Performing Level 1 Self-Assessments Under CMMC Requirements

Our previous article discussed what it meant to scope your self-assessment while pursuing Level 1 Maturity under CMMC. This approach included identifying the boundaries of FCI-holding systems and comprehensively cataloging technology, people, and processes that play a part in that system. 

Here, we take the next step and cover the DoD CIO guidelines for performing your self-assessment.

Assessment Criteria and Methodology Guidelines

The CIO document outlines specific criteria and methodology for conducting a Level 1 self-assessment. This structured approach ensures contractors can accurately assess compliance with CMMC requirements. 

The general assessment criteria are:

The methodology outlined in this document is as follows:

This structured methodology ensures contractors can systematically assess their cybersecurity practices against CMMC Level 1 requirements, facilitating a comprehensive evaluation of their readiness and compliance.

Practice Categories for Self-Assessment

CMMC organizes the cybersecurity practices that need to be assessed into specific categories or domains. Each domain focuses on a different aspect of cybersecurity and includes practices tailored to protect FCI. Here are the categories for the practices defined in the document:

Access Control (AC) practices are designed to limit information system access to authorized users, processes, or devices and manage the types of transactions and functions that authorized individuals are permitted to execute:

Identification and Authentication (IA) includes practices related to identifying and authenticating users’ identities, processes, or devices before allowing access to the organization’s information systems.

Media Protection (MP) focuses on safeguarding digital and non-digital media containing FCI, including procedures for sanitizing and disposing of media to prevent unauthorized access and data leakage.

Physical Protection (PE) covers practices that limit physical access to organizational information systems, equipment, and operating environments to authorized individuals, protecting them from physical threats.

System and Communications Protection (SC) aims to monitor, control, and protect organizational communications at the external and critical internal boundaries of information systems to prevent unauthorized access and data exfiltration.

System and Information Integrity (SI) includes practices that focus on promptly identifying, reporting, and correcting information and information system flaws and providing protection from malicious code at designated locations within organizational information systems.

Each domain encompasses specific practices that organizations must implement and assess as part of their CMMC Level 1 self-assessment. The practices within these domains are designed to establish a foundation of cybersecurity measures that protect the confidentiality, integrity, and availability of FCI handled by the contractor.

Track Your CMMC Systems for Assessment with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including support for CMMC certification (along with our sister company and C3PAO, Lazarus Alliance). We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.