Security Catapult helps you … Be prepared for CMMC. Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes. Try now for free ›

Security Catapult helps you … Understand your gaps. See compliance gaps, compliance scores and proactive security tasks in a single interface. Try now for free ›

Security Catapult helps you … Validate NIST SP 800-171. Based on your CMMC answers, we let you know where you stand on NIST. Try now for free ›

Security Catapult helps you … Build a plan of action. Track your burn down and stay on top of security needs. Try now for free ›

Security Catapult helps you … Build your policy. Say goodbye to maintaining a security policy. We do it for you. Try now for free ›

CMMC Level 1

Domain AC: Access Control

Identify and control who and what has access to your systems.

AC.L1-3.1.1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.L1-3.1.2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.L1-3.1.20
Verify and control/limit connections to and use of external information systems.
AC.L1-3.1.22
Control information posted or processed on publicly accessible information systems.

Domain IA: Identification and Authentication

Closely tied to Access Control, this Domain contains practices to ensure that only the person assigned to a user account is the one using it.

IA.L1-3.5.1
Identify information system users, processes acting on behalf of users, or devices.
IA.L1-3.5.2
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Domain MP: Media Protection

Safeguard data stored on removable media, such as a USB drive, or even on paper.

MP.L1-3.8.3
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Domain PE: Physical Protection

You must protect physical access to your facility and data, as a breach of physical security can be used to quickly override logical security practices.

PE.L1-3.10.1
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.L1-3.10.3
Escort visitors and monitor visitor activity.
PE.L1-3.10.4
Maintain audit logs of physical access.
PE.L1-3.10.5
Control and manage physical access devices.

Domain SC: Systems and Communications Protection

Secure your network boundaries and communications.

SC.L1-3.13.1
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
SC.L1-3.13.5
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Domain SI: System and Information Integrity

Protect your network from malicious code execution by applying security patches in a timely manner and using anti-malware software.

SI.L1-3.14.1
Identify, report, and correct information system flaws in a timely manner.
SI.L1-3.14.2
Provide protection from malicious code at appropriate locations within organizational information systems.
SI.L1-3.14.4
Update malicious code protection mechanisms when new releases are available.
SI.L1-3.14.5
Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

No practices required for the following domains at CMMC Level 1

  • Domain AT Awareness and Training

  • Domain AU Audit and Accountability

  • Domain CA Security Assessment

  • Domain CM Configuration Management

  • Domain IR Incident Response

  • Domain MA Maintenance

  • Domain PS Personnel Security

  • Domain RA Risk Assessment