The following table lists the 17 required practices for Cybersecurity Maturity Model Certification (CMMC) Level 1 (L1) systems, grouped by domain and capability, with each practice mapped to its corresponding control in NIST SP 800-171 Rev 2. Capabilities with no Level 1 practice are marked N/A.
| # | Domain | Capability | Level 1 Practice | NIST SP 800-171 Rev 2 |
|---|---|---|---|---|
| 1 | ACCESS CONTROL (AC) | C001 – Establish system access requirements | AC.1.001 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) | 3.1.1 |
| | | C002 – Control internal system access | AC.1.002 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute | 3.1.2 |
| | | C003 – Control remote system access | N/A | |
| | | C004 – Limit data access to authorized users and processes | AC.1.003 – Verify and control/limit connections to and use of external information systems | 3.1.20 |
| | | | AC.1.004 – Control information posted or processed on publicly accessible information systems | 3.1.22 |
| 2 | ASSET MANAGEMENT (AM) | C005 – Identify and document assets | N/A | |
| | | C006 – Manage asset inventory | N/A | |
| 3 | AUDIT AND ACCOUNTABILITY (AU) | C007 – Define audit requirements | N/A | |
| | | C008 – Perform auditing | N/A | |
| | | C009 – Identify and protect audit information | N/A | |
| | | C010 – Review and manage audit logs | N/A | |
| 4 | AWARENESS AND TRAINING (AT) | C011 – Conduct security awareness activities | N/A | |
| | | C012 – Conduct training | N/A | |
| 5 | CONFIGURATION MANAGEMENT (CM) | C013 – Establish configuration baselines | N/A | |
| | | C014 – Perform configuration and change management | N/A | |
| 6 | IDENTIFICATION AND AUTHENTICATION (IA) | C015 – Grant access to authenticated entities | IA.1.076 – Identify information system users, processes acting on behalf of users, or devices | 3.5.1 |
| | | | IA.1.077 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | 3.5.2 |
| 7 | INCIDENT RESPONSE (IR) | C016 – Plan incident response | N/A | |
| | | C017 – Detect and report events | N/A | |
| | | C018 – Develop and implement a response to a declared incident | N/A | |
| | | C019 – Perform post incident reviews | N/A | |
| | | C020 – Test incident response | N/A | |
| 8 | MAINTENANCE (MA) | C021 – Manage maintenance | N/A | |
| 9 | MEDIA PROTECTION (MP) | C022 – Identify and mark media | N/A | |
| | | C023 – Protect and control media | N/A | |
| | | C024 – Sanitize media | MP.1.118 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse | 3.8.3 |
| | | C025 – Protect media during transport | N/A | |
| 10 | PERSONNEL SECURITY (PS) | C026 – Screen personnel | N/A | |
| | | C027 – Protect CUI during personnel actions | N/A | |
| 11 | PHYSICAL PROTECTION (PE) | C028 – Limit physical access | PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals | 3.10.1 |
| | | | PE.1.132 – Escort visitors and monitor visitor activity | 3.10.3 |
| | | | PE.1.133 – Maintain audit logs of physical access | 3.10.4 |
| | | | PE.1.134 – Control and manage physical access devices | 3.10.5 |
| 12 | RECOVERY (RE) | C029 – Manage backups | N/A | |
| | | C030 – Manage information security continuity | N/A | |
| 13 | RISK MANAGEMENT (RM) | C031 – Identify and evaluate risk | N/A | |
| | | C032 – Manage risk | N/A | |
| | | C033 – Manage supply chain risk | N/A | |
| 14 | SECURITY ASSESSMENT (CA) | C034 – Develop and manage a system security plan | N/A | |
| | | C035 – Define and manage controls | N/A | |
| | | C036 – Perform code reviews | N/A | |
| 15 | SITUATIONAL AWARENESS (SA) | C037 – Implement threat monitoring | N/A | |
| 16 | SYSTEM AND COMMUNICATIONS PROTECTION (SC) | C038 – Define security requirements for systems and communications | N/A | |
| | | C039 – Control communications at system boundaries | SC.1.175 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems | 3.13.1 |
| | | | SC.1.176 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | 3.13.5 |
| 17 | SYSTEM AND INFORMATION INTEGRITY (SI) | C040 – Identify and manage information system flaws | SI.1.210 – Identify, report, and correct information and information system flaws in a timely manner | 3.14.1 |
| | | C041 – Identify malicious content | SI.1.211 – Provide protection from malicious code at appropriate locations within organizational information systems | 3.14.2 |
| | | | SI.1.212 – Update malicious code protection mechanisms when new releases are available | 3.14.4 |
| | | | SI.1.213 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed | 3.14.5 |
| | | C042 – Perform network and system monitoring | N/A | |
| | | C043 – Implement advanced email protections | N/A | |