
+controls or the determination of the effectiveness of implemented controls on those systems.
-•
+External systems include personally owned systems, components, or devices and privately-
-  NIST SP 800-171 Rev. 2 3.1.2
+owned computing and communications devices resident in commercial or public facilities.
+ NIST SP 800-171A, p. 17
+ NIST SP 800-171 Rev. 2, pp. 15-16
@@ Line 1,646: / Line 1,467: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''AC.L1-B.1.III – EXTERNAL CONNECTIONS [FCI DATA] '''
+This requirement also addresses the use of external systems for the processing, storage, or
-Verify and control/limit connections to and use of external information systems.
+transmission of FCI, including accessing cloud services (e.g., infrastructure as a service,
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#21|9 ]]'''
+platform as a service, or software as a service) from organizational systems. <br />
+Organizations establish terms and conditions for the use of external systems in accordance
-Determine if: <br />
+with organizational security policies and procedures. Terms and conditions address as a
-[a]
-connections to external systems are identified;
+minimum, the types of applications that can be accessed on organizational systems from
-[b]
+external systems. If terms and conditions with the owners of external systems cannot be
-the use of external systems is identified;
+established, organizations may impose restrictions on organizational personnel using those
-[c]
+external systems. <br />
+This requirement recognizes that there are circumstances where individuals using external
-connections to external systems are verified;
+systems (e.g., contractors, coalition partners) need to access organizational systems. In those
-[d]
+situations, organizations need confidence that the external systems contain the necessary
-the use of external systems is verified;
+controls so as not to compromise, damage, or otherwise harm organizational systems.
-[e]
+Verification that the required controls have been effectively implemented can be achieved
-connections to external systems are controlled/limited; and
+by third-party, independent assessments, attestations, or other means, depending on the
-[f]
+assurance or confidence level required by organizations. <br />
+Note that while “external” typically refers to outside of the organization’s direct supervision
-the use of external systems is controlled/limited.
+and authority, that is not always the case. Regarding the protection of FCI across an
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]9 '''
+organization, the organization may have systems that process FCI and others that do not.
-'''Examine <br />
+And among the systems that process FCI there are likely access restrictions for FCI that apply
-'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
-terms and conditions for external systems; system security plan; list of applications
+between systems. Therefore, from the perspective of a given system, other systems within
-accessible from external systems; system configuration settings and associated
+the organization may be considered “external&quot; to that system.
-documentation; system connection or processing agreements; account management
+'''FURTHER DISCUSSION '''
-documents; other relevant documents or records].
+Control and manage connections between your company network and outside networks.
-'''Interview <br />
+Outside networks could include the public internet, one of your own company’s networks
-'''[SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of
-external systems to access organizational systems; system or network administrators;
+that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that
-personnel with information security responsibilities].
+does not belong to your company.  Tools to manage connections include firewalls and
-'''Test <br />
+connection allow/deny lists. External systems not controlled by your  company could be
-'''[SELECT FROM: Mechanisms implementing terms and conditions on use of external
-systems].
+running applications that are prohibited or blocked. Control and limit access to corporate
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#21|10]] '''
+networks from personally owned  devices  such as  laptops, tablets, and phones.  You  may
-External systems are systems or components of systems for which organizations typically
+choose to limit how and when your network is connected to outside systems or only allow
-have no direct supervision and authority over the application of security requirements and
+certain employees to connect to outside systems from network resources.
-controls or the determination of the effectiveness of implemented controls on those systems.
+'''Example <br />
+'''Your company has just been awarded a contract which contains FCI. You remind your
-External systems include personally owned systems, components, or devices and privately-
+coworkers of the policy requirement to use their company laptops, not personal laptops or
-owned computing and communications devices resident in commercial or public facilities.
+tablets, when working remotely on this contract [b,f]. You also remind everyone to work
+from the cloud environment that is approved for processing and storing FCI rather than the
+other collaborative tools that may be used for other projects [b,f].
- NIST SP 800-171A, p. 17
- NIST SP 800-171 Rev. 2, pp. 15-16
@@ Line 1,741: / Line 1,556: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-This requirement also addresses the use of external systems for the processing, storage, or
+'''Potential Assessment Considerations <br />
+'''•
-transmission of FCI, including accessing cloud services (e.g., infrastructure as a service,
+  Are all connections to external systems outside of the assessment scope identified [a]?
-platform as a service, or software as a service) from organizational systems. <br />
+•
-Organizations establish terms and conditions for the use of external systems in accordance
-with organizational security policies and procedures. Terms and conditions address as a
+  Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal
-minimum, the types of applications that can be accessed on organizational systems from
+devices) that are permitted to connect to or make use of organizational systems
-external systems. If terms and conditions with the owners of external systems cannot be
+identified [b]?
-established, organizations may impose restrictions on organizational personnel using those
+•
-external systems. <br />
+  Are methods employed to ensure that only authorized connections are being made to
-This requirement recognizes that there are circumstances where individuals using external
-systems (e.g., contractors, coalition partners) need to access organizational systems. In those
+external systems (e.g., requiring log-ins or certificates, access from a specific IP address,
-situations, organizations need confidence that the external systems contain the necessary
+or access via VPN) [c,e]?
-controls so as not to compromise, damage, or otherwise harm organizational systems.
+•
-Verification that the required controls have been effectively implemented can be achieved
+  Are methods employed to confirm that only authorized external systems are connecting
-by third-party, independent assessments, attestations, or other means, depending on the
+(e.g., if employees are receiving company email on personal cell phones, is the OSA
-assurance or confidence level required by organizations. <br />
+checking to verify that only known/expected devices are connecting) [d]?
-Note that while “external” typically refers to outside of the organization’s direct supervision
-and authority, that is not always the case. Regarding the protection of FCI across an
+•
-organization, the organization may have systems that process FCI and others that do not.
+  Is the use of external systems limited, including by policy or physical control [f]?
-And among the systems that process FCI there are likely access restrictions for FCI that apply
+'''KEY REFERENCES '''
-between systems. Therefore, from the perspective of a given system, other systems within
+•
-the organization may be considered “external&quot; to that system.
+  FAR Clause 52.204-21 b.1.iii
-'''FURTHER DISCUSSION '''
+•
-Control and manage connections between your company network and outside networks.
+  NIST SP 800-171 Rev. 2 3.1.20
-Outside networks could include the public internet, one of your own company’s networks
-that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that
-does not belong to your company.  Tools to manage connections include firewalls and
-connection allow/deny lists. External systems not controlled by your  company could be
-running applications that are prohibited or blocked. Control and limit access to corporate
-networks from personally owned  devices  such as  laptops, tablets, and phones.  You  may
-choose to limit how and when your network is connected to outside systems or only allow
-certain employees to connect to outside systems from network resources.
-'''Example <br />
-'''Your company has just been awarded a contract which contains FCI. You remind your
-coworkers of the policy requirement to use their company laptops, not personal laptops or
+AC.L1-b.1.iv – Control Public Information [FCI Data]
-tablets, when working remotely on this contract [b,f]. You also remind everyone to work
+CMMC Assessment Guide – Level 1 | Version 2.13
-from the cloud environment that is approved for processing and storing FCI rather than the
-other collaborative tools that may be used for other projects [b,f].
+'''AC.L1-B.1.IV – CONTROL PUBLIC INFORMATION [FCI DATA] '''
+Control information posted or processed on publicly accessible information systems.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#24|11 ]]'''
+Determine if: <br />
+[a]
+individuals authorized to post or process information on publicly accessible systems
+are identified; <br />
+[b]
+procedures to ensure [FCI] is not posted or processed on publicly accessible
+systems are identified; <br />
+[c]
-AC.L1-b.1.iii – External Connections [FCI Data]
+a review process is in place prior to posting of any content to publicly accessible
-CMMC Assessment Guide – Level 1 | Version 2.13
+systems; <br />
+[d]
+content on publicly accessible systems is reviewed to ensure that it does not include
+[FCI]; and <br />
+[e]
-'''Potential Assessment Considerations <br />
+mechanisms are in place to remove and address improper posting of [FCI].
-'''•
-  Are all connections to external systems outside of the assessment scope identified [a]?
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]11 '''
-•
+'''Examine <br />
+'''[SELECT FROM: Access control policy; procedures addressing publicly accessible content;
-  Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal
+system security plan; list of users authorized to post publicly accessible content on
-devices) that are permitted to connect to or make use of organizational systems
+organizational systems; training materials and/or records; records of publicly accessible
-identified [b]?
+information reviews; records of response to nonpublic information on public websites;
-•
+system audit logs and records; security awareness training records; other relevant
-  Are methods employed to ensure that only authorized connections are being made to
+documents or records].
-external systems (e.g., requiring log-ins or certificates, access from a specific IP address,
+'''Interview <br />
+'''[SELECT FROM: Personnel with responsibilities for managing publicly accessible
-or access via VPN) [c,e]?
+information posted on organizational systems; personnel with information security
-•
+responsibilities].
-  Are methods employed to confirm that only authorized external systems are connecting
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing management of publicly accessible content].
-(e.g., if employees are receiving company email on personal cell phones, is the OSA
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#24|12]] '''
-checking to verify that only known/expected devices are connecting) [d]?
+In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the
-•
+public is not authorized access to nonpublic information (e.g., information protected under
-  Is the use of external systems limited, including by policy or physical control [f]?
+the Privacy Act, FCI, and proprietary information). This requirement addresses systems that
-'''KEY REFERENCES '''
-•
-  FAR Clause 52.204-21 b.1.iii
+ NIST SP 800-171A, p. 18
-•
-  NIST SP 800-171 Rev. 2 3.1.20
+ NIST SP 800-171 Rev. 2, p. 16
@@ Line 1,892: / Line 1,709: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''AC.L1-B.1.IV – CONTROL PUBLIC INFORMATION [FCI DATA] '''
+are controlled by the organization and accessible to the public, typically without
-Control information posted or processed on publicly accessible information systems.
+identification or authentication. Individuals authorized to post FCI onto publicly accessible
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#24|11 ]]'''
+systems are designated.  The content of information is reviewed prior to posting onto
-Determine if: <br />
+publicly accessible systems to ensure that nonpublic information is not included.
-[a]
-individuals authorized to post or process information on publicly accessible systems
+'''FURTHER DISCUSSION '''
-are identified; <br />
+Only government officials can be authorized to publicly release FCI. Do not allow FCI to
-[b]
-procedures to ensure [FCI] is not posted or processed on publicly accessible
+become public – always safeguard the confidentiality of FCI by controlling the posting of FCI
-systems are identified; <br />
+on company-controlled websites or public forums  and the exposure of FCI in public
-[c]
-a review process is in place prior to posting of any content to publicly accessible
+presentations or on public displays. It is important to know which users are allowed to
-systems; <br />
+publish  information on publicly accessible systems, like your company website, and
-[d]
-content on publicly accessible systems is reviewed to ensure that it does not include
+implement a review process before posting such information. If FCI is discovered on a
-[FCI]; and <br />
+publicly accessible system, procedures should be in place to remove that information and
-[e]
-mechanisms are in place to remove and address improper posting of [FCI].
+alert the appropriate parties.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]11 '''
+'''Example <br />
+'''Your company decides to start issuing press releases about its projects in an effort to reach
-'''Examine <br />
+more potential customers. Your company receives FCI from the government as part of its
-'''[SELECT FROM: Access control policy; procedures addressing publicly accessible content;
-system security plan; list of users authorized to post publicly accessible content on
+DoD contract. Because you recognize the need to manage controlled information, including
-organizational systems; training materials and/or records; records of publicly accessible
+FCI, you meet with the employees who write the releases and post information to establish
-information reviews; records of response to nonpublic information on public websites;
+a review process [c]. It is decided that you will review press releases for FCI before posting
-system audit logs and records; security awareness training records; other relevant
+it on the company website [a,d]. Only certain employees will be authorized to post to the
-documents or records].
+website [a].
-'''Interview <br />
+'''Potential Assessment Considerations <br />
-'''[SELECT FROM: Personnel with responsibilities for managing publicly accessible
+'''•
-information posted on organizational systems; personnel with information security
+  Does information on externally facing systems (e.g., publicly accessible) have a
-responsibilities].
+documented approval chain for public release [c]?
-'''Test <br />
+'''KEY REFERENCES '''
-'''[SELECT FROM: Mechanisms implementing management of publicly accessible content].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#24|12]] '''
+•
-In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the
+  FAR Clause 52.204-21 b.1.iv
-public is not authorized access to nonpublic information (e.g., information protected under
+•
-the Privacy Act, FCI, and proprietary information). This requirement addresses systems that
+  NIST SP 800-171 Rev. 2 3.1.22
- NIST SP 800-171A, p. 18
- NIST SP 800-171 Rev. 2, p. 16
+IA.L1-b.1.v – Identification [FCI Data]
+CMMC Assessment Guide – Level 1 | Version 2.13
-AC.L1-b.1.iv – Control Public Information [FCI Data]
+Identification and Authentication (IA) <br />
+'''IA.L1-B.1.V – IDENTIFICATION [FCI DATA] '''
-CMMC Assessment Guide – Level 1 | Version 2.13
+Identify information system users, processes acting on behalf of users, or devices.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|13 ]]'''
+Determine if: <br />
+[a]
-are controlled by the organization and accessible to the public, typically without
+system users are identified;
-identification or authentication. Individuals authorized to post FCI onto publicly accessible
+[b]
-systems are designated.  The content of information is reviewed prior to posting onto
+processes acting on behalf of users are identified; and
-publicly accessible systems to ensure that nonpublic information is not included.
+[c]
-'''FURTHER DISCUSSION '''
+devices accessing the system are identified.
-Only government officials can be authorized to publicly release FCI. Do not allow FCI to
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]13 '''
-become public – always safeguard the confidentiality of FCI by controlling the posting of FCI
+'''Examine <br />
+'''[SELECT FROM: Identification and authentication policy; procedures addressing user
-on company-controlled websites or public forums  and the exposure of FCI in public
+identification and authentication; system security plan, system design documentation;
-presentations or on public displays. It is important to know which users are allowed to
+system configuration settings and associated documentation; system audit logs and records;
-publish  information on publicly accessible systems, like your company website, and
+list of system accounts; other relevant documents or records].
-implement a review process before posting such information. If FCI is discovered on a
+'''Interview <br />
+'''[SELECT  FROM: Personnel with system operations responsibilities; personnel with
-publicly accessible system, procedures should be in place to remove that information and
+information security responsibilities; system or network administrators; personnel with
-alert the appropriate parties.
+account management responsibilities; system developers].
-'''Example <br />
+'''Test <br />
-'''Your company decides to start issuing press releases about its projects in an effort to reach
+'''[SELECT FROM: Organizational processes for uniquely identifying and authenticating users;
-more potential customers. Your company receives FCI from the government as part of its
+mechanisms supporting or implementing identification and authentication capability].
-DoD contract. Because you recognize the need to manage controlled information, including
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|14]] '''
-FCI, you meet with the employees who write the releases and post information to establish
+Common device identifiers include media access control (MAC),  Internet Protocol (IP)
-a review process [c]. It is decided that you will review press releases for FCI before posting
+addresses, or device-unique token identifiers. Management of individual identifiers is not
-it on the company website [a,d]. Only certain employees will be authorized to post to the
+applicable to shared system accounts. Typically, individual identifiers are the user names
-website [a].
+associated with the system accounts assigned to those individuals.  Organizations may
-'''Potential Assessment Considerations <br />
+require unique identification of individuals in group accounts or for detailed accountability
-'''•
-  Does information on externally facing systems (e.g., publicly accessible) have a
+of individual activity. In addition, this requirement addresses individual identifiers that are
-documented approval chain for public release [c]?
+not necessarily associated with system accounts.  Organizational devices requiring
-'''KEY REFERENCES '''
-•
-  FAR Clause 52.204-21 b.1.iv
+ NIST SP 800-171A, p. 31
-•
-  NIST SP 800-171 Rev. 2 3.1.22
+ NIST SP 800-171 Rev. 2, p. 23
@@ Line 2,060: / Line 1,872: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-Identification and Authentication (IA) <br />
+identification may be defined by type, by device, or by a combination of type/device.
-'''IA.L1-B.1.V – IDENTIFICATION [FCI DATA] '''
-Identify information system users, processes acting on behalf of users, or devices.
+NIST SP 800-63-3 provides guidance on digital identities.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|13 ]]'''
+'''FURTHER DISCUSSION '''
-Determine if: <br />
+Individual, unique identifiers (e.g., user names) should be assigned to all users and processes
-[a]
-system users are identified;
+that  access company systems. Authorized devices also should have unique identifiers.
-[b]
+Unique identifiers can be as simple as a short set of alphanumeric characters (e.g., SW001
-processes acting on behalf of users are identified; and
+could refer to a network switch, SW002 could refer to a different network switch). <br />
+This requirement, IA.L1-b.1.v, provides a vetted and trusted identity that supports the access
-[c]
+control mechanism required by AC.L1-b.1.i.
-devices accessing the system are identified.
+'''Example <br />
+'''You want to make sure  that all employees working on a project can access important
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]13 '''
+information about it. Because this is work for the DoD and contains FCI, you also need to
-'''Examine <br />
+prevent employees who are not working on that project from being able to access the
-'''[SELECT FROM: Identification and authentication policy; procedures addressing user
-identification and authentication; system security plan, system design documentation;
+information. You assign each employee a unique user ID, which they use to log on to the
-system configuration settings and associated documentation; system audit logs and records;
+system [a].
-list of system accounts; other relevant documents or records].
+'''Potential Assessment Considerations <br />
+'''•
-'''Interview <br />
+  Are unique identifiers issued to individual users (e.g., usernames) [a]?
-'''[SELECT  FROM: Personnel with system operations responsibilities; personnel with
-information security responsibilities; system or network administrators; personnel with
+•
-account management responsibilities; system developers].
+  Are the processes and service accounts that an authorized user initiates identified (e.g.,
-'''Test <br />
+scripts, automatic updates, configuration updates, vulnerability scans) [b]?
-'''[SELECT FROM: Organizational processes for uniquely identifying and authenticating users;
-mechanisms supporting or implementing identification and authentication capability].
+•
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|14]] '''
+  Are unique device identifiers used for devices that access the system identified [c]?
-Common device identifiers include media access control (MAC),  Internet Protocol (IP)
+'''KEY REFERENCES'''
-addresses, or device-unique token identifiers. Management of individual identifiers is not
+•
-applicable to shared system accounts. Typically, individual identifiers are the user names
+  FAR Clause 52.204-21 b.1.v
-associated with the system accounts assigned to those individuals.  Organizations may
+•
-require unique identification of individuals in group accounts or for detailed accountability
+  NIST SP 800-171 Rev. 2 3.5.1
-of individual activity. In addition, this requirement addresses individual identifiers that are
-not necessarily associated with system accounts.  Organizational devices requiring
- NIST SP 800-171A, p. 31
- NIST SP 800-171 Rev. 2, p. 23
+IA.L1-b.1.vi – Authentication [FCI Data]
+CMMC Assessment Guide – Level 1 | Version 2.13
+'''IA.L1-B.1.VI – AUTHENTICATION [FCI DATA] '''
+Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite
+to allowing access to organizational information systems.
-IA.L1-b.1.v – Identification [FCI Data]
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#28|15 ]]'''
-CMMC Assessment Guide – Level 1 | Version 2.13
+Determine if: <br />
+[a]
+the identity of each user is authenticated or verified as a prerequisite to system
+access; <br />
+[b]
-identification may be defined by type, by device, or by a combination of type/device.
+the identity of each process acting on behalf of a user is authenticated or verified as
-NIST SP 800-63-3 provides guidance on digital identities.
+a prerequisite to system access; and <br />
+[c]
-'''FURTHER DISCUSSION '''
+the identity of each device accessing or connecting to the system is authenticated or
-Individual, unique identifiers (e.g., user names) should be assigned to all users and processes
+verified as a prerequisite to system access.
-that  access company systems. Authorized devices also should have unique identifiers.
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]15 '''
-Unique identifiers can be as simple as a short set of alphanumeric characters (e.g., SW001
+'''Examine <br />
+'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
-could refer to a network switch, SW002 could refer to a different network switch). <br />
+addressing authenticator management; procedures addressing user identification and
-This requirement, IA.L1-b.1.v, provides a vetted and trusted identity that supports the access
-control mechanism required by AC.L1-b.1.i.
+authentication; system design documentation; list of system authenticator types; system
-'''Example <br />
+configuration settings and associated documentation; change control records associated
-'''You want to make sure  that all employees working on a project can access important
-information about it. Because this is work for the DoD and contains FCI, you also need to
+with managing system authenticators; system audit logs and records; other relevant
-prevent employees who are not working on that project from being able to access the
+documents or records].
-information. You assign each employee a unique user ID, which they use to log on to the
+'''Interview <br />
+'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-system [a].
+information security responsibilities; system or network administrators].
+'''Test <br />
+'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
-'''Potential Assessment Considerations <br />
+capability].
-'''•
-  Are unique identifiers issued to individual users (e.g., usernames) [a]?
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#28|16]] '''
-•
+Individual authenticators include the following: passwords, key cards, cryptographic
-  Are the processes and service accounts that an authorized user initiates identified (e.g.,
+devices, and one-time password devices. Initial authenticator content is the actual content
-scripts, automatic updates, configuration updates, vulnerability scans) [b]?
+of the authenticator, for example, the initial password. In contrast, the requirements about
-•
+authenticator content include the minimum password length.  Developers ship system
-  Are unique device identifiers used for devices that access the system identified [c]?
+components with factory default authentication credentials to allow for initial installation
-'''KEY REFERENCES'''
-•
-  FAR Clause 52.204-21 b.1.v
+ NIST SP 800-171A, p. 31
-•
-  NIST SP 800-171 Rev. 2 3.5.1
+ NIST SP 800-171 Rev. 2, p. 23
@@ Line 2,216: / Line 2,031: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''IA.L1-B.1.VI – AUTHENTICATION [FCI DATA] '''
+and configuration.  Default authentication credentials are often well known, easily
-Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite
+discoverable, and present a significant security risk. <br />
+Systems support authenticator management by organization-defined settings and
-to allowing access to organizational information systems.
+restrictions for various authenticator characteristics including minimum password length,
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#28|15 ]]'''
+validation time window for time synchronous one-time tokens, and number of allowed
-Determine if: <br />
+rejections during the verification stage of biometric authentication.  Authenticator
-[a]
-the identity of each user is authenticated or verified as a prerequisite to system
+management includes issuing and revoking, when no longer needed, authenticators for
-access; <br />
+temporary access such as that required for remote maintenance.  Device authenticators
-[b]
-the identity of each process acting on behalf of a user is authenticated or verified as
+include certificates and passwords. <br />
+NIST SP 800-63-3 provides guidance on digital identities.
-a prerequisite to system access; and <br />
+'''FURTHER DISCUSSION '''
-[c]
-the identity of each device accessing or connecting to the system is authenticated or
+Before a person or device is given system access, verify that the user or device is who or what
-verified as a prerequisite to system access.
+it claims to be. This verification is called authentication. The most common way to verify
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]15 '''
+identity is using a username and a hard-to-guess password. <br />
+Some devices ship with a default username (e.g., admin) and password. A default username
-'''Examine <br />
+and password should be immediately changed to something unique. Default passwords may
-'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
-addressing authenticator management; procedures addressing user identification and
+be  well known to the public,  easily found in a search, or easy to guess,  allowing  an
-authentication; system design documentation; list of system authenticator types; system
+unauthorized person to access the system.
-configuration settings and associated documentation; change control records associated
+'''Example 1 <br />
+'''You are in charge of purchasing laptops that will store FCI. You know that some laptops come
-with managing system authenticators; system audit logs and records; other relevant
+with a default username and password. You notify IT that all default passwords should be
-documents or records].
+reset prior to laptop use [a]. You ask IT to explain the importance of resetting default
-'''Interview <br />
+passwords and convey how easily they are discovered using internet searches during next
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators].
+week’s cybersecurity awareness training.
-'''Test <br />
+'''Example 2 <br />
-'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
+'''Your company decides to use cloud services for email and other capabilities  that will
-capability].
+transmit FCI. Upon reviewing this requirement, you realize every user or device that
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#28|16]] '''
+connects to the cloud service must be authenticated. As a result, you work with your cloud
-Individual authenticators include the following: passwords, key cards, cryptographic
+service provider to ensure that only properly authenticated users and devices are allowed
-devices, and one-time password devices. Initial authenticator content is the actual content
+to connect to the system [a,c].
-of the authenticator, for example, the initial password. In contrast, the requirements about
+'''Potential Assessment Considerations <br />
+'''•
-authenticator content include the minimum password length.  Developers ship system
+  Are unique authenticators used to verify user identities (e.g., usernames and passwords)
-components with factory default authentication credentials to allow for initial installation
+[a]?
+•
+  An example of a process acting on behalf of users could be a script that logs in as a person
- NIST SP 800-171A, p. 31
+or service account [b]. Can the OSA show that it maintains a record of all of those service
+accounts for use when reviewing log data or responding to an incident?
- NIST SP 800-171 Rev. 2, p. 23
@@ Line 2,305: / Line 2,118: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-and configuration.  Default authentication credentials are often well known, easily
+•
-discoverable, and present a significant security risk. <br />
+  Are user credentials authenticated in system processes (e.g., credentials binding,
-Systems support authenticator management by organization-defined settings and
-restrictions for various authenticator characteristics including minimum password length,
+certificates, tokens) [b]?
-validation time window for time synchronous one-time tokens, and number of allowed
+•
-rejections during the verification stage of biometric authentication.  Authenticator
+  Are device identifiers used in authentication processes (e.g., MAC address, non-
-management includes issuing and revoking, when no longer needed, authenticators for
+anonymous computer name, certificates) [c]?
-temporary access such as that required for remote maintenance.  Device authenticators
+'''KEY REFERENCES '''
-include certificates and passwords. <br />
+•
-NIST SP 800-63-3 provides guidance on digital identities.
-'''FURTHER DISCUSSION '''
+  FAR Clause 52.204-21 b.1.vi
-Before a person or device is given system access, verify that the user or device is who or what
+•
-it claims to be. This verification is called authentication. The most common way to verify
+  NIST SP 800-171 Rev. 2 3.5.2
-identity is using a username and a hard-to-guess password. <br />
-Some devices ship with a default username (e.g., admin) and password. A default username
-and password should be immediately changed to something unique. Default passwords may
-be  well known to the public,  easily found in a search, or easy to guess,  allowing  an
-unauthorized person to access the system.
-'''Example 1 <br />
-'''You are in charge of purchasing laptops that will store FCI. You know that some laptops come
-with a default username and password. You notify IT that all default passwords should be
-reset prior to laptop use [a]. You ask IT to explain the importance of resetting default
-passwords and convey how easily they are discovered using internet searches during next
-week’s cybersecurity awareness training.
-'''Example 2 <br />
+MP.L1-b.1.vii – Media Disposal [FCI Data]
-'''Your company decides to use cloud services for email and other capabilities  that will
-transmit FCI. Upon reviewing this requirement, you realize every user or device that
+CMMC Assessment Guide – Level 1 | Version 2.13
-connects to the cloud service must be authenticated. As a result, you work with your cloud
-service provider to ensure that only properly authenticated users and devices are allowed
-to connect to the system [a,c].
+Media Protection (MP) <br />
+'''MP.L1-B.1.VII – MEDIA DISPOSAL [FCI DATA] '''
-'''Potential Assessment Considerations <br />
+Sanitize or destroy  information  system  media  containing  Federal Contract Information
-'''•
-  Are unique authenticators used to verify user identities (e.g., usernames and passwords)
+before disposal or release for reuse.
-[a]?
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|17 ]]'''
-•
+Determine if: <br />
+[a]
-  An example of a process acting on behalf of users could be a script that logs in as a person
+system media containing [FCI] is sanitized or destroyed before disposal; and
-or service account [b]. Can the OSA show that it maintains a record of all of those service
+[b]
-accounts for use when reviewing log data or responding to an incident?
+system media containing [FCI] is sanitized before it is released for reuse.
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|18 ]]'''
+'''Examine <br />
+'''[SELECT FROM: System media protection policy; procedures addressing media sanitization
+and disposal; applicable standards and policies addressing media sanitization; system
+security plan; media sanitization records; system audit logs and records; system design
+documentation; system configuration settings and associated documentation; other relevant
+documents or records].
+'''Interview <br />
+'''[SELECT FROM: Personnel with media sanitization responsibilities; personnel with
+information security responsibilities; system or network administrators].
-IA.L1-b.1.vi – Authentication [FCI Data]
+'''Test <br />
+'''[SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or
-CMMC Assessment Guide – Level 1 | Version 2.13
+implementing media sanitization].
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|19]] '''
+This requirement applies to all system media, digital and non-digital, subject to disposal or
-•
+reuse.  Examples  include: digital media found in workstations, network components,
-  Are user credentials authenticated in system processes (e.g., credentials binding,
+scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media
-certificates, tokens) [b]?
+such as paper and microfilm. The sanitization process removes information from the media
-•
+such that the information cannot be retrieved or reconstructed.  Sanitization techniques,
-  Are device identifiers used in authentication processes (e.g., MAC address, non-
+including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of
-anonymous computer name, certificates) [c]?
+information to unauthorized individuals when such media is released for reuse or disposal.
-'''KEY REFERENCES '''
-•
-  FAR Clause 52.204-21 b.1.vi
+ NIST SP 800-171A, p. 41
-•
+ NIST SP 800-171A, p. 42
-  NIST SP 800-171 Rev. 2 3.5.2
+  NIST SP 800-171 Rev. 2, p. 29
@@ Line 2,433: / Line 2,247: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-Media Protection (MP) <br />
+Organizations determine the appropriate sanitization methods, recognizing that destruction
-'''MP.L1-B.1.VII – MEDIA DISPOSAL [FCI DATA] '''
-Sanitize or destroy  information  system  media  containing  Federal Contract Information
+may be necessary when other methods cannot be applied to the media requiring sanitization. <br />
+Organizations use discretion on the employment of sanitization techniques and procedures
-before disposal or release for reuse.
+for media containing information that is in the public domain or publicly releasable or
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|17 ]]'''
+deemed to have no adverse impact on organizations or individuals if released for reuse or
-Determine if: <br />
+disposal.  Sanitization of non-digital media includes destruction, removing FCI from
-[a]
-system media containing [FCI] is sanitized or destroyed before disposal; and
+documents, or redacting selected sections or words from a document by obscuring the
-[b]
+redacted sections or words in a manner equivalent in effectiveness to removing the words
-system media containing [FCI] is sanitized before it is released for reuse.
+or sections from the document. NARA policy and guidance control sanitization processes.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|18 ]]'''
+NIST SP 800-88 provides guidance on media sanitization.
-'''Examine <br />
+'''FURTHER DISCUSSION '''
-'''[SELECT FROM: System media protection policy; procedures addressing media sanitization
-and disposal; applicable standards and policies addressing media sanitization; system
+Media can include a broad range of items that store information, including paper documents,
-security plan; media sanitization records; system audit logs and records; system design
+disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important
-documentation; system configuration settings and associated documentation; other relevant
+to know what information is on media so that you can handle it properly. If there is FCI, you
-documents or records].
+or someone in your company should either: <br />
+•
-'''Interview <br />
+  shred or destroy the device before disposal so it cannot be read; or
-'''[SELECT FROM: Personnel with media sanitization responsibilities; personnel with
-information security responsibilities; system or network administrators].
+•
-'''Test <br />
+  clean or purge the information, if you want to reuse the device.
-'''[SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or
-implementing media sanitization].
+See NIST Special Publication 800-88, Revision 1, ''Guidelines for Media Sanitization'', for more
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|19]] '''
+information.
-This requirement applies to all system media, digital and non-digital, subject to disposal or
+'''Example <br />
+'''As you pack for an office move, you find some old CDs in a file cabinet. You determine that
-reuse.  Examples  include: digital media found in workstations, network components,
+one has FCI from a project your company did for the DoD. You shred the CD rather than
-scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media
+simply throwing it in the trash [a].
-such as paper and microfilm. The sanitization process removes information from the media
+'''Potential Assessment Considerations <br />
+'''•
-such that the information cannot be retrieved or reconstructed.  Sanitization techniques,
+  Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure
-including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of
+that no usable data is retrievable [a,b]?
-information to unauthorized individuals when such media is released for reuse or disposal.
+'''KEY REFERENCES '''
+•
+  FAR Clause 52.204-21 b.1.vii
- NIST SP 800-171A, p. 41
+•
+  NIST SP 800-171 Rev. 2 3.8.3
-  NIST SP 800-171A, p. 42
- NIST SP 800-171 Rev. 2, p. 29
@@ Line 2,517: / Line 2,326: @@
-MP.L1-b.1.vii – Media Disposal [FCI Data]
+PE.L1-b.1.viii – Limit Physical Access [FCI Data]
 CMMC Assessment Guide – Level 1 | Version 2.13
-Organizations determine the appropriate sanitization methods, recognizing that destruction
+Physical Protection (PE) <br />
+'''PE.L1-B.1.VIII – LIMIT PHYSICAL ACCESS [FCI DATA] '''
-may be necessary when other methods cannot be applied to the media requiring sanitization. <br />
+Limit physical access to organizational information systems, equipment, and the respective
-Organizations use discretion on the employment of sanitization techniques and procedures
-for media containing information that is in the public domain or publicly releasable or
+operating environments to authorized individuals.
-deemed to have no adverse impact on organizations or individuals if released for reuse or
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|20 ]]'''
-disposal.  Sanitization of non-digital media includes destruction, removing FCI from
+Determine if: <br />
+[a]
-documents, or redacting selected sections or words from a document by obscuring the
+authorized individuals allowed physical access are identified;
-redacted sections or words in a manner equivalent in effectiveness to removing the words
+[b]
-or sections from the document. NARA policy and guidance control sanitization processes.
+physical access to organizational systems is limited to authorized individuals;
-NIST SP 800-88 provides guidance on media sanitization.
+[c]
-'''FURTHER DISCUSSION '''
+physical access to equipment is limited to authorized individuals; and
-Media can include a broad range of items that store information, including paper documents,
+[d]
-disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important
+physical access to operating environments is limited to authorized individuals.
-to know what information is on media so that you can handle it properly. If there is FCI, you
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]20 '''
-or someone in your company should either: <br />
+'''Examine <br />
-•
+'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-  shred or destroy the device before disposal so it cannot be read; or
+physical access authorizations; system security plan; authorized personnel access list;
-•
+authorization credentials; physical access list reviews; physical access termination records
-  clean or purge the information, if you want to reuse the device.
+and associated documentation; other relevant documents or records].
-See NIST Special Publication 800-88, Revision 1, ''Guidelines for Media Sanitization'', for more
+'''Interview <br />
+'''[SELECT FROM: Personnel with physical access authorization responsibilities; personnel
-information.
+with physical access to system facility; personnel with information security responsibilities].
-'''Example <br />
+'''Test <br />
-'''As you pack for an office move, you find some old CDs in a file cabinet. You determine that
+'''[SELECT FROM: Organizational processes for physical access authorizations; mechanisms
-one has FCI from a project your company did for the DoD. You shred the CD rather than
+supporting or implementing physical access authorizations].
-simply throwing it in the trash [a].
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|21]] '''
-'''Potential Assessment Considerations <br />
+This requirement applies to employees, individuals with permanent physical access
-'''•
-  Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure
+authorization credentials, and visitors. Authorized individuals have credentials that include
-that no usable data is retrievable [a,b]?
+badges,  identification cards, and smart cards.  Organizations determine the strength of
-'''KEY REFERENCES '''
+authorization credentials needed consistent with applicable laws, directives, policies,
-•
-  FAR Clause 52.204-21 b.1.vii
-•
+ NIST SP 800-171A, p. 46
-  NIST SP 800-171 Rev. 2 3.8.3
+  NIST SP 800-171 Rev. 2, p. 32
@@ Line 2,604: / Line 2,414: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-Physical Protection (PE) <br />
+regulations, standards, procedures, and guidelines. This requirement applies only to areas
-'''PE.L1-B.1.VIII – LIMIT PHYSICAL ACCESS [FCI DATA] '''
-Limit physical access to organizational information systems, equipment, and the respective
+within facilities that have not been designated as publicly accessible. <br />
+Limiting physical access to equipment may include placing equipment in locked rooms or
-operating environments to authorized individuals.
+other secured areas and allowing access to authorized individuals only,  and placing
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|20 ]]'''
+equipment in locations that can be monitored by organizational personnel.  Computing
-Determine if: <br />
+devices, external disk drives, networking devices, monitors, printers, copiers, scanners,
-[a]
-authorized individuals allowed physical access are identified;
+facsimile machines, and audio devices are examples of equipment.
-[b]
+'''FURTHER DISCUSSION '''
-physical access to organizational systems is limited to authorized individuals;
+This addresses the company’s physical space (e.g., office, testing environments, equipment
-[c]
+rooms), technical assets, and non-technical assets that need to be protected from
-physical access to equipment is limited to authorized individuals; and
+unauthorized physical access. Specific environments are limited to authorized employees,
-[d]
+and access is controlled with badges, electronic locks, physical key locks, etc. <br />
+Output devices, such as printers, are placed in areas where their use does not expose data to
-physical access to operating environments is limited to authorized individuals.
+unauthorized individuals. Lists of personnel with authorized  access are developed and
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]20 '''
+maintained, and personnel are issued appropriate authorization credentials.
-'''Examine <br />
+'''Example <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
+'''You manage a DoD project that stores FCI on computers used only by project team members
-physical access authorizations; system security plan; authorized personnel access list;
+[b,c]. You work with the facilities manager to put locks on the doors to the areas where the
-authorization credentials; physical access list reviews; physical access termination records
+computers are stored and used [b,c,d]. Project team members are the only individuals issued
-and associated documentation; other relevant documents or records].
+with keys to the space. This restricts access to only those employees who work on the DoD
-'''Interview <br />
+project and require access.
-'''[SELECT FROM: Personnel with physical access authorization responsibilities; personnel
-with physical access to system facility; personnel with information security responsibilities].
+'''Potential Assessment Considerations <br />
+'''•
-'''Test <br />
+  Are lists of personnel with authorized access developed and maintained, and are
-'''[SELECT FROM: Organizational processes for physical access authorizations; mechanisms
-supporting or implementing physical access authorizations].
+appropriate authorization credentials issued [a]?
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|21]] '''
+•
-This requirement applies to employees, individuals with permanent physical access
+  Has the facility/building manager designated building areas as “sensitive” and designed
+physical security protections (e.g., guards, locks, cameras, card readers) to limit physical
+access to the area to only authorized employees [b,c,d]?
-authorization credentials, and visitors. Authorized individuals have credentials that include
+•
-badges,  identification cards, and smart cards.  Organizations determine the strength of
+  Are output devices such as printers placed in areas where their use does not expose data
-authorization credentials needed consistent with applicable laws, directives, policies,
+to unauthorized individuals [c]?
+'''KEY REFERENCES '''
+•
- NIST SP 800-171A, p. 46
+  FAR Clause 52.204-21 b.1.viii
+•
- NIST SP 800-171 Rev. 2, p. 32
+  NIST SP 800-171 Rev. 2 3.10.1
@@ Line 2,684: / Line 2,497: @@
-PE.L1-b.1.viii – Limit Physical Access [FCI Data]
+PE.L1-b.1.ix – Manage Visitors &amp; Physical Access [FCI Data]
 CMMC Assessment Guide – Level 1 | Version 2.13
-regulations, standards, procedures, and guidelines. This requirement applies only to areas
+'''PE.L1-B.1.IX – MANAGE VISITORS &amp; PHYSICAL ACCESS [FCI DATA] '''
-within facilities that have not been designated as publicly accessible. <br />
+Escort visitors and monitor visitor activity; maintain audit logs of physical access; and
-Limiting physical access to equipment may include placing equipment in locked rooms or
-other secured areas and allowing access to authorized individuals only,  and placing
+control and manage physical access devices.
-equipment in locations that can be monitored by organizational personnel.  Computing
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|22 ]]'''
-devices, external disk drives, networking devices, monitors, printers, copiers, scanners,
+Determine if: <br />
+[a]
-facsimile machines, and audio devices are examples of equipment.
+visitors are escorted;
-'''FURTHER DISCUSSION '''
+[b]
-This addresses the company’s physical space (e.g., office, testing environments, equipment
+visitor activity is monitored;
-rooms), technical assets, and non-technical assets that need to be protected from
+[c]
-unauthorized physical access. Specific environments are limited to authorized employees,
+audit logs of physical access are maintained;
-and access is controlled with badges, electronic locks, physical key locks, etc. <br />
+[d]
-Output devices, such as printers, are placed in areas where their use does not expose data to
-unauthorized individuals. Lists of personnel with authorized  access are developed and
+physical access devices are identified;
-maintained, and personnel are issued appropriate authorization credentials.
+[e]
-'''Example <br />
+physical access devices are controlled; and
-'''You manage a DoD project that stores FCI on computers used only by project team members
-[b,c]. You work with the facilities manager to put locks on the doors to the areas where the
+[f]
-computers are stored and used [b,c,d]. Project team members are the only individuals issued
+physical access devices are managed.
-with keys to the space. This restricts access to only those employees who work on the DoD
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|23 ]]'''
-project and require access.
+'''Examine <br />
+'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-'''Potential Assessment Considerations <br />
+physical access control; system security plan; physical access control logs or records;
-'''•
-  Are lists of personnel with authorized access developed and maintained, and are
+inventory records of physical access control devices; system entry and exit points; records
-appropriate authorization credentials issued [a]?
+of key and lock combination changes; storage locations for physical access control devices;
-•
+physical access control devices; list of security safeguards controlling access to designated
-  Has the facility/building manager designated building areas as “sensitive” and designed
+publicly accessible areas within facility; other relevant documents or records].
-physical security protections (e.g., guards, locks, cameras, card readers) to limit physical
+'''Interview <br />
+'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
-access to the area to only authorized employees [b,c,d]?
+information security responsibilities].
-•
+'''Test <br />
+'''[SELECT FROM: Organizational processes for physical access control; mechanisms
-  Are output devices such as printers placed in areas where their use does not expose data
+supporting or implementing physical access control; physical access control devices].
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|24]] '''
+Individuals with permanent physical access authorization credentials are not considered
+visitors. Audit logs can be used to monitor visitor activity.
-to unauthorized individuals [c]?
-'''KEY REFERENCES '''
+ NIST SP 800-171A, p.47
-•
-  FAR Clause 52.204-21 b.1.viii
+ NIST SP 800-171A, pp. 47-48
-•
-  NIST SP 800-171 Rev. 2 3.10.1
+ NIST SP 800-171 Rev. 2, pp. 32-33
@@ Line 2,775: / Line 2,596: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''PE.L1-B.1.IX – MANAGE VISITORS &amp; PHYSICAL ACCESS [FCI DATA] '''
+Organizations have flexibility in the types of audit logs employed. Audit logs can be
-Escort visitors and monitor visitor activity; maintain audit logs of physical access; and
+procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing
-control and manage physical access devices.
+ID provided by a Personal Identity Verification (PIV) card), or some combination thereof.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|22 ]]'''
+Physical access points can include facility access points, interior access points to systems or
-Determine if: <br />
+system components requiring supplemental access controls, or both. System components
-[a]
-visitors are escorted;
+(e.g., workstations, notebook computers) may be in areas designated as publicly accessible
-[b]
+with organizations safeguarding access to such devices. <br />
+Physical access devices include keys, locks, combinations, and card readers.
-visitor activity is monitored;
+'''FURTHER DISCUSSION '''
-[c]
+Do not allow visitors, even those people you know well, to walk around your facility without
-audit logs of physical access are maintained;
+an escort. All non-employees should wear special visitor badges and/or are escorted by an
-[d]
+employee at all times while on the property. <br />
+Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can
-physical access devices are identified;
+do this in writing by having employees and visitors sign in and sign out or by electronic
-[e]
+means such as badge readers. Whatever means you use, you need to retain the access records
-physical access devices are controlled; and
+for the time period that your company has defined. <br />
+Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as
-[f]
+important as monitoring and limiting who is able to physically access certain equipment.
-physical access devices are managed.
+Physical access devices are only strong protection if you know who has them and what access
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|23 ]]'''
+they allow. Physical access devices can be managed using manual or automatic processes
-'''Examine <br />
+such a list of who is assigned what key, or updating the badge access system as personnel
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-physical access control; system security plan; physical access control logs or records;
+change roles.
-inventory records of physical access control devices; system entry and exit points; records
+'''Example 1 <br />
+'''Coming back from a meeting, you see the friend of a coworker walking down the hallway
-of key and lock combination changes; storage locations for physical access control devices;
+near your office where FCI is stored. You know this person well and trust them, but are not
-physical access control devices; list of security safeguards controlling access to designated
+sure why they are in the building. You stop to talk, and the person explains that they are
-publicly accessible areas within facility; other relevant documents or records].
+meeting a coworker for lunch, but cannot remember where the lunchroom is. You walk the
-'''Interview <br />
+person back to the reception area to get a visitor badge and wait until someone can escort
-'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
-information security responsibilities].
+them to the lunchroom [a]. You report this incident, and the company decides to install a
-'''Test <br />
+badge reader at the main door so visitors cannot enter without an escort [a].
-'''[SELECT FROM: Organizational processes for physical access control; mechanisms
-supporting or implementing physical access control; physical access control devices].
+'''Example 2 <br />
+'''You and your coworkers like to have friends and family join you for lunch at the office on
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#35|24]] '''
+Fridays. Your small company has just signed a contract with the DoD in which your company
-Individuals with permanent physical access authorization credentials are not considered
+will receive FCI and you now need to document who enters and leaves your facility. You work
-visitors. Audit logs can be used to monitor visitor activity.
+with the reception staff to ensure that all non-employees sign in at the reception area and
+sign out when they leave [c]. You retain those paper sign-in sheets in a locked filing cabinet
+for one year. Employees receive badges or key cards that enable tracking and logging access
- NIST SP 800-171A, p.47
+to company facilities.
- NIST SP 800-171A, pp. 47-48
- NIST SP 800-171 Rev. 2, pp. 32-33
@@ Line 2,870: / Line 2,684: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-Organizations have flexibility in the types of audit logs employed. Audit logs can be
+'''Example 3 <br />
+'''You are a facility manager. A team member retired today and returns their company keys to
-procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing
+you.  The project on which they were working requires  access to areas that contain
-ID provided by a Personal Identity Verification (PIV) card), or some combination thereof.
+equipment with FCI. You receive the keys, check your electronic records against the serial
-Physical access points can include facility access points, interior access points to systems or
+numbers on the keys to ensure all have been returned, and mark each key returned [f].
-system components requiring supplemental access controls, or both. System components
+'''Potential Assessment Considerations <br />
+'''•
-(e.g., workstations, notebook computers) may be in areas designated as publicly accessible
+  Are personnel required to accompany visitors to areas in a facility with physical access
-with organizations safeguarding access to such devices. <br />
+to organizational systems [a]?
-Physical access devices include keys, locks, combinations, and card readers.
-'''FURTHER DISCUSSION '''
+•
-Do not allow visitors, even those people you know well, to walk around your facility without
+  Are visitors clearly distinguishable from regular personnel [b]?
-an escort. All non-employees should wear special visitor badges and/or are escorted by an
+•
-employee at all times while on the property. <br />
+  Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon
-Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can
-do this in writing by having employees and visitors sign in and sign out or by electronic
+visitor departure, review of visitor audit logs) [b]?
-means such as badge readers. Whatever means you use, you need to retain the access records
+•
-for the time period that your company has defined. <br />
+  Are logs of physical access to sensitive areas (both authorized access and visitor access)
-Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as
-important as monitoring and limiting who is able to physically access certain equipment.
+maintained per retention requirements [c]?
-Physical access devices are only strong protection if you know who has them and what access
+•
-they allow. Physical access devices can be managed using manual or automatic processes
+  Are visitor access records retained for as long as required [c]?
-such a list of who is assigned what key, or updating the badge access system as personnel
+•
-change roles.
+  Are lists or inventories of physical access devices maintained (e.g., keys, facility badges,
-'''Example 1 <br />
+key cards) [d]?
-'''Coming back from a meeting, you see the friend of a coworker walking down the hallway
-near your office where FCI is stored. You know this person well and trust them, but are not
+•
-sure why they are in the building. You stop to talk, and the person explains that they are
+  Is  access to physical access devices  limited  (e.g.,  granted to, and accessible only by,
-meeting a coworker for lunch, but cannot remember where the lunchroom is. You walk the
+authorized individuals) [e]?
-person back to the reception area to get a visitor badge and wait until someone can escort
+•
-them to the lunchroom [a]. You report this incident, and the company decides to install a
+  Are physical access devices managed (e.g., revoking key card access when necessary,
-badge reader at the main door so visitors cannot enter without an escort [a].
+changing locks as needed, maintaining access control devices and systems) [f]?
-'''Example 2 <br />
+'''KEY REFERENCES '''
-'''You and your coworkers like to have friends and family join you for lunch at the office on
-Fridays. Your small company has just signed a contract with the DoD in which your company
+•
-will receive FCI and you now need to document who enters and leaves your facility. You work
+  FAR Clause 52.204-21 b.1.ix
+•
+  NIST SP 800-171 Rev. 2 3.10.3
+•
-with the reception staff to ensure that all non-employees sign in at the reception area and
+  NIST SP 800-171 Rev. 2 3.10.4
-sign out when they leave [c]. You retain those paper sign-in sheets in a locked filing cabinet
+•
-for one year. Employees receive badges or key cards that enable tracking and logging access
+  NIST SP 800-171 Rev. 2 3.10.5
-to company facilities.
@@ Line 2,954: / Line 2,771: @@
-PE.L1-b.1.ix – Manage Visitors &amp; Physical Access [FCI Data]
+SC.L1-b.1.x – Boundary Protection [FCI Data]
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''Example 3 <br />
+System and Communications Protection (SC) <br />
-'''You are a facility manager. A team member retired today and returns their company keys to
+'''SC.L1-B.1.X – BOUNDARY PROTECTION [FCI DATA] '''
-you.  The project on which they were working requires  access to areas that contain
+Monitor, control, and protect organizational communications (i.e., information transmitted
-equipment with FCI. You receive the keys, check your electronic records against the serial
+or received by organizational  information systems) at the external boundaries and key
-numbers on the keys to ensure all have been returned, and mark each key returned [f].
+internal boundaries of the information systems.
-'''Potential Assessment Considerations <br />
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|25 ]]'''
-'''•
-  Are personnel required to accompany visitors to areas in a facility with physical access
+Determine if: <br />
+[a]
-to organizational systems [a]?
+the external system boundary is defined;
-•
+[b]
-  Are visitors clearly distinguishable from regular personnel [b]?
+key internal system boundaries are defined;
-•
+[c]
-  Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon
+communications are monitored at the external system boundary;
-visitor departure, review of visitor audit logs) [b]?
+[d]
-•
+communications are monitored at key internal boundaries;
-  Are logs of physical access to sensitive areas (both authorized access and visitor access)
+[e]
-maintained per retention requirements [c]?
+communications are controlled at the external system boundary;
-•
+[f]
-  Are visitor access records retained for as long as required [c]?
+communications are controlled at key internal boundaries;
-•
+[g]
-  Are lists or inventories of physical access devices maintained (e.g., keys, facility badges,
+communications are protected at the external system boundary; and
-key cards) [d]?
+[h]
-•
+communications are protected at key internal boundaries.
-  Is  access to physical access devices  limited  (e.g.,  granted to, and accessible only by,
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]25 '''
-authorized individuals) [e]?
+'''Examine <br />
+'''[SELECT FROM: System and communications protection policy; procedures addressing
-•
+boundary protection; system security plan; list of key internal boundaries of the system;
-  Are physical access devices managed (e.g., revoking key card access when necessary,
+system design documentation; boundary protection hardware and software; enterprise
-changing locks as needed, maintaining access control devices and systems) [f]?
+security architecture documentation; system audit logs and records; system configuration
-'''KEY REFERENCES '''
+settings and associated documentation; other relevant documents or records].
-•
+'''Interview <br />
+'''[SELECT FROM: System or network administrators; personnel with information security
-  FAR Clause 52.204-21 b.1.ix
+responsibilities; system developers; personnel with boundary protection responsibilities].
-•
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing boundary protection capability].
-  NIST SP 800-171 Rev. 2 3.10.3
-•
-  NIST SP 800-171 Rev. 2 3.10.4
+ NIST SP 800-171A, p. 53
-•
-  NIST SP 800-171 Rev. 2 3.10.5
@@ Line 3,049: / Line 2,863: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-System and Communications Protection (SC) <br />
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#39|26]] '''
-'''SC.L1-B.1.X – BOUNDARY PROTECTION [FCI DATA] '''
-Monitor, control, and protect organizational communications (i.e., information transmitted
+Communications can be monitored, controlled, and protected at boundary components and
-or received by organizational  information systems) at the external boundaries and key
+by restricting or prohibiting interfaces in organizational systems.  Boundary components
-internal boundaries of the information systems.
+include gateways, routers, firewalls, guards, network-based malicious code analysis and
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|25 ]]'''
+virtualization systems, or encrypted tunnels implemented within a system security
-Determine if: <br />
+architecture (e.g., routers protecting firewalls or application gateways residing on protected
-[a]
-the external system boundary is defined;
+subnetworks).  Restricting or prohibiting interfaces in organizational systems includes
-[b]
+restricting external web communications traffic to designated web servers within managed
-key internal system boundaries are defined;
+interfaces and prohibiting external traffic that appears to be spoofing internal addresses. <br />
+Organizations consider the shared nature of commercial telecommunications services in the
-[c]
+implementation of security requirements associated with the use of such services.
-communications are monitored at the external system boundary;
+Commercial telecommunications services are commonly based on network components and
-[d]
+consolidated management systems shared by all attached commercial customers and may
-communications are monitored at key internal boundaries;
+also include third party-provided access lines and other service elements. Such transmission
-[e]
+services may represent sources of increased risk despite contract security provisions.
-communications are controlled at the external system boundary;
+NIST SP 800-41 provides guidance on firewalls and firewall policy.  NIST  SP 800-125B
-[f]
+provides guidance on security for virtualization technologies.
-communications are controlled at key internal boundaries;
+'''FURTHER DISCUSSION '''
-[g]
+Fences, locks, badges, and key cards help keep non-employees out of your physical facilities.
-communications are protected at the external system boundary; and
+Similarly, your company’s IT network or system has boundaries that must be protected.
-[h]
+Many companies use a web proxy and a firewall. <br />
+When an employee uses a company computer to go to a website, a web proxy makes the
-communications are protected at key internal boundaries.
+request on the user’s behalf, looks at the web request, and decides if it should let the
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]25 '''
+employee go to the website. <br />
+A firewall controls access from the inside and outside, protecting valuable information and
-'''Examine <br />
+resources stored on the company’s network. A firewall stops unwanted traffic on the internet
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system security plan; list of key internal boundaries of the system;
+from passing through an outside “fence” to the company’s networks and information
-system design documentation; boundary protection hardware and software; enterprise
+systems.  Internal boundaries determine where data can flow, for instance a software
-security architecture documentation; system audit logs and records; system configuration
+development environment may have its own boundary controlling, monitoring, and
-settings and associated documentation; other relevant documents or records].
+protecting the data that can leave that boundary. <br />
+It may be wise to monitor, control, or protect one part of the company network from another.
-'''Interview <br />
+This can also be accomplished  with a firewall  and  limits  the ability of attackers  and
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers; personnel with boundary protection responsibilities].
+disgruntled employees from entering sensitive parts of your internal network and causing
-'''Test <br />
+damage.
-'''[SELECT FROM: Mechanisms implementing boundary protection capability].
+'''Example <br />
+'''You are setting up the new network with an FCI enclave. You start by sketching out a simple
+diagram that identifies the external boundary of your network and any internal boundaries
+that are needed [a,b]. The first piece of equipment you install is the firewall, a device to
-  NIST SP 800-171A, p. 53
+  NIST SP 800-171 Rev. 2, p. 36
@@ Line 3,137: / Line 2,957: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#39|26]] '''
+separate your internal network from the internet. The firewall also has a feature that allows
-Communications can be monitored, controlled, and protected at boundary components and
+you to block access to potentially malicious websites, and you configure that service as well
-by restricting or prohibiting interfaces in organizational systems.  Boundary components
+[a,c,e,g]. Some of your coworkers complain that they cannot get to certain websites [c,e,g].
-include gateways, routers, firewalls, guards, network-based malicious code analysis and
+You explain that the new network blocks websites that are known for spreading malware.
-virtualization systems, or encrypted tunnels implemented within a system security
+The firewall sends you a daily digest of blocked activity so that you can monitor the system
-architecture (e.g., routers protecting firewalls or application gateways residing on protected
+for attack trends [c,d].
-subnetworks).  Restricting or prohibiting interfaces in organizational systems includes
+'''Potential Assessment Considerations <br />
+'''•
-restricting external web communications traffic to designated web servers within managed
+  What are the external system boundary components that make up the entry and exit
-interfaces and prohibiting external traffic that appears to be spoofing internal addresses. <br />
+points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all
-Organizations consider the shared nature of commercial telecommunications services in the
-implementation of security requirements associated with the use of such services.
+system components that handle regulated data are contained? What are the supporting
-Commercial telecommunications services are commonly based on network components and
+system components necessary for the protection of regulated data [a]?
-consolidated management systems shared by all attached commercial customers and may
+•
-also include third party-provided access lines and other service elements. Such transmission
+  What are the internal system boundary components that make up the entry and exit
-services may represent sources of increased risk despite contract security provisions.
+points for key internal data flow (e.g., internal firewalls, routers, any devices that can
-NIST SP 800-41 provides guidance on firewalls and firewall policy.  NIST  SP 800-125B
+bridge the connection between one segment of the system and another) that separate
-provides guidance on security for virtualization technologies.
+segments of the internal network  –  including devices that separate internal network
-'''FURTHER DISCUSSION '''
+segments such as development and production networks as well as a traditional DMZ at
-Fences, locks, badges, and key cards help keep non-employees out of your physical facilities.
+the edge of the network [b]?
-Similarly, your company’s IT network or system has boundaries that must be protected.
+•
-Many companies use a web proxy and a firewall. <br />
+  Is data flowing in and out of the external and key internal system boundaries monitored
-When an employee uses a company computer to go to a website, a web proxy makes the
-request on the user’s behalf, looks at the web request, and decides if it should let the
+(e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)
-employee go to the website. <br />
+[c,d]?
-A firewall controls access from the inside and outside, protecting valuable information and
-resources stored on the company’s network. A firewall stops unwanted traffic on the internet
+•
-from passing through an outside “fence” to the company’s networks and information
+  Is  data  traversing  the external and internal system boundaries  controlled  such that
-systems.  Internal boundaries determine where data can flow, for instance a software
+connections are denied by default and only authorized connections are allowed [e,f]?
-development environment may have its own boundary controlling, monitoring, and
+•
-protecting the data that can leave that boundary. <br />
+  Is data flowing in and out of the external and key internal system boundaries protected
-It may be wise to monitor, control, or protect one part of the company network from another.
-This can also be accomplished  with a firewall  and  limits  the ability of attackers  and
+(e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?
-disgruntled employees from entering sensitive parts of your internal network and causing
+'''KEY REFERENCES '''
-damage.
+•
-'''Example <br />
+  FAR Clause 52.204-21 b.1.x
-'''You are setting up the new network with an FCI enclave. You start by sketching out a simple
-diagram that identifies the external boundary of your network and any internal boundaries
+•
-that are needed [a,b]. The first piece of equipment you install is the firewall, a device to
+  NIST SP 800-171 Rev. 2 3.13.1
- NIST SP 800-171 Rev. 2, p. 36
@@ Line 3,227: / Line 3,039: @@
-SC.L1-b.1.x – Boundary Protection [FCI Data]
+SC.L1-b.1.xi – Public-Access System Separation [FCI Data]
 CMMC Assessment Guide – Level 1 | Version 2.13
-separate your internal network from the internet. The firewall also has a feature that allows
+'''SC.L1-B.1.XI – PUBLIC-ACCESS SYSTEM SEPARATION [FCI DATA] '''
-you to block access to potentially malicious websites, and you configure that service as well
+Implement subnetworks for publicly accessible system components that are physically or
-[a,c,e,g]. Some of your coworkers complain that they cannot get to certain websites [c,e,g].
+logically separated from internal networks.
-You explain that the new network blocks websites that are known for spreading malware.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#41|27 ]]'''
-The firewall sends you a daily digest of blocked activity so that you can monitor the system
+Determine if: <br />
+[a]
-for attack trends [c,d].
+publicly accessible system components are identified; and
-'''Potential Assessment Considerations <br />
+[b]
-'''•
-  What are the external system boundary components that make up the entry and exit
+subnetworks for publicly accessible system components are physically or logically
-points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all
+separated from internal networks.
-system components that handle regulated data are contained? What are the supporting
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]27 '''
-system components necessary for the protection of regulated data [a]?
+'''Examine <br />
+'''[SELECT FROM: System and communications protection policy; procedures addressing
-•
+boundary protection; system security plan; list of key internal boundaries of the system;
-  What are the internal system boundary components that make up the entry and exit
+system design documentation; boundary protection hardware and software; system
-points for key internal data flow (e.g., internal firewalls, routers, any devices that can
+configuration settings and associated documentation; enterprise security architecture
-bridge the connection between one segment of the system and another) that separate
+documentation; system audit logs and records; other relevant documents or records].
-segments of the internal network  –  including devices that separate internal network
+'''Interview <br />
+'''[SELECT FROM: System or network administrators; personnel with information security
-segments such as development and production networks as well as a traditional DMZ at
+responsibilities; system developers; personnel with boundary protection responsibilities].
-the edge of the network [b]?
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing boundary protection capability].
-•
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#41|28]] '''
-  Is data flowing in and out of the external and key internal system boundaries monitored
+Subnetworks that are physically or logically separated from internal networks are referred
-(e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)
+to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control
-[c,d]?
+devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-
-•
+based technologies. <br />
+NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
-  Is  data  traversing  the external and internal system boundaries  controlled  such that
+guidance on security for virtualization technologies.
-connections are denied by default and only authorized connections are allowed [e,f]?
-•
-  Is data flowing in and out of the external and key internal system boundaries protected
+ NIST SP 800-171A, p. 55
-(e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?
-'''KEY REFERENCES '''
+ NIST SP 800-171 Rev. 2, pp. 37-38
-•
-  FAR Clause 52.204-21 b.1.x
-•
-  NIST SP 800-171 Rev. 2 3.13.1
@@ Line 3,317: / Line 3,123: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''SC.L1-B.1.XI – PUBLIC-ACCESS SYSTEM SEPARATION [FCI DATA] '''
+'''FURTHER DISCUSSION '''
-Implement subnetworks for publicly accessible system components that are physically or
+Publicly accessible systems should be separated from the internal systems that need to be
-logically separated from internal networks.
+protected. Internal systems should not be placed on the same network as publicly accessible
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#41|27 ]]'''
+systems, and access by default from DMZ networks to internal networks should be blocked. <br />
+One method of accomplishing this is to create a DMZ network, which enhances security by
-Determine if: <br />
+providing public access to a specific set  of resources while preventing connections from
-[a]
-publicly accessible system components are identified; and
+those resources to the rest of the IT environment. Some OSAs may achieve a similar result
-[b]
+through the use of a cloud computing environment that is separated from the rest of the
-subnetworks for publicly accessible system components are physically or logically
+company’s infrastructure.
-separated from internal networks.
+'''Example <br />
+'''The head of recruiting at your firm wants to launch a website to post job openings and allow
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]27 '''
+the public to download an application form [a]. After some discussion, your team realizes it
-'''Examine <br />
+needs to use a firewall to create a perimeter network  to do this  because your network
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system security plan; list of key internal boundaries of the system;
+contains FCI [b]. You host the server separately from the company’s internal network where
-system design documentation; boundary protection hardware and software; system
+FCI is stored and make sure the network on which it resides is isolated with the proper
-configuration settings and associated documentation; enterprise security architecture
+firewall rules [b].
-documentation; system audit logs and records; other relevant documents or records].
+'''Potential Assessment Considerations <br />
+'''•
-'''Interview <br />
+  Are any system components reachable by the public (e.g., internet-facing web servers,
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers; personnel with boundary protection responsibilities].
+VPN gateways, publicly accessible cloud services) [a]?
-'''Test <br />
+•
-'''[SELECT FROM: Mechanisms implementing boundary protection capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#41|28]] '''
+  Are  publicly accessible system components on physically or logically separated
-Subnetworks that are physically or logically separated from internal networks are referred
+subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such
-to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control
+as DMZs) [b]?
-devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-
+'''KEY REFERENCES '''
-based technologies. <br />
+•
-NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
-guidance on security for virtualization technologies.
+  FAR Clause 52.204-21 b.1.xi
+•
+  NIST SP 800-171 Rev. 2 3.13.5
-  NIST SP 800-171A, p. 55
- NIST SP 800-171 Rev. 2, pp. 37-38
@@ Line 3,393: / Line 3,193: @@
-SC.L1-b.1.xi – Public-Access System Separation [FCI Data]
+SI.L1-b.1.xii – Flaw Remediation [FCI Data]
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''FURTHER DISCUSSION '''
+System and Information Integrity (SI) <br />
+'''SI.L1-B.1.XII – FLAW REMEDIATION [FCI DATA] '''
-Publicly accessible systems should be separated from the internal systems that need to be
+Identify, report, and correct information and information system flaws in a timely manner.
-protected. Internal systems should not be placed on the same network as publicly accessible
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|29 ]]'''
-systems, and access by default from DMZ networks to internal networks should be blocked. <br />
+Determine if: <br />
-One method of accomplishing this is to create a DMZ network, which enhances security by
+[a]
-providing public access to a specific set  of resources while preventing connections from
+the time within which to identify system flaws is specified;
-those resources to the rest of the IT environment. Some OSAs may achieve a similar result
+[b]
-through the use of a cloud computing environment that is separated from the rest of the
+system flaws are identified within the specified time frame;
-company’s infrastructure.
+[c]
-'''Example <br />
+the time within which to report system flaws is specified;
-'''The head of recruiting at your firm wants to launch a website to post job openings and allow
-the public to download an application form [a]. After some discussion, your team realizes it
+[d]
-needs to use a firewall to create a perimeter network  to do this  because your network
+system flaws are reported within the specified time frame;
-contains FCI [b]. You host the server separately from the company’s internal network where
+[e]
-FCI is stored and make sure the network on which it resides is isolated with the proper
+the time within which to correct system flaws is specified; and
-firewall rules [b].
+[f]
-'''Potential Assessment Considerations <br />
+system flaws are corrected within the specified time frame.
-'''•
-  Are any system components reachable by the public (e.g., internet-facing web servers,
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]29 '''
-VPN gateways, publicly accessible cloud services) [a]?
+'''Examine <br />
+'''[SELECT FROM: System and information integrity policy; procedures addressing flaw
-•
+remediation; procedures addressing configuration management; system security plan; list
-  Are  publicly accessible system components on physically or logically separated
+of flaws and vulnerabilities potentially affecting the system; list of recent security flaw
-subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such
+remediation actions performed on the system (e.g., list of installed patches, service packs,
-as DMZs) [b]?
+hot fixes, and other software updates to correct system flaws); test results from the
-'''KEY REFERENCES '''
+installation of software and firmware updates to correct system flaws; installation/change
-•
+control records for security-relevant software and firmware updates; other relevant
-  FAR Clause 52.204-21 b.1.xi
+documents or records].
-•
+'''Interview <br />
+'''[SELECT FROM: System or network administrators; personnel with information security
-  NIST SP 800-171 Rev. 2 3.13.5
+responsibilities; personnel installing, configuring, and maintaining the system; personnel
+with responsibility for flaw remediation; personnel with configuration management
+responsibility].
+'''Test <br />
+'''[SELECT FROM: Organizational processes for identifying, reporting, and correcting system
+flaws; organizational process for installing software and firmware updates; mechanisms
+ NIST SP 800-171A, p. 60
@@ Line 3,471: / Line 3,285: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-System and Information Integrity (SI) <br />
+supporting or implementing reporting, and correcting system flaws; mechanisms supporting
-'''SI.L1-B.1.XII – FLAW REMEDIATION [FCI DATA] '''
-Identify, report, and correct information and information system flaws in a timely manner.
+or implementing testing software and firmware updates].
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|29 ]]'''
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#44|30]] '''
-Determine if: <br />
+Organizations identify systems that are affected by announced software and firmware flaws
-[a]
-the time within which to identify system flaws is specified;
+including potential vulnerabilities resulting from those flaws and report this information to
-[b]
+designated personnel with information security responsibilities. Security-relevant updates
-system flaws are identified within the specified time frame;
+include patches, service packs, hot fixes, and anti-virus signatures. Organizations address
-[c]
+flaws discovered during security assessments, continuous monitoring, incident response
-the time within which to report system flaws is specified;
+activities, and system error handling.  Organizations can take advantage of available
-[d]
+resources such as the Common Weakness Enumeration (CWE) database or Common
-system flaws are reported within the specified time frame;
+Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in
-[e]
+organizational systems. <br />
+Organization-defined time periods for updating security-relevant software and firmware
-the time within which to correct system flaws is specified; and
+may vary based on a variety of factors including the criticality of the update (i.e., severity of
-[f]
+the vulnerability related to the discovered flaw). Some types of flaw remediation may require
+more testing than other types of remediation. NIST SP 800-40 provides guidance on patch
+management technologies.
-system flaws are corrected within the specified time frame.
+'''FURTHER DISCUSSION '''
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]29 '''
+All software and firmware have potential flaws. Many vendors work to remedy those flaws
-'''Examine <br />
+by releasing vulnerability information and updates to their software and firmware. OSAs
-'''[SELECT FROM: System and information integrity policy; procedures addressing flaw
-remediation; procedures addressing configuration management; system security plan; list
+should have a process to review relevant vendor notifications and updates about problems
-of flaws and vulnerabilities potentially affecting the system; list of recent security flaw
+or weaknesses.  After reviewing the information, the OSA  should  implement a  patch
-remediation actions performed on the system (e.g., list of installed patches, service packs,
+management  process  that allows for software and firmware flaws to be fixed  without
-hot fixes, and other software updates to correct system flaws); test results from the
+adversely affecting the system functionality.  OSAs  should  define the time frames within
-installation of software and firmware updates to correct system flaws; installation/change
+which flaws are identified, reported, and corrected for all systems.
-control records for security-relevant software and firmware updates; other relevant
+'''Example <br />
+'''You know that software vendors typically release patches, service packs, hot fixes, etc. and
-documents or records].
+want to make sure your software that processes FCI is up to date. You develop a policy that
-'''Interview <br />
+requires checking vendor websites for flaw notifications every week [a]. The policy further
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
+requires that those flaws be assessed for severity and patched on end-user computers once
-with responsibility for flaw remediation; personnel with configuration management
+each week and servers once each month [c,e]. Consistent with that policy, you configure the
-responsibility].
+system to check for updates weekly or daily depending on the criticality of the software [b,e].
-'''Test <br />
+Your team reviews available updates and implements the applicable ones according to the
-'''[SELECT FROM: Organizational processes for identifying, reporting, and correcting system
-flaws; organizational process for installing software and firmware updates; mechanisms
+defined schedule [f].
-  NIST SP 800-171A, p. 60
+  NIST SP 800-171 Rev. 2, pp. 40-41
@@ Line 3,559: / Line 3,374: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-supporting or implementing reporting, and correcting system flaws; mechanisms supporting
+'''Potential Assessment Considerations <br />
+'''•
-or implementing testing software and firmware updates].
+  Is the time frame (e.g., a set number of days) within which system flaw identification
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#44|30]] '''
+activities (e.g., vulnerability scans, configuration scans, manual review) must be
-Organizations identify systems that are affected by announced software and firmware flaws
+performed defined and documented [a]?
-including potential vulnerabilities resulting from those flaws and report this information to
+•
-designated personnel with information security responsibilities. Security-relevant updates
+  Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with
-include patches, service packs, hot fixes, and anti-virus signatures. Organizations address
+the specified time frame [b]?
-flaws discovered during security assessments, continuous monitoring, incident response
+•
-activities, and system error handling.  Organizations can take advantage of available
+  Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw)
-resources such as the Common Weakness Enumeration (CWE) database or Common
+within which system flaws must be corrected defined and documented [e]?
-Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in
+•
-organizational systems. <br />
+  Are  system flaws (e.g., applied security patches, made configuration changes, or
-Organization-defined time periods for updating security-relevant software and firmware
-may vary based on a variety of factors including the criticality of the update (i.e., severity of
+implemented workarounds or mitigations) corrected within the specified time frame [f]?
-the vulnerability related to the discovered flaw). Some types of flaw remediation may require
+'''KEY REFERENCES '''
-more testing than other types of remediation. NIST SP 800-40 provides guidance on patch
+•
-management technologies.
+  FAR Clause 52.204-21 b.1.xii
-'''FURTHER DISCUSSION '''
+•
-All software and firmware have potential flaws. Many vendors work to remedy those flaws
+  NIST SP 800-171 Rev. 2 3.14.1
-by releasing vulnerability information and updates to their software and firmware. OSAs
-should have a process to review relevant vendor notifications and updates about problems
-or weaknesses.  After reviewing the information, the OSA  should  implement a  patch
-management  process  that allows for software and firmware flaws to be fixed  without
-adversely affecting the system functionality.  OSAs  should  define the time frames within
-which flaws are identified, reported, and corrected for all systems.
-'''Example <br />
-'''You know that software vendors typically release patches, service packs, hot fixes, etc. and
-want to make sure your software that processes FCI is up to date. You develop a policy that
-requires checking vendor websites for flaw notifications every week [a]. The policy further
-requires that those flaws be assessed for severity and patched on end-user computers once
+SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data]
-each week and servers once each month [c,e]. Consistent with that policy, you configure the
+CMMC Assessment Guide – Level 1 | Version 2.13
-system to check for updates weekly or daily depending on the criticality of the software [b,e].
-Your team reviews available updates and implements the applicable ones according to the
-defined schedule [f].
+'''SI.L1-B.1.XIII – MALICIOUS CODE PROTECTION [FCI DATA] '''
+Provide protection from malicious code at appropriate locations within organizational
+information systems.
- NIST SP 800-171 Rev. 2, pp. 40-41
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|31 ]]'''
+Determine if: <br />
+[a]
+designated locations for malicious code protection are identified; and
+[b]
+protection from malicious code at designated locations is provided.
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|32 ]]'''
+'''Examine <br />
+'''[SELECT FROM: System and information integrity policy; configuration management policy
+and procedures; procedures addressing malicious code protection; records of malicious
+code protection updates; malicious code protection mechanisms; system security plan;
-SI.L1-b.1.xii – Flaw Remediation [FCI Data]
+system configuration settings and associated documentation; record of actions initiated by
-CMMC Assessment Guide – Level 1 | Version 2.13
+malicious code protection mechanisms in response to malicious code detection; scan results
+from malicious code protection mechanisms; system design documentation; system audit
+logs and records; other relevant documents or records].
-'''Potential Assessment Considerations <br />
+'''Interview <br />
-'''•
+'''[SELECT FROM: System or network administrators; personnel with information security
-  Is the time frame (e.g., a set number of days) within which system flaw identification
+responsibilities; personnel installing, configuring, and maintaining the system; personnel
-activities (e.g., vulnerability scans, configuration scans, manual review) must be
+with responsibility for malicious code protection; personnel with configuration management
-performed defined and documented [a]?
+responsibility].
-•
+'''Test <br />
+'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-  Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with
+malicious code protection mechanisms; organizational process for addressing false positives
-the specified time frame [b]?
+and resulting potential impact; mechanisms supporting or implementing employing,
-•
+updating, and configuring malicious code protection mechanisms; mechanisms supporting
-  Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw)
+or implementing malicious code scanning and subsequent actions].
-within which system flaws must be corrected defined and documented [e]?
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|33]] '''
-•
+Designated [''appropriate''] locations include system entry and exit points which may include
-  Are  system flaws (e.g., applied security patches, made configuration changes, or
+firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy
-implemented workarounds or mitigations) corrected within the specified time frame [f]?
+servers, notebook computers, and mobile devices. Malicious code includes viruses, worms,
-'''KEY REFERENCES '''
-•
-  FAR Clause 52.204-21 b.1.xii
+ NIST SP 800-171A, p. 61
-•
-  NIST SP 800-171 Rev. 2 3.14.1
+ NIST SP 800-171A, p. 61-62
+  NIST SP 800-171 Rev. 2, p. 41
@@ Line 3,704: / Line 3,523: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''SI.L1-B.1.XIII – MALICIOUS CODE PROTECTION [FCI DATA] '''
+Trojan horses, and spyware.  Malicious code can be encoded in various formats (e.g.,
-Provide protection from malicious code at appropriate locations within organizational
+UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using
-information systems.
+techniques such as steganography. Malicious code can be inserted into systems in a variety
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|31 ]]'''
+of ways including web accesses, electronic mail, electronic mail attachments, and portable
-Determine if: <br />
+storage  devices.  Malicious code insertions  occur through the exploitation of system
-[a]
-designated locations for malicious code protection are identified; and
+vulnerabilities. <br />
+Malicious code protection mechanisms include anti-virus signature definitions and
-[b]
+reputation-based technologies.  A variety of technologies and methods exist to limit or
-protection from malicious code at designated locations is provided.
+eliminate the effects of malicious code.  Pervasive configuration management and
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|32 ]]'''
+comprehensive software integrity controls may be effective in preventing execution of
-'''Examine <br />
+unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
-'''[SELECT FROM: System and information integrity policy; configuration management policy
-and procedures; procedures addressing malicious code protection; records of malicious
+be present in custom-built software. This could include logic bombs, back doors, and other
-code protection updates; malicious code protection mechanisms; system security plan;
+types of cyber-attacks that could affect organizational missions/business functions.
-system configuration settings and associated documentation; record of actions initiated by
+Traditional malicious code protection mechanisms cannot always detect such code. In these
-malicious code protection mechanisms in response to malicious code detection; scan results
+situations, organizations rely instead on other safeguards including secure coding practices,
-from malicious code protection mechanisms; system design documentation; system audit
+configuration management and control, trusted procurement processes, and monitoring
-logs and records; other relevant documents or records].
+practices to help ensure that software does not perform functions other than the functions
-'''Interview <br />
+intended. NIST SP 800-83 provides guidance on malware incident prevention.
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
+'''FURTHER DISCUSSION '''
-with responsibility for malicious code protection; personnel with configuration management
+Malicious code purposely performs unauthorized activity that undermines the security of an
-responsibility].
+information system. A designated location may be a network device such as a firewall or an
-'''Test <br />
+end user’s computer. <br />
-'''[SELECT FROM: Organizational processes for employing, updating, and configuring
+Malicious code, which can be delivered by a range of means (e.g., email, removable media, or
-malicious code protection mechanisms; organizational process for addressing false positives
+websites), includes the following: <br />
+•
-and resulting potential impact; mechanisms supporting or implementing employing,
+  Virus – program designed to cause damage, steal information, change data, send email,
-updating, and configuring malicious code protection mechanisms; mechanisms supporting
+show messages, or any combination of these things;
-or implementing malicious code scanning and subsequent actions].
+•
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#46|33]] '''
+  Spyware – program designed to secretly gather information about a person’s activity;
-Designated [''appropriate''] locations include system entry and exit points which may include
+•
-firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy
+  Trojan Horse – type of malware made to look like legitimate software and used by cyber
-servers, notebook computers, and mobile devices. Malicious code includes viruses, worms,
+criminals to get access to a company’s systems; and
+•
+  Ransomware – type of malware that threatens to publish the victim’s data or perpetually
- NIST SP 800-171A, p. 61
+block access to it unless a ransom is paid.
+Consider use of anti-malware tools to stop or lessen the impact of malicious code.
- NIST SP 800-171A, p. 61-62
+'''Example <br />
+'''Your company’s IT team is buying new computers and wants to protect your company’s
+information from viruses and spyware. The computers will be used to process, store, and
-  NIST SP 800-171 Rev. 2, p. 41
+transmit FCI.  They  research anti-malware products, select an appropriate solution, and
+deploy antivirus software on all hosts for which satisfactory antivirus software is available
+[a,b].
@@ Line 3,797: / Line 3,620: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-Trojan horses, and spyware.  Malicious code can be encoded in various formats (e.g.,
+'''Potential Assessment Considerations <br />
+'''•
-UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using
+  Are system components (e.g., workstations, servers, email gateways, mobile devices) for
-techniques such as steganography. Malicious code can be inserted into systems in a variety
+which malicious code protection must be provided identified and documented [a]?
-of ways including web accesses, electronic mail, electronic mail attachments, and portable
+'''KEY REFERENCES '''
-storage  devices.  Malicious code insertions  occur through the exploitation of system
+•
-vulnerabilities. <br />
+  FAR Clause 52.204-21 b.1.xiii
-Malicious code protection mechanisms include anti-virus signature definitions and
-reputation-based technologies.  A variety of technologies and methods exist to limit or
+•
-eliminate the effects of malicious code.  Pervasive configuration management and
+  NIST SP 800-171 Rev. 2 3.14.2
-comprehensive software integrity controls may be effective in preventing execution of
-unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
-be present in custom-built software. This could include logic bombs, back doors, and other
-types of cyber-attacks that could affect organizational missions/business functions.
-Traditional malicious code protection mechanisms cannot always detect such code. In these
-situations, organizations rely instead on other safeguards including secure coding practices,
-configuration management and control, trusted procurement processes, and monitoring
-practices to help ensure that software does not perform functions other than the functions
-intended. NIST SP 800-83 provides guidance on malware incident prevention.
-'''FURTHER DISCUSSION '''
+SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data]
-Malicious code purposely performs unauthorized activity that undermines the security of an
+CMMC Assessment Guide – Level 1 | Version 2.13
-information system. A designated location may be a network device such as a firewall or an
-end user’s computer. <br />
-Malicious code, which can be delivered by a range of means (e.g., email, removable media, or
-websites), includes the following: <br />
+'''SI.L1-B.1.XIV – UPDATE MALICIOUS CODE PROTECTION [FCI DATA] '''
-•
-  Virus – program designed to cause damage, steal information, change data, send email,
+Update malicious code protection mechanisms when new releases are available.
-show messages, or any combination of these things;
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|34 ]]'''
-•
+Determine if: <br />
+[a] malicious code protection mechanisms are updated when new releases are available.
-  Spyware – program designed to secretly gather information about a person’s activity;
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|35 ]]'''
-•
+'''Examine <br />
+'''[SELECT FROM: System and information integrity policy; configuration management policy
-  Trojan Horse – type of malware made to look like legitimate software and used by cyber
+and procedures; procedures addressing malicious code protection; malicious code
-criminals to get access to a company’s systems; and
+protection mechanisms; records of malicious code protection updates; system security plan;
-•
+system design documentation; system configuration settings and associated documentation;
-  Ransomware – type of malware that threatens to publish the victim’s data or perpetually
+scan results from malicious code protection mechanisms; record of actions initiated by
-block access to it unless a ransom is paid.
+malicious code protection mechanisms in response to malicious code detection; system audit
-Consider use of anti-malware tools to stop or lessen the impact of malicious code.
+logs and records; other relevant documents or records].
-'''Example <br />
+'''Interview <br />
-'''Your company’s IT team is buying new computers and wants to protect your company’s
+'''[SELECT FROM: System or network administrators; personnel with information security
-information from viruses and spyware. The computers will be used to process, store, and
+responsibilities; personnel installing, configuring, and maintaining the system; personnel
-transmit FCI.  They  research anti-malware products, select an appropriate solution, and
+with responsibility for malicious code protection; personnel with configuration management
-deploy antivirus software on all hosts for which satisfactory antivirus software is available
+responsibility].
-[a,b].
+'''Test <br />
+'''[SELECT FROM: Organizational processes for employing, updating, and configuring
+malicious code protection mechanisms; organizational process for addressing false positives
+and resulting potential impact; mechanisms supporting or implementing malicious code
+protection mechanisms (including updates and configurations); mechanisms supporting or
+implementing malicious code scanning and subsequent actions].
+'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|36]] '''
+Malicious code protection mechanisms include anti-virus signature definitions and
+reputation-based technologies.  A variety of technologies and methods exist to limit or
+eliminate the effects of malicious code.  Pervasive configuration management and
-SI.L1-b.1.xiii – Malicious Code ProTection [FCI Data]
+comprehensive software integrity controls may be effective in preventing execution of
-CMMC Assessment Guide – Level 1 | Version 2.13
+unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
+be present in custom-built software. This could include logic bombs, back doors, and other
-'''Potential Assessment Considerations <br />
-'''•
-  Are system components (e.g., workstations, servers, email gateways, mobile devices) for
+ NIST SP 800-171A, p. 62
-which malicious code protection must be provided identified and documented [a]?
-'''KEY REFERENCES '''
+ NIST SP 800-171A, p. 62-63
-•
-  FAR Clause 52.204-21 b.1.xiii
+ NIST SP 800-171 Rev. 2, pp 41-42
-•
-  NIST SP 800-171 Rev. 2 3.14.2
@@ Line 3,930: / Line 3,747: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''SI.L1-B.1.XIV – UPDATE MALICIOUS CODE PROTECTION [FCI DATA] '''
+types of cyber-attacks that could affect organizational missions/business functions.
-Update malicious code protection mechanisms when new releases are available.
+Traditional malicious code protection mechanisms cannot always detect such code. In these
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|34 ]]'''
+situations, organizations rely instead on other safeguards including secure coding practices,
-Determine if: <br />
+configuration management and control, trusted procurement processes, and monitoring
-[a] malicious code protection mechanisms are updated when new releases are available.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|35 ]]'''
+practices to help ensure that software does not perform functions other than the functions
-'''Examine <br />
+intended.
-'''[SELECT FROM: System and information integrity policy; configuration management policy
-and procedures; procedures addressing malicious code protection; malicious code
+'''FURTHER DISCUSSION '''
-protection mechanisms; records of malicious code protection updates; system security plan;
+Malware changes on an hourly or daily basis, and it is important to update detection and
-system design documentation; system configuration settings and associated documentation;
+protection mechanisms frequently to maintain the effectiveness of the protection.
-scan results from malicious code protection mechanisms; record of actions initiated by
+'''Example <br />
+'''You  have installed anti-malware software to protect a computer that stores FCI from
-malicious code protection mechanisms in response to malicious code detection; system audit
+malicious code. Knowing that malware evolves rapidly, you configure the software to
-logs and records; other relevant documents or records].
+automatically check for malware definition updates every day and update as needed [a].
-'''Interview <br />
+'''Potential Assessment Considerations <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
+'''•
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
+  Is there a defined frequency at which malicious code protection mechanisms must be
-with responsibility for malicious code protection; personnel with configuration management
+updated (e.g., frequency of automatic updates or manual processes) [a]?
-responsibility].
+'''KEY REFERENCES '''
-'''Test <br />
+•
-'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-malicious code protection mechanisms; organizational process for addressing false positives
+  FAR Clause 52.204-21 b.1.xiv
-and resulting potential impact; mechanisms supporting or implementing malicious code
+•
-protection mechanisms (including updates and configurations); mechanisms supporting or
+  NIST SP 800-171 Rev. 2 3.14.4
-implementing malicious code scanning and subsequent actions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#49|36]] '''
-Malicious code protection mechanisms include anti-virus signature definitions and
-reputation-based technologies.  A variety of technologies and methods exist to limit or
-eliminate the effects of malicious code.  Pervasive configuration management and
-comprehensive software integrity controls may be effective in preventing execution of
-unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
-be present in custom-built software. This could include logic bombs, back doors, and other
+SI.L1-b.1.xv – System &amp; File Scanning [FCI Data]
- NIST SP 800-171A, p. 62
+CMMC Assessment Guide – Level 1 | Version 2.13
-  NIST SP 800-171A, p. 62-63
+'''SI.L1-B.1.XV – SYSTEM &amp; FILE SCANNING [FCI DATA] '''
- NIST SP 800-171 Rev. 2, pp 41-42
+Perform periodic scans of the information system and real-time scans of files from external
+sources as files are downloaded, opened, or executed.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#51|37 ]]'''
+Determine if: <br />
+[a]
+the frequency for malicious code scans is defined;
+[b]
+malicious code scans are performed with the defined frequency; and
+[c]
+real-time malicious code scans of files from external sources as files are
-SI.L1-b.1.xiv – Update Malicious Code Protection [FCI Data]
+downloaded, opened, or executed are performed.
-CMMC Assessment Guide – Level 1 | Version 2.13
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]37 '''
+'''Examine <br />
+'''[SELECT FROM: System and information integrity policy; configuration management policy
+and procedures; procedures addressing malicious code protection; malicious code
-types of cyber-attacks that could affect organizational missions/business functions.
+protection mechanisms; records of malicious code protection updates; system security plan;
-Traditional malicious code protection mechanisms cannot always detect such code. In these
+system design documentation; system configuration settings and associated documentation;
-situations, organizations rely instead on other safeguards including secure coding practices,
+scan results from malicious code protection mechanisms; record of actions initiated by
-configuration management and control, trusted procurement processes, and monitoring
+malicious code protection mechanisms in response to malicious code detection; system audit
-practices to help ensure that software does not perform functions other than the functions
+logs and records; other relevant documents or records].
-intended.
+'''Interview <br />
+'''[SELECT FROM: System or network administrators; personnel with information security
+responsibilities; personnel installing, configuring, and maintaining the system; personnel
-'''FURTHER DISCUSSION '''
+with responsibility for malicious code protection; personnel with configuration management
-Malware changes on an hourly or daily basis, and it is important to update detection and
+responsibility].
-protection mechanisms frequently to maintain the effectiveness of the protection.
+'''Test <br />
+'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-'''Example <br />
+malicious code protection mechanisms; organizational process for addressing false positives
-'''You  have installed anti-malware software to protect a computer that stores FCI from
-malicious code. Knowing that malware evolves rapidly, you configure the software to
+and resulting potential impact; mechanisms supporting or implementing malicious code
-automatically check for malware definition updates every day and update as needed [a].
+protection mechanisms (including updates and configurations); mechanisms supporting or
-'''Potential Assessment Considerations <br />
+implementing malicious code scanning and subsequent actions].
-'''•
-  Is there a defined frequency at which malicious code protection mechanisms must be
+'''DISCUSSION [NIST SP 800-17]1 REV. 2[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#51|38]] '''
-updated (e.g., frequency of automatic updates or manual processes) [a]?
+Periodic scans of organizational systems and real-time scans of files from external sources
-'''KEY REFERENCES '''
+can detect malicious code. Malicious code can be encoded in various formats (e.g.,
-•
-  FAR Clause 52.204-21 b.1.xiv
-•
+ NIST SP 800-171A, p. 63
-  NIST SP 800-171 Rev. 2 3.14.4
+  NIST SP 800-171 Rev. 2, p. 42
@@ Line 4,082: / Line 3,901: @@
 CMMC Assessment Guide – Level 1 | Version 2.13
-'''SI.L1-B.1.XV – SYSTEM &amp; FILE SCANNING [FCI DATA] '''
+UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using
-Perform periodic scans of the information system and real-time scans of files from external
+techniques such as steganography. Malicious code can be inserted into systems in a variety
-sources as files are downloaded, opened, or executed.
+of ways including web accesses, electronic mail, electronic mail attachments, and portable
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#51|37 ]]'''
+storage devices. Malicious code insertions occur through the exploitation of system
-Determine if: <br />
+vulnerabilities.
-[a]
-the frequency for malicious code scans is defined;
+'''FURTHER DISCUSSION '''
-[b]
+Consider use of anti-malware software to scan for viruses in your computer systems and
-malicious code scans are performed with the defined frequency; and
+determine how often scans are conducted. Real-time scans look at the system whenever files
-[c]
+are downloaded, opened, and saved.  Periodic scans check previously saved files against
-real-time malicious code scans of files from external sources as files are
+updated malware information. Anti-malware software should be installed, run, and updated
-downloaded, opened, or executed are performed.
+on all hosts for which satisfactory antivirus software is available.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]37 '''
+'''Example <br />
+'''Your company transmits FCI over email. You work with your company’s email provider to
-'''Examine <br />
+enable enhanced protections that will scan all attachments to identify and quarantine those
-'''[SELECT FROM: System and information integrity policy; configuration management policy
-and procedures; procedures addressing malicious code protection; malicious code
+that may be harmful prior to a user opening them [c]. In addition, you configure antivirus
-protection mechanisms; records of malicious code protection updates; system security plan;
+software on each computer to scan for malicious code every day [a,b]. The software also
-system design documentation; system configuration settings and associated documentation;
+scans files that are downloaded or copied from removable media such as USB drives. It
-scan results from malicious code protection mechanisms; record of actions initiated by
+quarantines any suspicious files and notifies the security team [c].
-malicious code protection mechanisms in response to malicious code detection; system audit
+'''Potential Assessment Considerations <br />
+'''•
-logs and records; other relevant documents or records].
+  Are files from media (e.g., USB drives, CD-ROM) included in the definition of external
-'''Interview <br />
+sources and are they being scanned [c]?
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
+'''KEY REFERENCES '''
+•
-with responsibility for malicious code protection; personnel with configuration management
+  FAR Clause 52.204-21 b.1.xv
-responsibility].
+•
-'''Test <br />
+  NIST SP 800-171 Rev. 2 3.14.5
-'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-malicious code protection mechanisms; organizational process for addressing false positives
-and resulting potential impact; mechanisms supporting or implementing malicious code
-protection mechanisms (including updates and configurations); mechanisms supporting or
-implementing malicious code scanning and subsequent actions].
-'''DISCUSSION [NIST SP 800-17]1 REV. 2[[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#51|38]] '''
-Periodic scans of organizational systems and real-time scans of files from external sources
-can detect malicious code. Malicious code can be encoded in various formats (e.g.,
+Appendix A – Acronyms and Abbreviations
- NIST SP 800-171A, p. 63
+CMMC Assessment Guide – Level 1 | Version 2.13
-  NIST SP 800-171 Rev. 2, p. 42
+Appendix A – Acronyms and Abbreviations
+AC
+Access Control
+CD-ROM
+Compact Disk Read-Only Memory
+CFR
+Code of Federal Regulations
+CMMC
-SI.L1-b.1.xv – System &amp; File Scanning [FCI Data]
+Cybersecurity Maturity Model Certification
-CMMC Assessment Guide – Level 1 | Version 2.13
+CUI
+Controlled Unclassified Information
+CVE
-UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using
+Common Vulnerabilities and Exposures
-techniques such as steganography. Malicious code can be inserted into systems in a variety
+CWE
-of ways including web accesses, electronic mail, electronic mail attachments, and portable
+Common Weakness Enumeration
-storage devices. Malicious code insertions occur through the exploitation of system
+DFARS
-vulnerabilities.
+Defense Federal Acquisition Regulation Supplement
-'''FURTHER DISCUSSION '''
+DMZ
-Consider use of anti-malware software to scan for viruses in your computer systems and
+Demilitarized Zone
-determine how often scans are conducted. Real-time scans look at the system whenever files
+DoD
-are downloaded, opened, and saved.  Periodic scans check previously saved files against
+Department of Defense
-updated malware information. Anti-malware software should be installed, run, and updated
+ESP
-on all hosts for which satisfactory antivirus software is available.
+External Service Provider
-'''Example <br />
+FAR
-'''Your company transmits FCI over email. You work with your company’s email provider to
-enable enhanced protections that will scan all attachments to identify and quarantine those
+Federal Acquisition Regulation
-that may be harmful prior to a user opening them [c]. In addition, you configure antivirus
+FCI
-software on each computer to scan for malicious code every day [a,b]. The software also
+Federal Contract Information
-scans files that are downloaded or copied from removable media such as USB drives. It
+IT
-quarantines any suspicious files and notifies the security team [c].
+Information Technology
-'''Potential Assessment Considerations <br />
+NIST
-'''•
-  Are files from media (e.g., USB drives, CD-ROM) included in the definition of external
+National Institute of Standards and Technology
-sources and are they being scanned [c]?
+OSA
-'''KEY REFERENCES '''
+Organization Seeking Assessment
-•
+PIV
-  FAR Clause 52.204-21 b.1.xv
+Personal Identity Verification
-•
+SC
-  NIST SP 800-171 Rev. 2 3.14.5
+System and Communications Protection
+SI
+System and Information Integrity
+SP
+Special Publication
+SPRS
+Supplier Performance Risk System
+USB
+Universal Serial Bus
-Appendix A – Acronyms and Abbreviations
+UUENCODE  Unix-to-Unix Encode
-CMMC Assessment Guide – Level 1 | Version 2.13
+VLAN
+Virtual Local Area Network
-Appendix A – Acronyms and Abbreviations
-AC
-Access Control
-CD-ROM
-Compact Disk Read-Only Memory
-CFR
-Code of Federal Regulations
-CMMC
-Cybersecurity Maturity Model Certification
-CUI
-Controlled Unclassified Information
-CVE
-Common Vulnerabilities and Exposures
-CWE
+= Document Outline =
-Common Weakness Enumeration
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#5|Introduction]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|Assessment and Compliance]]
+** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|Assessment Scope]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#7|CMMC-Custom Terms]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#9|Assessment Criteria and Methodology]]
+** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#10|Criteria]]
+** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#10|Methodology]]
+*** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#11|Who Is Interviewed]]
+*** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#11|What Is Examined]]
+*** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#11|What Is Tested]]
+** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#12|Assessment Findings]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|Requirement Descriptions]]
+** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|Introduction]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|Access Control (AC)]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|Identification and Authentication (IA)]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|Media Protection (MP)]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|Physical Protection (PE)]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|System and Communications Protection (SC)]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|System and Information Integrity (SI)]]
+* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#53|Appendix A – Acronyms and Abbreviations]]
-DFARS
-Defense Federal Acquisition Regulation Supplement
+-----
-DMZ
+Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf
-Demilitarized Zone
+== Access Control (AC) ==
+=== Level 1 AC Practices ===
-DoD
+==== AC.L1-3.1.1 - AUTHORIZED ACCESS CONTROL ====
+{|class="wikitable"
-Department of Defense
+|'''SECURITY REQUIREMENT'''
+Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
-ESP
+|-
+|'''ASSESSMENT OBJECTIVES'''
-External Service Provider
+: [a] authorized users are identified;
+: [b] processes acting on behalf of authorized users are identified;
+: [c] devices (and other systems) authorized to connect to the system are identified;
+: [d] system access is limited to authorized users;
+: [e] system access is limited to processes acting on behalf of authorized users; and
+: [f] system access is limited to authorized devices (including other systems).
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_AC.L1-3.1.1_Details|More Practice Details...]]
+|}
-FAR
+==== AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit information system access to the types of transactions and functions that authorized  users are permitted to execute.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
+: [b] system access is limited to the defined types of transactions and functions for authorized users.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_AC.L1-3.1.2_Details|More Practice Details...]]
+|}
-Federal Acquisition Regulation
+==== AC.L1-3.1.20 - EXTERNAL CONNECTIONS ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Verify and control/limit connections to and use of external information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] connections to external systems are identified;
+: [b] the use of external systems is identified;
+: [c] connections to external systems are verified;
+: [d] the use of external systems is verified;
+: [e] connections to external systems are controlled/limited; and
+: [f]  the use of external systems is controlled/limited.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
+|-
+|[[Practice_AC.L1-3.1.20_Details|More Practice Details...]]
+|}
-FCI
+==== AC.L1-3.1.22 - CONTROL PUBLIC INFORMATION ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control information posted or processed on publicly accessible information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] individuals authorized to post or process information on publicly accessible systems are identified;
+: [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
+: [c] a review process is in place prior to posting of any content to publicly accessible systems;
+: [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
+: [e] mechanisms are in place to remove and address improper posting of FCI.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
+|-
+|[[Practice_AC.L1-3.1.22_Details|More Practice Details...]]
+|}
-Federal Contract Information
+== Identification and Authentication (IA) ==
+=== Level 1 IA Practices ===
+==== IA.L1-3.5.1 – IDENTIFICATION ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Identify information system users, processes acting on behalf of users, or devices.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] system users are identified;
+: [b] processes acting on behalf of users are identified; and
+: [c] devices accessing the system are identified.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_IA.L1-3.5.1_Details|More Practice Details...]]
+|}
-IT
+==== IA.L1-3.5.2 – AUTHENTICATION ====
+{|class="wikitable"
-Information Technology
+|'''SECURITY REQUIREMENT'''
+Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
-NIST
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the identity of each user is authenticated or verified as a prerequisite to system access;
+: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
+: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_IA.L1-3.5.2_Details|More Practice Details...]]
+|}
-National Institute of Standards and Technology
+== Media Protection (MP) ==
+=== Level 1 MP Practices ===
+==== MP.L1-3.8.3 – MEDIA DISPOSAL ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] system media containing FCI is sanitized or destroyed before disposal; and
+: [b] system media containing FCI is sanitized before it is released for reuse.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_MP.L1-3.8.3_Details|More Practice Details...]]
+|}
-OSA
+== Physical Protection (PE) ==
+=== Level 1 PE Practices ===
+==== PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] authorized individuals allowed physical access are identified;
+: [b] physical access to organizational systems is limited to authorized individuals;
+: [c] physical access to equipment is limited to authorized individuals; and
+: [d] physical access to operating environments is limited to authorized.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_PE.L1-3.10.1_Details|More Practice Details...]]
+|}
-Organization Seeking Assessment
+==== PE.L1-3.10.3 – ESCORT VISITORS ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Escort visitors and monitor visitor activity.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] visitors are escorted; and
+: [b] visitor activity is monitored.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
+|-
+|[[Practice_PE.L1-3.10.3_Details|More Practice Details...]]
+|}
-PIV
+==== PE.L1-3.10.4 – PHYSICAL ACCESS LOGS ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Maintain audit logs of physical access.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] audit logs of physical access are maintained.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
+|-
+|[[Practice_PE.L1-3.10.4_Details|More Practice Details...]]
+|}
-Personal Identity Verification
+==== PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control and manage physical access devices.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] physical access devices are identified;
+: [b] physical access devices are controlled; and
+: [c] physical access devices are managed.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
+|-
+|[[Practice_PE.L1-3.10.5_Details|More Practice Details...]]
+|}
-SC
+== System and Communications Protection (SC) ==
+=== Level 1 SC Practices ===
+==== SC.L1-3.13.1 – BOUNDARY PROTECTION ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the external system boundary is defined;
+: [b] key internal system boundaries are defined;
+: [c] communications are monitored at the external system boundary;
+: [d] communications are monitored at key internal boundaries;
+: [e] communications are controlled at the external system boundary;
+: [f] communications are controlled at key internal boundaries;
+: [g] communications are protected at the external system boundary; and
+: [h] communications are protected at key internal boundaries.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_SC.L1-3.13.1_Details|More Practice Details...]]
+|}
-System and Communications Protection
+==== SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] publicly accessible system components are identified; and
+: [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_SC.L1-3.13.5_Details|More Practice Details...]]
+|}
-SI
+== System and Information Integrity (SI) ==
+=== Level 1 SI Practices ===
-System and Information Integrity
+==== SI.L1-3.14.1 – FLAW REMEDIATION ====
+{|class="wikitable"
-SP
+|'''SECURITY REQUIREMENT'''
+Identify, report, and correct information and information system flaws in a timely manner.
+|-
+|ASSESSMENT OBJECTIVES'''
+: [a] the time within which to identify system flaws is specified;
+: [b] system flaws are identified within the specified time frame;
+: [c] the time within which to report system flaws is specified;
+: [d] system flaws are reported within the specified time frame;
+: [e] the time within which to correct system flaws is specified; and
+: [f] system flaws are corrected within the specified time frame.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_SI.L1-3.14.1_Details|More Practice Details...]]
+|}
-Special Publication
+==== SI.L1-3.14.2 – MALICIOUS CODE PROTECTION ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Provide protection from malicious code at appropriate locations within organizational information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] designated locations for malicious code protection are identified; and
+: [b] protection from malicious code at designated locations is provided.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_SI.L1-3.14.2_Details|More Practice Details...]]
+|}
-SPRS
+==== SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION ====
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Update malicious code protection mechanisms when new releases are available.
+|-
+|ASSESSMENT OBJECTIVES'''
+: [a] malicious code protection mechanisms are updated when new releases are available.
+|-
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
+|-
+|[[Practice_SI.L1-3.14.4_Details|More Practice Details...]]
+|}
-Supplier Performance Risk System
+==== SI.L1-3.14.5 – SYSTEM & FILE SCANNING ====
+{|class="wikitable"
-USB
+|'''SECURITY REQUIREMENT'''
+Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
-Universal Serial Bus
+|-
+|'''ASSESSMENT OBJECTIVES'''
-UUENCODE  Unix-to-Unix Encode
+: [a] the frequency for malicious code scans is defined;
+: [b] malicious code scans are performed with the defined frequency; and
-VLAN
+: [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
+|-
-Virtual Local Area Network
+|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
+|-
+|[[Practice_SI.L1-3.14.5_Details|More Practice Details...]]
+|}
-= Document Outline =
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#5|Introduction]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|Assessment and Compliance]]
-** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#6|Assessment Scope]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#7|CMMC-Custom Terms]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#9|Assessment Criteria and Methodology]]
-** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#10|Criteria]]
-** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#10|Methodology]]
-*** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#11|Who Is Interviewed]]
-*** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#11|What Is Examined]]
-*** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#11|What Is Tested]]
-** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#12|Assessment Findings]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|Requirement Descriptions]]
-** [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#14|Introduction]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#16|Access Control (AC)]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#26|Identification and Authentication (IA)]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#31|Media Protection (MP)]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#33|Physical Protection (PE)]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#38|System and Communications Protection (SC)]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#43|System and Information Integrity (SI)]]
-* [[3912f0904f8f7d41c23a95c5f4ab1dc9d2769d6e.html#53|Appendix A – Acronyms and Abbreviations]]
------
-Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf

Level 1 Self-Assessment Guide: Difference between revisions

Revision as of 00:09, 17 March 2025

Document Outline

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - AUTHORIZED ACCESS CONTROL

AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL

AC.L1-3.1.20 - EXTERNAL CONNECTIONS

AC.L1-3.1.22 - CONTROL PUBLIC INFORMATION

Identification and Authentication (IA)

Level 1 IA Practices

IA.L1-3.5.1 – IDENTIFICATION

IA.L1-3.5.2 – AUTHENTICATION

Media Protection (MP)

Level 1 MP Practices

MP.L1-3.8.3 – MEDIA DISPOSAL

Physical Protection (PE)

Level 1 PE Practices

PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS

PE.L1-3.10.3 – ESCORT VISITORS

PE.L1-3.10.4 – PHYSICAL ACCESS LOGS

PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS

System and Communications Protection (SC)

Level 1 SC Practices

SC.L1-3.13.1 – BOUNDARY PROTECTION

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION

System and Information Integrity (SI)

Level 1 SI Practices

SI.L1-3.14.1 – FLAW REMEDIATION

SI.L1-3.14.2 – MALICIOUS CODE PROTECTION

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION

SI.L1-3.14.5 – SYSTEM & FILE SCANNING

Navigation menu

Search