CCA Blueprint

From CMMC Toolkit Wiki
Jump to navigation Jump to search

Source of Reference: The CCA blueprint document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.

For inquiries and reporting errors on this wiki, please contact us. Thank you.


Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:

Domain Exam Weight
1. Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirement 15%
2. CMMC Level 2 Assessment Scoping 20%
3. CMMC Assessment Process (CAP) 25%
4. Assessing CMMC Level 2 Practices 40%

Domain 1: Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements

Task 1. Assess the various environmental considerations of Organizations Seeking Certification (OSCs) against CMMC L2 practices.

Lesson Topic Objective Objective Description
4C 1.1.1 # The difference between logical (virtual) and physical locations
4C 1.1.2 # The difference between professional and industrial environments
4C 1.1.3 # Single and multi-site environmental constraints and Evidence requirements
4C 1.1.4 # Cloud and hybrid environment constraints and Evidence requirements
4C 1.1.5 # On-premises environmental constraints
4C 1.1.6 # Environmental exclusions for a level 2 CMMC assessment

Domain 2: Scoping

Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide.

Lesson Topic Objective Objective Description
4B 2.1.1 1. Categorization of CUI data in the form of Assets that are in scope:
4B 2.1.1.A
A. #1: Controlled Unclassified Information (CUI) Assets
4B 2.1.1.A(1)
(1) Process, store, or transmit CUI
4B 2.1.1.B
B. #2: Security Protection Assets
4B 2.1.1.B(1)
(1) Assets that provide security functions and capabilities to contractor’s CMMC Assessment Scope
4B 2.1.1.C
C. #3: Contractor Risked Managed Assets
4B 2.1.1.C(1)
(1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
4B 2.1.1.D
D. #4: Specialized Assets
4B 2.1.1.D(1)
(1) Assets that may/may not process, store, or transmit CUI
4B 2.1.1.D(2)
(2) Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
4B 2.1.1.E
E. #5: Out-of-Scope Assets
4B 2.1.1.E(1)
(1) Assets that cannot process, store, or transmit CUI

Task 2. Given a scenario, analyze the CMMC Assessment Scope based on the predetermined CUI categories within the CMMC Level 2 Assessment Scoping Guide.

Lesson Topic Objective Objective Description
4B 2.2.1 1. CMMC assessment asset categories (In-scope)
4B 2.2.1.A
A. CUI Assets
4B 2.2.1.B
B. Security Protection Assets
4B 2.2.1.C
C. Contractor Risked Managed Assets
4B 2.2.1.D
D. Specialized Assets
4B 2.2.2 2. CMMC assessment asset categories (Out-of-scope)
4A 2.2.3 3. Separation Techniques
4A 2.2.3.A
A. Logical separation
4A 2.2.3.A(1)
(1) Firewalls; and
4A 2.2.3.A(2)
(2) Virtual Local Area Network (VLANs)
4A 2.2.3.B
B. Physical separation
4A 2.2.3.B(1)
(1) Gates;
4A 2.2.3.B(2)
(2) Locks;
4A 2.2.3.B(3)
(3) Badge access; and
4A 2.2.3.B(4)
(4) Guards

Task 3. Evaluate CMMC assessment scope considerations based on the CMMC Level 2 Assessment Scoping Guide.

Lesson Topic Objective Objective Description
4E 2.3.1 1. FCI and CUI within the same Assessment Scope:
4E 2.3.1.A
A. Contractor defines FCI/CUI assets (In-scope)
4E 2.3.1.B
B. CMMC Assessor certifies implementation of Level 1 & 2 practices
4E 2.3.2 2. FCI and CUI NOT within the same Assessment Scope:
4E 2.3.2.A
A. Contractor defines Self-Assessment of FCI assets (In-scope)
4E 2.3.2.B
B. Contractor defines CUI assets (In-scope), CMMC Assessor certifies implementation of Level 1 & 2 practices
4C, 4D 2.3.3 3. External Services Providers
4D 2.3.3.A
A. Evaluation of responsibility matrix
2C, 4E 2.3.3.B
B. Non-Duplication
4D 2.3.3.C
C. Agreements, Service-Level Agreements (SLAs)

Domain 3: CMMC Assessment Process (CAP) v5.X

Task 1. Given a scenario, apply the appropriate phases and steps to plan, prepare, conduct, and report on a CMMC Level 2 Assessment.

Lesson Topic Objective Objective Description
3A, 3B, 3C 3.1.1 1. Phase 1 - Plan and Prepare Assessments:
3B 3.1.1.A
A. Analyze requirements
3C 3.1.1.B
B. Develop Assessment plan
3B 3.1.1.C
C. Verify readiness to conduct assessment
3A, 3D 3.1.2 2. Phase 2 - Conduct assessment:
3D 3.1.2.A
a. Collect and examine Evidence
3D 3.1.2.B
b. Score practices and validate preliminary results
3D 3.1.2.C
c. Generate final recommended Assessment Results
3A 3.1.3 3. Phase 3 - Report Recommended Assessment Results:
3F 3.1.3.A
a. Deliver Recommended Assessment Results

Domain 4: CMMC Levels 2 Practices

Task 1. Identify evidence verification/validation methods and objects for Practices based on the CMMC Level 2 Assessment Guide and CMMC Assessment Process (CAP) documentation.

Lesson Topic Objective Objective Description
3D 4.1.1 1. Methods and objects for determining evidence
3D 4.1.1.A
A. Examine
3D 4.1.1.B
B. Interview
3D 4.1.1.C
C. Test
3D 4.1.2 2. Adequacy and sufficiency related to Evidence around all below practices
3D 4.1.2.A
A. Characteristics of acceptable Evidence
3D 4.1.2.B
B. Evidence of enabling persistent and habitual application of practices
3D 4.1.2.B(1)
(1) Policy
3D 4.1.2.B(2)
(2) Plan
3D 4.1.2.B(3)
(3) Resourcing
3D 4.1.2.B(4)
(4) Communication
3D 4.1.2.B(5)
(5) Training
3D 4.1.2.C
C. Characterization of evidence
2C, 3D 4.1.2.C(1)
(1) Validate that evidence effectively meets intent of standard
3D 4.1.2.C(2)
(2) An objective and systematic examination of evidence for the purpose of providing an independent assessment of the performance of CMMC
5A, 6A, 7A, 8A, 9A, 10A, 11A, 12A, 13A, 14A, 15A, 16, 17A, 18A 4.1.3 3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and assessment considerations (by domain):

(at a minimum the practices listed below must be evaluated for CCA candidates)

5A, 5B 4.1.3.A A. Access Control (AC)
5A 4.1.3.A(1)
(1) AC.L2-3.1.3 – Control CUI Flow
5A 4.1.3.A(2)
(2) AC.L2-3.1.4 – Separation of Duties
5A 4.1.3.A(3)
(3) AC.L2-3.1.5 – Least Privilege
5A 4.1.3.A(4)
(4) AC.L2-3.1.6 – Non-Privileged Account Use
5A 4.1.3.A(5)
(5) AC.L2-3.1.7 – Privileged Functions
5A 4.1.3.A(6)
(6) AC.L2-3.1.8 – Unsuccessful Logon Attempts
5A 4.1.3.A(7)
(7) AC.L2-3.1.9 – Privacy & Security Notices
5A 4.1.3.A(8)
(8) AC.L2-3.1.10 – Session Lock
5A 4.1.3.A(9)
(9) AC.L2-3.1.11 – Session Termination
5A 4.1.3.A(10)
(10) AC.L2-3.1.12 – Control Remote Access
5A 4.1.3.A(11)
(11) AC.L2-3.1.13 – Remote Access Confidentiality
5A 4.1.3.A(12)
(12) AC.L2-3.1.14 – Remote Access Routing
5A 4.1.3.A(13)
(13) AC.L2-3.1.15 – Privileged Remote Access
5A 4.1.3.A(14)
(14) AC.L2-3.1.16 – Wireless Access Authorization
5A 4.1.3.A(15)
(15) AC.L2-3.1.17 – Wireless Access Protection
5A 4.1.3.A(16)
(16) AC.L2-3.1.18 – Mobile Device Connection
5A 4.1.3.A(17)
(17) AC.L2-3.1.19 – Encrypt CUI on Mobile
5A 4.1.3.A(18)
(18) AC.L2-3.1.21 – Portable Storage Use
6A, 6B 4.1.3.B B. Awareness & Training (AT)
6A 4.1.3.B(1)
(1) AT.L2-3.2.1 – Role-Based Risk Awareness
6A 4.1.3.B(2)
(2) AT.L2-3.2.2 – Role-Based Training
6A 4.1.3.B(3)
(3) AT.L2-3.2.3 – Insider Threat Awareness
7A, 7B 4.1.3.C C. Audit & Accountability (AU)
7A 4.1.3.C(1)
(1) AU.L2-3.3.1 – System Auditing
7A 4.1.3.C(2)
(2) AU.L2-3.3.2 – User Accountability
7A 4.1.3.C(3)
(3) AU.L2-3.3.3 – Event Review
7A 4.1.3.C(4)
(4) AU.L2-3.3.4 – Audit Failure Alerting
7A 4.1.3.C(5)
(5) AU.L2-3.3.5 – Audit Correlation
7A 4.1.3.C(6)
(6) AU.L2-3.3.6 – Reduction & Reporting
7A 4.1.3.C(7)
(7) AU.L2-3.3.7 – Authoritative Time Source
7A 4.1.3.C(8)
(8) AU.L2-3.3.8 – Audit Protection
7A 4.1.3.C(9)
(9) AU.L2-3.3.9 – Audit Management
9A, 9B 4.1.3.D D. Configuration Management (CM)
9A 4.1.3.D(1)
(1) CM.L2-3.4.1 – System Baselining
9A 4.1.3.D(2)
(2) CM.L2-3.4.2 – Security Configuration Enforcement
9A 4.1.3.D(3)
(3) CM.L2-3.4.3 – System Change Management
9A 4.1.3.D(4)
(4) CM.L2-3.4.4 – Security Impact Analysis
9A 4.1.3.D(5)
(5) CM.L2-3.4.5 – Access Restrictions for Change
9A 4.1.3.D(6)
(6) CM.L2-3.4.6 – Least Functionality
9A 4.1.3.D(7)
(7) CM.L2-3.4.7 – Nonessential Functionality
9A 4.1.3.D(8)
(8) CM.L2-3.4.8 – Application Execution Policy
9A 4.1.3.D(9)
(9) CM.L2-3.4.9 – User-Installed Software
10A, 10B 4.1.3.E E. Identification & Authentication (IA)
10A 4.1.3.E(1)
(1) IA.L2-3.5.3 – Multifactor Authentication
10A 4.1.3.E(2)
(2) IA.L2-3.5.4 – Replay-Resistant Authentication
10A 4.1.3.E(3)
(3) IA.L2-3.5.5 – Identifier Reuse
10A 4.1.3.E(4)
(4) IA.L2-3.5.6 – Identifier Handling
10A 4.1.3.E(5)
(5) IA.L2-3.5.7 – Password Complexity
10A 4.1.3.E(6)
(6) IA.L2-3.5.8 – Password Reuse
10A 4.1.3.E(7)
(7) IA.L2-3.5.9 – Temporary Passwords
10A 4.1.3.E(8)
(8) IA.L2-3.5.10 – Cryptographically-Protected Passwords
10A 4.1.3.E(9)
(9) IA.L2-3.5.11 – Obscure Feedback
11A, 11B 4.1.3.F F. Incident Response (IR)
11A 4.1.3.F(1)
(1) IR.L2-3.6.1 – Incident Handling
11A 4.1.3.F(2)
(2) IR.L2-3.6.2 – Incident Reporting
11A 4.1.3.F(3)
(3) IR.L2-3.6.3 – Incident Response Testing
12A, 12B 4.1.3.G G. Maintenance (MA)
12A 4.1.3.G(1)
(1) MA.L2-3.7.1 – Perform Maintenance
12A 4.1.3.G(2)
(2) MA.L2-3.7.2 – System Maintenance Control
12A 4.1.3.G(3)
(3) MA.L2-3.7.3 – Equipment Sanitization
12A 4.1.3.G(4)
(4) MA.L2-3.7.4 – Media Inspection
12A 4.1.3.G(5)
(5) MA.L2-3.7.5 – Nonlocal Maintenance
12A 4.1.3.G(6)
(6) MA.L2-3.7.6 – Maintenance Personnel
13A, 13B 4.1.3.H H. Media Protection (MP)
13A 4.1.3.H(1)
(1) MP.L2-3.8.1 – Media Protection
13A 4.1.3.H(2)
(2) MP.L2-3.8.2 – Media Access
13A 4.1.3.H(3)
(3) MP.L2-3.8.4 – Media Markings
13A 4.1.3.H(4)
(4) MP.L2-3.8.5 – Media Accountability
13A 4.1.3.H(5)
(5) MP.L2-3.8.6 – Portable Storage Encryption
13A 4.1.3.H(6)
(6) MP.L2-3.8.7 – Removeable Media
13A 4.1.3.H(7)
(7) MP.L2-3.8.8 – Shared Media
13A 4.1.3.H(8)
(8) MP.L2-3.8.9 – Protect Backups
15A, 15B 4.1.3.I I. Personnel Security (PS)
15A 4.1.3.I(1)
(1) PS.L2-3.9.1 – Screen Individuals
15A 4.1.3.I(2)
(2) PS.L2-3.9.2 – Personnel Actions
14A, 14B 4.1.3.J J. Physical Protection (PE)
14A 4.1.3.J(1)
(1) PE.L2-3.10.2 – Monitor Facility
14A 4.1.3.J(2)
(2) PE.L2-3.10.6 – Alternative Work Sites
16A, 16B 4.1.3.K K. Risk Assessment (RA)
16A 4.1.3.K(1)
(1) RA.L2-3.11.1 – Risk Assessments
16A 4.1.3.K(2)
(2) RA.L2-3.11.2 – Vulnerability Scan
16A 4.1.3.K(3)
(3) RA.L2-3.11.3 – Vulnerability Remediation
8A, 8B 4.1.3.L L. Security Assessment (CA)
8A 4.1.3.L(1)
(1) CA.L2-3.12.1 – Security Control Assessment
8A 4.1.3.L(2)
(2) CA.L2-3.12.2 – Plan of Action
8A 4.1.3.L(3)
(3) CA.L2-3.12.3 – Security Control Monitoring
8A 4.1.3.L(4)
(4) CA.L2-3.12.4 – System Security Plan
17A, 17B 4.1.3.M M. System & Communications Protection (SC)
17A 4.1.3.M(1)
(1) SC.L2-3.13.2 – Security Engineering
17A 4.1.3.M(2)
(2) SC.L2-3.13.3 – Role Separation
17A 4.1.3.M(3)
(3) SC.L2-3.13.4 – Shared Resource Control
17A 4.1.3.M(4)
(4) SC.L2-3.13.6 – Network Communication by Exception
17A 4.1.3.M(5)
(5) SC.L2-3.13.7 – Split Tunneling
17A 4.1.3.M(6)
(6) SC.L2-3.13.8 – Data in Transit
17A 4.1.3.M(7)
(7) SC.L2-3.13.9 – Connections Termination
17A 4.1.3.M(8)
(8) SC.L2-3.13.10 – Key Management
17A 4.1.3.M(9)
(9) SC.L2-3.13.11 – CUI Encryption
17A 4.1.3.M(10)
(10) SC.L2-3.13.12 – Collaborative Device Control
17A 4.1.3.M(11)
(11) SC.L2-3.13.13 – Mobile Code
17A 4.1.3.M(12)
(12) SC.L2-3.13.14 – Voice over Internet Protocol
17A 4.1.3.M(13)
(13) SC.L2-3.13.15 – Communications Authenticity
17A 4.1.3.M(14)
(14) SC.L2-3.13.16 – Data at Rest
18A, 18B 4.1.3.N N. System & Information Integrity (SI)
18A 4.1.3.N(1)
(1) SI.L2-3.14.3 – Security Alerts & Advisories
18A 4.1.3.N(2)
(2) SI.L2-3.14.6 – Monitor Communications for Attacks
18A 4.1.3.N(3)
(3) SI.L2-3.14.7 – Identify Unauthorized Use