
December 5, 2025 27 mins

Submit any questions you would like answered on the podcast!

CMMC Level 1 Self-Assessment Guide: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level1_V2.0_FinalDraft_20211210_508.pdf

In this episode of the CMMC Compliance Guide Podcast, Stacey and Austin from Justice IT Consulting break down CMMC Level 1 in clear, simple terms: what it is, who it applies to, and the exact steps small and mid-sized contractors must take to protect Federal Contract Information (FCI).

You’ll learn what the government expects from Level 1 contractors, how the 15 required practices actually work in real life, what documentation you must maintain for six years, and why the new annual self-assessment requirement matters more than ever.

Whether you’re a machine shop, fabricator, engineering firm, or small manufacturer supporting a prime contractor, this episode gives you the Level 1 foundation you must have in place.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:21):
Hey there.
Welcome to the CMMC Compliance Guide Podcast.
I'm Stacey.

SPEAKER_00 (00:25):
And I'm Austin.

SPEAKER_01 (00:26):
From Justice IT Consulting, where we help
businesses like yours navigate CMMC and NIST 800-171
compliance.
We're hired guns getting companies fast tracked to
compliance, but today we're here to give you all the secrets for
free.
So if you want to tackle it yourself, you're equipped to do
so.
Let's dive into today's episode and keep your business on track.
Today's episode is all about CMMC Level One.

(00:48):
We're going to cover what it is, what the 15 required practices
are, what documentation you need, and whether or not you
have to be assessed by someone else.
If you're a small shop handling federal contract information,
FCI, and you've been told that you need to get CMMC ready, this
is your starting line.
Okay, Austin, let's start simple.
Can you tell us what CMMC level one is?

SPEAKER_00 (01:08):
Yeah, so CMMC level one is from the government's
perspective, I should say, the most basic cybersecurity hygiene
or regiment uh that they want you to have in place to do
business with them, basically.
Um so uh if you're familiar with CMMC level two, um it's trying

(01:28):
to protect what's called CUI, uh, which is controlled
unclassified information.
Um I like to describe it as kind of like the smaller puzzle piece
of broader, bigger, more classified things.
It's not always exactly true, but kind of conceptually gets
the point across.
CMMC level one is is protecting not CUI but FCI, federal

(01:52):
contract information.
Um, and what that is, um again, by no means a complete
definition of what it is, um, but like the way I like to think
of it um is uh information that's not publicly available
that is related to that contract that you have with the

(02:13):
government.
A way to determine if it's publicly available and whether
it's FCI or not is if it's not accessible on a public website
that you don't have to log in for, even if you can register um
for a login for free and then log into it, that doesn't count.
Like unlogged in website that's just basically publicly

(02:34):
advertised, that's not FCI.
Everything else um is more on the FCI thing sort of thing.
So basically, um if you have a contract with the government
that is in the defense space, but maybe even other stuff as
well, um, then you could be handling FCI.
You need to protect it with the minimum safeguards that they

(02:56):
tell you uh they want you to to keep your contract and keep
doing business with them.
So CMMC level one uh has 15 core practices.
Um they all come from the FAR Federal Acquisition Regulation
52.204 hyphen 201 clause, um,which your most of your

(03:17):
contracts probably already include.
Um, of course, we always caution that people go actually look at
their contracts and see what's included to see if you even have
to follow these rules.
Um, but chances are um if you're doing the business with the
government or someone that does business with the government,
it's probably in there.
Um so it's not some new in in invention.

(03:37):
Um but with CMMC level one, it's just now that you you have to
prove that you're doing it.
Um and uh starting in 2025, actually, I think just a couple
days ago, November 10th, um, you need to do a self-assessment
every year um and upload your score into the SPRS A Spurs

(03:59):
system.
Um, and uh quick note on that, um, that if you actually go read
the rules, um it says in there uh in in the FAR um that you
need to retain the evidence as well.
So whenever you self-attest, you need to aggregate or put all the

(04:20):
evidence that you had to say that you were level one um in a
file or folder or or otherwise keep it around so that way if
the government comes knocking, um you can actually prove to
them that you said that in good faith.
Um and it says it's not something that you should do,
um, just out of best practice.

(04:41):
It actually says you have to um retain that for I think it's six
years.
Um don't uh take that to the bank, go read it yourself.
I can't, I'm just that's just coming off the top of the head,
but I think it's something like that.

SPEAKER_01 (04:52):
So Austin, can you walk us through the 15 practices
in plain English?

SPEAKER_00 (04:56):
We'll go ahead and break them into the six
categories of the R.
Um, each category has uh multiple practices, or well, one
or multiple practices.
And the first one um is access control, um and what it's made
up of.
And uh we're we're gonna stay in broad strokes here um today to

(05:18):
kind of get the concept across so you can understand what CMMC
level one is and and and uh what generally you have to do.
Um and so uh in access control, um, what you have to do is limit
who can access systems with FCI.
So a practical interpretation of that, um uh I'll bring up

(05:41):
QuickBooks again.
I like to talk about it a lot um because it's a good example of
um like a lot of customers use a tool.
Um like QuickBooks, it's very commonplace, right?
So, for example, CMMC level two, um, you're probably not gonna be
putting CUI um in your QuickBooks, but what you are

(06:01):
putting in there for sure is FCI, federal contract
information, things like invoices, part numbers, stuff
like that, contract IDs or whatever.
Um, that is all going in QuickBooks.
And so uh QuickBooks, for example, you have to limit who
has access to those systems, what they can do with it, and
you have to document it.

(06:22):
Um, and then of course, anything else that has FCI, but um that's
a um a practical nugget you can take away as an example.
Um, so another piece of access control is making sure that uh
the people that do have access to FCI only have access to what
they need to do to do their job or fulfill the role that they

(06:44):
are in the company.
Um they don't need just broad sweeping access to everything
unless they don't need it.
Uh another is you need to block outsiders from remote access
unless it's secure.
So um pretty simple thing there.
Um, but for example, um if you use QuickBooks Online, then you

(07:06):
would need to set up multi-factor authentication on
your QuickBooks Online.
Um and a lot of people don't have that set up, but for FCI,
it's required.
And anything else that has FCI on it.
So your email, for sure, even if um you don't have CUI, which if
you're level two, um, or you might be in the future, uh, if

(07:28):
you're trying to be level one um then and you're using Microsoft
commercial, then you need to have uh multi-factor
authentication turned on your email because you most likely
have uh FCI in your email.
So this all needs to be documented um and set up in a
similar way that uh level two is, just with less stringent

(07:52):
controls and and a slightly less uh um heavy burden of
documentation.
And then you need to keep uh public data separate from from
FCI.
Uh the next category is identification and authentic
authentication.
Um, the goal here is to know uh who has access um to what,

(08:14):
right?
So a lot of companies uh tend to use shared logons, for example.
Um so uh you may have three people that are in accounting
that all use the accounting login for QuickBooks or this
computer, that computer, this system, or that system.
Um and uh that's not not okay for CMMC level one.

(08:35):
So they need the the best way to do it is to have named user
accounts that is directly attributable to that person.
Um but if you want to use accounting one, accounting two,
accounting three, and you want to map it to um a specific
person in your documentation and say Bobby Sue is accounting one,
um, then that could be sufficient.

(08:58):
Um it's just not preferred.
Um and if we we like to very cleanly play by the rules, and
so we don't typically suggest doing that, but um, it could be
argued that it's perfectly fine as long as you do it correctly.
So the the goal is to have a unique login for everyone.
So whenever they're doing something, uh you can see what

(09:19):
they've done and they only have access to certain things.
So you don't have um potentially multiple people in the same
account that uh could do things, and we can't attribute it to one
individual or the other.
That's the main goal with identity um and identification,
um, and then authentication.
Uh we want to make sure that um we're requiring passwords for

(09:41):
everything, sufficient passwords, um, and logon methods
that actually verify their identity.
So um, you know, sorry to break it to you, but you can't have I
know there's there's a surprising number of of
companies out there that still um uh like to have, and I'm
sorry I'm gonna call you out CEOs um and owners, but um it's

(10:03):
typically y'all, and you want to have a user account that um
doesn't have a password to log in, um, or uh and that's just
not gonna fly anymore because you have compliance, and
compliance says you can't do that.
Um so uh the good times are gone.
You can't do that anymore.
So um you have to implement that.
The the other is uh media protection.

(10:26):
So um media um in terms of IT um is not like you know videos and
popcorn and Netflix.
Um, you know, uh media is uh the uh the thing that data is stored
on, and it's called a medium.

(10:46):
So um and uh uh examples of that would be uh thumb drives,
computers, uh stuff like that.
Those are all mediums in which you can store data um is kind of
the the how the term is being used.
And so uh when you get rid of rid of old computers or USB

(11:07):
drives or thumb drives, um you need to wipe them clean and
destroy them.
Uh your documentation needs to say how you're gonna do it.
You need to have the evidence that you did it and um and
everything else.
So uh that is that's the main thing with media protection, is
just uh they don't want you uh to have a USB drive or a

(11:29):
computer that you have old federal contract information on
or invoices or part numbers and you sold it on eBay or gave it
to your kid um to go do college work on or something.
Um you need to scrub that data, destroy it.
Um, or even if like your USB drive went bad and it's like, oh
well it's it's fine, it doesn't work anymore, you can't get

(11:49):
access to it.
Not sufficient.
You need to destroy it properly in a proved way that you can
reasonably um you know say that the data is gone and can't be
recovered, um and and then document it.
So um, you know, before you give it your old computer to your
kiddos, you gotta you gotta clean it up first.

(12:10):
So uh so physical protection is protecting the physical spaces
in which um your your f FCI information is stored.
So easy way to think about this is you got a laptop or a
computer or a server, um, and you have an office space, um,
those laptops and computers and servers are in the office space.

(12:32):
Um, and uh to protect that physical space uh and the and
the computers inside of it, um, you need to lock your doors.
Uh when you have visitors, you need to escort them.
You have to have a visitor log.
These are the uh kind of things you have to do in CMMC level
one.
Uh, and then you need to store those logs, um, protect those
logs so that way you have integrity of um of the uh the
(12:56):
logs so that way you can prove things later and show it to um
the government if they came knocking.
Uh then you also need to um if you have a uh physical office,
you don't have to go out and spend a bunch of money and get a
um some big uh $2,500 to $3,000 door access control fob system.

(13:19):
Uh that's certainly a way to achieve it.
Um and um it's that was that was what we got quoted uh a couple
years ago.
I'm sure it's more expensive now.
Um uh but uh you don't have to do that.
That is a way to solve it.
Um you can simply just serialize the keys.
Um if you have physical keys, uh get you a dremel.

(13:41):
Um I'm kidding, there's actually serialized keys you you can sell
and have a locksmith make for you.
That's probably an easier way to do it.
Um if you have a digital code um door um and it's got a set of
digital codes, then you would just have like um uh an
inventory of who has what codes, and you would decommission those
codes, change them when people came or left, um, and who

(14:03):
they're attributable to.
Um, so those need to be able to be tied to a person as well.
And then uh, you know, construction trailers, same
thing, unfortunately.
You guys are gonna have to, you know, serialize the keys or do a
punch code and and and maintain an inventory of the construction
trailer uh uh keys.

(14:24):
I bring that one up because um it's uh it's a common one that
we see that um is a bit of a burden for people.
They have to do it, and if they're not doing it, then um
you know they're not compliant.
So it's a little easier for uh maybe a aerospace manufacturer
machine shop.
They're they're kind of used to doing the escorting of visitors
and and the log, and everyone has a fob for to get in the

(14:46):
doors or uh uh key code or a serialized key.
Those would be the main areas um that you're needing to protect
uh physical access.
Um and it probably doesn't need to be said, but you know, your
server room uh ideally would be done the same way uh as well.
Um so if you have a dedicated space for your your servers and

(15:07):
whatnot, you need to uh do all the same things I said uh in the
same way.
So um another category is system and communications protection.
Uh the easiest way um that I can think of off the top of my head
to describe this one, uh, an example is um like a uh website.

(15:28):
So if you host your own website at your office on your own
servers or something, um you you need to segment your networks to
where that website server is not on the same uh network as where
your FCI information is.
So you the goal basically is to not mix and match public-facing

(15:50):
systems with your private production systems where your
FCI is stored.
So you want to segment um those systems where they can't
communicate to each other.
So if you have a uh a public server, like a web server,
website, um, or something like that, then you need to um
separate that and and segment it appropriately.

(16:13):
And the last category is system integrity.
Um, and the main things here um are patching your software and
your computers.
You get updates for all computers and all your software.
Um a lot of times people just go click later, ignore.
Um, well, for CMMC level one, you have to you have to do that
stuff.
Um, and you have to have um um the policies for saying how you

(16:36):
handle it and everything else.
And um the reason being is because um if a lot of the
updates for your software um are not necessarily uh like features
that you're getting from the software provider, they're
actually patching security holes and exploits.

(16:57):
Um, so it's keeping hackers and uh and security holes uh from
being in your network.
And so that's why they want to make sure that happens.
Um the use of antivirus or endpoint detection or something
like that.
So um uh needs to be done properly.
You need to make sure I've got on your all your computers and
it's managed um uh appropriately, and you're

(17:19):
updating it with the latest definitions, um, so that way
it's not working on a year-old um expectation of what viruses
are.
It needs to be updated, uh, much like your um computers and your
software is, um, and then you need to scan for threats
regularly.
So uh you can't just have antivirus on your systems and it

(17:40):
be updated.
You actually have to um prove and show that you're scanning
for threats on a regular uh basis, and and that's all
written in your policies as well.
If you're using tools like Windows or Microsoft 365, which
90% something like of us of us are, um, many of these can be
turned on um with a mild to moderate amount of headache.

(18:05):
You're probably gonna need an IT guy um uh or lady at the end of
the day um to implement these things unless you're just really
savvy.
Um uh but the the real key is making sure you have all the
documentation um that it is set up correctly and how you're
gonna set it up.

SPEAKER_01 (18:23):
Well, I think you and I and our listeners can
agree it's not a CMMC compliance guide podcast episode without
the documentation topic coming up.

SPEAKER_00 (18:32):
You're right.

SPEAKER_01 (18:33):
So let's step into that a little bit further.
What kind of documentation is needed for level one?

SPEAKER_00 (18:40):
So the documentation um that is needed is uh
policies, procedures, evidence.
Um we like to write it in a similar way that your you know
your SSP and supporting policies for CMMC level two is, but um
it very much can easily be just uh um a long set of policies and

(19:01):
procedures um that say how you're satisfying all um six of
these categories, 15 uh of these 15 practices, um that is
completely sufficient.
So um policies is uh you're writing down your rules, um,
what you're doing, for example, your password policy, what it
(19:22):
is, um uh and and how you're doing it.
Um procedures is how you're applying those rules, um, how
it's set up, your procedures for doing so um the good example of
this is your your patching.
Um you know, you have your patching policy, it's gonna be
uh X day of the week and it's done this way, your is done done
(19:45):
X day of the week, um, and your procedure way would be it's done
this way, implemented this way.
Um this is how we do it.
Um and then your evidence would be uh screenshots, reports,
logs, checklists, things like that.
Um uh any otherwise evidence that you've you've done it um

(20:07):
and it's been implemented.
Uh and you want to make sure, again, like I said at the
beginning, um, that you you actually have that evidence in
some sort of repository.
Um if it's a ticketing system, um, you know, file, folder, um,
uh SIM or whatever, uh, I think it's uh go look it up, but I

(20:30):
think it's six years um is what you have to retain it for um at
the date of attestation, um, I believe.
Um so make sure you have your evidence.
That's one that for CMMC level one people just always miss.
You have to have evidence.
Um, and because the rule says you have to have evidence.
So um you don't if you want to risk it, that's on you.

(20:53):
You know, you do your thing.
But um, if I'm attesting, uh I said I did something and the
rule says I have to have the evidence and I have to retain it
for six years, I don't want to get caught if the government
comes knocking.
Um, so you'd my recommendation would be to store all that
evidence and make sure you have it every time that you attest.

SPEAKER_01 (21:11):
For CMMC level one, are they getting assessed or
certified?

SPEAKER_00 (21:16):
Yeah, so they are assessing themselves.
So um there's gonna be no third party assessor, you're not
paying anyone to come in.
I guess you could if you really wanted to.
Um, you know, try and um put your best foot forward, um, but
is not required, and I don't see anyone doing it.

(21:38):
Um, so uh you to be clear, you do not need a third party
assessor, um, but you are gonna do a self-assessment of your own
company once a year and submit your score to um the Spurs
system, the SPRS system.
Um, and again, if I was as I've said several times, you have to

(21:58):
make sure that you have theevidence for that
self-attestment uh on files somewhere um to support that
claim for a period of I think it's six years.
Um so that is the other piece that people tend to leave out.
You can do it yourself, certainly.
Um it'd be good to hire a consultant that's very familiar

(22:21):
with uh CMMC and the standards to make sure you're not missing
something.
Um because uh attesting is attesting that you are doing it.
So even if you you weren't right, um not knowing that you
weren't right is not okay.

(22:42):
Um the the government says, Well, we don't really care if
you you didn't know what you're attesting to, you attested, and
so you're still on the hook for it.
So um that's why we suggest hiring a professional to help
you through your attestment um and through your CMMC program.
They don't have to do everything, but you know,
certainly at least a minimum level of guidance um would be

(23:06):
suggested sugg suggested.
Um, you know, uh if you if you want to write your own contract
um that you have someone sign, uh that's cool, but have a
lawyer look at it.
You know, that's like another common thing.
Like, so just uh you don't want you want to make sure you're not
uh running astray of the rules or the laws or um you know

(23:27):
getting yourself in trouble that you otherwise didn't know if you
didn't hire someone that was more familiar with it.
So um that's what we suggest.
Uh again, not required, it is a self-attestment.
And even if if the government doesn't come knocking, um your
prime or your customer might.
And they uh uh might want to see evidence.
Uh I know um as of of late with the leak the recent changes in

(23:50):
November 10th, um, we've had some uh a fair amount of of
primes um come to our customers um asking for for evidence on
certain items related to their um CMMC level one status.
Um so it's not um unprecedented to uh have your your customer um

(24:11):
looking at more than just your testament and your score and
actually looking for uh some verification uh of it.
Now we've not had them do a full audit, um, haven't seen that
yet, but they've definitely uh picked out um some pieces they
wanted to see uh hard evidence on.

SPEAKER_01 (24:29):
So for viewers and listeners at home, what would
you suggest they get started on today?

SPEAKER_00 (24:36):
Yeah, so um if you're familiar with the
podcast, um you know that we say uh all roads lead to scope or
scoping um or your data flow diagram.
Uh we honestly recommend a very similar uh you know situation
for for CMMC level one, um, and and what scope and and data flow

(24:58):
ultimately boils down to in its simplest term um is uh answering
the question where does FCI, federal contact contract
information, live in my environment?
And you would start with where you get at get it from a
customer, how it travels through your network, who it touches,

(25:20):
who touches it, what systems, programs, cloud apps, QuickBooks,
whatever it it resides or uh in um or traverses.
Um so figure that out.
That's that's figuring out and answering the question where FCI
lives in your environment.
That's first.
Second, um, is review all the 15 controls that we um talked about

(25:43):
today, uh uh and make sure that you meet them.
And I'll tell you what, in in the description, what we can do
is um uh there's uh the government provided CMMC level
one um uh guide.
I think it's a self uh uh test assessment guide or something
like that.
Um we'll drop that in so that way it's easy to find.

(26:06):
Um sometimes it's not always easy, uh, especially when you're
punching CMMC in Google these days, you get a lot of uh
different stuff.
Um, and it's not always the government's.
So um we'll drop that in.
Uh so and you can use that um to uh look at um all 15 um
practices or controls and make sure that you meet them.

(26:28):
Um and then third is document your practices and then draft
your documentation.
So what are your policies, what are your procedures, how are you
achieving these um these 15 requirements?
Um write all that in.
Um, and then once you do all that and you generate your
evidence along with that, then you can fill out your SPRS score

(26:51):
or do your self-attestment.
There are some tools out there that can help you do this.
Um it's a little easier to do CMMC level one without them.
Um uh, but they're certainly out there you can search for them.
Um, probably the easiest place to start um instead of going and
getting some um fancy tool uh unless you just want to, um, uh

(27:13):
is that document that we'll drop in the comment or description or
wherever wherever we decide to put it.

SPEAKER_01 (27:18):
If you have questions about what we covered
today, reach out to us.
We're here to help fast track your compliance journey.
Text, email, or call in your questions, and we'll answer them
for free here on the podcast.
You can find our contact info at cmccomplianceguide.com.
Stay tuned for our next episode.
Until then, stay compliant, stay secure, and make sure to

(27:41):
subscribe.