CMMC110
CMMC
Requirements in this framework
- CMMC Level 2 Practice 3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and
- CMMC Level 2 Practice 3.1.10: Use session lock with pattern-hiding displays to prevent access and viewing of data after a
- CMMC Level 2 Practice 3.1.11: Terminate (automatically) a user session after a defined condition
- CMMC Level 2 Practice 3.1.12: Monitor and control remote access sessions
- CMMC Level 2 Practice 3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- CMMC Level 2 Practice 3.1.14: Route remote access via managed access control points
- CMMC Level 2 Practice 3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant
- CMMC Level 2 Practice 3.1.16: Authorize wireless access prior to allowing such connections
- CMMC Level 2 Practice 3.1.17: Protect wireless access using authentication and encryption
- CMMC Level 2 Practice 3.1.18: Control connection of mobile devices
- CMMC Level 2 Practice 3.1.19: Encrypt CUI on mobile devices and mobile computing platforms
- CMMC Level 2 Practice 3.1.2: Limit system access to the types of transactions and functions that authorized users are
- CMMC Level 2 Practice 3.1.20: Verify and control/limit connections to and use of external systems
- CMMC Level 2 Practice 3.1.21: Limit use of portable storage devices on external systems
- CMMC Level 2 Practice 3.1.22: Control CUI posted or processed on publicly accessible systems
- CMMC Level 2 Practice 3.1.3: Control the flow of CUI in accordance with approved authorizations
- CMMC Level 2 Practice 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion
- CMMC Level 2 Practice 3.1.5: Employ the principle of least privilege, including for specific security functions and privileged
- CMMC Level 2 Practice 3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions
- CMMC Level 2 Practice 3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of
- CMMC Level 2 Practice 3.1.8: Limit unsuccessful logon attempts
- CMMC Level 2 Practice 3.1.9: Provide privacy and security notices consistent with applicable CUI rules
- CMMC Level 2 Practice 3.10.1: addresses physical access for individuals whose maintenance
- CMMC Level 2 Practice 3.10.2: Protect and monitor the physical facility and support infrastructure for organizational systems
- CMMC Level 2 Practice 3.10.3: Escort visitors and monitor visitor activity
- CMMC Level 2 Practice 3.10.4: Maintain audit logs of physical access
- CMMC Level 2 Practice 3.10.5: Control and manage physical access devices
- CMMC Level 2 Practice 3.10.6: Enforce safeguarding measures for CUI at alternate work sites
- CMMC Level 2 Practice 3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or
- CMMC Level 2 Practice 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new
- CMMC Level 2 Practice 3.11.3: Remediate vulnerabilities in accordance with risk assessments
- CMMC Level 2 Practice 3.12.1: Periodically assess the security controls in organizational systems to determine if the controls
- CMMC Level 2 Practice 3.12.2: Develop and implement plans of action designed to correct deficiencies and reduce or
- CMMC Level 2 Practice 3.12.3: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the
- CMMC Level 2 Practice 3.12.4: Develop, document, and periodically update system security plans that describe system
- CMMC Level 2 Practice 3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by
- CMMC Level 2 Practice 3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational
- CMMC Level 2 Practice 3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
- CMMC Level 2 Practice 3.13.12: Prohibit remote activation of collaborative computing devices and provide indication of
- CMMC Level 2 Practice 3.13.13: Control and monitor the use of mobile code
- CMMC Level 2 Practice 3.13.14: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies
- CMMC Level 2 Practice 3.13.15: Protect the authenticity of communications sessions
- CMMC Level 2 Practice 3.13.16: Protect the confidentiality of CUI at rest
- CMMC Level 2 Practice 3.13.2: Employ architectural designs, software development techniques, and systems engineering
- CMMC Level 2 Practice 3.13.3: Separate user functionality from system management functionality
- CMMC Level 2 Practice 3.13.4: Prevent unauthorized and unintended information transfer via shared system resources
- CMMC Level 2 Practice 3.13.5: Implement subnetworks for publicly accessible system components that are physically or
- CMMC Level 2 Practice 3.13.6: Deny network communications traffic by default and allow network communications traffic by
- CMMC Level 2 Practice 3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with
- CMMC Level 2 Practice 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during
- CMMC Level 2 Practice 3.13.9: Terminate network connections associated with communications sessions at the end of the
- CMMC Level 2 Practice 3.14.1: Identify, report, and correct system flaws in a timely manner
- CMMC Level 2 Practice 3.14.2: Provide protection from malicious code at designated locations within organizational systems
- CMMC Level 2 Practice 3.14.3: Monitor system security alerts and advisories and take action in response
- CMMC Level 2 Practice 3.14.4: Update malicious code protection mechanisms when new releases are available
- CMMC Level 2 Practice 3.14.5: Perform periodic scans of organizational systems and real-time scans of files from external
- CMMC Level 2 Practice 3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to
- CMMC Level 2 Practice 3.14.7: Identify unauthorized use of organizational systems
- CMMC Level 2 Practice 3.2.1: Ensure that managers, systems administrators, and users of organizational systems are made
- CMMC Level 2 Practice 3.2.2: Ensure that personnel are trained to carry out their assigned information security-related
- CMMC Level 2 Practice 3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider
- CMMC Level 2 Practice 3.3.1: Create and retain system audit logs and records to the extent needed to enable the
- CMMC Level 2 Practice 3.3.2: Ensure that the actions of individual system users can be uniquely traced to those users, so
- CMMC Level 2 Practice 3.3.3: Review and update logged events
- CMMC Level 2 Practice 3.3.4: Alert in the event of an audit logging process failure
- CMMC Level 2 Practice 3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response
- CMMC Level 2 Practice 3.3.6: Provide audit record reduction and report generation to support on-demand analysis and
- CMMC Level 2 Practice 3.3.7: Provide a system capability that compares and synchronizes internal system clocks with an
- CMMC Level 2 Practice 3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and
- CMMC Level 2 Practice 3.3.9: Limit management of audit logging functionality to a subset of privileged users
- CMMC Level 2 Practice 3.4.1: Establish and maintain baseline configurations and inventories of organizational systems
- CMMC Level 2 Practice 3.4.2: Establish and enforce security configuration settings for information technology products
- CMMC Level 2 Practice 3.4.3: Track, review, approve or disapprove, and log changes to organizational systems
- CMMC Level 2 Practice 3.4.4: Analyze the security impact of changes prior to implementation
- CMMC Level 2 Practice 3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with
- CMMC Level 2 Practice 3.4.6: Employ the principle of least functionality by configuring organizational systems to provide
- CMMC Level 2 Practice 3.4.7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and
- CMMC Level 2 Practice 3.4.8: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or
- CMMC Level 2 Practice 3.4.9: Control and monitor user-installed software
- CMMC Level 2 Practice 3.5.1: Identify system users, processes acting on behalf of users, and devices
- CMMC Level 2 Practice 3.5.10: Store and transmit only cryptographically-protected passwords
- CMMC Level 2 Practice 3.5.11: Obscure feedback of authentication information
- CMMC Level 2 Practice 3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to
- CMMC Level 2 Practice 3.5.3: Use multifactor authentication for local and network access to privileged accounts and for
- CMMC Level 2 Practice 3.5.4: Employ replay-resistant authentication mechanisms for network access to privileged and non-
- CMMC Level 2 Practice 3.5.5: Prevent reuse of identifiers for a defined period
- CMMC Level 2 Practice 3.5.6: Disable identifiers after a defined period of inactivity
- CMMC Level 2 Practice 3.5.7: Enforce a minimum password complexity and change of characters when new passwords are
- CMMC Level 2 Practice 3.5.8: Prohibit password reuse for a specified number of generations
- CMMC Level 2 Practice 3.5.9: Allow temporary password use for system logons with an immediate change to a permanent
- CMMC Level 2 Practice 3.6.1: Establish an operational incident-handling capability for organizational systems that includes
- CMMC Level 2 Practice 3.6.2: Track, document, and report incidents to designated officials and/or authorities both internal
- CMMC Level 2 Practice 3.6.3: Test the organizational incident response capability
- CMMC Level 2 Practice 3.7.1: Perform maintenance on organizational systems
- CMMC Level 2 Practice 3.7.2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system
- CMMC Level 2 Practice 3.7.3: Ensure equipment removed for off-site maintenance is sanitized of any CUI
- CMMC Level 2 Practice 3.7.4: Check media containing diagnostic and test programs for malicious code before the media are
- CMMC Level 2 Practice 3.7.5: Require multifactor authentication to establish nonlocal maintenance sessions via external
- CMMC Level 2 Practice 3.7.6: Supervise the maintenance activities of maintenance personnel without required access
- CMMC Level 2 Practice 3.8.1: Protect (i.e., physically control and securely store) system media containing CUI, both paper and
- CMMC Level 2 Practice 3.8.2: Limit access to CUI on system media to authorized users
- CMMC Level 2 Practice 3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse
- CMMC Level 2 Practice 3.8.4: Mark media with necessary CUI markings and distribution limitations
- CMMC Level 2 Practice 3.8.5: Control access to media containing CUI and maintain accountability for media during transport
- CMMC Level 2 Practice 3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital
- CMMC Level 2 Practice 3.8.7: Control the use of removable media on system components
- CMMC Level 2 Practice 3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner
- CMMC Level 2 Practice 3.8.9: Protect the confidentiality of backup CUI at storage locations
- CMMC Level 2 Practice 3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI
- CMMC Level 2 Practice 3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel