Commonly Accepted and Practiced CMMC Operation Matrix
Jump to navigation
Jump to search
The Commonly Accepted and Practiced CMMC Operation Matrix (CAPCOM) serves as an experimental repository for all CMMC Level 2 security requirements, assessment objectives, and AI-enhanced methodologies for evidence collection and evaluation.
Powered by advanced Large Language Model (LLM) technology, CAPCOM provides guidance for evaluating information system compliance with the CMMC program. Security professionals and IT leaders can leverage this AI-enhanced model to systematically identify gaps between their organizational infrastructure and CMMC requirements, enabling strategic remediation planning and implementation.
DISCLAIMER: The LLM-based AI is pretty cool, but it can also create erroneous responses. Always double-check a response before using it.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Access Control (AC)
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | Sample Prompt Template | N/A |
| [a] authorized users are identified. | Sample Prompt | Sample Response |
| [b] processes acting on behalf of authorized users are identified. | Sample Prompt | Sample Response |
| [c] devices (and other systems) authorized to connect to the system are identified. | Sample Prompt | Sample Response |
| [d] system access is limited to authorized users. | Sample Prompt | Sample Response |
| [e] system access is limited to processes acting on behalf of authorized users. | Sample Prompt | Sample Response |
| [f] system access is limited to authorized devices (including other systems). | Sample Prompt | Sample Response |
AC.L2-3.1.2 – Transaction & Function Control [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Sample Prompt Template | N/A |
| [a] the types of transactions and functions that authorized users are permitted to execute are defined. | Sample Prompt | Sample Response |
| [b] system access is limited to the defined types of transactions and functions for authorized users. | Sample Prompt | Sample Response |
AC.L2-3.1.3 – Control CUI Flow
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.3 Control the flow of CUI in accordance with approved authorizations. | Sample Prompt Template | N/A |
| [a] information flow control policies are defined. | Sample Prompt | Sample Response |
| [b] methods and enforcement mechanisms for controlling the flow of CUI are defined. | Sample Prompt | Sample Response |
| [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. | Sample Prompt | Sample Response |
| [d] authorizations for controlling the flow of CUI are defined. | Sample Prompt | Sample Response |
| [e] approved authorizations for controlling the flow of CUI are enforced. | Sample Prompt | Sample Response |
AC.L2-3.1.4 – Separation of Duties
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Sample Prompt Template | N/A |
| [a] the duties of individuals requiring separation are defined. | Sample Prompt | Sample Response |
| [b] responsibilities for duties that require separation are assigned to separate individuals. | Sample Prompt | Sample Response |
| [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. | Sample Prompt | Sample Response |
AC.L2-3.1.5 – Least Privilege
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. | Sample Prompt Template | N/A |
| [a] privileged accounts are identified. | Sample Prompt | Sample Response |
| [b] access to privileged accounts is authorized in accordance with the principle of least privilege. | Sample Prompt | Sample Response |
| [c] security functions are identified. | Sample Prompt | Sample Response |
| [d] access to security functions is authorized in accordance with the principle of least privilege. | Sample Prompt | Sample Response |
AC.L2-3.1.6 – Non-Privileged Account Use
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions. | Sample Prompt Template | N/A |
| [a] nonsecurity functions are identified. | Sample Prompt | Sample Response |
| [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions. | Sample Prompt | Sample Response |
AC.L2-3.1.7 – Privileged Functions
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Sample Prompt Template | N/A |
| [a] privileged functions are defined. | Sample Prompt | Sample Response |
| [b] non-privileged users are defined. | Sample Prompt | Sample Response |
| [c] non-privileged users are prevented from executing privileged functions. | Sample Prompt | Sample Response |
| [d] the execution of privileged functions is captured in audit logs. | Sample Prompt | Sample Response |
AC.L2-3.1.8 – Unsuccessful Logon Attempts
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Limit unsuccessful logon attempts. | Sample Prompt Template | N/A |
| [a] the means of limiting unsuccessful logon attempts is defined. | Sample Prompt | Sample Response |
| [b] the defined means of limiting unsuccessful logon attempts is implemented. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.9 – Privacy & Security Notices
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Provide privacy and security notices consistent with applicable CUI rules. | Sample Prompt Template | N/A |
| [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. | Sample Prompt | Sample Response |
| [b] privacy and security notices are displayed. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.10 – Session Lock
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | Sample Prompt Template | N/A |
| [a] the period of inactivity after which the system initiates a session lock is defined. | Sample Prompt | Sample Response |
| [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. | Sample Prompt | Sample Response |
| [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.11 – Session Termination
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Terminate (automatically) a user session after a defined condition. | Sample Prompt Template | N/A |
| [a] conditions requiring a user session to terminate are defined. | Sample Prompt | Sample Response |
| [b] a user session is automatically terminated after any of the defined conditions | ||
| More Practice Details... |
AC.L2-3.1.12 – Control Remote Access
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Monitor and control remote access sessions. | Sample Prompt Template | N/A |
| [a] remote access sessions are permitted. | Sample Prompt | Sample Response |
| [b] the types of permitted remote access are identified. | Sample Prompt | Sample Response |
| [c] remote access sessions are controlled. | Sample Prompt | Sample Response |
| [d] remote access sessions are monitored. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.13 – Remote Access Confidentiality
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Sample Prompt Template | N/A |
| [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. | Sample Prompt | Sample Response |
| [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.14 – Remote Access Routing
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Route remote access via managed access control points. | Sample Prompt Template | N/A |
| [a] managed access control points are identified and implemented. | Sample Prompt | Sample Response |
| [b] remote access is routed through managed network access control points. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.15 – Privileged Remote Access
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Authorize remote execution of privileged commands and remote access to security-relevant information. | Sample Prompt Template | N/A |
| [a] privileged commands authorized for remote execution are identified. | Sample Prompt | Sample Response |
| [b] security-relevant information authorized to be accessed remotely is identified. | Sample Prompt | Sample Response |
| [c] the execution of the identified privileged commands via remote access is authorized. | Sample Prompt | Sample Response |
| [d] access to the identified security-relevant information via remote access is authorized. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.16 – Wireless Access Authorization
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Authorize wireless access prior to allowing such connections. | Sample Prompt Template | N/A |
| [a] wireless access points are identified. | Sample Prompt | Sample Response |
| [b] wireless access is authorized prior to allowing such connections. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.17 – Wireless Access Protection
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Protect wireless access using authentication and encryption. | Sample Prompt Template | N/A |
| [a] wireless access to the system is protected using authentication. | Sample Prompt | Sample Response |
| [b] wireless access to the system is protected using encryption. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.18 – Mobile Device Connection
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Control connection of mobile devices. | Sample Prompt Template | N/A |
| [a] mobile devices that process, store, or transmit CUI are identified. | Sample Prompt | Sample Response |
| [b] mobile device connections are authorized. | Sample Prompt | Sample Response |
| [c] mobile device connections are monitored and logged. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.19 – Encrypt CUI on Mobile
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Encrypt CUI on mobile devices and mobile computing platforms. | Sample Prompt Template | N/A |
| [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. | Sample Prompt | Sample Response |
| [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.20 – External Connections [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Verify and control/limit connections to and use of external information systems. | Sample Prompt Template | N/A |
| [a] connections to external systems are identified. | Sample Prompt | Sample Response |
| [b] the use of external systems is identified. | Sample Prompt | Sample Response |
| [c] connections to external systems are verified. | Sample Prompt | Sample Response |
| [d] the use of external systems is verified. | Sample Prompt | Sample Response |
| [e] connections to external systems are controlled/limited. | Sample Prompt | Sample Response |
| [f] the use of external systems is controlled/limited. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.21 – Portable Storage Use
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Limit use of portable storage devices on external systems. | Sample Prompt Template | N/A |
| [a] the use of portable storage devices containing CUI on external systems is identified and documented. | Sample Prompt | Sample Response |
| [b] limits on the use of portable storage devices containing CUI on external systems are defined. | Sample Prompt | Sample Response |
| [c] the use of portable storage devices containing CUI on external systems is limited as defined. | Sample Prompt | Sample Response |
| More Practice Details... |
AC.L2-3.1.22 – Control Public Information [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Control information posted or processed on publicly accessible information systems. | Sample Prompt Template | N/A |
| [a] individuals authorized to post or process information on publicly accessible systems are identified. | Sample Prompt | Sample Response |
| [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. | Sample Prompt | Sample Response |
| [c] a review process is in place prior to posting of any content to publicly accessible systems. | Sample Prompt | Sample Response |
| [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI. | Sample Prompt | Sample Response |
| [e] mechanisms are in place to remove and address improper posting of CUI. | Sample Prompt | Sample Response |
| More Practice Details... |
Awareness and Training (AT)
AT.L2-3.2.1 – Role-Based Risk Awareness
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | Sample Prompt Template | N/A |
| [a] security risks associated with organizational activities involving CUI are identified. | Sample Prompt | Sample Response |
| [b] policies, standards, and procedures related to the security of the system are identified. | Sample Prompt | Sample Response |
| [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. | Sample Prompt | Sample Response |
| [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. | Sample Prompt | Sample Response |
| More Practice Details... |
AT.L2-3.2.2 – Role-Based Training
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | Sample Prompt Template | N/A |
| [a] information security-related duties, roles, and responsibilities are defined. | Sample Prompt | Sample Response |
| [b] information security-related duties, roles, and responsibilities are assigned to designated personnel. | Sample Prompt | Sample Response |
| [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. | Sample Prompt | Sample Response |
| More Practice Details... |
AT.L2-3.2.3 – Insider Threat Awareness
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Provide security awareness training on recognizing and reporting potential indicators of insider threat. | Sample Prompt Template | N/A |
| [a] potential indicators associated with insider threats are identified. | Sample Prompt | Sample Response |
| [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. | Sample Prompt | Sample Response |
| More Practice Details... |
Audit and Accountability (AU)
AU.L2-3.3.1 – System Auditing
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Sample Prompt Template | N/A |
| [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. | Sample Prompt | Sample Response |
| [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. | Sample Prompt | Sample Response |
| [c] audit records are created (generated). | Sample Prompt | Sample Response |
| [d] audit records, once created, contain the defined content. | Sample Prompt | Sample Response |
| [e] retention requirements for audit records are defined. | Sample Prompt | Sample Response |
| [f] audit records are retained as defined. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.2 – User Accountability
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Sample Prompt Template | N/A |
| [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. | Sample Prompt | Sample Response |
| [b] audit records, once created, contain the defined content. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.3 – Event Review
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Review and update logged events. | Sample Prompt Template | N/A |
| [a] a process for determining when to review logged events is defined. | Sample Prompt | Sample Response |
| [b] event types being logged are reviewed in accordance with the defined review process. | Sample Prompt | Sample Response |
| [c] event types being logged are updated based on the review. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.4 – Audit Failure Alerting
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Alert in the event of an audit logging process failure. | Sample Prompt Template | N/A |
| [a] personnel or roles to be alerted in the event of an audit logging process failure are identified. | Sample Prompt | Sample Response |
| [b] types of audit logging process failures for which alert will be generated are defined. | Sample Prompt | Sample Response |
| [c] identified personnel or roles are alerted in the event of an audit logging process failure. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.5 – Audit Correlation
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Sample Prompt Template | N/A |
| [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. | Sample Prompt | Sample Response |
| [b] defined audit record review, analysis, and reporting processes are correlated. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.6 – Reduction & Reporting
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Provide audit record reduction and report generation to support on-demand analysis and reporting. | Sample Prompt Template | N/A |
| [a] an audit record reduction capability that supports on-demand analysis is provided. | Sample Prompt | Sample Response |
| [b] a report generation capability that supports on-demand reporting is provided. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.7 – Authoritative Time Source
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | Sample Prompt Template | N/A |
| [a] internal system clocks are used to generate time stamps for audit records. | Sample Prompt | Sample Response |
| [b] an authoritative source with which to compare and synchronize internal system clocks is specified. | Sample Prompt | Sample Response |
| [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.8 – Audit Protection
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Sample Prompt Template | N/A |
| [a] audit information is protected from unauthorized access. | Sample Prompt | Sample Response |
| [b] audit information is protected from unauthorized modification. | Sample Prompt | Sample Response |
| [c] audit information is protected from unauthorized deletion. | Sample Prompt | Sample Response |
| [d] audit logging tools are protected from unauthorized access. | Sample Prompt | Sample Response |
| [e] audit logging tools are protected from unauthorized modification. | Sample Prompt | Sample Response |
| [f] audit logging tools are protected from unauthorized deletion. | Sample Prompt | Sample Response |
| More Practice Details... |
AU.L2-3.3.9 – Audit Management
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Limit management of audit logging functionality to a subset of privileged users. | Sample Prompt Template | N/A |
| [a] a subset of privileged users granted access to manage audit logging functionality is defined. | Sample Prompt | Sample Response |
| [b] management of audit logging functionality is limited to the defined subset of privileged users. | Sample Prompt | Sample Response |
| More Practice Details... |
Configuration Management (CM)
CM.L2-3.4.1 – System Baselining
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Sample Prompt Template | N/A |
| [a] a baseline configuration is established. | Sample Prompt | Sample Response |
| [b] the baseline configuration includes hardware, software, firmware, and documentation. | Sample Prompt | Sample Response |
| [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. | Sample Prompt | Sample Response |
| [d] a system inventory is established. | Sample Prompt | Sample Response |
| [e] the system inventory includes hardware, software, firmware, and documentation. | Sample Prompt | Sample Response |
| [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle. | Sample Prompt | Sample Response |
CM.L2-3.4.2 – Security Configuration Enforcement
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. | Sample Prompt Template | N/A |
| [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. | Sample Prompt | Sample Response |
| [b] security configuration settings for information technology products employed in the system are enforced. | Sample Prompt | Sample Response |
CM.L2-3.4.3 – System Change Management
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.3 Track, review, approve or disapprove, and log changes to organizational systems. | Sample Prompt Template | N/A |
| [a] changes to the system are tracked. | Sample Prompt | Sample Response |
| [b] changes to the system are reviewed. | Sample Prompt | Sample Response |
| [c] changes to the system are approved or disapproved. | Sample Prompt | Sample Response |
| [d] changes to the system are logged. | Sample Prompt | Sample Response |
CM.L2-3.4.4 – Security Impact Analysis
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.4 Analyze the security impact of changes prior to implementation. | Sample Prompt Template | N/A |
| [a] the security impact of changes to the system is analyzed prior to implementation. | Sample Prompt | Sample Response |
CM.L2-3.4.5 – Access Restrictions for Change
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Sample Prompt Template | N/A |
| [a] physical access restrictions associated with changes to the system are defined. | Sample Prompt | Sample Response |
| [b] physical access restrictions associated with changes to the system are documented. | Sample Prompt | Sample Response |
| [c] physical access restrictions associated with changes to the system are approved. | Sample Prompt | Sample Response |
| [d] physical access restrictions associated with changes to the system are enforced. | Sample Prompt | Sample Response |
| [e] logical access restrictions associated with changes to the system are defined. | Sample Prompt | Sample Response |
| [f] logical access restrictions associated with changes to the system are documented. | Sample Prompt | Sample Response |
| [g] logical access restrictions associated with changes to the system are approved. | Sample Prompt | Sample Response |
| [h] logical access restrictions associated with changes to the system are enforced. | Sample Prompt | Sample Response |
CM.L2-3.4.6 – Least Functionality
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Sample Prompt Template | N/A |
| [a] essential system capabilities are defined based on the principle of least functionality. | Sample Prompt | Sample Response |
| [b] the system is configured to provide only the defined essential capabilities. | Sample Prompt | Sample Response |
CM.L2-3.4.7 – Nonessential Functionality
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Sample Prompt Template | N/A |
| [a] essential programs are defined. | Sample Prompt | Sample Response |
| [b] the use of nonessential programs is defined. | Sample Prompt | Sample Response |
| [c] the use of nonessential programs is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response |
| [d] essential functions are defined. | Sample Prompt | Sample Response |
| [e] the use of nonessential functions is defined. | Sample Prompt | Sample Response |
| [f] the use of nonessential functions is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response |
| [g] essential ports are defined. | Sample Prompt | Sample Response |
| [h] the use of nonessential ports is defined. | Sample Prompt | Sample Response |
| [i] the use of nonessential ports is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response |
| [j] essential protocols are defined. | Sample Prompt | Sample Response |
| [k] the use of nonessential protocols is defined. | Sample Prompt | Sample Response |
| [l] the use of nonessential protocols is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response |
| [m] essential services are defined. | Sample Prompt | Sample Response |
| [n] the use of nonessential services is defined. | Sample Prompt | Sample Response |
| [o] the use of nonessential services is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response |
CM.L2-3.4.8 – Application Execution Policy
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Sample Prompt Template | N/A |
| [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. | Sample Prompt | Sample Response |
| [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. | Sample Prompt | Sample Response |
| [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. | Sample Prompt | Sample Response |
CM.L2-3.4.9 – User-Installed Software
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| CM.L2-3.4.9 Control and monitor user-installed software. | Sample Prompt Template | N/A |
| [a] a policy for controlling the installation of software by users is established. | Sample Prompt | Sample Response |
| [b] installation of software by users is controlled based on the established policy. | Sample Prompt | Sample Response |
| [c] installation of software by users is monitored. | Sample Prompt | Sample Response |
Identification and Authentication (IA)
IA.L2-3.5.1 – Identification [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Identify information system users, processes acting on behalf of users, or devices. | Sample Prompt Template | N/A |
| [a] system users are identified. | Sample Prompt | Sample Response |
| [b] processes acting on behalf of users are identified. | Sample Prompt | Sample Response |
| [c] devices accessing the system are identified. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.2 – Authentication [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Sample Prompt Template | N/A |
| [a] the identity of each user is authenticated or verified as a prerequisite to system access. | Sample Prompt | Sample Response |
| [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. | Sample Prompt | Sample Response |
| [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.3 – Multifactor Authentication
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Sample Prompt Template | N/A |
| [a] privileged accounts are identified. | Sample Prompt | Sample Response |
| [b] multifactor authentication is implemented for local access to privileged accounts. | Sample Prompt | Sample Response |
| [c] multifactor authentication is implemented for network access to privileged accounts. | Sample Prompt | Sample Response |
| [d] multifactor authentication is implemented for network access to non-privileged accounts. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.4 – Replay-Resistant Authentication
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Sample Prompt Template | N/A |
| [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.5 – Identifier Reuse
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Prevent reuse of identifiers for a defined period. | Sample Prompt Template | N/A |
| [a] a period within which identifiers cannot be reused is defined. | Sample Prompt | Sample Response |
| [b] reuse of identifiers is prevented within the defined period. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.6 – Identifier Handling
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Disable identifiers after a defined period of inactivity. | Sample Prompt Template | N/A |
| [a] a period of inactivity after which an identifier is disabled is defined. | Sample Prompt | Sample Response |
| [b] identifiers are disabled after the defined period of inactivity. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.7 – Password Complexity
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Enforce a minimum password complexity and change of characters when new passwords are created. | Sample Prompt Template | N/A |
| [a] password complexity requirements are defined. | Sample Prompt | Sample Response |
| [b] password change of character requirements are defined. | Sample Prompt | Sample Response |
| [c] minimum password complexity requirements as defined are enforced when new passwords are created. | Sample Prompt | Sample Response |
| [d] minimum password change of character requirements as defined are enforced when new passwords are created. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.8 – Password Reuse
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Prohibit password reuse for a specified number of generations. | Sample Prompt Template | N/A |
| [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.9 – Temporary Passwords
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Allow temporary password use for system logons with an immediate change to a permanent password. | Sample Prompt Template | N/A |
| [a] an immediate change to a permanent password is required when a temporary password is used for system logon. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.10 – Cryptographically-Protected Passwords
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Store and transmit only cryptographically-protected passwords. | Sample Prompt Template | N/A |
| [a] passwords are cryptographically protected in storage. | Sample Prompt | Sample Response |
| [b] passwords are cryptographically protected in transit. | Sample Prompt | Sample Response |
| More Practice Details... |
IA.L2-3.5.11 – Obscure Feedback
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Obscure feedback of authentication information. | Sample Prompt Template | N/A |
| [a] authentication information is obscured during the authentication process. | Sample Prompt | Sample Response |
| More Practice Details... |
Incident Response (IR)
IR.L2-3.6.1 – Incident Handling
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Sample Prompt Template | N/A |
| [a] an operational incident-handling capability is established. | Sample Prompt | Sample Response |
| [b] the operational incident-handling capability includes preparation. | Sample Prompt | Sample Response |
| [c] the operational incident-handling capability includes detection. | Sample Prompt | Sample Response |
| [d] the operational incident-handling capability includes analysis. | Sample Prompt | Sample Response |
| [e] the operational incident-handling capability includes containment. | Sample Prompt | Sample Response |
| [f] the operational incident-handling capability includes recovery. | Sample Prompt | Sample Response |
| [g] the operational incident-handling capability includes user response | ||
| More Practice Details... |
IR.L2-3.6.2 – Incident Reporting
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | Sample Prompt Template | N/A |
| [a] incidents are tracked. | Sample Prompt | Sample Response |
| [b] incidents are documented. | Sample Prompt | Sample Response |
| [c] authorities to whom incidents are to be reported are identified. | Sample Prompt | Sample Response |
| [d] organizational officials to whom incidents are to be reported are identified. | Sample Prompt | Sample Response |
| [e] identified authorities are notified of incidents. | Sample Prompt | Sample Response |
| [f] identified organizational officials are notified of incidents. | Sample Prompt | Sample Response |
| More Practice Details... |
IR.L2-3.6.3 – Incident Response Testing
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Test the organizational incident response capability. | Sample Prompt Template | N/A |
| [a] the incident response capability is tested. | Sample Prompt | Sample Response |
| More Practice Details... |
Maintenance (MA)
MA.L2-3.7.1 – Perform Maintenance
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MA.L2-3.7.1 Perform maintenance on organizational systems. | Sample Prompt Template | N/A |
| [a] system maintenance is performed. | Sample Prompt | Sample Response |
MA.L2-3.7.2 – System Maintenance Control
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MA.L2-3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | Sample Prompt Template | N/A |
| [a] tools used to conduct system maintenance are controlled. | Sample Prompt | Sample Response |
| [b] techniques used to conduct system maintenance are controlled. | Sample Prompt | Sample Response |
| [c] mechanisms used to conduct system maintenance are controlled. | Sample Prompt | Sample Response |
| [d] personnel used to conduct system maintenance are controlled. | Sample Prompt | Sample Response |
MA.L2-3.7.3 – Equipment Sanitization
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Sample Prompt Template | N/A |
| [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. | Sample Prompt | Sample Response |
MA.L2-3.7.4 – Media Inspection
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Sample Prompt Template | N/A |
| [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. | Sample Prompt | Sample Response |
MA.L2-3.7.5 – Nonlocal Maintenance
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | Sample Prompt Template | N/A |
| [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. | Sample Prompt | Sample Response |
| [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. | Sample Prompt | Sample Response |
MA.L2-3.7.6 – Maintenance Personnel
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. | Sample Prompt Template | N/A |
| [a] maintenance personnel without required access authorization are supervised during maintenance activities. | Sample Prompt | Sample Response |
| More Practice Details... |
Media Protection (MP)
MP.L2-3.8.1 – Media Protection
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | Sample Prompt Template | N/A |
| [a] paper media containing CUI is physically controlled. | Sample Prompt | Sample Response |
| [b] digital media containing CUI is physically controlled. | Sample Prompt | Sample Response |
| [c] paper media containing CUI is securely stored. | Sample Prompt | Sample Response |
| [d] digital media containing CUI is securely stored. | Sample Prompt | Sample Response |
MP.L2-3.8.2 – Media Access
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.2 Limit access to CUI on system media to authorized users. | Sample Prompt Template | N/A |
| [a] access to CUI on system media is limited to authorized users. | Sample Prompt | Sample Response |
MP.L2-3.8.3 – Media Disposal [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | Sample Prompt Template | N/A |
| [a] system media containing CUI is sanitized or destroyed before disposal. | Sample Prompt | Sample Response |
| [b] system media containing CUI is sanitized before it is released for reuse. | Sample Prompt | Sample Response |
MP.L2-3.8.4 – Media Markings
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.4 Mark media with necessary CUI markings and distribution limitations. | Sample Prompt Template | N/A |
| [a] media containing CUI is marked with applicable CUI markings. | Sample Prompt | Sample Response |
| [b] media containing CUI is marked with distribution limitations. | Sample Prompt | Sample Response |
MP.L2-3.8.5 – Media Accountability
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | Sample Prompt Template | N/A |
| [a] access to media containing CUI is controlled. | Sample Prompt | Sample Response |
| [b] accountability for media containing CUI is maintained during transport outside of controlled areas. | Sample Prompt | Sample Response |
MP.L2-3.8.6 – Portable Storage Encryption
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Sample Prompt Template | N/A |
| [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. | Sample Prompt | Sample Response |
MP.L2-3.8.7 – Removable Media
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.7 Control the use of removable media on system components. | Sample Prompt Template | N/A |
| [a] the use of removable media on system components is controlled. | Sample Prompt | Sample Response |
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. | Sample Prompt Template | N/A |
| [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. | Sample Prompt | Sample Response |
MP.L2-3.8.9 – Protect Backups
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| MP.L2-3.8.9 Protect the confidentiality of backup CUI at storage locations. | Sample Prompt Template | N/A |
| [a] the confidentiality of backup CUI is protected at storage locations. | Sample Prompt | Sample Response |
Personnel Security (PS)
PS.L2-3.9.1 – Screen Individuals
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI. | Sample Prompt Template | N/A |
| [a] individuals are screened prior to authorizing access to organizational systems containing CUI. | Sample Prompt | Sample Response |
PS.L2-3.9.2 – Personnel Actions
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | Sample Prompt Template | N/A |
| [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. | Sample Prompt | Sample Response |
| [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer. | Sample Prompt | Sample Response |
| [c] the system is protected during and after personnel transfer actions. | Sample Prompt | Sample Response |
Physical Protection (PE)
PE.L2-3.10.1 – Limit Physical Access [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Sample Prompt Template | N/A |
| [a] authorized individuals allowed physical access are identified. | Sample Prompt | Sample Response |
| [b] physical access to organizational systems is limited to authorized individuals. | Sample Prompt | Sample Response |
| [c] physical access to equipment is limited to authorized individuals. | Sample Prompt | Sample Response |
| [d] physical access to operating environments is limited to authorized. | Sample Prompt | Sample Response |
| More Practice Details... |
PE.L2-3.10.2 – Monitor Facility
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Protect and monitor the physical facility and support infrastructure for organizational systems. | Sample Prompt Template | N/A |
| [a] the physical facility where organizational systems reside is protected. | Sample Prompt | Sample Response |
| [b] the support infrastructure for organizational systems is protected. | Sample Prompt | Sample Response |
| [c] the physical facility where organizational systems reside is monitored. | Sample Prompt | Sample Response |
| [d] the support infrastructure for organizational systems is monitored. | Sample Prompt | Sample Response |
| More Practice Details... |
PE.L2-3.10.3 – Escort Visitors [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Escort visitors and monitor visitor activity. | Sample Prompt Template | N/A |
| [a] visitors are escorted. | Sample Prompt | Sample Response |
| [b] visitor activity is monitored. | Sample Prompt | Sample Response |
| More Practice Details... |
PE.L2-3.10.4 – Physical Access Logs [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Maintain audit logs of physical access. | Sample Prompt Template | N/A |
| [a] audit logs of physical access are maintained. | Sample Prompt | Sample Response |
| More Practice Details... |
PE.L2-3.10.5 – Manage Physical Access [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Control and manage physical access devices. | Sample Prompt Template | N/A |
| [a] physical access devices are identified. | Sample Prompt | Sample Response |
| [b] physical access devices are controlled. | Sample Prompt | Sample Response |
| [c] physical access devices are managed. | Sample Prompt | Sample Response |
| More Practice Details... |
PE.L2-3.10.6 – Alternative Work Sites
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Enforce safeguarding measures for CUI at alternate work sites. | Sample Prompt Template | N/A |
| [a] safeguarding measures for CUI are defined for alternate work sites. | Sample Prompt | Sample Response |
| [b] safeguarding measures for CUI are enforced for alternate work sites. | Sample Prompt | Sample Response |
| More Practice Details... |
Risk Assessment (RA)
RA.L2-3.11.1 – Risk Assessments
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Sample Prompt Template | N/A |
| [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. | Sample Prompt | Sample Response |
| [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. | Sample Prompt | Sample Response |
| More Practice Details... |
RA.L2-3.11.2 – Vulnerability Scan
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Sample Prompt Template | N/A |
| [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined. | Sample Prompt | Sample Response |
| [b] vulnerability scans are performed on organizational systems with the defined frequency. | Sample Prompt | Sample Response |
| [c] vulnerability scans are performed on applications with the defined frequency. | Sample Prompt | Sample Response |
| [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified. | Sample Prompt | Sample Response |
| [e] vulnerability scans are performed on applications when new vulnerabilities are
identified. || Sample Prompt || Sample Response | ||
| More Practice Details... |
RA.L2-3.11.3 – Vulnerability Remediation
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Remediate vulnerabilities in accordance with risk assessments. | Sample Prompt Template | N/A |
| [a] vulnerabilities are identified. | Sample Prompt | Sample Response |
| [b] vulnerabilities are remediated in accordance with risk assessments. | Sample Prompt | Sample Response |
| More Practice Details... |
Security Assessment (CA)
CA.L2-3.12.1 – Security Control Assessment
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Sample Prompt Template | N/A |
| [a] the frequency of security control assessments is defined. | Sample Prompt | Sample Response |
| [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application. | Sample Prompt | Sample Response |
| More Practice Details... |
CA.L2-3.12.2 – Operational Plan of Action
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Sample Prompt Template | N/A |
| [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified. | Sample Prompt | Sample Response |
| [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | Sample Prompt | Sample Response |
| [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | Sample Prompt | Sample Response |
| More Practice Details... |
CA.L2-3.12.3 – Security Control Monitoring
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Sample Prompt Template | N/A |
| [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. | Sample Prompt | Sample Response |
| More Practice Details... |
CA.L2-3.12.4 – System Security Plan =
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | Sample Prompt Template | N/A |
| [a] a system security plan is developed. | Sample Prompt | Sample Response |
| [b] the system boundary is described and documented in the system security plan. | Sample Prompt | Sample Response |
| [c] the system environment of operation is described and documented in the system security plan. | Sample Prompt | Sample Response |
| [d] the security requirements identified and approved by the designated authority as non-applicable are identified. | Sample Prompt | Sample Response |
| [e] the method of security requirement implementation is described and documented in the system security plan. | Sample Prompt | Sample Response |
| [f] the relationship with or connection to other systems is described and documented in the system security plan. | Sample Prompt | Sample Response |
| [g] the frequency to update the system security plan is defined. | Sample Prompt | Sample Response |
| [h] system security plan is updated with the defined frequency. | Sample Prompt | Sample Response |
| More Practice Details... |
System and Communications Protection (SC)
SC.L2-3.13.1 – Boundary Protection [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | Sample Prompt Template | N/A |
| [a] the external system boundary is defined. | Sample Prompt | Sample Response |
| [b] key internal system boundaries are defined. | Sample Prompt | Sample Response |
| [c] communications are monitored at the external system boundary. | Sample Prompt | Sample Response |
| [d] communications are monitored at key internal boundaries. | Sample Prompt | Sample Response |
| [e] communications are controlled at the external system boundary. | Sample Prompt | Sample Response |
| [f] communications are controlled at key internal boundaries. | Sample Prompt | Sample Response |
| [g] communications are protected at the external system boundary. | Sample Prompt | Sample Response |
| [h] communications are protected at key internal boundaries. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.2 – Security Engineering
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Sample Prompt Template | N/A |
| [a] architectural designs that promote effective information security are identified. | Sample Prompt | Sample Response |
| [b] software development techniques that promote effective information security are identified. | Sample Prompt | Sample Response |
| [c] systems engineering principles that promote effective information security are identified. | Sample Prompt | Sample Response |
| [d] identified architectural designs that promote effective information security are employed. | Sample Prompt | Sample Response |
| [e] identified software development techniques that promote effective information security are employed. | Sample Prompt | Sample Response |
| [f] identified systems engineering principles that promote effective information security are employed. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.3 – Role Separation
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Separate user functionality from system management functionality. | Sample Prompt Template | N/A |
| [a] user functionality is identified. | Sample Prompt | Sample Response |
| [b] system management functionality is identified. | Sample Prompt | Sample Response |
| [c] user functionality is separated from system management functionality. | Sample Prompt | Sample Response |
| More Practice Details... |
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Prevent unauthorized and unintended information transfer via shared system resources. | Sample Prompt Template | N/A |
| [a] unauthorized and unintended information transfer via shared system resources is prevented. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Sample Prompt Template | N/A |
| [a] publicly accessible system components are identified. | Sample Prompt | Sample Response |
| [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.6 – Network Communication by Exception
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Sample Prompt Template | N/A |
| [a] network communications traffic is denied by default. | Sample Prompt | Sample Response |
| [b] network communications traffic is allowed by exception. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.7 – Split Tunneling
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | Sample Prompt Template | N/A |
| [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.8 – Data in Transit
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Sample Prompt Template | N/A |
| [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | Sample Prompt | Sample Response |
| [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. | Sample Prompt | Sample Response |
| [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.9 – Connections Termination
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Sample Prompt Template | N/A |
| [a] a period of inactivity to terminate network connections associated with communications sessions is defined. | Sample Prompt | Sample Response |
| [b] network connections associated with communications sessions are terminated at the end of the sessions. | Sample Prompt | Sample Response |
| [c] network connections associated with communications sessions are terminated after the defined period of inactivity. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.10 – Key Management
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Establish and manage cryptographic keys for cryptography employed in organizational systems. | Sample Prompt Template | N/A |
| [a] cryptographic keys are established whenever cryptography is employed. | Sample Prompt | Sample Response |
| [b] cryptographic keys are managed whenever cryptography is employed. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.11 – CUI Encryption
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Sample Prompt Template | N/A |
| [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.12 – Collaborative Device Control
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | Sample Prompt Template | N/A |
| [a] collaborative computing devices are identified. | Sample Prompt | Sample Response |
| [b] collaborative computing devices provide indication to users of devices in use. | Sample Prompt | Sample Response |
| [c] remote activation of collaborative computing devices is prohibited. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.13 – Mobile Code
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Control and monitor the use of mobile code. | Sample Prompt Template | N/A |
| [a] use of mobile code is controlled. | Sample Prompt | Sample Response |
| [b] use of mobile code is monitored. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.14 – Voice over Internet Protocol
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Sample Prompt Template | N/A |
| [a] use of Voice over Internet Protocol (VoIP) technologies is controlled. | Sample Prompt | Sample Response |
| [b] use of Voice over Internet Protocol (VoIP) technologies is monitored. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.15 – Communications Authenticity
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Protect the authenticity of communications sessions. | Sample Prompt Template | N/A |
| [a] the authenticity of communications sessions is protected. | Sample Prompt | Sample Response |
| More Practice Details... |
SC.L2-3.13.16 – Data at Rest
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Protect the confidentiality of CUI at rest. | Sample Prompt Template | N/A |
| [a] the confidentiality of CUI at rest is protected. | Sample Prompt | Sample Response |
| More Practice Details... |
System and Information Integrity (SI)
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Identify, report, and correct information and information system flaws in a timely manner. | Sample Prompt Template | N/A |
| [a] the time within which to identify system flaws is specified. | Sample Prompt | Sample Response |
| [b] system flaws are identified within the specified time frame. | Sample Prompt | Sample Response |
| [c] the time within which to report system flaws is specified. | Sample Prompt | Sample Response |
| [d] system flaws are reported within the specified time frame. | Sample Prompt | Sample Response |
| [e] the time within which to correct system flaws is specified. | Sample Prompt | Sample Response |
| [f] system flaws are corrected within the specified time frame. | Sample Prompt | Sample Response |
| More Practice Details... |
SI.L2-3.14.2 – Malicious Code ProTection [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Provide protection from malicious code at appropriate locations within organizational information systems. | Sample Prompt Template | N/A |
| [a] designated locations for malicious code protection are identified. | Sample Prompt | Sample Response |
| [b] protection from malicious code at designated locations is provided. | Sample Prompt | Sample Response |
| More Practice Details... |
SI.L2-3.14.3 – Security Alerts & Advisories
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Monitor system security alerts and advisories and take action in response. | Sample Prompt Template | N/A |
| [a] response actions to system security alerts and advisories are identified. | Sample Prompt | Sample Response |
| [b] system security alerts and advisories are monitored. | Sample Prompt | Sample Response |
| [c] actions in response to system security alerts and advisories are taken. | Sample Prompt | Sample Response |
| More Practice Details... |
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Update malicious code protection mechanisms when new releases are available. | Sample Prompt Template | N/A |
| [a] malicious code protection mechanisms are updated when new releases are available. | Sample Prompt | Sample Response |
| More Practice Details... |
SI.L2-3.14.5 – System & File Scanning [CUI Data]
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Sample Prompt Template | N/A |
| [a] the frequency for malicious code scans is defined. | Sample Prompt | Sample Response |
| [b] malicious code scans are performed with the defined frequency. | Sample Prompt | Sample Response |
| [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. | Sample Prompt | Sample Response |
| More Practice Details... |
SI.L2-3.14.6 – Monitor Communications for Attacks
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Sample Prompt Template | N/A |
| [a] the system is monitored to detect attacks and indicators of potential attacks. | Sample Prompt | Sample Response |
| [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Sample Prompt | Sample Response |
| [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Sample Prompt | Sample Response |
| More Practice Details... |
SI.L2-3.14.7 – Identify Unauthorized Use
| Practice and Assessment Objectives | LLM Prompt | LLM Response |
|---|---|---|
| AC.L2-3.x.1 Identify unauthorized use of organizational systems. | Sample Prompt Template | N/A |
| [a] authorized use of the system is defined. | Sample Prompt | Sample Response |
| [b] unauthorized use of the system is identified. | Sample Prompt | Sample Response |
| More Practice Details... |