CMMC Level 1

Domain AC: Access Control

Identify and control who and what has access to your systems.

AC.L1-3.1.1
Authorized Access Control: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
AC.L1-3.1.2
Transaction & Function Control: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
AC.L1-3.1.20
External Connections: Verify and control/limit connections to and use of external systems.
AC.L1-3.1.22
Control Public Information: Control information posted or processed on publicly accessible systems.

Domain IA: Identification and Authentication

Closely tied to Access Control, this domain contains practices to ensure that a user account is used only by the person, process, or device it was issued to.

IA.L1-3.5.1
Identification: Identify system users, processes acting on behalf of users, and devices.
IA.L1-3.5.2
Authentication: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Domain MP: Media Protection

Safeguard data stored on removable media, such as a USB drive, or even on paper.

MP.L1-3.8.3
Media Disposal: Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse.

Domain PE: Physical Protection

You must protect physical access to your facility and data, because a breach of physical security can quickly bypass logical security controls.

PE.L1-3.10.1
Limit Physical Access: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
PE.L1-3.10.3
Escort Visitors: Escort visitors and monitor visitor activity.
PE.L1-3.10.4
Physical Access Logs: Maintain audit logs of physical access.
PE.L1-3.10.5
Manage Physical Access: Control and manage physical access devices.

Domain SC: System and Communications Protection

Secure your network boundaries and communications.

SC.L1-3.13.1
Boundary Protection: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
SC.L1-3.13.5
Public-Access System Separation: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Domain SI: System and Information Integrity

Protect your systems from malicious code by applying security patches in a timely manner and using anti-malware software.

SI.L1-3.14.1
Flaw Remediation: Identify, report, and correct system flaws in a timely manner.
SI.L1-3.14.2
Malicious Code Protection: Provide protection from malicious code at designated locations within organizational systems.
SI.L1-3.14.4
Update Malicious Code Protection: Update malicious code protection mechanisms when new releases are available.
SI.L1-3.14.5
System & File Scanning: Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

No practices are required at CMMC Level 1 for the following domains:

  • Domain AT Awareness and Training

  • Domain AU Audit and Accountability

  • Domain CA Security Assessment

  • Domain CM Configuration Management

  • Domain IR Incident Response

  • Domain MA Maintenance

  • Domain PS Personnel Security

  • Domain RA Risk Assessment