CMMC Level 1 for SMBs
CMMC stands for Cybersecurity Maturity Model Certification, and it is a requirement for contractors who work with the Department of Defense (DOD). The CMMC framework is based on the NIST 800-171 and NIST 800-172 standards, which define the best practices for protecting sensitive data. The current version of the CMMC model has three levels of certification, ranging from basic to advanced. Depending on the type and level of service provided to the DOD, contractors need to achieve a certain level of certification.
CMMC Foundation - Level 1
Let's dive into Level 1, the most common certification level applicable to small and medium-sized businesses. At this foundational level, emphasis is placed on implementing essential cybersecurity risk management practices to safeguard against cyber threats. Along with basic cybersecurity hygiene, authentication and access control take center stage, ensuring that only authorized individuals have access to specific information.
CMMC Level 1 Practice Areas
17 CMMC Level 1 Controls to Know
The CMMC Level 1 certification requires adherence to a set of 17 controls from the six practice areas mentioned above. All 17 controls align with the Federal Acquisition Regulation (FAR) 52.204.21. Let's break down these controls and understand their significance in achieving CMMC Level 1 compliance.
CMMC Control Point Checklist
Contractors aiming for Level 1 certification must conduct a comprehensive self-assessment, evaluating their compliance with the 17 control points across the six practice areas. For each control point, contractors need to establish a policy, a control, and a process to identify and address any deviations that may arise.
- A policy is a written document that states the desired outcome or goal, such as "All usernames and passwords must be unique and supported by multi-factor authentication."
- A control is a specific tool or mechanism that enforces the policy, such as "Enable MFA for Office 365".
- A process is a way of monitoring and verifying that the policy and control are being followed and reporting any exceptions or violations. For example, "Review MFA reports monthly and take corrective actions if needed."
When self-assessing, contractors need to be honest and thorough and be prepared to provide evidence of their compliance if requested. They also need to ensure that their policies, controls, and processes apply to all the technology they use in their organization, with very few exceptions.
How to Achieve CMMC Self-Certification with an MSSP
To achieve CMMC self-certification, an organization needs to meet a certain score based on the implementation of security controls and policies. An MSSP (Managed Security Service Provider) is a company that offers cybersecurity services to other organizations. An MSSP can provide valuable assistance with CMMC self-certification by helping the organization improve its score, deploy the required controls, and write the appropriate documentation.
What will an MSSP do?
- Assess your current security posture, identify gaps and weaknesses, and implement solutions to address them.
- Create and maintain a System Security Plan (SSP), which is a document that describes how the organization meets the CMMC requirements. An SSP includes information such as the scope of the system, the roles and responsibilities of the personnel involved, the security policies and procedures in place, and evidence of compliance.
- Prepare your organization for an audit by a third-party assessor, which is required for higher levels of certification.
- Check out our previous blog post to explore more about how an MSSP can help you achieve CMMC for your SMB.