CMMC Level 1 - Mapping to Microsoft 365 Solutions

What is CMMC? 

CMMC Cybersecurity Maturity Model Certification is a DoD unified cybersecurity framework intended to provide a security standard focused on reducing the exfiltration of Controlled Unclassified Information (CUI) from the defense industrial base. CMMC combines various cybersecurity standards and best practices from across FAR, DFARS, ITAR, NIST 800-171, etc. One focus in the drafting process is to make CMMC Level 1 compliance cost-effective for small businesses to implement. For more information about CMMC, read our blog,

What Is CMMC? Update: Microsoft recently released their official assessment templates for CMMC in Microsoft 365 Compliance Manager. Check out our demo and walk through.

CMMC is a a Real Certification 

CMMC is built upon the existing regulation found in DFARS 252.204.7012. While DFARS is based on trust, CMMC adds a verification component, and is intended to provide for 3rd party consultants to conduct audits and inform risks. Certification requirements will be included in RFIs beginning in June 2020, and included in RFPs starting in Fall 2020 (September is the anticipated time frame). The Office of the Under Secretary of Defense(OUSD), responsible for managing CMMC is planning a staged role out with 1500 certified prime and subcontractors in fiscal year, 48,000 in fiscal year 25, and ALL new DOD contracts in FY 2026 requiring CMMC certification.   

What is CMMC Level 1? 

CMMC Level 1 is the lowest of the CMMC certification levels. It is intended to be achievable for small businesses, and consists of basic cybersecurity practices such as access control, anti-malware, physical controls, and sanitizing data prior to removing devices from use. It is important to remember that CMMC is additive, meaning that to meet CMMC Level 2, you must also meet CMMC level 1, and so on, With CMMC Level 5 requiring all former practices be also be in place. 

CMMC is broken up into domains that are based on best practices. These domains are then broken down to capabilities, which are measurable achievements to ensure cybersecurity within each domain. Finally, these capabilities are composed of practices and processes which are activities required to achieve a capability.  

Domain: Access Control 

Capability 001 - Establish System Access Requirements 

Practice 1001 

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 

Control who can use organizational devices and computers and who can log on to the company network. Limit services and devices, like printers, that are accessible by those computers. Set up your system so that unauthorized users and devices cannot get on the company network. Assure there are no shared accounts, and that accounts are disables as employees leave the company.  

  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 3.1.1
  • AU ACSC Essential Eight
Relevant Microsoft 365 Tools 
  • Active Directory 
  • Azure Active Directory 

Capability 002 - Control Internal Systems Access 

Practice 1002 

Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 

Make sure to limit users/employees to only the systems, roles, or applications they are permitted to use and that are needed for their job. (Just enough access) 

  • FAR Clause 52.204-21 b.1.ii
  • NIST SP 800-171 3.1.2
 Relevant Microsoft 365 Tools 
  • Active Directory 
  • Azure Active Directory 
  • O365 Groups

Capability 004 - Limit Data Access to Authorized Users and Processes 

Practice 1003 

Verify and control/limit connections to and use of external information systems. 

Control and manage connections between your company network and outside networks, such as the internet or networks that do not belong to your company. Be aware of applications that can be run by outside systems. Control and limit personal devices like laptops, tablets, and phones from accessing the company networks and information. You can also limit how and when your network is connected to outside systems and decide that only certain employees can connect to outside systems from network resources. 

  • FAR Clause 52.204-21 b.1.iii
Relevant Microsoft 365 Tools 
  • Active Directory 
  • Azure Active Directory 
  • O365 Groups

Practice 1004 

Control information posted or processed on publicly accessible information systems. 

Do not allow sensitive information, including FCI and CUI, to become public. Identify which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public. 

  • FAR Clause 52.204-21 b.1.iv
  • NIST SP 800-171 3.1.22
Relevant Microsoft 365 Tools 
  • Azure Information Protection 
  • Cloud App Security 

Domain: Identification and Authentication 

Capability 015 - Grant Access to Authenticated Entities 

Practice 1076 

Identify information system users, processes acting on behalf of users, or devices. 

Device identifiers include media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Managing individual identifiers is not applicable to shared system accounts. Individual identifiers are generally the user names associated with system accounts assigned to those individuals. Organizations should require unique identification of individuals in group accounts and detailed accountability of individual activity. This requirement also addresses individual identifiers not associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.  

  • FAR Clause 52.204-21 b.1.v
  • NIST SP 800-171 3.5.1
Relevant Microsoft 365 Tools 
  • Cloud App Security 
  • Azure Sentinel 

Practice 1077 

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 

Individual authenticators are things like passwords, key cards, crypto devices, and onetime password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, requirements about authenticator content include minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are VERY well known, easily discoverable, and present a significant security risk if left unmodified. 

  • FAR Clause 52.204-21 b.1.vi
  • NIST SP 800-171 3.5.2
  • UK NCSC Cyber Essentials
Relevant Microsoft 365 Tools 

  • Azure Active Directory P2 

  • Conditional Access 

  • Multifactor Authentication 

 Domain: Media Protection 

Capability 024 - Sanitize Media 

Practice 1118 

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. 

This requirement applies to all media; both digital and traditional, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, and copiers, printers, notebook computers, and mobile devices; and all non-digital media such as paper, microfilm, photos, etc. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. NARA sanitization processes for controlled unclassified information. [SP 800-88] provides guidance on media sanitization practices. 

Relevant Microsoft 365 Tools 
  • Microsoft Intune (Microsoft Endpoint Manager)

Domain: Physical Protection 

Capability 028 - Limit Physical Access 

Practice 1131 

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 

This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible. 

  • FAR Clause 52.204-21 b.1.viii
  • NIST SP 800-171 3.10.1
  • CERT RMM v1.2KIM
    .SP2
Relevant Microsoft 365 Tools 
  • N/A, however 3rd party access systems such as OpenPath synch with Active Directory for access control and logging. 

Practice 1132 

Escort visitors and monitor visitor activity. 

Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are escorted by an employee at all times while on your property. 

  • FAR Clause 52.204-21 Partial b.1.ix
  • NIST SP 800-171 3.10.3
Relevant Microsoft 365 Tools 
  • N/A, However 3rd party solutions such as Envoy provide kiosks for visitor logging, badges, and notifications.  

Practice 1133 

Maintain audit logs of physical access. 

Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices. 

  • FAR Clause 52.204-21 Partial b.1.ix
  • NIST SP 800-171 3.10.4
Relevant Microsoft 365 Tools 
  • N/A, However 3rd party solutions such as Envoy provide kiosks for visitor logging and notifications. Solutions can also be quickly created with PowerApps and PowerAutomate

Practice 1134 

Control and manage physical access devices.  

Controlling physical access devices like locks, badging, key cards, etc. is just as important as monitoring and limiting who is able to physically access certain equipment. Locks, badges, and key cards are only strong protection if you know who has them and what access they allow. 

  • FAR Clause 52.204-21 Partial b.1.ix
  • NIST SP 800-171 3.10.5
  • CERT RMM v1.2KIM
    .SP2
 Relevant Microsoft 365 Tools 
  • N/A 

 Domain: Systems and Communication Protection 

Capability 040 - Control Communications at System Boundaries 

Practice 1175 

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. 

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.  [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies. 

  • FAR Clause 52.204-21 b.1.x
  • NIST SP 800-171 3.13.1
  • UK NCSC Cyber Essentials
 Relevant Microsoft 365 Tools 
  • Azure Information Protection, Cloud App Security, Azure Firewall 

Practice 1176 

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies. 

  • FAR Clause 52.204-21 b.1.xi
  • NIST SP 800-171 3.13.5
  • UK NCSC Cyber Essentials
Relevant Microsoft 365 Tools 
  • Azure Firewall 

Domain: System and Information Integrity 

Capability 041 - Identify and Manage Information System Flaws 

Practice 1210 

Identify, report, and correct information and information system flaws in a timely manner. 

Be aware of problems in the software and computer equipment your company uses. Consider purchasing support from your hardware and software vendors/suppliers, getting patches, and signing up for IT newsletters with updates about common problems or weaknesses in software. Install security updates promptly. 

  • FAR Clause 52.204-21 b.1.xii
  • NIST SP 800-171 3.14.1
  • UK NCSC Cyber Essentials
  • AU ACSC Essential Eight
Relevant Microsoft 365 Tools 
  • Microsoft Intune 

Capability 042 - Identify Malicious Content 

Practice 1211 

Provide protection from malicious code at appropriate locations within organizational information systems. 

Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention. 

  • FAR Clause 52.204-21 b.1.xiii
  • NIST SP 800-171 3.14.2
  • AU ACSC Essential Eight
Relevant Microsoft 365 Tools 
  • Microsoft Defender Advanced Threat Protection 

Practice 1212 

Update malicious code protection mechanisms when new releases are available. 

You can protect your company’s valuable IT systems by staying up to date on new security releases that stop malicious code and monitoring the system regularly. Malicious code is program code that is always changing, so it is important to always have up-to-date protections, such as anti-malware tools. 

  • FAR Clause 52.204-21 b.1.xiv
  • NIST SP 800-171 3.14.4
Relevant Microsoft 365 Tools 
  • Microsoft Defender Advanced Threat Protection 

Practice 1213 

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. 

Companies should use anti-malware software to scan and identify viruses in their computer systems, and have a plan for how often scans are conducted. Real-time scans will look at the system whenever new files are downloaded, opened, and saved. Periodic scans check previously saved files against updated malware information. 

  • FAR Clause 52.204-21 b.1.xv
  • NIST SP 800-171 3.14.5

 Relevant Microsoft 365 Tools 

  • Microsoft Defender Advanced Threat Protection 

Meeting CMMC Level 1 with Microsoft 365

Agile IT is one of only 8 Microsoft AOS-G partners authorized to license, implement, migrate and manage GCC High, Microsoft’s solution for DOD contractors seeking to meet NIST 800-171, ITAR, DFARS and CMMC Compliance. We not only provide the licensing, but establish security and compliance baselines within your environment to assure you can meet your cybersecurity requirements. For more information, contact us today:

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?

Loading...

Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon Sales@AgileIT.com

Don’t want to wait for us to get back to you?