CMMC Level 1

Domain AC: Access Control

Identify and control who and what has access to your systems.

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Verify and control/limit connections to and use of external information systems.
Control information posted or processed on publicly accessible information systems.

Domain IA: Identification and Authentication

Closely tied to Access Control, this Domain contains practices to ensure that only the person assigned to a user account is the one using it.

Identify information system users, processes acting on behalf of users, or devices.
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Domain MP: Media Protection

Safeguard data stored on removable media, such as a USB drive, or even on paper.

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Domain PE: Physical Protection

You must protect physical access to your facility and data, as a breach of physical security can be used to quickly override logical security practices.

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Escort visitors and monitor visitor activity.
Maintain audit logs of physical access.
Control and manage physical access devices.

Domain SC: System and Communications Protection

Secure your network boundaries and communications.

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Domain SI: System and Information Integrity

Protect your network from malicious code execution by applying security patches in a timely manner and using anti-malware software.

Identify, report, and correct information system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational information systems.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

No practices are required for the following domains at CMMC Level 1:

  • Domain AT: Awareness and Training
  • Domain AU: Audit and Accountability
  • Domain CA: Security Assessment
  • Domain CM: Configuration Management
  • Domain IR: Incident Response
  • Domain MA: Maintenance
  • Domain PS: Personnel Security
  • Domain RA: Risk Assessment