Pragmatic Steps to Get CMMC Level 1 Compliant

Get started securing your business as a federal subcontractor with meme driven guidance.

You, too, can follow along with this 50-page PDF CMMC Self-Assessment Guide.

The FAR 52.204-21 “Basic Safeguarding of Covered Contractor Information Systems” outlines what you must do if you have non-public government contract information available at your business.

Here’s how you can quickly move towards becoming more secure and compliant.

Scoping

Every business should consider these items as a general business resilience practice, but CMMC is specifically concerned with protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)—the non-public data.

Before you can start, you’ll need to start writing down where this information is coming from, where it’s going, where it’s being accessed from, who can potentially access it, and what has the ability to access it. You can start by making a list of these assets.

The AFCEA has a great diagram of how you might consider scoping assets for CMMC.

AFCEA.org
Making Progress

There are many many words written for each of the items in the NIST 800-171 document (and assessment requirements) and CMMC Level 1 Guide. For each of these items, there are simple things you can do to start making progress.

This obviously isn’t a replacement for a thorough self-assessment.

1. Limit All Access to Authorized Users Only

Only people who actually need access to government contract info should have it. Start by restricting access now, not later.

Quick Wins - Set up groups in Active Directory or SharePoint for departments that handle federal information and assign users to these groups. Keep it high level. Then remove access when they leave or roles change. Create a quarterly meeting reminder to review these groups for accuracy.

2. Limit Access to Authorized Departments Only
  1. Even if someone has access to files, they should only be able to do what their job requires—nothing more.
  2. Quick Win - Assign roles within Active Directory or SharePoint that restrict what each group can do, like read-only or edit access, but no deletion rights.
3. Control Access To and From External Connections
  1. Make sure only authorized people and devices connect to your systems and that external systems and websites storing sensitive info are protected.
  2. Quick Wins - Disallow personal devices from accessing company information, or use Conditional Access Policies and Mobile Device Management solutions to protect info. Inventory systems, vendors, and platforms. Look at router and firewall connections to ensure only trusted devices and destinations are allowed.
4. Be Careful with Public Posts and Website Files
  1. Don’t let sensitive contract information reach the public. Policies should dictate who can share things online, on third-party websites and forums, and ensure they’re reviewed before and after.
  2. Quick Wins - Write down who can post contract-related information online and a verification process before information relating to a contract is shared or posted.
5. Every User Gets Their Own Login
  1. Every user must have their own login, and all logins should be logged and monitored.
  2. Quick Win - Get rid of shared accounts. Everyone has their own account on everything.
6. Everything Has a Strong Password
  1. Strong passwords aren’t optional. Make sure you’re using unique passwords and follow NIST guidelines.
  2. Quick Wins - Enforce a policy requiring 14-character unique passwords across all systems handling federal information or hardware-backed PINs or biometrics. Start with a good password policy on Active Directory accounts. (yes, NIST says 8 characters and 6 digit PINs, but go 14+ and remove the 90 day change requirement).
7. Safely Destroy Computers and Hard Drives and USB Drives
  1. When it’s time to dispose of devices, make sure you safely sanitize or destroy them.
  2. Quick Wins - Follow NIST 800-88 guidelines to ensure secure destruction of USB drives and hard drives before disposal or re-use. Write down when and how this is down.

8. Only Let Escorted and Approved People Access Sensitive Places

  1. Physical access to sensitive areas needs to be locked down and tracked.
  2. Quick Wins - Define who can access areas with sensitive information in a policy. Lock your doors or otherwise restrict access. Use a sign-in and sign-out logbook. Track where keys and badges are.
9. Protect Networked and Wireless Communications
  1. Create separate networks for sensitive information and control traffic at network boundaries.
  2. Quick Wins - Diagram your internal and external network boundaries - perfection not required. Monitor traffic crossing those boundaries. Restrict ports and isolate inter-device communications.
10. Fix Security Problems
  1. Security flaws are like mold—fix them before they cause irreparable damage.
  2. Quick Wins - Set up a basic process for responding to and, most importantly, resolving security alerts from your antivirus software and employee reports.
11. Install Antivirus on Important Systems
  1. Make sure critical systems have antivirus and firewall protection, and configure automatic scans and cloud-enabled protections.
  2. Quick Wins - Use business-grade Endpoint Detection and Response solutions. “Windows Defender for Business” and Sentinel One are good considerations.
12. Keep Things Updated and Patched
  1. Updates and patches are essential - long gaps between updates and upgrades have been responsible for countless breaches.
  2. Quick Wins - Enable automatic updates on everything you can or unattended upgrades on Linux. Set a patch schedule prioritizing externally facing systems and use the Exploit Prediction Scoring System (EPSS) to prioritize what gets patched.

13. Regularly Scan Systems with Antivirus

  1. Schedule regular antivirus scans and make sure they happen automatically when files are opened or downloaded.
  2. Quick Win - Most respectable security solutions do this by default. Get one.

What Next?

Currently, you’re not required to do more than self-attest at Level One, but it is good practice to add your attestation to SPRS. You’re also not required to have a System Security Plan (aka Information Security Policy and Procedures), nor do you need Plans of Action and Milestones (POAMs) for remediation. You can start preparing for Level Two by documenting the above and starting with an Information Security Policy or System Security Plan.

This is an evolving space with implications for everyone in the Defense space. It will impact your vendors and managed IT companies and the software platforms you use.

There’s more to come, but you can get started today internally. To help kickstart your security program, you might also be interested in the copy-paste Secure Startup Manifesto and its associated resources, documents, and playbooks.

Have a project in mind? Let’s talk

Get in touch

Read more

Hertz Leaks 60,000 Insurance Claim Reports on Their Claims Website

Legitimate emails with bad practices and an insecure website add insult to injury.

How to Ask Your Vendors to Verify Their Security Practices

Your vendors' security practices directly impact your own. Ensuring that your partners have robust data security controls in place is not just about peace of mind—it's a regulatory requirement for many industries, especially when dealing with sensitive information.

A Physical Site Security Audit Checklist You Can Actually Use

This audit checklist is designed to guide you through a thorough review of your site’s security based on leading standards from organizations like ASIS International, ISO, NFPA, and BOMA. Let’s break it down into actionable steps, making sure you can spot weak spots and implement fixes without drowning in paperwork.
Cybersecurity Risk Advisory and Professional Services (i.e. hackers)
Montana Office
563 Ash Rd, Suite B
Kalispell, MT 59901
Pages
HomeAboutBlogServicesContactPrivacy Policy
Resources
CyberPricesSaas HardeningBad PasswordsPrinciplesStartup Security Workbook
Stay in the know
Practical content, no fluff.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.