CMMC Level 1

Domain AC: Access Control

Identify and control who and what has access to your systems.

AC.1.001
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.003
Verify and control/limit connections to and use of external information systems.
AC.1.004
Control information posted or processed on publicly accessible information systems.

Domain IA: Identification and Authentication

Closely tied to Access Control, this Domain contains practices to ensure that only the person assigned to a user account is the one using it.

IA.1.076
Identify information system users, processes acting on behalf of users, or devices.
IA.1.077
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Domain MP: Media Protection

Safeguard data stored on removable media, such as a USB drive, or even on paper.

MP.1.118
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Domain PE: Physical Protection

You must protect physical access to your facility and data, as a breach of physical security can be used to quickly override logical security practices.

PE.1.131
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132
Escort visitors and monitor visitor activity.
PE.1.133
Maintain audit logs of physical access.
PE.1.134
Control and manage physical access devices.

Domain SC: Systems and Communications Protection

Secure your network boundaries and communications.

SC.1.175
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
SC.1.176
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Domain SI: System and Information Integrity

Protect your network from malicious code execution by applying security patches in a timely manner and using anti-malware software.

SI.1.210
Identify, report, and correct information system flaws in a timely manner.
SI.1.211
Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212
Update malicious code protection mechanisms when new releases are available.
SI.1.213
Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

No practices are required for the following domains at CMMC Level 1:

  • Domain AM: Asset Management
  • Domain AT: Awareness and Training
  • Domain AU: Audit and Accountability
  • Domain CA: Security Assessment
  • Domain CM: Configuration Management
  • Domain IR: Incident Response
  • Domain MA: Maintenance
  • Domain PS: Personnel Security
  • Domain RE: Recovery
  • Domain RM: Risk Management
  • Domain SA: Situational Awareness