Cybersecurity Maturity Model Certification (CMMC) Level 1 Assessment Dashboard

58 objectives · 15 requirements · 6 domains · 141 templates

Domain Summary

Access Control (AC): 4 requirements · 19 objectives
Identification and Authentication (IA): 2 requirements · 5 objectives
Media Protection (MP): 1 requirement · 2 objectives
Physical Protection (PE): 2 requirements · 10 objectives
System and Communications Protection (SC): 2 requirements · 10 objectives
System and Information Integrity (SI): 4 requirements · 12 objectives

Access Control (AC)

4 requirements · 19 objectives
AC.L1-b.1.i — Authorized Access Control [FCI Data] · 6 objectives
[a] authorized users are identified;
AI Summary
This objective requires you to identify and document who is authorized to access your systems that handle Federal Contract Information (FCI). To demonstrate compliance, you need to have a list or process that clearly identifies authorized users and how that list is used to grant access to systems.
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 objective AC.L1-b.1.i [a], tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: A real estate consultant, Sarah, is assigned to a project involving the assessment of government-owned facilities for potential renovation. This project involves accessing facility inspection reports stored on the firm's internal project management system, which contains FCI data (e.g., the physical condition of buildings, security vulnerabilities). To comply with AC.L1-B.1.I, the firm ensures that Sarah is an authorized user in the system. This authorization is documented in a central "Authorized User List" maintained by the IT department. This list specifies Sarah's access privileges, granting her access only to the specific project folder containing the facility inspection reports and related documents. The IT department reviews and updates this list quarterly, verifying continued need-to-know and removing access when employees leave the firm or change roles.

**Example 2:**

Scenario: The consulting firm uses a cloud-based software platform to manage lease negotiations for a government client. This platform contains sensitive lease documents, client correspondence with the GSA, and financial data related to lease agreements, all considered FCI. Only authorized employees, such as the lead negotiator, the project manager, and designated administrative staff, are granted access to this platform. The firm also enforces multi-factor authentication (MFA) for all users of the platform; MFA is not one of the Level 1 requirements, but it is an inexpensive strengthening of the same control. The firm maintains a record of authorized users within the software platform's administration panel, and this list is reviewed and updated whenever an employee joins or leaves the project team. Access is revoked immediately upon an employee's departure from the project or the firm.

**Example 3:**

Scenario: The firm is conducting a site selection study for a new federal agency office building. This study involves accessing and analyzing CUI-marked site plans and environmental impact assessments stored on a shared network drive. Note that CUI is outside the scope of Level 1, which covers FCI only; a firm that stores CUI is assessed at Level 2, although the access-control mechanics described here apply in both cases. To comply with AC.L1-b.1.i, the firm restricts access to the shared drive folder containing this information to only those employees directly involved in the site selection study. This access is managed through Active Directory groups. A designated "Site Selection Study Group" is created, and only employees listed in the "Authorized User List" for this project are added to this group. Access rights are granted based on the principle of least privilege, ensuring users only have the permissions necessary to perform their assigned tasks. The project manager is responsible for reviewing and updating the group membership as the project progresses and personnel roles change.
📄 Policy Templates:
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx
AC.L1-b.1.i-SystemConfigSettings.docx
[b] processes acting on behalf of authorized users are identified;
AI Summary
This objective requires that you identify the processes that act on your systems on behalf of authorized users: service accounts, scheduled tasks, scripts, and application integrations that read or write FCI without a person at the keyboard. To demonstrate compliance, you need an inventory of these process identities that records what each one does, which resources it is permitted to reach, and who owns it, together with a way to tie its activity back to the authorized user or job that triggered it, for example through the identity it runs under and the logs it produces.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the AC.L1-b.1.i [b] objective, tailored to a real estate consulting firm working with government clients:

**Example 1:** Access to Government Property Database via API

* **Scenario:** The consulting firm uses a custom-built application to analyze government-owned property data, retrieved via an API from a GSA database. This database contains FCI related to property values, square footage, and past uses. To comply, the application must be configured to only access the GSA database using a dedicated service account (a process acting on behalf of authorized users) that is specifically authorized by GSA for data retrieval. The application's code must ensure that all API calls to the GSA database are made using this service account's credentials. Furthermore, the application's logs must record each data retrieval request, associating it with the service account and the authorized user who initiated the analysis within the consulting firm's application. This ensures that every process accessing the FCI is identified and traceable to an authorized user. The firm would maintain documentation outlining the service account's purpose, authorized access levels, and the application's code snippets demonstrating its usage for API calls.

**Example 2:** Automated Processing of Lease Documents

* **Scenario:** The firm uses an automated workflow to process lease documents containing FCI (e.g., rent amounts, lease terms, building security provisions) received from federal agencies like DoD. This workflow involves optical character recognition (OCR) software extracting data from scanned lease agreements and storing it in a secure database. The OCR process runs as a scheduled task under a specific system account (a process acting on behalf of authorized users) on a dedicated server. To comply, this system account must be explicitly authorized to access the folder containing the scanned lease documents and the database where the extracted data is stored. The firm must maintain a system configuration document detailing the system account's permissions, the scheduled task's configuration, and the software's configuration to use this account for data processing. Furthermore, audit logs must track each time the system account accesses the lease document folder or the database, creating a record of the automated process acting on behalf of authorized users (e.g., the contract administrator who initiated the workflow).

**Example 3:** Facility Inspection Report Generation

* **Scenario:** The firm uses a mobile application to generate facility inspection reports that include FCI such as structural vulnerabilities, security deficiencies, and environmental hazards. These reports are compiled from data collected by field inspectors using mobile devices. The mobile application uploads the collected data to a central server where a report generation process (a process acting on behalf of authorized users) creates a PDF document. To comply, the report generation process must be configured to run under a specific system account with restricted privileges. This account should only have the necessary permissions to access the uploaded data, generate the PDF report, and store it in a designated secure location. The mobile application must authenticate the user and associate the user's ID with the data being uploaded. The server logs must capture the activity of the report generation process, including the user ID associated with the uploaded data and the system account used to generate the report. The firm would maintain a configuration management plan documenting the system account's permissions, the report generation process's configuration, and the mobile application's authentication mechanism.
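The three examples above all hinge on the same check: a process identity that touches FCI must be registered, must stay within the resources it was authorized for, and must be traceable to a job that an authorized person started. The following Python script is an added illustration, not code from the page or from any vendor's tooling; it runs that check over a few constructed audit lines of the kind a workflow engine, a file server and a database would emit. The service account names, the svc- naming convention, the paths and the key=value log format are all assumptions. The same logic serves objective [e] below, where the question is whether access was in fact limited to such processes.

```python
"""Tracing service-account activity to authorized users (added example, not from the page).

Objective [b]: identify the processes that act on behalf of users. Objective [e]: limit
access to such processes. SERVICE_ACCOUNTS is the firm's registry of process identities;
AUDIT_LOG is a few constructed lines as a workflow engine, file server and database
might emit them. Every access by a process identity must (1) come from a registered
account, (2) stay within that account's authorized resources and (3) trace to a job
that an authorized person started. Account names, the svc- prefix convention, paths
and the key=value log format are all assumptions.
"""
import re
from collections import namedtuple

SERVICE_ACCOUNTS = {
    "svc-ocr":    {"owner": "it.ops", "paths": ("/srv/lease/scans/",), "dbs": ("lease_extract",)},
    "svc-report": {"owner": "it.ops", "paths": ("/srv/reports/",),     "dbs": ()},
}
AUTHORIZED_INITIATORS = {"contract.admin", "lease.mgr"}   # people allowed to start FCI jobs

# Constructed audit lines; the format is hypothetical.
AUDIT_LOG = """\
2024-03-04T09:00:02Z src=workflow user=contract.admin action=start_job job=J-1001 task=ocr
2024-03-04T09:00:05Z src=fileserver account=svc-ocr op=read path=/srv/lease/scans/L-2231.pdf job=J-1001
2024-03-04T09:00:09Z src=db account=svc-ocr op=insert db=lease_extract job=J-1001
2024-03-04T13:42:11Z src=fileserver account=svc-ocr op=read path=/srv/lease/scans/L-2299.pdf job=J-1002
2024-03-04T14:10:00Z src=fileserver account=svc-report op=read path=/srv/lease/scans/L-2231.pdf job=J-1001
2024-03-04T14:30:00Z src=fileserver account=svc-backup op=read path=/srv/lease/scans/L-2231.pdf
2024-03-04T15:00:00Z src=fileserver account=jdoe op=read path=/srv/lease/scans/L-2300.pdf
2024-03-04T16:00:00Z src=workflow user=intern.x action=start_job job=J-1003 task=ocr
2024-03-04T16:00:04Z src=fileserver account=svc-ocr op=read path=/srv/lease/scans/L-2301.pdf job=J-1003
"""

Finding = namedtuple("Finding", "kind account detail")
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """'<timestamp> k=v k=v ...' -> dict (values never contain spaces in this format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields

def is_process_identity(account):
    return account.startswith("svc-")   # hypothetical naming convention for non-human accounts

def in_scope(policy, event):
    """Is the resource this event touched one the account is authorized for?"""
    if "path" in event:
        return any(event["path"].startswith(p) for p in policy["paths"])
    if "db" in event:
        return event["db"] in policy["dbs"]
    return False

def audit(log_text, registry, authorized_initiators):
    """Return (findings, attributed): violations, and accesses traced to an authorized user."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    # The workflow engine's own start events are the bridge from a job id to a human.
    initiator = {e["job"]: e["user"] for e in events
                 if e.get("src") == "workflow" and e.get("action") == "start_job"}
    findings, attributed = [], []
    for e in events:
        acct = e.get("account")
        if not acct or not is_process_identity(acct):
            continue   # interactive users are reviewed under objectives [a] and [d]
        policy = registry.get(acct)
        if policy is None:
            findings.append(Finding("unregistered", acct, e["ts"]))
            continue
        if not in_scope(policy, e):
            findings.append(Finding("out_of_scope", acct, e.get("path") or e.get("db")))
            continue
        user = initiator.get(e.get("job"))
        if user is None:
            findings.append(Finding("unattributed", acct, e.get("job", "<no job id>")))
        elif user not in authorized_initiators:
            findings.append(Finding("unauthorized_initiator", acct, user))
        else:
            attributed.append((acct, e["job"], user))
    return findings, attributed

if __name__ == "__main__":
    findings, attributed = audit(AUDIT_LOG, SERVICE_ACCOUNTS, AUTHORIZED_INITIATORS)
    for f in findings:
        print(f"FINDING {f.kind:22s} {f.account:12s} {f.detail}")
    for acct, job, user in attributed:
        print(f"ok      {acct:12s} job {job} started by {user}")
```

Run as-is, the script reports four findings: a read by svc-ocr under a job no one started, svc-report reaching into the lease scans it was never authorized for, an unregistered svc-backup account touching FCI, and a job started by a user who is not an authorized initiator. Only the two accesses under J-1001 come back as attributed to contract.admin, which is the evidence an assessor would want for this objective.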
📄 Policy Templates:
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx
AC.L1-b.1.i-SystemConfigSettings.docx
[c] devices (and other systems) authorized to connect to the system are identified;
AI Summary
This objective requires organizations to identify and document which devices and systems are authorized to connect to their network and access Federal Contract Information (FCI). To demonstrate compliance, an organization should maintain a list or inventory of authorized devices and systems, and have a process in place to review and approve new devices before they are granted network access. This helps ensure only trusted devices can access sensitive information.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm could satisfy the CMMC Level 1 objective AC.L1-b.1.i [c], identifying the devices authorized to connect to the system:

**Example 1:** Scenario: A new consultant, Sarah, joins the firm to work on a project involving the lease negotiation for a GSA-occupied building. She needs access to the firm's internal project management system (PMS) where all project-related documents, including lease agreements containing FCI, are stored. She will also be using a company-issued laptop.

Compliance Implementation:

* **Device Identification and Authorization:** Before Sarah can connect her company-issued laptop to the network or access the PMS, the IT department records the laptop's serial number, asset tag and MAC address in a central asset management system, which serves as the firm's authorized device list. Sarah's laptop is permitted on the network only after this record exists and has been verified. The MAC address is inventory metadata rather than proof of identity: it is trivially spoofed and is randomized by many current operating systems, so enforcement should rest on something only the enrolled device holds, such as a device certificate issued at MDM enrollment.
* **User Account Creation and Device Association:** Sarah's user account in the PMS is created and linked to her authorized laptop. The IT department configures the network so that the PMS is reachable only from authorized devices, for example by requiring the device certificate (802.1X on the network, or a conditional-access policy that admits only MDM-enrolled devices), which prevents unmanaged devices from reaching FCI.
* **Documentation:** A record of Sarah's laptop being added to the authorized device list is maintained in the asset management system. This record includes the date of authorization, the authorizing IT staff member, and the project(s) Sarah is working on.

**Example 2:** Scenario: The firm uses a dedicated server to store facility inspection reports containing FCI, including photos and diagrams of government-owned properties. A field inspector, John, uses a company-issued tablet to upload these reports directly from the field.

Compliance Implementation:

* **Tablet Identification and Authorization:** John's company-issued tablet is pre-approved and registered in the firm's authorized device list, including its serial number and MAC address. This registration is completed before John can use the tablet to upload any data.
* **Secure Upload Process:** The tablet is configured to upload reports to the dedicated server only over an encrypted connection (HTTPS). The server accepts connections only from devices on the authorized device list, for example by requiring a client certificate issued to each enrolled tablet (mutual TLS), so a device that is not on the list cannot complete the connection at all.
* **Regular Review:** The IT department conducts quarterly reviews of the authorized device list, removing devices that are no longer in use or assigned to authorized personnel. The review process is documented, and any changes to the list are recorded.

**Example 3:** Scenario: The firm utilizes a cloud-based storage solution (e.g., AWS GovCloud) to store CUI-marked site plans and environmental impact assessments for a DoD project. Consultants need to access these files from their company-issued laptops and desktops.

Compliance Implementation:

* **Cloud Access Control:** Access to the cloud storage solution is restricted to authorized devices by combining multi-factor authentication (MFA) with a device-based condition: only MDM-enrolled, compliant devices are allowed to connect. IP address allow-listing can supplement this for fixed office locations, but an IP address identifies a network rather than a device, and consultants' laptops on home or client networks will not have a predictable address, so it cannot serve as the device check on its own.
* **Endpoint Security:** All company-issued laptops and desktops run endpoint detection and response (EDR) software. EDR detects and responds to malicious activity on the endpoint; it does not by itself stop an unauthorized device from reaching the cloud storage. Its role in this control is to supply the device-health signal that the access policy evaluates before granting the connection.
* **Device Management:** The IT department uses a mobile device management (MDM) solution to monitor and manage all company-issued devices. The MDM solution ensures that all devices are compliant with the firm's security policies and that only authorized applications are installed. The MDM solution also provides the ability to remotely wipe or lock devices in case of loss or theft.
📄 Policy Templates:
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx
AC.L1-b.1.i-SystemConfigSettings.docx
[d] system access is limited to authorized users;
AI Summary
This objective requires that access to systems handling Federal Contract Information (FCI) is restricted only to individuals who have been explicitly authorized. To demonstrate compliance, an organization needs to show they have a process for authorizing users and that this authorization is enforced when granting access to the system.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 objective AC.L1-b.1.i [d], tailored to a real estate consulting firm working with federal and local government clients:

**Example 1:**

Scenario: The consulting firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage projects involving government property data. These projects often contain FCI such as facility assessments, lease documents, and site selection studies. To limit system access to authorized users, each employee is assigned a unique user account with role-based access control. For example, a junior analyst might have read-only access to facility assessment reports stored within the project management system, while a senior consultant would have read/write access to create and modify these reports. The system administrator maintains a list of all authorized users and their assigned roles within the project management system. This list is reviewed and updated quarterly to reflect personnel changes (e.g., new hires, terminations, role changes). When an employee leaves the company, their account is immediately disabled to prevent unauthorized access to FCI. The firm documents this process in its System Security Plan (SSP) and maintains records of account creation, modification, and deletion.

**Example 2:**

Scenario: The consulting firm utilizes a secure file sharing platform (e.g., SharePoint, Box) to exchange sensitive documents, including CUI-marked site plans and client correspondence with federal agencies like GSA or DoD, with its government clients. Access to these folders and files is restricted based on the "need-to-know" principle. For example, a folder containing lease negotiation documents for a specific DoD facility is only accessible to the consultants directly working on that project and the designated project manager. Access is granted by the IT administrator upon project assignment and revoked upon project completion. The firm maintains an audit log of access requests and approvals for these sensitive folders. Before sharing any files with external clients, the firm verifies that the client has the necessary permissions and security controls in place to protect the FCI.

**Example 3:**

Scenario: Consultants conduct on-site facility assessments and use company-issued laptops to record their findings and take photographs. These laptops contain software for generating reports and storing digital images, which may contain FCI regarding the physical condition of government properties. Access to these laptops is restricted to authorized employees via strong passwords and multi-factor authentication. The firm enforces a policy requiring employees to lock their laptops when unattended, especially during on-site assessments. Furthermore, the laptops are configured with full disk encryption to protect the data at rest in case of loss or theft. The firm maintains an inventory of all company-issued laptops and tracks which employees are assigned to each device. The IT department regularly monitors the laptops for unauthorized access attempts and installs security updates to protect against vulnerabilities.
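Example 1 under objective [a] and Example 1 above both describe an Authorized User List that is compared against the system and against personnel changes each quarter. As an added illustration, not code from the page or from any of the products named above, the Python below performs that reconciliation over constructed data: it reports accounts that hold access without being on the list, listed users HR no longer considers active, accounts HR has never heard of, and authorized users the system has not actually granted. The user names, project names and group names are hypothetical.

```python
"""Quarterly access review for a system holding FCI (added example, not from the page).

Objective [a] needs an authorized-user list; objective [d] needs the system to grant
access only to the people on it. This script reconciles three constructed inputs,
which in practice would be CSV or JSON exports:
  AUTHORIZED_USERS  the firm's Authorized User List (user -> projects approved for)
  HR_ROSTER         who is currently employed, and in what capacity
  GROUP_MEMBERSHIP  what the system actually enforces (e.g. AD group or SaaS role export)
and lists what a reviewer must fix before signing off. All names are hypothetical.
"""
from dataclasses import dataclass, field

AUTHORIZED_USERS = {
    "sarah.lee": {"GSA-Facility-Renovation"},
    "john.park": {"GSA-Facility-Renovation", "DoD-Site-Selection"},
    "amy.chen":  {"DoD-Site-Selection"},
}

HR_ROSTER = {
    "sarah.lee": "active",
    "john.park": "active",
    "amy.chen":  "terminated",   # left the firm, but the authorized list was never updated
    "svc-ocr":   "service",      # non-human identity; reviewed under objective [b]
}

GROUP_MEMBERSHIP = {
    "GSA-Facility-Renovation": {"sarah.lee", "john.park", "bob.ito"},  # bob.ito was never authorized
    "DoD-Site-Selection":      {"john.park"},                           # amy.chen already removed here
}

@dataclass
class ReviewFindings:
    unauthorized: list = field(default_factory=list)  # in a group, not on the authorized list
    not_in_hr:    list = field(default_factory=list)  # account the system knows but HR does not
    inactive:     list = field(default_factory=list)  # on the authorized list, no longer active
    missing:      list = field(default_factory=list)  # authorized but not actually granted (access gap)

def review_access(authorized, roster, membership):
    """Reconcile the three sources; every discrepancy becomes a finding."""
    f = ReviewFindings()
    for group, members in membership.items():
        for user in sorted(members):
            if group not in authorized.get(user, set()):
                f.unauthorized.append((user, group))
            if user not in roster:
                f.not_in_hr.append((user, group))
    for user, projects in authorized.items():
        if roster.get(user) not in ("active", "service"):
            f.inactive.append(user)
            continue  # an access gap is not a finding for someone who should have none
        for project in sorted(projects):
            if user not in membership.get(project, set()):
                f.missing.append((user, project))
    return f

def review_passes(findings):
    """Sign-off requires no over-provisioning. 'missing' is an operational gap
    that needs a ticket, not a security finding, so it does not block sign-off."""
    return not (findings.unauthorized or findings.not_in_hr or findings.inactive)

if __name__ == "__main__":
    result = review_access(AUTHORIZED_USERS, HR_ROSTER, GROUP_MEMBERSHIP)
    for name in ("unauthorized", "not_in_hr", "inactive", "missing"):
        print(f"{name:13s} {getattr(result, name)}")
    print("sign-off ok:", review_passes(result))
```

The point of running three sources against each other rather than just reading the group export is that each source catches a different failure: the group export alone would never reveal that amy.chen is still authorized on paper after leaving, and the HR roster alone would never reveal bob.ito, whom the system knows but HR does not.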
📄 Policy Templates:
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx
AC.L1-b.1.i-SystemConfigSettings.docx
[e] system access is limited to processes acting on behalf of authorized users;
AI Summary
This objective requires that system access is limited to processes (service accounts, scheduled jobs, scripts, integrations) that act on behalf of authorized users, in addition to the users themselves. To demonstrate compliance, you need to show that each such process runs under an identity that has been explicitly authorized for the resources it touches, rather than under a shared, anonymous or over-privileged account, and that its activity can be traced back to an authorized user. This can be shown through documented access control policies, system configurations (service account permissions, job definitions) and access logs.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 objective AC.L1-b.1.i [e], tailored to a real estate consulting firm advising government clients:

**Example 1:** *Restricting Access to Government Property Databases*

Scenario: The consulting firm uses a cloud-based project management system to store and process data related to government property leases. This includes sensitive information extracted from GSA lease agreements, facility inspection reports containing FCI (e.g., details about HVAC systems requiring upgrades), and client correspondence. Only authorized project team members directly involved in the specific lease management project should have access to this data.

Compliance Implementation:

* **Role-Based Access Control:** The project management system is configured with role-based access control. A role like "Lease Analyst" is created with permissions to view, edit, and download lease documents and related data. Another role, "Project Manager," has broader access, including the ability to add/remove users from the project.
* **Project-Specific Permissions:** When a new lease management project is created (e.g., "GSA Region 3 - Building 123"), access to the project's data is restricted to users assigned the "Lease Analyst" or "Project Manager" roles *and* specifically added to the "GSA Region 3 - Building 123" project within the system.
* **Principle of Least Privilege:** The "Lease Analyst" role is configured to only allow viewing and editing of relevant lease documents and facility inspection reports, but not the ability to modify user access controls. This ensures that users only have the minimum necessary access to perform their duties.
* **Regular Review:** Project access lists are reviewed monthly by the Project Manager to ensure that only authorized personnel have access. When a team member leaves the project or the firm, their access is immediately revoked.

**Example 2:** *Controlling Access to CUI-Marked Site Plans*

Scenario: The consulting firm conducts site selection studies for a DoD client. These studies involve creating and storing site plans that are marked as CUI, containing sensitive information about potential locations for a new military facility. These site plans are stored on a network file share.

Compliance Implementation:

* **Access Control Lists (ACLs):** The network file share where the CUI-marked site plans are stored is protected using Access Control Lists (ACLs).
* **Need-to-Know Basis:** Access to the file share is restricted to only those employees who are actively working on the DoD site selection project and have a demonstrated need-to-know. This includes the lead architect, the site selection analyst, and the project manager.
* **Group-Based Permissions:** Instead of assigning permissions to individual user accounts, a security group (e.g., "DoD Site Selection Team") is created in the Active Directory. Users are added to this group to grant them access to the file share.
* **Documentation:** A record is maintained documenting who has access to the CUI-marked site plans and the justification for their access. This record is reviewed and updated whenever personnel changes occur on the project.
* **Watermarking:** All CUI-marked site plans are watermarked with a CUI designation and a statement indicating that access is restricted to authorized personnel only.

**Example 3:** *Securing Access to Facility Assessment Data*

Scenario: The consulting firm performs facility assessments for HUD properties. These assessments generate reports containing FCI, such as details about security vulnerabilities, infrastructure weaknesses, and sensitive building systems. These reports are delivered to HUD via a secure file transfer protocol (SFTP) server.

Compliance Implementation:

* **SFTP User Accounts:** Each authorized employee who needs to upload facility assessment reports to the HUD SFTP server is provided with a unique SFTP user account
📄 Policy Templates:
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx
AC.L1-b.1.i-SystemConfigSettings.docx
[f] system access is limited to authorized devices (including other systems).
AI Summary
This objective requires that only authorized devices (including other systems) are allowed to access the system. To demonstrate compliance, an organization must implement controls that prevent unauthorized devices from connecting to the system and have a process for authorizing new devices before they are granted access. This could involve network access control lists, device authentication, and a documented authorization process.
AI-Generated Examples
Here are three concrete compliance examples for the consulting firm, tailored to the CMMC Level 1 objective AC.L1-b.1.i [f], focusing on authorized device access to FCI:

**Example 1:**

Scenario: A real estate consultant, Jane, needs to access a secure, cloud-based project management system (e.g., hosted on AWS GovCloud) containing facility inspection reports (marked as FCI) for a GSA-leased property. Jane attempts to access the system from her personal laptop, which is not managed by the firm's IT department. The system is configured to only allow access from devices with approved device certificates and endpoint detection and response (EDR) software managed by the firm. Jane's attempt to log in is blocked, and she receives an error message stating that the device is not authorized. To gain access, Jane must use her company-issued laptop, which has the necessary security controls and is registered with the firm's device management system. This ensures that only authorized and secured devices can access the FCI data.

**Example 2:**

Scenario: The consulting firm uses a dedicated server to store sensitive site selection studies containing CUI-marked site plans for a potential DoD facility. A new intern, Mark, is assigned to assist with the project. Before Mark can access the server, the IT department must authorize his company-issued laptop for access. This involves installing the required security software (antivirus, firewall, EDR), updating the device's operating system to the latest security patches, enrolling the laptop in the firm's device management system and recording it in the authorized device inventory, and issuing it the device certificate that the server requires. Registering the laptop's MAC address on a server access control list is a weak substitute for that certificate: MAC addresses are only visible on the local network segment and are trivially spoofed. Mark is also required to authenticate using multi-factor authentication (MFA) each time he accesses the server. This process ensures that only authorized and secured devices, associated with approved personnel, can access the sensitive site selection studies.

**Example 3:**

Scenario: The consulting firm utilizes a secure file transfer protocol (SFTP) server to exchange lease documents and client correspondence (potentially containing FCI) with a federal agency client, like HUD. Only authorized devices, specifically those with pre-approved IP addresses and configured with the firm's VPN, are allowed to connect to the SFTP server. If a consultant attempts to connect to the SFTP server from an unauthorized device, such as a personal tablet or a device connected to a public Wi-Fi network, the connection is automatically rejected. This prevents unauthorized devices from accessing or transmitting FCI data related to lease negotiations and client communications.
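Objectives [c] and [f] are two halves of one control: an inventory of authorized devices, and an enforcement point that admits only devices on it. The Python below is an added example, not code from the page or from any vendor mentioned above. It shows what that enforcement decision looks like when it is based on a device certificate issued at enrollment, why a bare MAC address match is refused (MAC addresses are spoofable and randomized by current operating systems, so they belong in the inventory as metadata only), and how the same inventory supports the quarterly review of devices that have gone quiet. Serial numbers, certificate thumbprints, MAC addresses and user names are all hypothetical.

```python
"""Admitting only authorized devices (added example, not code from the page).

AUTHORIZED_DEVICES is the authorized device list required by objective [c]; authorize()
is the decision an enforcement point (VPN gateway, 802.1X, conditional access) has to
make for objective [f]. Device identity comes from the certificate issued at enrollment.
A matching MAC address on its own is refused: MAC addresses are visible only on the
local segment, are trivially spoofed and are randomized by current operating systems,
so they stay in the inventory as metadata. All identifiers are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 3, 4, 12, 0, 0)   # fixed clock so the example is reproducible

@dataclass(frozen=True)
class Device:
    serial: str
    cert_thumbprint: str             # SHA-256 fingerprint of the device certificate
    mac: str
    assigned_to: str
    status: str                      # "active" or "retired"
    last_seen: datetime

@dataclass(frozen=True)
class Connection:
    ts: datetime
    user: str                        # identity from the user's own authentication
    cert_thumbprint: Optional[str]   # None when the client presented no device certificate
    mac: str

# Constructed authorized device list.
AUTHORIZED_DEVICES = [
    Device("LT-0142", "a1" * 32, "3c:22:fb:1a:2b:3c", "sarah.lee", "active",  NOW - timedelta(days=1)),
    Device("LT-0098", "b2" * 32, "3c:22:fb:4d:5e:6f", "john.park", "active",  NOW - timedelta(days=120)),
    Device("TB-0031", "c3" * 32, "f0:18:98:7a:8b:9c", "john.park", "retired", NOW - timedelta(days=200)),
]

# Constructed gateway events.
CONNECTIONS = [
    Connection(NOW, "sarah.lee",   "a1" * 32, "3c:22:fb:1a:2b:3c"),  # enrolled laptop, right user
    Connection(NOW, "sarah.lee",   None,      "3c:22:fb:1a:2b:3c"),  # personal laptop with a cloned MAC
    Connection(NOW, "jane.doe",    "a1" * 32, "3c:22:fb:1a:2b:3c"),  # Sarah's laptop, someone else logging in
    Connection(NOW, "john.park",   "c3" * 32, "f0:18:98:7a:8b:9c"),  # tablet that was retired
    Connection(NOW, "mark.intern", None,      "02:00:5e:00:53:01"),  # never enrolled
]

def authorize(conn, inventory):
    """Return (allowed, reason) for one connection attempt."""
    by_thumb = {d.cert_thumbprint: d for d in inventory}
    by_mac = {d.mac.lower(): d for d in inventory}
    dev = by_thumb.get(conn.cert_thumbprint) if conn.cert_thumbprint else None
    if dev is None:
        # A MAC that happens to match an inventory record proves nothing about the device.
        if conn.mac.lower() in by_mac:
            return False, "mac_matches_but_no_device_certificate"
        return False, "unknown_device"
    if dev.status != "active":
        return False, f"device_{dev.status}"
    if dev.assigned_to != conn.user:
        return False, "device_not_assigned_to_user"
    return True, f"authorized:{dev.serial}"

def stale_devices(inventory, now, max_age_days=90):
    """Quarterly review helper: active devices not seen within the window are
    candidates for retirement or follow-up with their assigned user."""
    cutoff = now - timedelta(days=max_age_days)
    return [d.serial for d in inventory if d.status == "active" and d.last_seen < cutoff]

if __name__ == "__main__":
    for c in CONNECTIONS:
        allowed, reason = authorize(c, AUTHORIZED_DEVICES)
        print(f"{c.user:12s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
    print("stale:", stale_devices(AUTHORIZED_DEVICES, NOW))
```

The second connection is the case that matters most for this objective: the client copies the MAC address of an enrolled laptop but cannot present its certificate, and is denied with a reason that tells the reviewer exactly what happened. The retired tablet and the never-enrolled device are denied for the reasons the inventory records, and LT-0098 surfaces in the quarterly review as an active device nobody has used in four months.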
📄 Policy Templates:
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx
AC.L1-b.1.i-SystemConfigSettings.docx
AC.L1-b.1.ii — Transaction & Function Control [FCI Data] · 2 objectives
[a] the types of transactions and functions that authorized users are permitted to execute are defined;
AI Summary
This objective requires organizations to define the types of actions (transactions and functions) that each authorized user or role is permitted to perform on systems handling Federal Contract Information (FCI). To demonstrate compliance with this objective, organizations must show that these permissions are documented, for example in role definitions or an access matrix; objective [b] then covers showing that the system actually enforces them, so that users can only perform actions appropriate to their role.
AI-Generated Examples
Here are three concrete compliance examples for AC.L1-b.1.ii [a], tailored to a real estate consulting firm working with federal and local government clients and handling FCI:

**Example 1:**

Scenario: The firm uses a cloud-based project management system to store all project-related documents, including facility assessments containing FCI (e.g., structural integrity reports of a DoD-leased building). The system has role-based access control. Project Managers are granted "Read/Write" access to all documents within their assigned projects, allowing them to upload, modify, and download files. Real Estate Analysts, who primarily conduct market research and data analysis, are granted "Read-Only" access to these same documents. This prevents Analysts from accidentally or intentionally altering critical assessment data. Interns are granted access to a limited set of folders containing only publicly available information and training materials, preventing them from accessing any FCI. The access levels are documented in the firm's Access Control Policy and enforced through the project management system's user permission settings.

**Example 2:**

Scenario: The firm uses a secure internal database to manage lease negotiations and track government property details, including CUI-marked site plans received from the GSA. Access to this database is controlled based on job function. The lead negotiator on a specific lease agreement is granted full "CRUD" (Create, Read, Update, Delete) access to the relevant lease record, allowing them to update terms, upload correspondence, and manage associated documents. The firm's IT support staff are granted "Read-Only" access to all lease records for troubleshooting purposes, ensuring they can assist with technical issues without modifying sensitive data. All other employees, such as administrative assistants, have no access to the database unless specifically granted a temporary exception based on a documented and approved business need. This exception is documented in the access control logs.

**Example 3:**

Scenario: The firm conducts site selection studies that involve accessing and analyzing sensitive demographic and environmental data, some of which may be considered FCI. To control access to this data, the firm implements a "data enclave" within its network. Only designated Site Selection Specialists, who have received specialized training on handling FCI, are granted access to this enclave. They are permitted to run specific pre-approved analytical tools and generate reports. These tools are configured with built-in controls to prevent the unauthorized export or dissemination of the underlying data. Other employees, such as marketing staff, are explicitly blocked from accessing the data enclave and the analytical tools. Access to the enclave is controlled via Active Directory group policies and monitored through regular security audits.
📄 Policy Templates:
AC.L1-b.1.ii-AccessEnforcementPolicyTemplate.docx
AC.L1-b.1.ii-RoleDefinitionsTemplate.docx
AC.L1-b.1.ii-SystemConfigSettings.docx
[b] system access is limited to the defined types of transactions and functions for authorized users.
AI Summary
This objective requires that access to systems is limited to only the transactions and functions that authorized users are allowed to perform. To demonstrate compliance, an organization must show that they have defined the types of transactions and functions each user is permitted to execute and that the system enforces these limitations. This can be achieved through access control policies, procedures, system configurations, and audit logs.
AI-Generated Examples
Here are three concrete compliance examples for AC.L1-b.1.ii [b], tailored to a real estate consulting firm working with government clients:

**Example 1:**

A new analyst, Sarah, is hired to assist with facility assessments for a DoD client. Her initial role focuses on data entry and basic report generation. The firm uses a centralized project management system (e.g., a SharePoint site) to store facility inspection reports, CUI-marked site plans, and client correspondence. Sarah's user account is initially granted "read-only" access to the project management system and the specific client folder containing FCI. She can view facility assessments, site plans, and correspondence but cannot modify, delete, or upload any documents. Her manager must approve a request to IT to grant her "contributor" access if her role expands to include updating reports or uploading new documents. This ensures she only has access to the transactions and functions needed for her current responsibilities.

**Example 2:**

The firm utilizes a secure, cloud-based database to manage lease agreements and property data for various government agencies, including sensitive information like lease rates, renewal options, and tenant contact details. Access to this database is strictly controlled based on the "least privilege" principle. A real estate agent, John, is assigned to negotiate a new lease for a GSA-occupied building. John's access to the database is limited to the specific GSA portfolio and only allows him to view and edit the relevant lease documents. He cannot access lease data for other government agencies or perform administrative functions within the database, such as creating new user accounts or modifying system configurations. This prevents unauthorized access to sensitive FCI related to other clients.

**Example 3:**

The firm's senior leadership team requires access to all client data for oversight and strategic decision-making. However, even within this group, access is differentiated based on function. For example, the CFO needs access to financial data related to government contracts (e.g., billing rates, invoices), while the COO needs access to project-related data (e.g., project timelines, resource allocation). The firm implements role-based access control (RBAC) within its internal financial system and project management platform. The CFO's role grants access to financial reports and billing modules, while the COO's role grants access to project dashboards and resource management tools. Neither can access the other's area without specific authorization, effectively limiting their access to only the transactions and functions required for their respective roles and preventing unnecessary exposure to FCI.
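Objective [a] of AC.L1-b.1.ii produces the role definitions; objective [b] asks whether the system enforces them. The Python below is an added example, not code from the page or from any named product. It takes a set of role definitions, a constructed export of the permissions a system actually grants, and a register of approved temporary exceptions like the one in Example 2 of objective [a], and reports every grant that exceeds the role, every exception that has expired without being revoked, and every account holding permissions with no role at all. Role names, object names, user names and dates are hypothetical.

```python
"""Comparing effective permissions against defined roles (added example, not from the page).

AC.L1-b.1.ii [a] defines which transactions and functions each role may execute;
[b] requires the system to enforce that. check_grants() compares the role definitions
with a constructed export of what a system actually grants, allowing for approved
temporary exceptions that carry an expiry date. Everything below is hypothetical.
"""
from datetime import date

TODAY = date(2024, 3, 4)   # fixed date so the example is reproducible

# [a] the definitions: what each role may do, as (object, action) pairs
ROLE_DEFINITIONS = {
    "project_manager": {("lease_docs", "read"), ("lease_docs", "write"),
                        ("lease_docs", "download"), ("project_members", "manage")},
    "analyst":    {("lease_docs", "read")},
    "it_support": {("lease_docs", "read")},          # read-only, for troubleshooting
    "intern":     {("training", "read")},            # no FCI at all
}

ROLE_ASSIGNMENTS = {
    "pm.rivera":   "project_manager",
    "sarah.lee":   "analyst",
    "it.ops":      "it_support",
    "mark.intern": "intern",
    # bob.ito has an account but was never assigned a role
}

# Approved temporary exceptions: (user, object, action) -> date the exception expires
EXCEPTIONS = {
    ("sarah.lee", "lease_docs", "write"): date(2024, 3, 31),  # approved, still valid
    ("it.ops",    "lease_docs", "write"): date(2024, 1, 15),  # approved once, expired, never revoked
}

# [b] constructed export of what the system grants today
EFFECTIVE_GRANTS = {
    "pm.rivera":   {("lease_docs", "read"), ("lease_docs", "write"),
                    ("lease_docs", "download"), ("project_members", "manage")},
    "sarah.lee":   {("lease_docs", "read"), ("lease_docs", "write")},
    "it.ops":      {("lease_docs", "read"), ("lease_docs", "write")},
    "mark.intern": {("training", "read"), ("lease_docs", "read")},
    "bob.ito":     {("lease_docs", "read")},
}

def check_grants(role_defs, assignments, grants, exceptions, today):
    """Return a list of (kind, user, detail) for every grant the definitions do not justify."""
    findings = []
    for user, granted in grants.items():
        role = assignments.get(user)
        if role is None:
            findings.append(("no_role_defined", user, sorted(granted)))
            continue
        excess = granted - role_defs.get(role, set())
        for obj, action in sorted(excess):
            expiry = exceptions.get((user, obj, action))
            if expiry is None:
                findings.append(("exceeds_role", user, (obj, action)))
            elif expiry < today:
                findings.append(("exception_expired", user, (obj, action, expiry.isoformat())))
            # otherwise the grant is covered by an approved, unexpired exception
    return findings

def enforcement_holds(findings):
    """[b] is satisfied for this export only when nothing exceeds the definitions."""
    return not findings

if __name__ == "__main__":
    for kind, user, detail in check_grants(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS,
                                           EFFECTIVE_GRANTS, EXCEPTIONS, TODAY):
        print(f"{kind:18s} {user:12s} {detail}")
```

Sarah's write access produces no finding because it is covered by an exception that is still in force; the same grant on it.ops is flagged because its exception lapsed in January and nobody revoked it, which is the failure mode a permission export alone will not reveal. Re-running the check after each quarterly review, with the current date, is what turns the documented role definitions from objective [a] into evidence for objective [b].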
📄 Policy Templates:
AC.L1-b.1.ii-AccessEnforcementPolicyTemplate.docx
AC.L1-b.1.ii-RoleDefinitionsTemplate.docx
AC.L1-b.1.ii-SystemConfigSettings.docx
AC.L1-b.1.iii — External Connections [FCI Data] · 6 objectives
[a] connections to external systems are identified;
AI Summary
This objective requires organizations to identify all connections to external systems that process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, an organization needs to document and maintain a list of these external connections and have a process for verifying and controlling/limiting these connections.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective AC.L1-b.1.iii [a] (External Connections [FCI Data]):

**Example 1:** External Cloud Storage for Project Collaboration

* **Scenario:** The firm uses a cloud storage service (e.g., Box, Dropbox, Google Drive) to collaborate with a federal agency (e.g., GSA) on a facility assessment project. This project involves sharing documents containing FCI, such as facility inspection reports with CUI markings, site plans with sensitive infrastructure details, and lease agreements.
* **Compliance:**
1. **Identify the External Connection:** The firm documents the use of the cloud storage service as an external connection in its system security plan (SSP). This documentation includes the cloud service provider's name, purpose of the connection (project collaboration with GSA), and the types of FCI data stored and shared.
2. **Control/Limit the Connection:** The firm implements a policy prohibiting the storage of FCI in personal cloud accounts. Employees are required to use the firm's approved and managed cloud storage account. Access to the cloud storage folder containing FCI is restricted to authorized personnel (project team members) via role-based access control. Multi-factor authentication (MFA) is enforced for all users accessing the cloud storage service. The firm reviews and accepts the cloud service provider's terms of service, ensuring they align with CMMC Level 1 requirements for protecting FCI. The firm also implements data loss prevention (DLP) policies to prevent unauthorized uploading or downloading of FCI.

**Example 2:** Consultant Accessing Internal Systems from Home

* **Scenario:** A consultant needs to access the firm's internal project management system (which contains FCI related to government real estate projects) from their home computer to update a site selection study for a DoD client.
* **Compliance:**
1. **Identify the External Connection:** The firm identifies remote access from personal devices as an external connection in its SSP.
2. **Control/Limit the Connection:** The firm mandates that all remote access to internal systems containing FCI must be done through a secure Virtual Private Network (VPN). The consultant's home computer must meet minimum security requirements (e.g., up-to-date antivirus software, enabled firewall) as outlined in the firm's remote access policy. The firm implements endpoint detection and response (EDR) on the consultant's computer while accessing the internal project management system. The consultant is required to acknowledge and adhere to the firm's Acceptable Use Policy, which prohibits unauthorized access, data sharing, or storage of FCI on personal devices. The firm also uses session monitoring to detect and respond to any suspicious activity during remote access sessions.

**Example 3:** Third-Party Vendor Accessing Property Database

* **Scenario:** The firm contracts with a third-party vendor to perform data analysis on a government property database containing FCI. The vendor requires remote access to the database to perform their work.
* **Compliance:**
1. **Identify the External Connection:** The firm identifies the vendor's remote access as an external connection in its SSP.
2. **Control/Limit the Connection:** The firm implements a formal agreement with the vendor that outlines security requirements for protecting FCI. This agreement includes clauses requiring the vendor to comply with CMMC Level 1 controls, restrict access to the database to authorized personnel only, and implement appropriate security measures (e.g., encryption, access controls, audit logging). The firm implements a dedicated VPN connection for the vendor's access to the database. The firm monitors the vendor's access activity and conducts periodic security assessments to ensure compliance with the agreement. The firm also implements a data use agreement that limits the vendor's use of the data to the specific purpose outlined in
📄 Policy Templates:
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx
AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx
AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
[b] the use of external systems is identified;
AI Summary
This objective requires organizations to identify all external systems that connect to their network and could potentially access, process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, an organization needs to document a list of these external systems and show that they are aware of how these systems are being used. This could be achieved through a documented inventory or diagram showing external connections.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm can satisfy the CMMC Level 1 objective AC.L1-B.1.III, focusing on identifying the use of external systems when handling FCI data:

**Example 1:**

* **Scenario:** A consultant is performing a site selection study for a new federal agency office. This study involves accessing and analyzing data from the GSA's Federal Real Property Profile (FRPP) database (which may contain FCI related to existing federal facilities) and potentially downloading CUI marked site plans from a DoD client's secure portal. The consultant needs to access these resources from their company-issued laptop while working from home.
* **Compliance:** The firm maintains an inventory of all approved external systems used to access, process, or store FCI. This inventory includes the GSA's FRPP database and the DoD client's secure portal. The inventory documents the purpose of each external system, the types of FCI accessed, and the approved methods for accessing them (e.g., multi-factor authentication required, specific browser versions allowed, VPN connection mandated). Before accessing the FRPP database or the DoD portal, the consultant must acknowledge a pop-up reminder on their company laptop confirming they are using an approved device and connection method as documented in the system inventory. The firm also maintains a record of all external systems accessed by each employee.

**Example 2:**

* **Scenario:** The firm is managing a portfolio of leased properties for HUD. Lease documents, facility inspection reports, and correspondence with HUD personnel (containing FCI) are stored in the firm's internal project management system. A subcontractor is engaged to perform data entry and quality assurance on these documents. The subcontractor will need temporary access to the firm's project management system.
* **Compliance:** Before granting the subcontractor access, the firm identifies the subcontractor's system as an external system. The firm documents the subcontractor's system in the inventory of approved external systems (even if it's a temporary entry). The firm requires the subcontractor to use a dedicated virtual machine (VM) hosted on the firm's approved cloud environment to access the project management system. The VM is configured with specific security controls (e.g., limited internet access, data loss prevention tools) to prevent unauthorized data transfer. A written agreement with the subcontractor explicitly outlines the terms and conditions for accessing and handling FCI, including the requirement to use the designated VM and abide by the firm's security policies. The agreement also defines the process for revoking access once the subcontractor's work is complete.

**Example 3:**

* **Scenario:** A senior consultant is preparing a proposal for a new contract with the Department of Veterans Affairs (VA). The proposal requires referencing past performance data and case studies involving similar VA projects, some of which contain FCI. The consultant wants to access these documents from their personal iPad while traveling.
* **Compliance:** The firm has a strict policy prohibiting the use of personal devices for accessing, processing, or storing FCI. The consultant is reminded of this policy during regular security awareness training. The firm provides secure remote access to the firm's systems via a company-issued laptop and VPN. The consultant is directed to use the company-issued laptop and VPN to access the relevant documents from the firm's secure file server. The firm maintains logs of all VPN connections to monitor for unauthorized access attempts from non-approved devices.
📄 Policy Templates:
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx
AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx
AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
[c] connections to external systems are verified;
AI Summary
This objective requires organizations to verify the security of connections to external systems that process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, an organization needs to show evidence that they have a process for verifying the security of these connections, potentially through assessments, attestations, or other means, and that they control/limit these connections. This ensures that external systems don't compromise the organization's systems or FCI.
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 requirement AC.L1-B.1.III, tailored to a real estate consulting firm working with government clients:

Example 1: **Secure Access to Cloud-Based Project Management System:**
Scenario: The consulting firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage projects involving FCI, such as facility assessments containing sensitive infrastructure details or lease negotiations involving government-owned properties. Some consultants access this system using their personally owned laptops while working remotely or on-site at client locations.
Compliance:
* The firm implements multi-factor authentication (MFA) for all users accessing the cloud-based project management system, regardless of the device used.
* The firm implements conditional access policies that restrict access to the project management system from personal devices that do not meet minimum security requirements (e.g., up-to-date operating system, antivirus software). This could involve a Mobile Device Management (MDM) solution or a BYOD policy requiring specific security configurations.
* The firm maintains an inventory of authorized devices (company-issued and approved personal devices) that can access the system.
* The firm requires users to acknowledge and adhere to an "Acceptable Use Policy" that outlines responsible use of the cloud-based system and protection of FCI.

Example 2: **Controlled Access to Government Property Databases:**
Scenario: The firm's analysts access government property databases (e.g., GSA's FedBizOpps, DoD's Real Property Inventory) to conduct site selection studies and market research. These databases may contain FCI related to government facilities and planned projects.
Compliance:
* The firm restricts access to these databases to authorized personnel only, based on a defined "need-to-know" basis. Access requests are documented and approved by a designated authority (e.g., the firm's CMMC compliance officer or project manager).
* The firm uses dedicated, secure workstations or virtual desktop infrastructure (VDI) environments for accessing these databases. These workstations/VDI environments are configured with security controls such as data loss prevention (DLP) software to prevent unauthorized copying or transfer of FCI.
* The firm implements network segmentation to isolate the workstations/VDI environments used for accessing government databases from other parts of the firm's network.
* The firm monitors access logs to identify any suspicious activity or unauthorized access attempts.

Example 3: **Secure Transmission of CUI-Marked Documents:**
Scenario: The firm exchanges CUI-marked documents (e.g., site plans, facility inspection reports, lease agreements) with government agencies (e.g., GSA, DoD, HUD) via email or file transfer protocols.
Compliance:
* The firm mandates the use of secure email encryption (e.g., S/MIME, PGP) or secure file transfer protocols (e.g., SFTP, FTPS) for all communications involving CUI-marked documents.
* The firm trains employees on how to properly identify and handle CUI-marked documents, including the correct procedures for encrypting emails and files.
* The firm implements a policy requiring that all CUI-marked documents be stored in a designated, secure repository with access controls.
* The firm verifies that the government agency's system is also compliant with CMMC Level 1 or higher, to ensure the protection of FCI during transmission. This could involve confirming the agency's compliance status through publicly available information or direct communication.
📄 Policy Templates:
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx
AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx
AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
[d] the use of external systems is verified;
AI Summary
This objective requires organizations to verify the security of external systems that connect to their internal systems and process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, organizations need to show they have a process to verify the security posture of these external connections, potentially through assessments, attestations, or other methods, ensuring they don't compromise the organization's FCI. This verification process should be documented and consistently applied.
AI-Generated Examples
Here are three concrete compliance examples for AC.L1-B.1.III relevant to a real estate consulting firm handling FCI for government clients:

**Example 1:** Remote Access to the Firm's Project Management System.

* **Scenario:** A consultant is working remotely from their home office on a site selection study for a new GSA facility. They need to access the firm's internal project management system (which contains FCI, such as proposed site plans marked CUI, lease cost analyses, and correspondence with GSA representatives) via a VPN connection on their personal laptop. To satisfy AC.L1-B.1.III, the firm implements a policy that requires all personal devices accessing the project management system to have up-to-date antivirus software installed and running. Before granting VPN access, the firm's IT department verifies the consultant’s device meets this requirement through a software scan or attestation from the consultant. Furthermore, the firm logs all VPN connections and monitors for suspicious activity. The VPN itself must also be configured to only allow access to the specific resources required for the consultant's work, limiting lateral movement within the network.
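The device-inventory and VPN-log checks that recur in these scenarios ([b] Example 3's review of VPN logs for non-approved devices, [c] Example 1's inventory of authorized devices, and the posture attestation in the scenario above), as an added example in Python that is not from this page or any firm's tooling; the log format, device IDs, user names, IP addresses and attestation values are all constructed.

```python
"""Review VPN connection logs against an authorized-device inventory.
Added example for this dashboard's scenarios, not code from the page or any
firm's tooling. Device IDs, users, log format, IP addresses (RFC 5737
documentation ranges) and attestation data are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed inventory: device ID -> the employee it is issued to.
AUTHORIZED_DEVICES = {"LT-0042": "jdoe", "LT-0107": "asmith"}

# Constructed posture attestations, standing in for the "software scan or
# attestation" check performed before VPN access is granted.
POSTURE = {
    "LT-0042": {"scanned": datetime(2024, 5, 1, 8, 0), "antivirus_current": True, "firewall_on": True},
    "LT-0107": {"scanned": datetime(2024, 3, 15, 9, 0), "antivirus_current": True, "firewall_on": True},
}
MAX_ATTESTATION_AGE = timedelta(days=30)  # assumed policy value

# Constructed log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) device=(?P<device>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>allowed|denied)$"
)

# Constructed sample lines: approved laptop; laptop with a stale attestation;
# personal tablet (denied); approved laptop used by someone it is not issued to.
SAMPLE_LOG = [
    "2024-05-02T09:15:00 vpn user=jdoe device=LT-0042 src=203.0.113.5 result=allowed",
    "2024-05-02T09:20:00 vpn user=asmith device=LT-0107 src=198.51.100.7 result=allowed",
    "2024-05-02T10:02:00 vpn user=jdoe device=PERSONAL-IPAD src=192.0.2.9 result=denied",
    "2024-05-02T10:30:00 vpn user=asmith device=LT-0042 src=203.0.113.5 result=allowed",
]
NOW = datetime(2024, 5, 2, 12, 0)  # fixed review time so the run is repeatable


@dataclass
class Finding:
    line_no: int
    user: str
    device: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_record(rec, now):
    """List the policy checks this connection fails (empty list means clean)."""
    reasons = []
    owner = AUTHORIZED_DEVICES.get(rec["device"])
    if owner is None:
        reasons.append("device not in authorized inventory")
    else:
        if owner != rec["user"]:
            reasons.append(f"device issued to {owner}, used by {rec['user']}")
        post = POSTURE.get(rec["device"])
        if post is None:
            reasons.append("no posture attestation on file")
        else:
            if now - post["scanned"] > MAX_ATTESTATION_AGE:
                reasons.append("posture attestation older than 30 days")
            if not post["antivirus_current"]:
                reasons.append("antivirus not current")
            if not post["firewall_on"]:
                reasons.append("firewall disabled")
    # A denied connection from an unapproved device shows the control working;
    # an allowed one is the gap an assessor will ask about.
    if reasons and rec["result"] == "allowed":
        reasons.append("connection was allowed despite failed checks")
    return reasons


def review_log(lines, now):
    """Run every line through the checks; return findings needing investigation."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding(line_no, "?", "?", ["unparseable log line"]))
            continue
        reasons = check_record(rec, now)
        if reasons:
            findings.append(Finding(line_no, rec["user"], rec["device"], reasons))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, NOW):
        print(f"line {f.line_no}: user={f.user} device={f.device}")
        for r in f.reasons:
            print(f"    - {r}")
```

Only lines 2, 3 and 4 of the sample produce findings; the denied tablet connection is reported once as evidence the control fired, while the two allowed connections carry the extra "allowed despite failed checks" reason that an assessor would expect the firm to explain.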

**Example 2:** Secure Data Exchange with a Government Agency via Cloud Service.

* **Scenario:** The firm is contracted by the Department of Defense (DoD) to conduct a facility assessment of several military bases. The DoD requires the firm to use a specific cloud-based file sharing service (e.g., DoD SAFE) to exchange documents containing FCI, such as facility inspection reports, photographs of security vulnerabilities, and floor plans. To comply with AC.L1-B.1.III, the firm verifies that the cloud service meets the government's security requirements for handling FCI. This verification could involve reviewing the cloud service provider's certifications (e.g., FedRAMP authorization), reviewing the service's security documentation, and confirming that the firm's use of the service aligns with the cloud service provider's terms and conditions. The firm also implements internal procedures for how employees are to access and use the cloud service, including multi-factor authentication, encryption of data at rest and in transit, and regular security awareness training.

**Example 3:** Third-Party Vendor Access to the Firm's Network for Software Maintenance.

* **Scenario:** The firm uses a specialized software application for real estate portfolio management that contains FCI related to lease agreements and property valuations. The software vendor requires remote access to the firm's network to perform routine maintenance and updates. To satisfy AC.L1-B.1.III, the firm implements a formal agreement with the vendor that outlines the security requirements for their access, including the use of a secure remote access tool, limitations on the scope of access, and a requirement for the vendor to provide a log of all actions taken during the maintenance session. The firm monitors the vendor's activity during the maintenance session and reviews the logs afterward to ensure compliance with the agreement. The firm also requires the vendor to provide evidence of their own security controls, such as a SOC 2 report or a security questionnaire.
📄 Policy Templates:
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx
AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx
AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
[e] connections to external systems are controlled/limited;
AI Summary
This objective requires organizations to control and limit connections to external systems that process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, organizations must show they have implemented policies and procedures to manage these connections, potentially including restrictions on external system use or verification of security controls on those systems. This can be achieved through methods like third-party assessments or attestations.
AI-Generated Examples
Here are three concrete compliance examples for the consulting firm, addressing the "External Connections [FCI Data]" requirement, AC.L1-B.1.III:

Example 1: **Restricting Personal Device Access to FCI**.

Scenario: Consultants frequently use their personal laptops and tablets while working remotely or visiting client sites. To prevent uncontrolled access to FCI, the firm implements a policy prohibiting the use of personal devices to directly access, process, or store FCI. This policy is documented and communicated to all employees and contractors. If a consultant needs to review facility inspection reports containing CUI-marked site plans while at a GSA field office, they are required to use a company-issued, managed laptop. The policy is enforced through technical controls, such as blocking access to the firm's project management system (where FCI is stored) from non-company devices. The firm maintains an inventory of all authorized company-issued devices. Consultants acknowledge the policy in writing upon onboarding and annually thereafter.

Example 2: **Controlling Access to Cloud-Based Real Estate Data Platforms**.

Scenario: The firm utilizes a cloud-based platform (e.g., hosted by Amazon Web Services or Microsoft Azure) to manage real estate portfolio data for a DoD client. This platform contains sensitive lease documents, facility assessments, and site selection studies, all of which are considered FCI. To control external connections, the firm strictly limits access to this platform to authorized personnel only. Access is granted based on the principle of least privilege, meaning users only have access to the data they need to perform their job functions. Multi-factor authentication (MFA) is enforced for all users accessing the platform. Furthermore, the firm has a documented agreement with the cloud provider outlining security responsibilities and ensuring the provider meets CMMC Level 1 requirements for data protection. The firm also regularly audits user access logs to identify and investigate any suspicious activity.

Example 3: **Managing Vendor Access to Internal Systems**.

Scenario: The firm contracts with a third-party IT vendor for network maintenance and support. This vendor requires occasional remote access to the firm's internal systems, which may inadvertently expose them to FCI, such as client correspondence with HUD regarding property acquisitions. To control this external connection, the firm implements a formal vendor management process. Before granting access, the firm conducts a security assessment of the vendor's security practices. A written agreement is established outlining the vendor's responsibilities for protecting FCI and limiting their access to only the systems necessary for their work. The firm uses a secure remote access solution that requires MFA and provides audit trails of all vendor activity. Access is granted for a limited time and is revoked immediately upon completion of the vendor's work. The firm also monitors vendor activity logs for any unauthorized access or data exfiltration attempts.
📄 Policy Templates:
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx
AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx
AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
[f] the use of external systems is controlled/limited.
AI Summary
This objective requires organizations to control and limit the use of external systems (including cloud services and personal devices) when processing, storing, or transmitting Federal Contract Information (FCI). To demonstrate compliance, an organization must have policies and procedures in place that define acceptable use of external systems, and enforce those policies to prevent unauthorized access or processing of FCI on unapproved systems. This can be shown through documentation of policies, employee training, and enforcement mechanisms like technical controls or regular audits.
AI-Generated Examples
Here are three concrete compliance examples for the consulting firm, addressing the CMMC Level 1 requirement AC.L1-B.1.III, focusing on controlling/limiting external connections when handling FCI:

**Example 1:**

Scenario: A real estate consultant is conducting a site selection study for a new federal agency office location. This involves accessing the GSA's Federal Real Property Profile (FRPP) database, which contains FCI related to federal properties. The consultant needs to download property data, including floor plans, occupancy rates, and security classifications, to their laptop for analysis. To comply with AC.L1-B.1.III, the consultant is *required* to use their company-issued, CMMC-compliant laptop that is connected to the firm's secure network. The consultant is *prohibited* from accessing the FRPP database or downloading FCI onto a personal device or an unsecured public Wi-Fi network. Furthermore, the consultant must use multi-factor authentication to access the FRPP and the firm's network. The firm maintains a documented "Acceptable Use Policy" that explicitly forbids the use of personal devices for accessing FCI and outlines the approved methods for accessing government databases.

**Example 2:**

Scenario: The firm is managing a portfolio of leased properties for a Department of Defense (DoD) agency. This involves exchanging lease documents, facility inspection reports, and CUI-marked site plans with the agency via email. To comply with AC.L1-B.1.III, the firm *mandates* the use of its approved, encrypted email system for all communications containing FCI. Consultants are *prohibited* from using personal email accounts (e.g., Gmail, Yahoo) or unapproved file-sharing services (e.g., Dropbox, Google Drive) to transmit or store these documents. The IT department regularly monitors email traffic for potential violations of this policy and provides training to all employees on proper handling of FCI in email communications. The firm maintains a documented "Data Handling Policy" that outlines approved communication channels and storage locations for FCI.

**Example 3:**

Scenario: A team of consultants is conducting a facility assessment for a HUD-owned property. They are using a mobile application on company-issued tablets to record observations, take photos, and generate a preliminary report. The application is designed to store all data locally on the tablet until it can be securely uploaded to the firm's internal project management system. To comply with AC.L1-B.1.III, the firm *requires* that all tablets are configured with full-disk encryption and a strong password. The tablets are also configured to *prevent* the installation of unauthorized applications and the use of public Wi-Fi networks. Upon returning to the office, the consultants must immediately upload the data to the secure project management system via the firm's wired network, and the data is automatically wiped from the tablet after successful upload. The firm maintains a documented "Mobile Device Security Policy" that outlines these requirements and provides instructions for securely using company-issued tablets in the field.
📄 Policy Templates:
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx
AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx
AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iv — Control Public Information [FCI Data] 5
[a] individuals authorized to post or process information on publicly accessible systems are identified;
AI Summary
This objective requires you to identify individuals authorized to post or process information on publicly accessible systems. To demonstrate compliance, you need to document who is authorized to post information and ideally have a process in place to ensure only authorized individuals can perform this action. This helps prevent unauthorized disclosure of FCI.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm can satisfy the CMMC Level 1 objective AC.L1-B.1.IV, controlling public information (FCI data) on publicly accessible systems:

**Example 1:**

*Scenario:* The consulting firm maintains a public-facing website that showcases its past projects to attract new clients. One project involved conducting a site selection study for a new GSA office building. The final report, containing details about potential locations (including addresses and property characteristics), was delivered to the GSA and contains FCI. To showcase this project on the firm's website, the marketing team wants to include a summary of the project and images of the proposed site.

*Compliance:*
1. *Identify Authorized Personnel:* Only the Marketing Manager and the Senior Project Manager are authorized to post content related to government projects on the firm's website. This authorization is documented in the firm's Access Control Policy.
2. *Pre-Publication Review Process:* Before any content related to the GSA site selection project (or any other government project) is published, the Senior Project Manager *must* review the content. This review includes verifying that no FCI is included in the summary, images, or any associated metadata. Specifically, the Senior Project Manager checks to ensure that no specific addresses, property characteristics deemed sensitive by the GSA, or any other information that could be considered FCI is present. This review is documented using a checklist that is completed and signed by the Senior Project Manager before content is uploaded.
3. *Training:* The Marketing Manager and Senior Project Manager receive annual training on identifying FCI and the firm's policy on controlling public information.

**Example 2:**

*Scenario:* The consulting firm uses a publicly accessible social media platform (e.g., LinkedIn, Twitter) to share industry insights and promote its services. An employee wants to post an article summarizing recent trends in federal government leasing, referencing data from a publicly available GSA report, but also wants to include a brief anecdote about a recent lease negotiation they worked on for a DoD facility.

*Compliance:*
1. *Identify Authorized Personnel:* Only the designated social media coordinator and their supervisor are authorized to post on the firm's social media accounts. This is documented in the firm's Social Media Policy.
2. *Pre-Publication Review Process:* Before the social media coordinator posts anything related to government projects, the supervisor reviews the content. The supervisor must ensure that the anecdote about the DoD lease negotiation does not inadvertently reveal any FCI, such as specific lease terms, facility details not already publicly available, or any information that could be considered sensitive. The supervisor will specifically check to ensure the anecdote only references publicly available information from the GSA report and does not reveal any non-public information learned during the lease negotiation. The review is documented via email approval from the supervisor to the social media coordinator.
3. *Training:* The social media coordinator and supervisor receive annual training on identifying FCI and the firm's policy on controlling public information, including the risks associated with sharing seemingly innocuous details that could, in combination, reveal FCI.

**Example 3:**

*Scenario:* The consulting firm uses a publicly accessible online project management system (e.g., Asana, Trello) for internal task management. While these systems are generally used for internal collaboration, there is a risk that project names or task descriptions could inadvertently contain or reference FCI.

*Compliance:*
1. *Identify Authorized Personnel:* All employees are authorized to use the project management system for internal task management, but specific training is required.
2. *Training and Policy:* All employees receive training on identifying FCI and the firm's policy on controlling public information *before* being granted access to the project management system. The training emphasizes the importance of using generic project names and task descriptions that do not reveal FCI
📄 Policy Templates:
AC.L1-b.1.iv-ContentReviewRecords.docx
AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx
AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
[b] procedures to ensure
AI Summary
This objective requires organizations to control what information, specifically FCI, is posted on publicly accessible systems. To demonstrate compliance, an organization needs documented procedures that ensure FCI is not inadvertently or intentionally made public, including designating authorized personnel and reviewing content before posting.
AI-Generated Examples
Here are three concrete examples of how a real estate consulting firm working with government clients can comply with CMMC Level 1 requirement AC.L1-B.1.iv:

Example 1: **Website Content Review for FCI**

Scenario: The consulting firm maintains a public-facing website to showcase its expertise and services. This website includes project summaries and case studies. Before publishing any new content, particularly project summaries related to government clients, a designated employee (e.g., Marketing Manager, Compliance Officer) reviews the content to ensure it does not inadvertently disclose FCI. This review includes checking for any government property addresses, specific lease terms, or details about facility vulnerabilities that could be considered FCI. For example, a case study about a GSA lease negotiation would be reviewed to ensure it doesn't include the specific rental rate or square footage of a facility that is marked as FCI. The reviewer documents the review process, noting the date and any changes made to remove potential FCI. This documentation is kept for audit purposes.

Example 2: **Social Media Policy and Training**

Scenario: The firm has a social media presence used for marketing and networking. All employees are required to adhere to a social media policy that explicitly prohibits posting or sharing any information related to government projects that could be considered FCI. This includes avoiding sharing photos of government facilities that might reveal security vulnerabilities or sharing details about ongoing lease negotiations. New employees receive training on this policy during onboarding, with specific examples of what constitutes FCI in the context of their work. The training covers scenarios such as accidentally posting a photo of a CUI-marked site plan during a site visit or sharing details about a facility assessment that contains sensitive information about the building's infrastructure. The firm maintains records of employee training completion.

Example 3: **Secure Document Sharing Protocol**

Scenario: The firm uses a publicly accessible file sharing service (e.g., Dropbox, Google Drive) for general business purposes. To prevent accidental disclosure of FCI, the firm implements a strict protocol that prohibits storing or sharing any documents containing FCI on these publicly accessible platforms. All documents related to government projects, including lease agreements, facility inspection reports, and site selection studies, are classified and stored on a separate, secure, and controlled system that meets the requirements for handling FCI. Employees are trained to identify FCI and to use the appropriate secure system for storing and sharing these documents. The firm regularly audits the publicly accessible file sharing service to ensure no FCI is inadvertently stored there.
📄 Policy Templates:
* AC.L1-b.1.iv-ContentReviewRecords.docx
* AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx
* AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
[c] a review process is in place prior to posting of any content to publicly accessible systems;
AI Summary
This objective requires organizations to have a review process in place before posting content to publicly accessible systems to prevent the unintentional disclosure of Federal Contract Information (FCI). To demonstrate compliance, an organization needs to show evidence of a documented review process and that it is being followed before any content is posted publicly.
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 objective AC.L1-B.1.IV, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm is contracted by the General Services Administration (GSA) to conduct a site selection study for a new federal office building in a major metropolitan area. As part of this study, the firm analyzes various properties, including government-owned and privately-owned parcels. The firm intends to publish a summary report of its findings on its website to showcase its expertise and attract new clients. This report will include anonymized demographic data and general summaries of the properties considered, but not specific addresses or parcel numbers.

*Compliance Action:* Before posting the summary report to the firm's website, the Project Manager (designated as the authorized reviewer) reviews the document. The review process includes:
* Checking for any explicit references to specific property addresses, parcel numbers, or other identifying information that could be traced back to the original government property databases or lease documents containing FCI.
* Ensuring that any maps or diagrams included in the report do not contain CUI-marked site plan information, such as utility locations or security features, that were obtained during facility assessments.
* Verifying that no client correspondence, such as emails with GSA representatives discussing specific property details, is inadvertently included or referenced in the report.
* Documenting the review in a simple log (e.g., a spreadsheet) that includes the date of review, the name of the reviewer, the title of the document reviewed, and a statement confirming that no FCI was identified.

**Example 2:**

*Scenario:* The firm is managing a portfolio of leased properties for the Department of Defense (DoD). The firm wants to create a publicly accessible case study on its website highlighting its successful management of these properties. The case study will focus on the firm's ability to optimize lease terms and reduce costs for the government.

*Compliance Action:* Before publishing the case study, the Director of Operations (designated as the authorized reviewer) conducts a thorough review to ensure no FCI is exposed. This review includes:
* Redacting any specific lease terms, rental rates, or property values that are considered FCI. Instead, the case study will use general statements such as "achieved significant cost savings" or "negotiated favorable lease terms."
* Avoiding the inclusion of any photographs or images of the properties that might reveal sensitive security features or restricted access points.
* Ensuring that the case study does not include any information that could be used to identify specific government agencies or personnel involved in the lease agreements.
* Removing any metadata from the document (e.g., author, creation date, revision history) that might inadvertently contain FCI.
* Maintaining a record of the review, similar to Example 1, to demonstrate compliance.

**Example 3:**

*Scenario:* The firm is conducting facility assessments for a Housing and Urban Development (HUD) project. The firm wants to share general information about its facility assessment services on its website. The firm intends to post a blog post describing the types of assessments it conducts and the benefits of these assessments for government agencies.

*Compliance Action:* Before posting the blog post, the Marketing Manager (designated as the authorized reviewer) reviews the content. The review includes:
* Ensuring that the blog post does not include any specific details about the HUD project, such as the location of the facilities being assessed, the types of deficiencies identified, or any sensitive information about the residents or occupants.
* Avoiding the use of any examples or case studies that could be traced back to specific government clients or projects.
* Verifying that the blog post does not contain any information that could be considered personally identifiable information (
📄 Policy Templates:
* AC.L1-b.1.iv-ContentReviewRecords.docx
* AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx
* AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
[d] content on publicly accessible systems is reviewed to ensure that it does not include
AI Summary
This objective requires organizations to review content before it's posted on publicly accessible systems (like websites) to ensure it doesn't contain Federal Contract Information (FCI). To demonstrate compliance, an organization should have a documented review process in place, designate authorized personnel for posting, and maintain records of these reviews.
AI-Generated Examples
Here are three concrete compliance examples for the consulting firm, addressing the CMMC Level 1 objective AC.L1-B.1.IV:

**Example 1:**

Scenario: The firm maintains a public-facing website showcasing its expertise and past projects. A recent project involved a site selection study for a new GSA office building. The project write-up on the website initially included a map showing several potential site locations, overlaid with demographic data and preliminary cost estimates. This map was derived from a CUI-marked site plan received from the GSA.

Compliance Action: Before publishing the project write-up, the designated website content reviewer (e.g., the marketing manager or a senior consultant) meticulously examines the map. They identify that the cost estimates and specific locations, while seemingly innocuous, could potentially reveal sensitive information about the GSA's real estate strategy and budget. They redact the cost estimates and blur the exact locations on the map before it is published on the website. The reviewer documents this redaction process in a simple log, noting the date, the project name, and the type of information removed. Only authorized personnel are permitted to upload content to the website.

**Example 2:**

Scenario: The firm publishes a quarterly newsletter highlighting industry trends and recent successes. One article details the successful negotiation of a lease agreement for a DoD facility. The initial draft of the article included excerpts from the lease agreement, including the specific square footage of the leased space and the annual lease rate. This information constitutes FCI.

Compliance Action: The designated newsletter editor reviews the article before publication. They recognize that disclosing the exact square footage and lease rate could provide competitors with valuable insights into the DoD's real estate footprint and spending habits. The editor replaces the specific numbers with general terms like "significant square footage" and "competitive lease rate." The final article is reviewed and approved by the firm's CMMC compliance officer before being distributed via email and posted on the firm's website. A record of this review and approval is maintained.

**Example 3:**

Scenario: The firm uses a publicly accessible social media platform (e.g., LinkedIn) to promote its services and share industry insights. A consultant wants to post an article summarizing key findings from a recent facility assessment conducted for a HUD-owned property. The assessment report contains FCI, including details about the building's infrastructure, security vulnerabilities, and occupancy rates.

Compliance Action: Before the consultant posts the article, their manager (who is trained on CMMC Level 1 requirements) reviews the content. The manager identifies that specific details about the building's security vulnerabilities could be misused. The manager instructs the consultant to remove all references to security vulnerabilities and to generalize the discussion of infrastructure issues. The final post focuses on the overall condition of the building and the firm's recommendations for improvements, without revealing any sensitive information. The manager approves the post before it is published.
📄 Policy Templates:
* AC.L1-b.1.iv-ContentReviewRecords.docx
* AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx
* AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
[e] mechanisms are in place to remove and address improper posting of
AI Summary
This objective requires organizations to have mechanisms in place to prevent and correct the improper posting of FCI (Federal Contract Information) on publicly accessible systems. To demonstrate compliance, organizations need to show they have procedures for reviewing content before it's posted and for removing/addressing any accidental disclosures of FCI on public platforms.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing CMMC Level 1 requirement AC.L1-B.1.IV:

Example 1: **Website Content Review Process:** The consulting firm maintains a publicly accessible website showcasing its expertise and past projects. Before any new content is published (e.g., case studies, blog posts, team member bios), a designated Marketing Team member (e.g., the Marketing Manager) reviews the content for inadvertently included FCI. This review includes, but is not limited to, ensuring that no specific addresses of government facilities are published, that no detailed financial terms of lease agreements are disclosed (beyond general statements like "negotiated favorable lease terms"), and that no CUI-marked site plans or facility inspection reports are uploaded. The Marketing Manager documents this review using a simple checklist within the firm's project management system (e.g., Asana or Monday.com) indicating that the content has been checked for FCI and approved for public release. This checklist includes the date of review and the reviewer's initials.

Example 2: **Social Media Policy and Training:** The consulting firm has a social media policy that explicitly prohibits employees from posting FCI on public platforms such as LinkedIn, Twitter, or Facebook. This policy is part of the employee handbook and is reinforced during onboarding training. The training includes examples of what constitutes FCI in the context of the firm's work (e.g., photos of government facilities with visible CUI markings, discussions about ongoing lease negotiations with GSA, or sharing details from a HUD-funded project that haven't been officially released). The training also emphasizes the importance of avoiding even seemingly innocuous details that, when combined with other publicly available information, could lead to the unauthorized disclosure of FCI. Employees are required to acknowledge the policy annually through an online form that is stored in the firm's HR system.

Example 3: **Presentation and Conference Materials:** The consulting firm frequently presents at industry conferences and webinars. Before any presentation slides or handouts are made publicly available (e.g., uploaded to a conference website or shared with attendees), a designated Project Manager (PM) responsible for the project referenced in the presentation reviews the materials for FCI. This review includes ensuring that no specific details from facility assessments (e.g., vulnerabilities identified in a DoD building), no portions of client correspondence with federal agencies containing FCI (e.g., specific dollar amounts from a GSA lease negotiation), and no CUI-marked portions of site plans are included. The PM documents this review by adding an "FCI Review Complete" status to the presentation file in the firm's document management system (e.g., SharePoint or Google Drive), along with the date and their initials. If FCI is identified, it is removed or redacted before the materials are made public.
📄 Policy Templates:
* AC.L1-b.1.iv-ContentReviewRecords.docx
* AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx
* AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx

Identification and Authentication (IA)

2 requirements · 5 objectives
ia.l1-b.1.v — Identification [FCI Data] 2
[a] the types of transactions and functions that authorized users are permitted to execute are defined;
AI Summary
This objective requires you to identify all users, processes acting on behalf of users, and devices that access your systems. To demonstrate compliance, you need to show that each user, process, and device has a unique identifier (like a username or device name) and that you have a documented process for managing these identifiers. This ensures accountability and supports access control.
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 objective IA.L1-B.1.V, tailored to a real estate consulting firm working with government clients and handling FCI:

**Example 1:**

Scenario: Our firm utilizes a cloud-based project management system (e.g., Monday.com, Asana, or a custom solution) to track all projects involving government clients and associated FCI. This system stores data such as facility assessments, lease documents, and client correspondence. To comply with IA.L1-B.1.V, each employee accessing the system is assigned a unique username and password (their individual identifier). The system logs all user activity, including login times, accessed files (e.g., a CUI-marked site plan for a DoD facility), and modifications made to project data. Furthermore, automated processes that generate reports on government property databases (e.g., pulling data on GSA-leased properties) are identified by a specific service account, separate from individual user accounts. This service account is also logged for all activities.

**Example 2:**

Scenario: Our firm conducts facility inspections and assessments for government agencies, often involving sensitive information like security vulnerabilities or structural weaknesses. Field inspectors use company-issued tablets to collect data and upload it to a secure server. Each tablet is uniquely identified by its MAC address and a device-specific name (e.g., "InspectorTablet01"). Before a tablet can connect to the secure server and transmit inspection reports containing FCI, the device's identifier must be registered and authorized by the IT administrator. This ensures that only approved devices can access and transmit FCI. If a device is lost or stolen, its identifier is immediately revoked, preventing unauthorized access.

**Example 3:**

Scenario: Our firm uses a secure email system (e.g., Microsoft 365 GCC High) to communicate with government clients, including the exchange of documents containing FCI (e.g., lease negotiations with HUD, facility inspection reports for DoD, or site selection studies for GSA). To ensure proper identification, all email accounts are assigned to individual employees with unique usernames. Furthermore, any automated email processes (e.g., sending automated reports on lease expirations to government clients) are identified by a specific service account. Multi-factor authentication (MFA) is enforced for all user accounts, adding an extra layer of security and ensuring that only authorized users can access FCI through email. The email system's audit logs track all user logins, sent/received emails, and access to attachments, providing a record of who accessed what information and when.
📄 Policy Templates:
* IA.L1-b.1.v-ListofSystemAccounts&DeviceIdentifiers.docx
* IA.L1-b.1.v-UserIdentificationPolicy.docx
[b] system access is limited to the defined types of transactions and functions for authorized users.
AI Summary
This objective requires that system access is limited to only the types of transactions and functions that authorized users are permitted to execute. To demonstrate compliance, an organization must define the types of transactions and functions each authorized user can perform and then implement technical controls to enforce those limitations. This ensures users can only access what they need to perform their job, protecting FCI.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 objective IA.L1-B.1.V, tailored to a real estate consulting firm working with federal government clients:

**Example 1:**

The firm utilizes a project management system (e.g., a cloud-based application like Asana or Monday.com) to track tasks, deadlines, and resource allocation for each government project. Each employee accessing this system, regardless of their role (analyst, project manager, senior partner), is assigned a unique username and password. This username serves as their unique identifier within the system. The system's audit logs record all user activity, including logins, data access, and modifications, linking each action back to the specific user identifier. Furthermore, for projects involving FCI, access to specific folders or documents within the project management system is restricted based on the "need-to-know" principle, and tied to the user's unique identifier and pre-approved access rights. This ensures that only authorized individuals can access sensitive information related to facility assessments or lease negotiations involving government agencies.

**Example 2:**

The firm uses a dedicated server to store and manage sensitive government property data, including scanned lease documents, facility inspection reports, and CUI-marked site plans. Access to this server is controlled via Active Directory. Each employee requiring access to the server is assigned a unique Active Directory account, which serves as their identifier. When an employee logs into their workstation, their Active Directory credentials are used to authenticate them and grant them access to the server. The server's security logs record all login attempts (successful and failed), file access, and modifications, linking each event to the user's unique Active Directory identifier. Additionally, the firm implements multi-factor authentication (MFA) for all Active Directory accounts to further strengthen user identification and prevent unauthorized access.

**Example 3:**

The firm utilizes a fleet of company-issued laptops for employees working on government projects, particularly when conducting site selection studies or facility assessments. Each laptop is assigned a unique asset tag (e.g., "REALESTATE-LAP-001") that is physically affixed to the device and recorded in an asset management database. The laptops are configured to require users to log in with their unique Active Directory credentials, and the device's MAC address is also recorded in the asset management database and linked to the user assigned to that device. This allows the firm to identify both the user and the specific device accessing sensitive information. If a device is lost or stolen, its identifier (asset tag and MAC address) can be used to quickly disable access and track its location (if location services are enabled). This ensures that even if a device falls into the wrong hands, the firm can identify it and prevent unauthorized access to FCI.
📄 Policy Templates:
* IA.L1-b.1.v-ListofSystemAccounts&DeviceIdentifiers.docx
* IA.L1-b.1.v-UserIdentificationPolicy.docx
ia.l1-b.1.vi — Authentication [FCI Data] 3
[a] the identity of each user is authenticated or verified as a prerequisite to system access;
AI Summary
This objective requires that you verify the identity of anyone (user, process, or device) before they are allowed to access your organization's information systems that handle Federal Contract Information (FCI). To demonstrate compliance, you need to show that you have implemented a method of authentication, such as passwords, key cards, or multi-factor authentication, and that these methods are consistently applied before granting access to FCI-containing systems. This includes resetting default passwords and ensuring authentication is enforced for cloud services.
AI-Generated Examples
Here are three concrete compliance examples for CMMC Level 1 objective IA.L1-B.1.VI, tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: Our firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage projects involving FCI, such as site selection studies for a new federal courthouse. These projects involve uploading and sharing documents like CUI-marked site plans, facility inspection reports containing sensitive security details, and client correspondence with the GSA regarding property requirements. To comply with IA.L1-B.1.VI, all employees accessing this project management system are required to use multi-factor authentication (MFA). This includes using a mobile authenticator app (e.g., Google Authenticator, Microsoft Authenticator) in addition to their username and password. The IT department has implemented a policy mandating MFA for all users accessing the system, and regularly monitors user accounts to ensure MFA is enabled. New employees receive training on how to set up and use MFA during onboarding.

**Example 2:**

Scenario: Our firm conducts facility assessments for government-owned properties. These assessments often involve collecting and storing FCI, such as detailed floor plans, security system layouts, and vulnerability assessments. This information is stored on company-issued laptops. To comply with IA.L1-B.1.VI, all laptops are configured with strong password policies (minimum length, complexity requirements, and regular password resets). Furthermore, each laptop is configured with BitLocker drive encryption, which requires users to authenticate with their Windows account password before the operating system and the encrypted data are accessible. The firm maintains a written password policy that is distributed to all employees and enforced through group policy settings on the company domain.

**Example 3:**

Scenario: Our firm negotiates lease agreements on behalf of the Department of Defense (DoD). These lease agreements contain FCI, such as specific security requirements for the leased space, contact information for government personnel, and details about the intended use of the property. These documents are stored on a secure network file share. Access to this file share is restricted to authorized personnel only, based on the principle of least privilege. To comply with IA.L1-B.1.VI, access is controlled through Active Directory user accounts and group memberships. Each employee accessing the file share must authenticate with their domain credentials (username and password). The IT department regularly reviews and updates user access rights to ensure that only individuals with a legitimate business need have access to the FCI contained within the lease agreements.
📄 Policy Templates:
* IA.L1-b.1.vi-AuthenticationPolicy.docx
* IA.L1-b.1.vi-PasswordManagementProcedures.docx
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access;
AI Summary
This objective requires you to ensure that every process running on behalf of a user is authenticated before it can access the system. To demonstrate compliance, you need to show that your system verifies the identity of each process, likely through mechanisms like user login credentials or other authentication methods, before granting access to organizational information systems.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 assessment objective IA.L1-B.1.VI, tailored to a real estate consulting firm working with government clients and handling FCI:

**Example 1:** Accessing Government Property Databases Containing FCI

**Scenario:** A real estate consultant needs to access the General Services Administration's (GSA) Real Property Management System (RPMS) to gather information on federally owned properties for a site selection study for a new Department of Defense (DoD) facility. RPMS contains FCI such as property locations, building sizes, and current occupancy details. To comply with IA.L1-B.1.VI, the consultant must authenticate their identity before accessing RPMS.

**Compliance:** The consultant authenticates via a Common Access Card (CAC) or a GSA-approved multi-factor authentication (MFA) method (e.g., username/password plus a one-time code generated by an authenticator app on their mobile device) before gaining access to RPMS. The system verifies the consultant's CAC or MFA credentials against a pre-approved list of authorized users maintained by the GSA. The firm maintains a record of authorized users and their approved authentication methods, reviewed quarterly.

**Example 2:** Accessing Lease Documents and Facility Inspection Reports Containing FCI

**Scenario:** An employee needs to access a shared network drive containing scanned lease documents and facility inspection reports related to a property leased to the Department of Housing and Urban Development (HUD). These documents contain FCI, including tenant information, lease terms, and details about the physical condition of the property.

**Compliance:** The employee must authenticate to the network drive using a strong password that meets complexity requirements (e.g., minimum length, mixed case, special characters) and is changed at least every 90 days. In addition, the firm implements multi-factor authentication (MFA) for access to the network drive. This could involve requiring the employee to enter a code sent to their registered mobile device after entering their password. The firm maintains a written password policy and provides annual cybersecurity awareness training that includes guidance on creating and maintaining strong passwords and using MFA.

**Example 3:** Accessing Internal Project Management System Containing CUI-Marked Site Plans

**Scenario:** Project managers use the firm's internal project management system to track progress on a project involving the development of a new site plan for a Veterans Affairs (VA) medical facility. The site plan, stored within the system, is marked as CUI (Controlled Unclassified Information) due to its potential impact on national security if disclosed.

**Compliance:** The firm requires all project managers to authenticate to the project management system using a username and password, coupled with a hardware security key (e.g., YubiKey) that generates a one-time password. The system verifies the user's credentials and the validity of the one-time password before granting access to the project data, including the CUI-marked site plan. The firm maintains an inventory of all issued hardware security keys and a process for revoking access when an employee leaves the company or no longer requires access to the system.
📄 Policy Templates:
* IA.L1-b.1.vi-AuthenticationPolicy.docx
* IA.L1-b.1.vi-PasswordManagementProcedures.docx
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
AI Summary
This objective requires that you verify the identity of every device before it's allowed to access your system, especially if that system handles Federal Contract Information (FCI). To demonstrate compliance, you need to show that you have a process in place to authenticate devices (like using passwords, certificates, or other methods) before they can connect and access FCI.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm can satisfy the CMMC Level 1 objective IA.L1-B.1.VI, focusing on authentication of devices accessing FCI data:

**Example 1:**

Scenario: A real estate consultant is conducting a site selection study for a new GSA office building. This involves accessing a government property database containing Controlled Unclassified Information (CUI) related to existing federal facilities, including floor plans, security assessments, and lease terms. The consultant uses a company-issued laptop to access this database remotely.

Compliance: To ensure only authorized devices access the GSA property database, the firm implements a device authentication protocol. Before the consultant can access the database, the laptop must be authenticated using a multi-factor authentication (MFA) system. This includes a password and a one-time code generated by an authenticator app on the consultant's company-issued smartphone. The system checks the laptop's device certificate to verify it is a known and managed device within the firm's IT infrastructure. If the device fails the authentication process (e.g., incorrect password, invalid certificate), access to the GSA property database is denied. Furthermore, the firm maintains an inventory of all authorized devices that can access FCI, and any unauthorized or personal devices are strictly prohibited from connecting to the system where FCI is stored or processed.

**Example 2:**

Scenario: The firm uses a cloud-based project management system to store and collaborate on facility inspection reports for DoD properties. These reports contain FCI in the form of detailed infrastructure assessments, security vulnerabilities, and maintenance schedules. Consultants access this system using both company-issued laptops and tablets while on-site.

Compliance: The firm configures the cloud-based project management system to require device authentication before granting access. This is achieved through the use of a Mobile Device Management (MDM) solution. The MDM solution enforces a policy that requires all devices accessing the system to be registered and compliant with security standards, including having up-to-date operating systems, anti-malware software, and password protection. When a consultant attempts to access the facility inspection reports, the MDM solution verifies the device's compliance status. If the device is not registered, out of compliance, or is an unknown device, access is blocked. A log is maintained of all device authentication attempts, successful and failed, for auditing purposes.

**Example 3:**

Scenario: A lease negotiator is working on behalf of HUD to secure a new office space. This involves emailing draft lease agreements and related documents, some containing FCI (e.g., financial terms, security provisions), between the negotiator's company email account and HUD officials. The negotiator uses a company-issued desktop computer to compose and send these emails.

Compliance: The firm implements email security measures that require device authentication for accessing email containing FCI. This includes enabling Transport Layer Security (TLS) encryption for all email communications to ensure secure transmission. The firm also implements a policy that prohibits accessing company email on personal devices. The company desktop computer used by the negotiator has a device certificate installed, and the email system is configured to verify this certificate before allowing access to emails marked as containing FCI. The email system also uses multi-factor authentication (MFA) for login, requiring the negotiator to enter their password and a code from their company-issued security token. The firm maintains audit logs of all email access attempts, including device authentication information.
📄 Policy Templates:
* IA.L1-b.1.vi-AuthenticationPolicy.docx
* IA.L1-b.1.vi-PasswordManagementProcedures.docx

Media Protection (MP)

1 requirement · 2 objectives
mp.l1-b.1.vii — Media Disposal [FCI Data] 2
[a] system media containing
AI Summary
This objective requires you to properly sanitize or destroy any physical or digital media (like hard drives, CDs, or even paper) that contains Federal Contract Information (FCI) before getting rid of it or reusing it. To demonstrate compliance, you need to show evidence that you have a process in place to identify FCI-containing media and then sanitize or destroy it using approved methods (like shredding, degaussing, or overwriting).
AI-Generated Examples
Here are three concrete compliance examples for the given CMMC Level 1 objective, tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: A consultant completes a facility assessment report for a GSA-leased building. The report contains FCI, including details about the building's security systems, occupancy rates, and structural integrity. The consultant saves a digital copy of the report (including supporting photographs) on their company-issued laptop. Several years later, the laptop is being decommissioned and replaced with a newer model. Before returning the laptop to IT for repurposing or disposal, the consultant ensures the hard drive is securely wiped using a DoD-approved data sanitization method (e.g., using a software tool like DBAN or a physical degausser). The IT department maintains a record of the hard drive sanitization, including the date, method used, and serial number of the laptop, as evidence of proper media disposal.

**Example 2:**

Scenario: The firm is managing a portfolio of properties for the Department of Housing and Urban Development (HUD). This involves storing physical lease agreements, site plans (some potentially marked as CUI if they contain security information), and correspondence with HUD representatives in a secure filing cabinet. After the lease term for a particular property expires and the information is no longer needed for business or legal reasons, the physical documents are shredded using a cross-cut shredder that meets NIST standards for document destruction. A log is kept documenting the date of destruction, the type of documents destroyed (e.g., "HUD Lease Agreement - Property Address"), and the name of the employee who performed the shredding.

**Example 3:**

Scenario: A project team is conducting a site selection study for a new DoD facility. The study involves collecting and analyzing sensitive data about potential locations, including demographic information, environmental impact assessments, and property ownership records. This data is stored on a shared network drive accessible to the project team. Once the site selection study is complete and the project is closed, the project manager archives the final report and associated data. After the retention period defined in the firm's data retention policy expires, the archived data is permanently deleted from the network drive. The deletion process is documented in the project's closeout report, including the date of deletion, the name of the files/folders deleted, and confirmation that the deletion was performed by an authorized employee. The firm's IT department verifies the deletion as part of a periodic data governance audit.
📄 Policy Templates:
* MP.L1-b.1.vii-MediaDisposalLogTemplate.docx
* MP.L1-b.1.vii-MediaDisposalPolicyTemplate.docx
* MP.L1-b.1.vii-MediaReuseProcedures.docx
[b] system media containing
AI Summary
This objective requires you to sanitize or destroy any system media (digital or physical) that contains Federal Contract Information (FCI) before you get rid of it or reuse it. To demonstrate compliance, you need to document and implement procedures for sanitizing or destroying media, and maintain records showing that these procedures were followed when media was disposed of or reused.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the "MP.L1-B.1.VII – MEDIA DISPOSAL [FCI DATA]" requirement, tailored to a real estate consulting firm advising government clients:

**Example 1:** Physical Disposal of Printed Lease Documents and Facility Reports

* **Scenario:** A real estate consultant completes a lease negotiation for a new office space for the Department of Housing and Urban Development (HUD). The consultant has printed copies of the lease agreement (containing FCI like rent amounts, address, and lease terms), internal notes related to negotiation strategy, and a facility condition assessment report (containing FCI about the building's infrastructure and security). Upon completion of the project and after the electronic versions are securely archived, the printed documents are no longer needed. To comply with MP.L1-B.1.VII, the consultant shreds these documents using a cross-cut shredder that meets NIST standards for destroying sensitive information before discarding them in the office recycling bins. A record of the shredding (date, type of documents, consultant initials) is logged in a simple disposal log maintained by the office manager.

**Example 2:** Secure Wiping of Laptops Used for Site Selection Studies

* **Scenario:** A consultant uses a company-issued laptop to conduct a site selection study for a new General Services Administration (GSA) data center. The laptop contains various files with FCI, including site plans marked as CUI, demographic data, cost analyses, and correspondence with GSA personnel regarding potential locations. After the project is completed and the data is securely transferred to the firm's central server, the consultant is assigned a new laptop. Before the old laptop is re-imaged or sent for repair, the IT department uses a NIST 800-88 compliant data sanitization tool (e.g., DBAN, Blancco) to securely wipe the hard drive, ensuring all FCI is irrecoverable. A certificate of data erasure is generated and stored in the IT department's asset management system, documenting the date, method, and serial number of the laptop.

**Example 3:** Secure Deletion of Electronic Files from Project Management System

* **Scenario:** A team of consultants uses an internal project management system (e.g., Asana, Monday.com) to manage a real estate portfolio for the Department of Defense (DoD). The system contains various electronic files with FCI, including scanned copies of lease agreements, facility inspection reports, and internal communications regarding property valuations. After a specific project within the portfolio is completed and archived, the corresponding project files within the project management system are permanently deleted. The system administrator verifies that the deletion process overwrites the data (if the system supports it) or that the data is otherwise rendered unrecoverable. A log of the deletion is maintained within the project management system's audit trail, showing the date, user who performed the deletion, and the specific files or project folders that were deleted.
📄 Policy Templates:
* MP.L1-b.1.vii-MediaDisposalLogTemplate.docx
* MP.L1-b.1.vii-MediaDisposalPolicyTemplate.docx
* MP.L1-b.1.vii-MediaReuseProcedures.docx

Physical Protection (PE)

2 requirements · 10 objectives
pe.l1-b.1.viii — Limit Physical Access [FCI Data] 4
[a] authorized individuals allowed physical access are identified;
AI Summary
This objective requires you to identify who is authorized to access areas where Federal Contract Information (FCI) is stored or processed. To demonstrate compliance, you need to show how you identify authorized individuals (e.g., through badges, access lists, or other credentials) and that these controls are in place to limit physical access to only those individuals.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm can meet the CMMC Level 1 objective PE.L1-B.1.VIII – Limit Physical Access [FCI Data]:

Example 1: **Securing the Server Room Containing Government Property Data**

Scenario: The firm maintains a dedicated server room where it stores a database containing sensitive information about government-owned properties, including facility assessments, lease agreements, and site selection studies. This database contains FCI related to building security systems, floor plans, and utility infrastructure. To limit physical access:

* **Authorized Individuals:** Only the IT Director and two designated IT support staff are authorized to enter the server room. Their names are documented in the firm's Access Control Policy.
* **Access Control Mechanism:** The server room door is secured with a keycard access system. Each authorized individual has a unique keycard. The access log is automatically recorded and reviewed monthly by the IT Director to detect any unauthorized access attempts.
* **Documentation:** The Access Control Policy explicitly states the purpose of the server room, the types of FCI stored within, and the procedures for granting and revoking access. The policy is readily available to all employees via the company intranet.
* **Physical Security:** The server room also has no windows and is located in an area of the office that is not publicly accessible.

Example 2: **Controlling Access to Project Files Containing CUI-Marked Site Plans**

Scenario: A team is working on a site selection study for a new federal agency office. The project involves handling CUI-marked site plans obtained from the GSA that detail sensitive infrastructure information. These plans are stored both digitally and in hard copy. To limit physical access to the hard copy versions:

* **Designated Storage Area:** All hard copy CUI-marked site plans are stored in a locked file cabinet located within a designated "Controlled Documents Area" in the project team's workspace.
* **Authorized Individuals:** Only members of the project team, as identified in the project's security plan, are authorized to access the file cabinet. A list of authorized individuals is maintained by the Project Manager.
* **Check-Out/Check-In Procedure:** A log is maintained near the file cabinet to record when project team members check out and check in the site plans. This log includes the date, time, name of the individual, and the specific document accessed.
* **Visitor Control:** When visitors (e.g., subcontractors, client representatives) are present in the project team's workspace, the file cabinet is kept locked, and the CUI-marked site plans are not left visible. Visitors are escorted at all times within the office.

Example 3: **Protecting Laptops with FCI During Off-Site Facility Assessments**

Scenario: Consulting staff conduct on-site facility assessments for government clients. During these assessments, they use laptops to access and record FCI, including digital photographs of facility infrastructure and notes on building security vulnerabilities. To limit physical access to the laptops and the FCI they contain:

* **Authorized Individuals:** Only designated assessment team members are authorized to use the laptops containing FCI.
* **Physical Security Measures:** When not in use, laptops are stored in locked briefcases or secured with a Kensington lock in the employee's hotel room or vehicle.
* **Accountability During Travel:** Consultants are responsible for maintaining physical control of their laptops at all times during travel, including in airports, hotels, and client sites.
* **Documentation:** The firm's Mobile Device Security Policy outlines these physical security requirements and is provided to all employees who handle FCI on laptops. Training is provided to reinforce these procedures.
📄 Policy Templates:
* PE.L1-b.1.viii-AuthorizedAccessLists.docx
* PE.L1-b.1.viii-BadgeIssuanceRecords.docx
* PE.L1-b.1.viii-PhysicalAccessPolicy.docx
[b] physical access to organizational systems is limited to authorized individuals;
AI Summary
This objective requires organizations to restrict physical access to systems, equipment, and environments containing Federal Contract Information (FCI) to only authorized personnel. Compliance can be demonstrated by implementing controls like locked rooms, keycard access, or monitored locations, and ensuring only authorized individuals have access credentials (keys, badges, etc.) to these areas.
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 objective PE.L1-B.1.VIII, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm maintains a secure server room containing servers that store FCI related to a DoD base realignment project. This FCI includes digitized facility inspection reports, CUI-marked site plans obtained from the DoD, and a proprietary database containing sensitive property information used for site selection studies. To limit physical access, the server room door is equipped with a keycard access system. Only authorized IT staff and the designated project manager for the DoD project are issued keycards granting access. A log is maintained electronically, recording all entries and exits to the server room, and is reviewed monthly by the IT security officer to ensure no unauthorized access has occurred. The keycard system is configured to automatically lock the door upon closing, preventing unauthorized entry.

**Example 2:**

*Scenario:* A team is working on a lease negotiation for a new office space for a GSA agency. The team uses laptops to access and process FCI, including lease documents containing sensitive financial information and draft client correspondence with the GSA. When not in use, these laptops are stored in locked file cabinets within the team's assigned office space. The office space itself is secured by a door with a standard lock and key. Only members of the lease negotiation team are issued keys to the office. Additionally, a "clean desk" policy is enforced, requiring all physical documents containing FCI to be stored in locked file cabinets or taken home at the end of each workday. This policy is documented and communicated to all team members.

**Example 3:**

*Scenario:* The firm conducts on-site facility assessments for HUD properties. During these assessments, team members collect FCI, including photographs of building infrastructure, notes on security vulnerabilities, and potentially sensitive data about tenants. To ensure this information remains secure during and after the assessment, team members use company-issued tablets with password protection and encryption. Upon returning to the office, the tablets are stored in a locked safe when not in use. The safe is located in a restricted area of the office, accessible only to the designated team lead and the firm's security officer. The data collected during the assessments is then uploaded to the secure server described in Example 1, following documented procedures for handling FCI.
📄 Policy Templates:
* PE.L1-b.1.viii-AuthorizedAccessLists.docx
* PE.L1-b.1.viii-BadgeIssuanceRecords.docx
* PE.L1-b.1.viii-PhysicalAccessPolicy.docx
[c] physical access to equipment is limited to authorized individuals;
AI Summary
This objective requires you to restrict physical access to systems and equipment that process, store, or transmit Federal Contract Information (FCI) to only authorized personnel. To demonstrate compliance, you need to implement physical security measures like locked doors, key cards, or monitored locations, and ensure only authorized individuals have access to these areas.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective PE.L1-B.1.VIII:

**Example 1:**

Scenario: The consulting firm maintains a secure server room where it stores electronic copies of facility assessments containing FCI related to government-owned properties. This data includes detailed floor plans with CUI markings indicating sensitive areas, structural integrity reports, and security vulnerability assessments. Access to the server room is restricted using a keycard access system. Only authorized personnel, specifically the IT manager, the CMMC compliance officer, and designated project managers working on relevant government contracts, are granted keycard access. The keycard access logs are regularly reviewed (at least monthly) by the IT manager to ensure that only authorized individuals are accessing the server room and to identify any anomalies. A sign is posted outside the server room stating "Authorized Personnel Only - CMMC Controlled Environment." The server room also houses physical backups of the FCI data, further emphasizing the need for controlled access. If a consultant leaves the firm, their keycard access is immediately revoked.

**Example 2:**

Scenario: The firm uses laptops to conduct site selection studies for a federal agency, storing FCI such as maps with CUI-designated critical infrastructure, environmental impact assessments, and preliminary lease agreements. When not in use, these laptops are stored in locked cabinets within the office. Only employees directly involved in the site selection projects are authorized to access these cabinets. The cabinet keys are kept in a secure lockbox, and a log is maintained documenting who checks out and returns the keys. The log includes the date, time, employee name, and the project the laptop is being used for. The office space itself is secured after hours with an alarm system that is activated each evening and deactivated each morning by designated staff members. The alarm system is monitored by a third-party security company.

**Example 3:**

Scenario: During lease negotiations with the GSA for a new federal agency office space, the consulting firm receives physical documents containing FCI, including security specifications, blueprints with CUI markings, and internal GSA memoranda regarding building security. These documents are stored in locked filing cabinets within a designated "Controlled Document Area" in the firm's office. Access to this area is limited to the lead negotiator, the project manager, and the CMMC compliance officer. A sign-in/sign-out log is maintained for anyone entering the Controlled Document Area, including the date, time, purpose of entry, and the specific documents accessed. Upon completion of the lease negotiation, the original documents are returned to the GSA, and any copies retained by the firm are securely shredded using a cross-cut shredder. The shredding process is documented, including the date, time, and the names of the individuals who performed the shredding.
📄 Policy Templates:
* PE.L1-b.1.viii-AuthorizedAccessLists.docx
* PE.L1-b.1.viii-BadgeIssuanceRecords.docx
* PE.L1-b.1.viii-PhysicalAccessPolicy.docx
[d] physical access to operating environments is limited to authorized individuals.
AI Summary
This objective requires that physical access to areas where Federal Contract Information (FCI) is stored, processed, or transmitted is restricted to only authorized personnel. To demonstrate compliance, you need to show that measures are in place, like locks and access control, to prevent unauthorized individuals from physically accessing these areas and the equipment within them. This could involve keycards, locked rooms, or monitored areas.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, directly related to limiting physical access to FCI data, based on the provided CMMC Level 1 objective:

**Example 1:**

Scenario: The consulting firm is conducting a site selection study for a new GSA regional office. This involves accessing and analyzing sensitive property data, including floor plans, building security assessments, and historical lease information, some of which is marked as FCI. This data is stored on laptops used by the project team. To limit physical access, the firm implements a "clean desk" policy at the end of each workday. All laptops containing FCI are locked in a secure cabinet within the project team's office. The cabinet is accessed using a key, and the key is controlled by the Project Manager. Only team members who have completed CMMC awareness training and signed a non-disclosure agreement related to FCI are authorized to access the cabinet. A log is kept of who accesses the cabinet and when. This log is reviewed weekly by the Project Manager to ensure compliance.

**Example 2:**

Scenario: The consulting firm is performing a facility assessment for a DoD-owned building. The assessment involves creating detailed site plans that include the location of sensitive infrastructure (e.g., communication hubs, server rooms). These site plans, marked as CUI, are stored electronically on the firm's internal network and printed copies are used during site visits. To limit physical access to the printed copies, the firm implements the following:

1. Printed copies of the site plans are only made on a "need-to-know" basis.
2. During site visits, the plans are kept in the possession of authorized personnel (e.g., the lead assessor).
3. At the end of each site visit day, all printed copies are either shredded using a cross-cut shredder or stored in a locked briefcase.
4. The briefcase is stored in a locked office overnight.
5. The shredding is documented in a log.

**Example 3:**

Scenario: The consulting firm manages a real estate portfolio for HUD. This involves storing and processing lease documents, facility inspection reports, and correspondence with HUD, all of which contain FCI. The firm uses a dedicated server room to house the servers that store this data. To limit physical access to the server room, the firm implements the following:

1. Access to the server room is restricted to authorized IT personnel only.
2. Access is controlled using a keycard system.
3. Each access attempt is logged.
4. The server room door is kept locked at all times.
5. A sign is posted on the door stating "Authorized Personnel Only - FCI Data Stored Here."
6. The access logs are reviewed monthly by the IT Manager to identify any unauthorized access attempts.
📄 Policy Templates:
* PE.L1-b.1.viii-AuthorizedAccessLists.docx
* PE.L1-b.1.viii-BadgeIssuanceRecords.docx
* PE.L1-b.1.viii-PhysicalAccessPolicy.docx
pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] 6
[a] visitors are escorted;
AI Summary
This objective requires that all visitors to areas where Federal Contract Information (FCI) is stored or processed are escorted while on-site. To demonstrate compliance, organizations must implement procedures to ensure visitors are accompanied and monitored, and provide evidence of these procedures in practice, such as visitor logs or incident reports.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement PE.L1-B.1.IX:

**Example 1:** A government client (e.g., a representative from the GSA) visits the consulting firm's office to review a draft facility assessment report containing FCI related to a potential property acquisition. Upon arrival, the receptionist verifies the client's identity (e.g., reviewing their government-issued ID) and issues a visitor badge. The receptionist then immediately notifies the project manager responsible for the assessment, who personally escorts the client to a designated conference room. The project manager remains with the client throughout the meeting, monitoring their access to any physical documents (e.g., printed site plans marked CUI) or electronic displays showing FCI. Upon the client's departure, the project manager ensures all documents are secured and the visitor badge is returned to the receptionist. The receptionist logs the visitor's name, affiliation, arrival/departure times, and escort's name in a visitor logbook kept at the reception desk.

**Example 2:** A subcontractor, hired to perform a specialized environmental survey on a property being considered for a DoD lease, needs access to the consulting firm's secure server room to upload the survey data, which contains FCI. The consulting firm's IT administrator meets the subcontractor at the reception area, verifies their identity with government-issued ID, and issues a temporary visitor badge. The IT administrator escorts the subcontractor directly to the server room, monitors their activity while they upload the data, and ensures they only access the designated server share. The IT administrator logs the subcontractor's name, affiliation, purpose of visit, and arrival/departure times in the server room access log. The IT administrator also retrieves the visitor badge upon the subcontractor's departure and ensures the server room door is securely locked.

**Example 3:** A prospective seller of a property being considered for a federal agency site selection study visits the consulting firm's office to provide supplemental documentation, including floor plans and utility schematics that could contain FCI. The consulting firm's real estate advisor, who is managing the site selection study, greets the seller at reception. After confirming their identity, the advisor issues a visitor badge and escorts the seller directly to their private office, where the documentation is reviewed. The advisor remains with the seller throughout the meeting and collects all documentation at the conclusion. The advisor logs the seller's name, affiliation, and purpose of visit in a visitor log maintained by the real estate advisory team, and ensures the visitor badge is returned to reception. The advisor then secures the collected documentation in a locked file cabinet designated for FCI.
📄 Policy Templates:
* PE.L1-b.1.ix-AccessLogs.docx
* PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx
* PE.L1-b.1.ix-VisitorManagementPolicy.docx
[b] visitor activity is monitored;
AI Summary
This objective requires organizations to monitor the activities of visitors who have access to areas where Federal Contract Information (FCI) is stored or processed. To demonstrate compliance, an organization needs to show evidence that visitor activity is being tracked, such as through a visitor log, automated access control system, or other monitoring methods. This ensures that unauthorized access to FCI is prevented.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective PE.L1-B.1.IX, focusing on monitoring visitor activity:

Example 1: **Visitor Log and Escort Policy for Client Meetings Involving CUI**

*Scenario:* A consultant is hosting a meeting with a representative from the General Services Administration (GSA) to discuss a potential lease agreement for a new federal office building. The meeting will involve reviewing site plans marked as CUI and discussing sensitive details about the government's space requirements.

*Compliance:*
1. **Visitor Log:** Upon arrival, the GSA representative is required to sign a physical visitor log located at the reception desk. The log includes fields for the visitor's name, organization, purpose of visit, time of arrival, time of departure, and the name of the consulting firm employee they are visiting.
2. **Escort:** The consultant, upon being notified of the visitor's arrival, personally escorts the GSA representative from the reception area to the conference room where the CUI will be discussed. The consultant remains with the GSA representative throughout the meeting.
3. **Monitoring:** The consultant ensures that the visitor remains within the designated conference room or escorted areas at all times during the visit.
4. **Departure Log:** Upon departure, the GSA representative signs out of the visitor log, noting the time of departure. The receptionist then reviews the log daily for any anomalies or discrepancies.

Example 2: **Controlled Access to Server Room Containing Government Property Data**

*Scenario:* The consulting firm maintains a secure server room that houses a database containing sensitive property data related to government-owned and leased facilities, including facility assessment reports, lease documents, and CUI-marked site plans. An IT vendor needs to access the server room to perform routine maintenance.

*Compliance:*
1. **Prior Authorization:** The IT vendor's visit is pre-approved by the firm's IT Manager and documented in a service request ticket within the firm's internal IT support system. This ticket serves as authorization for the visit.
2. **Escort and Monitoring:** The IT Manager (or a designated employee with appropriate security clearance) escorts the IT vendor into the server room and remains with them for the duration of the maintenance activity. The escort ensures the vendor only accesses the equipment necessary for the approved maintenance and does not access or attempt to access any other systems or data.
3. **Server Room Access Log:** A separate physical access log is maintained specifically for the server room. The IT Manager records the vendor's name, company, purpose of visit, date, time of entry, and time of exit in the log.
4. **Post-Visit Review:** After the vendor leaves, the IT Manager reviews the server room access log and the service request ticket to verify that the vendor's activities aligned with the authorized scope of work and that no unauthorized access occurred.

Example 3: **Monitoring Access During Site Visits to Federal Properties**

*Scenario:* A team of consultants is conducting a site assessment of a federally-owned building on behalf of the Department of Housing and Urban Development (HUD). The assessment involves collecting data about the building's physical condition, security measures, and compliance with accessibility standards.

*Compliance:*
1. **Coordination with Federal Security:** The consulting firm coordinates the site visit with the designated security contact at the HUD facility. The firm provides a list of all team members who will be participating in the site visit, along with their identification information.
2. **Visitor Badges:** Upon arrival at the facility, each consultant receives a visitor badge from the facility's security desk. The badge clearly identifies them as a visitor.
3. **Escort (if required by the facility):** If required by the
📄 Policy Templates:
* PE.L1-b.1.ix-AccessLogs.docx
* PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx
* PE.L1-b.1.ix-VisitorManagementPolicy.docx
[c] audit logs of physical access are maintained;
AI Summary
This objective requires maintaining records of physical access to areas where Federal Contract Information (FCI) is stored or processed. To comply, an organization must implement and retain audit logs (either manual or automated) that track who enters and exits these areas, demonstrating a record of physical access activity. This could involve visitor sign-in sheets, badge access logs, or a combination of methods.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 objective PE.L1-B.1.IX, tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: The firm's office houses a secure room where sensitive government property databases (containing FCI related to federal land holdings) are accessed and analyzed. Access to this room is restricted. To comply with audit log requirements, the firm implements a physical access logbook located directly outside the secure room. Any visitor, including temporary contractors brought in to assist with a surge in a project related to a DoD installation site selection study, must sign in, stating their name, company (if applicable), the date and time of entry, the purpose of their visit (e.g., "Reviewing GSA lease documents"), and the name of the employee they are visiting. Upon exiting, they must sign out, noting the time of departure. The designated security officer (or office manager) reviews the logbook weekly to ensure completeness and identify any anomalies. The completed logbooks are stored in a locked cabinet for one year, along with the badge access logs.

**Example 2:**

Scenario: A senior consultant needs to bring a potential sub-contractor into the office to review CUI-marked site plans for a new HUD housing development project. These plans are stored on a dedicated, password-protected server within the firm's network, but the physical review requires access to a specific workstation within the main office area. To manage visitor access and maintain audit logs, the consultant informs the office manager in advance of the visitor's arrival. The office manager issues the visitor a temporary badge that is clearly marked "Visitor" and logs the issuance in a visitor log, along with the date, time, and purpose of the visit ("Review HUD Site Plans"). The consultant escorts the visitor at all times while they are in the office and ensures the visitor returns the badge upon departure. The office manager then logs the badge return and the visitor's departure time in the visitor log. The visitor log is kept electronically in a secure SharePoint folder accessible only to authorized personnel (office manager, security officer).

**Example 3:**

Scenario: The firm conducts a facility assessment of a government-owned building on behalf of the GSA. This assessment involves taking photographs and detailed notes, some of which may contain FCI (e.g., building security systems, infrastructure details). A junior analyst accompanies the lead consultant on the site visit. To manage physical access and maintain audit logs, the firm requires the analyst to document all access points used during the assessment in a standardized "Site Visit Access Log" form. This includes the date, time, location of each access point (e.g., "Main entrance," "Electrical room - key obtained from building manager"), the method of entry (e.g., "Key," "Escorted by GSA representative"), and the names of all individuals present. The completed form is then submitted to the security officer upon return to the office and stored electronically with the project documentation in the firm's secure project management system (e.g., Deltek Costpoint), accessible only to authorized project team members.
📄 Policy Templates:
PE.L1-b.1.ix-AccessLogs.docx
PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx
PE.L1-b.1.ix-VisitorManagementPolicy.docx
[d] physical access devices are identified;
AI Summary
This objective requires the organization to identify all physical access devices used to control access to facilities and systems where Federal Contract Information (FCI) is stored or processed. To demonstrate compliance, the organization needs to document and maintain a list of all such devices, including keys, locks, combinations, and card readers, and ensure this list is readily available for assessment.
AI-Generated Examples
Here are three concrete compliance examples for the consulting firm, addressing the CMMC Level 1 objective PE.L1-B.1.IX, focusing on identifying physical access devices:

**Example 1:**

Scenario: The firm uses a combination of keycard access and traditional keyed locks to secure its office space where FCI related to government real estate projects is stored and processed. This includes client files, facility assessment reports, and CUI-marked site plans. To meet the objective, the firm maintains an inventory of all physical access devices. This inventory is documented in the firm's Physical Security Policy document and is reviewed and updated quarterly by the IT Security Manager. The inventory includes:

* **Keycards:** A list of all active keycards, their assigned employee (or visitor, if applicable), and the access levels granted to each card. This list is maintained in a secure spreadsheet on a password-protected server. The spreadsheet also includes the date the keycard was issued and the date it was deactivated (if applicable).
* **Keys:** A log of all physical keys to the office space, file cabinets containing FCI, and any other secured areas. The log includes the key number, who the key is assigned to, and a signature acknowledging receipt of the key. This log is stored in a locked cabinet within the IT Security Manager's office.
* **Door Locks:** A description of each type of door lock (e.g., brand, model, mechanical or electronic) used on exterior doors, server room doors, and file storage areas. This information is included in the Physical Security Policy document and is cross-referenced with the key and keycard inventory.

**Example 2:**

Scenario: A consultant from the firm is conducting a site selection study for a new GSA office building. The consultant needs to visit several potential locations, some of which are already occupied by other government agencies or private entities. To gain access, the consultant receives temporary keycard access to these facilities.

To comply with the objective, the consultant:

* **Documents the Keycard:** Immediately upon receiving the temporary keycard, the consultant records the keycard's unique identifier, the date of issuance, the expiration date, and the specific areas the keycard grants access to in a digital log. This log is stored on the consultant's company-issued laptop, which is encrypted and password-protected.
* **Escort Requirement:** The consultant confirms with the site contact whether an escort is required. If an escort is required, the consultant documents the name of the escort and the dates/times of each escorted visit in the digital log.
* **Return and Deactivation:** Upon completion of the site visit, the consultant returns the keycard to the designated contact and obtains confirmation of its return. The consultant then updates the digital log with the date of return and confirmation of deactivation from the site contact.

**Example 3:**

Scenario: The firm manages a real estate portfolio for a local government agency. This includes maintaining physical access to various properties, some of which contain sensitive information related to infrastructure projects.

To comply with the objective, the firm:

* **Maintains a Centralized Inventory:** The firm maintains a centralized inventory of all physical access devices (keys, keycards, combinations to locks) for each property within the portfolio. This inventory is stored within the firm's secure project management system, accessible only to authorized personnel.
* **Tracks Access Device Distribution:** The firm tracks the distribution of these access devices to employees, contractors, and government personnel. This includes recording the date of issuance, the recipient's name and contact information, and the specific areas the access device grants access to. A signed acknowledgement form is obtained from each recipient.
* **Regular Audits:** The firm conducts regular audits of the physical access device inventory to ensure that all devices are accounted for.
📄 Policy Templates:
PE.L1-b.1.ix-AccessLogs.docx
PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx
PE.L1-b.1.ix-VisitorManagementPolicy.docx
[e] physical access devices are controlled;
AI Summary
This objective requires you to control physical access devices like keys, locks, and card readers to protect FCI data. To demonstrate compliance, you need to show that you have mechanisms in place to manage and secure these devices, preventing unauthorized access to areas where FCI data is stored or processed. This could involve procedures for issuing, tracking, and revoking access credentials, as well as physical security measures to protect the devices themselves.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement PE.L1-B.1.IX:

**Example 1:**

Scenario: A federal client representative from the GSA (General Services Administration) is visiting the consulting firm's office to review a draft site selection study that contains FCI related to potential locations for a new federal courthouse. The study includes CUI-marked site plans and cost analyses.

Compliance:

1. **Visitor Log:** Upon arrival, the GSA representative is required to sign in at the reception desk, providing their name, agency affiliation, and purpose of visit. The receptionist records this information in a physical visitor logbook or an electronic visitor management system.
2. **Escort:** The GSA representative is escorted by a designated employee of the consulting firm (e.g., the project manager or a senior analyst) at all times while in the office, particularly when accessing areas where FCI is stored or discussed (e.g., project team work areas, conference rooms).
3. **Access Control:** Access to the conference room where the site selection study is reviewed is controlled by a keycard system. Only authorized employees (those with a need-to-know) have access to this room. The escorting employee uses their keycard to grant access to the GSA representative.
4. **Monitoring:** The escorting employee actively monitors the GSA representative's activity to ensure they only access or view information relevant to the site selection study and do not attempt to access other sensitive data.
5. **Departure:** Upon departure, the GSA representative signs out of the visitor log. The escorting employee confirms their departure and ensures no sensitive documents or devices are taken from the office.

**Example 2:**

Scenario: The consulting firm employs a cleaning service that operates after business hours. This service requires access to the office, including areas where FCI is stored digitally and physically (e.g., servers, filing cabinets containing lease agreements with CUI).

Compliance:

1. **Background Checks:** The consulting firm conducts background checks on all employees of the cleaning service prior to granting them access to the facility.
2. **Limited Access:** The cleaning service is provided with a specific access code to the building's main entrance and a physical key to the office suite. The access code is valid only during pre-defined hours (e.g., 6:00 PM to 8:00 PM). A physical key cannot be time-restricted, so the key is controlled instead through sign-out and return for each shift (see Key Control below) and the affected lock is re-keyed if a key is lost or not returned.
3. **Restricted Areas:** The cleaning service is explicitly instructed and contractually obligated to avoid accessing or interacting with any IT equipment, filing cabinets, or desks containing sensitive information. Signage is posted in sensitive areas reminding cleaning staff of these restrictions.
4. **Monitoring:** The consulting firm's security system records all entries and exits to the office using the assigned access code. The firm reviews these logs periodically to ensure the cleaning service adheres to the agreed-upon schedule. Additionally, the firm's IT staff conducts periodic checks to ensure no IT equipment has been tampered with.
5. **Key Control:** The physical key to the office is secured when not in use and a log is maintained to track its issuance and return.

**Example 3:**

Scenario: A new employee, a junior analyst, is hired and needs access to the office building and specific areas where FCI is handled, such as the project team work area where facility assessment reports containing CUI are stored.

Compliance:

1. **Background Check:** The new employee undergoes a background check as part of the hiring process.
2. **Access Card Issuance:** Upon completion of onboarding, the employee is issued a personalized access card.
3. **Access Level Assignment:** The employee's access card is programmed to grant access only to the areas required
📄 Policy Templates:
PE.L1-b.1.ix-AccessLogs.docx
PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx
PE.L1-b.1.ix-VisitorManagementPolicy.docx
[f] physical access devices are managed.
AI Summary
This objective requires organizations to manage physical access devices (keys, locks, card readers, etc.) to protect FCI data. To demonstrate compliance, organizations must show they have processes in place to control and track these devices, ensuring only authorized personnel have access and that devices are properly managed (e.g., revoked upon termination). This could involve maintaining records of issued devices, tracking their return, and ensuring they are appropriately secured.
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 requirement PE.L1-B.1.IX, tailored to a real estate consulting firm working with government clients:

**Example 1:** A consultant is assigned to a project involving the assessment of a GSA-leased property containing FCI related to facility security plans. The consultant requires temporary access to a secure server room on-site to review digital blueprints stored on a dedicated workstation. The consultant is issued a temporary access card by the GSA facility manager. Upon completion of the assessment, the consultant returns the access card to the facility manager, who deactivates the card and records its return in the facility's access control system (audit log). The consultant also signs a visitor log acknowledging the return of the card, with the date and time noted. The consulting firm maintains a record of the project, the consultant assigned, and a confirmation email from the GSA facility manager acknowledging the card's return.

**Example 2:** A team is conducting a site selection study for a new DoD facility. This involves accessing a secure data room within the consulting firm's office where CUI-marked site plans and environmental impact assessments are stored on a dedicated server. The project manager, who is authorized to access the data room, temporarily lends their physical access card to a junior analyst for a specific task (e.g., printing a specific document). Before lending the card, the project manager logs the transaction in a physical access logbook at the entrance to the data room, noting the date, time, card number, the analyst's name, and the specific reason for access. Upon the analyst's return, the project manager retrieves the card, verifies the analyst's return, and updates the logbook with the return time. The consulting firm's security policy explicitly prohibits the sharing of access cards except under documented and controlled circumstances, as described in the logbook. Note that the badge reader will record the project manager's card, not the analyst, so the logbook entry is the only record that attributes the entry to the person who actually went in; issuing the analyst a temporary card of their own keeps the electronic access log accurate and is the preferable approach.

**Example 3:** The firm utilizes a key lockbox to store keys for various properties under management for HUD. The lockbox is physically located within the firm's secure office space. Access to the lockbox is controlled by a combination code that is changed quarterly and known only to a limited number of authorized personnel (e.g., the property management team lead). When a new property is added to the firm's portfolio, the team lead updates the lockbox inventory log, documenting the key's unique identifier, the property address, and the date the key was placed in the lockbox. When a team member needs to access a key, they must sign out the key in the lockbox log, noting the date, time, their name, the key's identifier, and the reason for access (e.g., property inspection). Upon return, they sign the key back in, and the team lead periodically audits the lockbox log to ensure all keys are accounted for and the log is being properly maintained.
📄 Policy Templates:
PE.L1-b.1.ix-AccessLogs.docx
PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx
PE.L1-b.1.ix-VisitorManagementPolicy.docx

System and Communications Protection (SC)

2 requirements · 10 objectives
sc.l1-b.1.x — Boundary Protection [FCI Data] 8
[a] the external system boundary is defined;
AI Summary
This objective requires you to define the boundary of your system that handles Federal Contract Information (FCI). To demonstrate compliance, you need to document and maintain a clear definition of where your system begins and ends, including all external connections. This could be a network diagram or written description outlining the system's perimeter.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, directly relevant to CMMC Level 1 requirement SC.L1-B.1.X, focusing on boundary protection of FCI data:

**Example 1:**

*Scenario:* The consulting firm utilizes a cloud-based project management system (e.g., Asana, Monday.com) to manage real estate projects involving FCI, such as facility assessments for a DoD installation. This system is used to store client correspondence, facility inspection reports (containing FCI), and project timelines. The firm first writes the boundary down in its System Security Plan: the office network, the company-issued VPN and the firm's tenant in the SaaS platform are inside the boundary, and the internet connection, the SaaS provider's infrastructure and client networks are the external connections that cross it. To enforce that boundary the firm uses the SaaS platform's own IP allow-list (a customer cannot change the provider's firewall) so that only the pre-approved office egress addresses and the VPN's egress address can reach the tenant, and requires multi-factor authentication on the VPN. The firm reviews the platform's sign-in logs and the VPN logs on a monthly basis to verify that no access originates from outside the allowed addresses.

**Example 2:**

*Scenario:* The firm receives site plans marked as CUI from the GSA via email. These site plans contain sensitive information about government properties. To protect this data at the external boundary, the firm implements a policy that all outgoing email containing FCI must be encrypted, enforced by a secure email gateway or data loss prevention policy (e.g., Proofpoint, Mimecast, or Microsoft Purview DLP combined with Microsoft 365 message encryption). The gateway scans outgoing emails for sensitive keywords and markings and automatically encrypts emails containing FCI before they leave the organization's network; incoming mail from the GSA is protected in transit by requiring TLS on the receiving side. Because keyword matching misses FCI that is not marked, the firm also trains employees to identify FCI and to apply the label or subject tag that the encryption rule keys on. A record of encrypted emails is maintained for auditing purposes. This prevents unauthorized interception of FCI during email transmission.

**Example 3:**

*Scenario:* The firm uses a shared network drive to store lease documents, site selection studies, and real estate portfolio management data related to its government clients. Some of this data is considered FCI. The firm implements network segmentation using a firewall to create a dedicated virtual LAN (VLAN) for storing this sensitive data. Access to this VLAN is restricted to a specific group of authorized employees based on their roles and responsibilities. The firewall is configured to block all unauthorized traffic between the FCI VLAN and other parts of the network, preventing potential data breaches. The firm maintains a network diagram showing the VLAN configuration and access control rules. Regular vulnerability scans are conducted on the firewall to ensure its effectiveness in protecting the boundary.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[b] key internal system boundaries are defined;
AI Summary
This objective requires organizations to identify and define the key internal boundaries within their systems that handle Federal Contract Information (FCI). To demonstrate compliance, an organization needs to document these defined boundaries, likely through network diagrams or similar documentation, showing where internal network segments are separated and protected.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the real estate consulting firm, focusing on CMMC Level 1 requirement SC.L1-B.1.X (Boundary Protection [FCI Data]):

**Example 1:**

*Scenario:* The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage real estate projects for government clients. This system contains FCI related to facility assessments, lease terms, and property details. To define and protect a key internal boundary, the firm implements role-based access control within the project management system. Only designated employees (e.g., project managers, senior analysts) who have undergone CMMC awareness training are granted access to projects containing FCI. Access to specific projects and data within those projects is further restricted based on the principle of least privilege. For example, an intern assisting with data entry might have access to upload facility inspection reports but not to view sensitive lease negotiation documents. The firm maintains a documented access control policy outlining these roles and permissions, and reviews/updates this policy at least annually. This policy will be referenced in the System Security Plan (SSP).

**Example 2:**

*Scenario:* The firm utilizes a shared network drive to store all project-related documents, including CUI-marked site plans received from the Department of Defense, lease agreements with the GSA, and facility assessment reports containing sensitive information. To protect this data at a key internal boundary, the firm implements network segmentation. The shared drive containing FCI is placed on a separate Virtual LAN (VLAN) from the general office network used for internet browsing and email. Traffic between the two VLANs passes through a firewall whose rules permit only the project team's workstations, identified by their addresses on the authorized subnet, to reach the file server, and the server itself still requires the user's account to authenticate. MAC addresses are deliberately not used as the control: a firewall routing between VLANs does not see the original MAC address, and a MAC address is trivially spoofed in any case. A rule is implemented to block all access to the FCI VLAN from other VLANs and from the internet. The firm maintains firewall logs, which are reviewed weekly by the IT administrator to identify and address any unauthorized access attempts. These logs are stored for at least one year.

**Example 3:**

*Scenario:* The firm uses email to communicate with government clients, often exchanging documents containing FCI, such as draft lease agreements, property appraisals, and correspondence regarding site selection for new federal facilities. To protect organizational communications at the external boundary, the firm implements an email security gateway (e.g., Proofpoint, Mimecast) that scans all incoming and outgoing emails for malware and phishing attempts. The gateway is configured to automatically quarantine emails containing suspicious attachments or links. Additionally, the firm mandates the use of encryption for all emails containing FCI. Employees are trained on how to properly encrypt emails using S/MIME or a similar encryption protocol. The firm maintains a policy requiring all emails containing FCI to be encrypted and monitors employee compliance through periodic audits of sent email logs.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[c] communications are monitored at the external system boundary;
AI Summary
This objective requires organizations to monitor communications at the boundary of their systems to protect Federal Contract Information (FCI). To demonstrate compliance, an organization should show evidence of monitoring communications at the external system boundary, such as firewall logs or reports of blocked malicious activity, and that these monitoring activities are in place to detect and prevent unauthorized access to FCI.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm related to CMMC Level 1 requirement SC.L1-B.1.X:

**Example 1:**

*Scenario:* The consulting firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage projects involving FCI, such as facility assessments for a Department of Defense (DoD) installation. This system is used to store and share documents like facility inspection reports containing FCI, CUI-marked site plans, and client correspondence with DoD personnel regarding security vulnerabilities. To monitor communications at the external boundary, the firm enables the platform's sign-in and audit log alerting (a SaaS platform rarely exposes an intrusion detection system to its customers) so that the firm's IT administrator is notified whenever a sign-in originates from outside the firm's authorized IP address range or from a previously unseen device. These alerts are reviewed daily to identify potential unauthorized access attempts to the project management system and the FCI it contains. The IT administrator documents these reviews in a log, noting any alerts, actions taken, and resolutions.

**Example 2:**

*Scenario:* The consulting firm uses email to communicate with the General Services Administration (GSA) regarding lease negotiations for a new federal building. These emails may contain FCI related to the government's requirements, budget, and security considerations for the property. To protect email communications at the external boundary, the firm implements a spam filter and anti-malware solution on its email server. This solution scans all incoming and outgoing emails for malicious attachments, phishing attempts, and suspicious URLs. The solution is configured to automatically quarantine suspicious emails and generate reports that are reviewed weekly by the IT administrator. The IT administrator documents these reviews in a log, noting any quarantined emails, actions taken, and resolutions.

**Example 3:**

*Scenario:* The consulting firm conducts site selection studies for a new Housing and Urban Development (HUD) office. The resulting reports contain FCI related to demographic data, environmental impact assessments, and security considerations for potential sites. These reports are stored on the firm's internal file server. To protect access to this data, the firm implements a firewall that restricts access to the file server to only authorized employees and devices. The firewall rules are configured to allow only specific ports and protocols necessary for file sharing and remote access. The firewall logs are reviewed monthly to identify any unauthorized access attempts or suspicious network traffic. The IT administrator documents these reviews in a log, noting any anomalies, actions taken, and resolutions.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[d] communications are monitored at key internal boundaries;
AI Summary
This objective requires monitoring communications at key internal boundaries within your system to detect and respond to potential threats. To demonstrate compliance, you need to show that you have mechanisms in place (like logging and review processes) to track communication activity at these internal boundaries and that you are actively reviewing this data for suspicious activity. This could involve analyzing logs from firewalls, intrusion detection systems, or other security tools.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement SC.L1-B.1.X, Boundary Protection [FCI Data]:

Example 1: **Monitoring Email Communications Containing FCI**

Scenario: The consulting firm uses Microsoft 365 for email and stores client correspondence containing FCI, such as lease documents with sensitive financial information or facility assessments containing CUI-marked site plans, in SharePoint. To meet the monitoring objective, the firm configures Microsoft Purview data loss prevention (DLP) policies (keyword and pattern matching is a DLP function; Microsoft Defender for Office 365 handles malware and phishing) to scan all inbound and outbound email traffic for keywords and patterns associated with FCI (e.g., "GSA Lease Agreement," "CUI," "DoD Property ID," "Personally Identifiable Information"). When a potential FCI-related email is detected, the policy automatically flags it for review by a designated security administrator. The administrator then examines the email content and attachments to ensure proper handling and labeling of the FCI, and to identify any potential data leaks or unauthorized disclosures. The administrator logs all flagged incidents and their resolutions in an incident response log. This log serves as evidence of ongoing monitoring and control of communications containing FCI.

Example 2: **Controlling Access to a Secure File Server Containing Government Property Data**

Scenario: The consulting firm maintains a secure file server (e.g., a dedicated Windows Server instance) to store sensitive government property data, facility inspection reports, and site selection studies containing FCI. Access to this server is restricted to authorized personnel only, based on the principle of least privilege. To monitor communications at this internal boundary, the firm implements network monitoring software (e.g., SolarWinds Network Performance Monitor or similar) that tracks all network traffic to and from the secure file server. The monitoring system is configured to alert the security administrator to any unusual activity, such as attempts to access the server from unauthorized IP addresses, large data transfers outside of normal business hours, or failed login attempts. The firm also enables auditing on the file server itself to track which users are accessing which files and when. These logs are regularly reviewed to detect any unauthorized access or data exfiltration attempts.

Example 3: **Protecting Remote Access to Project Management Systems Containing Client Data**

Scenario: The consulting firm uses a cloud-based project management system (e.g., Asana, Monday.com, or a custom-built system) to manage projects involving federal government clients. This system contains client correspondence, project plans, and potentially sensitive information related to real estate transactions. Since employees frequently access this system remotely, the firm implements a Virtual Private Network (VPN) that requires multi-factor authentication (MFA) for all remote access. The VPN creates an encrypted tunnel between the employee's device and the firm's network, from which the project management system is reached, and the platform's IP allow-list accepts logins only from the VPN's egress address. The firm also configures the VPN to log all connection attempts, including the user's IP address, timestamp, and connection status. The security administrator regularly reviews these logs to identify any suspicious activity, such as login attempts from unusual locations or failed authentication attempts. This monitoring helps to protect the internal boundary of the project management system and ensure that only authorized users can access sensitive client data.
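The log reviews described in Examples 2 and 3 above are usually done by eye, which does not scale past a few hundred lines a week. The following Python script is an added example, not code from the page or from any of the products it names: it walks constructed file-server audit records and VPN connection records, flags reads of the FCI share from addresses outside the authorized subnets, bursts of failed logons, bulk reads outside business hours, and VPN logons from an unexpected country, and returns the findings as a list the administrator can paste into the review log. The subnet ranges, thresholds, business hours, record format and every log line are assumptions constructed for the example; a real deployment would parse exports from Windows file-share auditing or the VPN concentrator instead.

```python
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed layout for this example: the project-team VLAN and the VPN address pool
# are the only sources that should ever reach the FCI file server.
AUTHORIZED_NETS = [ip_network("10.20.0.0/24"), ip_network("10.99.0.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local-time window treated as normal
FAILED_LOGON_THRESHOLD = 5                   # failures per (user, source) before flagging
BULK_BYTES = 500 * 1024 * 1024               # a read this large outside hours is flagged
EXPECTED_COUNTRIES = {"US"}                  # where staff normally connect from (assumed)

# Constructed sample records in a simple "timestamp key=value ..." form. Real exports
# (Windows event 4663 file auditing, a VPN concentrator syslog) need their own parser.
FILE_SERVER_LOG = """\
2024-03-04T09:12:01 user=jdoe src=10.20.0.15 event=logon result=success
2024-03-04T09:13:44 user=jdoe src=10.20.0.15 event=read path=/fci/gsa-lease.pdf bytes=2097152
2024-03-04T23:41:10 user=svc_backup src=10.20.0.7 event=read path=/fci bytes=734003200
2024-03-05T02:10:03 user=admin src=192.168.50.9 event=logon result=failure
2024-03-05T02:10:09 user=admin src=192.168.50.9 event=logon result=failure
2024-03-05T02:10:15 user=admin src=192.168.50.9 event=logon result=failure
2024-03-05T02:10:21 user=admin src=192.168.50.9 event=logon result=failure
2024-03-05T02:10:27 user=admin src=192.168.50.9 event=logon result=failure
2024-03-05T10:02:55 user=asmith src=10.30.0.22 event=logon result=success
"""

VPN_LOG = """\
2024-03-05T08:01:12 user=jdoe src=203.0.113.5 country=US result=success
2024-03-05T08:09:30 user=jdoe src=198.51.100.77 country=RO result=success
2024-03-05T03:15:00 user=asmith src=198.51.100.8 country=US result=failure
2024-03-05T03:15:06 user=asmith src=198.51.100.8 country=US result=failure
"""


def parse(log_text):
    """Turn each 'ts k=v k=v' line into a dict with a parsed timestamp under 'ts'."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def is_authorized_source(src):
    return any(ip_address(src) in net for net in AUTHORIZED_NETS)


def off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def triage(file_server_log=FILE_SERVER_LOG, vpn_log=VPN_LOG):
    """Return findings as dicts (kind, user, src, detail) for the weekly review log."""
    findings = []
    failures = defaultdict(int)   # (user, src) -> failed logon count across both logs
    seen_unauthorized = set()     # report each (user, src) pair once, not once per line

    for rec in parse(file_server_log):
        user, src = rec["user"], rec["src"]
        if not is_authorized_source(src) and (user, src) not in seen_unauthorized:
            seen_unauthorized.add((user, src))
            findings.append({"kind": "unauthorized_source", "user": user, "src": src,
                             "detail": f"{rec['event']} from outside the authorized subnets"})
        if rec.get("event") == "logon" and rec.get("result") == "failure":
            failures[(user, src)] += 1
        if (rec.get("event") == "read" and off_hours(rec["ts"])
                and int(rec.get("bytes", 0)) >= BULK_BYTES):
            findings.append({"kind": "off_hours_bulk_read", "user": user, "src": src,
                             "detail": f"{rec['bytes']} bytes from {rec.get('path')} "
                                       f"at {rec['ts'].time()}"})

    for rec in parse(vpn_log):
        user, src = rec["user"], rec["src"]
        if rec.get("result") == "success" and rec.get("country") not in EXPECTED_COUNTRIES:
            findings.append({"kind": "vpn_unexpected_country", "user": user, "src": src,
                             "detail": f"successful VPN logon from {rec.get('country')}"})
        if rec.get("result") == "failure":
            failures[(user, src)] += 1

    for (user, src), count in failures.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings.append({"kind": "failed_logon_burst", "user": user, "src": src,
                             "detail": f"{count} failed logons"})
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(f"{finding['kind']:<24} {finding['user']:<12} {finding['src']:<16} {finding['detail']}")
```

On the constructed records the script produces five findings: two sources outside the authorized subnets (one of them a successful logon, which deserves the most attention), one off-hours bulk read by the backup account, one VPN logon from an unexpected country, and one failed-logon burst. Thresholds and the business-hours window are the knobs to tune; the point is that every review cycle runs the same checks and leaves the same shape of evidence.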
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[e] communications are controlled at the external system boundary;
AI Summary
This objective requires organizations to control communications at the boundary of their systems to protect Federal Contract Information (FCI). To demonstrate compliance, an organization needs to show that they have implemented a mechanism, like a firewall, to monitor and control network traffic entering and leaving their systems, and that this mechanism is configured to block potentially malicious traffic. Evidence could include firewall configuration logs, network diagrams showing the boundary, and documentation of the firewall's capabilities.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, directly addressing the CMMC Level 1 objective SC.L1-B.1.X:

Example 1: **Firewall Configuration for Government Property Database Access:** The consulting firm uses a cloud-based government property database (e.g., a GSA-managed system containing lease information) to conduct market analyses for federal clients. To comply with SC.L1-B.1.X, the firm configures its firewall so that outbound connections to the database's addresses are permitted only from the workstations of authorized employees, and the firm's accounts on the database are limited to those same users (access control on the database itself remains the responsibility of the agency that operates it). Furthermore, the firewall is configured with intrusion detection and prevention systems (IDS/IPS) to monitor traffic to and from the database, looking for suspicious activity like brute-force login attempts or unusual data transfer patterns. A log of all firewall activity, including blocked connections and detected intrusions, is reviewed weekly by the IT administrator to ensure the system is functioning as intended and to identify any potential security breaches. This ensures that only authorized personnel within the firm can reach the CUI contained in the government property database.

Example 2: **Secure Email Communication with Federal Agencies:** The firm frequently exchanges emails with federal agencies like DoD and HUD, often containing CUI related to site selection studies, facility assessments, or lease negotiations. To protect these communications, the firm mandates the use of a secure email gateway that scans all incoming and outgoing emails for sensitive data (e.g., PII, CUI markings, keywords related to specific government projects). The gateway is configured to encrypt all emails containing CUI in transit and at rest. Furthermore, the firewall is configured to block unauthorized email protocols (e.g., unencrypted SMTP) and to enforce the use of TLS encryption for all email traffic. Employees are trained to identify and properly mark emails containing CUI to ensure the email gateway can accurately identify and protect the sensitive data. This helps prevent unauthorized access to CUI transmitted via email.

Example 3: **VPN Access for Remote Site Assessments:** Consulting firm employees conduct on-site facility assessments, often accessing internal systems and databases containing CUI-marked site plans and facility inspection reports from remote locations. To protect this data in transit, the firm requires all employees to use a Virtual Private Network (VPN) when accessing internal resources from outside the office network. The firewall is configured to only allow access to internal systems through the VPN. The VPN uses strong encryption protocols (e.g., AES-256) to secure the connection between the employee's device and the firm's network. Multi-factor authentication (MFA) is also required for all VPN connections to further secure access. This prevents unauthorized interception of CUI during remote access.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[f] communications are controlled at key internal boundaries;
AI Summary
This objective requires organizations to control and monitor communications at key internal boundaries within their systems to protect Federal Contract Information (FCI). Compliance can be demonstrated by implementing security measures like firewalls, routers, or intrusion detection systems at these internal boundaries and documenting the rules and configurations that control traffic flow. Evidence should show that these controls are actively monitoring and restricting unauthorized communication attempts.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 requirement SC.L1-B.1.X, tailored to a real estate consulting firm working with government clients:

**Example 1: Internal Network Segmentation for CUI Data**

*Scenario:* The consulting firm uses a shared network environment for all employees. However, the team working on a site selection study for a new DoD facility handles Controlled Unclassified Information (CUI) in the form of CUI-marked site plans and facility specifications. To control access to this CUI at a key internal boundary, the firm implements network segmentation. The project team's computers and the file server where the CUI data is stored are placed on a separate Virtual Local Area Network (VLAN). Access to this VLAN is restricted to only the authorized project team members via network access control lists (ACLs) configured on the firm's router. Employees outside the project team, even if on the same physical network, cannot access the CUI data on the restricted VLAN. The firm maintains documentation of this network segmentation, including a network diagram showing the VLAN configuration and the ACL rules. This ensures that only authorized personnel can access the DoD facility site selection data.

**Example 2: Secure Email Gateway for Client Communication**

*Scenario:* The consulting firm frequently exchanges emails containing sensitive real estate data with government agencies like GSA and HUD. These emails may include lease negotiation documents, facility assessment reports, and financial information related to government-owned properties. To protect communications at the external boundary, the firm implements a secure email gateway with advanced threat protection and data loss prevention (DLP) capabilities. The email gateway scans all incoming and outgoing emails for malicious content (e.g., phishing attempts targeting government employees) and for sensitive data patterns (e.g., Social Security numbers, government contract numbers) that might indicate unauthorized disclosure of CUI. If a potential violation is detected, the email is quarantined, and the security administrator is notified. The firm maintains logs of all email gateway activity, including blocked emails and DLP incidents. This ensures that sensitive information exchanged with government clients is protected from unauthorized access and data breaches.

**Example 3: Controlled Access to Cloud-Based Project Management System**

*Scenario:* The consulting firm uses a cloud-based project management system to manage real estate portfolio data for various government clients. This system contains facility inspection reports, lease agreements, and client correspondence, some of which may be considered CUI. To protect this data at a key internal boundary (i.e., access to the cloud system), the firm implements multi-factor authentication (MFA) for all users accessing the system. Furthermore, role-based access control (RBAC) is implemented within the project management system. Employees are assigned roles based on their job responsibilities, and these roles determine the level of access they have to different projects and data within the system. For example, a junior analyst may have read-only access to certain reports, while a senior project manager has full access to all data related to their assigned projects. The firm maintains documentation of the RBAC configuration, including a matrix showing the roles and their associated permissions. This ensures that only authorized personnel can access and modify the sensitive data stored in the cloud-based project management system.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[g] communications are protected at the external system boundary;
AI Summary
This objective requires that you protect communications entering and leaving your system at its boundaries (like your network's edge). To demonstrate compliance, you need to show that you have implemented controls like firewalls and intrusion detection systems and that you are monitoring and controlling network traffic to prevent unauthorized access and malicious activity. This includes things like blocking access to known malicious websites.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement SC.L1-B.1.X related to boundary protection of FCI data:

**Example 1:**

*Scenario:* The consulting firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage real estate projects involving FCI, such as facility assessments containing sensitive information about government-owned properties. To protect communications at the external boundary, the firm configures the project management system to enforce multi-factor authentication (MFA) for all employees accessing the system, regardless of location. This ensures that only authorized personnel with verified identities can access FCI. Furthermore, the firm implements IP address whitelisting within the project management system, restricting access to only known and approved IP addresses associated with the firm's office and authorized remote work locations. This prevents unauthorized access to FCI from untrusted networks. The firm maintains a documented procedure outlining the MFA and IP whitelisting configuration, including steps for adding/removing authorized IP addresses as needed. The firm also reviews the project management system's audit logs quarterly to identify and investigate any suspicious login attempts or unauthorized access attempts.

**Example 2:**

*Scenario:* The firm utilizes email to exchange FCI with government clients, including lease documents containing Personally Identifiable Information (PII) and site selection studies with CUI-marked maps. To protect these communications, the firm implements email encryption using a solution like Microsoft Purview Information Protection or Virtru. All emails containing FCI are automatically encrypted before being sent outside the firm's network. The firm also establishes a policy that requires employees to verify the identity of recipients before sending any email containing FCI, particularly when sending to new or unfamiliar email addresses. The firm also configures its email server to scan all incoming and outgoing emails for potential phishing attempts and malware, blocking any suspicious emails before they reach employees' inboxes. The firm maintains a documented incident response plan that outlines the steps to take in the event of a suspected email breach or compromise of FCI.

**Example 3:**

*Scenario:* The consulting firm uses a secure file transfer protocol (SFTP) server to exchange large files containing FCI, such as facility inspection reports with detailed photographs and CUI-marked architectural drawings, with government clients. The SFTP server is configured with a firewall that only allows access from authorized IP addresses belonging to the firm and its government clients. The SFTP server also requires strong passwords and regularly audits user accounts to ensure that only authorized personnel have access. All files stored on the SFTP server are encrypted at rest and in transit. The firm maintains a documented procedure for using the SFTP server, including instructions on how to properly encrypt files before uploading them and how to securely download files. The firm also implements intrusion detection and prevention systems (IDS/IPS) on the network to monitor for any malicious activity targeting the SFTP server.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
[h] communications are protected at key internal boundaries.
AI Summary
This objective requires organizations to protect sensitive information (FCI) by monitoring, controlling, and securing communications at critical points within their network. Compliance can be demonstrated by implementing security measures like firewalls, intrusion detection systems, and access controls at internal network boundaries, and by showing evidence of their configuration and monitoring.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 assessment objective SC.L1-B.1.X, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The consulting firm utilizes a shared network drive to store and collaborate on facility assessment reports containing FCI data for a GSA-owned building. These reports include photos, floor plans, and notes on the building's condition. The firm needs to ensure that access to this sensitive information is restricted to authorized personnel within the project team and protected from unauthorized internal access.

*Compliance Action:* The firm implements access control lists (ACLs) on the shared network drive folder containing the facility assessment reports. Only members of the designated project team (identified by their Active Directory accounts) are granted read/write access. All other employees, even those within the firm, are denied access. The firm maintains a documented list of authorized personnel for each project folder and reviews/updates the ACLs whenever team membership changes (e.g., when a consultant is added or removed from the project). This is documented in the firm's access control policy.

**Example 2:**

*Scenario:* The consulting firm uses email to exchange lease documents containing FCI, such as lease rates, square footage, and tenant information, with federal agencies like HUD. These emails are sent both internally and externally.

*Compliance Action:* The firm implements email encryption for all emails containing FCI. This can be achieved through a solution like Microsoft Information Protection (MIP) or a similar email encryption service. A rule is established that any email containing keywords related to sensitive government projects (e.g., "GSA Lease," "HUD Property," "DoD Facility") and/or specific FCI data (e.g., "Lease Rate," "Square Footage," "Government Property Database ID") is automatically encrypted. Employees are trained on the policy and on how to manually encrypt emails if the automatic rule does not trigger. The firm maintains a log of encrypted emails sent and received, demonstrating that communications containing FCI are protected in transit.

**Example 3:**

*Scenario:* The firm's project managers utilize a cloud-based project management system to track the progress of site selection studies for a DoD agency. This system contains FCI such as proposed site locations, cost estimates, and environmental impact assessments.

*Compliance Action:* The firm configures the cloud-based project management system to restrict access to the DoD site selection project data to only authorized personnel. This is achieved through role-based access control (RBAC) within the project management system. Only project managers and consultants specifically assigned to the DoD project are granted access to the project's data. All other employees, even those with administrative access to the overall project management system, are denied access to the DoD project's information. The firm documents the RBAC configuration and maintains an audit log of access attempts, demonstrating that access to the FCI is controlled at a key internal boundary (the project management system). The firm also ensures that the cloud provider has appropriate security certifications (e.g., FedRAMP) to protect the data at rest and in transit.
📄 Policy Templates:
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx
SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.xi — Public-Access System Separation [FCI Data] 2
[a] publicly accessible system components are identified;
AI Summary
This objective requires you to identify all system components that are accessible to the public. To demonstrate compliance, you need to show that you've identified these components and that they are separated from your internal network (where FCI is stored) using a firewall or other similar technology, effectively creating a DMZ.
AI-Generated Examples
Here are three examples of how the real estate consulting firm could satisfy the CMMC Level 1 objective SC.L1-B.1.XI, focusing on realistic scenarios:

**Example 1:**

Scenario: The firm hosts a public-facing website to showcase its real estate expertise and services to potential government clients. This website includes a "Contact Us" form that allows visitors to submit inquiries. While the website itself doesn't directly handle FCI, the firm wants to ensure that any potential vulnerabilities in the website cannot be exploited to access internal systems where FCI is stored, such as databases containing GSA lease agreements or DoD facility inspection reports.

Compliance: The firm implements a Demilitarized Zone (DMZ) for the website. The web server is hosted on a separate subnet, logically isolated from the internal network where FCI is stored. A firewall is configured with strict rules allowing only necessary traffic (e.g., HTTP/HTTPS) to the web server from the internet and only specific, limited traffic from the web server to a designated email server within the internal network for processing "Contact Us" form submissions. The firewall rules are documented, reviewed, and updated regularly. This prevents direct access to internal FCI data from a compromised public-facing website.

**Example 2:**

Scenario: The firm uses a cloud-based Customer Relationship Management (CRM) system to manage client interactions and track project progress. While the CRM primarily contains business contact information, it also stores summaries of client meetings that *could* contain incidental references to FCI, such as project names or facility locations that are considered CUI. The CRM system is accessible to employees both on the internal network and remotely via the internet.

Compliance: The firm implements a policy requiring that any CRM data that *could* be considered FCI be stored with appropriate security controls. The firm uses a cloud-based CRM system that offers the capability to isolate the CRM data in a dedicated virtual network (VNet) within the cloud provider's infrastructure. This VNet is logically separated from the firm's internal network and other public-facing services. Access to the VNet is controlled via a firewall and multi-factor authentication (MFA). Further, the firm implements data loss prevention (DLP) rules within the CRM to detect and prevent the entry of sensitive keywords (e.g., "Controlled Unclassified Information," "FOUO," specific facility codes) into the CRM system, further reducing the risk of accidental FCI exposure.

**Example 3:**

Scenario: The firm provides a public-facing portal for government clients to access non-sensitive project status updates and download publicly available documents (e.g., zoning regulations, environmental impact assessments). However, the portal is hosted on the same physical server as a database containing CUI-marked site plans and facility assessments.

Compliance: The firm virtualizes the public-facing portal and the CUI database on separate virtual machines (VMs). Each VM is placed on its own virtual network (VLAN), logically isolated from the other. A firewall is configured to restrict communication between the VLANs, preventing the public-facing portal from accessing the CUI database. The firm also implements intrusion detection and prevention systems (IDS/IPS) to monitor network traffic and detect any unauthorized attempts to access the CUI database from the public-facing portal. This ensures that even if the public-facing portal is compromised, the CUI database remains protected.
📄 Policy Templates:
SC.L1-b.1.xi-NetworkDiagrams.docx
SC.L1-b.1.xi-NetworkSegmentationPolicy.docx
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
AI Summary
This objective requires you to isolate any publicly accessible system components (like a website) from your internal network where Federal Contract Information (FCI) is stored. To demonstrate compliance, you need to show that you've implemented a physical or logical separation (like a DMZ using a firewall) between the public-facing system and the internal network containing FCI, ensuring no direct access is possible.
AI-Generated Examples
Here are three concrete compliance examples for SC.L1-B.1.XI, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm hosts a public-facing web portal to allow government agencies to access non-sensitive information about available commercial properties for lease. This portal includes property addresses, square footage, and publicly available zoning information. However, the firm’s internal network stores sensitive facility assessment reports (containing FCI related to structural vulnerabilities) and lease documents with confidential government terms. To comply with SC.L1-B.1.XI, the firm implements a Demilitarized Zone (DMZ) for the web portal. The portal is hosted on a separate server, logically isolated from the internal network using a firewall. The firewall is configured with strict rules to prevent any traffic from the public-facing web server from accessing the internal network where FCI resides. Regular penetration testing is conducted on the DMZ to ensure the firewall rules are effective and no unauthorized access is possible. The firm maintains documentation of the network architecture, firewall rules, and penetration testing results.

**Example 2:**

*Scenario:* The firm utilizes a cloud-based project management system to track real estate portfolio management activities for a federal agency. This system contains project timelines, budget information, and client correspondence. While the project management system itself is not directly storing FCI, some documents attached to the project records, such as CUI-marked site plans received from the client (e.g., DoD), are considered FCI. The firm also uses a separate, internal file server to store the actual CUI-marked site plans. To comply with SC.L1-B.1.XI, the firm ensures that the cloud-based project management system is treated as a "public-access system component" even though it requires authentication. The firm configures the cloud environment with network segmentation, logically separating the project management system from the internal network where the file server containing the original CUI-marked site plans resides. Access control lists (ACLs) are implemented to restrict network traffic between the cloud environment and the internal network. This prevents any potential compromise of the cloud system from leading to unauthorized access to the internal FCI.

**Example 3:**

*Scenario:* The firm uses a third-party vendor to conduct drone-based facility inspections for government properties. The drones collect visual and thermal imagery, which may contain FCI if the properties are deemed critical infrastructure. The vendor uploads the raw data to a secure cloud storage location accessible to the firm. To comply with SC.L1-B.1.XI, the firm treats the vendor's secure cloud storage as a public-access system component. The firm ensures that the cloud storage is logically separated from its internal network using a firewall or other network segmentation techniques. The firm implements strict access controls to limit access to the cloud storage to only authorized personnel. Furthermore, the firm establishes a secure Virtual Private Network (VPN) connection for authorized personnel to access the cloud storage from their internal network. The VPN connection is configured with strong encryption and multi-factor authentication to protect the data in transit.
📄 Policy Templates:
SC.L1-b.1.xi-NetworkDiagrams.docx
SC.L1-b.1.xi-NetworkSegmentationPolicy.docx

System and Information Integrity (SI)

4 requirements · 12 objectives
si.l1-b.1.xii — Flaw Remediation [FCI Data] 6
[a] the time within which to identify system flaws is specified;
AI Summary
This objective requires organizations to define a timeframe for identifying flaws in systems that process Federal Contract Information (FCI). To demonstrate compliance, an organization must have a documented policy or procedure that specifies how often they check for system flaws (e.g., weekly, monthly) and be able to show evidence that they are adhering to that defined timeframe.
AI-Generated Examples
Here are three concrete, realistic compliance examples for SI.L1-B.1.XII – FLAW REMEDIATION [FCI DATA], tailored to a real estate consulting firm advising government clients:

**Example 1:**
The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to track all client engagements, including those involving FCI like facility assessments and lease negotiations. This system contains client names, property addresses, lease terms, and other sensitive information. The IT Manager is responsible for monitoring the project management system vendor's security advisories and patch release notes. The firm establishes a policy requiring the IT Manager to check the vendor's security portal at least twice per month for newly identified vulnerabilities. If a vulnerability is identified that could impact the confidentiality, integrity, or availability of FCI stored in the project management system, the IT Manager is required to assess the severity of the vulnerability using the vendor's rating or a standardized system like CVSS. High and Critical vulnerabilities must be addressed (e.g., by applying a patch or implementing a workaround) within 72 hours. Medium vulnerabilities must be addressed within one week, and Low vulnerabilities must be addressed within one month. All remediation activities are documented in a vulnerability management log, including the vulnerability ID, affected system, remediation action taken, and date of completion.

**Example 2:**
The firm uses GIS (Geographic Information System) software (e.g., ArcGIS) to create and manage maps containing sensitive property data, including CUI-marked site plans provided by government clients. These maps are often used in site selection studies and portfolio management. The firm's GIS specialist is designated as the point of contact for monitoring security updates and patches released by the GIS software vendor. A written procedure dictates that the GIS specialist will check the vendor's support website weekly for new security patches. When a patch is released, the GIS specialist will evaluate its impact on the firm's GIS workflows and FCI data. If the patch addresses a vulnerability that could expose CUI or disrupt critical operations, the GIS specialist will apply the patch within one week in a test environment. After successful testing, the patch will be deployed to the production GIS environment within two weeks. The GIS specialist maintains a record of all applied patches, including the patch ID, date of application, and any known issues.

**Example 3:**
The firm uses Microsoft Office 365, including Outlook, Word, and Excel, for day-to-day operations, including client communication and document creation. These documents often contain FCI related to government properties and lease agreements. The IT department has enabled automatic updates for Microsoft Office 365 on all employee workstations. The IT department also subscribes to Microsoft's Security Update Guide and actively monitors for critical security updates related to Office 365 applications. If a critical vulnerability is identified in a Microsoft Office 365 application that could lead to the compromise of FCI, the IT department will send an email to all employees within 24 hours warning them about the vulnerability and providing instructions on how to mitigate the risk (e.g., avoiding opening suspicious attachments, being cautious about clicking on links in emails). The IT department will also prioritize the deployment of the security update to all workstations as quickly as possible, aiming for a 72-hour turnaround for critical updates. A record of all security alerts and employee notifications is maintained by the IT department.
📄 Policy Templates:
SI.L1-b.1.xii-PatchManagementPolicy.docx
SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
[b] system flaws are identified within the specified time frame;
AI Summary
This objective requires you to identify system flaws (vulnerabilities) affecting FCI data within a reasonable timeframe. To demonstrate compliance, you need to show that you have processes in place to regularly check for and identify these flaws, such as monitoring vendor websites or using vulnerability scanning tools. You also need to have a defined timeframe for identifying these flaws.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, demonstrating how they would satisfy the CMMC Level 1 objective SI.L1-B.1.XII – Flaw Remediation [FCI Data]:

**Example 1:**

Scenario: The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to track all real estate projects, including those involving FCI like facility assessments for a DoD client. This system contains sensitive information such as property addresses, lease terms, and planned renovations. The project management system vendor releases a security update addressing a vulnerability that could allow unauthorized access to project data.

Compliance Action:

1. The firm's IT support staff subscribes to the vendor's security advisory mailing list and monitors the vendor's website for security announcements (objective a).
2. Upon receiving the security update notification, the IT support staff assesses the severity of the vulnerability based on the vendor's rating and potential impact on FCI stored within the system.
3. The IT support staff applies the update within one week of the vendor's release (objective c,e).
4. The IT support staff documents the vulnerability, the assessment, and the remediation steps taken in an internal log (objective f).

**Example 2:**

Scenario: The firm utilizes a Geographic Information System (GIS) software package (e.g., Esri ArcGIS) to create and manage maps containing FCI, such as CUI-marked site plans of government properties. This software is installed on employee workstations. The GIS software vendor releases a patch to address a flaw that could potentially expose sensitive location data.

Compliance Action:

1. The firm's IT support staff configures the GIS software to automatically check for updates weekly (objective b,e).
2. When the software detects the patch, the IT support staff reviews the release notes to understand the nature of the flaw and its potential impact on FCI.
3. The IT support staff tests the patch in a non-production environment to ensure compatibility with existing workflows and data.
4. After successful testing, the IT support staff deploys the patch to all workstations with the GIS software within one week (objective c,e).
5. The IT support staff documents the patch deployment process, including the date of deployment and any issues encountered, in a central log (objective f).

**Example 3:**

Scenario: A consultant within the firm uses Microsoft Office (Word, Excel) on their company laptop to create reports containing FCI related to lease negotiations with the GSA. A zero-day vulnerability is announced affecting Microsoft Office that could allow malicious code execution if a specially crafted document is opened.

Compliance Action:

1. The firm's IT support staff monitors security news sources and receives alerts about the zero-day vulnerability (objective a).
2. Given the severity of the zero-day vulnerability, the IT support staff immediately notifies all employees via email, warning them about the potential threat and advising them to exercise caution when opening email attachments or documents from untrusted sources.
3. The IT support staff deploys a temporary workaround, such as disabling macros or enabling enhanced security features in Microsoft Office, while awaiting a formal patch from Microsoft (objective c,e).
4. Once Microsoft releases a patch, the IT support staff deploys the patch to all company laptops within 72 hours using a centralized patch management system or by providing clear instructions to employees on how to install the update (objective c,e).
5. The IT support staff verifies that the patch has been successfully installed on all laptops and documents the remediation efforts in a central log (objective f).
📄 Policy Templates:
SI.L1-b.1.xii-PatchManagementPolicy.docx
SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
[c] the time within which to report system flaws is specified;
AI Summary
This objective requires you to specify a timeframe for reporting system flaws. To demonstrate compliance, you need to have a documented policy or procedure that outlines how quickly identified flaws are reported to the appropriate personnel responsible for information security. This timeframe should be reasonable and consider the potential impact of the flaw.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the given CMMC Level 1 objective, tailored to a real estate consulting firm working with government clients:

**Example 1:**
Scenario: The firm uses a cloud-based project management system (e.g., Asana, Monday.com, or a custom solution) to track all real estate projects involving FCI, such as facility assessments containing security vulnerabilities of government-owned buildings. The system stores project documents, including facility inspection reports, CUI-marked site plans, and client correspondence with federal agencies. The firm establishes a policy that the IT department will monitor security advisories for the project management system and any integrated applications (e.g., document storage, communication tools) on a bi-weekly basis. Critical vulnerabilities (rated High or Critical by the vendor) must be patched or mitigated within 72 hours of notification. Non-critical vulnerabilities must be patched or mitigated within 30 days. The IT department documents the monitoring process, the vulnerabilities identified, and the remediation actions taken in a vulnerability tracking log.

**Example 2:**
Scenario: The firm uses commercial GIS (Geographic Information System) software (e.g., ArcGIS, QGIS) to create and manage maps containing sensitive property data and facility locations. This software is used for site selection studies and real estate portfolio management for government clients. The firm's policy requires the designated GIS administrator to subscribe to the GIS vendor's security notification service. Upon receiving a security alert, the administrator logs it and reports it to the IT manager the same business day, then assesses the potential impact on the firm's systems and data, prioritizing anything that affects the GIS software and the extensions used to process FCI. The risk assessment is documented, and patching is prioritized by the severity of the vulnerability and the potential impact to FCI. The patching schedule and completed actions are recorded in a patch management log.

**Example 3:**
Scenario: The firm uses commercially available software (e.g., Adobe Acrobat, Microsoft Office) to create, edit, and store documents containing FCI, such as lease agreements, facility assessments, and client reports. The firm's policy requires automatic updates to be enabled for these applications and requires employees to restart their computers at least once per week so that pending updates are fully applied. Employees who see a failed or blocked update, or any other suspected flaw, report it to the IT department within one business day. The IT department uses a centralized software deployment tool (e.g., Microsoft Intune, PDQ Deploy) to push critical security updates to all employee computers within 7 days of release, generates reports from the tool to verify that updates were installed on every system, and follows up promptly on any failures.
📄 Policy Templates:
SI.L1-b.1.xii-PatchManagementPolicy.docx
SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
[d] system flaws are reported within the specified time frame;
AI Summary
This objective requires you to report identified system flaws (vulnerabilities) affecting Federal Contract Information (FCI) within a defined timeframe. To demonstrate compliance, you need to show that you have a process for identifying flaws, reporting them to the appropriate personnel, and that these reports are made within the timeframes you've established (and justified).
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective SI.L1-B.1.XII (Flaw Remediation):

Example 1: **Vulnerability Scanning of Real Estate Portfolio Management Software:**

The firm uses a cloud-based real estate portfolio management platform to manage government property data, including lease terms, facility assessments, and property values. The platform holds site plans and generates reports for clients such as GSA and DoD. The firm subscribes to the vendor's security update notifications. When the vendor announces a critical vulnerability in the platform (e.g., a SQL injection flaw that could expose lease data), the designated IT personnel (or a managed service provider) logs the notification the same business day and reviews the vendor's remediation guidance. Within 72 hours, the timeframe the policy defines for critical flaws, the firm applies the vendor-provided patch or implements the recommended workaround. IT personnel then verify the fix and document the remediation, including the vulnerability identifier (e.g., CVE number), date of discovery, date of reporting, date of remediation, and verification results. This record is retained as evidence.

Example 2: **Anti-Virus Updates on Workstations Handling Facility Inspection Reports:**

Consultants use company-issued laptops to conduct facility inspections and generate reports containing sensitive information about government properties. These reports, which contain FCI, are stored on the laptops and shared internally over the company network. The firm runs a centrally managed anti-virus solution on all workstations, configured to download and install definition updates automatically every day. If an update fails on a workstation (e.g., because of a network problem), the management console raises an alert; that alert is the flaw report, and the policy requires the IT help desk to act on it the same business day by contacting the affected user and getting the update installed. The console's record of successful and failed updates is reviewed weekly to confirm that every system is protected.

Example 3: **Patching of Server Hosting Internal Project Management System:**

The firm uses an internal project management system hosted on a local server to track project progress, manage client communications (including emails with federal agencies like HUD), and store documents related to site selection studies. The IT department has a defined process for patching the server operating system (e.g., Windows Server) and applications (e.g., database software). The IT team subscribes to Microsoft security update notifications. Upon receiving notification of a critical security vulnerability in the Windows Server operating system, the IT team schedules a maintenance window. Within one week of the notification (a defined "timely manner" based on the severity of the vulnerability and the need to coordinate downtime), the IT team applies the security patch to the server. Before applying the patch to the production server, the IT team tests it on a non-production environment. A record of the patching process, including the date of the patch installation, the vulnerability identifier, and the test results, is documented and retained.
📄 Policy Templates:
SI.L1-b.1.xii-PatchManagementPolicy.docx
SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
[e] the time within which to correct system flaws is specified;
AI Summary
This objective requires organizations to define and document the timeframe within which they will correct identified flaws in systems processing Federal Contract Information (FCI). To demonstrate compliance, an organization needs to have a documented policy or procedure specifying these timeframes, which may vary based on the severity of the flaw and the system's criticality. The organization must also be able to show evidence that they adhere to these defined timeframes when addressing identified flaws.
AI-Generated Examples
Here are three compliance examples for the CMMC Level 1 objective SI.L1-B.1.XII, tailored for a real estate consulting firm working with government clients:

**Example 1:**

Scenario: The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to track all real estate projects involving FCI, such as lease negotiations with the GSA. This system stores client data, including property addresses, lease terms, and financial information related to government leases. The IT Manager is responsible for monitoring security advisories from the project management system vendor. The firm establishes a policy stating that security patches identified as "critical" by the vendor (e.g., those addressing remote code execution vulnerabilities) will be applied to the system within 72 hours of their release. "High" priority patches will be applied within one week. A log is maintained documenting the date of the advisory, the patch applied, and the date of application. The IT Manager documents the patch process in the system's configuration management documentation. For example, if the project management system vendor releases a critical patch addressing a vulnerability that could allow unauthorized access to FCI, the IT Manager will immediately schedule the patch, apply it within 72 hours, and document the action in the system's change log.

**Example 2:**

Scenario: The consulting firm uses specialized Geographic Information System (GIS) software (e.g., ESRI ArcGIS) to create and manage maps containing FCI, such as site plans and facility assessments for DoD properties. The firm's policy requires the GIS administrator to check for software updates and security patches from the GIS vendor monthly. Each security patch is assessed for severity and applicability to the firm's GIS environment, and patches rated "critical" or "high" are applied within 30 days. The GIS administrator keeps a spreadsheet recording the patch release date, severity rating, date applied, and the systems patched. For instance, if the vendor releases a patch for a flaw in how the GIS software handles geospatial data containing FCI, the administrator prioritizes it, applies it within the established timeframe, and records the action in the spreadsheet.

**Example 3:**

Scenario: The firm uses Microsoft Office 365 for email, document creation, and collaboration. This includes storing and transmitting FCI related to government real estate projects, such as lease agreements and correspondence with HUD. The firm's policy mandates that automatic updates are enabled for Microsoft Office 365 applications on all employee workstations. The IT department uses Microsoft Intune to manage updates and ensure that all devices are running the latest versions. The IT department monitors Microsoft's Security Update Guide for critical vulnerabilities and ensures that any necessary configuration changes or manual interventions are implemented within 14 days of the update's release. For example, if a vulnerability is announced affecting the handling of attachments in Microsoft Outlook that could expose FCI, the IT department will review the advisory, implement any recommended configuration changes (e.g., disabling certain attachment types), and verify that all workstations have received the relevant security updates. The actions taken are documented in the IT department's change management system.
📄 Policy Templates:
SI.L1-b.1.xii-PatchManagementPolicy.docx
SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
[f] system flaws are corrected within the specified time frame.
AI Summary
This objective requires you to fix identified flaws in your systems that handle Federal Contract Information (FCI) within a reasonable timeframe. To demonstrate compliance, you need to show that you have a process for identifying flaws (e.g., checking vendor websites), a defined timeframe for correcting them based on severity, and evidence that you're actually implementing those fixes according to your schedule.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm could comply with CMMC Level 1's SI.L1-B.1.XII requirement, specifically focusing on the "Flaw Remediation [FCI Data]" objective:

**Example 1:**

The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage all real estate projects involving FCI data. This system contains tasks, timelines, and documents related to government property assessments, lease negotiations, and site selection studies. The system vendor regularly releases security updates and patches. The firm implements a policy requiring the IT administrator to subscribe to the project management system vendor's security advisory mailing list and check their security bulletin webpage at least twice per month. Upon receiving a notification of a critical vulnerability affecting the system, the IT administrator will assess the potential impact on FCI data stored within the system (e.g., reviewing which projects are actively using the vulnerable feature). If the vulnerability is deemed critical and exploitable, the IT administrator will apply the vendor-provided patch or implement a workaround within 72 hours. This action and its justification are documented in a vulnerability management log, including the date of notification, vulnerability description, affected systems, remediation steps taken, and date of remediation. Screenshots or other evidence of the patch installation are also included.

**Example 2:**

The firm uses GIS (Geographic Information System) software (e.g., ArcGIS) to create and analyze maps containing FCI, such as site plans, facility locations, and property boundaries. The GIS software is installed on several workstations used by project managers and analysts. The IT department runs a monthly vulnerability scan of all workstations with a vulnerability scanner (e.g., Nessus, OpenVAS). The IT administrator reviews the results and identifies vulnerabilities in the GIS software or its underlying operating system. Where a vulnerability could compromise the confidentiality, integrity, or availability of FCI stored or processed by the GIS software (e.g., a remote code execution flaw), the administrator prioritizes patching the affected workstations: within one week of discovery for critical vulnerabilities and within one month for high-severity ones. The scan results, vulnerability assessment, and patching activity are recorded in a vulnerability management report.

**Example 3:**

The firm uses Microsoft Office 365 (including Word, Excel, and PowerPoint) to create reports, presentations, and other documents containing FCI related to lease negotiations, facility inspection reports, and real estate portfolio management. The firm enables automatic updates for Microsoft Office 365 on all employee workstations. The IT administrator also monitors Microsoft's Security Update Guide (SUG) website for any security advisories related to Office 365 applications. If a critical security vulnerability is identified in an Office 365 application that could potentially lead to the exfiltration or modification of FCI data, the IT administrator will verify that the automatic updates have been successfully applied to all workstations. If any workstations are found to be missing the necessary updates, the IT administrator will manually install the updates and verify their successful installation. The IT administrator also sends an email to all employees reminding them to restart their computers to ensure the updates are fully applied. A log is kept of the vulnerability, the remediation steps taken (verifying automatic updates, manual installation), and the date of remediation.
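The timeframes in these examples only become evidence when someone actually checks the log against them. The script below is an added example (not part of this page, its templates, or any vendor tool): it reads a vulnerability tracking log of the kind described above and reports, for each entry, whether the correction met the severity-based window or is now overdue as of the review date. The log columns, the severity-to-window table, and the sample entries are all constructed assumptions for the example; a firm would substitute its own policy values.

```python
"""Check a flaw-remediation log against severity-based correction windows.

Added example for objectives [e] and [f]; not from the page or any product.
Log format, window table and sample rows are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Correction windows from the (assumed) policy, keyed by vendor severity.
CORRECTION_WINDOW = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}

# Constructed sample log. "corrected" is blank while the flaw is still open.
SAMPLE_LOG = """\
id,system,severity,identified,corrected
VULN-0001,pm-saas,critical,2024-03-01T09:00:00Z,2024-03-02T15:30:00Z
VULN-0002,gis-ws-04,high,2024-03-03T10:00:00Z,2024-03-12T10:00:00Z
VULN-0003,file-srv-01,medium,2024-02-01T08:00:00Z,
VULN-0004,pm-saas,critical,2024-03-10T12:00:00Z,
"""


def parse_ts(text):
    """Parse the log's UTC timestamps (ISO 8601 with a trailing Z)."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(log_text, as_of):
    """Return one dict per log entry with its deadline and SLA status.

    Status is one of: met (closed before the deadline), missed (closed late),
    open (still unfixed, deadline not yet reached), overdue (unfixed and late).
    """
    results = []
    for row in csv.DictReader(io.StringIO(log_text)):
        severity = row["severity"].strip().lower()
        window = CORRECTION_WINDOW.get(severity)
        if window is None:
            # An unknown severity cannot be judged against a window; surface it
            # rather than silently treating the entry as compliant.
            raise ValueError(f"{row['id']}: unknown severity {severity!r}")
        identified = parse_ts(row["identified"])
        deadline = identified + window
        if row["corrected"].strip():
            corrected = parse_ts(row["corrected"])
            status = "met" if corrected <= deadline else "missed"
            elapsed = corrected - identified
        else:
            status = "open" if as_of <= deadline else "overdue"
            elapsed = as_of - identified
        results.append({
            "id": row["id"],
            "system": row["system"],
            "severity": severity,
            "deadline": deadline,
            "elapsed_hours": round(elapsed.total_seconds() / 3600, 1),
            "status": status,
        })
    return results


def summarize(results):
    """Count entries per status; 'missed' and 'overdue' are the findings."""
    counts = {"met": 0, "missed": 0, "open": 0, "overdue": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    # Fixed review date so the sample is reproducible; use
    # datetime.now(timezone.utc) for a real weekly review.
    now = parse_ts("2024-03-12T00:00:00Z")
    rows = evaluate(SAMPLE_LOG, now)
    for r in rows:
        print(f"{r['id']:10} {r['severity']:8} {r['status']:8} "
              f"deadline {r['deadline']:%Y-%m-%d %H:%M}Z elapsed {r['elapsed_hours']}h")
    print(summarize(rows))
```

Run on the sample data, the report shows one critical flaw fixed within its window, one high flaw closed two days late, one medium flaw still open past its 30-day window, and one critical flaw open but still inside its 72 hours. The two late entries are the items an assessor will ask about, so a firm would keep this output with the log as the evidence that the review happened.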
📄 Policy Templates:
SI.L1-b.1.xii-PatchManagementPolicy.docx
SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xiii — Malicious Code Protection [FCI Data] 2
[a] designated locations for malicious code protection are identified;
AI Summary
This objective requires organizations to identify specific locations within their systems where malicious code protection measures are implemented. To demonstrate compliance, an organization needs to document and provide evidence of these designated locations, such as firewalls, servers, and workstations, where anti-malware software or other protective measures are in place to safeguard Federal Contract Information (FCI).
AI-Generated Examples
Here are three concrete compliance examples for SI.L1-B.1.XIII tailored to a real estate consulting firm working with government clients:

**Example 1:** A consultant is preparing a comprehensive facility assessment report for a GSA-leased property containing FCI related to the building's security systems. This report includes photographs taken on-site and is compiled using a company-issued laptop. To protect against malicious code, the laptop has a centrally managed anti-malware solution (e.g., CrowdStrike, Microsoft Defender) with regularly updated signature definitions (at least daily). Before opening any attachments received via email related to the project (e.g., architectural drawings, prior assessment reports), the consultant scans them with the anti-malware software. The consultant also scans the completed report and all associated files before uploading it to the firm's secure cloud storage solution for review and delivery to the GSA client.

**Example 2:** The firm's site selection team uses a web-based government database (e.g., a DoD real property database) to identify potential properties for a new federal agency office. To protect against malicious code, the firm implements a web filtering solution that blocks access to known malicious websites and scans downloaded files for malware. Additionally, all team members are required to complete annual cybersecurity awareness training that covers identifying phishing emails and avoiding suspicious websites. The team also uses a secure browser extension that flags potentially risky websites based on community feedback and reputation.

**Example 3:** The firm's project managers use a cloud-based project management system to track tasks, deadlines, and deliverables for a lease negotiation project involving site plans that contain FCI. Because the system is a hosted service, the designated locations are the provider's upload scanning plus the firm's own endpoints: the firm confirms from the provider's documentation or assurance report that files uploaded to the system, including lease documents and site plans, are scanned for malware on upload, and keeps anti-malware running on every workstation that accesses the system. Multi-factor authentication is required for all users as a separate access-control measure; it does not by itself protect against malicious code. Where the provider exposes a log of scan results, the IT department reviews it periodically.
📄 Policy Templates:
SI.L1-b.1.xiii-AntivirusManagementPolicy.docx
SI.L1-b.1.xiii-AntivirusScanLogTemplate.docx
[b] protection from malicious code at designated locations is provided.
AI Summary
This objective requires organizations to implement and maintain protection against malicious code (like viruses and spyware) at key locations within their systems that handle Federal Contract Information (FCI). To demonstrate compliance, organizations need to show they have deployed and are actively using anti-malware solutions (like antivirus software) on systems such as workstations, servers, and mobile devices that process, store, or transmit FCI.
AI-Generated Examples
Here are three concrete examples of how the real estate consulting firm could satisfy the CMMC Level 1 objective SI.L1-B.1.XIII, focusing on protection from malicious code when handling FCI data:

**Example 1:**

*Scenario:* The firm's real estate analysts frequently download property data from government websites, including the GSA's Real Property Profile (RPP) database. This data contains FCI as it details sensitive information about federal properties. To prevent malicious code from entering the system via these downloads, the firm implements the following:
* **Anti-Malware on Workstations:** All workstations used to access and download data from the GSA RPP database have active, up-to-date anti-malware software installed and configured for real-time scanning.
* **Download Scanning:** The anti-malware software is configured to automatically scan all downloaded files from the GSA RPP website before they are opened or saved to the firm's network.
* **Restricted Access:** Analysts are trained to download data only from official government websites and to verify the site's authenticity (e.g., checking that it is a .gov domain served with a valid TLS certificate). They are prohibited from using personal devices to access or download government data.
* **Artifacts:** The firm maintains a software inventory list showing the anti-malware software installed on each workstation, along with the date of the last virus definition update. They also keep records of security awareness training provided to analysts on safe downloading practices.

**Example 2:**

*Scenario:* The firm's project managers regularly exchange emails containing facility inspection reports (which may include photographs and assessments of building security), lease documents, and CUI-marked site plans with government clients like DoD and HUD. To protect against malicious code transmitted via email, the firm implements the following:
* **Email Server Anti-Malware:** The firm's email server has anti-malware software installed that scans all incoming and outgoing emails and attachments for malicious code.
* **Attachment Restrictions:** The firm's email security policy restricts the types of attachments that can be sent and received. Executable files (.exe, .bat, .scr) are blocked, and users are warned about opening attachments from unknown senders.
* **Phishing Awareness Training:** Employees receive regular phishing awareness training to help them identify and avoid malicious emails that may contain links to malicious websites or attachments.
* **Artifacts:** The firm keeps logs of email server anti-malware scans, documenting any detected threats. They also maintain records of phishing awareness training provided to employees, including the dates and topics covered.

**Example 3:**

*Scenario:* The firm uses a central project management system to store and manage all project-related documents, including client correspondence, site selection studies, and real estate portfolio management data. To protect this system from malicious code, the firm implements the following:
* **Server Anti-Malware:** The server hosting the project management system has active, up-to-date anti-malware software installed.
* **Regular System Scans:** The server is regularly scanned for malware, and any detected threats are promptly addressed.
* **Access Controls:** Access to the project management system is restricted to authorized personnel only, and users are required to use strong passwords and multi-factor authentication.
* **File Integrity Monitoring:** The firm uses a file integrity monitoring (FIM) tool to detect unauthorized changes to the project management system's files and configurations.
* **Artifacts:** The firm maintains a system security plan that outlines the security measures protecting the project management system. It also keeps logs of server anti-malware scans, access control lists, and file integrity monitoring alerts.
📄 Policy Templates:
SI.L1-b.1.xiii-AntivirusManagementPolicy.docx
SI.L1-b.1.xiii-AntivirusScanLogTemplate.docx
si.l1-b.1.xiv — Update Malicious Code Protection [FCI Data] 1
[a] malicious code protection mechanisms are updated when new releases are available.
AI Summary
This objective requires you to keep your anti-malware software up-to-date with the latest releases and definitions. To demonstrate compliance, you need to show that your systems are configured to automatically check for and install updates for your malicious code protection mechanisms (like anti-virus) on a regular basis. This ensures your systems are protected against the latest threats.
AI-Generated Examples
Here are three compliance examples tailored to the real estate consulting firm, addressing the SI.L1-B.1.XIV requirement:

**Example 1:** The firm utilizes laptops to conduct on-site facility assessments and generate inspection reports containing FCI, such as identifying vulnerabilities within a government-owned building's security system. These laptops are protected by a centrally managed anti-malware solution. To comply with SI.L1-B.1.XIV, the IT department configures the anti-malware software on all company-issued laptops to automatically check for and install new signature updates at least once per day. Furthermore, the IT department maintains a log of successful and failed update attempts for each laptop. This log is reviewed weekly to ensure all systems are receiving updates, and any failures are promptly investigated and remediated. Evidence of compliance includes screenshots of the anti-malware configuration showing automatic updates enabled, and a sample of the weekly log review report.

**Example 2:** The firm uses a cloud-based project management system to store and manage documents related to lease negotiations with the General Services Administration (GSA). This system contains FCI, including lease terms, property appraisals, and sensitive communications. The firm's IT security policy mandates that all endpoints accessing the system (employee workstations and mobile devices) run up-to-date anti-malware software. A click-through acknowledgement by the user at login is weak evidence on its own, because it records what the user believes rather than the endpoint's actual state. To produce evidence an assessor can verify, the firm enrolls workstations and mobile devices in its device management platform, which reports the anti-malware version and definition date for each device, and configures the project management system (or the identity provider in front of it) to grant access only to devices the management platform reports as compliant. The device compliance reports and the access-policy configuration are retained as the evidence for SI.L1-b.1.xiv.

**Example 3:** The firm's GIS analysts use specialized software on their workstations to create and analyze site plans containing FCI, such as maps showing the location of government facilities. These workstations are protected by a commercial anti-malware solution. To keep the protection mechanism itself current, the IT department subscribes to the vendor's security advisory mailing list. On notification of a new engine release or a critical signature update, the IT department tests the update in a non-production environment; once it is verified as stable, the update is deployed to all GIS workstations within 24 hours, either automatically through the central management console or by a scripted installation. The IT department retains the advisory notifications, test results, and deployment records as evidence that new releases are applied promptly.
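The weekly log review in Example 1 is easy to do badly: looking only at the hosts that appear in the console misses the laptop that has stopped reporting entirely, and the console never shows a host the inventory forgot. The script below is an added example (not from this page, its templates, or any anti-malware vendor's console): it reconciles a console export of last-definition-update times against the firm's endpoint inventory and flags stale, silent, and unexpected hosts. The export columns, the inventory, the 48-hour threshold (the policy says daily, so one missed cycle is tolerated before flagging), and the sample rows are all constructed assumptions.

```python
"""Reconcile anti-malware definition freshness against the asset inventory.

Added example for SI.L1-b.1.xiv; not from the page or any vendor console.
Export format, inventory, threshold and sample rows are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Policy says definitions update daily; tolerate one missed cycle before flagging.
STALE_AFTER = timedelta(hours=48)

# Constructed inventory of endpoints that must run managed anti-malware.
INVENTORY = ["LT-0101", "LT-0102", "LT-0103", "GIS-WS-04", "FILE-SRV-01"]

# Constructed console export: each reporting host's last successful
# definition update. LT-0103 is missing (agent dead or never installed)
# and CONTRACTOR-PC is reporting but is not in the inventory.
CONSOLE_EXPORT = """\
hostname,last_definition_update
LT-0101,2024-03-11T06:12:00Z
LT-0102,2024-03-06T22:40:00Z
GIS-WS-04,2024-03-11T05:58:00Z
FILE-SRV-01,2024-03-11T06:01:00Z
CONTRACTOR-PC,2024-03-11T06:03:00Z
"""


def parse_ts(text):
    """Parse the export's UTC timestamps (ISO 8601 with a trailing Z)."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review(export_text, inventory, as_of, stale_after=STALE_AFTER):
    """Classify every inventoried host and flag hosts the inventory does not know.

    ok:            reporting, definitions newer than stale_after
    stale:         reporting, but definitions older than stale_after -> (host, age_hours)
    not_reporting: in the inventory, absent from the console
    unknown_host:  in the console, absent from the inventory
    """
    reported = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reported[row["hostname"].strip().upper()] = parse_ts(row["last_definition_update"])
    expected = {h.strip().upper() for h in inventory}

    findings = {"ok": [], "stale": [], "not_reporting": [], "unknown_host": []}
    for host in sorted(expected):
        last = reported.get(host)
        if last is None:
            findings["not_reporting"].append(host)
            continue
        age = as_of - last
        if age > stale_after:
            findings["stale"].append((host, round(age.total_seconds() / 3600, 1)))
        else:
            findings["ok"].append(host)
    # Hosts the console knows but the inventory does not are a finding too:
    # either the inventory is incomplete or something unexpected has the agent.
    findings["unknown_host"] = sorted(set(reported) - expected)
    return findings


def needs_action(findings):
    """True when any host is stale, silent, or unaccounted for."""
    return bool(findings["stale"] or findings["not_reporting"] or findings["unknown_host"])


if __name__ == "__main__":
    # Fixed review time so the sample is reproducible; use
    # datetime.now(timezone.utc) for a real weekly review.
    review_time = parse_ts("2024-03-12T08:00:00Z")
    result = review(CONSOLE_EXPORT, INVENTORY, review_time)
    for category, hosts in result.items():
        print(f"{category:14} {hosts}")
    print("action required:", needs_action(result))
```

On the sample data the review reports three healthy hosts, LT-0102 with definitions more than five days old, LT-0103 silent, and CONTRACTOR-PC reporting without being inventoried. Each of the last three is a separate ticket; the printed output, kept with the console export and the inventory snapshot, is the weekly review record the example above calls for.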
📄 Policy Templates:
SI.L1-b.1.xiv-AntivirusUpdateLogTemplate.docx
SI.L1-b.1.xiv-AntivirusUpdatePolicy.docx
si.l1-b.1.xv — System & File Scanning [FCI Data] 3
[a] the frequency for malicious code scans is defined;
AI Summary
This objective requires you to define how often you scan your systems for malicious code. To demonstrate compliance, you need to document the defined frequency (e.g., daily, weekly) and show evidence that these scans are actually being performed according to that schedule, such as logs from your antivirus software.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the CMMC Level 1 objective SI.L1-B.1.XV, tailored to a real estate consulting firm specializing in government clients:

**Example 1:** Scenario: Handling Facility Assessment Reports Containing FCI

The firm conducts facility assessments for a Department of Defense (DoD) installation. These assessments, stored as PDF documents on the firm's file server, contain FCI such as detailed floor plans, security system layouts, and infrastructure vulnerabilities. To comply with SI.L1-B.1.XV, the firm configures its file server's antivirus software (e.g., Windows Defender or a third-party solution) to perform a full system scan for malicious code every 24 hours. The scan schedule is documented in the firm's System Security Plan (SSP). Furthermore, the antivirus software is configured to perform real-time scanning of any files accessed or modified on the file server, including the facility assessment reports. If malicious code is detected, the software automatically quarantines the affected file and alerts the IT administrator via email. The IT administrator then investigates the incident, removes the malware, and documents the event in the firm's incident response log.

**Example 2:** Scenario: Receiving Lease Documents with Potential Malware from a GSA Contracting Officer

A GSA contracting officer sends the firm a lease agreement document via email for review. This document, containing lease terms and conditions, is considered FCI. To comply with SI.L1-B.1.XV, the firm's email system (e.g., Microsoft 365 with Defender for Office 365 enabled) is configured to scan all incoming email attachments for malicious code in real-time. Before the employee can open the lease agreement, the email system scans the attachment. If malicious code is detected, the email is automatically quarantined, and the employee receives a notification that the attachment was blocked due to a potential security threat. The IT administrator is also notified and investigates the incident. The firm also requires all employees to use the firm-provided laptops with up-to-date antivirus software, which performs real-time scans of files as they are downloaded, opened, or executed, providing an additional layer of protection.

**Example 3:** Scenario: Downloading Site Selection Study Data from a HUD Database

The firm is conducting a site selection study for a new HUD-funded housing project. This involves downloading data from a HUD database, which may include site plans, demographic information, and environmental impact assessments that constitute FCI. To comply with SI.L1-b.1.xv, the firm's policy requires employees to scan files downloaded from external sources, including government databases, with the firm's antivirus software immediately after download and before opening them; the antivirus software is also configured for real-time scanning of files as they are downloaded, opened, or executed, so the manual scan is a second check rather than the only one. Browser security settings block downloads from untrusted sources and warn users about potentially malicious websites. The antivirus software's log of scanned files, including date, time, user, and any detected threats, is reviewed periodically by the IT administrator to identify potential security incidents.
📄 Policy Templates:
SI.L1-b.1.xv-Antivirus Configuration.docx
SI.L1-b.1.xv-SystemScanLogTemplate.docx
[b] malicious code scans are performed with the defined frequency;
AI Summary
This objective requires you to regularly scan your systems for malicious code (like viruses) and to scan files from external sources (like downloads or USB drives) when they are accessed. To demonstrate compliance, you need to show evidence that these scans are happening at a defined frequency (e.g., daily antivirus scans) and that you have a process in place to handle suspicious files (e.g., quarantine and notification).
AI-Generated Examples
Here are three concrete compliance examples for the CMMC Level 1 requirement SI.L1-B.1.XV, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm's project team is conducting a site selection study for a new GSA office building. They receive a large ZIP file containing architectural drawings and environmental impact assessments from a subcontractor. These files contain FCI, since they describe the proposed location and building specifications for a government contract. Before any team member opens or extracts the files, the endpoint detection and response (EDR) software installed on all company laptops and desktops scans the ZIP file in real time; it is configured to scan on download and on execution. If a threat is detected, the file is quarantined immediately and an alert is sent to the IT help desk, which reviews the alert, confirms whether the file is safe or must be deleted, and notifies the sender. In addition, a scheduled weekly full system scan runs on every computer that accesses, stores, or processes FCI, including the site selection team's laptops. The schedule is documented in the firm's System Security Plan (SSP) and verified against the EDR software's audit logs.

**Example 2:**

*Scenario:* A real estate portfolio manager is accessing a government property database (e.g., a secure portal managed by the Department of Defense) to review lease terms and facility data for several government-owned properties. The firm's web filtering and anti-malware solution scans all files downloaded from the portal in real time, including lease agreements, facility inspection reports, and site plans containing FCI, and checks URLs visited within the portal to block malicious sites and phishing attempts. The firm also requires employees to use only company-approved web browsers with the security extensions that support real-time scanning enabled. Separately, a weekly vulnerability scan runs against the server hosting the firm's internal project management system, which stores metadata about these government properties, to identify unpatched vulnerabilities that malicious code could exploit.

**Example 3:**

*Scenario:* The firm uses a cloud-based document management system (DMS) to store and collaborate on documents related to lease negotiations with HUD. This DMS is configured to automatically scan all uploaded files for malicious code in real-time. This includes scanned copies of signed lease documents, client correspondence with HUD officials, and internal memos containing sensitive negotiation strategies. The DMS also performs regular scheduled scans of all stored files to detect any latent threats that may have bypassed initial scans. The firm's IT team receives automated reports from the DMS detailing the results of these scans. The IT team also conducts a monthly review of the DMS security logs to ensure the scanning functionality is operating correctly and that no malicious code has been detected. The firm's incident response plan outlines the procedures to be followed in the event that malicious code is detected within the DMS.
📄 Policy Templates:
SI.L1-b.1.xv-Antivirus Configuration.docx
SI.L1-b.1.xv-SystemScanLogTemplate.docx
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
AI Summary
This objective requires implementing real-time scanning of files originating from external sources (like the internet or USB drives) as they are downloaded, opened, or executed. To demonstrate compliance, you need to show evidence that your system actively scans these files for malicious code upon access, and that suspicious files are quarantined or flagged for further investigation. This could involve demonstrating the configuration of antivirus software or email security solutions.
AI-Generated Examples
Here are three concrete, realistic compliance examples for the consulting firm, addressing the SI.L1-B.1.XV requirement:

**Example 1:** *Real-time Scanning of Downloaded Government Property Data*

Scenario: A real estate consultant is tasked with performing a site selection study for a new federal agency office. They need to download a large dataset of available properties from the General Services Administration's (GSA) publicly accessible, but controlled, property database. This database contains FCI related to property characteristics, past uses, and environmental assessments. To comply with SI.L1-B.1.XV, the consultant's computer, and specifically the web browser used to access the GSA database, has real-time scanning enabled. As the consultant downloads the property data file (e.g., a CSV or shapefile), the antivirus/anti-malware software automatically scans the file before it is saved to the local hard drive. If the scan detects malicious code, the file is immediately quarantined, and the consultant receives an alert. The consultant then reports the incident to the firm's IT department and the GSA point of contact.

**Example 2:** *Scanning Attachments in Client Communications Containing Lease Negotiation Details*

Scenario: A consultant is negotiating a lease agreement with a federal agency on behalf of a private landlord. Communications regarding lease terms, security requirements, and facility modifications are exchanged via email. These emails often contain attachments such as draft lease documents (potentially marked CUI), floor plans, and facility inspection reports. The firm's email system is configured with real-time scanning capabilities. As the consultant receives an email with a floor plan attachment from the federal agency, the email server automatically scans the attachment for malicious code before it is delivered to the consultant's inbox. Similarly, the consultant's local machine also scans the attachment as it is opened. If malicious code is detected, the email or attachment is quarantined, and both the consultant and the IT department are notified.

**Example 3:** *Scanning Files Uploaded to Internal Project Management System*

Scenario: The consulting firm uses an internal project management system to store and share documents related to client projects. This system contains FCI, including facility assessment reports, CUI-marked site plans, and client correspondence with federal agencies like DoD and HUD. To comply with SI.L1-B.1.XV, the project management system is configured to perform real-time scans on all files uploaded by consultants. For example, when a consultant uploads a newly completed facility assessment report (potentially containing sensitive information about building security or infrastructure) to the project management system, the system automatically scans the file for malicious code before it is permanently stored. If malicious code is detected, the upload is blocked, and the consultant and the IT department receive an alert.
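The weekly-scan scenario for objective [b] and the three real-time scanning scenarios for objective [c] all rest on being able to show an assessor the actual scanner configuration and that the quarantine-and-alert path works. The PowerShell script below is an added example, not one of the page's templates or the firm's own tooling. It assumes the in-scope workstations run Microsoft Defender Antivirus (the page does not name the firm's EDR product, so that product choice and its Get-MpComputerStatus, Get-MpPreference and Get-MpThreatDetection cmdlets are an assumption), checks that real-time, on-open, on-download, archive and removable-drive scanning are enabled, that a scheduled full scan is configured and has run within the past week, and writes the result to a JSON file that can be filed with the SSP as evidence.

```powershell
# Added evidence-collection script for SI.L1-b.1.xv objectives [b] and [c].
# Not one of the page's templates. ASSUMPTION: the in-scope workstations run
# Microsoft Defender Antivirus; the page does not name the firm's EDR product,
# so the Get-Mp* cmdlets below are an assumed interface, not the firm's tooling.
# Run from an elevated PowerShell session on each laptop/desktop that handles
# FCI and keep the JSON file with the SSP as scan-configuration evidence.

$status = Get-MpComputerStatus   # live engine state (real-time, last scan, signatures)
$pref   = Get-MpPreference       # configured policy (schedule, what gets scanned)

# One row per check. Objective [c] = real-time scanning of external files as they are
# downloaded, opened or executed; objective [b] = periodic scans of in-scope systems.
# IOAV protection is Defender's scan of downloaded files and mail attachments.
$checks = @(
    [pscustomobject]@{ Objective = 'c'; Check = 'Real-time protection enabled'
                       Pass = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Objective = 'c'; Check = 'On-access (open/execute) scanning enabled'
                       Pass = [bool]$status.OnAccessProtectionEnabled }
    [pscustomobject]@{ Objective = 'c'; Check = 'Downloaded files and attachments scanned (IOAV)'
                       Pass = ([bool]$status.IoavProtectionEnabled) -and (-not $pref.DisableIOAVProtection) }
    [pscustomobject]@{ Objective = 'c'; Check = 'Archive (ZIP) contents scanned'
                       Pass = -not $pref.DisableArchiveScanning }
    [pscustomobject]@{ Objective = 'c'; Check = 'Removable (USB) drives scanned'
                       Pass = -not $pref.DisableRemovableDriveScanning }
    # ScanParameters 2 = full scan; ScanScheduleDay 8 = never, 0 = every day, 1-7 = Sun-Sat.
    [pscustomobject]@{ Objective = 'b'; Check = 'Scheduled full scan configured'
                       Pass = ($pref.ScanParameters -eq 2) -and ($pref.ScanScheduleDay -ne 8) }
    # The scenario above calls for a weekly full scan; FullScanAge is days since the last one.
    [pscustomobject]@{ Objective = 'b'; Check = 'Last full scan completed within 7 days'
                       Pass = $status.FullScanAge -le 7 }
    [pscustomobject]@{ Objective = 'b'; Check = 'Signatures updated within 1 day'
                       Pass = $status.AntivirusSignatureAge -le 1 }
)

# Detections in the last 30 days show the quarantine/alert path has actually fired,
# which an assessor will ask for alongside the configuration itself.
$recentDetections = @(Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-30) })

$evidence = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    CollectedUtc      = (Get-Date).ToUniversalTime().ToString('o')
    EngineVersion     = $status.AMEngineVersion
    SignatureVersion  = $status.AntivirusSignatureVersion
    LastFullScanEnd   = $status.FullScanEndTime
    DetectionsLast30d = $recentDetections.Count
    Checks            = $checks
}

$checks | Format-Table Objective, Check, Pass -AutoSize
$evidence | ConvertTo-Json -Depth 3 |
    Set-Content -Path "SI.L1-b.1.xv-scan-evidence-$($env:COMPUTERNAME).json"

# Any failed check is a gap against [b] or [c]; the non-zero exit code lets whatever
# collects these files (a scheduled task, an RMM job) flag the machine for follow-up.
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) scan-configuration check(s) failed on $env:COMPUTERNAME"
    exit 1
}
```

The JSON file is one dated record per machine; collecting it on the same weekly cadence as the scheduled scan gives the audit trail the [b] scenario describes, and a run that exits non-zero is itself the trigger for the help-desk review step in the [c] scenarios.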
📄 Policy Templates:
SI.L1-b.1.xv-Antivirus Configuration.docx
SI.L1-b.1.xv-SystemScanLogTemplate.docx

AI-Generated Summaries

Requirement Obj Summary Examples

ac.l1-b.1.i — Authorized Access Control [FCI Data] · Objective [a]

Summary: This objective requires you to identify and document who is authorized to access your systems that handle Federal Contract Information (FCI). To demonstrate compliance, you need to have a list or process that clearly identifies authorized users and how that list is used to grant access to systems.

Examples: Here are three concrete compliance examples for the CMMC Level 1 objective AC.L1-B.1.I, tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: A real estate consultant, Sarah, is assigned to a project involving the assessment of government-o...

ac.l1-b.1.i — Authorized Access Control [FCI Data] · Objective [b]

Summary: This objective requires that you can identify which processes are running on your systems on behalf of authorized users. To demonstrate compliance, you need to show that you have a way to determine which processes are linked to specific authorized users, for example, through process monitoring, logging, or access control lists.

Examples: Here are three concrete, realistic compliance examples for the AC.L1-B.1.I objective, tailored to a real estate consulting firm working with government clients:

**Example 1:** Access to Government Property Database via API

* **Scenario:** The consulting firm uses a custom-built appli...

ac.l1-b.1.i — Authorized Access Control [FCI Data] · Objective [c]

Summary: This objective requires organizations to identify and document which devices and systems are authorized to connect to their network and access Federal Contract Information (FCI). To demonstrate compliance, an organization should maintain a list or inventory of authorized devices and systems, and have a process in place to review and approve new devices before they are granted network access. This helps ensure only trusted devices can access sensitive information.

Examples: Here are three concrete examples of how the real estate consulting firm could satisfy the CMMC Level 1 objective AC.L1-B.1.I, specifically focusing on identifying authorized devices connecting to the system:

**Example 1:** Scenario: A new consultant, Sarah, joins the firm to work on a project...

ac.l1-b.1.i — Authorized Access Control [FCI Data] · Objective [d]

Summary: This objective requires that access to systems handling Federal Contract Information (FCI) is restricted only to individuals who have been explicitly authorized. To demonstrate compliance, an organization needs to show they have a process for authorizing users and that this authorization is enforced when granting access to the system.

Examples: Here are three concrete, realistic compliance examples for the CMMC Level 1 objective AC.L1-B.1.I, tailored to a real estate consulting firm working with federal and local government clients:

**Example 1:**

Scenario: The consulting firm uses a cloud-based project management system (e.g...

ac.l1-b.1.i — Authorized Access Control [FCI Data] · Objective [e]

Summary: This objective requires that system access is restricted to only authorized users and the processes they initiate. To demonstrate compliance, you need to show that your systems are configured to prevent unauthorized access and that processes running on the system are acting on behalf of authorized users (e.g., through authentication and authorization mechanisms). This can be shown through documented access control policies, system configurations, and access logs.

Examples: Here are three concrete, realistic compliance examples for the CMMC Level 1 objective AC.L1-B.1.I, tailored to a real estate consulting firm advising government clients:

**Example 1:** *Restricting Access to Government Property Databases*

Scenario: The consulting firm uses a cloud-base...

ac.l1-b.1.i — Authorized Access Control [FCI Data] · Objective [f]

Summary: This objective requires that only authorized devices (including other systems) are allowed to access the system. To demonstrate compliance, an organization must implement controls that prevent unauthorized devices from connecting to the system and have a process for authorizing new devices before they are granted access. This could involve network access control lists, device authentication, and a documented authorization process.

Examples: Here are three concrete compliance examples for the consulting firm, tailored to the CMMC Level 1 objective AC.L1-B.1.I, focusing on authorized device access to FCI:

**Example 1:**

Scenario: A real estate consultant, Jane, needs to access a secure, cloud-based project management system...

ac.l1-b.1.ii — Transaction & Function Control [FCI Data] · Objective [a]

Summary: This objective requires organizations to define the types of actions (transactions and functions) each authorized user is allowed to perform on systems handling Federal Contract Information (FCI). To demonstrate compliance, organizations must show they have documented these defined permissions and that system access is limited based on these definitions, ensuring users can only perform actions appropriate to their role.

Examples: Here are three concrete compliance examples for AC.L1-B.1.II, tailored to a real estate consulting firm working with federal and local government clients and handling FCI:

**Example 1:**

Scenario: The firm uses a cloud-based project management system to store all project-related docume...

ac.l1-b.1.ii — Transaction & Function Control [FCI Data] · Objective [b]

Summary: This objective requires that access to systems is limited to only the transactions and functions that authorized users are allowed to perform. To demonstrate compliance, an organization must show that they have defined the types of transactions and functions each user is permitted to execute and that the system enforces these limitations. This can be achieved through access control policies, procedures, system configurations, and audit logs.

Examples: Here are three concrete compliance examples for AC.L1-B.1.II, tailored to a real estate consulting firm working with government clients:

**Example 1:**

A new analyst, Sarah, is hired to assist with facility assessments for a DoD client. Her initial role focuses on data entry and basic ...

ac.l1-b.1.iii — External Connections [FCI Data] · Objective [a]

Summary: This objective requires organizations to identify all connections to external systems that process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, an organization needs to document and maintain a list of these external connections and have a process for verifying and controlling/limiting these connections.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective AC.L1-B.1.III: External Connections [FCI Data]:

**Example 1:** External Cloud Storage for Project Collaboration

* **Scenario:** The firm uses a cloud storage service ...

ac.l1-b.1.iii — External Connections [FCI Data] · Objective [b]

Summary: This objective requires organizations to identify all external systems that connect to their network and could potentially access, process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, an organization needs to document a list of these external systems and show that they are aware of how these systems are being used. This could be achieved through a documented inventory or diagram showing external connections.

Examples: Here are three concrete examples of how the real estate consulting firm can satisfy the CMMC Level 1 objective AC.L1-B.1.III, focusing on identifying the use of external systems when handling FCI data:

**Example 1:**

* **Scenario:** A consultant is performing a site selection study f...

ac.l1-b.1.iii — External Connections [FCI Data] · Objective [c]

Summary: This objective requires organizations to verify the security of connections to external systems that process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, an organization needs to show evidence that they have a process for verifying the security of these connections, potentially through assessments, attestations, or other means, and that they control/limit these connections. This ensures that external systems don't compromise the organization's systems or FCI.

Examples: Here are three concrete compliance examples for the CMMC Level 1 requirement AC.L1-B.1.III, tailored to a real estate consulting firm working with government clients:

Example 1: **Secure Access to Cloud-Based Project Management System:**
Scenario: The consulting firm uses a cloud-based pro...

ac.l1-b.1.iii — External Connections [FCI Data] · Objective [d]

Summary: This objective requires organizations to verify the security of external systems that connect to their internal systems and process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, organizations need to show they have a process to verify the security posture of these external connections, potentially through assessments, attestations, or other methods, ensuring they don't compromise the organization's FCI. This verification process should be documented and consistently applied.

Examples: Here are three concrete compliance examples for AC.L1-B.1.III relevant to a real estate consulting firm handling FCI for government clients:

**Example 1:** Remote Access to the Firm's Project Management System.

* **Scenario:** A consultant is working remotely from their home office o...

ac.l1-b.1.iii — External Connections [FCI Data] · Objective [e]

Summary: This objective requires organizations to control and limit connections to external systems that process, store, or transmit Federal Contract Information (FCI). To demonstrate compliance, organizations must show they have implemented policies and procedures to manage these connections, potentially including restrictions on external system use or verification of security controls on those systems. This can be achieved through methods like third-party assessments or attestations.

Examples: Here are three concrete compliance examples for the consulting firm, addressing the "External Connections [FCI Data]" requirement, AC.L1-B.1.III:

Example 1: **Restricting Personal Device Access to FCI**.

Scenario: Consultants frequently use their personal laptops and tablets ...

ac.l1-b.1.iii — External Connections [FCI Data] · Objective [f]

Summary: This objective requires organizations to control and limit the use of external systems (including cloud services and personal devices) when processing, storing, or transmitting Federal Contract Information (FCI). To demonstrate compliance, an organization must have policies and procedures in place that define acceptable use of external systems, and enforce those policies to prevent unauthorized access or processing of FCI on unapproved systems. This can be shown through documentation of policies, employee training, and enforcement mechanisms like technical controls or regular audits.

Examples: Here are three concrete compliance examples for the consulting firm, addressing the CMMC Level 1 requirement AC.L1-B.1.III, focusing on controlling/limiting external connections when handling FCI:

**Example 1:**

Scenario: A real estate consultant is conducting a site selection study fo...

ac.l1-b.1.iv — Control Public Information [FCI Data] · Objective [a]

Summary: This objective requires you to identify individuals authorized to post or process information on publicly accessible systems. To demonstrate compliance, you need to document who is authorized to post information and ideally have a process in place to ensure only authorized individuals can perform this action. This helps prevent unauthorized disclosure of FCI.

Examples: Here are three concrete examples of how the real estate consulting firm can satisfy the CMMC Level 1 objective AC.L1-B.1.IV, controlling public information (FCI data) on publicly accessible systems:

**Example 1:**

*Scenario:* The consulting firm maintains a public-facing website that s...

ac.l1-b.1.iv — Control Public Information [FCI Data] · Objective [b]

Summary: This objective requires organizations to control what information, specifically FCI, is posted on publicly accessible systems. To demonstrate compliance, an organization needs documented procedures that ensure FCI is not inadvertently or intentionally made public, including designating authorized personnel and reviewing content before posting.

Examples: Here are three concrete examples of how a real estate consulting firm working with government clients can comply with CMMC Level 1 requirement AC.L1-B.1.iv:

Example 1: **Website Content Review for FCI**

Scenario: The consulting firm maintains a public-facing website to showcase its exp...

ac.l1-b.1.iv — Control Public Information [FCI Data] · Objective [c]

Summary: This objective requires organizations to have a review process in place before posting content to publicly accessible systems to prevent the unintentional disclosure of Federal Contract Information (FCI). To demonstrate compliance, an organization needs to show evidence of a documented review process and that it is being followed before any content is posted publicly.

Examples: Here are three concrete compliance examples for the CMMC Level 1 objective AC.L1-B.1.IV, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm is contracted by the General Services Administration (GSA) to conduct a site selection...

ac.l1-b.1.iv — Control Public Information [FCI Data] · Objective [d]

Summary: This objective requires organizations to review content before it's posted on publicly accessible systems (like websites) to ensure it doesn't contain Federal Contract Information (FCI). To demonstrate compliance, an organization should have a documented review process in place, designate authorized personnel for posting, and maintain records of these reviews.

Examples: Here are three concrete compliance examples for the consulting firm, addressing the CMMC Level 1 objective AC.L1-B.1.IV:

**Example 1:**

Scenario: The firm maintains a public-facing website showcasing its expertise and past projects. A recent project involved a site selection study for ...

ac.l1-b.1.iv — Control Public Information [FCI Data] · Objective [e]

Summary: This objective requires organizations to have mechanisms in place to prevent and correct the improper posting of FCI (Federal Contract Information) on publicly accessible systems. To demonstrate compliance, organizations need to show they have procedures for reviewing content before it's posted and for removing/addressing any accidental disclosures of FCI on public platforms.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, addressing CMMC Level 1 requirement AC.L1-B.1.IV:

Example 1: **Website Content Review Process:** The consulting firm maintains a publicly accessible website showcasing its expertise and past projects. Before any n...

ia.l1-b.1.v — Identification [FCI Data] · Objective [a]

Summary: This objective requires you to identify all users, processes acting on behalf of users, and devices that access your systems. To demonstrate compliance, you need to show that each user, process, and device has a unique identifier (like a username or device name) and that you have a documented process for managing these identifiers. This ensures accountability and supports access control.

Examples: Here are three concrete compliance examples for the CMMC Level 1 objective IA.L1-B.1.V, tailored to a real estate consulting firm working with government clients and handling FCI:

**Example 1:**

Scenario: Our firm utilizes a cloud-based project management system (e.g., Monday.com, Asan...

ia.l1-b.1.v — Identification [FCI Data] · Objective [b]

Summary: This objective requires that system access is limited to only the types of transactions and functions that authorized users are permitted to execute. To demonstrate compliance, an organization must define the types of transactions and functions each authorized user can perform and then implement technical controls to enforce those limitations. This ensures users can only access what they need to perform their job, protecting FCI.

Examples: Here are three concrete, realistic compliance examples for the CMMC Level 1 objective IA.L1-B.1.V, tailored to a real estate consulting firm working with federal government clients:

**Example 1:**

The firm utilizes a project management system (e.g., a cloud-based application like Asana...

ia.l1-b.1.vi — Authentication [FCI Data] · Objective [a]

Summary: This objective requires that you verify the identity of anyone (user, process, or device) before they are allowed to access your organization's information systems that handle Federal Contract Information (FCI). To demonstrate compliance, you need to show that you have implemented a method of authentication, such as passwords, key cards, or multi-factor authentication, and that these methods are consistently applied before granting access to FCI-containing systems. This includes resetting default passwords and ensuring authentication is enforced for cloud services.

Examples: Here are three concrete compliance examples for CMMC Level 1 objective IA.L1-B.1.VI, tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: Our firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage projects in...

ia.l1-b.1.vi — Authentication [FCI Data] · Objective [b]

Summary: This objective requires you to ensure that every process running on behalf of a user is authenticated before it can access the system. To demonstrate compliance, you need to show that your system verifies the identity of each process, likely through mechanisms like user login credentials or other authentication methods, before granting access to organizational information systems.

Examples: Here are three concrete, realistic compliance examples for the CMMC Level 1 assessment objective IA.L1-B.1.VI, tailored to a real estate consulting firm working with government clients and handling FCI:

**Example 1:** Accessing Government Property Databases Containing FCI

**Scenario:**...

ia.l1-b.1.vi — Authentication [FCI Data] · Objective [c]

Summary: This objective requires that you verify the identity of every device before it's allowed to access your system, especially if that system handles Federal Contract Information (FCI). To demonstrate compliance, you need to show that you have a process in place to authenticate devices (like using passwords, certificates, or other methods) before they can connect and access FCI.

Examples: Here are three concrete examples of how the real estate consulting firm can satisfy the CMMC Level 1 objective IA.L1-B.1.VI, focusing on authentication of devices accessing FCI data:

**Example 1:**

Scenario: A real estate consultant is conducting a site selection study for a new GSA of...

mp.l1-b.1.vii — Media Disposal [FCI Data] · Objective [a]

Summary: This objective requires you to properly sanitize or destroy any physical or digital media (like hard drives, CDs, or even paper) that contains Federal Contract Information (FCI) before getting rid of it or reusing it. To demonstrate compliance, you need to show evidence that you have a process in place to identify FCI-containing media and then sanitize or destroy it using approved methods (like shredding, degaussing, or overwriting).

Examples: Here are three concrete compliance examples for the given CMMC Level 1 objective, tailored to a real estate consulting firm working with government clients:

**Example 1:**

Scenario: A consultant completes a facility assessment report for a GSA-leased building. The report contains FCI, ...

mp.l1-b.1.vii — Media Disposal [FCI Data] · Objective [b]

Summary: This objective requires you to sanitize or destroy any system media (digital or physical) that contains Federal Contract Information (FCI) before you get rid of it or reuse it. To demonstrate compliance, you need to document and implement procedures for sanitizing or destroying media, and maintain records showing that these procedures were followed when media was disposed of or reused.

Examples: Here are three concrete, realistic compliance examples for the "MP.L1-B.1.VII – MEDIA DISPOSAL [FCI DATA]" requirement, tailored to a real estate consulting firm advising government clients:

**Example 1:** Physical Disposal of Printed Lease Documents and Facility Reports

* ...

pe.l1-b.1.viii — Limit Physical Access [FCI Data] · Objective [a]

Summary: This objective requires you to identify who is authorized to access areas where Federal Contract Information (FCI) is stored or processed. To demonstrate compliance, you need to show how you identify authorized individuals (e.g., through badges, access lists, or other credentials) and that these controls are in place to limit physical access to only those individuals.

Examples: Here are three concrete examples of how the real estate consulting firm can meet the CMMC Level 1 objective PE.L1-B.1.VIII – Limit Physical Access [FCI Data]:

Example 1: **Securing the Server Room Containing Government Property Data**

Scenario: The firm maintains a dedicated server roo...

pe.l1-b.1.viii — Limit Physical Access [FCI Data] · Objective [b]

Summary: This objective requires organizations to restrict physical access to systems, equipment, and environments containing Federal Contract Information (FCI) to only authorized personnel. Compliance can be demonstrated by implementing controls like locked rooms, keycard access, or monitored locations, and ensuring only authorized individuals have access credentials (keys, badges, etc.) to these areas.

Examples: Here are three concrete compliance examples for the CMMC Level 1 objective PE.L1-B.1.VIII, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm maintains a secure server room containing servers that store FCI related to a DoD ba...

pe.l1-b.1.viii — Limit Physical Access [FCI Data] · Objective [c]

Summary: This objective requires you to restrict physical access to systems and equipment that process, store, or transmit Federal Contract Information (FCI) to only authorized personnel. To demonstrate compliance, you need to implement physical security measures like locked doors, key cards, or monitored locations, and ensure only authorized individuals have access to these areas.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective PE.L1-B.1.VIII:

**Example 1:**

Scenario: The consulting firm maintains a secure server room where it stores electronic copies of facility assessments containing FCI rel...

pe.l1-b.1.viii — Limit Physical Access [FCI Data] · Objective [d]

Summary: This objective requires that physical access to areas where Federal Contract Information (FCI) is stored, processed, or transmitted is restricted to only authorized personnel. To demonstrate compliance, you need to show that measures are in place, like locks and access control, to prevent unauthorized individuals from physically accessing these areas and the equipment within them. This could involve keycards, locked rooms, or monitored areas.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, directly related to limiting physical access to FCI data, based on the provided CMMC Level 1 objective:

**Example 1:**

Scenario: The consulting firm is conducting a site selection study for a new GSA region...

pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] · Objective [a]

Summary: This objective requires that all visitors to areas where Federal Contract Information (FCI) is stored or processed are escorted while on-site. To demonstrate compliance, organizations must implement procedures to ensure visitors are accompanied and monitored, and provide evidence of these procedures in practice, such as visitor logs or incident reports.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement PE.L1-B.1.IX:

**Example 1:** A government client (e.g., a representative from the GSA) visits the consulting firm's office to review a draft facility assessment report conta...

pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] · Objective [b]

Summary: This objective requires organizations to monitor the activities of visitors who have access to areas where Federal Contract Information (FCI) is stored or processed. To demonstrate compliance, an organization needs to show evidence that visitor activity is being tracked, such as through a visitor log, automated access control system, or other monitoring methods. This ensures that unauthorized access to FCI is prevented.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective PE.L1-B.1.IX, focusing on monitoring visitor activity:

Example 1: **Visitor Log and Escort Policy for Client Meetings Involving CUI**

*Scenario:* A consultant is hostin...

pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] · Objective [c]

Summary: This objective requires maintaining records of physical access to areas where Federal Contract Information (FCI) is stored or processed. To comply, an organization must implement and retain audit logs (either manual or automated) that track who enters and exits these areas, demonstrating a record of physical access activity. This could involve visitor sign-in sheets, badge access logs, or a combination of methods.

Examples: Here are three concrete, realistic compliance examples for the CMMC Level 1 objective PE.L1-B.1.IX, tailored to a real estate consulting firm working with government clients:

**Example 1:**
Scenario: The firm's office houses a secure room where sensitive government property databases (cont...

pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] · Objective [d]

Summary: This objective requires the organization to identify all physical access devices used to control access to facilities and systems where Federal Contract Information (FCI) is stored or processed. To demonstrate compliance, the organization needs to document and maintain a list of all such devices, including keys, locks, combinations, and card readers, and ensure this list is readily available for assessment.

Examples: Here are three concrete compliance examples for the consulting firm, addressing the CMMC Level 1 objective PE.L1-B.1.IX, focusing on identifying physical access devices:

**Example 1:**

Scenario: The firm uses a combination of keycard access and traditional keyed locks to secure its off...

pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] · Objective [e]

Summary: This objective requires you to control physical access devices like keys, locks, and card readers to protect FCI data. To demonstrate compliance, you need to show that you have mechanisms in place to manage and secure these devices, preventing unauthorized access to areas where FCI data is stored or processed. This could involve procedures for issuing, tracking, and revoking access credentials, as well as physical security measures to protect the devices themselves.

Examples: Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement PE.L1-B.1.IX:

**Example 1:**

Scenario: A federal client representative from the GSA (General Services Administration) is visiting the consulting firm's office to revi...

pe.l1-b.1.ix — Manage Visitors & Physical Access [FCI Data] · Objective [f]

Summary: This objective requires organizations to manage physical access devices (keys, locks, card readers, etc.) to protect FCI data. To demonstrate compliance, organizations must show they have processes in place to control and track these devices, ensuring only authorized personnel have access and that devices are properly managed (e.g., revoked upon termination). This could involve maintaining records of issued devices, tracking their return, and ensuring they are appropriately secured.

Examples: Here are three concrete compliance examples for the CMMC Level 1 requirement PE.L1-B.1.IX, tailored to a real estate consulting firm working with government clients:

**Example 1:** A consultant is assigned to a project involving the assessment of a GSA-leased property containing FCI related t...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[a] This objective requires you to define the boundary of your system that handles Federal Contract Information (FCI). To demonstrate compliance, you need to document and maintain a clear definition of where your system begins and ends, including all external connections. This could be a network diagram or written description outlining the system's perimeter.

Here are three concrete, realistic compliance examples for the consulting firm, directly relevant to CMMC Level 1 requirement SC.L1-B.1.X, focusing on boundary protection of FCI data:

**Example 1:**

*Scenario:* The consulting firm utilizes a cloud-based project management system (e.g.,...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[b] This objective requires organizations to identify and define the key internal boundaries within their systems that handle Federal Contract Information (FCI). To demonstrate compliance, an organization needs to document these defined boundaries, likely through network diagrams or similar documentation, showing where internal network segments are separated and protected.

Here are three concrete, realistic compliance examples for the real estate consulting firm, focusing on CMMC Level 1 requirement SC.L1-B.1.X (Boundary Protection [FCI Data]):

**Example 1:**

*Scenario:* The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to m...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[c] This objective requires organizations to monitor communications at the boundary of their systems to protect Federal Contract Information (FCI). To demonstrate compliance, an organization should show evidence of monitoring communications at the external system boundary, such as firewall logs or reports of blocked malicious activity, and that these monitoring activities are in place to detect and prevent unauthorized access to FCI.

Here are three concrete, realistic compliance examples for the consulting firm related to CMMC Level 1 requirement SC.L1-B.1.X:

**Example 1:**

*Scenario:* The consulting firm uses a cloud-based project management system (e.g., Asana, Monday.com) to manage projects involving FCI, such a...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[d] This objective requires monitoring communications at key internal boundaries within your system to detect and respond to potential threats. To demonstrate compliance, you need to show that you have mechanisms in place (like logging and review processes) to track communication activity at these internal boundaries and that you are actively reviewing this data for suspicious activity. This could involve analyzing logs from firewalls, intrusion detection systems, or other security tools.

Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement SC.L1-B.1.X, Boundary Protection [FCI Data]:

**Example 1: Monitoring Email Communications Containing FCI**

Scenario: The consulting firm uses Microsoft 365 for email ...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[e] This objective requires organizations to control communications at the boundary of their systems to protect Federal Contract Information (FCI). To demonstrate compliance, an organization needs to show that they have implemented a mechanism, like a firewall, to monitor and control network traffic entering and leaving their systems, and that this mechanism is configured to block potentially malicious traffic. Evidence could include firewall configuration logs, network diagrams showing the boundary, and documentation of the firewall's capabilities.

Here are three concrete, realistic compliance examples for the consulting firm, directly addressing the CMMC Level 1 objective SC.L1-B.1.X:

**Example 1: Firewall Configuration for Government Property Database Access:** The consulting firm uses a cloud-based government property database (e.g.,...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[f] This objective requires organizations to control and monitor communications at key internal boundaries within their systems to protect Federal Contract Information (FCI). Compliance can be demonstrated by implementing security measures like firewalls, routers, or intrusion detection systems at these internal boundaries and documenting the rules and configurations that control traffic flow. Evidence should show that these controls are actively monitoring and restricting unauthorized communication attempts.

Here are three concrete, realistic compliance examples for the CMMC Level 1 requirement SC.L1-B.1.X, tailored to a real estate consulting firm working with government clients:

**Example 1: Internal Network Segmentation for CUI Data**

*Scenario:* The consulting firm uses a shared networ...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[g] This objective requires that you protect communications entering and leaving your system at its boundaries (like your network's edge). To demonstrate compliance, you need to show that you have implemented controls like firewalls and intrusion detection systems and that you are monitoring and controlling network traffic to prevent unauthorized access and malicious activity. This includes things like blocking access to known malicious websites.

Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 requirement SC.L1-B.1.X related to boundary protection of FCI data:

**Example 1:**

*Scenario:* The consulting firm uses a cloud-based project management system (e.g., Asana, Mond...
sc.l1-b.1.x
Boundary Protection [FCI Data]
[h] This objective requires organizations to protect sensitive information (FCI) by monitoring, controlling, and securing communications at critical points within their network. Compliance can be demonstrated by implementing security measures like firewalls, intrusion detection systems, and access controls at internal network boundaries, and by showing evidence of their configuration and monitoring.

Here are three concrete, realistic compliance examples for the CMMC Level 1 assessment objective SC.L1-B.1.X, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The consulting firm utilizes a shared network drive to store and collabora...
sc.l1-b.1.xi
Public-Access System Separation [FCI Data]
[a] This objective requires you to identify all system components that are accessible to the public. To demonstrate compliance, you need to show that you've identified these components and that they are separated from your internal network (where FCI is stored) using a firewall or other similar technology, effectively creating a DMZ.

Here are three examples of how the real estate consulting firm could satisfy the CMMC Level 1 objective SC.L1-B.1.XI, focusing on realistic scenarios:

**Example 1:**

Scenario: The firm hosts a public-facing website to showcase its real estate expertise and services to potential governm...
sc.l1-b.1.xi
Public-Access System Separation [FCI Data]
[b] This objective requires you to isolate any publicly accessible system components (like a website) from your internal network where Federal Contract Information (FCI) is stored. To demonstrate compliance, you need to show that you've implemented a physical or logical separation (like a DMZ using a firewall) between the public-facing system and the internal network containing FCI, ensuring no direct access is possible.

Here are three concrete compliance examples for SC.L1-B.1.XI, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm hosts a public-facing web portal to allow government agencies to access non-sensitive information about available...
si.l1-b.1.xii
Flaw Remediation [FCI Data]
[a] This objective requires organizations to define a timeframe for identifying flaws in systems that process Federal Contract Information (FCI). To demonstrate compliance, an organization must have a documented policy or procedure that specifies how often they check for system flaws (e.g., weekly, monthly) and be able to show evidence that they are adhering to that defined timeframe.

Here are three concrete, realistic compliance examples for SI.L1-B.1.XII – FLAW REMEDIATION [FCI DATA], tailored to a real estate consulting firm advising government clients:

**Example 1:**
The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to track all client ...
si.l1-b.1.xii
Flaw Remediation [FCI Data]
[b] This objective requires you to identify system flaws (vulnerabilities) affecting FCI data within a reasonable timeframe. To demonstrate compliance, you need to show that you have processes in place to regularly check for and identify these flaws, such as monitoring vendor websites or using vulnerability scanning tools. You also need to have a defined timeframe for identifying these flaws.

Here are three concrete, realistic compliance examples for the consulting firm, demonstrating how they would satisfy the CMMC Level 1 objective SI.L1-B.1.XII – Flaw Remediation [FCI Data]:

**Example 1:**

Scenario: The firm uses a cloud-based project management system (e.g., Asana, Mond...
si.l1-b.1.xii
Flaw Remediation [FCI Data]
[c] This objective requires you to specify a timeframe for reporting system flaws. To demonstrate compliance, you need to have a documented policy or procedure that outlines how quickly identified flaws are reported to the appropriate personnel responsible for information security. This timeframe should be reasonable and consider the potential impact of the flaw.

Here are three concrete, realistic compliance examples for the CMMC Level 1 objective SI.L1-B.1.XII, tailored to a real estate consulting firm working with government clients:

**Example 1:**
Scenario: The firm uses a cloud-based project management system (e.g., Asana, Monday.com, or a custom solut...
si.l1-b.1.xii
Flaw Remediation [FCI Data]
[d] This objective requires you to report identified system flaws (vulnerabilities) affecting Federal Contract Information (FCI) within a defined timeframe. To demonstrate compliance, you need to show that you have a process for identifying flaws, reporting them to the appropriate personnel, and that these reports are made within the timeframes you've established (and justified).

Here are three concrete, realistic compliance examples for the consulting firm, addressing the CMMC Level 1 objective SI.L1-B.1.XII (Flaw Remediation):

**Example 1: Vulnerability Scanning of Real Estate Portfolio Management Software:**

The firm uses a cloud-based real estate portfolio ...
si.l1-b.1.xii
Flaw Remediation [FCI Data]
[e] This objective requires organizations to define and document the timeframe within which they will correct identified flaws in systems processing Federal Contract Information (FCI). To demonstrate compliance, an organization needs to have a documented policy or procedure specifying these timeframes, which may vary based on the severity of the flaw and the system's criticality. The organization must also be able to show evidence that they adhere to these defined timeframes when addressing identified flaws.

Here are three compliance examples for the CMMC Level 1 objective SI.L1-B.1.XII, tailored for a real estate consulting firm working with government clients:

**Example 1:**

Scenario: The firm uses a cloud-based project management system (e.g., Asana, Monday.com) to track all real estate...
si.l1-b.1.xii
Flaw Remediation [FCI Data]
[f] This objective requires you to fix identified flaws in your systems that handle Federal Contract Information (FCI) within a reasonable timeframe. To demonstrate compliance, you need to show that you have a process for identifying flaws (e.g., checking vendor websites), a defined timeframe for correcting them based on severity, and evidence that you're actually implementing those fixes according to your schedule.

Here are three concrete examples of how the real estate consulting firm could comply with CMMC Level 1's SI.L1-B.1.XII requirement, specifically focusing on the "Flaw Remediation [FCI Data]" objective:

**Example 1:**

The firm uses a cloud-based project management system (e.g....
si.l1-b.1.xiii
Malicious Code Protection [FCI Data]
[a] This objective requires organizations to identify specific locations within their systems where malicious code protection measures are implemented. To demonstrate compliance, an organization needs to document and provide evidence of these designated locations, such as firewalls, servers, and workstations, where anti-malware software or other protective measures are in place to safeguard Federal Contract Information (FCI).

Here are three concrete compliance examples for SI.L1-B.1.XIII tailored to a real estate consulting firm working with government clients:

**Example 1:** A consultant is preparing a comprehensive facility assessment report for a GSA-leased property containing FCI related to the building's secu...
si.l1-b.1.xiii
Malicious Code Protection [FCI Data]
[b] This objective requires organizations to implement and maintain protection against malicious code (like viruses and spyware) at key locations within their systems that handle Federal Contract Information (FCI). To demonstrate compliance, organizations need to show they have deployed and are actively using anti-malware solutions (like antivirus software) on systems such as workstations, servers, and mobile devices that process, store, or transmit FCI.

Here are three concrete examples of how the real estate consulting firm could satisfy the CMMC Level 1 objective SI.L1-B.1.XIII, focusing on protection from malicious code when handling FCI data:

**Example 1:**

*Scenario:* The firm's real estate analysts frequently download property da...
si.l1-b.1.xiv
Update Malicious Code Protection [FCI Data]
[a] This objective requires you to keep your anti-malware software up to date with the latest releases and definitions. To demonstrate compliance, you need to show that your systems are configured to automatically check for and install updates for your malicious code protection mechanisms (like anti-virus) on a regular basis. This ensures your systems are protected against the latest threats.

Here are three compliance examples tailored to the real estate consulting firm, addressing the SI.L1-B.1.XIV requirement:

**Example 1:** The firm utilizes laptops to conduct on-site facility assessments and generate inspection reports containing FCI, such as identifying vulnerabilities within...
si.l1-b.1.xv
System & File Scanning [FCI Data]
[a] This objective requires you to define how often you scan your systems for malicious code. To demonstrate compliance, you need to document the defined frequency (e.g., daily, weekly) and show evidence that these scans are actually being performed according to that schedule, such as logs from your antivirus software.

Here are three concrete, realistic compliance examples for the CMMC Level 1 objective SI.L1-B.1.XV, tailored to a real estate consulting firm specializing in government clients:

**Example 1:** Scenario: Handling Facility Assessment Reports Containing FCI

The firm conducts facility asse...
si.l1-b.1.xv
System & File Scanning [FCI Data]
[b] This objective requires you to regularly scan your systems for malicious code (like viruses) and to scan files from external sources (like downloads or USB drives) when they are accessed. To demonstrate compliance, you need to show evidence that these scans are happening at a defined frequency (e.g., daily antivirus scans) and that you have a process in place to handle suspicious files (e.g., quarantine and notification).

Here are three concrete compliance examples for the CMMC Level 1 requirement SI.L1-B.1.XV, tailored to a real estate consulting firm working with government clients:

**Example 1:**

*Scenario:* The firm's project team is conducting a site selection study for a new GSA office building. T...
si.l1-b.1.xv
System & File Scanning [FCI Data]
[c] This objective requires implementing real-time scanning of files originating from external sources (like the internet or USB drives) as they are downloaded, opened, or executed. To demonstrate compliance, you need to show evidence that your system actively scans these files for malicious code upon access, and that suspicious files are quarantined or flagged for further investigation. This could involve demonstrating the configuration of antivirus software or email security solutions.

Here are three concrete, realistic compliance examples for the consulting firm, addressing the SI.L1-B.1.XV requirement:

**Example 1:** *Real-time Scanning of Downloaded Government Property Data*

Scenario: A real estate consultant is tasked with performing a site selection study for a ...

Policy Templates

Policy templates associated with each requirement and objective.

ac.l1-b.1.i[a] — Authorized Access Control [FCI Data]
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx; AC.L1-b.1.i-SystemConfigSettings.docx
ac.l1-b.1.i[b] — Authorized Access Control [FCI Data]
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx; AC.L1-b.1.i-SystemConfigSettings.docx
ac.l1-b.1.i[c] — Authorized Access Control [FCI Data]
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx; AC.L1-b.1.i-SystemConfigSettings.docx
ac.l1-b.1.i[d] — Authorized Access Control [FCI Data]
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx; AC.L1-b.1.i-SystemConfigSettings.docx
ac.l1-b.1.i[e] — Authorized Access Control [FCI Data]
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx; AC.L1-b.1.i-SystemConfigSettings.docx
ac.l1-b.1.i[f] — Authorized Access Control [FCI Data]
AC.L1-b.1.i-AccessControlListofUsersandDevices.docx; AC.L1-b.1.i-SystemConfigSettings.docx
ac.l1-b.1.ii[a] — Transaction & Function Control [FCI Data]
AC.L1-b.1.ii-AccessEnforcementPolicyTemplate.docx; AC.L1-b.1.ii-RoleDefinitionsTemplate.docx; AC.L1-b.1.ii-SystemConfigSettings.docx
ac.l1-b.1.ii[b] — Transaction & Function Control [FCI Data]
AC.L1-b.1.ii-AccessEnforcementPolicyTemplate.docx; AC.L1-b.1.ii-RoleDefinitionsTemplate.docx; AC.L1-b.1.ii-SystemConfigSettings.docx
ac.l1-b.1.iii[a] — External Connections [FCI Data]
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx; AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx; AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iii[b] — External Connections [FCI Data]
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx; AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx; AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iii[c] — External Connections [FCI Data]
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx; AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx; AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iii[d] — External Connections [FCI Data]
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx; AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx; AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iii[e] — External Connections [FCI Data]
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx; AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx; AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iii[f] — External Connections [FCI Data]
AC.L1-b.1.iii-AccessControlVPNConfigurationDetails.docx; AC.L1-b.1.iii-ExternalSystemAccessPolicyTemplate.docx; AC.L1-b.1.iii-ListofApprovedExternalSystemsTemplate.docx
ac.l1-b.1.iv[a] — Control Public Information [FCI Data]
AC.L1-b.1.iv-ContentReviewRecords.docx; AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx; AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
ac.l1-b.1.iv[b] — Control Public Information [FCI Data]
AC.L1-b.1.iv-ContentReviewRecords.docx; AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx; AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
ac.l1-b.1.iv[c] — Control Public Information [FCI Data]
AC.L1-b.1.iv-ContentReviewRecords.docx; AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx; AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
ac.l1-b.1.iv[d] — Control Public Information [FCI Data]
AC.L1-b.1.iv-ContentReviewRecords.docx; AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx; AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
ac.l1-b.1.iv[e] — Control Public Information [FCI Data]
AC.L1-b.1.iv-ContentReviewRecords.docx; AC.L1-b.1.iv-ListofAuthorizedPersonnel.docx; AC.L1-b.1.iv-PublicPostingPolicyTemplate.docx
ia.l1-b.1.v[a] — Identification [FCI Data]
IA.L1-b.1.v-ListofSystemAccounts&DeviceIdentifiers.docx; IA.L1-b.1.v-UserIdentificationPolicy.docx
ia.l1-b.1.v[b] — Identification [FCI Data]
IA.L1-b.1.v-ListofSystemAccounts&DeviceIdentifiers.docx; IA.L1-b.1.v-UserIdentificationPolicy.docx
ia.l1-b.1.vi[a] — Authentication [FCI Data]
IA.L1-b.1.vi-AuthenticationPolicy.docx; IA.L1-b.1.vi-PasswordManagementProcedures.docx
ia.l1-b.1.vi[b] — Authentication [FCI Data]
IA.L1-b.1.vi-AuthenticationPolicy.docx; IA.L1-b.1.vi-PasswordManagementProcedures.docx
ia.l1-b.1.vi[c] — Authentication [FCI Data]
IA.L1-b.1.vi-AuthenticationPolicy.docx; IA.L1-b.1.vi-PasswordManagementProcedures.docx
mp.l1-b.1.vii[a] — Media Disposal [FCI Data]
MP.L1-b.1.vii-MediaDisposalLogTemplate.docx; MP.L1-b.1.vii-MediaDisposalPolicyTemplate.docx; MP.L1-b.1.vii-MediaReuseProcedures.docx
mp.l1-b.1.vii[b] — Media Disposal [FCI Data]
MP.L1-b.1.vii-MediaDisposalLogTemplate.docx; MP.L1-b.1.vii-MediaDisposalPolicyTemplate.docx; MP.L1-b.1.vii-MediaReuseProcedures.docx
pe.l1-b.1.viii[a] — Limit Physical Access [FCI Data]
PE.L1-b.1.viii-AuthorizedAccessLists.docx; PE.L1-b.1.viii-BadgeIssuanceRecords.docx; PE.L1-b.1.viii-PhysicalAccessPolicy.docx
pe.l1-b.1.viii[b] — Limit Physical Access [FCI Data]
PE.L1-b.1.viii-AuthorizedAccessLists.docx; PE.L1-b.1.viii-BadgeIssuanceRecords.docx; PE.L1-b.1.viii-PhysicalAccessPolicy.docx
pe.l1-b.1.viii[c] — Limit Physical Access [FCI Data]
PE.L1-b.1.viii-AuthorizedAccessLists.docx; PE.L1-b.1.viii-BadgeIssuanceRecords.docx; PE.L1-b.1.viii-PhysicalAccessPolicy.docx
pe.l1-b.1.viii[d] — Limit Physical Access [FCI Data]
PE.L1-b.1.viii-AuthorizedAccessLists.docx; PE.L1-b.1.viii-BadgeIssuanceRecords.docx; PE.L1-b.1.viii-PhysicalAccessPolicy.docx
pe.l1-b.1.ix[a] — Manage Visitors & Physical Access [FCI Data]
PE.L1-b.1.ix-AccessLogs.docx; PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx; PE.L1-b.1.ix-VisitorManagementPolicy.docx
pe.l1-b.1.ix[b] — Manage Visitors & Physical Access [FCI Data]
PE.L1-b.1.ix-AccessLogs.docx; PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx; PE.L1-b.1.ix-VisitorManagementPolicy.docx
pe.l1-b.1.ix[c] — Manage Visitors & Physical Access [FCI Data]
PE.L1-b.1.ix-AccessLogs.docx; PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx; PE.L1-b.1.ix-VisitorManagementPolicy.docx
pe.l1-b.1.ix[d] — Manage Visitors & Physical Access [FCI Data]
PE.L1-b.1.ix-AccessLogs.docx; PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx; PE.L1-b.1.ix-VisitorManagementPolicy.docx
pe.l1-b.1.ix[e] — Manage Visitors & Physical Access [FCI Data]
PE.L1-b.1.ix-AccessLogs.docx; PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx; PE.L1-b.1.ix-VisitorManagementPolicy.docx
pe.l1-b.1.ix[f] — Manage Visitors & Physical Access [FCI Data]
PE.L1-b.1.ix-AccessLogs.docx; PE.L1-b.1.ix-InventoryofPhysicalAccessDevices.docx; PE.L1-b.1.ix-VisitorManagementPolicy.docx
sc.l1-b.1.x[a] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[b] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[c] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[d] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[e] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[f] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[g] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.x[h] — Boundary Protection [FCI Data]
SC.L1-b.1.x-FirewallandIntrusionDetectionSystem.docx; SC.L1-b.1.x-NetworkMonitoringPolicy.docx
sc.l1-b.1.xi[a] — Public-Access System Separation [FCI Data]
SC.L1-b.1.xi-NetworkDiagrams.docx; SC.L1-b.1.xi-NetworkSegmentationPolicy.docx
sc.l1-b.1.xi[b] — Public-Access System Separation [FCI Data]
SC.L1-b.1.xi-NetworkDiagrams.docx; SC.L1-b.1.xi-NetworkSegmentationPolicy.docx
si.l1-b.1.xii[a] — Flaw Remediation [FCI Data]
SI.L1-b.1.xii-PatchManagementPolicy.docx; SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xii[b] — Flaw Remediation [FCI Data]
SI.L1-b.1.xii-PatchManagementPolicy.docx; SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xii[c] — Flaw Remediation [FCI Data]
SI.L1-b.1.xii-PatchManagementPolicy.docx; SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xii[d] — Flaw Remediation [FCI Data]
SI.L1-b.1.xii-PatchManagementPolicy.docx; SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xii[e] — Flaw Remediation [FCI Data]
SI.L1-b.1.xii-PatchManagementPolicy.docx; SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xii[f] — Flaw Remediation [FCI Data]
SI.L1-b.1.xii-PatchManagementPolicy.docx; SI.L1-b.1.xii-VulnerabilityScanReportTemplate.docx
si.l1-b.1.xiii[a] — Malicious Code Protection [FCI Data]
SI.L1-b.1.xiii-AntivirusManagementPolicy.docx; SI.L1-b.1.xiii-AntivirusScanLogTemplate.docx
si.l1-b.1.xiii[b] — Malicious Code Protection [FCI Data]
SI.L1-b.1.xiii-AntivirusManagementPolicy.docx; SI.L1-b.1.xiii-AntivirusScanLogTemplate.docx
si.l1-b.1.xiv[a] — Update Malicious Code Protection [FCI Data]
SI.L1-b.1.xiv-AntivirusUpdateLogTemplate.docx; SI.L1-b.1.xiv-AntivirusUpdatePolicy.docx
si.l1-b.1.xv[a] — System & File Scanning [FCI Data]
SI.L1-b.1.xv-Antivirus Configuration.docx; SI.L1-b.1.xv-SystemScanLogTemplate.docx
si.l1-b.1.xv[b] — System & File Scanning [FCI Data]
SI.L1-b.1.xv-Antivirus Configuration.docx; SI.L1-b.1.xv-SystemScanLogTemplate.docx
si.l1-b.1.xv[c] — System & File Scanning [FCI Data]
SI.L1-b.1.xv-Antivirus Configuration.docx; SI.L1-b.1.xv-SystemScanLogTemplate.docx

Examine / Interview / Test Methods

Req Obj Examine Interview Test
ac.l1-b.1.i a Access control policy; procedures addressing account management; system
security plan45; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records
Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities].
3 NIST SP 800-171A, p. 9
4 It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order
to obtain a Level 1 self-assessment.
CMMC Assessment Guide – Level 1  Version 2.13 12

AC.L1-b.1.i – Authorized Access Control [FCI Data
Organizational processes for managing system accounts; mechanisms for
implementing account management
ac.l1-b.1.i b Access control policy; procedures addressing account management; system
security plan45; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records
Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities].
3 NIST SP 800-171A, p. 9
4 It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order
to obtain a Level 1 self-assessment.
CMMC Assessment Guide – Level 1  Version 2.13 12

AC.L1-b.1.i – Authorized Access Control [FCI Data
Organizational processes for managing system accounts; mechanisms for
implementing account management
ac.l1-b.1.i c Access control policy; procedures addressing account management; system
security plan45; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records
Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities].
3 NIST SP 800-171A, p. 9
4 It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order
to obtain a Level 1 self-assessment.
CMMC Assessment Guide – Level 1  Version 2.13 12

AC.L1-b.1.i – Authorized Access Control [FCI Data
Organizational processes for managing system accounts; mechanisms for
implementing account management
ac.l1-b.1.i d Access control policy; procedures addressing account management; system
security plan45; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records
Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities].
3 NIST SP 800-171A, p. 9
4 It is recommended that an OSA develop a SSP as a best practice at Level 1, however, it is not required in order
to obtain a Level 1 self-assessment.
CMMC Assessment Guide – Level 1  Version 2.13 12

AC.L1-b.1.i – Authorized Access Control [FCI Data
Organizational processes for managing system accounts; mechanisms for
implementing account management
ac.l1-b.1.i e Access control policy; procedures addressing account management; system
security plan45; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records
Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities
Organizational processes for managing system accounts; mechanisms for
implementing account management
ac.l1-b.1.i f Access control policy; procedures addressing account management; system
security plan; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records
Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities
Organizational processes for managing system accounts; mechanisms for
implementing account management
ac.l1-b.1.ii a Access control policy; procedures addressing access enforcement; system
security plan; system design documentation; list of approved authorizations including
remote access authorizations; system audit logs and records; system configuration settings
and associated documentation; other relevant documents or records
Personnel with access enforcement responsibilities; system or network
administrators; personnel with information security responsibilities; system developers
Mechanisms implementing access control policy
ac.l1-b.1.ii b Access control policy; procedures addressing access enforcement; system
security plan; system design documentation; list of approved authorizations including
remote access authorizations; system audit logs and records; system configuration settings
and associated documentation; other relevant documents or records
Personnel with access enforcement responsibilities; system or network
administrators; personnel with information security responsibilities; system developers
Mechanisms implementing access control policy
ac.l1-b.1.iii a Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records
Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities
Mechanisms implementing terms and conditions on use of external
systems
ac.l1-b.1.iii b Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records
Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities
Mechanisms implementing terms and conditions on use of external
systems
ac.l1-b.1.iii c Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records
Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities
Mechanisms implementing terms and conditions on use of external
systems
ac.l1-b.1.iii d Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records
Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities
Mechanisms implementing terms and conditions on use of external
systems
ac.l1-b.1.iii e Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records
Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities
Mechanisms implementing terms and conditions on use of external
systems
ac.l1-b.1.iii f Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records
Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities
Mechanisms implementing terms and conditions on use of external
systems
ac.l1-b.1.iv a Access control policy; procedures addressing publicly accessible content;
system security plan; list of users authorized to post publicly accessible content on
organizational systems; training materials and/or records; records of publicly accessible
information reviews; records of response to nonpublic information on public websites;
system audit logs and records; security awareness training records; other relevant
documents or records
Personnel with responsibilities for managing publicly accessible
information posted on organizational systems; personnel with information security
responsibilities
Mechanisms implementing management of publicly accessible content
ac.l1-b.1.iv b Access control policy; procedures addressing publicly accessible content;
system security plan; list of users authorized to post publicly accessible content on
organizational systems; training materials and/or records; records of publicly accessible
information reviews; records of response to nonpublic information on public websites;
system audit logs and records; security awareness training records; other relevant
documents or records
Personnel with responsibilities for managing publicly accessible
information posted on organizational systems; personnel with information security
responsibilities
Mechanisms implementing management of publicly accessible content
ac.l1-b.1.iv c Access control policy; procedures addressing publicly accessible content;
system security plan; list of users authorized to post publicly accessible content on
organizational systems; training materials and/or records; records of publicly accessible
information reviews; records of response to nonpublic information on public websites;
system audit logs and records; security awareness training records; other relevant
documents or records
Personnel with responsibilities for managing publicly accessible
information posted on organizational systems; personnel with information security
responsibilities
Mechanisms implementing management of publicly accessible content
ac.l1-b.1.iv d Access control policy; procedures addressing publicly accessible content;
system security plan; list of users authorized to post publicly accessible content on
organizational systems; training materials and/or records; records of publicly accessible
information reviews; records of response to nonpublic information on public websites;
system audit logs and records; security awareness training records; other relevant
documents or records
Personnel with responsibilities for managing publicly accessible
information posted on organizational systems; personnel with information security
responsibilities
Mechanisms implementing management of publicly accessible content
ac.l1-b.1.iv e Access control policy; procedures addressing publicly accessible content;
system security plan; list of users authorized to post publicly accessible content on
organizational systems; training materials and/or records; records of publicly accessible
information reviews; records of response to nonpublic information on public websites;
system audit logs and records; security awareness training records; other relevant
documents or records
Personnel with responsibilities for managing publicly accessible
information posted on organizational systems; personnel with information security
responsibilities
Mechanisms implementing management of publicly accessible content
ia.l1-b.1.v a Access control policy; procedures addressing access enforcement; system
security plan; system design documentation; list of approved authorizations including
remote access authorizations; system audit logs and records; system configuration settings
and associated documentation; other relevant documents or records
Personnel with access enforcement responsibilities; system or network
administrators; personnel with information security responsibilities; system developers
Mechanisms implementing access control policy
ia.l1-b.1.v b Access control policy; procedures addressing access enforcement; system
security plan; system design documentation; list of approved authorizations including
remote access authorizations; system audit logs and records; system configuration settings
and associated documentation; other relevant documents or records
Personnel with access enforcement responsibilities; system or network
administrators; personnel with information security responsibilities; system developers
Mechanisms implementing access control policy
ia.l1-b.1.vi a Identification and authentication policy; system security plan; procedures
addressing authenticator management; procedures addressing user identification and
authentication; system design documentation; list of system authenticator types; system
configuration settings and associated documentation; change control records associated
with managing system authenticators; system audit logs and records; other relevant
documents or records
Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators
Mechanisms supporting or implementing authenticator management
capability
ia.l1-b.1.vi b Identification and authentication policy; system security plan; procedures
addressing authenticator management; procedures addressing user identification and
authentication; system design documentation; list of system authenticator types; system
configuration settings and associated documentation; change control records associated
with managing system authenticators; system audit logs and records; other relevant
documents or records
Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators
Mechanisms supporting or implementing authenticator management
capability
ia.l1-b.1.vi c Identification and authentication policy; system security plan; procedures
addressing authenticator management; procedures addressing user identification and
authentication; system design documentation; list of system authenticator types; system
configuration settings and associated documentation; change control records associated
with managing system authenticators; system audit logs and records; other relevant
documents or records
Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators
Mechanisms supporting or implementing authenticator management
capability
mp.l1-b.1.vii a System media protection policy; procedures addressing media sanitization
and disposal; applicable standards and policies addressing media sanitization; system
security plan; media sanitization records; system audit logs and records; system design
documentation; system configuration settings and associated documentation; other relevant
documents or records
Personnel with media sanitization responsibilities; personnel with
information security responsibilities; system or network administrators
Organizational processes for media sanitization; mechanisms supporting or
implementing media sanitization
mp.l1-b.1.vii b System media protection policy; procedures addressing media sanitization
and disposal; applicable standards and policies addressing media sanitization; system
security plan; media sanitization records; system audit logs and records; system design
documentation; system configuration settings and associated documentation; other relevant
documents or records
Personnel with media sanitization responsibilities; personnel with
information security responsibilities; system or network administrators
Organizational processes for media sanitization; mechanisms supporting or
implementing media sanitization
pe.l1-b.1.viii a Physical and environmental protection policy; procedures addressing
physical access authorizations; system security plan; authorized personnel access list;
authorization credentials; physical access list reviews; physical access termination records
and associated documentation; other relevant documents or records
Personnel with physical access authorization responsibilities; personnel
with physical access to system facility; personnel with information security responsibilities
Organizational processes for physical access authorizations; mechanisms
supporting or implementing physical access authorizations
pe.l1-b.1.viii b Physical and environmental protection policy; procedures addressing
physical access authorizations; system security plan; authorized personnel access list;
authorization credentials; physical access list reviews; physical access termination records
and associated documentation; other relevant documents or records
Personnel with physical access authorization responsibilities; personnel
with physical access to system facility; personnel with information security responsibilities
Organizational processes for physical access authorizations; mechanisms
supporting or implementing physical access authorizations
pe.l1-b.1.viii c Physical and environmental protection policy; procedures addressing
physical access authorizations; system security plan; authorized personnel access list;
authorization credentials; physical access list reviews; physical access termination records
and associated documentation; other relevant documents or records
Personnel with physical access authorization responsibilities; personnel
with physical access to system facility; personnel with information security responsibilities
Organizational processes for physical access authorizations; mechanisms
supporting or implementing physical access authorizations
pe.l1-b.1.viii d Physical and environmental protection policy; procedures addressing
physical access authorizations; system security plan; authorized personnel access list;
authorization credentials; physical access list reviews; physical access termination records
and associated documentation; other relevant documents or records
Personnel with physical access authorization responsibilities; personnel
with physical access to system facility; personnel with information security responsibilities
Organizational processes for physical access authorizations; mechanisms
supporting or implementing physical access authorizations
pe.l1-b.1.ix a Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with
information security responsibilities
Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices
pe.l1-b.1.ix b Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with
information security responsibilities
Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices
pe.l1-b.1.ix c Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with
information security responsibilities
Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices
pe.l1-b.1.ix d Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with
information security responsibilities
Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices
pe.l1-b.1.ix e Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with
information security responsibilities
Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices
pe.l1-b.1.ix f Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with
information security responsibilities
Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices
sc.l1-b.1.x a System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
25 NIST SP 800-171A, p. 53
CMMC Assessment Guide – Level 1  Version 2.13 34

SC.L1-b.1.x – Boundary Protection [FCI Data]
sc.l1-b.1.x b System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.x c System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.x d System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.x e System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.x f System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.x g System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.x h System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.xi a System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; system
configuration settings and associated documentation; enterprise security architecture
documentation; system audit logs and records; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
sc.l1-b.1.xi b System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; system
configuration settings and associated documentation; enterprise security architecture
documentation; system audit logs and records; other relevant documents or records
System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
si.l1-b.1.xii a System and information integrity policy; procedures addressing flaw
remediation; procedures addressing configuration management; system security plan; list
of flaws and vulnerabilities potentially affecting the system; list of recent security flaw
remediation actions performed on the system (e.g., list of installed patches, service packs,
hot fixes, and other software updates to correct system flaws);
System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for flaw remediation; personnel with configuration management
responsibility
Organizational processes for identifying, reporting, and correcting system
flaws; organizational process for installing software and firmware updates; mechanisms
supporting or implementing reporting, and correcting system flaws; mechanisms supporting
or implementing testing software and firmware updates
29 NIST SP 800-171A, p. 60
CMMC Assessment Guide – Level 1  Version 2.13 39

SI.L1-b.1.xii – Flaw Remediation [FCI Data]
si.l1-b.1.xii b System and information integrity policy; procedures addressing flaw
remediation; procedures addressing configuration management; system security plan; list
of flaws and vulnerabilities potentially affecting the system; list of recent security flaw
remediation actions performed on the system (e.g., list of installed patches, service packs,
hot fixes, and other software updates to correct system flaws);
System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for flaw remediation; personnel with configuration management
responsibility
Organizational processes for identifying, reporting, and correcting system
flaws; organizational process for installing software and firmware updates; mechanisms
supporting or implementing reporting, and correcting system flaws; mechanisms supporting
or implementing testing software and firmware updates
si.l1-b.1.xii c
Examine: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; system security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws);
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility
Test: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting, and correcting system flaws; mechanisms supporting or implementing testing software and firmware updates

si.l1-b.1.xii d
Examine: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; system security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws);
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility
Test: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting, and correcting system flaws; mechanisms supporting or implementing testing software and firmware updates

si.l1-b.1.xii e
Examine: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; system security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws);
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility
Test: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting, and correcting system flaws; mechanisms supporting or implementing testing software and firmware updates

si.l1-b.1.xii f
Examine: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; system security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws);
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility
Test: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting, and correcting system flaws; mechanisms supporting or implementing testing software and firmware updates

si.l1-b.1.xiii a
Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; records of malicious code protection updates; malicious code protection mechanisms; system security plan; system configuration settings and associated documentation; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; scan results from malicious code protection mechanisms; system design documentation; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility
Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting or implementing malicious code scanning and subsequent actions

si.l1-b.1.xiii b
Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; records of malicious code protection updates; malicious code protection mechanisms; system security plan; system configuration settings and associated documentation; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; scan results from malicious code protection mechanisms; system design documentation; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility
Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting or implementing malicious code scanning and subsequent actions

si.l1-b.1.xiv a
Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility
Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions

si.l1-b.1.xv a
Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility
Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions

si.l1-b.1.xv b
Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility
Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions

si.l1-b.1.xv c
Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records
Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility
Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions