CMMC Level 1 Certification
The current CMMC guidelines do not require a process assessment for the lowest level of maturity, assuming that processes are ad hoc. The assessed practices must only meet the FAR 52.204-21 requirements. These requirements are the “most basic level of safeguarding” as established in 2016. Technology has advanced significantly since then.
While minimum standards are appealing to organizations subject to CMMC, the requirements for CMMC Level 1 are so low that meeting only those requirements could raise concerns about an organization’s security program. First, the practice requirements established at Level 1 are below what many enforcement authorities expect today. Second, the process requirements are non-existent, while most enforcement authorities require systematic processes.
CMMC Level 1 requires only the most basic security controls. These security controls may not be “reasonable” for the sensitivity of the data that an organization collects. For instance, the CIS 20 includes training, penetration testing, and red team requirements, whereas the FAR clause is silent on these issues. Then-AG Harris considered the CIS 20 the minimum for any personal information; certifying to a lesser standard, especially in cases where more sensitive information is stored, could be problematic.
Next, many enforcement authorities would view an ad hoc security program as unreasonable, even though such a program is sufficient for CMMC Level 1. As an example, the FTC has included in its recent consent decrees a requirement that organizations present their board or equivalent with the organization’s written information security program.
Organizations that seek CMMC Level 1 certification should ensure that the paperwork surrounding the process makes clear that the assessor did not examine their entire cybersecurity program, and only looked at the practices necessary for the organization to meet its DFARS requirements.