Executive Summary
This article provides a comprehensive mapping of CyberSecureID Identity and Access Management (IAM) platform capabilities against the 17 CMMC Level 1 control objectives derived from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). CMMC Level 1 is the foundational tier of the Cybersecurity Maturity Model Certification, mandatory for any defense contractor or subcontractor that processes, stores, or transmits Federal Contract Information (FCI).
CyberSecureID, deployed as a core pillar of Northern Data Solutions' Cyberwatch Advanced service, directly satisfies or materially contributes to 7 of the 17 CMMC Level 1 controls (41%) across 3 of the 6 control families. The remaining controls are addressed by the complementary endpoint, network, physical, and media-protection components included in Cyberwatch Advanced.
This document lists every CMMC Level 1 control objective, identifies which controls CyberSecureID addresses, describes the technical approach, and provides real-world deployment examples drawn from Federal Contract Information (FCI) handling engagements in the defense industrial base (DIB).
CMMC Level 1 Control Objective Inventory
CMMC Level 1 contains 17 security requirements (practices) organized into 6 control families (domains). The breakdown is as follows:
| Domain | Code | Control Count | CyberSecureID Coverage |
|---|---|---|---|
| Access Control | AC | 4 | 4 (Full) |
| Identification and Authentication | IA | 2 | 2 (Full) |
| Media Protection | MP | 1 | 0 |
| Physical Protection | PE | 4 | 0 |
| System and Communications Protection | SC | 2 | 1 (Partial) |
| System and Information Integrity | SI | 4 | 0 |
| TOTAL | | 17 | 7 |
Domain 1: Access Control (AC) — 4 Controls
CyberSecureID provides comprehensive coverage for the entire CMMC Level 1 Access Control family.
AC.L1-3.1.1 — Limit Information System Access to Authorized Users, Processes, and Devices
Approach: CyberSecureID Universal Directory serves as the authoritative identity source for users, service accounts, and devices that touch FCI. Provisioning is automated through HR system integrations (Workday, BambooHR, ADP, Paylocity); deprovisioning is triggered automatically on termination. Default access is denied; every grant is explicit.
Real-World Example: A 145-employee DoD machine shop processing Federal Contract Information consolidated identities from 6 disconnected systems (Active Directory, QuickBooks, Microsoft 365, ShopFloor MES, two custom apps) into CyberSecureID Universal Directory. The migration audit identified 89 orphaned accounts — including 11 belonging to long-departed employees with active credentials — all immediately revoked.
AC.L1-3.1.2 — Limit System Access to the Types of Transactions and Functions Authorized Users Are Permitted to Execute
Approach: CyberSecureID Groups, Group Rules, and Access Policies enforce role-based and attribute-based access control. Application entitlements (read, write, approve, admin) are pushed via SCIM provisioning and SAML attribute statements, ensuring users only invoke transactions appropriate to their role.
Real-World Example: A defense subcontractor producing FCI-bearing engineering drawings uses CyberSecureID group-based entitlements to ensure only the QA team can mark drawings "Released," only Engineering can revise, and only Contracts can transmit to the prime contractor — eliminating cross-functional FCI mishandling risk.
AC.L1-3.1.20 — Verify and Control/Limit Connections to and Use of External Information Systems
Approach: CyberSecureID Network Zones define trusted vs. untrusted network locations. External federation (B2B partner identity, supplier portal access) is governed via Identity Governance with explicit lifecycle controls and expiration. Conditional access policies block FCI applications from untrusted networks unless additional verification is met.
Real-World Example: A FAR-regulated parts manufacturer established federated B2B access for 4 prime contractor partners via CyberSecureID Org-to-Org federation, with CyberSecureID enforcing quarterly access certification and automatic deprovisioning when prime contracts ended.
AC.L1-3.1.22 — Control Information Posted or Processed on Publicly Accessible Information Systems
Approach: CyberSecureID controls administrative access to public-facing CMS platforms (WordPress, Drupal, Sitecore, marketing automation), ensuring only authorized content publishers can post information. Workflow approvals can be required prior to publication.
Real-World Example: A defense services firm's public website edits require CyberSecureID-authenticated access by approved marketing staff, plus a second-approver workflow before any blog post or press release is published — preventing accidental disclosure of FCI such as program names, contract numbers, or capability statements that should remain non-public.
Domain 2: Identification and Authentication (IA) — 2 Controls
CyberSecureID provides comprehensive coverage for the entire CMMC Level 1 IA family — identity is its core mission.
IA.L1-3.5.1 — Identify Information System Users, Processes Acting on Behalf of Users, or Devices
Approach: CyberSecureID Universal Directory provides unique identity for every human user and service principal. Service accounts are managed as first-class identities with explicit owners and lifecycle policies. CyberSecureID Device Trust assigns cryptographic identity to every endpoint via X.509 certificates or hardware TPM attestation.
Real-World Example: A 60-person FCI-handling defense supplier issued unique CyberSecureID identities to 60 users, 14 service accounts, and 78 endpoints. Every authentication event is attributable to a specific user, process, or device — satisfying the assessor's "uniquely identified" evidence request without manual cross-referencing.
IA.L1-3.5.2 — Authenticate (or Verify) the Identities of Those Users, Processes, or Devices, as a Prerequisite to Allowing Access to Organizational Information Systems
Approach: CyberSecureID supports password, FIDO2/WebAuthn, smart card (PIV/CAC), biometric, and OTP factors. Even at CMMC Level 1, Northern Data Solutions strongly recommends MFA enforcement on all FCI-touching applications via CyberSecureID Adaptive MFA. SMS factors are disabled by default per NIST 800-63B guidance.
Real-World Example: A small defense electronics shop (38 employees) deployed CyberSecureID password + FIDO2 (YubiKey) MFA across 100% of FCI-touching applications in 4 weeks. A subsequent phishing simulation produced zero successful credential captures — the FIDO2 origin-binding made phishing economically unviable.
Domain 3: Media Protection (MP) — 1 Control
MP.L1-3.8.3 — Sanitize or Destroy Information System Media Containing FCI Before Disposal or Release for Reuse
Approach: Not directly addressed by CyberSecureID. This control is addressed by Cyberwatch Advanced media sanitization procedures (NIST 800-88 compliant wipe/destruction) and contracted ITAD partners.
Domain 4: Physical Protection (PE) — 4 Controls
Physical Protection controls are not directly addressed by CyberSecureID. These are handled via badge access systems (Lenel, CCURE, HID), visitor management platforms (Envoy, SwipedOn), and physical security operations within Cyberwatch Advanced.
PE.L1-3.10.1 — Limit Physical Access to Organizational Information Systems, Equipment, and the Respective Operating Environments to Authorized Individuals
Approach: Not directly addressed by CyberSecureID.
PE.L1-3.10.3 — Escort Visitors and Monitor Visitor Activity
Approach: Not directly addressed by CyberSecureID.
PE.L1-3.10.4 — Maintain Audit Logs of Physical Access
Approach: Not directly addressed by CyberSecureID, but identity-correlated physical access logs from badge systems can be ingested into the same SIEM that receives CyberSecureID System Log streams, enabling unified audit review.
PE.L1-3.10.5 — Control and Manage Physical Access Devices
Approach: Not directly addressed by CyberSecureID.
Domain 5: System and Communications Protection (SC) — 2 Controls
SC.L1-3.13.1 — Monitor, Control, and Protect Organizational Communications at the External Boundaries and Key Internal Boundaries of the Information Systems
Approach: CyberSecureID gates application access at the identity boundary; all authentication communications are monitored, logged, and protected via TLS 1.2/1.3 with FIPS 140-2 validated cryptography. Integration with SASE/ZTNA solutions extends boundary protection to remote workforces and cloud applications.
Real-World Example: An FCI-handling defense supplier eliminated 5 separate VPN/SSO endpoints by consolidating remote access behind CyberSecureID + a ZTNA partner. Every remote session is now authenticated, monitored, and TLS-encrypted at a single audited control point with comprehensive logging.
SC.L1-3.13.5 — Implement Subnetworks for Publicly Accessible System Components That Are Physically or Logically Separated from Internal Networks
Approach: Not directly addressed by CyberSecureID. This control is addressed by network segmentation (DMZ design, micro-segmentation) within Cyberwatch Advanced.
Domain 6: System and Information Integrity (SI) — 4 Controls
System and Information Integrity controls (flaw remediation, malicious code protection, scanning) are addressed by EDR, patching, and vulnerability management components of Cyberwatch Advanced — not directly by CyberSecureID. However, CyberSecureID-issued device trust attestations validate that these endpoint controls are active before granting application access.
SI.L1-3.14.1 — Identify, Report, and Correct Information and Information System Flaws in a Timely Manner
Approach: Not directly addressed by CyberSecureID.
SI.L1-3.14.2 — Provide Protection from Malicious Code at Appropriate Locations Within Organizational Information Systems
Approach: Not directly addressed by CyberSecureID.
SI.L1-3.14.4 — Update Malicious Code Protection Mechanisms When New Releases Are Available
Approach: Not directly addressed by CyberSecureID.
SI.L1-3.14.5 — Perform Periodic Scans of the Information System and Real-Time Scans of Files from External Sources as Files Are Downloaded, Opened, or Executed
Approach: Not directly addressed by CyberSecureID. Periodic vulnerability scanning is delivered through Northern Data Solutions' Cyberwatch Risk Identification service (third-party penetration testing, validation, and vulnerability identification).
Coverage Summary
| Coverage Type | Count | % of CMMC L1 |
|---|---|---|
| Fully Addressed by CyberSecureID | 6 | 35% |
| Substantially Contributing | 1 | 6% |
| Total CyberSecureID Coverage | 7 | 41% |
| Addressed by Other Cyberwatch Advanced Components | 10 | 59% |
| Total CMMC Level 1 Controls | 17 | 100% |
Why CyberSecureID Within Cyberwatch Advanced for CMMC Level 1
CMMC Level 1 is often perceived as "the easy level" — just self-attestation, basic safeguarding. But the cost of failure is the same as Level 2: contract loss, False Claims Act exposure, and reputational damage in the DIB community. Identity is the most frequently exploited attack vector even against small FCI handlers.
CyberSecureID alone covers 41% of Level 1 directly — the remaining 59% requires complementary controls. Northern Data Solutions packages CyberSecureID inside Cyberwatch Advanced, which delivers a complete Level 1 control footprint:
- CyberSecureID for Identity Access Management with adaptive MFA, Principle of Least Privilege enforcement, and Zero Trust Architecture — covering all 4 AC controls and both IA controls
- EDR with anti-malware, signature updates, and on-access scanning — covering all 4 SI controls
- Network segmentation and SASE for SC.L1-3.13.5 boundary protection
- NIST 800-88 compliant media sanitization procedures and ITAD partnerships for MP.L1-3.8.3
- Physical security advisory and badge system integration recommendations for the 4 PE controls
- Attack surface visibility tooling for continuous external posture monitoring
- Password management and rotation for both human and machine identities
- Cybersecurity training platform with attestation and conditional access enforcement
Combined with Cyberwatch third-party penetration testing for ongoing validation, our Compliance-as-a-Service platform that manages your CMMC Level 1 self-attestation program end-to-end, and our vCSO executive offering for governance and audit readiness — CyberSecureID becomes the identity backbone of a complete, audit-ready CMMC Level 1 posture.
Recommended Next Steps for CMMC Level 1 Aspirants
1. Schedule a Cyberwatch Risk Identification engagement — third-party penetration testing identifies your current FCI attack surface and provides a gap baseline against the 17 Level 1 practices.
2. Deploy CyberSecureID through Cyberwatch Advanced — Northern Data Solutions handles tenant standup, baseline policy hardening, MFA enforcement, and integration with your HR system, MDM, and SIEM. A typical Level 1 deployment takes 4-6 weeks for a sub-100 employee shop.
3. Engage Compliance-as-a-Service — automated FCI flow documentation, self-attestation evidence collection, and annual recertification readiness, with the CyberSecureID configuration baselined as the authoritative source for the 6 controls it satisfies directly.
4. Add vCSO oversight — executive-level governance, board reporting, and prime contractor liaison through your CMMC Level 1 self-attestation cycle. Especially valuable for sub-prime contractors needing to demonstrate maturity to their primes.
Contact Northern Data Solutions to schedule a CMMC Level 1 readiness consultation and CyberSecureID deployment scoping session for your FCI-handling environment.