The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework that the Department of Defense (DoD) has instituted for prime and subcontractors wanting to provide products or services to the DoD. Keiter is a Registered Provider Organization (RPO) in the CMMC Marketplace.

Helping your business adopt the CMMC


History

  • December 2017: DFARS 252.204-7012 became effective, requiring DoD contractors to comply with NIST SP 800-171. Compliance with 800-171 was achieved via contractor self-certification, which was later determined to be insufficient.
  • January 2020: DoD published CMMC version 1.0.
  • September 2020: DoD published an interim rule, which implemented the timeline for rollout of CMMC version 1.0 to DoD contractors. Contractors with Controlled Unclassified Information (CUI) were also required to begin self-reporting compliance with NIST SP 800-171 in the DoD’s Supplier Performance Risk System (SPRS).
  • November 2021: DoD announced CMMC version 2.0, suspending the rollout of the CMMC requirement until final rules are published. The estimated timeline for final rulemaking is 9 to 24 months.
  • December 2023: DoD published CMMC version 2.0.
  • December 2024: The Title 32 Rule goes into effect. CMMC assessments can begin but will not appear in DoD solicitations until the Title 48 Rule goes into effect.
Key Facts
CMMC 2.0 has three maturity levels (ML-1, ML-2, ML-3). The CMMC maturity level a contractor must comply with will be specified in the DoD solicitation or RFI.
Under CMMC 2.0, the large majority of DoD contractors will be able to continue with self-certification. For these contractors, a senior company official will have to provide an annual affirmation that the company is complying with its maturity level’s CMMC cybersecurity requirements.

The DoD contractors that will have access to information that is deemed to be critical to national security will be required to undergo third-party assessments.
CMMC 2.0 now allows for Plan of Action and Milestones (POAMs) in certain cases.
The DoD is considering providing incentives for contractors who voluntarily obtain a CMMC certification in the interim period.

The DoD is phasing in the implementation of the CMMC program:

Each phase, its timing, and the CMMC requirement that appears in solicitations and contracts:

  • Phase 1 (begins at the Title 48 effective date): Level 1 or Level 2 self-assessment
  • Phase 2 (begins 12 months after the Phase 1 start): Level 2 third-party certification
  • Phase 3 (begins 24 months after the Phase 1 start): Level 3 third-party certification
  • Phase 4 (begins 36 months after the Phase 1 start): all solicitations and contracts carry CMMC Level requirements

CMMC Maturity Levels
The CMMC framework has three maturity levels (ML). ML-1 is the least rigorous, ML-3 the most. The maturity level and assessment requirements are based on the sensitivity of the information shared with the contractor. Contractors who only have access to Federal Contract Information (FCI) will be ML-1. Contractors who have access to Controlled Unclassified Information (CUI) will be ML-2 or ML-3. Contracts that have CUI that the DoD deems not to be critical to national security will be ML-2 and might only require the contractor to annually self-certify compliance with CMMC 2.0.

Maturity Level 1 | Foundational

  • 17 practices
  • Requires the contractor to annually perform a self-assessment

Maturity Level 2 | Advanced

  • 110+ practices aligned with NIST SP 800-171
  • For contracts with critical national security information, requires the contractor to obtain a triennial third-party assessment
  • For contracts with CUI that is not deemed critical to national security, requires the contractor to perform annual self-assessments

Maturity Level 3 | Expert

  • 110+ practices based on NIST SP 800-172
  • Requires the contractor to obtain triennial government-led assessments

DoD contractors need to ensure they are prepared to meet the cybersecurity requirements for their CMMC Maturity Level.

DoD contractors first need to determine the CMMC Maturity Level with which they need to comply. Contractors should review their current contracts and speak with their contracting officers, contracting officer’s technical representative (COTR), or other DoD representative to determine the sensitivity of the information (CUI vs FCI) the government considers the contractor to have.

Once the Maturity Level is determined, contractors should perform an assessment to determine whether there are any CMMC requirements for that Maturity Level that they are not meeting. If gaps are identified, the contractor needs to implement corrective actions to resolve them.

Additionally, if not already performed, DoD contractors with CUI need to perform a self-assessment against NIST SP 800-171 and self-report in the DoD Supplier Performance Risk System (SPRS).

Keiter is a Registered Provider Organization (RPO) in the CMMC Marketplace.

Many DoD contractors will need assistance in getting ready for their self-assessments and/or third-party assessments, including identifying controls, identifying gaps, and developing plans of action and milestones (POA&Ms). Keiter’s Risk Advisory Services team has been providing cybersecurity services and consulting on the major IT frameworks such as NIST SP 800-171, NIST SP 800-53, HIPAA, and others for close to 20 years. As a CMMC RPO, our team can help DoD prime and subcontractors with the following:

  • Readiness Assessments and Gap Analyses against the CMMC Framework
  • Assistance with Remediating Gaps Identified during Readiness Assessment
  • Assistance with the NIST SP 800-171 Self-Assessment that is recorded in the Supplier Performance Risk System (SPRS)


Below is our full collection of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC resource.

AC.L1

  • (AC.L1-3.1.1) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • (AC.L1-3.1.2) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  • (AC.L1-3.1.20) Verify and control/limit connections to and use of external information systems.
  • (AC.L1-3.1.22) Control information posted or processed on publicly accessible information systems.

IA.L1

  • (IA.L1-3.5.1) Identify information system users, processes acting on behalf of users, or devices.
  • (IA.L1-3.5.2) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

MP.L1

  • (MP.L1-3.8.3) Sanitize or destroy information system media containing Federal Contract Information [or Controlled Unclassified Information] before disposal or release for reuse.

PE.L1

  • (PE.L1-3.10.1) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  • (PE.L1-3.10.3) Escort visitors and monitor visitor activity.
  • (PE.L1-3.10.4) Maintain audit logs of physical access.
  • (PE.L1-3.10.5) Control and manage physical access devices.

SC.L1

  • (SC.L1-3.13.1) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  • (SC.L1-3.13.5) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

SI.L1

  • (SI.L1-3.14.1) Identify, report, and correct information and information system flaws in a timely manner.
  • (SI.L1-3.14.2) Provide protection from malicious code at appropriate locations within organizational information systems.
  • (SI.L1-3.14.4) Update malicious code protection mechanisms when new releases are available.
  • (SI.L1-3.14.5) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.


Your Opportunity Advisors

Scott McAuliffe

Risk Advisory Services Partner

Chris Moschella

Risk Advisory Services Senior Manager
