Under the Cybersecurity Maturity Model Certification Program, a Level One company that holds Federal Contract Information must complete a self-assessment “with an accompanying senior company official affirmation” every year.

Introduction to CMMC Level One

CMMC Level One helps to ensure the contractor meets the basic safeguarding requirements for Federal Contract Information (FCI) specified in FAR Clause 52.204-21. Others can then place added trust in a company's system to protect sensitive data.

Most companies will keep their entire system secure beyond the baseline of the seventeen requirements of NIST-SP-800-171 included in the level one assessment guide. Level one provides you a starting line and not a finish line.

In fact, in “a CMMC Level 1 self-assessment, the assets that process, store, or transmit FCI are considered in scope and should be assessed against the CMMC Level 1 practices.” Yet any basic risk-based cybersecurity plan should meet the level one baseline.

FCI is such an umbrella term for any data generated as part of a federal contract that most companies will not have level one enclaves. Some companies, those with cleared environments, may have some staff that only need access to FCI. Large multinational corporations may have level one business entities to act as a boundary between divisions that hold Controlled Unclassified Information with export controls and international divisions. Yet for the most part companies should assume their entire system, all the people, processes, and technology that get the contract done, falls in a level one scope.

Reading the Assessment Guide

The CMMC Level One Self-Assessment guide includes an overview of the level one assessment practice, the assessment criteria you use, key operational definitions to use during an assessment, and then a description of each assessment practice and a list of all assessment objectives for each practice.

When reading the assessment guide you need to understand the role of the assessment criteria. CMMC uses the NIST CMMC definition of an assessment procedure. This procedure consists of an assessment objective which gets met by using assessment methods that connect to assessment objects, or evidence, to justify the assessment finding. A CMMC practice gets met when all assessment objectives get met. This means your self-assessment needs an assessment procedure for each objective at level one. That means you need 59 assessment procedures. Each procedure will have 2-3 assessment objects. So in your self-assessment you need to document 120-180 pieces of evidence.

You choose the methodologies based on which provides the most adequate depth to the assessment objectives. If your examination of document-based artifacts, or specifications, will provide the greatest depth, focus on that methodology. This focus allows you to apply greater rigor through a more comprehensive examination of the assessment object. Yet in our example of using document-based artifacts, the access control policy may not change between a basic and a comprehensive examination. You increase the rigor of the examination and not the amount of evidence.

Yet you ensure the sufficiency of your evidence by also including coverage from other methodologies. You may not put as strong a focus on assessment objects for other methodologies, but you want to ensure you have a preponderance of quantitative and/or qualitative evidence so anyone who reads your assessment finding would agree.

You also ensure the sufficiency of your coverage by deciding how representative the evidence is of the assessment objective across the sample. This means you must decide on your sample size. Sometimes, such as with an approved software list, you may include them all. When examining testing data of routers and switches, a basic examination may include a representative sample, while a more focused examination would triangulate the assessment finding using other evidence. Finally, a comprehensive examination may include checking the settings or procedures for each component.

If you struggle with deciding on the adequacy of your depth and the sufficiency of the coverage of your evidence, go back to the CMMC assessment practice statement. What is the intent? What evidence best shows you meet this intent for the assessment objective? What methodology? Focus there.

[Figure: screenshot of annotated PDF]

When reading the CMMC Level One Self-Assessment Guide, remember the only prescriptive requirements are the CMMC practice and the determining statements of the assessment objectives that let you know if a practice is met or not met.

References:

CMMC Level 1 Self-Assessment Guide pages are shared by the CMMC-AB using a CMMC-BY license.