

TO RESILIENCE
Foreword
This guide has been developed by Cyber Florida at USF to support the implementation and maintenance of Cybersecurity Maturity Model Certification (CMMC) Level 1 practices for organizations operating within the state of Florida. It is produced in conjunction with the Florida Cyber Risk Assessment (FCRA), a no-cost tool to assess your organization's cyber posture. It is designed to provide practical insights, actionable steps, and relevant resources tailored to meet the specific needs of small to mid-sized businesses and contractors working with the Department of War (DoW). By focusing on the 15 foundational cybersecurity practices required for CMMC Level 1, this guide aims to help Florida-based organizations strengthen their cybersecurity posture and ensure compliance with federal requirements, ultimately contributing to a more secure and resilient defense supply chain.

Introduction
This guidebook is designed to provide practical, step-by-step guidance for organizations working toward Cybersecurity Maturity Model Certification (CMMC) Level 1 compliance. It translates the official CMMC requirements into actionable strategies, helping small to mid-sized businesses understand what needs to be done, why it matters, and how to do it efficiently—without getting lost in overly technical jargon or unnecessary complexity.
CMMC Level 1 focuses on the basic safeguarding of Federal Contract Information (FCI) through the implementation of foundational cybersecurity practices. While these requirements are considered “Foundational,” failing to meet them can result in disqualification from Department of War (DoW) contracts that require even minimal handling of FCI. This guide aims to demystify those requirements and enable organizations to build a sustainable, audit-ready cybersecurity baseline.
Most companies struggle with the question “Do I actually need CMMC L1?” Here is a quick way to determine whether you do:
1. Check Your Contract or Solicitation for DFARS Clauses
a. Start by examining your current DoD contract or solicitation. Look specifically for DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements). If it’s included, you will need to meet the designated CMMC level—typically Level 1 for Federal Contract Information (FCI)—as part of contract performance. Additionally, the presence of DFARS 252.204-7012, -7019, or -7020 indicates that you handle sensitive information and are likely expected to meet CMMC requirements in future solicitations.
2. Identify Whether You Handle Federal Contract Information (FCI)
a. Even if DFARS 7021 isn’t in your current contract, consider the type of information your organization processes. If you receive, store, transmit, or generate non-public information provided under a DoD contract (classified as FCI), you fall within the expected scope for CMMC Level 1. Companies that only provide pure Commercial Off-The-Shelf (COTS) products are generally exempt from this requirement.
3. Understand Supply Chain Flow-Down Obligations
a. If you are a subcontractor, your CMMC obligations don’t disappear simply because your subcontract doesn’t explicitly state them. When a prime contractor’s contract includes DFARS 7021, they are required to flow down those cybersecurity requirements to all subcontractors that handle FCI or Controlled Unclassified Information (CUI). Many primes already ask suppliers for self-assessment scores or cybersecurity attestations to remain eligible for work.
4. Plan for Future Requirements
a. DoD intends for nearly all future contracts involving FCI to include DFARS 7021, with full rollout expected by mid-late 2026. Organizations that wish to compete for future DoD work—or remain part of a prime’s supply chain—should proactively implement CMMC Level 1 practices now, even if their current contracts do not yet mandate it.
A HELPFUL NOTE
Even if you are not directly required to have CMMC L1, please note that the practices CMMC L1 promotes can only improve your company’s cyber hygiene.
Before you begin this guide, please reference the official documentation provided by the Department of War (DoW):
1. CMMC Scoping Guide
2. CMMC Assessment Guide
3. NIST SP 800-171 Rev.2
Who Should Use This Guide?
This guide is tailored for:
• Small and medium-sized businesses (SMBs) in the Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) and are seeking to achieve or maintain CMMC Level 1 compliance.
• IT administrators, compliance officers, and business owners responsible for implementing or overseeing cybersecurity policies and procedures.
• Organizations that need a plain-language, operational playbook to turn compliance requirements into concrete actions.
• Teams preparing for a CMMC Level 1 self-assessment or external assessment, and seeking confidence in their readiness.
Whether you’re new to compliance or already familiar with NIST 800-171 or DFARS, this guide helps you break down the Level 1 requirements into manageable tasks and decisions, so you can stay focused on protecting your information—and keeping your DoD business.
Key Characteristics of Level 1
• Focus: Protection of FCI through basic cybersecurity measures.
• Practices Required: 15 practices across 6 domains (e.g., Access Control, System & Communications Protection).
• Process Maturity: No formal process maturity is required—organizations simply need to perform the practices.
• Assessment Type: Organizations will be allowed to perform a self-assessment, unless otherwise required by the contract.
• Technology Scope: All systems, devices, people, and processes that store, process, or transmit FCI fall within scope.
Achieving CMMC Level 1 compliance is not just about checking boxes—it’s about building a foundation of trust, resilience, and responsibility in your organization’s cybersecurity practices. This guide is here to help you navigate that process with clarity and confidence. Whether you’re just starting your compliance journey or looking to validate your current efforts, use this playbook as a practical companion. With the right mindset, tools, and structure, CMMC Level 1 is entirely within reach—and a smart investment in your future with the Department of War.
Remember that your submission in the Supplier Performance Risk System (SPRS) serves as your official proof of completing a CMMC Level 1 self-assessment. There is no separate certificate or formal documentation issued by DoD for Level 1—your SPRS entry is what contracting officers and primes will reference to verify compliance. It is therefore critical that your self-assessment is accurate, documented internally, and updated as required to reflect your organization’s current security posture.
Getting Started
Step 1: Understand what you’re protecting
Before you can secure anything, you need to know what you’re protecting and where it lives. For organizations working toward CMMC Level 1, the focus is on Federal Contract Information (FCI). Understanding what qualifies as FCI—and where it exists within your environment—is the essential first step in defining the scope of your cybersecurity efforts. Note that CMMC Level 1 self-assessments carry no documentation requirement for scoping (In-Scope, Out-of-Scope, or Specialized Assets). Even so, if your goal is to pursue CMMC Level 1, you should document these scopes, as they will be a critical part of your system security plan.
In the context of CMMC Level 1, “In-Scope Assets” refers to all systems, devices, applications, users, and processes that store, process, or transmit FCI, as well as anything that could impact the security of those systems.
What Is Federal Contract Information (FCI)?
Federal Contract Information is any information provided by or generated for the U.S. government under a contract that is not intended for public release. It doesn’t have to be classified or sensitive like Controlled Unclassified Information (CUI), but it still requires protection under federal regulations.
Examples of FCI might include:
• Contract specifications or deliverables not publicly available
• Internal communications with the DoD or a prime contractor
• Invoices, purchase orders, and reports related to a federal contract
• Technical data created to fulfill a contract (unless it’s specifically marked for public distribution)
If your organization does business with the DoD—even as a subcontractor—there’s a good chance you’re handling FCI.
Unlike Controlled Unclassified Information (CUI), which must be formally marked in accordance with DoDI 5200.48 and the NARA CUI Registry, Federal Contract Information (FCI) does not have an established government-wide marking requirement. Organizations should not expect to see FCI labeled or portion-marked in the same fashion as CUI. Instead, companies are responsible for identifying and documenting what constitutes FCI within their environment—such as contract documents, deliverables, or related communications—and ensuring that staff understand how to handle it appropriately. While not required, some organizations may choose to apply internal labels (e.g., “Internal Use Only – Contains FCI”) to improve awareness, but this is considered a best practice rather than a compliance mandate.
Identifying Where FCI Is Stored, Processed, or Transmitted
Once you’ve identified what qualifies as FCI in your organization, the next step is to map where it exists across your systems and workflows. This includes both digital and physical locations. Ask yourself:
• Where is FCI stored? (e.g., local drives, file servers, cloud platforms, backups)
• How is FCI transmitted? (e.g., email, file-sharing tools, messaging apps)
• Who accesses FCI, and from what devices? (e.g., company laptops, remote desktops, mobile devices)
• Are there third parties or contractors that come into contact with FCI?
Conducting a basic data inventory or data flow diagram can be extremely helpful here. This doesn’t need to be overly complex, but it should give you a clear picture of all systems, users, and processes that touch FCI. These are the parts of your environment that fall under the scope of CMMC Level 1 and will need to follow the required cybersecurity practices.
By taking the time to identify and document where FCI exists in your environment, you’ll be better positioned to protect it—and avoid wasting time and effort securing systems that don’t need to be in scope.
Now that you have a concept of what FCI is, let’s break it down even further:
In-Scope Assets:
The assets in scope are those that process, store, or transmit Federal Contract Information (FCI). In simple terms, if a system or device touches FCI in any way—whether it’s reading it, saving it, or sending it—it falls within the scope of CMMC Level 1 and must comply with the required security practices.
1. Identify FCI in Your Environment
• Start by listing all the types of FCI your organization receives or generates under DoD contracts.
• Ask: What documents, files, emails, or data qualify as FCI?
2. Locate Where FCI Is Stored, Processed, or Transmitted
• Look across your systems, both on-premises and in the cloud.
• Common FCI locations include:
• Email systems
• Cloud storage (e.g., OneDrive, Google Drive, SharePoint)
• Local workstations and laptops
• File servers or shared network drives
3. Map Out Data Flows
• Create a simple diagram or list that shows how FCI moves through your environment—from receipt, to use, to storage and sharing.
• Include inbound and outbound flows (e.g., FCI emailed to subcontractors or uploaded to portals).
4. Determine Who Has Access
• Identify all users (employees, contractors, vendors) who interact with FCI. Ask: What systems do they use? Are they managed and secured?
5. Assess Supporting Infrastructure
• Include any systems that connect to or support the FCI-handling environment (e.g., domain controllers, antivirus servers, backup systems).
• These may not directly handle FCI but could impact its confidentiality or integrity.
Out-of-Scope Assets:
Systems, devices, applications, or components that do not process, store, or transmit Federal Contract Information (FCI)—and that are also adequately separated from the systems that do. Identifying out-of-scope assets helps organizations focus their compliance efforts and avoid applying unnecessary security controls to parts of the business that don’t handle FCI.
Assets can be considered out of scope if they meet the following criteria:
• They never handle FCI – The system has no access to, or interaction with, FCI in any form.
• They are properly segmented – The system is isolated from in-scope environments through physical, logical, or administrative controls (e.g., VLANs, firewalls, access restrictions).
• They don’t affect the confidentiality, integrity, or availability of FCI systems – Supporting infrastructure like printers, IoT devices, or internet-only computers that don’t interact with FCI systems may be considered out of scope if they can’t impact those systems.
Common examples of out-of-scope assets:
• Personal devices that never access work systems or FCI
• Business systems used only for marketing, HR, or public-facing websites
• Segmented guest Wi-Fi networks
• Systems used solely for commercial or non-federal contracts
A Caution on Assumptions
Just because an asset isn’t intended to handle FCI doesn’t mean it’s automatically out of scope. You’ll need to ensure there are clear technical or administrative boundaries—and document them. Otherwise, assessors (or auditors during a self-assessment) may include them as part of your security perimeter.
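The In-Scope and Out-of-Scope criteria above can be applied mechanically to an asset inventory. The script below is an added example (not a Cyber Florida tool): it marks FCI-handling assets as in scope, pulls in any connected supporting infrastructure, leaves segmented assets out of scope, and warns about dependencies that are referenced but missing from the inventory. Asset names and connections are constructed sample data.

```python
"""Scope classifier for a CMMC Level 1 asset inventory.

Added example (not Cyber Florida's tool). It applies the guide's own rules:
  * an asset that stores, processes, or transmits FCI is in scope;
  * supporting infrastructure connected to an in-scope asset (domain controller,
    backup or antivirus server) is in scope even though it never holds FCI;
  * an asset that never handles FCI and has no connection to an in-scope asset,
    i.e. is segmented from them, is out of scope.
Asset names and connections below are constructed sample data.
"""
from collections import deque

# Constructed inventory: asset -> whether it handles FCI and what it connects to.
INVENTORY = {
    "fileserver01":  {"handles_fci": True,  "connects_to": ["dc01", "backup01"]},
    "laptop-eng-07": {"handles_fci": True,  "connects_to": ["fileserver01", "m365-email"]},
    "m365-email":    {"handles_fci": True,  "connects_to": []},
    "dc01":          {"handles_fci": False, "connects_to": ["backup01"]},
    "backup01":      {"handles_fci": False, "connects_to": []},
    "av-console":    {"handles_fci": False, "connects_to": ["laptop-eng-07"]},
    "guest-wifi-ap": {"handles_fci": False, "connects_to": []},
    "marketing-web": {"handles_fci": False, "connects_to": []},
    "lobby-printer": {"handles_fci": False, "connects_to": []},
}

HANDLES_FCI = "in-scope (handles FCI)"
SUPPORTING = "in-scope (supporting infrastructure)"
OUT_OF_SCOPE = "out-of-scope"


def build_adjacency(inventory):
    """Treat every connection as bidirectional: a backup server that pulls from a
    file server can affect that server's data just as the reverse can.
    Peers that are missing from the inventory are reported, not silently ignored."""
    adjacency = {name: set() for name in inventory}
    unknown = set()
    for name, entry in inventory.items():
        for peer in entry["connects_to"]:
            if peer not in inventory:
                unknown.add(peer)
                continue
            adjacency[name].add(peer)
            adjacency[peer].add(name)
    return adjacency, unknown


def classify_scope(inventory):
    """Return (classification, reason, unknown_peers).

    classification: asset -> one of the three labels above.
    reason: asset -> the FCI-handling asset that pulls it into scope.
    """
    adjacency, unknown = build_adjacency(inventory)
    classification, reason = {}, {}
    queue = deque()
    for name, entry in inventory.items():
        if entry["handles_fci"]:
            classification[name] = HANDLES_FCI
            reason[name] = name
            queue.append(name)
    # Breadth-first walk outward from every FCI asset; anything reachable is
    # supporting infrastructure and records which FCI asset brought it in.
    while queue:
        current = queue.popleft()
        for peer in sorted(adjacency[current]):
            if peer not in classification:
                classification[peer] = SUPPORTING
                reason[peer] = reason[current]
                queue.append(peer)
    for name in inventory:
        classification.setdefault(name, OUT_OF_SCOPE)
        reason.setdefault(name, "no FCI and no connection to an in-scope asset")
    return classification, reason, unknown


def scope_report(inventory):
    """Lines suitable for pasting into a scoping worksheet."""
    classification, reason, unknown = classify_scope(inventory)
    lines = [f"{name:<14} {classification[name]:<38} via {reason[name]}"
             for name in sorted(inventory)]
    for peer in sorted(unknown):
        lines.append(f"WARNING: {peer} is referenced but missing from the inventory")
    return lines


if __name__ == "__main__":
    print("\n".join(scope_report(INVENTORY)))
```

A warning line about a missing dependency is the signal the "Caution on Assumptions" above is about: the boundary is not documented until that asset is inventoried and classified too.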
Specialized Assets
At CMMC Level 1, specialized assets are not subject to additional requirements the way they are at Levels 2 and 3. However, they are still part of your environment, and if they process, store, or transmit FCI, they are in scope.
Specialized assets are a specific category of systems or devices that may exist in your environment but do not function like general-purpose IT systems. While they might fall within the broader security perimeter, they often require tailored considerations due to their unique roles, configurations, or limitations. The Department of Defense defines specialized assets in the context of CMMC as systems that may not be easily secured using standard security tools or practices but still need to be addressed in a meaningful way during your assessment.
These assets include:
• Operational Technology (OT) – Systems that monitor or control industrial processes (e.g., PLCs, SCADA systems).
• Internet of Things (IoT) Devices – Smart cameras, sensors, or environmental controls.
• Government-Furnished Equipment (GFE) – Devices provided by a federal agency that your organization does not fully control.
• Test Equipment and Lab Systems – Devices used in R&D or QA environments, often with limited connectivity.
• Legacy Systems – Older systems that cannot be easily patched or updated but are still in use for critical operations.
What should you do for Specialized Assets?
For CMMC Level 1 it is not required to document specialized assets, but in practice it is best to at least understand what you can do:
• Identify any specialized assets early in your scoping process.
• Document how they are used and whether they handle FCI.
• Segment or isolate them if possible, to reduce compliance complexity.
• Apply reasonable safeguards, even if full compliance is not technically feasible (e.g., network monitoring, access control, limited connectivity).
The 15 CMMC Level 1 Practices (Organized By Domain)
The core of your CMMC assessment will be understanding these 15 CMMC requirements below. Each of the following sections is designed to help you understand and implement the CMMC Level 1 practices with confidence. For every practice, you’ll find a clear explanation of what it requires, why it matters, and how it applies in real-world scenarios. We provide step-by-step implementation guidance, along with example tools, scripts, and policy templates to support your efforts. To wrap up each section, a verification checklist is included to help you confirm that the practice is being properly performed and maintained. Please reference the CMMC Assessment Guide in parallel with this document to assess the official DoD objectives for each security requirement.
Depending on the service providers and platforms your organization relies on, some CMMC Level 1 requirements may already be inherently satisfied as part of the provider’s standard security controls. For example, cloud service providers, managed IT firms, or email hosting platforms often handle functions such as physical security of data centers, encryption of data in transit, or backup management. While this can reduce your organization’s direct burden, it remains your responsibility to verify and document which controls are covered by the provider, ensure they align with contractual and regulatory expectations, and maintain evidence (such as shared responsibility matrices or compliance attestations) to demonstrate how these inherited controls support your self-assessment.
Access Control
Access Control refers to the security practices that ensure only authorized individuals can access your systems, data, and physical spaces—especially those that handle Federal Contract Information (FCI). The goal is to limit access to FCI to only those who need it to perform their job duties, reducing the risk of unauthorized disclosure or misuse. At CMMC Level 1, Access Control is about basic, practical safeguards that restrict who can use systems and what they can do once logged in.
Why Access Control Matters? Without proper access control, anyone (internal or external) could potentially view, alter, or steal sensitive government-related information. Even accidental exposure by well-meaning employees can have serious consequences, including non-compliance, contract risk, or data breaches. It is important to have an Access Control policy, for which Cyber Florida will provide a reference.
AC. 3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Practice Explanation: This control requires you to make sure that only approved people, devices, and processes can access your systems—especially those that handle Federal Contract Information (FCI). That means you must prevent unauthorized users from logging in, stop unknown devices from connecting, and ensure that only trusted software or processes can act on behalf of users.
In simpler terms: only the right people, using approved systems, should be able to get into your network or applications.
Why it Matters?
Allowing unrestricted access is a major security risk. Unauthorized access—whether by an outside attacker, a rogue employee, or even a well-meaning user who’s using an unapproved device—can lead to accidental or intentional exposure of sensitive information. This control is your first line of defense in ensuring FCI is only available to people and systems that truly need it.
Real-World Examples
1. A company laptop gets lost, and someone tries to use it to log into company email. Because access is restricted to authorized devices, the login is blocked.
2. An employee tries to install unauthorized software that attempts to access customer data. The software fails because only trusted processes are allowed to interact with sensitive systems.
3. A temporary contractor is added to the system with limited access only to the folders they need—and their account is automatically disabled after the contract ends.
How to Implement It (Cookbook-Style Steps)
1. Create a list of authorized users
• Define who should have access to your systems that process FCI.
• Include full-time staff, contractors, and any service accounts.
2. Set up user accounts with unique credentials
• No shared logins.
• Enforce strong passwords or multifactor authentication (MFA) if possible.
3. Limit access based on roles
• Use role-based access control (RBAC) to ensure users only see what they need.
4. Maintain a list of authorized devices
• Use an inventory system to track approved laptops, desktops, mobile devices, and servers.
• Block unregistered or personal devices from connecting to networks handling FCI.
5. Restrict access by device
• Use device management tools (like Microsoft Intune, Jamf, or endpoint protection platforms) to allow only known, compliant devices to access systems.
6. Control automated processes
• Ensure any scripts or software that run on behalf of a user (like backups or data sync tools) are reviewed, approved, and monitored.
7. Regularly review access
• Conduct monthly or quarterly audits of user accounts and devices.
• Disable accounts that are no longer needed.
8. Log and monitor access attempts
• Enable logging of successful and failed login attempts on systems that handle FCI, and review the logs periodically for unexpected users or devices.
Verification Checklist
User Access Controls
❑ A list of authorized users is maintained and reviewed regularly
❑ Each user has a unique account (no shared logins)
❑ Access is based on job role or need-to-know
❑ User accounts are disabled or removed promptly when no longer needed (e.g., terminated employees or expired contracts)
Device Access Controls
❑ An inventory of all authorized devices is documented and kept up to date
❑ Only company-approved or managed devices can access systems with FCI
❑ Personal or unknown devices are blocked or segmented from FCI systems
Processes and Software
❑ Only approved applications/processes can run or act on behalf of users
❑ Automated tasks (e.g., scripts or service accounts) are limited and documented
Monitoring and Maintenance
❑ Access logs are enabled and reviewed periodically
❑ There is a documented process for onboarding and offboarding users and devices
❑ User permissions are reviewed at least annually, or when roles change
AC. 3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Practice Explanation:
This control is about ensuring that users can only do what they are authorized to do once they access a system. It’s not just about who can log in—it’s also about what they can see, change, or execute after logging in. You need to apply role-based or permission-based restrictions so that users don’t have more access than necessary to perform their job functions.
In short: don’t give users the keys to the whole kingdom when they only need access to one room.
Why it Matters?
Even trusted users can make mistakes—or abuse their access. By restricting users to only the functions and data they need, you reduce the risk of accidental damage, data exposure, or internal misuse. This is especially important in small businesses where IT roles often overlap, and it’s easy to give “full access” out of convenience.
Restricting functionality also limits the blast radius if a user account is ever compromised by a phishing attack or malware.
Real-World Examples
• A shipping clerk can access the order processing system but can’t view HR files or system configuration settings.
• A temporary contractor has access only to a specific project folder— not the entire shared drive.
• A marketing employee logs into their email and collaboration tools, but can’t install software or make administrative changes to the company IT infrastructure.
How to Implement It (Cookbook-Style Steps)
1. Define User Roles
• List the main job functions in your organization (e.g., admin, engineer, HR, contractor). Determine what systems and actions each role needs to perform their duties.
• Include full-time staff, contractors, and any service accounts.
2. Set Up Role-Based Access Control (RBAC)
• Use your systems’ built-in permissions features to assign users to roles or groups. For example, in Microsoft 365 or Google Workspace, set up groups like “Finance,” “Sales,” or “IT Admins” with appropriate access levels.
3. Assign the Least Privilege Needed
• Give users only the minimum access necessary to perform their work. Avoid assigning “Administrator” or “Full Access” rights unless absolutely required.
4. Restrict System Functions
• Disable or restrict functions a role does not need, such as installing software, changing system configuration, or making administrative changes, using the built-in policy settings of your operating systems and applications.
5. Regularly Review and Adjust Access
• Periodically audit who has access to what, especially after job changes or project completion. Remove unnecessary rights immediately.
6. Document Permissions
• Keep a record of role definitions and permission settings for compliance and troubleshooting.
Verification Checklist
Role and Access Definitions
❑ User roles and associated permissions are defined.
❑ Access levels are based on job responsibilities.
❑ Admin-level privileges are limited and justified.
System Configuration
❑ Permissions are configured in systems, applications, and file shares.
❑ Users cannot perform actions outside of their authorized role.
Ongoing Review
❑ Access permissions are reviewed at least annually or when job roles change.
❑ Outdated or unnecessary permissions are promptly removed.
❑ Access changes are documented and approved.
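The periodic review described in AC 3.1.1 (steps 2, 4, 5 and 7) and AC 3.1.2 (steps 2, 3 and 5) can be scripted against an export from your directory or identity provider. The script below is an added example (not from the guide or Cyber Florida) that flags shared logins, sign-ins from unregistered devices, dormant and expired-contract accounts, and permissions beyond a role's baseline. Accounts, devices, roles, the 90-day dormancy threshold and sign-in records are all constructed sample data.

```python
"""Periodic access review for the Access Control practices.

Added example (not from the guide or Cyber Florida). Each check maps to a step above:
  shared logins              -> AC 3.1.1 step 2
  unregistered devices       -> AC 3.1.1 steps 4 and 5
  dormant / expired accounts -> AC 3.1.1 step 7 and real-world example 3
  permissions beyond role    -> AC 3.1.2 steps 2, 3 and 5
All accounts, devices, roles and sign-in records are constructed sample data;
in practice they would be exported from your directory or identity provider.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2025, 9, 30)          # constructed date of this review
DORMANT_AFTER = timedelta(days=90)       # assumption: 90 days without login = dormant

# Constructed RBAC baseline: the permissions each role needs, nothing more.
ROLE_BASELINE = {
    "engineer":   {"read:fci-share", "write:fci-share", "use:email"},
    "shipping":   {"read:orders", "write:orders", "use:email"},
    "it-admin":   {"read:fci-share", "write:fci-share", "use:email",
                   "admin:workstations", "admin:m365"},
    "contractor": {"read:project-x", "use:email"},
}

AUTHORIZED_DEVICES = {"LT-ENG-07", "LT-ENG-12", "WS-SHIP-01", "LT-IT-01"}

ACCOUNTS = [
    {"user": "a.rivera", "role": "engineer", "owners": ["A. Rivera"], "enabled": True,
     "last_login": date(2025, 9, 29), "contract_end": None,
     "permissions": {"read:fci-share", "write:fci-share", "use:email"}},
    # A desk login used by two people, later granted M365 admin "for convenience".
    {"user": "shipping-desk", "role": "shipping", "owners": ["B. Chen", "C. Diaz"],
     "enabled": True, "last_login": date(2025, 9, 28), "contract_end": None,
     "permissions": {"read:orders", "write:orders", "use:email", "admin:m365"}},
    # A contractor whose engagement ended in June but whose account was never disabled.
    {"user": "temp.jsmith", "role": "contractor", "owners": ["J. Smith"], "enabled": True,
     "last_login": date(2025, 5, 2), "contract_end": date(2025, 6, 30),
     "permissions": {"read:project-x", "use:email"}},
    {"user": "it.admin", "role": "it-admin", "owners": ["D. Lee"], "enabled": True,
     "last_login": date(2025, 9, 30), "contract_end": None,
     "permissions": {"read:fci-share", "write:fci-share", "use:email",
                     "admin:workstations", "admin:m365"}},
]

# Constructed sign-in records from the review period: (user, device name).
LOGIN_EVENTS = [
    ("a.rivera", "LT-ENG-07"),
    ("shipping-desk", "WS-SHIP-01"),
    ("a.rivera", "PERSONAL-MACBOOK"),
    ("it.admin", "LT-IT-01"),
]


def review_access(accounts, authorized_devices, events, baseline, today=REVIEW_DATE):
    """Return a list of (user, finding, detail) tuples for the review record."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                     # already disabled; nothing to review
        user = acct["user"]
        if len(acct["owners"]) > 1:
            findings.append((user, "shared-login",
                             f"used by {len(acct['owners'])} people: {', '.join(acct['owners'])}"))
        if acct["contract_end"] and acct["contract_end"] < today:
            findings.append((user, "expired-contract", f"contract ended {acct['contract_end']}"))
        if today - acct["last_login"] > DORMANT_AFTER:
            findings.append((user, "dormant", f"last login {acct['last_login']}"))
        excess = acct["permissions"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((user, "excess-permissions",
                             f"beyond {acct['role']} baseline: {', '.join(sorted(excess))}"))
    for user, device in events:
        if device not in authorized_devices:
            findings.append((user, "unregistered-device", device))
    return findings


def accounts_to_disable(findings):
    """Accounts the review says should be disabled now (AC 3.1.1 step 7)."""
    return sorted({user for user, kind, _ in findings if kind in ("dormant", "expired-contract")})


if __name__ == "__main__":
    results = review_access(ACCOUNTS, AUTHORIZED_DEVICES, LOGIN_EVENTS, ROLE_BASELINE)
    for user, kind, detail in results:
        print(f"{user:<14} {kind:<20} {detail}")
    print("Disable:", accounts_to_disable(results))
```

Keep the printed findings with the date of the review; that record is the evidence behind the "reviewed regularly" and "access changes are documented" checklist items.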
AC. 3.1.3: Verify and control/limit connections to and use of external information systems.
Practice Explanation:
This requirement is about monitoring, managing, and limiting how your internal systems connect to systems that are outside your organization’s control—such as third-party cloud services, file-sharing platforms, personal email accounts, or vendors’ systems.
The goal is to prevent unauthorized or insecure connections that could expose Federal Contract Information (FCI) or introduce cybersecurity risks.
In short: you must know when your systems are reaching outside your network—and control how that happens.
Why it Matters?
External systems are often outside of your security protections and monitoring. If users or systems freely connect to untrusted external platforms, FCI could be leaked, stolen, or compromised without your knowledge.
Controlling these connections helps keep FCI within your trusted environment and protects it from being exposed via insecure channels.
Real-World Examples
• Employees are prevented from emailing FCI to personal email accounts like Gmail or Yahoo.
• A contractor cannot connect a personal laptop to the corporate Wi-Fi network without approval.
• The company blocks access to unauthorized cloud storage sites (e.g., Dropbox, Box) unless explicitly allowed for business use.
• A workstation is not allowed to connect to an unknown external USB drive.
How to Implement It (Cookbook-Style Steps)
1. Define What Counts as an External System
• Any system you don’t fully control: cloud apps, vendor platforms, personal devices, home networks, etc.
2. Consider an Acceptable Use Policy
• Document what types of external systems are allowed or prohibited. Be clear about rules for file sharing, remote work, personal devices, and external drives.
3. Limit Network Connections
• Use firewall rules or DNS filtering to block access to unauthorized websites or services (e.g., personal Dropbox, Tor networks).
• Allow only business-approved cloud services for FCI (e.g., M365 or a specific DoD-approved platform).
4. Restrict Device Usage
• Prevent personal laptops or phones from accessing FCI systems unless securely managed (e.g., via MDM or VPN).
5. Control Remote Access
• Use VPNs or secure gateways for remote access. Require MFA and device validation for external logins.
6. Log and Monitor External Connections
• Monitor network logs to detect unusual outbound connections.
• Alert on connections to known risky or unsanctioned domains.
7. Educate Your Users
• Train staff not to use personal email or file-sharing apps for FCI. Explain why using unapproved systems is a security risk.
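Step 6 above (log and monitor external connections) is the one most often skipped because nobody has time to read firewall logs. The script below is an added example (not a tool from the guide) that reads firewall- or proxy-style log lines, sorts each destination into approved, unsanctioned (the personal email and cloud storage services this practice names) or unknown, and raises alerts for review. The log format, host addresses, the approved-service list and the log lines themselves are constructed sample data.

```python
"""Outbound connection review for AC 3.1.3 step 6.

Added example, not a tool from the guide. It reads firewall/proxy-style log lines,
classifies each destination, and produces alerts for an administrator to review.
The log format, host addresses, approved services and log lines are all constructed
sample data; adapt LINE_RE to your own firewall, DNS filter or proxy export.
"""
import re
from collections import Counter

# Assumed approved business services (suffix match, so sub-domains are covered).
APPROVED_SUFFIXES = ("office365.com", "microsoft.com", "sharepoint.com")

# Unsanctioned destinations, grouped by the categories the practice calls out.
UNSANCTIONED = {
    "gmail.com": "personal email",
    "mail.yahoo.com": "personal email",
    "dropbox.com": "unapproved cloud storage",
    "box.com": "unapproved cloud storage",
}

FCI_HOSTS = {"10.0.5.23", "10.0.5.41"}   # constructed: addresses of in-scope workstations

LOG_LINES = """\
2025-09-30T14:02:11Z src=10.0.5.23 user=a.rivera dst=outlook.office365.com action=allow
2025-09-30T14:05:40Z src=10.0.5.23 user=a.rivera dst=www.dropbox.com action=allow
2025-09-30T14:07:02Z src=10.0.7.10 user=b.chen dst=mail.yahoo.com action=block
2025-09-30T14:09:55Z src=10.0.5.41 user=c.diaz dst=files.vendor-example.net action=allow
2025-09-30T14:11:13Z src=10.0.5.41 user=d.lee dst=login.microsoft.com action=allow
this line is not in the expected format
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def suffix_match(host, suffix):
    # The leading dot matters: "dropbox.com" must not match the suffix "box.com".
    return host == suffix or host.endswith("." + suffix)


def classify_destination(host):
    """Return ('approved', None), ('unsanctioned', category) or ('unknown', None)."""
    host = host.lower()
    for suffix, category in UNSANCTIONED.items():
        if suffix_match(host, suffix):
            return "unsanctioned", category
    if any(suffix_match(host, s) for s in APPROVED_SUFFIXES):
        return "approved", None
    return "unknown", None


def review_connections(lines, fci_hosts=FCI_HOSTS):
    """Return (alerts, unparsed_count). Severity follows what the practice cares about:
    FCI leaving to an unsanctioned service is high; a blocked attempt is a user-training
    item; an unknown destination reached from an FCI host needs a look."""
    alerts, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1            # count rather than drop: a broken export hides events
            continue
        verdict, category = classify_destination(rec["dst"])
        from_fci = rec["src"] in fci_hosts
        if verdict == "approved":
            continue
        if verdict == "unsanctioned" and rec["action"] == "allow":
            origin = "an FCI" if from_fci else "a non-FCI"
            severity, reason = "high", f"{category} reached from {origin} host"
        elif verdict == "unsanctioned":
            severity, reason = "info", f"blocked attempt to reach {category}; follow up with user"
        elif from_fci and rec["action"] == "allow":
            severity, reason = "medium", "unknown external service reached from an FCI host"
        else:
            continue
        alerts.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                       "dst": rec["dst"], "severity": severity, "reason": reason})
    return alerts, unparsed


def severity_summary(alerts):
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found, skipped = review_connections(LOG_LINES)
    for a in found:
        print(f"[{a['severity']:<6}] {a['ts']} {a['user']}@{a['src']} -> {a['dst']}: {a['reason']}")
    print("summary:", severity_summary(found), "unparsed lines:", skipped)
```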
Verification Checklist
Policies and Definitions
❑ An acceptable use policy or your Access Control policy defines external systems and usage restrictions.
❑ The policy is communicated to all users (and acknowledged).
❑ Business-approved external services are documented.
Technical Controls
❑ Web and network filtering blocks access to unauthorized services (if applicable).
❑ USB ports or removable media are restricted or monitored.
❑ Remote access is secure, limited, and logged.
Monitoring and Training
❑ User behavior related to external systems is monitored.
❑ Staff are trained on what external systems are allowed.
❑ Suspicious or unauthorized external connections are investigated.
AC. 3.1.4: Control FCI posted or processed on publicly accessible systems.
Practice Explanation: This practice requires you to make sure that sensitive information like Federal Contract Information (FCI) is not stored, processed, or displayed on systems that are open to the public—such as websites, blogs, file-sharing platforms, or forums. Publicly accessible systems are any systems that can be accessed by users without authentication or restrictions.
In short: do not put FCI anywhere that the general public can see or download it.
Even though the corresponding control in NIST SP 800-171 references CUI, organizations pursuing CMMC Level 1 must still prevent public exposure of FCI, which is a basic safeguarding requirement under FAR 52.204-21.
Why it Matters?
Information posted to the internet—intentionally or accidentally—can quickly become permanently accessible, indexed by search engines, or harvested by malicious actors. Once FCI is exposed publicly, it could violate your DoD contract, damage your reputation, and increase risk of cyberattack.
This requirement is about avoiding accidental leaks and ensuring employees understand the boundaries between public and protected information.
Real-World Examples
• A project proposal containing contract data is accidentally uploaded to the company’s public website instead of an internal portal.
• A team member copies FCI into a shared Google Doc without access restrictions, and the link is shared with people outside the company.
• A marketing team unknowingly posts screenshots containing FCI on social media during a product launch.
How to Implement It (Cookbook-Style Steps)
1. Identify Publicly Accessible Systems
• These include your company website, public FTP servers, blogs, social media, or shared document links with “anyone with the link” access.
2. Create and Enforce a Data Handling Policy
• Clearly define what FCI is and state that it must never be posted to public systems.
• Include guidance on secure file sharing and approvals before publishing content.
3. Restrict Upload Permissions
• Limit who can upload or post content to your public website or external platforms.
• Use access controls and workflow approvals for content publication.
4. Use Secure Collaboration Tools
• Use approved cloud services (e.g., Microsoft 365 or Google Workspace) with proper access controls in place. Avoid tools that default to public sharing unless settings are reviewed.
5. Conduct Periodic Reviews
• Scan your public-facing systems for unintentional exposure of FCI.
6. Train Your Staff
• Educate employees about what FCI is and what not to share publicly.
• Include this in onboarding, annual security training, or content approval workflows.
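Step 5 (periodic review of public-facing systems) can be partly automated. The script below is an added example, not a tool from the guide: it takes an inventory of items that live on publicly accessible systems, checks for public or "anyone with the link" sharing, and searches their text for FCI indicators: the optional internal label mentioned earlier ("Internal Use Only – Contains FCI"), identifiers shaped like a DoD contract number (the FAR 4.1603 PIID pattern, treated as an indicator rather than proof), and a few contract-related phrases. Document locations, sharing settings, contents and the sample contract numbers are constructed.

```python
"""Public exposure scan for AC 3.1.4 step 5.

Added example (not from the guide). Two checks over constructed sample data:
  1. sharing settings: anything "public" or "anyone-with-link" is publicly accessible
     in the sense of this practice; "restricted" items are skipped;
  2. content: publicly accessible text is searched for FCI indicators.
The PIID regex follows the FAR 4.1603 contract-number layout (6-character issuing
office code, 2-digit fiscal year, 1-letter instrument type, 4-character serial).
A match is a reason to look, not proof that the item is FCI.
"""
import re

FCI_LABEL = "internal use only – contains fci"        # label from the guide, matched case-insensitively
PIID_RE = re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-[A-Z0-9]{4}\b")
PHRASE_RE = re.compile(r"\b(federal contract information|statement of work|contract deliverable)\b", re.I)
PUBLIC_SHARING = {"public", "anyone-with-link"}

# Constructed inventory of items published on public systems (website, shared-link documents).
PUBLIC_ITEMS = [
    {"location": "https://www.example-co.test/news/launch", "sharing": "public",
     "text": "We are proud to announce our new product line, available this fall."},
    {"location": "https://www.example-co.test/uploads/proposal-draft.pdf", "sharing": "public",
     "text": "Internal Use Only – Contains FCI. Proposal for contract W911NF-21-C-0001, "
             "deliverable schedule attached."},
    {"location": "docs.example.test/d/abc123", "sharing": "anyone-with-link",
     "text": "Statement of Work revision 3 for the prime contractor."},
    {"location": "docs.example.test/d/def456", "sharing": "restricted",
     "text": "Contract deliverable tracker for N00019-24-C-1234."},
]


def find_indicators(text):
    """Return a list of (kind, matched_text) for every FCI indicator found in text."""
    found = []
    if FCI_LABEL in text.lower():
        found.append(("fci-label", "Internal Use Only – Contains FCI"))
    for match in PIID_RE.findall(text):
        found.append(("contract-number", match))
    for match in PHRASE_RE.findall(text):
        found.append(("contract-phrase", match))
    return found


def recommended_action(sharing, indicators):
    kinds = {kind for kind, _ in indicators}
    if "fci-label" in kinds or "contract-number" in kinds:
        return "remove from public system now; review how it was published"
    if sharing == "anyone-with-link":
        return "switch link sharing to specific people and review content"
    return "review content before it stays public"


def scan_public_items(items):
    """Return findings for items that are publicly accessible and contain FCI indicators."""
    findings = []
    for item in items:
        if item["sharing"] not in PUBLIC_SHARING:
            continue                     # not publicly accessible; out of this practice's reach
        indicators = find_indicators(item["text"])
        if not indicators:
            continue
        findings.append({"location": item["location"], "sharing": item["sharing"],
                         "indicators": indicators,
                         "action": recommended_action(item["sharing"], indicators)})
    return findings


if __name__ == "__main__":
    for f in scan_public_items(PUBLIC_ITEMS):
        print(f"{f['location']} [{f['sharing']}]")
        for kind, value in f["indicators"]:
            print(f"    {kind}: {value}")
        print(f"    action: {f['action']}")
```

A finding here is the trigger for the incident-style follow-up the checklist implies: take the item down, record who published it and how, and fix the approval step that let it through.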
Verification Checklist
System Awareness
❑ All publicly accessible systems are identified and documented
❑ Permissions to upload or publish content are restricted and reviewed
Data Controls
❑ A policy prohibits posting FCI on public platforms
❑ Shared links to documents are set to private or limited access
❑ Public-facing documents are reviewed before posting
Prevention & Monitoring
❑ Staff are trained on secure data handling and public sharing risks
❑ Public systems are periodically reviewed for accidental FCI exposure
❑ Tools or scans are used to detect publicly available sensitive information
Identification and Authentication
Identification and Authentication (IA) is a fundamental part of cybersecurity under the Cybersecurity Maturity Model Certification (CMMC) framework. It ensures that only authorized individuals and devices can access company systems and data. This means each user must have a unique login, and each system or process must be tied to an identifiable entity. By enforcing this requirement, organizations can track who is accessing what, when, and from where—critical for maintaining accountability and detecting unauthorized activity.
In practice, this includes assigning individual usernames and passwords, maintaining an inventory of approved devices, and ensuring system tasks (like backups or updates) are run under designated service accounts rather than shared or generic logins. For small businesses, this step lays the groundwork for more advanced security controls and greatly reduces the risk of unauthorized access—whether from internal misuse or external threats like phishing or malware. Implementing strong identification and authentication procedures is a practical and essential step toward protecting Federal Contract Information (FCI) and meeting CMMC Level 1 requirements.
IA. 3.5.1: Identify system users, processes acting on behalf of users, and devices.
Practice Explanation:
This requirement is all about knowing who (or what) is on your systems. You must be able to identify every user, device, and process that accesses your IT environment. That means every login should be tied to a specific person or authorized system process. No anonymous or shared access should be allowed.
This is the foundation for accountability—if you don’t know who accessed a system, you can’t track down problems or ensure only the right people (and devices) are connected.
Why it Matters?
Small businesses often overlook this, especially when people share accounts or connect personal devices to the network. But failing to properly identify users or devices creates major blind spots in your security.
• If you don’t know who’s logged in, you can’t enforce access rules.
• If a device is compromised, you need to know where it came from.
• If something breaks or is breached, you need to trace the source.
Identification is the first step to accountability and control.
Real-World Examples
• Individual logins only: Each employee has their own username and password, rather than sharing a generic account like “officeuser”.
• Device tracking: Laptops and workstations have asset tags or inventory records linked to employees.
• System processes: A scheduled backup job runs under a named service account, not a generic admin login.
• Multi-device access: A user logs in from a work laptop and a company-issued phone—both are identified and approved.
How to Implement It (Cookbook-Style Steps)
1. Create Unique User Accounts
• Make sure every employee, contractor, and admin has their own user ID.
• Avoid shared accounts wherever possible—each person should have traceable access.
2. Track and Approve Devices
• Maintain a list of approved company devices (laptops, desktops, phones). Record who each device is assigned to.
• Use basic tools like spreadsheets, or asset management software if available.
3. Use Login Credentials
• Require a username and password to access any system containing Federal Contract Information (FCI).
• Set up authentication for applications, cloud services, and email—no guest or public logins.
4. Identify System Processes
• For automated tasks (like backups or updates), use dedicated service accounts—don’t use personal admin logins.
• Document what each service account is for and restrict their permissions.
5. Disable Unused Accounts
• Immediately disable access for employees who leave or contractors whose work is finished.
• Review account lists regularly to remove unused or stale accounts.
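The account review in steps 1, 4 and 5 can be scripted once the account list is exported. The following is an added example, not the guide's own material: it runs over a constructed sample inventory and flags the problems the steps describe (generic logins like “officeuser”, departed people still enabled, stale accounts, undocumented service accounts). The 90-day stale threshold and the list of generic names are assumptions.

```python
"""Account review for IA 3.5.1: flag shared or generic logins, accounts of people
who have left but are still enabled, stale accounts, and service accounts with no
documented purpose or owner.

Added example, not from the Cyber Florida guide. The account list is constructed
sample data; in practice you would export the same fields from your directory
(for example Active Directory or Microsoft 365) and feed them to review_accounts().
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Login names that indicate a shared or generic account rather than a person
# ("officeuser" is the guide's own example). Assumed list; extend it for your environment.
GENERIC_NAMES = {"officeuser", "admin", "administrator", "guest", "shared", "frontdesk", "user"}

# Assumption: an enabled account with no login for this long is "stale" and should be reviewed.
STALE_AFTER_DAYS = 90


@dataclass
class Account:
    name: str
    kind: str                      # "user" or "service"
    owner: Optional[str]           # person responsible for the account, None if unknown
    enabled: bool
    last_login: Optional[date]     # None if the account has never logged in
    purpose: Optional[str] = None  # documented purpose (service accounts)
    employed: bool = True          # False once the person has left the company


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every problem found."""
    findings = []
    for a in accounts:
        if a.kind == "user" and (a.name.lower() in GENERIC_NAMES or a.owner is None):
            findings.append((a.name, "shared or generic login: give each person a unique ID"))
        if a.kind == "user" and a.enabled and not a.employed:
            findings.append((a.name, "former employee or contractor still enabled: disable it"))
        if a.enabled and a.last_login is not None:
            idle = (today - a.last_login).days
            if idle > STALE_AFTER_DAYS:
                findings.append((a.name, f"no login for {idle} days: stale, review or disable"))
        if a.kind == "service":
            if not a.purpose:
                findings.append((a.name, "service account with no documented purpose"))
            if a.owner is None:
                findings.append((a.name, "service account with no responsible owner"))
    return findings


# Constructed sample inventory for a small office.
TODAY = date(2025, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "user", "Jane Smith", True, date(2025, 6, 28)),
    Account("officeuser", "user", None, True, date(2025, 6, 29)),
    Account("bjones", "user", "Bob Jones", True, date(2025, 1, 15), employed=False),
    Account("svc-backup", "service", "IT lead", True, date(2025, 6, 29), purpose="Nightly backup job"),
    Account("svc-legacy", "service", None, True, None),
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name:12} {finding}")
```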
Verification Checklist
Users and Accounts
❑ Every system user has a unique ID or system identifier
❑ No shared or generic logins are in use
❑ Former employee accounts are disabled promptly
Devices
❑ All company devices are identified and tracked
❑ Each device is linked to a specific user or role
❑ Unauthorized devices are not allowed to connect
Processes
❑ System tasks use named service accounts
❑ Service account use is documented and reviewed
Authentication
❑ All logins require credentials (no anonymous access)
❑ Login logs are enabled for user and device activity tracking
IA. 3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
Practice Explanation:
This control ensures that no one—and nothing—can access your systems unless their identity has been confirmed. Authentication is the process of verifying that users, devices, or system processes are who they claim to be, typically after identification (like entering a username). It’s what prevents unauthorized users or rogue software from simply walking into your network.
Authentication can be as simple as a password, or more secure using multiple factors (like a phone notification or hardware token). For CMMC Level 1, at a minimum, you must require valid login credentials before granting access to any system that contains Federal Contract Information (FCI).
Why it Matters?
Real-World Examples
Just knowing who someone says they are isn’t enough—you must verify it. Weak or absent authentication is one of the easiest ways attackers gain access to systems, often through phishing or stolen credentials. If you don’t have strong authentication mechanisms in place, you’re leaving the door wide open to intruders.
Requiring authentication also helps prevent internal errors and misuse. If someone logs in as themselves (not a shared account), their actions are traceable. This accountability reduces risky behavior and makes it easier to detect unusual or malicious activity.
• Employees must enter a username and password before accessing email or cloud apps.
• A remote user logs in via VPN, which checks both their credentials and device certificate.
• Company servers require authentication before automated scripts can execute backups.
• A company-issued laptop must pass a device check before connecting to the internal network.
How to Implement It (Cookbook-Style Steps)
1. Require Login Credentials for All Users
• All systems with access to FCI must require a valid username and password.
• This includes cloud apps, file storage, VPNs, and any on-premises servers.
2. Avoid Anonymous or Shared Access
• Remove guest accounts or default logins.
• Assign every user a unique set of credentials.
3. Enforce Password Policies
• Require strong passwords (at least 8 characters, mix of letters/numbers/symbols).
• Avoid obvious or reused passwords (e.g., “Welcome123”).
• Use a password manager if needed to store and manage credentials securely.
4. Authenticate Devices and Processes
• Set up authentication for connected devices (e.g., certificate-based VPN access).
• Use named service accounts for system tasks—don’t allow unauthenticated scripts or apps.
5. Log Authentication Activity
• Turn on system logs for login attempts (successes and failures).
• Regularly review these logs for unusual access attempts.
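Reviewing login logs for “unusual access attempts” can be reduced to a couple of concrete patterns: many failures from one source in a short window, and a run of failures that ends in a success. The following added example (not from the guide) runs that check over constructed log lines in a made-up format; the thresholds and the line format are assumptions to adapt to your own system’s logs.

```python
"""Review of login logs for IA 3.5.2 step 5: find bursts of failed logins from one
source, and a burst of failures that ends in a success (the trace a guessed or
stolen password leaves behind), so they can be followed up.

Added example, not from the guide. The log format below is constructed
(timestamp, result, user, source); adapt LINE_RE to what your system actually
writes (Windows sign-in event exports, Linux auth.log, or a cloud sign-in report).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5              # assumption: this many failures inside WINDOW is worth a look
WINDOW = timedelta(minutes=10)
BURST_BEFORE_SUCCESS = 3        # assumption: failures right before a success that need follow-up


def parse_line(line):
    """Return a dict for a login line, or None for lines that are not logins."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "OK",
            "user": m["user"], "src": m["src"]}


def find_suspicious(lines):
    """Return (user, source, reason) tuples for activity that needs review."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        recent_fails = []  # timestamps of failures still inside the sliding window
        for e in evs:
            recent_fails = [t for t in recent_fails if e["ts"] - t <= WINDOW]
            if e["ok"]:
                if len(recent_fails) >= BURST_BEFORE_SUCCESS:
                    alerts.append((user, src,
                                   f"success after {len(recent_fails)} failures: confirm with the user"))
                recent_fails = []
            else:
                recent_fails.append(e["ts"])
                if len(recent_fails) == FAIL_THRESHOLD:
                    alerts.append((user, src, f"{FAIL_THRESHOLD} failed logins within {WINDOW}"))
    return alerts


# Constructed sample log: a normal typo by jsmith, a guessing burst against "admin",
# and three failures followed by a success for bjones.
SAMPLE_LOG = """\
2025-06-30T08:01:02 LOGIN OK user=jsmith src=10.0.0.12
2025-06-30T08:03:10 LOGIN FAIL user=jsmith src=10.0.0.12
2025-06-30T08:03:40 LOGIN OK user=jsmith src=10.0.0.12
2025-06-30T22:10:01 LOGIN FAIL user=admin src=203.0.113.7
2025-06-30T22:10:04 LOGIN FAIL user=admin src=203.0.113.7
2025-06-30T22:10:08 LOGIN FAIL user=admin src=203.0.113.7
2025-06-30T22:10:11 LOGIN FAIL user=admin src=203.0.113.7
2025-06-30T22:10:15 LOGIN FAIL user=admin src=203.0.113.7
2025-06-30T22:10:19 LOGIN FAIL user=admin src=203.0.113.7
2025-06-30T23:05:00 LOGIN FAIL user=bjones src=198.51.100.4
2025-06-30T23:05:20 LOGIN FAIL user=bjones src=198.51.100.4
2025-06-30T23:05:45 LOGIN FAIL user=bjones src=198.51.100.4
2025-06-30T23:06:02 LOGIN OK user=bjones src=198.51.100.4
not a login line
""".splitlines()

if __name__ == "__main__":
    for user, src, reason in find_suspicious(SAMPLE_LOG):
        print(f"{user:8} {src:15} {reason}")
```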
Verification Checklist
User Access
❑ All users must authenticate before accessing systems
❑ No anonymous or shared logins are used
❑ Passwords meet complexity and length requirements
Device/Process Access
❑ Devices are authenticated before connecting (e.g., VPN or certificates)
❑ Processes use service accounts with appropriate authentication
System Logging
❑ Login events are logged for auditing
❑ Failed login attempts are monitored and reviewed
Media Protection
Media Protection focuses on safeguarding physical and digital media that contain sensitive information, such as printed documents, USB drives, external hard drives, or backup tapes. Even at CMMC Level 1, where the scope is limited to protecting Federal Contract Information (FCI), it’s essential to control who can access, move, or dispose of that media. Small businesses must ensure that any storage device or printed material with FCI is properly labeled, securely stored, and handled with care—especially when transported or discarded. Protecting media prevents unauthorized disclosure, loss, or theft of information, whether it’s on a laptop hard drive or a stack of printed reports left in a shared workspace.
MP. 3.8.3: Sanitize or destroy system media containing Federal Contract Information before disposal or release for reuse.
Practice Explanation:
This requirement is about making sure that sensitive data doesn’t leave your control by accident. When you’re disposing of or reusing any kind of media—like old laptops, USB drives, hard disks, CDs, or printed documents—you must either sanitize (securely erase) the data or destroy the media entirely. This ensures that Federal Contract Information (FCI) can’t be recovered by someone who shouldn’t have access.
For reuse, this might mean wiping a hard drive before reassigning a laptop to a new employee. For disposal, it could mean physically destroying a failed hard drive or shredding printed documents.
Why it Matters?
Improperly discarded media is a goldmine for hackers, identity thieves, or even competitors. Simply deleting files or putting devices in the trash isn’t enough—data can often be recovered with basic tools. By securely erasing or destroying media before it’s thrown out or repurposed, you prevent FCI from leaking outside your organization.
This control is especially important for small businesses that rely on shared workstations, cloud backups, or frequent hardware replacements. One forgotten flash drive can turn into a data breach.
Real-World Examples
• An old company laptop is sanitized using disk-wiping software before being donated or recycled.
• A broken USB drive that once stored FCI is physically destroyed before disposal.
• Printed project documents are shredded after a contract ends.
• A cloud virtual machine is decommissioned, and its storage volumes are securely wiped by the provider.
How to Implement It (Cookbook-Style Steps)
1. Identify Media That Stores FCI
• Make a list of where FCI could be stored: hard drives, USBs, CDs, printed docs, cloud storage.
• Include employee devices if they’re used to store or process FCI.
2. Use Secure Erasure Tools
• For reuse: use software like DBAN (Darik’s Boot and Nuke), BitLocker “full wipe” options, or manufacturer utilities to wipe drives.
3. Physically Destroy Unneeded Media
• Use shredders, degaussers, or drill presses for drives.
• Shred printed materials—don’t just recycle them.
4. Set a Reuse/Disposal Policy
• Create a short written policy that says FCI-related media must be wiped or destroyed before reuse/disposal.
• Make this part of your offboarding process for hardware and personnel.
5. Train Staff
• Teach employees to never throw away old USB drives, computers, or papers without proper destruction or approval.
• Post a checklist or signage near disposal/recycling areas as a reminder.
Verification Checklist
Inventory & Tracking
❑ Media that contains or once contained FCI is tracked or identifiable
❑ Employees understand what qualifies as sensitive media
Sanitization/Destruction Procedures
❑ Secure erasure tools are used for reuse or repurposing
❑ Physical destruction is used for broken or end-of-life media
❑ Paper documents are shredded or securely destroyed
Policy & Awareness
❑ A media disposal and reuse policy exists and is communicated
❑ Staff are trained not to discard media with FCI casually
❑ Destruction is logged or verified when possible
Physical Protection
The Physical Protection domain is all about safeguarding your physical spaces—offices, data closets, and any location where sensitive information (like Federal Contract Information, or FCI) is stored or processed. This means controlling who can enter your facilities, access hardware, or handle devices that may hold sensitive data. Even the best cybersecurity measures can be bypassed if someone can simply walk in and steal a laptop or access an unlocked server.
At CMMC Level 1, physical protection doesn’t require high-tech security systems—basic, common-sense protections go a long way. Lock doors to areas with sensitive systems, use cable locks or cabinets for equipment, and restrict access to only those who need it. For many small businesses, applying simple controls like visitor sign-ins, employee badges, or keeping portable devices secured
PE. 3.10.1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Practice Explanation:
This requirement focuses on keeping unauthorized people away from your sensitive systems and equipment. It’s not about cybersecurity settings—it’s about doors, locks, keys, and access control in the real world. You need to ensure that only authorized personnel can physically access areas where organizational systems are stored or operated—this includes offices, server rooms, networking closets, or even storage cabinets that hold devices with Federal Contract Information (FCI).
At a minimum, this means locking doors, keeping equipment in secure areas, and tracking who is allowed access. It also includes securing devices like laptops or portable drives that might otherwise be easy targets.
Why it Matters?
All the firewalls and antivirus software in the world won’t stop someone from walking off with a laptop or plugging a malicious device into your network if they can just walk into your office. Physical access can allow attackers to bypass logical controls, steal data, or disrupt operations. Even innocent mistakes—like a visitor using an unlocked workstation—can cause damage.
For small businesses with limited resources, this is often a weak point—but the good news is, basic physical safeguards are usually easy and low-cost to implement.
Real-World Examples
• An office locks its server closet, and only the IT lead has the key.
• A visitor must sign in at the front desk and wear a badge while on site.
• Company laptops are locked in a cabinet after hours.
• A security camera monitors the building entrance, and only employees with badges can enter.
• Shared coworking spaces include physical safeguards like secure lockers and limited room access.
How to Implement It (Cookbook-Style Steps)
1. Identify Areas and Equipment That Require Protection
• List locations: offices, server rooms, IT closets, employee workstations, etc.
• Identify devices: laptops, desktops, switches, routers, external drives.
2. Restrict Access to Authorized Individuals
• Lock doors to sensitive areas. Use keys, keycards, numeric keypads, or other barriers to control entry.
• Label rooms or cabinets clearly if access is restricted.
3. Control and Monitor Visitors
• Require visitors to sign in and be escorted while on premises.
• Keep a simple visitor log with time in/out and person visited.
• Use badges or stickers to identify non-employees.
4. Secure Equipment
• Lock laptops in drawers or secure cabinets when not in use.
• Use cable locks for computers in public or shared areas.
• Avoid leaving portable drives or devices unattended.
5. Train Employees
• Make sure staff understand not to let unknown people “tailgate” into secure areas.
• Train employees to report suspicious behavior or unauthorized access attempts.
Verification Checklist
Access Controls
❑ Doors to sensitive areas (server rooms, IT closets) are locked
❑ Only authorized personnel can access systems and equipment
❑ Shared or coworking spaces have additional physical protections
Visitor Management
❑ Visitors are logged and supervised
❑ Badges or identifiers are used for non-staff
❑ Physical access is not granted without approval
Device Security
❑ Portable systems (laptops, USBs) are stored securely when not in use
❑ Workstations in open areas are secured when unattended
❑ Cable locks or locked storage are used where applicable
Awareness
❑ Employees are trained to recognize and prevent unauthorized physical access
❑ There is a clear policy for physical security responsibilities
PE. 3.10.3: Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
Practice Explanation
This requirement is about having a controlled, accountable process for managing visitors and the devices or methods used to grant physical access (like keys, keycards, or door codes). You need to ensure that visitors are not left unsupervised, that their comings and goings are recorded, and that access tools are tracked and managed. In other words, don’t just let someone walk into your facility, wander around unescorted, and then leave without a trace.
Even for small businesses, this can be done in a simple and effective way—with a visitor log sheet, ID badges or stickers, and someone responsible for supervision and access control.
Why it Matters?
Unsupervised or unlogged visitors represent a major risk. Whether it’s a vendor, customer, or delivery person, anyone without a legitimate reason to be in your workspace should be escorted and their presence tracked. Failing to do so can lead to accidental exposure of sensitive data or intentional theft or sabotage.
Also, tools like keys, door badges, or codes need to be assigned, tracked, and revoked when people leave the company or change roles—just like user accounts.
Real-World Examples
• A visitor signs in at reception, wears a badge, and is accompanied by an employee during their visit.
• A logbook or electronic visitor log records names, times, and purpose of visits.
• Physical keys to server rooms are signed out and logged.
• A former employee’s building keycard is disabled immediately after departure.
• An office uses a basic keypad lock and changes the code regularly or when staff leave.
How to Implement It (Cookbook-Style Steps)
1. Create a Visitor Sign-In Process
• Use a physical sign-in sheet or electronic log.
• Record visitor name, company, reason for visit, time in/out, and host.
• Assign badges or stickers to visually mark visitors.
2. Escort All Visitors
• Require that visitors be accompanied at all times.
• Make employees responsible for supervising guests they invite.
3. Monitor and Review Visitor Logs
• Keep logs for a reasonable period (e.g., 90 days or more).
• Periodically review logs to check for unusual or unapproved access.
4. Control Access Devices
• Maintain a list of who has keys, fobs, access cards, or door codes.
• Assign them only to authorized personnel.
• Recover or deactivate access devices when employees leave or no longer need access.
5. Train Staff
• Ensure employees know the visitor policy.
• Make it clear they’re responsible for anyone they bring into secure areas.
• Post signage if needed: “All visitors must sign in and be escorted.”
Verification Checklist
Visitor Management
❑ A sign-in/out log is maintained and reviewed periodically
❑ Visitors are clearly identified (badges, stickers)
❑ Visitors are always escorted by authorized personnel
Access Device Control
❑ Physical access devices (keys, cards, codes) are tracked
❑ Access is removed when no longer needed (employee leaves, role changes)
❑ A record of access device assignments exists
Awareness
❑ Staff are trained on the visitor policy and access control procedures
❑ Clear signage reinforces visitor escort and sign-in requirements
❑ Policy includes how long visitor logs and access records are retained
System and Communications Protection (SC)
The System and Communications Protection domain is focused on making sure that data stays safe while it’s moving. This applies whether you’re sending an email, uploading a file, accessing a website, or using a remote connection. The goal is to protect the confidentiality and integrity of information as it travels across networks—especially when that data includes Federal Contract Information (FCI).
At CMMC Level 1, SC includes basic protections, such as ensuring that information sent across the internet or between systems is encrypted, and that external connections are secure. It doesn’t require full-blown network segmentation or deep packet inspection—just that common-sense, widely available tools (like HTTPS, VPNs, and email encryption) are being used.
SC. 3.14.3: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Practice Explanation: This requirement is about protecting the “edges” of your network where your internal systems connect to the outside world (like the internet) or to less secure parts of your own environment. It means having some way to monitor, filter, and secure data as it flows in and out of your network, and possibly between key internal systems as well.
In practical terms for a small business, this typically means using a firewall, ensuring you’re only allowing authorized traffic, and encrypting communications where needed (like HTTPS, VPNs, or secure email). You don’t need a complex security operations center—just a clear process to guard and watch how data moves across your network’s boundaries.
Why it Matters?
Unmonitored communication channels are one of the biggest attack surfaces in any organization. If you don’t know what’s going in or out of your network, or if your data is moving without protection, attackers can snoop, steal, or tamper with it.
For example, malware can sneak in through unfiltered internet traffic, or sensitive files could be sent unencrypted over public networks. This control helps you lock down your digital borders, which is critical for keeping Federal Contract Information (FCI) secure.
Real-World Examples
• A business uses a firewall to allow only certain types of traffic (e.g., web, email) and blocks everything else.
• Email systems are configured to use encryption when sending sensitive information.
• Remote employees access company resources using a secure VPN.
• The company uses HTTPS for all internal web-based tools, even those not exposed to the internet.
• An alert is generated if an unknown device tries to connect to the network.
How to Implement It (Cookbook-Style Steps)
1. Deploy and Configure a Firewall
• Install a commercial or business-grade firewall between your internal network and the internet.
• Block all inbound traffic by default and allow only approved services (e.g., HTTPS, VPN).
• Set rules to prevent unauthorized outbound traffic (like malware calling home).
2. Use Secure Communication Protocols
• Ensure your website and internal tools use HTTPS
• Use email encryption tools (like TLS) to protect messages containing FCI.
3. Protect Remote Access
• Require employees to use a VPN or other secure channel when accessing your systems remotely.
• Disable port forwarding or public access to internal systems unless absolutely necessary.
4. Monitor Network Traffic
• Use firewall logging to track incoming and outgoing connections.
• Review logs periodically for unusual traffic or access attempts.
5. Segment Key Internal Systems (if possible)
• If feasible, place sensitive systems (like file servers or accounting) in separate VLANs or zones.
• Use internal firewalls or access control lists to restrict communication between zones.
Verification Checklist
Boundary Protection
❑ A firewall is installed and actively filtering traffic
❑ Inbound and outbound rules restrict access to only necessary services
❑ Logs are enabled to monitor external communication
Secure Communication
❑ All external-facing websites use HTTPS
❑ Sensitive email communications are encrypted
❑ VPN is required for remote access
Monitoring and Review
❑ Firewall logs are reviewed regularly
❑ Alerts or notifications are set for suspicious traffic
❑ Communication policies are documented and followed
SC.L1-3.14.5: PUBLIC-ACCESS SYSTEM SEPARATION [FCI DATA]: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Practice Explanation:
This requirement means that any systems you expose to the public (like websites, online portals, or mail servers) should not be placed directly on your internal network where sensitive business systems and Federal Contract Information (FCI) are stored. Instead, these public-facing systems should live in a separate network segment, sometimes called a demilitarized zone (DMZ) or perimeter network.
The separation can be physical (e.g., separate hardware and switches) or logical (e.g., VLANs and firewall rules). The key idea is to limit risk: if a public-facing system is compromised, it shouldn’t give an attacker a direct line into your internal business systems.
Why it Matters?
Public-facing systems are prime targets for attackers because they’re accessible 24/7 from anywhere. If your email server or web portal lives on the same network as your internal file server, a compromise on one could quickly spread to the other.
By separating them, even if a public system is attacked, the attacker can’t easily reach sensitive internal systems—you’ve contained the blast radius. This is a fundamental security principle: segmentation limits exposure.
Real-World Examples
• A company hosts its website on a cloud server that’s not connected to its internal office network.
• A business email server in a DMZ is separated by a firewall that only allows limited access to internal systems.
• A small company uses VLANs to keep its customer web portal isolated from its internal ERP system.
• A firewall rule allows public access to a web app but blocks all other inbound traffic to internal devices.
How to Implement It (Cookbook-Style Steps)
1. Identify Public-Facing Systems
• Make a list of systems that are accessible from the internet (e.g., web servers, email servers, file transfer services).
• Include cloud-hosted services you manage directly (not third-party SaaS).
2. Segment These Systems
• Place public systems in a separate network zone, either physically (e.g., different switch/router) or logically (e.g., VLAN).
• Use your firewall to strictly control traffic between public systems and internal systems.
3. Use Firewalls or Routers to Enforce Separation
• Configure rules so public systems can’t initiate connections to internal resources unless absolutely necessary.
• Log and monitor any allowed traffic for anomalies.
4. Avoid Storing FCI on Public Systems
• Never store Federal Contract Information directly on a public-facing system.
• If interaction with FCI is needed (e.g., for file uploads), route it through secure, segmented infrastructure.
5. Document Your Network Architecture
• Maintain a simple diagram showing your segmented networks and where public systems live.
• Include descriptions of firewall rules and access control between zones.
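The firewall rules called for in the SC 3.14.3 steps (default-deny inbound, only approved services, restricted outbound, no port forwarding to internal systems) and the DMZ separation in the SC 3.14.5 steps above can be checked against a written policy before the ruleset goes live. The following is an added example, not from the guide and not any vendor’s rule syntax: it models an ordered first-match ruleset with a default deny, puts a weak ruleset beside a corrected one, and reports which of the guide’s requirements each one fails. Zone names, ports and the database path from the DMZ are assumptions.

```python
"""Firewall policy checker for the boundary rules in SC 3.14.3 and the
public/internal separation in SC 3.14.5.

Added example, not from the guide and not any vendor's syntax. A rule set is an
ordered list of Rule entries; the first matching rule wins and any flow that
matches nothing is denied, which is how most firewalls behave. check_policy()
tests a rule set against the guide's requirements using constructed flows.
Zones ("internet", "dmz", "internal") and port numbers are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or ANY
    port: Union[int, str]      # destination port or ANY
    action: str                # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone in (ANY, flow.src_zone)
            and rule.dst_zone in (ANY, flow.dst_zone)
            and rule.proto in (ANY, flow.proto)
            and rule.port in (ANY, flow.port))


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means deny (default-deny)."""
    for r in rules:
        if _matches(r, flow):
            return r.action
    return "deny"


# Requirements from the guide's steps, written as flows that must be denied or allowed.
MUST_DENY: List[Tuple[Flow, str]] = [
    (Flow("internet", "internal", "tcp", 445), "internet reaches internal file sharing"),
    (Flow("internet", "internal", "tcp", 3389), "port forwarding exposes internal remote desktop"),
    (Flow("internet", "dmz", "tcp", 22), "internet reaches an unpublished service on the web server"),
    (Flow("dmz", "internal", "tcp", 445), "public web server can initiate file sharing to internal"),
    (Flow("dmz", "internal", "tcp", 3389), "public web server can initiate remote desktop to internal"),
    (Flow("internal", "internet", "tcp", 4444), "unrestricted outbound (malware calling home)"),
]
MUST_ALLOW: List[Tuple[Flow, str]] = [
    (Flow("internet", "dmz", "tcp", 443), "customers reach the public web app over HTTPS"),
    (Flow("internet", "dmz", "udp", 1194), "remote staff reach the VPN gateway (assumed to sit in the DMZ)"),
    (Flow("internal", "internet", "tcp", 443), "staff can use HTTPS services on the internet"),
]


def check_policy(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the rule set meets every check."""
    findings = []
    for flow, why in MUST_DENY:
        if decide(rules, flow) != "deny":
            findings.append(f"should be denied: {why} "
                            f"({flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.port})")
    for flow, why in MUST_ALLOW:
        if decide(rules, flow) != "allow":
            findings.append(f"should be allowed: {why} "
                            f"({flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.port})")
    return findings


# Weak rule set: RDP forwarded to the office, DMZ treated like the office, any outbound.
WEAK_RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "udp", 1194, "allow"),
    Rule("internet", "internal", "tcp", 3389, "allow"),   # port forwarding to an internal PC
    Rule("dmz", "internal", ANY, ANY, "allow"),           # no separation between zones
    Rule("internal", ANY, ANY, ANY, "allow"),             # unrestricted outbound
]

# Corrected rule set: only published services inbound, the DMZ may reach one
# internal path (assumed database for the web app, to be logged), outbound limited.
HARDENED_RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "udp", 1194, "allow"),
    Rule("dmz", "internal", "tcp", 5432, "allow"),       # assumed web-app database; log this path
    Rule("dmz", "internal", ANY, ANY, "deny"),
    Rule("internal", "internet", "tcp", 443, "allow"),
    Rule("internal", "internet", "udp", 53, "allow"),
    Rule("internal", "dmz", "tcp", 443, "allow"),
    # everything else falls through to the default deny
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {check_policy(rules) or ['no findings']}")
```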
Verification Checklist
Identification
❑ All publicly accessible systems are identified
❑ Public systems are evaluated for potential FCI exposure
Segmentation
❑ Public systems are placed in separate physical or logical networks
❑ Firewalls or routers enforce strict access rules between zones
❑ Internal systems are not directly accessible from the internet
Control & Monitoring
❑ Traffic between networks is logged and reviewed
❑ No unnecessary ports or services are exposed
❑ Segmentation architecture is documented and up to date
System and Information Integrity (SI)
The System and Information Integrity (SI) domain in CMMC Level 1 focuses on keeping your organization’s systems secure, updated, and free from harmful threats. It covers four key practices: identifying and fixing known flaws in a timely manner, using antivirus or antimalware tools to protect against malicious code, ensuring those protections are regularly updated, and performing both real-time and periodic system scans to detect harmful files. The goal of SI is to maintain the health and integrity of your systems, reducing the risk of cyberattacks or data breaches caused by outdated software, unpatched vulnerabilities, or undetected malware. These are foundational safeguards that every organization handling Federal Contract Information (FCI) should have in place to ensure a clean, secure computing environment.
SI.L1-3.14.1: FLAW REMEDIATION [FCI DATA]: Identify, report, and correct information and information system flaws in a timely manner.
Practice Explanation:
This control is about keeping your systems updated, patched, and secure. As soon as flaws (also called vulnerabilities) are discovered in software or hardware, vendors usually release updates or patches to fix them. Your responsibility is to make sure those flaws are identified, reported, and corrected quickly—especially if they could affect the confidentiality of Federal Contract Information (FCI).
You don’t need to run a complex vulnerability management program, but you do need a basic, repeatable process for making sure updates are applied and known issues don’t go ignored.
Why it Matters?
Most successful cyberattacks don’t rely on high-level tricks—they exploit known vulnerabilities that haven’t been patched. Something as simple as an outdated operating system, browser, or third-party plugin can give attackers a way in. Keeping systems up to date is one of the easiest and most effective ways to reduce your exposure to threats.
For small businesses, where a single unpatched workstation could compromise the entire environment, flaw remediation is an essential security foundation.
Real-World Examples
• A company installs monthly operating system and software updates on all computers.
• An employee reports a bug in a third-party app; IT checks with the vendor and installs the latest patch.
• Automatic updates are enabled for common tools like browsers and antivirus software.
• A system scan reveals outdated firmware on a firewall, and it’s updated during the next maintenance window.
How to Implement It (Cookbook-Style Steps)
1. Track Systems and Software
• Maintain a list of key systems and software (OS, browsers, business apps).
• Include who manages each system or device.
2. Enable Automatic Updates
• Turn on automatic updates where possible for Windows, macOS, browsers, and antivirus.
• For third-party software, check for update settings or schedule periodic manual checks.
3. Monitor for Security Alerts
• Subscribe to vendor or product email alerts (e.g., Microsoft, Apple, Adobe).
• Monitor U.S. government sources like CISA or US-CERT if you have internal IT staff.
4. Patch Regularly
• Apply critical security updates as soon as possible—ideally within a few days.
• For non-critical updates, patch monthly or during scheduled maintenance.
5. Document the Process
• Create a simple update log: date, system, patch, and who applied it.
• Set calendar reminders or automate where possible.
6. Train Staff to Report Issues
• Teach employees to report strange behavior (e.g., crashes, pop-ups) as possible flaws.
• Have a point person or process to review and investigate these reports.
Verification Checklist
❑ Systems and software with FCI access are inventoried
❑ Responsible parties are assigned to manage updates
Remediation
❑ Security patches are applied in a timely manner
❑ Automatic updates are enabled where available
❑ Manual updates are tracked and documented
Monitoring
❑ Vendor alerts or newsletters are monitored
❑ Known flaws are reviewed and addressed promptly
❑ Reports of system issues are investigated
Awareness
❑ Staff know how to report suspicious or buggy behavior
❑ Update policy or checklist is in place and followed
SI.L1-3.14.2 – MALICIOUS CODE PROTECTION [FCI DATA]: Provide protection from malicious code at appropriate locations within organizational information systems.
Practice Explanation:
This requirement is about defending your systems from malicious code—things like viruses, worms, spyware, trojans, and ransomware. You need to have protections in place that can detect, block, and remove malicious code where it might enter or run in your environment.
For most small businesses, this means having antivirus or anti-malware software installed and active on all systems, especially where Federal Contract Information (FCI) is accessed or stored. It also includes keeping that protection up to date and making sure it’s actually working.
Why it Matters?
Malicious code is one of the most common and dangerous threats facing organizations of all sizes. It can be introduced through emails, websites, USB drives, downloads, or even software updates. Once inside, it can steal data, disrupt operations, or spread across systems quickly.
By placing protections at the right points—on devices, servers, and even email systems—you significantly reduce your risk of compromise. Malicious code protection is a basic but critical layer of defense for any organization handling FCI.
Real-World Examples
• Company laptops have Microsoft Defender or a third-party antivirus that scans in real time and checks downloaded files.
• Email is filtered for malware before it ever reaches users (e.g., via Microsoft 365 or Google Workspace protections).
• USB ports are restricted or scanned when new devices are plugged in.
• Regular antivirus scans are scheduled, and alerts are monitored by IT.
How to Implement It (Cookbook-Style Steps)
1. Install Antivirus/Antimalware Software
• Deploy reputable antivirus software on all laptops, desktops, and servers.
• Windows Defender (built into Windows 10/11) is acceptable if properly configured and updated.
2. Enable Real-Time Protection
• Make sure real-time scanning is turned on so files are checked when opened, downloaded, or executed. Don’t rely on periodic scans alone.
3. Keep Definitions and Software Updated
• Enable automatic updates for malware definitions and scanning engines.
• Check regularly that systems are receiving and applying updates.
4. Scan Removable Media
• Configure antivirus to automatically scan USB drives or external devices when connected. Restrict use of unauthorized USBs where possible.
5. Filter Malware at the Network Level
• Use email filtering (e.g., Microsoft Defender for Office 365 or Google’s built-in protections) to block malware-laden attachments or links.
• Enable safe browsing protections on company browsers.
6. Respond to Detections
• Make sure alerts are visible and acted upon.
• Document steps taken if malware is found (quarantine, removal, system reimage).
Verification Checklist
Endpoint Protection
❑ Antivirus software is installed on all workstations and servers
❑ Real-time protection is enabled and functional
❑ Malware definitions and software are kept up to date
Peripheral Protection
❑ Removable devices (USBs) are scanned automatically
❑ Use of unauthorized devices is restricted or monitored
Network/Email Filtering
❑ Email services scan for malware before delivery
❑ Malicious websites and downloads are blocked or warned
Response
❑ Malware alerts are monitored and acted upon.
❑ Infections are logged and resolved with clear procedures.
❑ Employees know how to report suspicious files or behavior.
SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION [FCI DATA]: Update malicious code protection mechanisms when new releases are available.
Practice Explanation:
This control ensures that your malicious code protection tools—like antivirus or anti-malware software—are kept current and effective. It’s not enough to just install protection once; you have to keep it updated so it can defend against new and evolving threats. Updates typically include:
• New malware signatures to detect emerging threats
• Software updates to fix vulnerabilities or improve performance
• Engine upgrades to enhance scanning and detection
This requirement is about setting up a routine or automated process to make sure these updates happen promptly and consistently.
Why it Matters?
Malware evolves constantly. If your antivirus definitions or engines are outdated, they won’t recognize new threats, leaving you exposed. Cybercriminals are always finding new ways to bypass defenses, and software vendors respond with updates—but only if you apply them.
For small businesses, relying on “set it and forget it” antivirus is a mistake unless it’s set to automatically update. An outdated security tool can be worse than none at all because it gives a false sense of safety.
Real-World Examples
• A third-party antivirus tool pushes out a critical detection engine upgrade, which is automatically installed across the company’s devices.
• An IT administrator reviews update logs weekly to confirm all endpoints are current.
• Antivirus alerts an administrator when it hasn’t been updated for more than 24 hours.
How to Implement It (Cookbook-Style Steps)
1. Enable Automatic Updates
• Configure antivirus/anti-malware software to automatically download and install updates for signatures and software patches.
• Ensure the setting is active on all endpoints—desktops, laptops, and servers.
2. Verify Update Frequency
• Check how often updates occur (many tools push updates daily or hourly).
• Validate that definitions and scanning engines are being refreshed automatically.
3. Monitor Update Status
• Use your antivirus console (if available) to review update status across devices. For standalone systems, spot-check update logs or use built-in tools (e.g., Windows Security Center).
4. Manually Update When Needed
• If automatic updates fail or are disabled (e.g., due to travel or no internet), update manually.
• Train staff on how to trigger manual updates when prompted.
5. Document and Automate Checks
• Keep a record or checklist to confirm update mechanisms are in place and functioning.
Verification Checklist
Automatic Updates
❑ Antivirus is configured to automatically update malware definitions and engines
❑ Update settings are verified on all FCI-relevant systems
Monitoring
❑ Update status is reviewed regularly (weekly or more often)
❑ Systems that fall behind are identified and fixed
Manual Intervention
❑ Manual update instructions are available to users when needed
❑ Alerts or notifications prompt users when updates are overdue
Documentation
❑ There is a documented procedure for ensuring updates are applied
❑ Staff responsible for monitoring updates are clearly identified
SI.L1-3.14.5 – SYSTEM & FILE SCANNING [FCI DATA]: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Practice Explanation:
This control requires you to actively scan your systems and files for signs of malicious code—both on a schedule and in real time. Periodic system scans look for dormant or hidden threats, while real-time scanning inspects files as they are downloaded, opened, or executed, which helps block threats before they can run.
This is one of the core functions of antivirus/antimalware software, and most modern solutions include both scan types. Your job is to make sure these scans are turned on, run regularly, and cover all relevant devices that store or access Federal Contract Information (FCI).
Why it Matters?
Real-time scanning is your first line of defense—it catches threats as they happen, like when an employee clicks a malicious email attachment or opens a compromised USB drive. Periodic scanning acts as a second layer, helping you find malware that may have slipped past initial defenses or has been lying dormant.
Together, these two scanning methods help ensure your systems stay clean and protected, even if a threat sneaks in. Failing to scan consistently can leave malware undetected for weeks or months— plenty of time for it to do serious damage.
Real-World Examples
• Antivirus runs a full system scan every Sunday night on all company laptops.
• A file downloaded from the internet is automatically scanned before being saved to disk.
• An email attachment is blocked by the antivirus software before it can open.
• A company server is configured to scan USB devices upon insertion.
How to Implement It (Cookbook-Style Steps)
1. Enable Real-Time Scanning
• Verify your antivirus or anti-malware software has real-time protection turned on.
• Make sure it scans files when they’re downloaded, opened, or executed—especially from:
• Web downloads
• Removable media (e.g., USB drives)
2. Schedule Regular Full-System Scans
• Set up weekly or daily scans, depending on your organization’s risk profile.
• Ensure full scans cover all drives and file types.
3. Verify Scan Results and Alerts
• Check that completed scans are logged and results are visible to admins or users. Ensure alerts are triggered if malware is found and that there’s a follow-up process.
4. Apply to All FCI-Handling Systems
• This includes desktops, laptops, file servers, and any portable devices used to store or process FCI.
• Ensure new systems are enrolled in your scanning process upon setup.
5. Train Users
• Let employees know that their devices are scanned regularly.
• Teach them to avoid disabling real-time protection or ignoring scan alerts.
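A single Defender check that covers the implementation steps for SI.L1-3.14.2, SI.L1-3.14.4 and SI.L1-3.14.5 above, as an added PowerShell example that is not part of the Cyber Florida guide: it reads the live state of Microsoft Defender on one Windows 10/11 host, records PASS/FAIL for real-time protection, removable-drive scanning, signature age, scheduled full scans and recent detections, and saves the findings as a CSV artifact for the verification checklists. The 24-hour signature age follows this guide's own example; the 7-day full-scan age and the evidence folder are assumptions.

```powershell
# Added example, not from the Cyber Florida guide: Defender compliance check
# for SI.L1-3.14.2 / 3.14.4 / 3.14.5 on one Windows 10/11 host.
# Run from an elevated PowerShell prompt.
# Assumptions: 7-day full-scan age and the evidence folder are placeholders;
# the 24-hour signature age is taken from the guide's example.

$SignatureMaxAgeHours = 24
$FullScanMaxAgeDays   = 7
$EvidenceDir          = Join-Path $env:USERPROFILE 'Documents\CMMC-Evidence\SI'

$status   = Get-MpComputerStatus   # live state of the Defender engine
$pref     = Get-MpPreference       # configured settings
$now      = Get-Date
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Practice, [string]$Check, [bool]$Pass, [string]$Detail)
    $result = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{
        Practice = $Practice
        Check    = $Check
        Result   = $result
        Detail   = $Detail
        Host     = $env:COMPUTERNAME
        Checked  = $now.ToString('s')
    })
}

# --- SI.L1-3.14.2: protection is installed and inspects files as they are used ---
Add-Finding '3.14.2' 'Antivirus engine enabled' $status.AntivirusEnabled "AMServiceEnabled=$($status.AMServiceEnabled)"
Add-Finding '3.14.2' 'Real-time protection enabled' $status.RealTimeProtectionEnabled "OnAccessProtection=$($status.OnAccessProtectionEnabled)"
Add-Finding '3.14.2' 'Removable drives included in scans' (-not $pref.DisableRemovableDriveScanning) "DisableRemovableDriveScanning=$($pref.DisableRemovableDriveScanning)"

# --- SI.L1-3.14.4: definitions and engine have been refreshed recently ---
$sigAgeHours = [math]::Round(($now - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
Add-Finding '3.14.4' "Signatures updated within $SignatureMaxAgeHours h" ($sigAgeHours -le $SignatureMaxAgeHours) "Age=${sigAgeHours}h Version=$($status.AntivirusSignatureVersion) Engine=$($status.AMEngineVersion)"

# --- SI.L1-3.14.5: periodic full scans are scheduled and actually ran ---
# ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
# ScanParameters:  1 = quick scan, 2 = full scan.
$scheduled = ($pref.ScanScheduleDay -ne 8)
Add-Finding '3.14.5' 'Scheduled scan configured' $scheduled "ScanScheduleDay=$($pref.ScanScheduleDay) ScanParameters=$($pref.ScanParameters) Time=$($pref.ScanScheduleTime)"

if ($status.FullScanEndTime) {
    $fullAgeDays = [math]::Round(($now - $status.FullScanEndTime).TotalDays, 1)
    Add-Finding '3.14.5' "Full scan within $FullScanMaxAgeDays days" ($fullAgeDays -le $FullScanMaxAgeDays) "LastFullScan=$($status.FullScanEndTime)"
} else {
    Add-Finding '3.14.5' "Full scan within $FullScanMaxAgeDays days" $false 'No full scan has ever completed on this host'
}

# Detections from the last 30 days; the checklist wants these reviewed and resolved.
$recent     = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
                Where-Object { $_.InitialDetectionTime -gt $now.AddDays(-30) })
$unresolved = @($recent | Where-Object { -not $_.ActionSuccess })
Add-Finding '3.14.5' 'Detections in last 30 days resolved' ($unresolved.Count -eq 0) "Detections=$($recent.Count) Unresolved=$($unresolved.Count)"

# Show the result and keep a dated copy as evidence for the verification checklists.
$findings | Format-Table Practice, Check, Result, Detail -AutoSize
$null = New-Item -ItemType Directory -Force -Path $EvidenceDir
$csv  = Join-Path $EvidenceDir ("SI-3.14-{0}-{1}.csv" -f $env:COMPUTERNAME, $now.ToString('yyyyMMdd'))
$findings | Export-Csv -Path $csv -NoTypeInformation
$failed = @($findings | Where-Object Result -eq 'FAIL').Count
Write-Host "$failed check(s) failed. Evidence saved to $csv"
```

A FAIL on the scheduled-scan or full-scan rows usually means only the default quick scan is configured; the detail column shows the current ScanParameters value so the fix can be verified after it is changed.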
Verification Checklist
Real-Time Protection
❑ Antivirus software performs real-time scanning of downloaded, opened, and executed files
❑ Threats from email attachments, web content, or USB devices are detected before execution
Scheduled Scanning
❑ Full system scans are scheduled and run on a regular basis (e.g., weekly)
❑ Scan logs show when scans ran and whether any threats were detected
Monitoring and Alerts
❑ Scan results are reviewed or monitored by IT staff
❑ Detected threats trigger alerts and follow-up actions
Coverage
❑ All systems handling FCI are included in real-time and periodic scanning routines
Implementation Blueprints
While CMMC Level 1 does not explicitly require formal documentation or written policies, having supplemental policies and procedures in place greatly strengthens an organization’s ability to consistently meet and sustain compliance. These policies serve as internal guidance to ensure that security practices—such as limiting access, updating software, scanning for malware, or managing physical security—are applied uniformly across the organization. Supplemental policies also help during audits or self-assessments by demonstrating intent, accountability, and repeatability. For small businesses in particular, lightweight but clear policies act as guardrails that reduce human error and ensure that cybersecurity isn’t left to memory or best effort. Cyber Florida’s CMMC effort aims to provide a foundational building block for small businesses in Florida, so we will provide example templates where relevant.
Even though CMMC Level 1 doesn’t formally require a System Security Plan (SSP), maintaining one is considered a best practice—and it will be essential if your organization ever moves toward Level 2 or engages in DFARS 252.204-7012 contracts. An SSP documents your environment, the security controls you’ve implemented, and how you meet the CMMC requirements. It serves as a centralized reference for both internal use and external reviews, showing that your organization has thought through its security responsibilities and has a plan in place to protect Federal Contract Information (FCI). For small businesses, a well-written SSP doesn’t need to be long—it just needs to clearly describe what systems you have, who manages them, and how security is enforced. In the event of an incident, audit, or self-assessment, your SSP becomes your go-to document to explain and defend your security posture.
Note: an SSP is not formally required for a CMMC L1 assessment. Cyber Florida’s L2 CMMC Guide will teach you more about building an SSP.
Documentation and Evidence Collection
Even though CMMC Level 1 does not formally require extensive documentation, preparing and maintaining clear records during a self-assessment is strongly recommended. At a minimum, organizations should complete a self-assessment worksheet that maps each of the 15 required practices to how the control is implemented, who is responsible, and what systems or tools are used. A good way to document these is to create a folder structure in your file system with evidence for each security requirement. Please use the previous verification checklists as an outline for the different screenshots you can gather.
An Evidence Storage Plan outlines how an organization collects, organizes, and retains proof—often called “artifacts”—that demonstrate its implementation of CMMC Level 1 security practices. Although CMMC Level 1 does not require documentation, storing evidence in a centralized, secure, and well-structured way ensures you are prepared for internal reviews, external inquiries, or future audits. A solid plan defines where evidence is stored (e.g., a shared network drive, secure cloud folder, or compliance management tool), how files are labeled (e.g., by control ID or domain), and who is responsible for maintaining it. For example, a folder structure might include subfolders by CMMC domain (Access Control, Media Protection, etc.), with each containing screenshots, logs, inventories, or policies related to specific requirements. Access to this storage should be restricted to authorized personnel and backed up regularly. Establishing this plan not only strengthens your self-assessment process, but also creates a repeatable and defensible approach to compliance as requirements evolve.
Self-Assessment and Compliance Reporting
For your first step, you’re in luck: Cyber Florida offers a free Cyber Florida Risk Assessment, which will ask you a series of questions to prepare you for CMMC L1 readiness. This Cyber Risk Assessment is a comprehensive system breakdown that provides instant feedback on how you can improve your cyber hygiene. This is a FREE assessment offered by Cyber Florida, and it should be the first step in your race to achieve CMMC certification!
To perform a CMMC Level 1 self-assessment, an organization should begin by identifying the full scope of the environment that handles or stores Federal Contract Information (FCI)—this includes systems, users, devices, and physical locations. Once the scope is defined, the organization should evaluate itself against the 15 required practices, using the CMMC Level 1 Self-Assessment Guide or worksheet. For each practice, the assessor (often an internal IT or compliance lead) should determine whether the control is fully implemented, partially implemented, or not implemented, and provide a brief explanation of how the requirement is met. During this process, it’s important to collect supporting evidence such as screenshots, access control lists, scan logs, or policy documents to back up each claim. These should be organized clearly in a centralized evidence storage location.
Once all practices are reviewed, the organization calculates its self-assessment score (maximum of 15 points) and, if required by a contract or DFARS clause, submits the score to the Supplier Performance Risk System (SPRS) along with the date of assessment, CAGE code, and description of the assessment scope. To fully document the assessment, it is strongly recommended to create a simple System Security Plan (SSP) that outlines how the controls are implemented, and a record of who performed the assessment and when. While third-party certification is not required at Level 1, maintaining this documentation shows diligence, supports accountability, and ensures a repeatable process for annual reassessments or future CMMC maturity level increases.
In order to submit your self-assessment, you must first register an account with SPRS, which can be found here. After you have created an account, please follow the guide at this page: CMMC SPRS Submission guide
This will be your official proof of a CMMC L1 self-assessment.
Remember, your submission in SPRS is your proof of an L1 self-assessment.
Training and Awareness
Note: While training and awareness are not a formal requirement under CMMC Level 1, we’ve included this section to raise awareness and encourage healthy cyber hygiene practices. This content also supports Cyber Florida’s mission to help small businesses across the state strengthen their security posture using free, accessible resources. We highly recommend reviewing this section as a proactive step toward building a more cyber-resilient organization.
Employee cybersecurity training is one of the most cost-effective and impactful ways to reduce risk—especially for small businesses handling Federal Contract Information (FCI). While CMMC Level 1 does not mandate formal training programs, it expects that staff understand and consistently apply basic cyber hygiene practices. Training helps ensure that employees become a human firewall, capable of recognizing and avoiding common threats that target user behavior.
If you just want to get CMMC L1 as fast as possible, you can skip over this next section; however, if your plan is to increase your cyber hygiene and move to CMMC L2, it is worth reading!
At a minimum, training should cover safe password practices, including the use of strong, unique passwords and the importance of never sharing credentials. Employees should understand the principle of least privilege, meaning they should only access systems or data necessary for their roles. Training should also explain how to recognize phishing emails, suspicious attachments, and social engineering tactics. Staff should know to report anything unusual and avoid clicking on unknown links or connecting unauthorized devices to company systems.
Additional training topics include the importance of locking screens when away, safely handling and disposing of printed documents, and reporting lost or stolen devices immediately. If your organization uses removable media (like USB drives), employees should be taught how to handle them securely, including scanning for malware and avoiding the use of unapproved devices. Even brief reminders about avoiding public Wi-Fi for work tasks and the safe use of VPNs when working remotely can go a long way.
Training doesn’t have to be complex. Short sessions, quick reference guides, posters, or periodic emails can reinforce good habits. The key is to build awareness and ensure that employees understand their role in protecting FCI—not just through technology, but through everyday behaviors.
Find free and low-cost cybersecurity training courses here: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content
Cybersecurity training should be conducted at least annually to ensure employees stay current on risks and continue practicing safe behaviors that protect Federal Contract Information (FCI). In addition to yearly sessions, refresher training should be provided when new threats emerge, policies change, or employees take on new roles involving sensitive data. To demonstrate compliance and accountability, organizations should track participation and maintain training records for each employee. A copy of the training completion certificate or sign-in sheet should be stored in the employee’s personnel or HR file, along with the date of completion and topics covered. These records serve as evidence during self-assessments or audits, and help reinforce a culture of security by showing that cybersecurity is taken seriously and applied consistently across the organization.
Maintenance and Continuous Monitoring
Continuous Monitoring and Updates:
Continuous monitoring is essential for maintaining a secure environment, even at CMMC Level 1. While you may not need advanced tools or real-time analytics, you should regularly check the status of your systems, user accounts, software updates, and antivirus protections to ensure they are functioning as expected. This can include reviewing firewall or antivirus logs, confirming backups ran successfully, or checking that user access hasn’t drifted beyond what’s necessary. Periodic review of security configurations helps detect unauthorized changes or potential vulnerabilities early, allowing for faster remediation. Keeping a simple monitoring schedule—weekly or monthly, depending on risk—is an effective way to stay proactive and prevent small issues from becoming serious incidents.
Annual Reassessment Checklist:
Performing a formal annual reassessment ensures that your organization is still meeting all 15 CMMC Level 1 practices and that no controls have slipped through the cracks. This process should involve reviewing your original self-assessment, revalidating how each control is implemented, checking that supporting evidence is current, and updating any documentation like your System Security Plan (SSP). The annual review is also a good time to ensure new systems or changes in personnel haven’t introduced gaps. A checklist can guide this process by walking through each domain (e.g., Access Control, Media Protection) and verifying implementation, responsibility, and associated artifacts. Documenting your reassessment and storing a dated copy strengthens accountability and demonstrates a commitment to continuous compliance.
Responding to Incidents:
Even with strong safeguards in place, incidents can still happen—whether it’s a phishing email clicked, a lost device, or an unusual login detected. Your team should be prepared to recognize, report, and respond to these events quickly. Having a basic incident response procedure helps minimize damage and ensures appropriate steps are taken. Employees should know how to report suspicious activity immediately, and someone in the organization should be designated to investigate and document the event. For CMMC Level 1, your response doesn’t need to be complex, but it should include collecting relevant details (what happened, when, who was affected), containing the issue, and taking corrective action. Keeping a simple incident log and reviewing incidents regularly can help identify patterns and improve your defenses over time.
Updating Systems and Procedures:
As technology, threats, and business needs evolve, it’s important to review and update your systems and procedures regularly. Software and hardware should be kept current through regular patching and vendor updates. Likewise, internal procedures—such as those for granting access, onboarding new staff, or managing removable media—should be reviewed to reflect how your organization actually operates today. Any changes to infrastructure, such as adding a new cloud service or moving office locations, should prompt a check to ensure existing security practices still apply. Updating your policies, SOPs, and documentation keeps your compliance posture aligned with reality and ensures that everyone is working from the most current guidance.
Conclusion
At first glance, this document may seem overwhelming, but there are a few critical points to keep in mind.
CMMC Level 1 (L1) primarily focuses on protecting Federal Contract Information (FCI). It is a self-assessment, meaning your organization is responsible for evaluating its own compliance with the requirements. Achieving CMMC L1 will not only strengthen your organization’s cybersecurity hygiene but can also serve as a foundation to enhance internal processes and procedures. Cyber Florida has developed a Risk Assessment Guide to help expedite this process, giving your organization a clearer understanding of its current security posture. Here is a quick checklist to help you summarize this guide:
To accomplish CMMC L1 and continue to do business with the DoD and federal agencies under DFARS and FAR requirements, these are the steps you’ll take:
1. Risk Assessment: Complete the Cyber Florida Risk Assessment to determine your security posture.
2. Identify Contractual Obligations: Determine your contractual requirements or plans for future contractual requirements.
3. Assess Resources and Capabilities: Determine the amount of effort your organization can support for CMMC. Evaluate internal staffing and expertise; engage external support if necessary.
4. Map System and Data Flow: Document your IT environment and identify where Federal Contract Information (FCI) resides.
5. Conduct a Gap Analysis: Compare your current practices against CMMC Level 1 requirements to identify deficiencies.
6. Implement Remediation Measures: Address and resolve any identified gaps or vulnerabilities.
7. Maintain Comprehensive Documentation: Record all actions, findings, and implemented controls for audit readiness.
8. Submit Your SPRS Score: File your Supplier Performance Risk System (SPRS) self-assessment report.
9. Pursue DoD Opportunities: Leverage compliance to compete for and secure Department of Defense contracts.
10. Plan for Ongoing Compliance: Schedule your next internal review (semi-yearly) and self-assessment (once a year) to ensure continued adherence.
In conclusion, CMMC L1 does not need to be overcomplicated; any organization willing to put in a few hours a week can achieve it in no time!
For More Information
Cyber Florida Risk Assessment
SPRS Cyber Reports
CMMC L1 Breakdown
Definitions
The following definitions are common security related terms.
Access — The ability and opportunity to obtain knowledge of classified information.
Adverse Information — Any information that adversely reflects on the integrity or character of a cleared employee, which suggests that his or her ability to safeguard classified information may be impaired or that his or her access to classified information clearly may not be in the interest of national security.
Authorized Person — A person who has a need-to-know for the classified information involved, and has been granted a personnel clearance at the required level.
Access Control — Rules and methods used to ensure only authorized users can access certain data, systems, or areas.
Antivirus Software — A program designed to detect, block, and remove malicious code such as viruses or ransomware.
Artifact — Documentation, screenshots, logs, or other evidence that show a security control is in place and working.
Audit Log — A record of events on a system, such as logins, changes, or access to data, used to track activity and detect misuse.
Authentication — The process of verifying a user’s identity—usually with a password, code, or secure login method.
Backup — A copy of data stored separately to protect against loss, corruption, or system failure.
Boundary Network — The dividing line between trusted internal networks and untrusted external networks, such as the internet.
Classified Contract — Any contract that requires, or will require, access to classified information by the contractor or its employees in the performance of the contract.
Classified Information — Official Government information which has been determined to require protection against unauthorized disclosure in the interest of national security.
Cleared Employees — All BLUE OBSIDIAN SOLUTIONS, INC. employees granted a personnel clearance or who are in process for a personnel clearance.
Closed/Open Area — An area that meets the requirements outlined in the 32 CFR 117 NISPOM RULE for safeguarding classified information that, because of its size, nature, and operational necessity, cannot be adequately protected by the normal safeguards, or stored during nonworking hours in approved containers.
Communication Security (COMSEC) — COMSEC refers to protective measures taken to deny unauthorized persons information derived from telecommunications of the U.S. Government relating to national security and to ensure the authenticity of such communications.
Compromise — An unauthorized disclosure of classified information.
CONFIDENTIAL — Classified information or material that requires protection whereby unauthorized disclosure could reasonably be expected to cause damage to our national security.
Facility (Security) Clearance — An administrative determination that, from a security viewpoint, a facility is eligible for access to classified information of a certain category (and all lower categories).
Foreign Interest — Any foreign government, agency of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered or incorporated under the laws of any country other than the United States or its territories, and any person who is not a citizen or national of the United States.
Foreign National — Any person who is not a citizen or national of the United States.
Need-to-Know (NTK) — A determination made by an authorized holder of classified information that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information in order to perform tasks or services to fulfill a classified contract or program.
Personnel Security Clearance (PCL) — An administrative determination that an individual is eligible, from a security point of view, for access to classified information of the same or lower category as the level of the personnel clearance being granted.
Public Disclosure — The passing of information and/or material pertaining to a classified contract to the public or any member of the public by any means of communication.
SECRET — Classified information or material that requires a substantial degree of protection, the unauthorized disclosure of which could reasonably be expected to cause serious damage to our national security.
Security Violation — Failure to comply with policy and procedures established by the 32 CFR 117 NISPOM RULE that could reasonably result in the loss or compromise of classified information.
Standard Practice Procedures (SPP) — A document prepared by contractors outlining the applicable requirements of the 32 CFR 117 NISPOM RULE for the contractor’s operations and involvement with classified information at the contractor’s facility.
Subcontractor — A supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime contractor or another subcontractor.
TOP SECRET — Classified information or material that requires the highest degree of protection, the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to our national security.
Unauthorized Person — A person not authorized to have access to specific classified information in accordance with the requirements of the 32 CFR 117 NISPOM RULE.
Abbreviations & Acronyms
AFSO — Assistant Facility Security Officer
AIS — Automated Information System
C — Confidential
CAGE — Commercial and Government Entity
COMSEC — Communication Security
CSA — Cognizant Security Agency
CSO — Cognizant Security Office
DoW — Department of War
DoW CAF — Department of War Central Adjudication Facility
DOE — Department of Energy
DCSA — Defense Counterintelligence and Security Agency
DTIC — Defense Technical Information Center
DISS — Defense Information Security System
e-QIP — Electronic Questionnaires for Investigation Processing
FBI — Federal Bureau of Investigation
FCL — Facility (Security) Clearance
FSO — Facility Security Officer
GCA — Government Contracting Activity
GSA — General Services Administration
ISFD — Industrial Security Facilities Database
ISR — Industrial Security Representative
ISSM — Information System Security Manager
ISSO — Information System Security Officer
ITP — Insider Threat Plan
ITPSO — Insider Threat Program Senior Official
ITAR — International Traffic in Arms
KMP — Key Management Personnel
NISP — National Industrial Security Program
NISPOM — National Industrial Security Program Operating Manual
NISS — National Industrial Security System
NTK — Need-To-Know
OPM — Office of Personnel Management
PCL — Personnel Security Clearance
POC — Point of Contact
PR — Periodic Reinvestigation
S — Secret
SCG — Security Classification Guide
SPRS — Supplier Performance Risk System
SPP — Standard Practice Procedures
