CMMC Level 1
Domain AC: Access Control
Identify and control who and what has access to your systems.
- AC.L1-3.1.1
  - Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- AC.L1-3.1.2
  - Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L1-3.1.20
  - Verify and control/limit connections to and use of external information systems.
- AC.L1-3.1.22
  - Control information posted or processed on publicly accessible information systems.
Domain IA: Identification and Authentication
Closely tied to Access Control, this Domain contains practices to ensure that only the person assigned to a user account is the one using it.
Domain MP: Media Protection
Safeguard data stored on removable media, such as a USB drive, or even on paper.
Domain PE: Physical Protection
You must protect physical access to your facility and data, as a breach of physical security can be used to quickly override logical security practices.
- PE.L1-3.10.1
  - Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PE.L1-3.10.3
  - Escort visitors and monitor visitor activity.
- PE.L1-3.10.4
  - Maintain audit logs of physical access.
- PE.L1-3.10.5
  - Control and manage physical access devices.
Domain SC: Systems and Communications Protection
Secure your network boundaries and communications.
- SC.L1-3.13.1
  - Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
- SC.L1-3.13.5
  - Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Domain SI: System and Information Integrity
Protect your network from malicious code execution by applying security patches in a timely manner and using anti-malware software.
- SI.L1-3.14.1
  - Identify, report, and correct information system flaws in a timely manner.
- SI.L1-3.14.2
  - Provide protection from malicious code at appropriate locations within organizational information systems.
- SI.L1-3.14.4
  - Update malicious code protection mechanisms when new releases are available.
- SI.L1-3.14.5
  - Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.