Level 1 Assessment Guide

From CMMC Toolkit Wiki
Revision as of 04:59, 27 February 2022 by Wikiadmin

Source of Reference: The official CMMC Level 1 Self-Assessment Guide from the Office of the Under Secretary of Defense for Acquisition & Sustainment.


Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 – AUTHORIZED ACCESS CONTROL

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

AC.L1-3.1.2 – TRANSACTION & FUNCTION CONTROL

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.

AC.L1-3.1.20 – EXTERNAL CONNECTIONS

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

AC.L1-3.1.22 – CONTROL PUBLIC INFORMATION

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.

Identification and Authentication (IA)

Level 1 IA Practices

IA.L1-3.5.1 – IDENTIFICATION

SECURITY REQUIREMENT

Identify information system users, processes acting on behalf of users, or devices.

ASSESSMENT OBJECTIVES
[a] system users are identified;
[b] processes acting on behalf of users are identified; and
[c] devices accessing the system are identified.

IA.L1-3.5.2 – AUTHENTICATION

SECURITY REQUIREMENT

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

ASSESSMENT OBJECTIVES
[a] the identity of each user is authenticated or verified as a prerequisite to system access;
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

Media Protection (MP)

Level 1 MP Practices

MP.L1-3.8.3 – MEDIA DISPOSAL

SECURITY REQUIREMENT

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

ASSESSMENT OBJECTIVES
[a] system media containing FCI is sanitized or destroyed before disposal; and
[b] system media containing FCI is sanitized before it is released for reuse.

Physical Protection (PE)

Level 1 PE Practices

PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS

SECURITY REQUIREMENT

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

ASSESSMENT OBJECTIVES
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.

PE.L1-3.10.3 – ESCORT VISITORS

SECURITY REQUIREMENT

Escort visitors and monitor visitor activity.

ASSESSMENT OBJECTIVES
[a] visitors are escorted; and
[b] visitor activity is monitored.

PE.L1-3.10.4 – PHYSICAL ACCESS LOGS

SECURITY REQUIREMENT

Maintain audit logs of physical access.

ASSESSMENT OBJECTIVES
[a] audit logs of physical access are maintained.

PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS

SECURITY REQUIREMENT

Control and manage physical access devices.

ASSESSMENT OBJECTIVES
[a] physical access devices are identified;
[b] physical access devices are controlled; and
[c] physical access devices are managed.

System and Communications Protection (SC)

Level 1 SC Practices

SC.L1-3.13.1 – BOUNDARY PROTECTION

SECURITY REQUIREMENT

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

ASSESSMENT OBJECTIVES
[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION

SECURITY REQUIREMENT

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

ASSESSMENT OBJECTIVES
[a] publicly accessible system components are identified; and
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.

System and Information Integrity (SI)

Level 1 SI Practices

SI.L1-3.14.1 – FLAW REMEDIATION

SECURITY REQUIREMENT

Identify, report, and correct information and information system flaws in a timely manner.

ASSESSMENT OBJECTIVES
[a] the time within which to identify system flaws is specified;
[b] system flaws are identified within the specified time frame;
[c] the time within which to report system flaws is specified;
[d] system flaws are reported within the specified time frame;
[e] the time within which to correct system flaws is specified; and
[f] system flaws are corrected within the specified time frame.

SI.L1-3.14.2 – MALICIOUS CODE PROTECTION

SECURITY REQUIREMENT

Provide protection from malicious code at appropriate locations within organizational information systems.

ASSESSMENT OBJECTIVES
[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION

SECURITY REQUIREMENT

Update malicious code protection mechanisms when new releases are available.

ASSESSMENT OBJECTIVES
[a] malicious code protection mechanisms are updated when new releases are available.

SI.L1-3.14.5 – SYSTEM & FILE SCANNING

SECURITY REQUIREMENT

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

ASSESSMENT OBJECTIVES
[a] the frequency for malicious code scans is defined;
[b] malicious code scans are performed with the defined frequency; and
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.