Level 2 Assessment Guide: Difference between revisions

Latest revision as of 16:00, 11 April 2025

Source of Reference: The official CMMC Level 2 Assessment Guide Version 2.13, September 2024 from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

NOTICES

The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or departmental policies.

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

Introduction

This document provides guidance in the preparation for and conduct of a Level 2 self-assessment or Level 2 certification assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in section 170.16 of title 32, Code of Federal Regulations (CFR) and 32 CFR § 170.17 respectively. Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in CMMC Assessment Guide – Level 1. Guidance for conducting a Level 3 certification assessment can be found in CMMC Assessment Guide – Level 3. More details on the model can be found in the CMMC Model Overview document.

An Assessment as defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18.

For Level 2 there are two types of assessments:

A self-assessment is the term for the activity performed by an entity to evaluate its own CMMC Level, as applied to Level 1 and some Level 2.
A Level 2 certification assessment is the term for the activity performed by a Certified Third-Party Assessment Organization (C3PAO)to evaluate the CMMC level of an OSC.

32 CFR § 170.16(b) describes contract or subcontract eligibility for any contract with a Level 2 self-assessment requirement, and 32 CFR § 170.17(b) describes contract or subcontract eligibility for any contract with a Level 2 certification assessment requirement. Level 2 certification assessment requires the Organization Seeking Assessment (OSA) achieve the CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO), as described in 32 § CFR 170.4, obtained through an assessment by an accredited C3PAO.

Level 2 Description

Level 2 incorporates the security requirements specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Level 2 addresses the protection of Controlled Unclassified Information (CUI), as defined in 32 CFR § 2002.4(h):

Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Level 2 certification assessments provides increased assurance to the DoD that an OSA can adequately protect CUI at a level commensurate with the adversarial risk, including protecting information flow with subcontractors in a multi-tier supply chain.

Purpose and Audience

This guide is intended for assessors, OSAs, cybersecurity professionals, and individuals and companies that support CMMC efforts. This document can be used as part of preparation for and conducting a Level 2 self-assessment or a Level 2 certification assessment. The term Level 2 assessment encompasses both Level 2 self-assessment and Level 2 certification assessment.

Document Organization

This document is organized into the following sections:

Assessment and Certification: provides an overview of the Level 2 self-assessment processes set forth in 32 CFR §170.16 as well as the Level 2 certification assessment processes set forth in 32 CFR § 170.17. It provides guidance regarding the scope requirements set forth in 32 CFR § 170.19(c).
CMMC-Custom Terms: incorporates definitions from 32 CFR § 170.4 and definitions included by reference from 32 CFR § 170.2, and provides clarification of the intent and scope of custom terms as used in the context of CMMC.
Assessment Criteria and Methodology: provides guidance on the criteria and methodology (i.e., interview, examine, and test) to be employed during a Level 2 assessment, as well as on assessment findings.
Requirement Descriptions: provides guidance specific to each Level 2 security requirement.

Assessment and Certification

Certified Assessors as described in 32 CFR § 170.11 will use the assessment methods defined in NIST SP 800-171A^[1], Assessing Security Requirements for Controlled Unclassified Information, along with the supplemental information in this guide, to conduct Level 2 certification assessments. Certified Assessors will review information and evidence to verify that an OSC meets the stated assessment objectives for all of the requirements.

An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined in accordance with 32 CFR § 170.19(c).

OSAs conducting self-assessments in accordance with 32 CFR § 170.16 are expected to evaluate their compliance with CMMC requirements using the same criteria established in NIST SP 800-171A and this assessment guide and used for third-party assessments.

Assessment Scope

The CMMC Assessment Scope must be specified prior to assessment in accordance with the requirements of 32 CFR § 170.19. The CMMC Assessment Scope is the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.

Because the scoping of a Level 2 certification assessment is not the same as the scoping of a Level 3 certification assessment, before determining the CMMC Assessment Scope it is important to first consider whether the goal is a Level 2 or Level 3 CMMC Status. If the intent is not to achieve a CMMC Status of Final Level 3 (DIBCAC) as defined in 32 CFR § 170.18, refer to the guidance provided in the CMMC Scoping Guide – Level 2 document which summarizes 32 CFR § 170.19(c). If the intent is to achieve a CMMC Status of Final Level 3 (DIBCAC), refer to the guidance provided in the CMMC Scoping Guide – Level 3 document which summarizes 32 CFR § 170.19(d). Both documents are available on the official CMMC documentation site at https://dodcio.defense.gov/CMMC/Documentation/.

CMMC-Custom Terms

The CMMC Program has custom terms that align with program requirements. Although some terms may have other definitions in open forums, it is important to understand these terms as they apply to the CMMC Program.

The specific terms as associated with Level 2 are:

Assessment: As defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in 32 CFR § 170.15 to 32 CFR § 170.18.
- Level 2 self-assessment is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 2 (Self).
- Level 2 certification assessment is the term for the activity performed by a C3PAO to evaluate the information system of an OSC when seeking a CMMC Status of Level 2 (C3PAO).
- POA&M closeout self-assessment is the term for the activity performed by an OSA to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).
- POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
Assessment Objective: As defined in 32 CFR § 170.4 means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
Asset: An item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns, as defined in NIST SP 800-160 Rev 1.
CMMC Assessment Scope: As defined in 32 CFR § 170.4 means the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.
CMMC Status: As defined in 32 CFR § 170.4 is the result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally issued on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
- Conditional Level 2 (Self) is defined in § 170.16(a)(1)(ii). The OSA has conducted a Level 2 self-assessment, submitted compliance results in the Supplier Performance Risk System (SPRS), and created a CMMC POA&M that meets all CMMC POA&M requirements listed in 32 CFR §170.16(a)(1)(ii).
- Final Level 2 (Self) is defined in § 170.16(a)(1)(iii). The OSA will achieve a CMMC Status of Final Level 2 (Self) for the information system(s) within the CMMC Assessment Scope upon implementation of all security requirements and close out of the POA&M, as applicable.
- Conditional Level 2 (C3PAO) is defined in § 170.17(a)(1)(ii). The OSC will achieve a CMMC Status of Conditional Level 2 (C3PAO) if a POA&M exists upon completion of the assessment and the POA&M meets all Level 2 POA&M requirements listed in 32 CFR § 170.21(a)(2).
- Final Level 2 (C3PAO) is defined in § 170.17(a)(1)(iii). The OSC will achieve a CMMC Status of Final Level 2 (C3PAO) for the information systems within the CMMC Assessment Scope upon implementation of all security requirements and as applicable, a POA&M closeout assessment conducted by the C3PAO within 180 days. Additional guidance can be found in 32 CFR § 170.21.
Component: A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware^[2]. A component is one type of asset.
Enduring Exception: As defined in 32 CFR § 170.4 means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be Enduring Exceptions.
Event: Any observable occurrence in a system^[3]. As described in NIST SP 800-171A^[4], the terms “information system” and “system” can be used interchangeably. Events sometimes provide indication that an incident is occurring.
Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.^[5]
Information System (IS): As defined in 32 CFR § 170.4 means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. An IS is one type of asset.
Monitoring: The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an organization-defined frequency and rate.^[6]
Operational plan of action: As used in security requirement CA.L2-3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements and documents how and when they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action is not the same as a POA&M associated with an assessment.
Organization-defined: As determined by the OSA being assessed except as defined in the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of an OSA’s solution.
Periodically: Occurring at a regular interval as determined by the OSA that may not exceed one year. As used in many requirements within CMMC, the interval length is organization-defined to provide OSA flexibility, with an interval length of no more than one year.
Security Protection Data (SPD): As defined in 32 CFR § 170.4 means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. SPD is security relevant information and includes, but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
System Security Plan (SSP): As defined in 32 CFR § 170.4 means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems, as defined in NIST SP 800-53 Rev 5.
Temporary deficiency: As defined in 32 CFR § 170.4 means a condition where remediation of a discovered deficiency is feasible and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.

Assessment Criteria and Methodology

The CMMC Assessment Guide – Level 2 leverages the assessment procedure described in NIST SP 800-171A Section 2.1^[7]:

An assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment. Each assessment objective includes a determination statement related to the requirement that is the subject of the assessment. The determination statements are linked to the content of the requirement to ensure traceability of the assessment results to the requirements. The application of an assessment procedure to a requirement produces assessment findings. These findings reflect, or are subsequently used, to help determine if the requirement has been satisfied.

Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals.

* Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.

* Mechanisms are the specific hardware, software, or firmware safeguards employed within a system.

* Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).

* Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.

The assessment methods define the nature and the extent of the assessor’s actions. The methods include examine, interview, and test.

* The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities). The purpose of the examine method is to facilitate understanding, achieve clarification, or obtain evidence.

* The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.

* And finally, the test method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.

In all three assessment methods, the results are used in making specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

Criteria

Assessment objectives are provided for each requirement and are based on existing criteria from NIST SP 800-171A. The criteria are authoritative and provide a basis for the assessment of a requirement.

Methodology

To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist demonstrating that the OSA has fulfilled the objectives of the Level 2 requirements. Because different assessment objectives can be met in different ways (e.g., through documentation, computer configuration, network configuration, or training), a variety of techniques may be used to determine if the OSA meets the Level 2 requirements, including any of the three assessment methods from NIST SP 800-171A.

The assessor will follow the guidance in NIST SP 800-171A when determining which assessment methods to use:

Organizations [Certified Assessors] are not expected to employ all assessment methods and objects contained within the assessment procedures identified in this publication. Rather, organizations [Certified Assessors] have the flexibility to determine the level of effort needed and the assurance required for an assessment (e.g., which assessment methods and assessment objects are deemed to be the most useful in obtaining the desired results). This determination is made based on how the organization [contractor] can accomplish the assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied.^[8]

The primary deliverable of an assessment is a compliance score and accompanying report that contains the findings associated with each requirement. For more detailed information on assessment methods, see Appendix D of NIST SP 800-171A, incorporated by reference per 32 CFR § 170.2.

Who Is Interviewed

Interviews of applicable staff (possibly at different organizational levels) may provide information to help an assessor determine if security requirements have been implemented, as well as if adequate resourcing, training, and planning have occurred for individuals to perform the requirements.

What Is Examined

Examination includes reviewing, inspecting, observing, studying, or analyzing assessment objects. The objects can be documents, mechanisms, or activities.

For some security requirements, review of documentation may assist assessors in determining if the assessment objectives have been met. Interviews with staff may help identify relevant documents. Documents need to be in their final forms; drafts of policies or documentation are not eligible to be used as evidence because they are not yet official and still subject to change. Common types of documents that may be used as evidence include:

policy, process, and procedure documents;
training materials;
plans and planning documents; and
system, network, and data flow diagrams.

This list of documents is not exhaustive or prescriptive. An OSA may not have these specific documents, and other documents may be reviewed. In other cases, the security requirement is best self-assessed by observing that safeguards are in place by viewing hardware, associated configuration information, or observing staff following a process.

What Is Tested

Testing is an important part of the self-assessment process. Interviews provide information about what the OSA staff believe to be true, documentation provides evidence of implementing policies and procedures, and testing demonstrates what has or has not been done. For example, OSA staff may talk about how users are identified, documentation may provide details on how users are identified, but seeing a demonstration of identifying users provides evidence that the requirement is met. The assessor will determine which requirements or objectives within a requirement need demonstration or testing. Most objectives will require testing.

Assessment Findings

The assessment of a CMMC requirement results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve a Final Level 2 (Self) or Final Level 2 (C3PAO) CMMC Status, the OSA will need a finding of MET or NOT APPLICABLE on all Level 2 security requirements.

MET: All applicable assessment objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and not draft. Unacceptable forms of evidence include working papers, drafts, and unofficial or unapproved policies. For each security requirement marked MET, it is best practice to record statements that indicate the response conforms to all objectives and document the appropriate evidence to support the response.
- Enduring Exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
- Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews, milestones, and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
NOT MET: One or more objectives for the security requirement is not satisfied. For each security requirement marked NOT MET, it is best practice to record statements that explain why and document the appropriate evidence showing that the OSA does not conform fully to all of the objectives. During Level 2 certification assessments, for each requirement objective marked NOT MET, the assessor will document why the evidence does not conform.
NOT APPLICABLE (N/A): A security requirement and/or objective does not apply at the time of the assessment. For each security requirement marked N/A, it is best practice to record a statement that explains why the requirement does not apply to the OSA. For example, Public-Access System Separation (SC.L2-3.13.5) might be N/A if there are no publicly accessible systems within the CMMC Assessment Scope. During an assessment, an assessment objective assessed as N/A is equivalent to the same assessment objective being assessed as MET.

If an OSC previously received a favorable adjudication from the DoD CIO indicating that a requirement is not applicable or that an alternative security measure is equally effective, the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. Implemented security measures adjudicated by the DoD CIO as equally effective are assessed as MET if there have been no changes in the environment.

Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT APPLICABLE in order for the overall security requirement to be scored as MET. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.

CMMC assessments are conducted and results are captured at the assessment objective level. One NOT MET assessment objective results in a failure of the entire security requirement.

A security requirement can be applicable even when assessment objectives included in the security requirement are scored as N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET.

Satisfaction of security requirements may be accomplished by other parts of the enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security requirement is considered MET if adequate evidence is provided that the enterprise or External Service Provider (ESP), implements the requirement objectives. An ESP may be external people, technology, or facilities that the OSA uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers.

Requirement Descriptions

Introduction

This section provides detailed information and guidance for assessing each Level 2 security requirement. The section is organized first by domain and then by individual security requirement. Each requirement description contains the following elements as described in 32 CFR § 170.14(c):

Requirement Number, Name, and Statement: Headed by the requirement identification number in the format, DD.L#-REQ (e.g., AC.L2-3.1.1); followed by the requirement short name identifier, meant to be used for quick reference only; and finally followed by the complete CMMC security requirement statement.
Assessment Objectives [NIST SP 800-171A]: Identifies the specific set of objectives that must be met to receive MET for the requirement as defined in NIST SP 800-171A.^[9]
Potential Assessment Methods and Objects [NIST SP 800-171A]: Describes the nature and the extent of the assessment actions as set forth in NIST SP 800-171A. The methods include examine, interview, and test. Assessment objects identify the items being assessed and can include specifications, mechanisms, activities, and individuals.^[10]
Discussion [NIST SP 800-171 Rev. 2]: Contains discussion from the associated NIST SP 800-171 security requirement.
Further Discussion:
- Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional guidance.
- Contains examples illustrating application of the requirements. These examples are intended to provide insight but are not prescriptive of how the requirement must be implemented, nor are they comprehensive of all assessment objectives necessary to achieve the requirement. The assessment objectives met within the example are referenced by letter in a bracket (e.g., [a, d] for objectives “a” and “d”) within the text.
- Examples are written from the perspective of an organization or an employee of an organization implementing solutions or researching approaches to satisfy CMMC requirements. The objective is to put the reader into the role of implementing or maintaining alternatives to satisfy security requirements. Examples are not all-inclusive or prescriptive and do not imply any personal responsibility for complying with CMMC requirements.
- Provides potential assessment considerations. These may include common considerations for assessing the requirement and potential questions that may be asked when assessing the objectives.
Key References: Lists the basic safeguarding requirement from NIST SP 800-171 Rev. 2.

Access Control (AC)

AC.L2-3.1.1 – Authorized Access Control [CUI Data]

SECURITY REQUIREMENT Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ASSESSMENT OBJECTIVES [a] authorized users are identified; [b] processes acting on behalf of authorized users are identified; [c] devices (and other systems) authorized to connect to the system are identified; [d] system access is limited to authorized users; [e] system access is limited to processes acting on behalf of authorized users; and [f] system access is limited to authorized devices (including other systems).
More Practice Details...

AC.L2-3.1.2 – Transaction & Function Control [CUI Data]

SECURITY REQUIREMENT Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
ASSESSMENT OBJECTIVES [a] the types of transactions and functions that authorized users are permitted to execute are defined; and [b] system access is limited to the defined types of transactions and functions for authorized users.
More Practice Details...

AC.L2-3.1.3 – Control CUI Flow

SECURITY REQUIREMENT Control the flow of CUI in accordance with approved authorizations.
ASSESSMENT OBJECTIVES [a] information flow control policies are defined; [b] methods and enforcement mechanisms for controlling the flow of CUI are defined; [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; [d] authorizations for controlling the flow of CUI are defined; and [e] approved authorizations for controlling the flow of CUI are enforced.
More Practice Details...

AC.L2-3.1.4 – Separation of Duties

SECURITY REQUIREMENT Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
ASSESSMENT OBJECTIVES [a] the duties of individuals requiring separation are defined; [b] responsibilities for duties that require separation are assigned to separate individuals; and [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
More Practice Details...

AC.L2-3.1.5 – Least Privilege

SECURITY REQUIREMENT Employ the principle of least privilege, including for specific security functions and privileged accounts.
ASSESSMENT OBJECTIVES [a] privileged accounts are identified; [b] access to privileged accounts is authorized in accordance with the principle of least privilege; [c] security functions are identified; and [d] access to security functions is authorized in accordance with the principle of least privilege.
More Practice Details...

AC.L2-3.1.6 – Non-Privileged Account Use

SECURITY REQUIREMENT Use non-privileged accounts or roles when accessing nonsecurity functions.
ASSESSMENT OBJECTIVES [a] nonsecurity functions are identified; and [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
More Practice Details...

AC.L2-3.1.7 – Privileged Functions

SECURITY REQUIREMENT Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
ASSESSMENT OBJECTIVES [a] privileged functions are defined; [b] non-privileged users are defined; [c] non-privileged users are prevented from executing privileged functions; and [d] the execution of privileged functions is captured in audit logs.
More Practice Details...

AC.L2-3.1.8 – Unsuccessful Logon Attempts

SECURITY REQUIREMENT Limit unsuccessful logon attempts.
ASSESSMENT OBJECTIVES [a] the means of limiting unsuccessful logon attempts is defined; and [b] the defined means of limiting unsuccessful logon attempts is implemented.
More Practice Details...

AC.L2-3.1.9 – Privacy & Security Notices

SECURITY REQUIREMENT Provide privacy and security notices consistent with applicable CUI rules.
ASSESSMENT OBJECTIVES [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and [b] privacy and security notices are displayed.
More Practice Details...

AC.L2-3.1.10 – Session Lock

SECURITY REQUIREMENT Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
ASSESSMENT OBJECTIVES [a] the period of inactivity after which the system initiates a session lock is defined; [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
More Practice Details...

AC.L2-3.1.11 – Session Termination

SECURITY REQUIREMENT Terminate (automatically) a user session after a defined condition.
ASSESSMENT OBJECTIVES [a] conditions requiring a user session to terminate are defined; and [b] a user session is automatically terminated after any of the defined conditions
More Practice Details...

AC.L2-3.1.12 – Control Remote Access

SECURITY REQUIREMENT Monitor and control remote access sessions.
ASSESSMENT OBJECTIVES [a] remote access sessions are permitted; [b] the types of permitted remote access are identified; [c] remote access sessions are controlled; and [d] remote access sessions are monitored.
More Practice Details...

AC.L2-3.1.13 – Remote Access Confidentiality

SECURITY REQUIREMENT Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
ASSESSMENT OBJECTIVES [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
More Practice Details...

AC.L2-3.1.14 – Remote Access Routing

SECURITY REQUIREMENT Route remote access via managed access control points.
ASSESSMENT OBJECTIVES [a] managed access control points are identified and implemented; and [b] remote access is routed through managed network access control points.
More Practice Details...

AC.L2-3.1.15 – Privileged Remote Access

SECURITY REQUIREMENT Authorize remote execution of privileged commands and remote access to security-relevant information.
ASSESSMENT OBJECTIVES [a] privileged commands authorized for remote execution are identified; [b] security-relevant information authorized to be accessed remotely is identified; [c] the execution of the identified privileged commands via remote access is authorized; and [d] access to the identified security-relevant information via remote access is authorized.
More Practice Details...

AC.L2-3.1.16 – Wireless Access Authorization

SECURITY REQUIREMENT Authorize wireless access prior to allowing such connections.
ASSESSMENT OBJECTIVES [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections.
More Practice Details...

AC.L2-3.1.17 – Wireless Access Protection

SECURITY REQUIREMENT Protect wireless access using authentication and encryption.
ASSESSMENT OBJECTIVES [a] wireless access to the system is protected using authentication; and [b] wireless access to the system is protected using encryption.
More Practice Details...

AC.L2-3.1.18 – Mobile Device Connection

SECURITY REQUIREMENT Control connection of mobile devices.
ASSESSMENT OBJECTIVES [a] mobile devices that process, store, or transmit CUI are identified; [b] mobile device connections are authorized; and [c] mobile device connections are monitored and logged.
More Practice Details...

AC.L2-3.1.19 – Encrypt CUI on Mobile

SECURITY REQUIREMENT Encrypt CUI on mobile devices and mobile computing platforms.
ASSESSMENT OBJECTIVES [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
More Practice Details...

AC.L2-3.1.20 – External Connections [CUI Data]

SECURITY REQUIREMENT Verify and control/limit connections to and use of external information systems.
ASSESSMENT OBJECTIVES [a] connections to external systems are identified; [b] the use of external systems is identified; [c] connections to external systems are verified; [d] the use of external systems is verified; [e] connections to external systems are controlled/limited; and [f] the use of external systems is controlled/limited.
More Practice Details...

AC.L2-3.1.21 – Portable Storage Use

SECURITY REQUIREMENT Limit use of portable storage devices on external systems.
ASSESSMENT OBJECTIVES [a] the use of portable storage devices containing CUI on external systems is identified and documented; [b] limits on the use of portable storage devices containing CUI on external systems are defined; and [c] the use of portable storage devices containing CUI on external systems is limited as defined.
More Practice Details...

AC.L2-3.1.22 – Control Public Information [CUI Data]

SECURITY REQUIREMENT Control information posted or processed on publicly accessible information systems.
ASSESSMENT OBJECTIVES [a] individuals authorized to post or process information on publicly accessible systems are identified; [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified; [c] a review process is in place prior to posting of any content to publicly accessible systems; [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI; and [e] mechanisms are in place to remove and address improper posting of CUI.
More Practice Details...

Awareness and Training (AT)

AT.L2-3.2.1 – Role-Based Risk Awareness

SECURITY REQUIREMENT Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
ASSESSMENT OBJECTIVES [a] security risks associated with organizational activities involving CUI are identified; [b] policies, standards, and procedures related to the security of the system are identified; [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
More Practice Details...

AT.L2-3.2.2 – Role-Based Training

SECURITY REQUIREMENT Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.\|-
ASSESSMENT OBJECTIVES [a] information security-related duties, roles, and responsibilities are defined; [b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
More Practice Details...

AT.L2-3.2.3 – Insider Threat Awareness

SECURITY REQUIREMENT Provide security awareness training on recognizing and reporting potential indicators of insider threat.
ASSESSMENT OBJECTIVES [a] potential indicators associated with insider threats are identified; and [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
More Practice Details...

Audit and Accountability (AU)

AU.L2-3.3.1 – System Auditing

SECURITY REQUIREMENT Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
ASSESSMENT OBJECTIVES [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified; [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined; [c] audit records are created (generated); [d] audit records, once created, contain the defined content; [e] retention requirements for audit records are defined; and [f] audit records are retained as defined.
More Practice Details...

AU.L2-3.3.2 – User Accountability

SECURITY REQUIREMENT Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
ASSESSMENT OBJECTIVES [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and [b] audit records, once created, contain the defined content.
More Practice Details...

AU.L2-3.3.3 – Event Review

SECURITY REQUIREMENT Review and update logged events.
ASSESSMENT OBJECTIVES [a] a process for determining when to review logged events is defined; [b] event types being logged are reviewed in accordance with the defined review process; and [c] event types being logged are updated based on the review.
More Practice Details...

AU.L2-3.3.4 – Audit Failure Alerting

SECURITY REQUIREMENT Alert in the event of an audit logging process failure.
ASSESSMENT OBJECTIVES [a] personnel or roles to be alerted in the event of an audit logging process failure are identified; [b] types of audit logging process failures for which alert will be generated are defined; and [c] identified personnel or roles are alerted in the event of an audit logging process failure.
More Practice Details...

AU.L2-3.3.5 – Audit Correlation

SECURITY REQUIREMENT Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
ASSESSMENT OBJECTIVES [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and [b] defined audit record review, analysis, and reporting processes are correlated.
More Practice Details...

AU.L2-3.3.6 – Reduction & Reporting

SECURITY REQUIREMENT Provide audit record reduction and report generation to support on-demand analysis and reporting.
ASSESSMENT OBJECTIVES [a] an audit record reduction capability that supports on-demand analysis is provided; and [b] a report generation capability that supports on-demand reporting is provided.
More Practice Details...

AU.L2-3.3.7 – Authoritative Time Source

SECURITY REQUIREMENT Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
ASSESSMENT OBJECTIVES [a] internal system clocks are used to generate time stamps for audit records; [b] an authoritative source with which to compare and synchronize internal system clocks is specified; and [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
More Practice Details...

AU.L2-3.3.8 – Audit Protection

SECURITY REQUIREMENT Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
ASSESSMENT OBJECTIVES [a] audit information is protected from unauthorized access; [b] audit information is protected from unauthorized modification; [c] audit information is protected from unauthorized deletion; [d] audit logging tools are protected from unauthorized access; [e] audit logging tools are protected from unauthorized modification; and [f] audit logging tools are protected from unauthorized deletion.
More Practice Details...

AU.L2-3.3.9 – Audit Management

SECURITY REQUIREMENT Limit management of audit logging functionality to a subset of privileged users.
ASSESSMENT OBJECTIVES [a] a subset of privileged users granted access to manage audit logging functionality is defined; and [b] management of audit logging functionality is limited to the defined subset of privileged users.
More Practice Details...

Configuration Management (CM)

CM.L2-3.4.1 – System Baselining

SECURITY REQUIREMENT Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
ASSESSMENT OBJECTIVES [a] a baseline configuration is established; [b] the baseline configuration includes hardware, software, firmware, and documentation; [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle; [d] a system inventory is established; [e] the system inventory includes hardware, software, firmware, and documentation; and [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
More Practice Details...

CM.L2-3.4.2 – Security Configuration Enforcement

SECURITY REQUIREMENT Establish and enforce security configuration settings for information technology products employed in organizational systems.
ASSESSMENT OBJECTIVES [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and [b] security configuration settings for information technology products employed in the system are enforced.
More Practice Details...

CM.L2-3.4.3 – System Change Management

SECURITY REQUIREMENT Track, review, approve or disapprove, and log changes to organizational systems.
ASSESSMENT OBJECTIVES [a] changes to the system are tracked; [b] changes to the system are reviewed; [c] changes to the system are approved or disapproved; and [d] changes to the system are logged.
More Practice Details...

CM.L2-3.4.4 – Security Impact Analysis

SECURITY REQUIREMENT Analyze the security impact of changes prior to implementation.
ASSESSMENT OBJECTIVES [a] the security impact of changes to the system is analyzed prior to implementation.
More Practice Details...

CM.L2-3.4.5 – Access Restrictions for Change

SECURITY REQUIREMENT Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
ASSESSMENT OBJECTIVES [a] physical access restrictions associated with changes to the system are defined; [b] physical access restrictions associated with changes to the system are documented; [c] physical access restrictions associated with changes to the system are approved; [d] physical access restrictions associated with changes to the system are enforced; [e] logical access restrictions associated with changes to the system are defined; [f] logical access restrictions associated with changes to the system are documented; [g] logical access restrictions associated with changes to the system are approved; and [h] logical access restrictions associated with changes to the system are enforced.
More Practice Details...

CM.L2-3.4.6 – Least Functionality

SECURITY REQUIREMENT Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
ASSESSMENT OBJECTIVES [a] essential system capabilities are defined based on the principle of least functionality; and [b] the system is configured to provide only the defined essential capabilities.
More Practice Details...

CM.L2-3.4.7 – Nonessential Functionality

SECURITY REQUIREMENT Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
ASSESSMENT OBJECTIVES [a] essential programs are defined; [b] the use of nonessential programs is defined; [c] the use of nonessential programs is restricted, disabled, or prevented as defined; [d] essential functions are defined; [e] the use of nonessential functions is defined; [f] the use of nonessential functions is restricted, disabled, or prevented as defined; [g] essential ports are defined; [h] the use of nonessential ports is defined; [i] the use of nonessential ports is restricted, disabled, or prevented as defined; [j] essential protocols are defined; [k] the use of nonessential protocols is defined; [l] the use of nonessential protocols is restricted, disabled, or prevented as defined; [m] essential services are defined; [n] the use of nonessential services is defined; and [o] the use of nonessential services is restricted, disabled, or prevented as defined.
More Practice Details...

CM.L2-3.4.8 – Application Execution Policy

SECURITY REQUIREMENT Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
ASSESSMENT OBJECTIVES [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified; [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
More Practice Details...

CM.L2-3.4.9 – User-Installed Software

SECURITY REQUIREMENT Control and monitor user-installed software.
ASSESSMENT OBJECTIVES [a] a policy for controlling the installation of software by users is established; [b] installation of software by users is controlled based on the established policy; and [c] installation of software by users is monitored.
More Practice Details...

Identification and Authentication (IA)

IA.L2-3.5.1 – Identification [CUI Data]

SECURITY REQUIREMENT Identify information system users, processes acting on behalf of users, or devices.
ASSESSMENT OBJECTIVES [a] system users are identified; [b] processes acting on behalf of users are identified; and [c] devices accessing the system are identified.
More Practice Details...

IA.L2-3.5.2 – Authentication [CUI Data]

SECURITY REQUIREMENT Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
ASSESSMENT OBJECTIVES [a] the identity of each user is authenticated or verified as a prerequisite to system access; [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
More Practice Details...

IA.L2-3.5.3 – Multifactor Authentication

SECURITY REQUIREMENT Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
ASSESSMENT OBJECTIVES [a] privileged accounts are identified; [b] multifactor authentication is implemented for local access to privileged accounts; [c] multifactor authentication is implemented for network access to privileged accounts; and [d] multifactor authentication is implemented for network access to non-privileged accounts.
More Practice Details...

IA.L2-3.5.4 – Replay-Resistant Authentication

SECURITY REQUIREMENT Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
ASSESSMENT OBJECTIVES [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
More Practice Details...

IA.L2-3.5.5 – Identifier Reuse

SECURITY REQUIREMENT Prevent reuse of identifiers for a defined period.
ASSESSMENT OBJECTIVES [a] a period within which identifiers cannot be reused is defined; and [b] reuse of identifiers is prevented within the defined period.
More Practice Details...

IA.L2-3.5.6 – Identifier Handling

SECURITY REQUIREMENT Disable identifiers after a defined period of inactivity.
ASSESSMENT OBJECTIVES [a] a period of inactivity after which an identifier is disabled is defined; and [b] identifiers are disabled after the defined period of inactivity.
More Practice Details...

IA.L2-3.5.7 – Password Complexity

SECURITY REQUIREMENT Enforce a minimum password complexity and change of characters when new passwords are created.
ASSESSMENT OBJECTIVES [a] password complexity requirements are defined; [b] password change of character requirements are defined; [c] minimum password complexity requirements as defined are enforced when new passwords are created; and [d] minimum password change of character requirements as defined are enforced when new passwords are created.
More Practice Details...

IA.L2-3.5.8 – Password Reuse

SECURITY REQUIREMENT Prohibit password reuse for a specified number of generations.
ASSESSMENT OBJECTIVES [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
More Practice Details...

IA.L2-3.5.9 – Temporary Passwords

SECURITY REQUIREMENT Allow temporary password use for system logons with an immediate change to a permanent password.
ASSESSMENT OBJECTIVES [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
More Practice Details...

IA.L2-3.5.10 – Cryptographically-Protected Passwords

SECURITY REQUIREMENT Store and transmit only cryptographically-protected passwords.
ASSESSMENT OBJECTIVES [a] passwords are cryptographically protected in storage; and [b] passwords are cryptographically protected in transit.
More Practice Details...

IA.L2-3.5.11 – Obscure Feedback

SECURITY REQUIREMENT Obscure feedback of authentication information.
ASSESSMENT OBJECTIVES [a] authentication information is obscured during the authentication process.
More Practice Details...

Incident Response (IR)

IR.L2-3.6.1 – Incident Handling

SECURITY REQUIREMENT Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
ASSESSMENT OBJECTIVES [a] an operational incident-handling capability is established; [b] the operational incident-handling capability includes preparation; [c] the operational incident-handling capability includes detection; [d] the operational incident-handling capability includes analysis; [e] the operational incident-handling capability includes containment; [f] the operational incident-handling capability includes recovery; and [g] the operational incident-handling capability includes user response
More Practice Details...

IR.L2-3.6.2 – Incident Reporting

SECURITY REQUIREMENT Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
ASSESSMENT OBJECTIVES [a] incidents are tracked; [b] incidents are documented; [c] authorities to whom incidents are to be reported are identified; [d] organizational officials to whom incidents are to be reported are identified; [e] identified authorities are notified of incidents; and [f] identified organizational officials are notified of incidents.
More Practice Details...

IR.L2-3.6.3 – Incident Response Testing

SECURITY REQUIREMENT Test the organizational incident response capability.
ASSESSMENT OBJECTIVES [a] the incident response capability is tested.
More Practice Details...

Maintenance (MA)

MA.L2-3.7.1 – Perform Maintenance

SECURITY REQUIREMENT Perform maintenance on organizational systems.
ASSESSMENT OBJECTIVES [a] system maintenance is performed.
More Practice Details...

MA.L2-3.7.2 – System Maintenance Control

SECURITY REQUIREMENT Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
ASSESSMENT OBJECTIVES [a] tools used to conduct system maintenance are controlled; [b] techniques used to conduct system maintenance are controlled; [c] mechanisms used to conduct system maintenance are controlled; and [d] personnel used to conduct system maintenance are controlled.
More Practice Details...

MA.L2-3.7.3 – Equipment Sanitization

SECURITY REQUIREMENT Ensure equipment removed for off-site maintenance is sanitized of any CUI.
ASSESSMENT OBJECTIVES [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
More Practice Details...

MA.L2-3.7.4 – Media Inspection

SECURITY REQUIREMENT Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
ASSESSMENT OBJECTIVES [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
More Practice Details...

MA.L2-3.7.5 – Nonlocal Maintenance

SECURITY REQUIREMENT Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
ASSESSMENT OBJECTIVES [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
More Practice Details...

MA.L2-3.7.6 – Maintenance Personnel

SECURITY REQUIREMENT Supervise the maintenance activities of maintenance personnel without required access authorization.
ASSESSMENT OBJECTIVES [a] maintenance personnel without required access authorization are supervised during maintenance activities.
More Practice Details...

Media Protection (MP)

MP.L2-3.8.1 – Media Protection

SECURITY REQUIREMENT Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
ASSESSMENT OBJECTIVES [a] paper media containing CUI is physically controlled; [b] digital media containing CUI is physically controlled; [c] paper media containing CUI is securely stored; and [d] digital media containing CUI is securely stored.
More Practice Details...

MP.L2-3.8.2 – Media Access

SECURITY REQUIREMENT Limit access to CUI on system media to authorized users.
ASSESSMENT OBJECTIVES [a] access to CUI on system media is limited to authorized users.
More Practice Details...

MP.L2-3.8.3 – Media Disposal [CUI Data]

SECURITY REQUIREMENT Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
ASSESSMENT OBJECTIVES [a] system media containing CUI is sanitized or destroyed before disposal; and [b] system media containing CUI is sanitized before it is released for reuse.
More Practice Details...

MP.L2-3.8.4 – Media Markings

SECURITY REQUIREMENT Mark media with necessary CUI markings and distribution limitations.
ASSESSMENT OBJECTIVES [a] media containing CUI is marked with applicable CUI markings; and [b] media containing CUI is marked with distribution limitations.
More Practice Details...

MP.L2-3.8.5 – Media Accountability

SECURITY REQUIREMENT Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
ASSESSMENT OBJECTIVES [a] access to media containing CUI is controlled; and [b] accountability for media containing CUI is maintained during transport outside of controlled areas.
More Practice Details...

MP.L2-3.8.6 – Portable Storage Encryption

SECURITY REQUIREMENT Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
More Practice Details...

MP.L2-3.8.7 – Removable Media

SECURITY REQUIREMENT Control the use of removable media on system components.
ASSESSMENT OBJECTIVES [a] the use of removable media on system components is controlled.
More Practice Details...

MP.L2-3.8.8 – Shared Media

SECURITY REQUIREMENT Prohibit the use of portable storage devices when such devices have no identifiable owner.
ASSESSMENT OBJECTIVES [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
More Practice Details...

MP.L2-3.8.9 – Protect Backups

SECURITY REQUIREMENT Protect the confidentiality of backup CUI at storage locations.
ASSESSMENT OBJECTIVES [a] the confidentiality of backup CUI is protected at storage locations.
More Practice Details...

Personnel Security (PS)

PS.L2-3.9.1 – Screen Individuals

SECURITY REQUIREMENT Screen individuals prior to authorizing access to organizational systems containing CUI.
ASSESSMENT OBJECTIVES [a] individuals are screened prior to authorizing access to organizational systems containing CUI.
More Practice Details...

PS.L2-3.9.2 – Personnel Actions

SECURITY REQUIREMENT Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
ASSESSMENT OBJECTIVES [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established; [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and [c] the system is protected during and after personnel transfer actions.
More Practice Details...

Physical Protection (PE)

PE.L2-3.10.1 – Limit Physical Access [CUI Data]

SECURITY REQUIREMENT Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
ASSESSMENT OBJECTIVES [a] authorized individuals allowed physical access are identified; [b] physical access to organizational systems is limited to authorized individuals; [c] physical access to equipment is limited to authorized individuals; and [d] physical access to operating environments is limited to authorized.
More Practice Details...

PE.L2-3.10.2 – Monitor Facility

SECURITY REQUIREMENT Protect and monitor the physical facility and support infrastructure for organizational systems.
ASSESSMENT OBJECTIVES [a] the physical facility where organizational systems reside is protected; [b] the support infrastructure for organizational systems is protected; [c] the physical facility where organizational systems reside is monitored; and [d] the support infrastructure for organizational systems is monitored.
More Practice Details...

PE.L2-3.10.3 – Escort Visitors [CUI Data]

SECURITY REQUIREMENT Escort visitors and monitor visitor activity.
ASSESSMENT OBJECTIVES [a] visitors are escorted; and [b] visitor activity is monitored.
More Practice Details...

PE.L2-3.10.4 – Physical Access Logs [CUI Data]

SECURITY REQUIREMENT Maintain audit logs of physical access.
ASSESSMENT OBJECTIVES [a] audit logs of physical access are maintained.
More Practice Details...

PE.L2-3.10.5 – Manage Physical Access [CUI Data]

SECURITY REQUIREMENT Control and manage physical access devices.
ASSESSMENT OBJECTIVES [a] physical access devices are identified; [b] physical access devices are controlled; and [c] physical access devices are managed.
More Practice Details...

PE.L2-3.10.6 – Alternative Work Sites

SECURITY REQUIREMENT Enforce safeguarding measures for CUI at alternate work sites.
ASSESSMENT OBJECTIVES [a] safeguarding measures for CUI are defined for alternate work sites; and [b] safeguarding measures for CUI are enforced for alternate work sites.
More Practice Details...

Risk Assessment (RA)

RA.L2-3.11.1 – Risk Assessments

SECURITY REQUIREMENT Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
ASSESSMENT OBJECTIVES [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
More Practice Details...

RA.L2-3.11.2 – Vulnerability Scan

SECURITY REQUIREMENT Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
ASSESSMENT OBJECTIVES [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined; [b] vulnerability scans are performed on organizational systems with the defined frequency; [c] vulnerability scans are performed on applications with the defined frequency; [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and [e] vulnerability scans are performed on applications when new vulnerabilities are identified.
More Practice Details...

RA.L2-3.11.3 – Vulnerability Remediation

SECURITY REQUIREMENT Remediate vulnerabilities in accordance with risk assessments.
ASSESSMENT OBJECTIVES [a] vulnerabilities are identified; and [b] vulnerabilities are remediated in accordance with risk assessments.
More Practice Details...

Security Assessment (CA)

CA.L2-3.12.1 – Security Control Assessment

SECURITY REQUIREMENT Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
ASSESSMENT OBJECTIVES [a] the frequency of security control assessments is defined; and [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
More Practice Details...

CA.L2-3.12.2 – Operational Plan of Action

SECURITY REQUIREMENT Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
ASSESSMENT OBJECTIVES [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified; [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
More Practice Details...

CA.L2-3.12.3 – Security Control Monitoring

SECURITY REQUIREMENT Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
ASSESSMENT OBJECTIVES [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
More Practice Details...

CA.L2-3.12.4 – System Security Plan =

SECURITY REQUIREMENT Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
ASSESSMENT OBJECTIVES [a] a system security plan is developed; [b] the system boundary is described and documented in the system security plan; [c] the system environment of operation is described and documented in the system security plan; [d] the security requirements identified and approved by the designated authority as non-applicable are identified; [e] the method of security requirement implementation is described and documented in the system security plan; [f] the relationship with or connection to other systems is described and documented in the system security plan; [g] the frequency to update the system security plan is defined; and [h] system security plan is updated with the defined frequency.
More Practice Details...

System and Communications Protection (SC)

SC.L2-3.13.1 – Boundary Protection [CUI Data]

SECURITY REQUIREMENT Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
ASSESSMENT OBJECTIVES [a] the external system boundary is defined; [b] key internal system boundaries are defined; [c] communications are monitored at the external system boundary; [d] communications are monitored at key internal boundaries; [e] communications are controlled at the external system boundary; [f] communications are controlled at key internal boundaries; [g] communications are protected at the external system boundary; and [h] communications are protected at key internal boundaries.
More Practice Details...

SC.L2-3.13.2 – Security Engineering

SECURITY REQUIREMENT Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
ASSESSMENT OBJECTIVES [a] architectural designs that promote effective information security are identified; [b] software development techniques that promote effective information security are identified; [c] systems engineering principles that promote effective information security are identified; [d] identified architectural designs that promote effective information security are employed; [e] identified software development techniques that promote effective information security are employed; and [f] identified systems engineering principles that promote effective information security are employed.
More Practice Details...

SC.L2-3.13.3 – Role Separation

SECURITY REQUIREMENT Separate user functionality from system management functionality.
ASSESSMENT OBJECTIVES [a] user functionality is identified; [b] system management functionality is identified; and [c] user functionality is separated from system management functionality.
More Practice Details...

SC.L2-3.13.4 – Shared Resource Control

SECURITY REQUIREMENT Prevent unauthorized and unintended information transfer via shared system resources.
ASSESSMENT OBJECTIVES [a] unauthorized and unintended information transfer via shared system resources is prevented.
More Practice Details...

SC.L2-3.13.5 – Public-Access System Separation [CUI Data]

SECURITY REQUIREMENT Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
ASSESSMENT OBJECTIVES [a] publicly accessible system components are identified; and [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
More Practice Details...

SC.L2-3.13.6 – Network Communication by Exception

SECURITY REQUIREMENT Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
ASSESSMENT OBJECTIVES [a] network communications traffic is denied by default; and [b] network communications traffic is allowed by exception.
More Practice Details...

SC.L2-3.13.7 – Split Tunneling

SECURITY REQUIREMENT Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
ASSESSMENT OBJECTIVES [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
More Practice Details...

SC.L2-3.13.8 – Data in Transit

SECURITY REQUIREMENT Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified; [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
More Practice Details...

SC.L2-3.13.9 – Connections Termination

SECURITY REQUIREMENT Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
ASSESSMENT OBJECTIVES [a] a period of inactivity to terminate network connections associated with communications sessions is defined; [b] network connections associated with communications sessions are terminated at the end of the sessions; and [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
More Practice Details...

SC.L2-3.13.10 – Key Management

SECURITY REQUIREMENT Establish and manage cryptographic keys for cryptography employed in organizational systems.
ASSESSMENT OBJECTIVES [a] cryptographic keys are established whenever cryptography is employed; and [b] cryptographic keys are managed whenever cryptography is employed.
More Practice Details...

SC.L2-3.13.11 – CUI Encryption

SECURITY REQUIREMENT Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
ASSESSMENT OBJECTIVES [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
More Practice Details...

SC.L2-3.13.12 – Collaborative Device Control

SECURITY REQUIREMENT Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
ASSESSMENT OBJECTIVES [a] collaborative computing devices are identified; [b] collaborative computing devices provide indication to users of devices in use; and [c] remote activation of collaborative computing devices is prohibited.
More Practice Details...

SC.L2-3.13.13 – Mobile Code

SECURITY REQUIREMENT Control and monitor the use of mobile code.
ASSESSMENT OBJECTIVES [a] use of mobile code is controlled; and [b] use of mobile code is monitored.
More Practice Details...

SC.L2-3.13.14 – Voice over Internet Protocol

SECURITY REQUIREMENT Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
ASSESSMENT OBJECTIVES [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
More Practice Details...

SC.L2-3.13.15 – Communications Authenticity

SECURITY REQUIREMENT Protect the authenticity of communications sessions.
ASSESSMENT OBJECTIVES [a] the authenticity of communications sessions is protected.
More Practice Details...

SC.L2-3.13.16 – Data at Rest

SECURITY REQUIREMENT Protect the confidentiality of CUI at rest.
ASSESSMENT OBJECTIVES [a] the confidentiality of CUI at rest is protected.
More Practice Details...

System and Information Integrity (SI)

SI.L2-3.14.1 – Flaw Remediation [CUI Data]

SECURITY REQUIREMENT Identify, report, and correct information and information system flaws in a timely manner.
ASSESSMENT OBJECTIVES [a] the time within which to identify system flaws is specified; [b] system flaws are identified within the specified time frame; [c] the time within which to report system flaws is specified; [d] system flaws are reported within the specified time frame; [e] the time within which to correct system flaws is specified; and [f] system flaws are corrected within the specified time frame.
More Practice Details...

SI.L2-3.14.2 – Malicious Code ProTection [CUI Data]

SECURITY REQUIREMENT Provide protection from malicious code at appropriate locations within organizational information systems.
ASSESSMENT OBJECTIVES [a] designated locations for malicious code protection are identified; and [b] protection from malicious code at designated locations is provided.
More Practice Details...

SI.L2-3.14.3 – Security Alerts & Advisories

SECURITY REQUIREMENT Monitor system security alerts and advisories and take action in response.
ASSESSMENT OBJECTIVES [a] response actions to system security alerts and advisories are identified; [b] system security alerts and advisories are monitored; and [c] actions in response to system security alerts and advisories are taken.
More Practice Details...

SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]

SECURITY REQUIREMENT Update malicious code protection mechanisms when new releases are available.
ASSESSMENT OBJECTIVES [a] malicious code protection mechanisms are updated when new releases are available.
More Practice Details...

SI.L2-3.14.5 – System & File Scanning [CUI Data]

SECURITY REQUIREMENT Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
ASSESSMENT OBJECTIVES [a] the frequency for malicious code scans is defined; [b] malicious code scans are performed with the defined frequency; and [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
More Practice Details...

SI.L2-3.14.6 – Monitor Communications for Attacks

SECURITY REQUIREMENT Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
ASSESSMENT OBJECTIVES [a] the system is monitored to detect attacks and indicators of potential attacks; [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
More Practice Details...

SI.L2-3.14.7 – Identify Unauthorized Use

SECURITY REQUIREMENT Identify unauthorized use of organizational systems.
ASSESSMENT OBJECTIVES [a] authorized use of the system is defined; and [b] unauthorized use of the system is identified.
More Practice Details...

Appendix A – Acronyms and Abbreviations

AC	Access Control
CD-ROM	Compact Disk Read-Only Memory
CFR	Code of Federal Regulations
CMMC	Cybersecurity Maturity Model Certification
CUI	Controlled Unclassified Information
CVE	Common Vulnerabilities and Exposures
CWE	Common Weakness Enumeration
DFARS	Defense Federal Acquisition Regulation Supplement
DMZ	Demilitarized Zone
DoD	Department of Defense
ESP	External Service Provider
FAR	Federal Acquisition Regulation
FCI	Federal Contract Information
IT	Information Technology
NIST	National Institute of Standards and Technology
OSA	Organization Seeking Assessment
PIV	Personal Identity Verification
SC	System and Communications Protection
SI	System and Information Integrity
SP	Special Publication
SPRS	Supplier Performance Risk System
USB	Universal Serial Bus
UUENCODE	Unix-to-Unix Encode
VLAN	Virtual Local Area Network

↑ NIST SP 800-171A, June 2018
↑ NIST SP 800-171 Rev 2, p 59 under system component
↑ NIST SP 800-53 Rev. 5, p. 402
↑ NIST SP 800-171A, p. v
↑ NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)
↑ NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55
↑ NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018, pp. 4-5
↑ NIST SP 800-171A, p. 5.
↑ NIST SP 800-171A, p. 4.
↑ NIST SP 800-171A, pp. 4-5.

[1] NIST SP 800-171A, June 2018

[2] NIST SP 800-171 Rev 2, p 59 under system component

[3] NIST SP 800-53 Rev. 5, p. 402

[4] NIST SP 800-171A, p. v

[5] NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)

[6] NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55

[7] NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018, pp. 4-5

[8] NIST SP 800-171A, p. 5.

[9] NIST SP 800-171A, p. 4.

[10] NIST SP 800-171A, pp. 4-5.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

@@ Line 9: / Line 9: @@
 == Introduction ==
-This document provides guidance in the preparation for and conduct  of a Level  2  self-assessment or Level 2 certification  assessment  under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in  section  170.16  of title  32,  Code of Federal Regulations (CFR) and 32 CFR § 170.17 respectively. Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in ''CMMC Assessment Guide – Level 1''. Guidance for conducting a Level 3 certification assessment can be found in ''CMMC'' ''Assessment Guide – Level 3''. More details on the model can be found in the ''CMMC Model Overview'' document.
+This document provides guidance in the preparation for and conduct of a Level 2 self-assessment or Level 2 certification assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in section 170.16 of title 32, Code of Federal Regulations (CFR) and 32 CFR § 170.17 respectively. Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in ''CMMC Assessment Guide – Level 1''. Guidance for conducting a Level 3 certification assessment can be found in ''CMMC'' ''Assessment Guide – Level 3''. More details on the model can be found in the ''CMMC Model Overview'' document.
-An  ''Assessment''  as defined in 32 CFR  § 170.4  means  ''the testing or evaluation of security ''
+An ''Assessment'' as defined in 32 CFR § 170.4 means ''the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18''.
-''controls to determine the extent to which the controls are implemented correctly, operating as ''
+For Level 2 there are two types of assessments:
+* A ''self-assessment'' is the term for the activity performed by an entity to evaluate its own CMMC Level, as applied to Level 1 and some Level 2.
+* A ''Level 2 certification assessment'' is the term for the activity performed by a Certified Third-Party Assessment Organization (C3PAO)to evaluate the CMMC level of an OSC.
-''intended, and producing the desired outcome with respect to meeting the security requirements ''
+CFR § 170.16(b) describes contract or subcontract eligibility for any contract with a Level 2 self-assessment requirement, and 32 CFR § 170.17(b) describes contract or subcontract eligibility for any contract with a Level 2 certification assessment requirement. Level 2 certification assessment requires the Organization Seeking Assessment (OSA) achieve the CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO), as described in 32 § CFR 170.4, obtained through an assessment by an accredited C3PAO.
-''for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18''.
+=== Level 2 Description ===
+Level 2 incorporates the security requirements specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''.
-For Level 2 there are two types of assessments:
+Level 2 addresses the protection of Controlled Unclassified Information (CUI), as defined in 32 CFR § 2002.4(h):
-•
+: ''Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.''
-  A s''elf-assessment'' is the term for the activity performed by an entity to evaluate its own
+Level 2 certification assessments provides increased assurance to the DoD that an OSA can adequately protect CUI at a level commensurate with the adversarial risk, including protecting information flow with subcontractors in a multi-tier supply chain.
-CMMC Level, as applied to Level 1 and some Level 2.
+=== Purpose and Audience ===
+This guide is intended for assessors, OSAs, cybersecurity professionals, and individuals and companies that support CMMC efforts. This document can be used as part of preparation for and conducting a Level 2 self-assessment or a Level 2 certification assessment. The term Level 2 assessment encompasses both Level 2 self-assessment and Level 2 certification assessment.
-•
+=== Document Organization ===
+This document is organized into the following sections:
+* '''Assessment and Certification:''' provides an overview of the Level 2 self-assessment processes set forth in 32 CFR §170.16 as well as the Level 2 certification assessment processes set forth in 32 CFR § 170.17. It provides guidance regarding the scope requirements set forth in 32 CFR § 170.19(c).
+* '''CMMC-Custom Terms:''' incorporates definitions from 32 CFR § 170.4 and definitions included by reference from 32 CFR § 170.2, and provides clarification of the intent and scope of custom terms as used in the context of CMMC.
+* '''Assessment Criteria and Methodology:''' provides guidance on the criteria and methodology (i.e., ''interview'', ''examine'', and ''test'') to be employed during a Level 2 assessment, as well as on assessment findings.
+* '''Requirement Descriptions:''' provides guidance specific to each Level 2 security requirement.
-  A ''Level 2 certification assessment ''is the term for the activity performed by a Certified
+== Assessment and Certification ==
+Certified Assessors as described in 32 CFR § 170.11 will use the assessment methods defined in NIST SP 800-171A<ref>NIST SP 800-171A, June 2018</ref>, ''Assessing Security Requirements for Controlled Unclassified Information'', along with the supplemental information in this guide, to conduct Level 2 certification assessments. Certified Assessors will review information and evidence to verify that an OSC meets the stated assessment objectives for all of the requirements.
-Third-Party Assessment Organization (C3PAO)to evaluate the CMMC level of an OSC.
+An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for a specific enclave(s), depending upon how the CMMC Assessment Scope is defined in accordance with 32 CFR § 170.19(c).
-CFR § 170.16(b) describes contract or subcontract eligibility for any contract with a Level
+OSAs conducting self-assessments in accordance with 32 CFR § 170.16 are expected to evaluate their compliance with CMMC requirements using the same criteria established in NIST SP 800-171A and this assessment guide and used for third-party assessments.
-self-assessment requirement, and 32 CFR § 170.17(b) describes contract or subcontract
+=== Assessment Scope ===
+The CMMC Assessment Scope must be specified prior to assessment in accordance with the requirements of 32 CFR § 170.19. The CMMC Assessment Scope is the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.
-eligibility for any contract with a Level 2 certification  assessment  requirement. Level 2
+Because the scoping of a Level 2 certification assessment is not the same as the scoping of a Level 3 certification assessment, before determining the CMMC Assessment Scope it is important to first consider whether the goal is a Level 2 or Level 3 CMMC Status. If the intent is not to achieve a CMMC Status of Final Level 3 (DIBCAC) as defined in 32 CFR § 170.18, refer to the guidance provided in the ''CMMC Scoping Guide – Level 2'' document which summarizes 32 CFR § 170.19(c). If the intent is to achieve a CMMC Status of Final Level 3 (DIBCAC), refer to the guidance provided in the ''CMMC Scoping Guide – Level 3'' document which summarizes 32 CFR § 170.19(d). Both documents are available on the official CMMC documentation site at https://dodcio.defense.gov/CMMC/Documentation/.
-certification assessment requires the Organization Seeking Assessment (OSA) achieve the
+== CMMC-Custom Terms ==
+The CMMC Program has custom terms that align with program requirements. Although some terms may have other definitions in open forums, it is important to understand these terms as they apply to the CMMC Program.
-CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO), as described
+The specific terms as associated with Level 2 are:
+* '''Assessment:''' As defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in 32 CFR § 170.15 to 32 CFR § 170.18.
+** ''Level 2 self-assessment'' is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 2 (Self).
+** ''Level 2 certification assessment'' is the term for the activity performed by a C3PAO to evaluate the information system of an OSC when seeking a CMMC Status of Level 2 (C3PAO).
+** ''POA&M closeout self-assessment'' is the term for the activity performed by an OSA to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).
+** ''POA&M closeout certification assessment'' is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
+* '''Assessment Objective:''' As defined in 32 CFR § 170.4 means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
+* '''Asset:''' An item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns, as defined in NIST SP 800-160 Rev 1.
+* '''CMMC Assessment Scope:''' As defined in 32 CFR § 170.4 means the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.
+* '''CMMC Status:''' As defined in 32 CFR § 170.4 is the result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally issued on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
+** ''Conditional Level 2 (Self)'' is defined in § 170.16(a)(1)(ii). The OSA has conducted a Level 2 self-assessment, submitted compliance results in the Supplier Performance Risk System (SPRS), and created a CMMC POA&amp;M that meets all CMMC POA&amp;M requirements listed in 32 CFR §170.16(a)(1)(ii).
+** ''Final Level 2 (Self)'' is defined in § 170.16(a)(1)(iii). The OSA will achieve a CMMC Status of Final Level 2 (Self) for the information system(s) within the CMMC Assessment Scope upon implementation of all security requirements and close out of the POA&M, as applicable.
+** ''Conditional Level 2 (C3PAO)'' is defined in § 170.17(a)(1)(ii). The OSC will achieve a CMMC Status of Conditional Level 2 (C3PAO) if a POA&M exists upon completion of the assessment and the POA&M meets all Level 2 POA&M requirements listed in 32 CFR § 170.21(a)(2).
+** ''Final Level 2 (C3PAO)'' is defined in § 170.17(a)(1)(iii). The OSC will achieve a CMMC Status of Final Level 2 (C3PAO) for the information systems within the CMMC Assessment Scope upon implementation of all security requirements and as applicable, a POA&M closeout assessment conducted by the C3PAO within 180 days. Additional guidance can be found in 32 CFR § 170.21.
+* '''Component:''' A discrete identifiable information technology ''asset'' that represents a building block of a system and may include hardware, software, and firmware<ref>NIST SP 800-171 Rev 2, p 59 under system component</ref>. A ''component'' is one type of ''asset''.
+* '''Enduring Exception:''' As defined in 32 CFR § 170.4 means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be Enduring Exceptions.
+* '''Event:''' Any observable occurrence in a system<ref>NIST SP 800-53 Rev. 5, p. 402</ref>. As described in NIST SP 800-171A<ref>NIST SP 800-171A, p. v</ref>, the terms “information system” and “system” can be used interchangeably. ''Events'' sometimes provide indication that an ''incident'' is occurring.
+* '''Incident:''' An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.<ref>NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)</ref>
+* '''Information System (IS):''' As defined in 32 CFR § 170.4 means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. An ''IS'' is one type of ''asset''.
+* '''Monitoring:''' The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an ''organization-defined'' frequency and rate.<ref>NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55</ref>
+* '''Operational plan of action:''' As used in security requirement CA.L2-3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements and documents how and when they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action is not the same as a POA&amp;M associated with an assessment.
+* '''Organization-defined:''' As determined by the OSA being assessed except as defined in the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of an OSA’s solution.
+* '''Periodically:''' Occurring at a regular interval as determined by the OSA that may not exceed one year. As used in many requirements within CMMC, the interval length is ''organization-defined'' to provide OSA flexibility, with an interval length of no more than one year.
+* '''Security Protection Data (SPD):''' As defined in 32 CFR § 170.4 means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. SPD is security relevant information and includes, but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
+* '''System Security Plan (SSP):''' As defined in 32 CFR § 170.4 means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems, as defined in NIST SP 800-53 Rev 5.
+* '''Temporary deficiency:''' As defined in 32 CFR § 170.4 means a condition where remediation of a discovered deficiency is feasible and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.
-in 32 § CFR 170.4, obtained through an assessment by an accredited C3PAO.
+== Assessment Criteria and Methodology ==
+The ''CMMC Assessment Guide – Level 2'' leverages the assessment procedure described in NIST SP 800-171A Section 2.1<ref>NIST SP 800-171A, ''Assessing Security Requirements for Controlled Unclassified Information'', June 2018, pp. 4-5</ref>:
+: ''An assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to conduct the assessment. Each assessment objective includes a determination statement related to the requirement that is the subject of the assessment. The determination statements are linked to the content of the requirement to ensure traceability of the assessment results to the requirements. The application of an assessment procedure to a requirement produces assessment findings. These findings reflect, or are subsequently used, to help determine if the requirement has been satisfied.
-Level 2 Description
+: Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals.
+: * ''Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.''
+: * ''Mechanisms are the specific hardware, software, or firmware safeguards employed within a system.''
+: * ''Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).''
+: * ''Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.''
-Level 2 incorporates the security requirements specified in National Institute of Standards
+: ''The assessment methods define the nature and the extent of the assessor’s actions. The methods include ''examine'', ''interview'', and ''test.
+: * ''The ''examine'' method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities). The purpose of the ''examine'' method is to facilitate understanding, achieve clarification, or obtain evidence.''
+: * ''The ''interview'' method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.''
+: * ''And finally, the ''test'' method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.''
-and Technology (NIST) Special Publication (SP) 800-171 Revision 2, ''Protecting Controlled ''
+: ''In all three assessment methods, the results are used in making specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.''
-''Unclassified Information in Nonfederal Systems and Organizations''. <br />
+=== Criteria ===
-Level 2 addresses the protection of Controlled Unclassified Information (CUI), as defined in
+Assessment objectives are provided for each requirement and are based on existing criteria from NIST SP 800-171A. The criteria are authoritative and provide a basis for the assessment of a requirement.
-CFR § 2002.4(h):
+=== Methodology ===
+To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist demonstrating that the OSA has fulfilled the objectives of the Level 2 requirements. Because different assessment objectives can be met in different ways (e.g., through documentation, computer configuration, network configuration, or training), a variety of techniques may be used to determine if the OSA meets the Level 2 requirements, including any of the three assessment methods from NIST SP 800-171A.
-''Information the Government creates or possesses, or that an entity creates or ''
+The assessor will follow the guidance in NIST SP 800-171A when determining which assessment methods to use:
-''possesses for or on behalf of the Government, that a law, regulation, or ''
+: ''Organizations [Certified Assessors] are not expected to employ ''all'' assessment methods and objects contained within the assessment procedures identified in this publication. Rather, organizations [Certified Assessors] have the flexibility to determine the level of effort needed and the assurance required for an assessment (e.g., which assessment methods and assessment objects are deemed to be the most useful in obtaining the desired results). This determination is made based on how the organization [contractor] can accomplish the assessment objectives in the most cost-effective manner and with sufficient confidence to support the determination that the CUI requirements have been satisfied.<ref>NIST SP 800-171A, p. 5.</ref>''
-''Government-wide policy requires or permits an agency to handle using ''
+The primary deliverable of an assessment is a compliance score and accompanying report that contains the findings associated with each requirement. For more detailed information on assessment methods, see Appendix D of NIST SP 800-171A, incorporated by reference per 32 CFR § 170.2.
-''safeguarding or dissemination controls. However, CUI does not include classified ''
+==== Who Is Interviewed ====
+Interviews of applicable staff (possibly at different organizational levels) may provide information to help an assessor determine if security requirements have been implemented, as well as if adequate resourcing, training, and planning have occurred for individuals to perform the requirements.
-''information (see paragraph (e) of this section) or information a non-executive ''
+==== What Is Examined ====
+Examination includes reviewing, inspecting, observing, studying, or analyzing assessment objects. The objects can be documents, mechanisms, or activities.
-''branch entity possesses and maintains in its own systems that did not come from, ''
+For some security requirements, review of documentation may assist assessors in determining if the assessment objectives have been met. Interviews with staff may help identify relevant documents. Documents need to be in their final forms; drafts of policies or documentation are not eligible to be used as evidence because they are not yet official and still subject to change. Common types of documents that may be used as evidence include:
+* policy, process, and procedure documents;
+* training materials;
+* plans and planning documents; and
+* system, network, and data flow diagrams.
-''or was not created or possessed by or for, an executive branch agency or an entity ''
+This list of documents is not exhaustive or prescriptive. An OSA may not have these specific documents, and other documents may be reviewed.
+In other cases, the security requirement is best self-assessed by observing that safeguards are in place by viewing hardware, associated configuration information, or observing staff following a process.
-''acting for an agency. Law, regulation, or Government-wide policy may require ''
+==== What Is Tested ====
+Testing is an important part of the self-assessment process. Interviews provide information about what the OSA staff believe to be true, documentation provides evidence of implementing policies and procedures, and testing demonstrates what has or has not been done. For example, OSA staff may talk about how users are identified, documentation may provide details on how users are identified, but seeing a demonstration of identifying users provides evidence that the requirement is met. The assessor will determine which requirements or objectives within a requirement need demonstration or testing. Most objectives will require testing.
-''or permit safeguarding or dissemination controls in three ways: Requiring or ''
+=== Assessment Findings ===
+The assessment of a CMMC requirement results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve a Final Level 2 (Self) or Final Level 2 (C3PAO) CMMC Status, the OSA will need a finding of MET or NOT APPLICABLE on all Level 2 security requirements.
+* '''MET''': All applicable assessment objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and not draft. Unacceptable forms of evidence include working papers, drafts, and unofficial or unapproved policies. For each security requirement marked MET, it is best practice to record statements that indicate the response conforms to all objectives and document the appropriate evidence to support the response.
+** Enduring Exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
+** Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews, milestones, and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
+* '''NOT MET''': One or more objectives for the security requirement is not satisfied. For each security requirement marked NOT MET, it is best practice to record statements that explain why and document the appropriate evidence showing that the OSA does not conform fully to all of the objectives. During Level 2 certification assessments, for each requirement objective marked NOT MET, the assessor will document why the evidence does not conform.
+* '''NOT APPLICABLE (N/A)''': A security requirement and/or objective does not apply at the time of the assessment. For each security requirement marked N/A, it is best practice to record a statement that explains why the requirement does not apply to the OSA. For example, Public-Access System Separation (SC.L2-3.13.5) might be N/A if there are no publicly accessible systems within the CMMC Assessment Scope. During an assessment, an assessment objective assessed as N/A is equivalent to the same assessment objective being assessed as MET.
+: If an OSC previously received a favorable adjudication from the DoD CIO indicating that a requirement is not applicable or that an alternative security measure is equally effective, the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. Implemented security measures adjudicated by the DoD CIO as equally effective are assessed as MET if there have been no changes in the environment.
+: Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT APPLICABLE in order for the overall security requirement to be scored as MET. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.
+: CMMC assessments are conducted and results are captured at the assessment objective level. One NOT MET assessment objective results in a failure of the entire security requirement.
+: A security requirement can be applicable even when assessment objectives included in the security requirement are scored as N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET.
+: Satisfaction of security requirements may be accomplished by other parts of the enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security requirement is considered MET if adequate evidence is provided that the enterprise or External Service Provider (ESP), implements the requirement objectives. An ESP may be external people, technology, or facilities that the OSA uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers.
+== Requirement Descriptions ==
+=== Introduction ===
+This section provides detailed information and guidance for assessing each Level 2 security requirement. The section is organized first by domain and then by individual security requirement. Each requirement description contains the following elements as described in 32 CFR § 170.14(c):
+* '''Requirement Number, Name, and Statement:''' Headed by the requirement identification number in the format, DD.L#-REQ (e.g., AC.L2-3.1.1); followed by the requirement short name identifier, meant to be used for quick reference only; and finally followed by the complete CMMC security requirement statement.
+* '''Assessment Objectives [NIST SP 800-171A]:''' Identifies the specific set of objectives that must be met to receive MET for the requirement as defined in NIST SP 800-171A.<ref>NIST SP 800-171A, p. 4.</ref>
+* '''Potential Assessment Methods and Objects [NIST SP 800-171A]:''' Describes the nature and the extent of the assessment actions as set forth in NIST SP 800-171A. The methods include ''examine'', ''interview'', and ''test''. Assessment objects identify the items being assessed and can include specifications, mechanisms, activities, and individuals.<ref>NIST SP 800-171A, pp. 4-5.</ref>
+* '''Discussion [NIST SP 800-171 Rev. 2]:''' Contains discussion from the associated NIST SP 800-171 security requirement.
+* '''Further Discussion:'''
+** Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional guidance.
+** Contains examples illustrating application of the requirements. These examples are intended to provide insight but are not prescriptive of how the requirement must be implemented, nor are they comprehensive of all assessment objectives necessary to achieve the requirement. The assessment objectives met within the example are referenced by letter in a bracket (e.g., [a, d] for objectives “a” and “d”) within the text.
+** Examples are written from the perspective of an organization or an employee of an organization implementing solutions or researching approaches to satisfy CMMC requirements. The objective is to put the reader into the role of implementing or maintaining alternatives to satisfy security requirements. Examples are not all-inclusive or prescriptive and do not imply any personal responsibility for complying with CMMC requirements.
+** Provides potential assessment considerations. These may include common considerations for assessing the requirement and potential questions that may be asked when assessing the objectives.
+* '''Key References:''' Lists the basic safeguarding requirement from NIST SP 800-171 Rev. 2.
+== Access Control (AC) ==
+=== AC.L2-3.1.1 – Authorized Access Control [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] authorized users are identified;
+: [b] processes acting on behalf of authorized users are identified;
+: [c] devices (and other systems) authorized to connect to the system are identified;
+: [d] system access is limited to authorized users;
+: [e] system access is limited to processes acting on behalf of authorized users; and
+: [f] system access is limited to authorized devices (including other systems).
+|-
+|[[Practice_AC.L2-3.1.1_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.2 – Transaction & Function Control [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
+: [b] system access is limited to the defined types of transactions and functions for authorized users.
+|-
+|[[Practice_AC.L2-3.1.2_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.3 – Control CUI Flow ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control the flow of CUI in accordance with approved authorizations.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] information flow control policies are defined;
+: [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
+: [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
+: [d] authorizations for controlling the flow of CUI are defined; and
+: [e] approved authorizations for controlling the flow of CUI are enforced.
+|-
+|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.4 – Separation of Duties ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the duties of individuals requiring separation are defined;
+: [b] responsibilities for duties that require separation are assigned to separate individuals; and
+: [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
+|-
+|[[Practice_AC.L2-3.1.4_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.5 – Least Privilege ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Employ the principle of least privilege, including for specific security functions and privileged accounts.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] privileged accounts are identified;
+: [b] access to privileged accounts is authorized in accordance with the principle of least privilege;
+: [c] security functions are identified; and
+: [d] access to security functions is authorized in accordance with the principle of least privilege.
+|-
+|[[Practice_AC.L2-3.1.5_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.6 – Non-Privileged Account Use ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Use non-privileged accounts or roles when accessing nonsecurity functions.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] nonsecurity functions are identified; and
+: [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
+|-
+|[[Practice_AC.L2-3.1.6_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.7 – Privileged Functions ===
+{|class="wikitable"
-''' '''
+|'''SECURITY REQUIREMENT'''
+Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
-Introduction
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] privileged functions are defined;
+: [b] non-privileged users are defined;
+: [c] non-privileged users are prevented from executing privileged functions; and
+: [d] the execution of privileged functions is captured in audit logs.
+|-
+|[[Practice_AC.L2-3.1.7_Details|More Practice Details...]]
+|}
-CMMC Assessment Guide – Level 2 | Version 2.13
+=== AC.L2-3.1.8 – Unsuccessful Logon Attempts ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit unsuccessful logon attempts.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the means of limiting unsuccessful logon attempts is defined; and
+: [b] the defined means of limiting unsuccessful logon attempts is implemented.
+|-
+|[[Practice_AC.L2-3.1.8_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.9 – Privacy & Security Notices ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Provide privacy and security notices consistent with applicable CUI rules.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
+: [b] privacy and security notices are displayed.
+|-
+|[[Practice_AC.L2-3.1.9_Details|More Practice Details...]]
+|}
+=== AC.L2-3.1.10 – Session Lock ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the period of inactivity after which the system initiates a session lock is defined;
+: [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
+: [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
+|-
+|[[Practice_AC.L2-3.1.10_Details|More Practice Details...]]
+|}
-''permitting agencies to control or protect the information but providing no ''
+=== AC.L2-3.1.11 – Session Termination ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Terminate (automatically) a user session after a defined condition.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] conditions requiring a user session to terminate are defined; and
+: [b] a user session is automatically terminated after any of the defined conditions
+|-
+|[[Practice_AC.L2-3.1.11_Details|More Practice Details...]]
+|}
-''specific controls, which makes the information CUI Basic; requiring or ''
+=== AC.L2-3.1.12 – Control Remote Access ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Monitor and control remote access sessions.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] remote access sessions are permitted;
+: [b] the types of permitted remote access are identified;
+: [c] remote access sessions are controlled; and
+: [d] remote access sessions are monitored.
+|-
+|[[Practice_AC.L2-3.1.12_Details|More Practice Details...]]
+|}
-''permitting agencies to control or protect the information and providing specific ''
+=== AC.L2-3.1.13 – Remote Access Confidentiality ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
+: [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
+|-
+|[[Practice_AC.L2-3.1.13_Details|More Practice Details...]]
+|}
-''controls for doing so, which makes the information CUI Specified; or requiring or ''
+=== AC.L2-3.1.14 – Remote Access Routing ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Route remote access via managed access control points.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] managed access control points are identified and implemented; and
+: [b] remote access is routed through managed network access control points.
+|-
+|[[Practice_AC.L2-3.1.14_Details|More Practice Details...]]
+|}
-''permitting agencies to control the information and specifying only some of those ''
+=== AC.L2-3.1.15 – Privileged Remote Access ===
+{|class="wikitable"
-''controls, which makes the information CUI Specified, but with CUI Basic controls ''
+|'''SECURITY REQUIREMENT'''
+Authorize remote execution of privileged commands and remote access to security-relevant information.
-''where the authority does not specify.''
+|-
+|'''ASSESSMENT OBJECTIVES'''
-Level 2 certification assessments provides increased assurance to the DoD that an OSA can
+: [a] privileged commands authorized for remote execution are identified;
+: [b] security-relevant information authorized to be accessed remotely is identified;
-adequately protect CUI at a level commensurate with the adversarial  risk,  including
+: [c] the execution of the identified privileged commands via remote access is authorized; and
+: [d] access to the identified security-relevant information via remote access is authorized.
-protecting information flow with subcontractors in a multi-tier supply chain.
+|-
+|[[Practice_AC.L2-3.1.15_Details|More Practice Details...]]
+|}
-Purpose and Audience
+=== AC.L2-3.1.16 – Wireless Access Authorization ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Authorize wireless access prior to allowing such connections.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] wireless access points are identified; and
+: [b] wireless access is authorized prior to allowing such connections.
+|-
+|[[Practice_AC.L2-3.1.16_Details|More Practice Details...]]
+|}
-This guide is intended for assessors, OSAs, cybersecurity professionals, and individuals and
+=== AC.L2-3.1.17 – Wireless Access Protection ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Protect wireless access using authentication and encryption.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] wireless access to the system is protected using authentication; and
+: [b] wireless access to the system is protected using encryption.
+|-
+|[[Practice_AC.L2-3.1.17_Details|More Practice Details...]]
+|}
-companies that support CMMC efforts. This document can be used as part of preparation for
+=== AC.L2-3.1.18 – Mobile Device Connection ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control connection of mobile devices.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] mobile devices that process, store, or transmit CUI are identified;
+: [b] mobile device connections are authorized; and
+: [c] mobile device connections are monitored and logged.
+|-
+|[[Practice_AC.L2-3.1.18_Details|More Practice Details...]]
+|}
-and conducting a Level 2 self-assessment or a Level 2 certification assessment. The term
+=== AC.L2-3.1.19 – Encrypt CUI on Mobile ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Encrypt CUI on mobile devices and mobile computing platforms.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
+: [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
+|-
+|[[Practice_AC.L2-3.1.19_Details|More Practice Details...]]
+|}
-Level 2 assessment encompasses both Level 2 self-assessment  and  Level 2 certification
+=== AC.L2-3.1.20 – External Connections [CUI Data] ===
+{|class="wikitable"
-assessment. <br />
+|'''SECURITY REQUIREMENT'''
-Document Organization <br />
+Verify and control/limit connections to and use of external information systems.
-This document is organized into the following sections: <br />
+|-
-•
+|'''ASSESSMENT OBJECTIVES'''
+: [a] connections to external systems are identified;
-  '''Assessment and Certification:''  '''''provides an overview of the Level 2  self-assessment
+: [b] the use of external systems is identified;
+: [c] connections to external systems are verified;
+: [d] the use of external systems is verified;
+: [e] connections to external systems are controlled/limited; and
+: [f] the use of external systems is controlled/limited.
+|-
+|[[Practice_AC.L2-3.1.20_Details|More Practice Details...]]
+|}
-processes set forth in 32 CFR §170.16 as well as the Level 2 certification assessment
+=== AC.L2-3.1.21 – Portable Storage Use ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit use of portable storage devices on external systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the use of portable storage devices containing CUI on external systems is identified and documented;
+: [b] limits on the use of portable storage devices containing CUI on external systems are defined; and
+: [c] the use of portable storage devices containing CUI on external systems is limited as defined.
+|-
+|[[Practice_AC.L2-3.1.21_Details|More Practice Details...]]
+|}
-processes set forth in 32 CFR  § 170.17.  It  provides  guidance regarding the scope
+=== AC.L2-3.1.22 – Control Public Information [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control information posted or processed on publicly accessible information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] individuals authorized to post or process information on publicly accessible systems are identified;
+: [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified;
+: [c] a review process is in place prior to posting of any content to publicly accessible systems;
+: [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI; and
+: [e] mechanisms are in place to remove and address improper posting of CUI.
+|-
+|[[Practice_AC.L2-3.1.22_Details|More Practice Details...]]
+|}
-requirements set forth in 32 CFR § 170.19(c).
+== Awareness and Training (AT) ==
+=== AT.L2-3.2.1 – Role-Based Risk Awareness ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] security risks associated with organizational activities involving CUI are identified;
+: [b] policies, standards, and procedures related to the security of the system are identified;
+: [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
+: [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
+|-
+|[[Practice_AT.L2-3.2.1_Details|More Practice Details...]]
+|}
-•
+=== AT.L2-3.2.2 – Role-Based Training ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] information security-related duties, roles, and responsibilities are defined;
+: [b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
+: [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
+|-
+|[[Practice_AT.L2-3.2.2_Details|More Practice Details...]]
+|}
-  '''CMMC-Custom Terms:''' incorporates definitions from 32 CFR § 170.4 and definitions
+=== AT.L2-3.2.3 – Insider Threat Awareness ===
+{|class="wikitable"
-included by reference from 32 CFR § 170.2, and provides clarification of the intent and
+|'''SECURITY REQUIREMENT'''
+Provide security awareness training on recognizing and reporting potential indicators of insider threat.
-scope of custom terms as used in the context of CMMC.
+|-
+|'''ASSESSMENT OBJECTIVES'''
-•
+: [a] potential indicators associated with insider threats are identified; and
+: [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
-  '''Assessment Criteria and Methodology:'''  provides guidance on the criteria and
+|-
+|[[Practice_AT.L2-3.2.3_Details|More Practice Details...]]
-methodology (i.e., ''interview'',  ''examine'', and ''test'')  to be employed  during a Level 2
+|}
-assessment, as well as on assessment findings.
-•
-  '''Requirement  Descriptions:  '''provides  guidance specific to  each  Level  2  security
-requirement.
+== Audit and Accountability (AU) ==
+=== AU.L2-3.3.1 – System Auditing ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
+: [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
+: [c] audit records are created (generated);
+: [d] audit records, once created, contain the defined content;
+: [e] retention requirements for audit records are defined; and
+: [f] audit records are retained as defined.
+|-
+|[[Practice_AU.L2-3.3.1_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.2 – User Accountability ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
+: [b] audit records, once created, contain the defined content.
+|-
+|[[Practice_AU.L2-3.3.2_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.3 – Event Review ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Review and update logged events.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a process for determining when to review logged events is defined;
+: [b] event types being logged are reviewed in accordance with the defined review process; and
+: [c] event types being logged are updated based on the review.
+|-
+|[[Practice_AU.L2-3.3.3_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.4 – Audit Failure Alerting ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Alert in the event of an audit logging process failure.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
+: [b] types of audit logging process failures for which alert will be generated are defined; and
+: [c] identified personnel or roles are alerted in the event of an audit logging process failure.
+|-
+|[[Practice_AU.L2-3.3.4_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.5 – Audit Correlation ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
+: [b] defined audit record review, analysis, and reporting processes are correlated.
+|-
+|[[Practice_AU.L2-3.3.5_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.6 – Reduction & Reporting ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Provide audit record reduction and report generation to support on-demand analysis and reporting.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] an audit record reduction capability that supports on-demand analysis is provided; and
+: [b] a report generation capability that supports on-demand reporting is provided.
+|-
+|[[Practice_AU.L2-3.3.6_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.7 – Authoritative Time Source ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] internal system clocks are used to generate time stamps for audit records;
+: [b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
+: [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
+|-
+|[[Practice_AU.L2-3.3.7_Details|More Practice Details...]]
+|}
+=== AU.L2-3.3.8 – Audit Protection ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] audit information is protected from unauthorized access;
+: [b] audit information is protected from unauthorized modification;
+: [c] audit information is protected from unauthorized deletion;
+: [d] audit logging tools are protected from unauthorized access;
+: [e] audit logging tools are protected from unauthorized modification; and
+: [f] audit logging tools are protected from unauthorized deletion.
+|-
+|[[Practice_AU.L2-3.3.8_Details|More Practice Details...]]
+|}
-''' '''
+=== AU.L2-3.3.9 – Audit Management ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit management of audit logging functionality to a subset of privileged users.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a subset of privileged users granted access to manage audit logging functionality is defined; and
+: [b] management of audit logging functionality is limited to the defined subset of privileged users.
+|-
+|[[Practice_AU.L2-3.3.9_Details|More Practice Details...]]
+|}
-Assessment and Certification
+== Configuration Management (CM) ==
+=== CM.L2-3.4.1 – System Baselining ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a baseline configuration is established;
+: [b] the baseline configuration includes hardware, software, firmware, and documentation;
+: [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
+: [d] a system inventory is established;
+: [e] the system inventory includes hardware, software, firmware, and documentation; and
+: [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
+|-
+|[[Practice_CM.L2-3.4.1_Details|More Practice Details...]]
+|}
-CMMC Assessment Guide – Level 2 | Version 2.13
+=== CM.L2-3.4.2 – Security Configuration Enforcement ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Establish and enforce security configuration settings for information technology products employed in organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
+: [b] security configuration settings for information technology products employed in the system are enforced.
+|-
+|[[Practice_CM.L2-3.4.2_Details|More Practice Details...]]
+|}
+=== CM.L2-3.4.3 – System Change Management ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Track, review, approve or disapprove, and log changes to organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] changes to the system are tracked;
+: [b] changes to the system are reviewed;
+: [c] changes to the system are approved or disapproved; and
+: [d] changes to the system are logged.
+|-
+|[[Practice_CM.L2-3.4.3_Details|More Practice Details...]]
+|}
+=== CM.L2-3.4.4 – Security Impact Analysis ===
+{|class="wikitable"
-Assessment and Certification <br />
+|'''SECURITY REQUIREMENT'''
-Certified Assessors as described in 32 CFR § 170.11 will use the assessment methods defined
+Analyze the security impact of changes prior to implementation.
+|-
-in NIST  SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|1]],  ''Assessing Security Requirements for Controlled Unclassified ''
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the security impact of changes to the system is analyzed prior to implementation.
-''Information'',  along with the supplemental information in this guide, to conduct Level  2
+|-
+|[[Practice_CM.L2-3.4.4_Details|More Practice Details...]]
+|}
-certification assessments. Certified Assessors will review information and evidence to verify
+=== CM.L2-3.4.5 – Access Restrictions for Change ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] physical access restrictions associated with changes to the system are defined;
+: [b] physical access restrictions associated with changes to the system are documented;
+: [c] physical access restrictions associated with changes to the system are approved;
+: [d] physical access restrictions associated with changes to the system are enforced;
+: [e] logical access restrictions associated with changes to the system are defined;
+: [f] logical access restrictions associated with changes to the system are documented;
+: [g] logical access restrictions associated with changes to the system are approved; and
+: [h] logical access restrictions associated with changes to the system are enforced.
+|-
+|[[Practice_CM.L2-3.4.5_Details|More Practice Details...]]
+|}
-that an OSC meets the stated assessment objectives for all of the requirements. <br />
+=== CM.L2-3.4.6 – Least Functionality ===
-An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] essential system capabilities are defined based on the principle of least functionality; and
+: [b] the system is configured to provide only the defined essential capabilities.
+|-
+|[[Practice_CM.L2-3.4.6_Details|More Practice Details...]]
+|}
-a specific  enclave(s), depending upon how the CMMC  Assessment  Scope  is  defined  in
+=== CM.L2-3.4.7 – Nonessential Functionality ===
+{|class="wikitable"
-accordance with 32 CFR § 170.19(c). <br />
+|'''SECURITY REQUIREMENT'''
-OSAs  conducting self-assessments  in accordance with 32  CFR  § 170.16  are expected to
+Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
+|-
-evaluate their compliance with CMMC requirements using the same criteria established in
+|'''ASSESSMENT OBJECTIVES'''
+: [a] essential programs are defined;
-NIST SP 800-171A and this assessment guide and used for third-party assessments.
+: [b] the use of nonessential programs is defined;
+: [c] the use of nonessential programs is restricted, disabled, or prevented as defined;
-Assessment Scope
+: [d] essential functions are defined;
+: [e] the use of nonessential functions is defined;
-The CMMC Assessment Scope must be specified prior to assessment in accordance with the
+: [f] the use of nonessential functions is restricted, disabled, or prevented as defined;
+: [g] essential ports are defined;
-requirements of 32 CFR § 170.19. The CMMC Assessment Scope is the set of all assets in the
+: [h] the use of nonessential ports is defined;
+: [i] the use of nonessential ports is restricted, disabled, or prevented as defined;
-OSA’s environment that will be assessed against CMMC security requirements. <br />
+: [j] essential protocols are defined;
-Because the scoping of a Level 2 certification assessment is not the same as the scoping of a
+: [k] the use of nonessential protocols is defined;
+: [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
-Level  3  certification  assessment,  before determining the CMMC Assessment Scope it is
+: [m] essential services are defined;
+: [n] the use of nonessential services is defined; and
-important to first consider whether the goal is a Level 2 or Level 3 CMMC Status. If the intent
+: [o] the use of nonessential services is restricted, disabled, or prevented as defined.
+|-
-is not to achieve a CMMC Status of Final Level 3 (DIBCAC) as defined in 32 CFR § 170.18,
+|[[Practice_CM.L2-3.4.7_Details|More Practice Details...]]
+|}
-refer to the guidance provided in the  ''CMMC Scoping Guide  –  Level  2''  document  which
+=== CM.L2-3.4.8 – Application Execution Policy ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
+: [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
+: [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
+|-
+|[[Practice_CM.L2-3.4.8_Details|More Practice Details...]]
+|}
-summarizes 32 CFR § 170.19(c). If the intent is to achieve a CMMC Status of Final Level 3
+=== CM.L2-3.4.9 – User-Installed Software ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control and monitor user-installed software.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a policy for controlling the installation of software by users is established;
+: [b] installation of software by users is controlled based on the established policy; and
+: [c] installation of software by users is monitored.
+|-
+|[[Practice_CM.L2-3.4.9_Details|More Practice Details...]]
+|}
-(DIBCAC), refer to the guidance provided in the ''CMMC Scoping Guide – Level 3'' document
+== Identification and Authentication (IA) ==
+=== IA.L2-3.5.1 – Identification [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Identify information system users, processes acting on behalf of users, or devices.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] system users are identified;
+: [b] processes acting on behalf of users are identified; and
+: [c] devices accessing the system are identified.
+|-
+|[[Practice_IA.L2-3.5.1_Details|More Practice Details...]]
+|}
-which summarizes 32 CFR § 170.19(d). Both documents are available on the official CMMC
+=== IA.L2-3.5.2 – Authentication [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the identity of each user is authenticated or verified as a prerequisite to system access;
+: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
+: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
+|-
+|[[Practice_IA.L2-3.5.2_Details|More Practice Details...]]
+|}
-documentation site at https://dodcio.defense.gov/CMMC/Documentation/.
+=== IA.L2-3.5.3 – Multifactor Authentication ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] privileged accounts are identified;
+: [b] multifactor authentication is implemented for local access to privileged accounts;
+: [c] multifactor authentication is implemented for network access to privileged accounts; and
+: [d] multifactor authentication is implemented for network access to non-privileged accounts.
+|-
+|[[Practice_IA.L2-3.5.3_Details|More Practice Details...]]
+|}
- NIST SP 800-171A, June 2018
+=== IA.L2-3.5.4 – Replay-Resistant Authentication ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
+|-
+|[[Practice_IA.L2-3.5.4_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.5 – Identifier Reuse ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Prevent reuse of identifiers for a defined period.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a period within which identifiers cannot be reused is defined; and
+: [b] reuse of identifiers is prevented within the defined period.
+|-
+|[[Practice_IA.L2-3.5.5_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.6 – Identifier Handling ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Disable identifiers after a defined period of inactivity.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a period of inactivity after which an identifier is disabled is defined; and
+: [b] identifiers are disabled after the defined period of inactivity.
+|-
+|[[Practice_IA.L2-3.5.6_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.7 – Password Complexity ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Enforce a minimum password complexity and change of characters when new passwords are created.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] password complexity requirements are defined;
+: [b] password change of character requirements are defined;
+: [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
+: [d] minimum password change of character requirements as defined are enforced when new passwords are created.
+|-
+|[[Practice_IA.L2-3.5.7_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.8 – Password Reuse ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Prohibit password reuse for a specified number of generations.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
+|-
+|[[Practice_IA.L2-3.5.8_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.9 – Temporary Passwords ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Allow temporary password use for system logons with an immediate change to a permanent password.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
+|-
+|[[Practice_IA.L2-3.5.9_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.10 – Cryptographically-Protected Passwords ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Store and transmit only cryptographically-protected passwords.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] passwords are cryptographically protected in storage; and
+: [b] passwords are cryptographically protected in transit.
+|-
+|[[Practice_IA.L2-3.5.10_Details|More Practice Details...]]
+|}
+=== IA.L2-3.5.11 – Obscure Feedback ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Obscure feedback of authentication information.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] authentication information is obscured during the authentication process.
+|-
+|[[Practice_IA.L2-3.5.11_Details|More Practice Details...]]
+|}
+== Incident Response (IR) ==
+=== IR.L2-3.6.1 – Incident Handling ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] an operational incident-handling capability is established;
+: [b] the operational incident-handling capability includes preparation;
+: [c] the operational incident-handling capability includes detection;
+: [d] the operational incident-handling capability includes analysis;
+: [e] the operational incident-handling capability includes containment;
+: [f] the operational incident-handling capability includes recovery; and
+: [g] the operational incident-handling capability includes user response
+|-
+|[[Practice_IR.L2-3.6.1_Details|More Practice Details...]]
+|}
-''' '''
+=== IR.L2-3.6.2 – Incident Reporting ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] incidents are tracked;
+: [b] incidents are documented;
+: [c] authorities to whom incidents are to be reported are identified;
+: [d] organizational officials to whom incidents are to be reported are identified;
+: [e] identified authorities are notified of incidents; and
+: [f] identified organizational officials are notified of incidents.
+|-
+|[[Practice_IR.L2-3.6.2_Details|More Practice Details...]]
+|}
-CMMC-Custom Terms
+=== IR.L2-3.6.3 – Incident Response Testing ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Test the organizational incident response capability.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the incident response capability is tested.
+|-
+|[[Practice_IR.L2-3.6.3_Details|More Practice Details...]]
+|}
-CMMC Assessment Guide – Level 2 | Version 2.13
+== Maintenance (MA) ==
+=== MA.L2-3.7.1 – Perform Maintenance ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Perform maintenance on organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] system maintenance is performed.
+|-
+|[[Practice_MA.L2-3.7.1_Details|More Practice Details...]]
+|}
+=== MA.L2-3.7.2 – System Maintenance Control ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] tools used to conduct system maintenance are controlled;
+: [b] techniques used to conduct system maintenance are controlled;
+: [c] mechanisms used to conduct system maintenance are controlled; and
+: [d] personnel used to conduct system maintenance are controlled.
+|-
+|[[Practice_MA.L2-3.7.2_Details|More Practice Details...]]
+|}
+=== MA.L2-3.7.3 – Equipment Sanitization ===
+{|class="wikitable"
-CMMC-Custom Terms <br />
+|'''SECURITY REQUIREMENT'''
-The CMMC Program has custom terms that align with program requirements. Although some
+Ensure equipment removed for off-site maintenance is sanitized of any CUI.
+|-
-terms may have other definitions in open forums, it is important to understand these terms
+|'''ASSESSMENT OBJECTIVES'''
+: [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
-as they apply to the CMMC Program. <br />
+|-
-The specific terms as associated with Level 2 are: <br />
+|[[Practice_MA.L2-3.7.3_Details|More Practice Details...]]
-•
+|}
-  '''Assessment: '''As defined in 32 CFR § 170.4 means the testing or evaluation of security
+=== MA.L2-3.7.4 – Media Inspection ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
+|-
+|[[Practice_MA.L2-3.7.4_Details|More Practice Details...]]
+|}
-controls to determine the extent to which the controls are implemented correctly,
+=== MA.L2-3.7.5 – Nonlocal Maintenance ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
+: [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
+|-
+|[[Practice_MA.L2-3.7.5_Details|More Practice Details...]]
+|}
-operating as intended, and producing the desired outcome with respect to meeting the
+=== MA.L2-3.7.6 – Maintenance Personnel ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Supervise the maintenance activities of maintenance personnel without required access authorization.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] maintenance personnel without required access authorization are supervised during maintenance activities.
+|-
+|[[Practice_MA.L2-3.7.6_Details|More Practice Details...]]
+|}
-security requirements for an information system or organization, as defined in 32 CFR §
+== Media Protection (MP) ==
+=== MP.L2-3.8.1 – Media Protection ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] paper media containing CUI is physically controlled;
+: [b] digital media containing CUI is physically controlled;
+: [c] paper media containing CUI is securely stored; and
+: [d] digital media containing CUI is securely stored.
+|-
+|[[Practice_MP.L2-3.8.1_Details|More Practice Details...]]
+|}
-.15 to 32 CFR § 170.18.
+=== MP.L2-3.8.2 – Media Access ===
+{|class="wikitable"
-o  ''Level 2 self-assessment'' is the term for the activity performed by an OSA to evaluate
+|'''SECURITY REQUIREMENT'''
+Limit access to CUI on system media to authorized users.
-its own information system when seeking a CMMC Status of Level 2 (Self).
+|-
+|'''ASSESSMENT OBJECTIVES'''
-o  ''Level 2 certification assessment'' is the term for the activity performed by a C3PAO
+: [a] access to CUI on system media is limited to authorized users.
+|-
+|[[Practice_MP.L2-3.8.2_Details|More Practice Details...]]
+|}
-to evaluate the information system of an OSC when seeking a CMMC Status of
+=== MP.L2-3.8.3 – Media Disposal [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] system media containing CUI is sanitized or destroyed before disposal; and
+: [b] system media containing CUI is sanitized before it is released for reuse.
+|-
+|[[Practice_MP.L2-3.8.3_Details|More Practice Details...]]
+|}
-Level 2 (C3PAO).
+=== MP.L2-3.8.4 – Media Markings ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Mark media with necessary CUI markings and distribution limitations.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] media containing CUI is marked with applicable CUI markings; and
+: [b] media containing CUI is marked with distribution limitations.
+|-
+|[[Practice_MP.L2-3.8.4_Details|More Practice Details...]]
+|}
-o  ''POA&amp;M closeout self-assessment'' is the term for the activity performed by an OSA
+=== MP.L2-3.8.5 – Media Accountability ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] access to media containing CUI is controlled; and
+: [b] accountability for media containing CUI is maintained during transport outside of controlled areas.
+|-
+|[[Practice_MP.L2-3.8.5_Details|More Practice Details...]]
+|}
-to evaluate only the NOT MET requirements that were identified with POA&amp;M
+=== MP.L2-3.8.6 – Portable Storage Encryption ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
+|-
+|[[Practice_MP.L2-3.8.6_Details|More Practice Details...]]
+|}
-during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).
+=== MP.L2-3.8.7 – Removable Media ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control the use of removable media on system components.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the use of removable media on system components is controlled.
+|-
+|[[Practice_MP.L2-3.8.7_Details|More Practice Details...]]
+|}
-o  ''POA&amp;M closeout certification assessment'' is the term for the activity performed by
+=== MP.L2-3.8.8 – Shared Media ===
+{|class="wikitable"
-a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were
+|'''SECURITY REQUIREMENT'''
+Prohibit the use of portable storage devices when such devices have no identifiable owner.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
+|-
+|[[Practice_MP.L2-3.8.8_Details|More Practice Details...]]
+|}
-identified with POA&amp;M during the initial assessment, when seeking a CMMC
+=== MP.L2-3.8.9 – Protect Backups ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Protect the confidentiality of backup CUI at storage locations.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the confidentiality of backup CUI is protected at storage locations.
+|-
+|[[Practice_MP.L2-3.8.9_Details|More Practice Details...]]
+|}
-Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
+== Personnel Security (PS) ==
+=== PS.L2-3.9.1 – Screen Individuals ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Screen individuals prior to authorizing access to organizational systems containing CUI.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] individuals are screened prior to authorizing access to organizational systems containing CUI.
+|-
+|[[Practice_PS.L2-3.9.1_Details|More Practice Details...]]
+|}
-•
+=== PS.L2-3.9.2 – Personnel Actions ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
+: [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
+: [c] the system is protected during and after personnel transfer actions.
+|-
+|[[Practice_PS.L2-3.9.2_Details|More Practice Details...]]
+|}
-  '''Assessment Objective: '''As defined in 32 CFR § 170.4 means a set of determination
+== Physical Protection (PE) ==
+=== PE.L2-3.10.1 – Limit Physical Access [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] authorized individuals allowed physical access are identified;
+: [b] physical access to organizational systems is limited to authorized individuals;
+: [c] physical access to equipment is limited to authorized individuals; and
+: [d] physical access to operating environments is limited to authorized.
+|-
+|[[Practice_PE.L2-3.10.1_Details|More Practice Details...]]
+|}
-statements that, taken together, expresses the desired outcome for the assessment of a
+=== PE.L2-3.10.2 – Monitor Facility ===
+{|class="wikitable"
-security requirement. Successful implementation of the corresponding CMMC security
+|'''SECURITY REQUIREMENT'''
+Protect and monitor the physical facility and support infrastructure for organizational systems.
-requirement requires meeting all applicable assessment objectives defined in NIST SP
+|-
+|'''ASSESSMENT OBJECTIVES'''
-–171A or NIST SP 800-172A.
+: [a] the physical facility where organizational systems reside is protected;
+: [b] the support infrastructure for organizational systems is protected;
-•
+: [c] the physical facility where organizational systems reside is monitored; and
+: [d] the support infrastructure for organizational systems is monitored.
+|-
+|[[Practice_PE.L2-3.10.2_Details|More Practice Details...]]
+|}
-  '''Asset:''' An item of value to stakeholders. An asset may be tangible (e.g., a physical item
+=== PE.L2-3.10.3 – Escort Visitors [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Escort visitors and monitor visitor activity.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] visitors are escorted; and
+: [b] visitor activity is monitored.
+|-
+|[[Practice_PE.L2-3.10.3_Details|More Practice Details...]]
+|}
-such as hardware, firmware, computing platform, network device, or other technology
+=== PE.L2-3.10.4 – Physical Access Logs [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Maintain audit logs of physical access.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] audit logs of physical access are maintained.
+|-
+|[[Practice_PE.L2-3.10.4_Details|More Practice Details...]]
+|}
-component) or intangible (e.g., humans, data, information, software, capability, function,
+=== PE.L2-3.10.5 – Manage Physical Access [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control and manage physical access devices.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] physical access devices are identified;
+: [b] physical access devices are controlled; and
+: [c] physical access devices are managed.
+|-
+|[[Practice_PE.L2-3.10.5_Details|More Practice Details...]]
+|}
-service, trademark, copyright, patent, intellectual property, image, or reputation). The
+=== PE.L2-3.10.6 – Alternative Work Sites ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Enforce safeguarding measures for CUI at alternate work sites.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] safeguarding measures for CUI are defined for alternate work sites; and
+: [b] safeguarding measures for CUI are enforced for alternate work sites.
+|-
+|[[Practice_PE.L2-3.10.6_Details|More Practice Details...]]
+|}
-value of an asset is determined by stakeholders in consideration of loss concerns across
+== Risk Assessment (RA) ==
+=== RA.L2-3.11.1 – Risk Assessments ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
+: [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
+|-
+|[[Practice_RA.L2-3.11.1_Details|More Practice Details...]]
+|}
-the entire system life cycle. Such concerns include but are not limited to business or
+=== RA.L2-3.11.2 – Vulnerability Scan ===
+{|class="wikitable"
-mission concerns, as defined in NIST SP 800-160 Rev 1.
+|'''SECURITY REQUIREMENT'''
+Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
-•
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
+: [b] vulnerability scans are performed on organizational systems with the defined frequency;
+: [c] vulnerability scans are performed on applications with the defined frequency;
+: [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
+: [e] vulnerability scans are performed on applications when new vulnerabilities are
+identified.
+|-
+|[[Practice_RA.L2-3.11.2_Details|More Practice Details...]]
+|}
-  '''CMMC Assessment Scope: '''As defined in 32 CFR § 170.4 means the set of all assets in the
+=== RA.L2-3.11.3 – Vulnerability Remediation ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Remediate vulnerabilities in accordance with risk assessments.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] vulnerabilities are identified; and
+: [b] vulnerabilities are remediated in accordance with risk assessments.
+|-
+|[[Practice_RA.L2-3.11.3_Details|More Practice Details...]]
+|}
-OSA’s environment that will be assessed against CMMC security requirements.
+== Security Assessment (CA) ==
+=== CA.L2-3.12.1 – Security Control Assessment ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the frequency of security control assessments is defined; and
+: [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
+|-
+|[[Practice_CA.L2-3.12.1_Details|More Practice Details...]]
+|}
-•
+=== CA.L2-3.12.2 – Operational Plan of Action ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
+: [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
+: [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
+|-
+|[[Practice_CA.L2-3.12.2_Details|More Practice Details...]]
+|}
-  '''CMMC Status: '''As defined in 32 CFR § 170.4 is the result of meeting or exceeding the
+=== CA.L2-3.12.3 – Security Control Monitoring ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
+|-
+|[[Practice_CA.L2-3.12.3_Details|More Practice Details...]]
+|}
-minimum required score for the corresponding assessment. The CMMC Status of an OSA
+=== CA.L2-3.12.4 – System Security Plan ====
+{|class="wikitable"
-information system is officially stored in SPRS and additionally issued on a Certificate of
+|'''SECURITY REQUIREMENT'''
+Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
-CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a system security plan is developed;
+: [b] the system boundary is described and documented in the system security plan;
+: [c] the system environment of operation is described and documented in the system security plan;
+: [d] the security requirements identified and approved by the designated authority as non-applicable are identified;
+: [e] the method of security requirement implementation is described and documented in the system security plan;
+: [f] the relationship with or connection to other systems is described and documented in the system security plan;
+: [g] the frequency to update the system security plan is defined; and
+: [h] system security plan is updated with the defined frequency.
+|-
+|[[Practice_CA.L2-3.12.4_Details|More Practice Details...]]
+|}
+== System and Communications Protection (SC) ==
+=== SC.L2-3.13.1 – Boundary Protection [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the external system boundary is defined;
+: [b] key internal system boundaries are defined;
+: [c] communications are monitored at the external system boundary;
+: [d] communications are monitored at key internal boundaries;
+: [e] communications are controlled at the external system boundary;
+: [f] communications are controlled at key internal boundaries;
+: [g] communications are protected at the external system boundary; and
+: [h] communications are protected at key internal boundaries.
+|-
+|[[Practice_SC.L2-3.13.1_Details|More Practice Details...]]
+|}
+=== SC.L2-3.13.2 – Security Engineering ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] architectural designs that promote effective information security are identified;
+: [b] software development techniques that promote effective information security are identified;
+: [c] systems engineering principles that promote effective information security are identified;
+: [d] identified architectural designs that promote effective information security are employed;
+: [e] identified software development techniques that promote effective information security are employed; and
+: [f] identified systems engineering principles that promote effective information security are employed.
+|-
+|[[Practice_SC.L2-3.13.2_Details|More Practice Details...]]
+|}
+=== SC.L2-3.13.3 – Role Separation ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Separate user functionality from system management functionality.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] user functionality is identified;
+: [b] system management functionality is identified; and
+: [c] user functionality is separated from system management functionality.
+|-
+|[[Practice_SC.L2-3.13.3_Details|More Practice Details...]]
+|}
+=== SC.L2-3.13.4 – Shared Resource Control ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Prevent unauthorized and unintended information transfer via shared system resources.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] unauthorized and unintended information transfer via shared system resources is
+prevented.
+|-
+|[[Practice_SC.L2-3.13.4_Details|More Practice Details...]]
+|}
+===  SC.L2-3.13.5 – Public-Access System Separation [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] publicly accessible system components are identified; and
+: [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
+|-
+|[[Practice_SC.L2-3.13.5_Details|More Practice Details...]]
+|}
+=== SC.L2-3.13.6 – Network Communication by Exception ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] network communications traffic is denied by default; and
+: [b] network communications traffic is allowed by exception.
+|-
+|[[Practice_SC.L2-3.13.6_Details|More Practice Details...]]
+|}
+=== SC.L2-3.13.7 – Split Tunneling ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
+|-
+|[[Practice_SC.L2-3.13.7_Details|More Practice Details...]]
+|}
+=== SC.L2-3.13.8 – Data in Transit ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
+: [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
+: [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
+|-
+|[[Practice_SC.L2-3.13.8_Details|More Practice Details...]]
+|}
-''' '''
+=== SC.L2-3.13.9 – Connections Termination ===
+{|class="wikitable"
-CMMC-Custom Terms
+|'''SECURITY REQUIREMENT'''
+Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
-CMMC Assessment Guide – Level 2 | Version 2.13
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] a period of inactivity to terminate network connections associated with communications sessions is defined;
+: [b] network connections associated with communications sessions are terminated at the end of the sessions; and
+: [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
+|-
+|[[Practice_SC.L2-3.13.9_Details|More Practice Details...]]
+|}
-o  ''Conditional Level 2 (Self) ''is defined in § 170.16(a)(1)(ii). The OSA has conducted
+=== SC.L2-3.13.10 – Key Management ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Establish and manage cryptographic keys for cryptography employed in organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] cryptographic keys are established whenever cryptography is employed; and
+: [b] cryptographic keys are managed whenever cryptography is employed.
+|-
+|[[Practice_SC.L2-3.13.10_Details|More Practice Details...]]
+|}
-a Level 2 self-assessment, submitted compliance results in the Supplier
+=== SC.L2-3.13.11 – CUI Encryption ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
+|-
+|[[Practice_SC.L2-3.13.11_Details|More Practice Details...]]
+|}
-Performance Risk System (SPRS), and created a CMMC POA&amp;M that meets all
+=== SC.L2-3.13.12 – Collaborative Device Control ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] collaborative computing devices are identified;
+: [b] collaborative computing devices provide indication to users of devices in use; and
+: [c] remote activation of collaborative computing devices is prohibited.
+|-
+|[[Practice_SC.L2-3.13.12_Details|More Practice Details...]]
+|}
-CMMC POA&amp;M requirements listed in 32 CFR §170.16(a)(1)(ii).
+=== SC.L2-3.13.13 – Mobile Code ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Control and monitor the use of mobile code.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] use of mobile code is controlled; and
+: [b] use of mobile code is monitored.
+|-
+|[[Practice_SC.L2-3.13.13_Details|More Practice Details...]]
+|}
-o  ''Final Level 2 (Self) ''is defined in § 170.16(a)(1)(iii). The OSA will achieve a CMMC
+=== SC.L2-3.13.14 – Voice over Internet Protocol ===
+{|class="wikitable"
-Status  of  Final Level 2 (Self)  for the information system(s) within the CMMC
+|'''SECURITY REQUIREMENT'''
+Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
-Assessment Scope upon implementation of all security requirements and close
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
+: [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
+|-
+|[[Practice_SC.L2-3.13.14_Details|More Practice Details...]]
+|}
-out of the POA&amp;M, as applicable.
+=== SC.L2-3.13.15 – Communications Authenticity ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Protect the authenticity of communications sessions.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the authenticity of communications sessions is protected.
+|-
+|[[Practice_SC.L2-3.13.15_Details|More Practice Details...]]
+|}
-o  ''Conditional Level 2 (C3PAO) ''is defined in § 170.17(a)(1)(ii). The OSC will achieve
+=== SC.L2-3.13.16 – Data at Rest ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Protect the confidentiality of CUI at rest.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the confidentiality of CUI at rest is protected.
+|-
+|[[Practice_SC.L2-3.13.16_Details|More Practice Details...]]
+|}
-a CMMC Status of Conditional Level 2 (C3PAO) if a POA&amp;M exists upon completion
+== System and Information Integrity (SI) ==
+=== SI.L2-3.14.1 – Flaw Remediation [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Identify, report, and correct information and information system flaws in a timely manner.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the time within which to identify system flaws is specified;
+: [b] system flaws are identified within the specified time frame;
+: [c] the time within which to report system flaws is specified;
+: [d] system flaws are reported within the specified time frame;
+: [e] the time within which to correct system flaws is specified; and
+: [f] system flaws are corrected within the specified time frame.
+|-
+|[[Practice_SI.L2-3.14.1_Details|More Practice Details...]]
+|}
-of the assessment and the POA&amp;M meets all Level 2 POA&amp;M requirements listed
+=== SI.L2-3.14.2 – Malicious Code ProTection [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Provide protection from malicious code at appropriate locations within organizational information systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] designated locations for malicious code protection are identified; and
+: [b] protection from malicious code at designated locations is provided.
+|-
+|[[Practice_SI.L2-3.14.2_Details|More Practice Details...]]
+|}
-in 32 CFR § 170.21(a)(2).
+=== SI.L2-3.14.3 – Security Alerts & Advisories ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Monitor system security alerts and advisories and take action in response.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] response actions to system security alerts and advisories are identified;
+: [b] system security alerts and advisories are monitored; and
+: [c] actions in response to system security alerts and advisories are taken.
+|-
+|[[Practice_SI.L2-3.14.3_Details|More Practice Details...]]
+|}
-o  ''Final Level 2 (C3PAO) ''is defined in § 170.17(a)(1)(iii). The OSC will achieve a
+=== SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data] ===
+{|class="wikitable"
-CMMC Status of Final  Level 2 (C3PAO) for the information systems within the
+|'''SECURITY REQUIREMENT'''
+Update malicious code protection mechanisms when new releases are available.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] malicious code protection mechanisms are updated when new releases are available.
+|-
+|[[Practice_SI.L2-3.14.4_Details|More Practice Details...]]
+|}
-CMMC Assessment Scope upon implementation of all security requirements and
+=== SI.L2-3.14.5 – System & File Scanning [CUI Data] ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the frequency for malicious code scans is defined;
+: [b] malicious code scans are performed with the defined frequency; and
+: [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
+|-
+|[[Practice_SI.L2-3.14.5_Details|More Practice Details...]]
+|}
-as applicable, a POA&amp;M closeout assessment conducted by the C3PAO within 180
+=== SI.L2-3.14.6 – Monitor Communications for Attacks ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] the system is monitored to detect attacks and indicators of potential attacks;
+: [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
+: [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
+|-
+|[[Practice_SI.L2-3.14.6_Details|More Practice Details...]]
+|}
-days. Additional guidance can be found in 32 CFR § 170.21.
+=== SI.L2-3.14.7 – Identify Unauthorized Use ===
+{|class="wikitable"
+|'''SECURITY REQUIREMENT'''
+Identify unauthorized use of organizational systems.
+|-
+|'''ASSESSMENT OBJECTIVES'''
+: [a] authorized use of the system is defined; and
+: [b] unauthorized use of the system is identified.
+|-
+|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
+|}
-•
+== Appendix A – Acronyms and Abbreviations ==
+{| class="wikitable"
-  '''Component:  '''A discrete identifiable information technology ''asset''  that represents a
+|-
+|| AC || Access Control
-building block of a system and may include hardware, software, and firmware[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|2]]. A
+|-
+|| CD-ROM || Compact Disk Read-Only Memory
-''component'' is one type of ''asset''.
+|-
+|| CFR || Code of Federal Regulations
-•
+|-
+|| CMMC || Cybersecurity Maturity Model Certification
-  '''Enduring Exception:''' As defined in 32 CFR § 170.4 means a special circumstance or
+|-
+|| CUI || Controlled Unclassified Information
-system where remediation and full compliance with CMMC security requirements is not
+|-
+|| CVE || Common Vulnerabilities and Exposures
-feasible. Examples include systems required to replicate the configuration of ‘fielded’
+|-
+|| CWE || Common Weakness Enumeration
-systems, medical devices, test equipment, OT, and IoT. No operational plan of action is
+|-
+|| DFARS || Defense Federal Acquisition Regulation Supplement
-required but the circumstance must be documented within a system security plan.
+|-
+|| DMZ || Demilitarized Zone
-Specialized Assets and GFE may be Enduring Exceptions.
+|-
+|| DoD || Department of Defense
-•
+|-
+|| ESP || External Service Provider
-  '''Event: '''Any observable occurrence in a system[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|3]]. As described in NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|4]], the
+|-
+|| FAR || Federal Acquisition Regulation
-terms “information system” and “system” can be used interchangeably. ''Events'' sometimes
+|-
+|| FCI || Federal Contract Information
-provide indication that an ''incident'' is occurring.''' '''
+|-
+|| IT || Information Technology
-•
+|-
+|| NIST || National Institute of Standards and Technology
-  '''Incident:  '''An occurrence that actually or potentially jeopardizes the confidentiality,
+|-
+|| OSA || Organization Seeking Assessment
-integrity, or availability of a system or the information the system processes, stores, or
+|-
+|| PIV || Personal Identity Verification
-transmits or that constitutes a violation or imminent threat of violation of security
+|-
+|| SC || System and Communications Protection
-policies, security procedures, or acceptable use policies.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|5''' ''']]
+|-
+|| SI || System and Information Integrity
-•
+|-
+|| SP || Special Publication
-  '''Information System  (IS):  '''As  defined  in  32  CFR  §  170.4  means a  discrete set of
+|-
+|| SPRS || Supplier Performance Risk System
-information resources organized for the collection, processing, maintenance, use,
+|-
+|| USB || Universal Serial Bus
-sharing, dissemination, or disposition of information. An ''IS'' is one type of ''asset''.''' '''
+|-
+|| UUENCODE || Unix-to-Unix Encode
+|-
+|| VLAN || Virtual Local Area Network
+|}
- NIST SP 800-171 Rev 2, p 59 under system component
- NIST SP 800-53 Rev. 5, p. 402
- NIST SP 800-171A, p. v
- NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)
-''' '''
-CMMC-Custom Terms
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  '''Monitoring:  '''The act of continually  checking, supervising, critically observing, or
-determining the status in order to identify change from the performance level required
-or expected at an ''organization-defined'' frequency and rate.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#14|6''' ''']]
-•
-  '''Operational plan of action: '''As used in security requirement CA.L2-3.12.2, means the
-formal artifact which identifies temporary vulnerabilities and temporary deficiencies in
-implementation of requirements and documents how and when they will be mitigated,
-corrected, or eliminated.  The OSA defines the format (e.g., document, spreadsheet,
-database) and specific content of its operational plan of action. An operational plan of
-action is not the same as a POA&amp;M associated with an assessment.
-•
-  '''Organization-defined: '''As determined by the OSA being assessed except as defined in
-the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or
-rate at which something occurs within a given time period, or it could be associated with
-describing the configuration of an OSA’s solution.
-•
-  '''Periodically: '''Occurring at a regular interval as determined by the OSA that may not
-exceed one year.  As used in many requirements  within CMMC, the interval length is
-''organization-defined'' to provide OSA flexibility, with an interval length of no more than
-one year.''' '''
-•
-  '''Security Protection Data (SPD): '''As defined in 32 CFR § 170.4 means data stored or
-processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed
-environment. SPD is security relevant information and includes, but is not limited to:
-configuration data required to operate an SPA, log files generated by or ingested by an
-SPA, data related to the configuration or vulnerability status of in-scope assets, and
-passwords that grant access to the in-scope environment.
-•
-  '''System Security Plan (SSP): '''As defined in 32 CFR § 170.4 means the formal document
-that provides an overview of the security requirements for an information system or an
-information security program and describes the security controls in place or planned for
-meeting those requirements. The system security plan describes the system components
-that are included within the system, the environment in which the system operates, how
-the security requirements are implemented, and the relationships with or connections to
-other systems, as defined in NIST SP 800-53 Rev 5.
-•
-  '''Temporary deficiency:''' As defined in 32 CFR § 170.4 means a condition where
-remediation of a discovered deficiency is feasible and a known fix is available or is in
-process. The deficiency must be documented in an operational plan of action. A
-temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC
-security requirement but arises after implementation. A temporary deficiency may
-apply during the initial implementation of a security requirement if, during roll-out,
-specific issues with a very limited subset of equipment is discovered that must be
-separately addressed. There is no standard duration for which a temporary deficiency
-may be active. For example, FIPS-validated cryptography that requires a patch and the
-patched version is no longer the validated version may be a temporary deficiency.
- NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55
-''' '''
-Assessment Criteria and Methodology
-CMMC Assessment Guide – Level 2 | Version 2.13
-Assessment Criteria and Methodology <br />
-The ''CMMC Assessment Guide – Level 2'' leverages the assessment procedure described in NIST
-SP 800-171A Section 2.1[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#15|7]]:
-''An assessment procedure consists of an assessment objective and a set of ''
-''potential assessment methods and assessment objects that can be used to ''
-''conduct the assessment.  Each assessment objective includes a determination ''
-''statement related to the requirement that is the subject of the assessment. The ''
-''determination statements are linked to the content of the requirement to ensure ''
-''traceability of the assessment results to the requirements. The application of an ''
-''assessment procedure to a  requirement  produces assessment findings.  These ''
-''findings reflect, or are subsequently used, to help determine if the requirement ''
-''has been satisfied. <br />
-Assessment objects identify the specific items being assessed and can include ''
-''specifications, mechanisms, activities, and individuals. <br />
-''•
-  ''Specifications are the document-based artifacts (e.g., policies, procedures, ''
-''security plans, security requirements, functional specifications, architectural ''
-''designs) associated with a system. ''
-•
-  ''Mechanisms are the specific hardware, software, or firmware safeguards ''
-''employed within a system. ''
-•
-  ''Activities are the protection-related actions supporting a system that involve ''
-''people (e.g., conducting system backup operations, exercising a contingency ''
-''plan, and monitoring network traffic). ''
-•
-  ''Individuals, or groups of individuals, are people applying the specifications, ''
-''mechanisms, or activities described above. ''
-''The assessment methods define the nature and the extent of the assessor’s ''
-''actions. The methods include ''examine'', ''interview'', and ''test''. <br />
-''•
-  ''The  ''examine''  method is the process of reviewing, inspecting, observing, ''
-''studying, or analyzing assessment objects (i.e., specifications, mechanisms, ''
-''activities). The purpose of the ''examine'' method is to facilitate understanding, ''
-''achieve clarification, or obtain evidence. ''
-•
-  ''The ''interview'' method is the process of holding discussions with individuals ''
-''or groups of individuals to facilitate understanding, achieve clarification, or ''
-''obtain evidence. ''
-•
-  ''And finally, the ''test'' method is the process of exercising assessment objects ''
-''(i.e., activities, mechanisms) under specified conditions to compare actual ''
-''with expected behavior. ''
- NIST SP 800-171A, ''Assessing Security Requirements for Controlled Unclassified Information'', June 2018, pp. 4-
-.
-''' '''
-Assessment Criteria and Methodology
-CMMC Assessment Guide – Level 2 | Version 2.13
-''In all three assessment methods, the results are used in making specific ''
-''determinations called for in the determination statements and thereby achieving ''
-''the objectives for the assessment procedure. ''
-Criteria
-Assessment objectives are provided for each requirement and are based on existing criteria
-from NIST SP 800-171A. The criteria are authoritative and provide a basis for the assessment
-of a requirement.
-Methodology
-To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist
-demonstrating that the OSA has fulfilled the objectives of the Level 2 requirements. Because
-different assessment objectives can be met in different ways (e.g., through documentation,
-computer configuration, network configuration, or training), a variety of techniques may be
-used to determine if the OSA meets the Level 2 requirements, including any of the three
-assessment methods from NIST SP 800-171A. <br />
-The  assessor  will follow the guidance in NIST SP  800-171A when determining which
-assessment methods to use:
-''Organizations [Certified Assessors] are not expected to employ ''all'' assessment methods ''
-''and objects contained within the assessment procedures identified in this publication. ''
-''Rather, organizations [Certified Assessors] have the flexibility to determine the level of ''
-''effort needed and the assurance required for an assessment (e.g., which assessment ''
-''methods and assessment objects are deemed to be the most useful in obtaining the ''
-''desired results). This determination is made based on how the organization ''
-''[contractor] can accomplish the assessment objectives in the most cost-effective ''
-''manner and with sufficient confidence to support the determination that the CUI ''
-''requirements have been satisfied.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|8 ]]''
-The primary deliverable of an assessment is a compliance score and accompanying report
-that contains the findings associated with each requirement. For more detailed information
-on assessment methods, see Appendix D of NIST SP 800-171A, incorporated by reference
-per 32 CFR § 170.2.
- NIST SP 800-171A, p. 5.
-''' '''
-Assessment Criteria and Methodology
-CMMC Assessment Guide – Level 2 | Version 2.13
-Who Is Interviewed
-Interviews of applicable staff (possibly at different organizational levels)  may provide
-information to help an assessor determine if security requirements have been implemented,
-as well as if adequate resourcing, training, and planning have occurred for individuals to
-perform the requirements.
-What Is Examined
-Examination includes reviewing, inspecting, observing, studying, or analyzing assessment
-objects. The objects can be documents, mechanisms, or activities. <br />
-For some security  requirements, review of  documentation  may assist assessors  in
-determining if the assessment objectives have been met. Interviews with staff may help
-identify relevant documents. Documents need to be in their final forms; drafts of policies or
-documentation are not eligible to be used as evidence because they are not yet official and
-still subject to change. Common types of documents that may be used as evidence include: <br />
-•
-  policy, process, and procedure documents;
-•
-  training materials;
-•
-  plans and planning documents; and
-•
-  system, network, and data flow diagrams.
-This list of documents is not exhaustive or prescriptive. An OSA may not have these specific
-documents, and other documents may be reviewed. <br />
-In other cases, the security requirement is best self-assessed by observing that safeguards
-are in place by viewing hardware, associated configuration information, or observing staff
-following a process.
-What Is Tested
-Testing is an important part of the self-assessment process. Interviews provide information
-about  what the OSA  staff believe to be true, documentation provides evidence of
-implementing policies and procedures, and testing demonstrates what has or has not been
-done. For example, OSA staff may talk about how users are identified, documentation may
-provide details on how users are identified, but seeing a demonstration of identifying users
-provides evidence that the requirement  is met.  The assessor  will determine which
-requirements or objectives within a requirement need demonstration or testing. Most
-objectives will require testing.
-Assessment Findings
-The assessment of a CMMC requirement results in one of three possible findings: MET, NOT
-MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve a Final Level 2 (Self) or
-''' '''
-Assessment Criteria and Methodology
-CMMC Assessment Guide – Level 2 | Version 2.13
-Final Level 2 (C3PAO) CMMC Status, the OSA will need a finding of MET or NOT APPLICABLE
-on all Level 2 security requirements. <br />
-•
-  '''MET''':  All applicable assessment  objectives for the security requirement are satisfied
-based on evidence. All evidence must be in final form and not draft. Unacceptable forms
-of evidence include working papers, drafts, and unofficial or unapproved policies. For
-each security requirement marked MET, it is best practice to record statements that
-indicate the response conforms to all objectives and document the appropriate evidence
-to support the response.''' '''
-o  Enduring Exceptions when described, along with any mitigations, in the system
-security plan shall be assessed as MET.''' '''
-o  Temporary deficiencies that are appropriately addressed in operational plans of
-action (i.e., include deficiency reviews, milestones, and show progress towards
-the implementation of corrections to reduce or eliminate identified
-vulnerabilities) shall be assessed as MET.''' '''
-•
-  '''NOT MET''': One or more objectives for the security requirement is not satisfied. For each
-security requirement  marked NOT MET, it is best practice to record statements that
-explain why and document the appropriate evidence showing that the OSA does not
-conform fully to all of the objectives. During Level 2 certification assessments, for each
-requirement objective marked NOT MET, the assessor will document why the evidence
-does not conform.
-•
-  '''NOT APPLICABLE (N/A)''': A security requirement and/or objective does not apply at the
-time of the assessment. For each security requirement marked N/A, it is best practice to
-record a statement that explains why the requirement does not apply to the OSA. For
-example, Public-Access System Separation (SC.L2-3.13.5) might be N/A if there are no
-publicly accessible systems within the CMMC Assessment Scope. During an assessment,
-an assessment objective assessed as N/A is equivalent to the same assessment objective
-being assessed as MET. <br />
-If an OSC previously received a favorable adjudication from the DoD CIO indicating that
-a requirement is not applicable or that an alternative security measure is equally
-effective, the DoD CIO adjudication must be included in the system security plan to
-receive consideration during an assessment. Implemented security measures
-adjudicated by the DoD CIO as equally effective are assessed as MET if there have been
-no changes in the environment. <br />
-Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT
-APPLICABLE in order for the overall security requirement to be scored as MET. Assessors
-exercise judgment in determining when sufficient and adequate evidence has been
-presented to make an assessment finding. <br />
-CMMC assessments are conducted and results are captured at the assessment objective
-level. One NOT MET assessment  objective  results in a failure of the entire security
-requirement.
-''' '''
-Assessment Criteria and Methodology
-CMMC Assessment Guide – Level 2 | Version 2.13
-A security requirement can be applicable even when assessment objectives included in
-the security requirement are scored as N/A. The security requirement is NOT MET when
-one or more applicable assessment objectives is NOT MET. <br />
-Satisfaction of security requirements may be accomplished by other parts of the
-enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security
-requirement is considered MET if adequate evidence is provided that the enterprise or
-External Service Provider (ESP), implements the requirement objectives. An ESP may be
-external people, technology, or facilities that the OSA uses, including cloud service
-providers, managed service providers, managed security service providers, or
-cybersecurity-as-a-service providers.
-''' '''
-Requirement Descriptions
-CMMC Assessment Guide – Level 2 | Version 2.13
-Requirement Descriptions <br />
-Introduction <br />
-This section provides detailed information and guidance for assessing each Level 2 security
-requirement. The section is organized first  by domain and then by individual security
-requirement. Each requirement description contains the following elements as described in
-CFR § 170.14(c): <br />
-•
-  '''Requirement Number, Name, and Statement: '''Headed by the requirement identification
-number in the format, DD.L#-REQ (e.g., AC.L2-3.1.1); followed by the requirement short
-name identifier, meant to be used for quick reference only; and finally followed by the
-complete CMMC security requirement statement.
-•
-  '''Assessment Objectives [NIST SP 800-171A]: '''Identifies the specific set of objectives that
-must be met to receive MET for the requirement as defined in NIST SP 800-171A.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|9]]
-•
-  '''Potential Assessment Methods and Objects [NIST SP 800-171A]: '''Describes the nature
-and the extent of the assessment actions as set forth in NIST SP 800-171A. The methods
-include ''examine'', ''interview'', and ''test''. Assessment objects identify the items being assessed
-and can include specifications, mechanisms, activities, and individuals.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|10 ]]
-•
-  '''Discussion [NIST SP 800-171 Rev. 2]: '''Contains discussion from the associated NIST SP
--171 security requirement.
-•
-  '''Further Discussion: '''
-o  Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional
-guidance.
-o  Contains examples illustrating application of the requirements. These examples are
-intended to provide insight but are not prescriptive of how the requirement must
-be implemented, nor are they comprehensive of all assessment objectives
-necessary to achieve the requirement. The assessment objectives met within the
-example are referenced by letter in a bracket (e.g., [a, d] for objectives “a” and “d”)
-within the text.
-o  Examples are written from the perspective of an organization or an employee of an
-organization implementing solutions or researching approaches to satisfy CMMC
-requirements. The objective is to put the reader into the role of implementing or
-maintaining  alternatives to satisfy security requirements.  Examples are not all-
-inclusive or prescriptive  and do not imply any personal responsibility for
-complying with CMMC requirements.
-o  Provides potential assessment considerations. These may include common
-considerations for assessing the requirement and potential questions that may be
-asked when assessing the objectives.
- NIST SP 800-171A, p. 4.
- NIST SP 800-171A, pp. 4-5.
-''' '''
-Requirement Descriptions
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  '''Key References: '''Lists the basic safeguarding requirement from NIST SP 800-171 Rev. 2.
-''' '''
-AC.L2-3.1.1 – Authorized Access Control [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-== Access Control (AC) ==
-=== Level 2 AC Practices ===
-==== AC.L2-3.1.3 – CONTROL CUI FLOW ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control the flow of CUI in accordance with approved authorizations.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] information flow control policies are defined;
-: [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
-: [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
-: [d] authorizations for controlling the flow of CUI are defined; and
-: [e] approved authorizations for controlling the flow of CUI are enforced.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.4 – SEPARATION OF DUTIES ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the duties of individuals requiring separation are defined;
-: [b] responsibilities for duties that require separation are assigned to separate individuals; and
-: [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.4_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.5 – LEAST PRIVILEGE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Employ the principle of least privilege, including for specific security functions and privileged accounts.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] privileged accounts are identified;
-: [b] access to privileged accounts is authorized in accordance with the principle of least privilege;
-: [c] security functions are identified; and
-: [d] access to security functions is authorized in accordance with the principle of least privilege.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_AC.L2-3.1.5_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Use non-privileged accounts or roles when accessing nonsecurity functions.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] nonsecurity functions are identified; and
-: [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.6_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.7 – PRIVILEGED FUNCTIONS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] privileged functions are defined;
-: [b] non-privileged users are defined;
-: [c] non-privileged users are prevented from executing privileged functions; and
-: [d] the execution of privileged functions is captured in audit logs.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.7_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Limit unsuccessful logon attempts.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the means of limiting unsuccessful logon attempts is defined; and
-: [b] the defined means of limiting unsuccessful logon attempts is implemented.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.8_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Provide privacy and security notices consistent with applicable CUI rules.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
-: [b] privacy and security notices are displayed.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.9_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.10 – SESSION LOCK ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the period of inactivity after which the system initiates a session lock is defined;
-: [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
-: [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.10_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.11 – SESSION TERMINATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Terminate (automatically) a user session after a defined condition.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] conditions requiring a user session to terminate are defined; and
-: [b] a user session is automatically terminated after any of the defined conditions
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.11_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.12 – CONTROL REMOTE ACCESS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Monitor and control remote access sessions.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] remote access sessions are permitted;
-: [b] the types of permitted remote access are identified;
-: [c] remote access sessions are controlled; and
-: [d] remote access sessions are monitored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L2-3.1.12_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
-: [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L2-3.1.13_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.14 – REMOTE ACCESS ROUTING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Route remote access via managed access control points.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] managed access control points are identified and implemented; and
-: [b] remote access is routed through managed network access control points.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.14_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Authorize remote execution of privileged commands and remote access to security-relevant information.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] privileged commands authorized for remote execution are identified;
-: [b] security-relevant information authorized to be accessed remotely is identified;
-: [c] the execution of the identified privileged commands via remote access is authorized; and
-: [d] access to the identified security-relevant information via remote access is authorized.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.15_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Authorize wireless access prior to allowing such connections.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] wireless access points are identified; and
-: [b] wireless access is authorized prior to allowing such connections.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L2-3.1.16_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect wireless access using authentication and encryption.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] wireless access to the system is protected using authentication; and
-: [b] wireless access to the system is protected using encryption.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L2-3.1.17_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.18 – MOBILE DEVICE CONNECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control connection of mobile devices.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] mobile devices that process, store, or transmit CUI are identified;
-: [b] mobile device connections are authorized; and
-: [c] mobile device connections are monitored and logged.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AC.L2-3.1.18_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Encrypt CUI on mobile devices and mobile computing platforms.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
-: [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_AC.L2-3.1.19_Details|More Practice Details...]]
-|}
-==== AC.L2-3.1.21 – PORTABLE STORAGE USE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Limit use of portable storage devices on external systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the use of portable storage devices containing CUI on external systems is identified and documented;
-: [b] limits on the use of portable storage devices containing CUI on external systems are defined; and
-: [c] the use of portable storage devices containing CUI on external systems is limited as defined.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AC.L2-3.1.21_Details|More Practice Details...]]
-|}
-== Awareness and Training (AT) ==
-=== Level 2 AT Practices ===
-==== AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] security risks associated with organizational activities involving CUI are identified;
-: [b] policies, standards, and procedures related to the security of the system are identified;
-: [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
-: [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AT.L2-3.2.1_Details|More Practice Details...]]
-|}
-==== AT.L2-3.2.2 – ROLE-BASED TRAINING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] information security-related duties, roles, and responsibilities are defined;
-: [b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
-: [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AT.L2-3.2.2_Details|More Practice Details...]]
-|}
-==== AT.L2-3.2.3 – INSIDER THREAT AWARENESS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Provide security awareness training on recognizing and reporting potential indicators of insider threat.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] potential indicators associated with insider threats are identified; and
-: [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AT.L2-3.2.3_Details|More Practice Details...]]
-|}
-== Audit and Accountability (AU) ==
-=== Level 2 AU Practices ===
-==== AU.L2-3.3.1 – SYSTEM AUDITING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
-: [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
-: [c] audit records are created (generated);
-: [d] audit records, once created, contain the defined content;
-: [e] retention requirements for audit records are defined; and
-: [f] audit records are retained as defined.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AU.L2-3.3.1_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.2 – USER ACCOUNTABILITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
-: [b] audit records, once created, contain the defined content.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_AU.L2-3.3.2_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.3 – EVENT REVIEW ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Review and update logged events.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a process for determining when to review logged events is defined;
-: [b] event types being logged are reviewed in accordance with the defined review process; and
-: [c] event types being logged are updated based on the review.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AU.L2-3.3.3_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.4 – AUDIT FAILURE ALERTING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Alert in the event of an audit logging process failure.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
-: [b] types of audit logging process failures for which alert will be generated are defined; and
-: [c] identified personnel or roles are alerted in the event of an audit logging process failure.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AU.L2-3.3.4_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.5 – AUDIT CORRELATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
-: [b] defined audit record review, analysis, and reporting processes are correlated.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_AU.L2-3.3.5_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.6 – REDUCTION & REPORTING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Provide audit record reduction and report generation to support on-demand analysis and reporting.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] an audit record reduction capability that supports on-demand analysis is provided; and
-: [b] a report generation capability that supports on-demand reporting is provided.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AU.L2-3.3.6_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] internal system clocks are used to generate time stamps for audit records;
-: [b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
-: [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AU.L2-3.3.7_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.8 – AUDIT PROTECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] audit information is protected from unauthorized access;
-: [b] audit information is protected from unauthorized modification;
-: [c] audit information is protected from unauthorized deletion;
-: [d] audit logging tools are protected from unauthorized access;
-: [e] audit logging tools are protected from unauthorized modification; and
-: [f] audit logging tools are protected from unauthorized deletion.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AU.L2-3.3.8_Details|More Practice Details...]]
-|}
-==== AU.L2-3.3.9 – AUDIT MANAGEMENT ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Limit management of audit logging functionality to a subset of privileged users.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a subset of privileged users granted access to manage audit logging functionality is defined; and
-: [b] management of audit logging functionality is limited to the defined subset of privileged users.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_AU.L2-3.3.9_Details|More Practice Details...]]
-|}
-== Configuration Management (CM) ==
-=== Level 2 CM Practices ===
-==== CM.L2-3.4.1 – SYSTEM BASELINING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a baseline configuration is established;
-: [b] the baseline configuration includes hardware, software, firmware, and documentation;
-: [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
-: [d] a system inventory is established;
-: [e] the system inventory includes hardware, software, firmware, and documentation; and
-: [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CM.L2-3.4.1_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Establish and enforce security configuration settings for information technology products employed in organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
-: [b] security configuration settings for information technology products employed in the system are enforced.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CM.L2-3.4.2_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Track, review, approve or disapprove, and log changes to organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] changes to the system are tracked;
-: [b] changes to the system are reviewed;
-: [c] changes to the system are approved or disapproved; and
-: [d] changes to the system are logged.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_CM.L2-3.4.3_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Analyze the security impact of changes prior to implementation.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the security impact of changes to the system is analyzed prior to implementation.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_CM.L2-3.4.4_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] physical access restrictions associated with changes to the system are defined;
-: [b] physical access restrictions associated with changes to the system are documented;
-: [c] physical access restrictions associated with changes to the system are approved;
-: [d] physical access restrictions associated with changes to the system are enforced;
-: [e] logical access restrictions associated with changes to the system are defined;
-: [f] logical access restrictions associated with changes to the system are documented;
-: [g] logical access restrictions associated with changes to the system are approved; and
-: [h] logical access restrictions associated with changes to the system are enforced.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CM.L2-3.4.5_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.6 – LEAST FUNCTIONALITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] essential system capabilities are defined based on the principle of least functionality; and
-: [b] the system is configured to provide only the defined essential capabilities.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CM.L2-3.4.6_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] essential programs are defined;
-: [b] the use of nonessential programs is defined;
-: [c] the use of nonessential programs is restricted, disabled, or prevented as defined;
-: [d] essential functions are defined;
-: [e] the use of nonessential functions is defined;
-: [f] the use of nonessential functions is restricted, disabled, or prevented as defined;
-: [g] essential ports are defined;
-: [h] the use of nonessential ports is defined;
-: [i] the use of nonessential ports is restricted, disabled, or prevented as defined;
-: [j] essential protocols are defined;
-: [k] the use of nonessential protocols is defined;
-: [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
-: [m] essential services are defined;
-: [n] the use of nonessential services is defined; and
-: [o] the use of nonessential services is restricted, disabled, or prevented as defined.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CM.L2-3.4.7_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.8 – APPLICATION EXECUTION POLICY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
-: [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
-: [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CM.L2-3.4.8_Details|More Practice Details...]]
-|}
-==== CM.L2-3.4.9 – USER-INSTALLED SOFTWARE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control and monitor user-installed software.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a policy for controlling the installation of software by users is established;
-: [b] installation of software by users is controlled based on the established policy; and
-: [c] installation of software by users is monitored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_CM.L2-3.4.9_Details|More Practice Details...]]
-|}
-== Identification and Authentication (IA) ==
-=== Level 2 IA Practices ===
-==== IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] privileged accounts are identified;
-: [b] multifactor authentication is implemented for local access to privileged accounts;
-: [c] multifactor authentication is implemented for network access to privileged accounts; and
-: [d] multifactor authentication is implemented for network access to non-privileged accounts.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_IA.L2-3.5.3_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.4_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.5 – IDENTIFIER REUSE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prevent reuse of identifiers for a defined period.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a period within which identifiers cannot be reused is defined; and
-: [b] reuse of identifiers is prevented within the defined period.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.5_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.6 – IDENTIFIER HANDLING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Disable identifiers after a defined period of inactivity.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a period of inactivity after which an identifier is disabled is defined; and
-: [b] identifiers are disabled after the defined period of inactivity.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.6_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.7 – PASSWORD COMPLEXITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Enforce a minimum password complexity and change of characters when new passwords are created.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] password complexity requirements are defined;
-: [b] password change of character requirements are defined;
-: [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
-: [d] minimum password change of character requirements as defined are enforced when new passwords are created.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.7_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.8 – PASSWORD REUSE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prohibit password reuse for a specified number of generations.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.8_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.9 – TEMPORARY PASSWORDS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Allow temporary password use for system logons with an immediate change to a permanent password.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.9_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Store and transmit only cryptographically-protected passwords.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] passwords are cryptographically protected in storage; and
-: [b] passwords are cryptographically protected in transit.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_IA.L2-3.5.10_Details|More Practice Details...]]
-|}
-==== IA.L2-3.5.11 – OBSCURE FEEDBACK ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Obscure feedback of authentication information.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] authentication information is obscured during the authentication process.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IA.L2-3.5.11_Details|More Practice Details...]]
-|}
-== Incident Response (IR) ==
-=== Level 2 IR Practices ===
-==== IR.L2-3.6.1 – INCIDENT HANDLING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] an operational incident-handling capability is established;
-: [b] the operational incident-handling capability includes preparation;
-: [c] the operational incident-handling capability includes detection;
-: [d] the operational incident-handling capability includes analysis;
-: [e] the operational incident-handling capability includes containment;
-: [f] the operational incident-handling capability includes recovery; and
-: [g] the operational incident-handling capability includes user response
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_IR.L2-3.6.1_Details|More Practice Details...]]
-|}
-==== IR.L2-3.6.2 – INCIDENT REPORTING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] incidents are tracked;
-: [b] incidents are documented;
-: [c] authorities to whom incidents are to be reported are identified;
-: [d] organizational officials to whom incidents are to be reported are identified;
-: [e] identified authorities are notified of incidents; and
-: [f] identified organizational officials are notified of incidents.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_IR.L2-3.6.2_Details|More Practice Details...]]
-|}
-==== IR.L2-3.6.3 – INCIDENT RESPONSE TESTING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Test the organizational incident response capability.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the incident response capability is tested.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_IR.L2-3.6.3_Details|More Practice Details...]]
-|}
-== Maintenance (MA) ==
-=== Level 2 MA Practices ===
-==== MA.L2-3.7.1 – PERFORM MAINTENANCE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Perform maintenance on organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] system maintenance is performed.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_MA.L2-3.7.1_Details|More Practice Details...]]
-|}
-==== MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] tools used to conduct system maintenance are controlled;
-: [b] techniques used to conduct system maintenance are controlled;
-: [c] mechanisms used to conduct system maintenance are controlled; and
-: [d] personnel used to conduct system maintenance are controlled.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_MA.L2-3.7.2_Details|More Practice Details...]]
-|}
-==== MA.L2-3.7.3 – EQUIPMENT SANITIZATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Ensure equipment removed for off-site maintenance is sanitized of any CUI.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MA.L2-3.7.3_Details|More Practice Details...]]
-|}
-==== MA.L2-3.7.4 – MEDIA INSPECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_MA.L2-3.7.4_Details|More Practice Details...]]
-|}
-==== MA.L2-3.7.5 – NONLOCAL MAINTENANCE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
-: [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MA.L2-3.7.5_Details|More Practice Details...]]
-|}
-==== MA.L2-3.7.6 – MAINTENANCE PERSONNEL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Supervise the maintenance activities of maintenance personnel without required access authorization.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] maintenance personnel without required access authorization are supervised during maintenance activities.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MA.L2-3.7.6_Details|More Practice Details...]]
-|}
-== Media Protection (MP) ==
-=== Level 2 MP Practices ===
-==== MP.L2-3.8.1 – MEDIA PROTECTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] paper media containing CUI is physically controlled;
-: [b] digital media containing CUI is physically controlled;
-: [c] paper media containing CUI is securely stored; and
-: [d] digital media containing CUI is securely stored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_MP.L2-3.8.1_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.2 – MEDIA ACCESS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Limit access to CUI on system media to authorized users.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] access to CUI on system media is limited to authorized users.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_MP.L2-3.8.2_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.4 – MEDIA MARKINGS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Mark media with necessary CUI markings and distribution limitations.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] media containing CUI is marked with applicable CUI markings; and
-: [b] media containing CUI is marked with distribution limitations.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MP.L2-3.8.4_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.5 – MEDIA ACCOUNTABILITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] access to media containing CUI is controlled; and
-: [b] accountability for media containing CUI is maintained during transport outside of controlled areas.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MP.L2-3.8.5_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MP.L2-3.8.6_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.7 – REMOVEABLE MEDIA ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control the use of removable media on system components.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the use of removable media on system components is controlled.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_MP.L2-3.8.7_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.8 – SHARED MEDIA ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES'''
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_MP.L2-3.8.8_Details|More Practice Details...]]
-|}
-==== MP.L2-3.8.9 – PROTECT BACKUPS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect the confidentiality of backup CUI at storage locations.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the confidentiality of backup CUI is protected at storage locations.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_MP.L2-3.8.9_Details|More Practice Details...]]
-|}
-== Personnel Security (PS) ==
-=== Level 2 PS Practices ===
-==== PS.L2-3.9.1 – SCREEN INDIVIDUALS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Screen individuals prior to authorizing access to organizational systems containing CUI.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] individuals are screened prior to authorizing access to organizational systems containing CUI.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_PS.L2-3.9.1_Details|More Practice Details...]]
-|}
-==== PS.L2-3.9.2 – PERSONNEL ACTIONS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
-: [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
-: [c] the system is protected during and after personnel transfer actions.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_PS.L2-3.9.2_Details|More Practice Details...]]
-|}
-== Physical Protection (PE) ==
-=== Level 2 PE Practices ===
-==== PE.L2-3.10.2 – MONITOR FACILITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect and monitor the physical facility and support infrastructure for organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the physical facility where organizational systems reside is protected;
-: [b] the support infrastructure for organizational systems is protected;
-: [c] the physical facility where organizational systems reside is monitored; and
-: [d] the support infrastructure for organizational systems is monitored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_PE.L2-3.10.2_Details|More Practice Details...]]
-|}
-==== PE.L2-3.10.6 – ALTERNATIVE WORK SITES ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Enforce safeguarding measures for CUI at alternate work sites.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] safeguarding measures for CUI are defined for alternate work sites; and
-: [b] safeguarding measures for CUI are enforced for alternate work sites.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_PE.L2-3.10.6_Details|More Practice Details...]]
-|}
-== Risk Assessment (RA) ==
-=== Level 2 RA Practices ===
-==== RA.L2-3.11.1 – RISK ASSESSMENTS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
-: [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_RA.L2-3.11.1_Details|More Practice Details...]]
-|}
-==== RA.L2-3.11.2 – VULNERABILITY SCAN ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
-: [b] vulnerability scans are performed on organizational systems with the defined frequency;
-: [c] vulnerability scans are performed on applications with the defined frequency;
-: [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
-: [e] vulnerability scans are performed on applications when new vulnerabilities are
-identified.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_RA.L2-3.11.2_Details|More Practice Details...]]
-|}
-==== RA.L2-3.11.3 – VULNERABILITY REMEDIATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Remediate vulnerabilities in accordance with risk assessments.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] vulnerabilities are identified; and
-: [b] vulnerabilities are remediated in accordance with risk assessments.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_RA.L2-3.11.3_Details|More Practice Details...]]
-|}
-== Security Assessment (CA) ==
-=== Level 2 CA Practices ===
-==== CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the frequency of security control assessments is defined; and
-: [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CA.L2-3.12.1_Details|More Practice Details...]]
-|}
-==== CA.L2-3.12.2 – PLAN OF ACTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
-: [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
-: [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_CA.L2-3.12.2_Details|More Practice Details...]]
-|}
-==== CA.L2-3.12.3 – SECURITY CONTROL MONITORING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_CA.L2-3.12.3_Details|More Practice Details...]]
-|}
-==== CA.L2-3.12.4 – SYSTEM SECURITY PLAN ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a system security plan is developed;
-: [b] the system boundary is described and documented in the system security plan;
-: [c] the system environment of operation is described and documented in the system security plan;
-: [d] the security requirements identified and approved by the designated authority as non-applicable are identified;
-: [e] the method of security requirement implementation is described and documented in the system security plan;
-: [f] the relationship with or connection to other systems is described and documented in the system security plan;
-: [g] the frequency to update the system security plan is defined; and
-: [h] system security plan is updated with the defined frequency.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''NA'''
-|-
-|[[Practice_CA.L2-3.12.4_Details|More Practice Details...]]
-|}
-== System and Communications Protection (SC) ==
-=== Level 2 SC Practices ===
-==== SC.L2-3.13.2 – SECURITY ENGINEERING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] architectural designs that promote effective information security are identified;
-: [b] software development techniques that promote effective information security are identified;
-: [c] systems engineering principles that promote effective information security are identified;
-: [d] identified architectural designs that promote effective information security are employed;
-: [e] identified software development techniques that promote effective information security are employed; and
-: [f] identified systems engineering principles that promote effective information security are employed.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SC.L2-3.13.2_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.3 – ROLE SEPARATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Separate user functionality from system management functionality.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] user functionality is identified;
-: [b] system management functionality is identified; and
-: [c] user functionality is separated from system management functionality.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.3_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.4 – SHARED RESOURCE CONTROL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prevent unauthorized and unintended information transfer via shared system resources.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] unauthorized and unintended information transfer via shared system resources is
-prevented.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.4_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] network communications traffic is denied by default; and
-: [b] network communications traffic is allowed by exception.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SC.L2-3.13.6_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.7 – SPLIT TUNNELING ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.7_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.8 – DATA IN TRANSIT ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
-: [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
-: [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_SC.L2-3.13.8_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.9 – CONNECTIONS TERMINATION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] a period of inactivity to terminate network connections associated with communications sessions is defined;
-: [b] network connections associated with communications sessions are terminated at the end of the sessions; and
-: [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.9_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.10 – KEY MANAGEMENT ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Establish and manage cryptographic keys for cryptography employed in organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] cryptographic keys are established whenever cryptography is employed; and
-: [b] cryptographic keys are managed whenever cryptography is employed.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.10_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.11 – CUI ENCRYPTION ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3 to 5'''
-|-
-|[[Practice_SC.L2-3.13.11_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] collaborative computing devices are identified;
-: [b] collaborative computing devices provide indication to users of devices in use; and
-: [c] remote activation of collaborative computing devices is prohibited.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.12_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.13 – MOBILE CODE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control and monitor the use of mobile code.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] use of mobile code is controlled; and
-: [b] use of mobile code is monitored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.13_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
-: [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.14_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect the authenticity of communications sessions.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the authenticity of communications sessions is protected.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SC.L2-3.13.15_Details|More Practice Details...]]
-|}
-==== SC.L2-3.13.16 – DATA AT REST ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Protect the confidentiality of CUI at rest.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the confidentiality of CUI at rest is protected.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
-|-
-|[[Practice_SC.L2-3.13.16_Details|More Practice Details...]]
-|}
-== System and Information Integrity (SI) ==
-=== Level 2 SI Practices ===
-==== SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Monitor system security alerts and advisories and take action in response.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] response actions to system security alerts and advisories are identified;
-: [b] system security alerts and advisories are monitored; and
-: [c] actions in response to system security alerts and advisories are taken.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SI.L2-3.14.3_Details|More Practice Details...]]
-|}
-==== SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] the system is monitored to detect attacks and indicators of potential attacks;
-: [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
-: [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
-|-
-|[[Practice_SI.L2-3.14.6_Details|More Practice Details...]]
-|}
-==== SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE ====
-{|class="wikitable"
-|'''SECURITY REQUIREMENT'''
-Identify unauthorized use of organizational systems.
-|-
-|'''ASSESSMENT OBJECTIVES'''
-: [a] authorized use of the system is defined; and
-: [b] unauthorized use of the system is identified.
-|-
-|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
-|-
-|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
-|}
-Access Control (AC) <br />
-'''AC.L2-3.1.1 – AUTHORIZED ACCESS CONTROL [CUI DATA] '''
-Limit system access to authorized users, processes acting on behalf of authorized users, and
-devices (including other systems).
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|11 ]]'''
-Determine if: <br />
-[a] authorized users are identified; <br />
-[b] processes acting on behalf of authorized users are identified; <br />
-[c]  devices (and other systems) authorized to connect to the system are identified; <br />
-[d] system access is limited to authorized users; <br />
-[e] system access is limited to processes acting on behalf of authorized users; and <br />
-[f]  system access is limited to authorized devices (including other systems).
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|] 11 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing account management; system
-security plan; system design documentation; system configuration settings and associated
-documentation; list of active system accounts and the name of the individual associated with
-each account; notifications or records of recently transferred, separated, or terminated
-employees; list of conditions for group and role membership; list of recently disabled system
-accounts along with the name of the individual associated with each account; access
-authorization records; account management compliance reviews; system monitoring
-records; system audit logs and records; list of devices and systems authorized to connect to
-organizational systems; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with account management responsibilities; system or network
-administrators; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for managing system accounts; mechanisms for
-implementing account management].
- NIST SP 800-171A, p. 9.
-''' '''
-AC.L2-3.1.1 – Authorized Access Control [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#23|12]] <br />
-'''Access control policies (e.g., identity-  or role-based policies, control matrices, and
-cryptography) control access between active entities or subjects (i.e., users or processes
-acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and
-domains) in systems. Access enforcement mechanisms can be employed at the application
-and service level to provide increased information security. Other systems include systems
-internal and external to the organization. This requirement focuses on account management
-for systems and applications. The definition of and enforcement of access authorizations,
-other than those determined by account type (e.g., privileged verses ''[sic]'' non-privileged) are
-addressed in requirement 3.1.2 (AC.L2-3.1.2).
-'''FURTHER DISCUSSION <br />
-'''Identify users, processes, and devices that are allowed to use company computers and can
-log on to the company network. Automated updates and other automatic processes should
-be associated with the user who initiated (authorized) the process. Limit the devices (e.g.,
-printers)  that can be accessed by company computers.  Set up your system so that only
-authorized users, processes, and devices can access the company network. <br />
-This  requirement, AC.L2-3.1.1, controls system access based on user, process, or device
-identity. AC.L2-3.1.1 leverages IA.L2-3.5.1 which provides a vetted and trusted identity for
-access control.
-'''Example 1 <br />
-'''Your company maintains a list of all personnel authorized to use company information
-systems, including those that store, process, and transmit CUI [a]. This list is used to support
-identification and authentication activities conducted by IT when authorizing access to
-systems [a,d].
-'''Example 2 <br />
-'''A coworker wants to buy a new multi-function printer/scanner/fax device and make it
-available on the company network within the CUI enclave. You explain that the company
-controls system and device access to the network and will prevent network access by
-unauthorized systems and devices [c]. You help the coworker submit a ticket that asks for
-the printer to be granted access to the network, and appropriate leadership approves the
-device [f].
-'''Potential Assessment Considerations <br />
-'''•
-  Is a list of authorized users maintained that defines their identities and roles [a]?
-•
-  Are account requests authorized before system access is granted [d,e,f]?
- NIST SP 800-171 Rev. 2, p. 10.
-''' '''
-AC.L2-3.1.1 – Authorized Access Control [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES <br />
-'''•
-  NIST SP 800-171 Rev. 2 3.1.1
-•
-  FAR Clause 52.204-21 b.1.i
-''' '''
-AC.L2-3.1.2 – Transaction &amp; Function Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.2 – TRANSACTION &amp; FUNCTION CONTROL '''
-Limit system access to the types of transactions and functions that authorized users are
-permitted to execute.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|13 ]]'''
-Determine if: <br />
-[a] the types of transactions and functions that authorized users are permitted to execute
-are defined; and
-[b] system access is limited to the defined types of transactions and functions for
-authorized users.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|]13  ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing access enforcement; system
-security plan; system design documentation; list of approved authorizations including
-remote access authorizations; system audit logs and records; system configuration settings
-and associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with access enforcement responsibilities; system or network
-administrators; personnel with information security responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing access control policy].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|14]] '''
-Organizations may choose to define access privileges or other attributes by account, by type
-of account, or a combination of both. System account types include individual, shared, group,
-system,  anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.
-Other attributes required for authorizing access include restrictions on time-of-day, day-of-
-week, and point-of-origin.  In defining other account attributes, organizations consider
-system-related requirements (e.g., system upgrades scheduled maintenance,) and mission
-or business requirements, (e.g., time zone differences, customer requirements, remote
-access to support travel requirements).
- NIST SP 800-171A, p. 9.
- NIST SP 800-171 Rev. 2, pp. 10-11.
-''' '''
-AC.L2-3.1.2 – Transaction &amp; Function Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Limit users to only the information systems, roles, or applications they are permitted to use
-and are needed for their roles and responsibilities. Limit access to applications and data
-based on the authorized users’ roles and responsibilities. Common types of functions a user
-can be assigned are create, read, update, and delete.
-'''Example <br />
-'''Your team manages DoD contracts for your company. Members of your team need to access
-the contract information to perform their work properly. Because some of that data contains
-CUI, you work with IT to set up your group’s systems so that users can be assigned access
-based on their specific roles [a]. Each role limits whether an employee has read-access or
-create/read/delete/update -access [b]. Implementing this access control restricts access to
-CUI information unless specifically authorized.
-'''Potential Assessment Considerations <br />
-'''•
-  Are access control lists used to limit access to applications and data based on role and/or
-identity [a]?
-•
-  Is access for authorized users restricted to those parts of the system they are explicitly
-permitted to use (e.g., a person who only performs word-processing  cannot access
-developer tools) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.2
-•
-  FAR Clause 52.204-21 b.1.ii
- <br />
- <br />
-''' '''
-AC.L2-3.1.3 – Control CUI Flow
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.3 – CONTROL CUI FLOW '''
-Control the flow of CUI in accordance with approved authorizations.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|15 ]]'''
-Determine if: <br />
-[a] information flow control policies are defined; <br />
-[b] methods and enforcement mechanisms for controlling the flow of CUI are defined; <br />
-[c]  designated sources and destinations (e.g., networks, individuals, and devices) for CUI
-within the system and between interconnected systems are identified;
-[d] authorizations for controlling the flow of CUI are defined; and <br />
-[e] approved authorizations for controlling the flow of CUI are enforced.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|A]15 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; information flow control policies; procedures
-addressing information flow enforcement; system security plan; system design
-documentation; system configuration settings and associated documentation; list of
-information flow authorizations; system baseline configuration; system audit logs and
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing information flow enforcement policy].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|16]] '''
-Information flow control regulates where information can travel within a system and
-between systems (versus who can access the information) and without explicit regard to
-subsequent accesses to that information. Flow control restrictions include the following:
-keeping export-controlled information from being transmitted in the clear to the internet;
-blocking outside traffic that claims to be from within the organization; restricting requests
-to the internet that are not from the internal web proxy server; and limiting information
-transfers between organizations based on data structures and content.
- NIST SP 800-171A, p. 10.
- NIST SP 800-171 Rev. 2, p. 11.
-''' '''
-AC.L2-3.1.3 – Control CUI Flow
-CMMC Assessment Guide – Level 2 | Version 2.13
-Organizations commonly use information flow control policies and enforcement
-mechanisms to control the flow of information between designated sources and destinations
-(e.g., networks, individuals, and devices) within systems and between interconnected
-systems. Flow control is based on characteristics of the information or the information path.
-Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards,
-encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that
-restrict system services, provide a packet-filtering capability based on header information,
-or message-filtering capability based on message content (e.g., implementing key word
-searches or using document characteristics). Organizations also consider the
-trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
-software components) that are critical to information flow enforcement. <br />
-Transferring information between systems representing different security domains with
-different security policies introduces risk that such transfers violate one or more domain
-security policies. <br />
-Organizations consider the shared nature of commercial telecommunications services in the
-implementation of security requirements associated with the use of such services.
-Commercial telecommunications services are commonly based on network components and
-consolidated management systems shared by all attached commercial customers and may
-also include third party-provided access lines and other service elements. Such transmission
-services may represent sources of increased risk despite contract security provisions. NIST
-SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
-guidance on security for virtualization technologies. <br />
-In such situations, information owners or stewards provide guidance at designated policy
-enforcement points between interconnected systems. Organizations consider mandating
-specific architectural solutions when required to enforce specific security policies.
-Enforcement includes: prohibiting information transfers between interconnected systems
-(i.e., allowing access only); employing hardware mechanisms to enforce one-way
-information flows; and implementing trustworthy regrading mechanisms to reassign
-security attributes and security labels.
-'''FURTHER DISCUSSION '''
-Typically, companies will have a firewall between the internal network and the internet.
-Often multiple firewalls or routing switches are used inside a network to create zones to
-separate sensitive data, business units, or user groups. Proxy servers can be used to break
-the connection between multiple networks. All traffic entering or leaving a network is
-intercepted by the proxy, preventing direct access between networks. Companies should
-also ensure by policy and enforcement mechanisms that all CUI allowed to flow across the
-internet is encrypted.
-'''Example 1 <br />
-'''You  configure a proxy device on your company’s network. CUI is stored within this
-environment. Your goal is to better mask and protect the devices inside the network while
-enforcing information flow policies. After the device is configured, information does not flow
-''' '''
-AC.L2-3.1.3 – Control CUI Flow
-CMMC Assessment Guide – Level 2 | Version 2.13
-directly from the internal network to the internet. The proxy device intercepts the traffic and
-analyzes it to determine if the  traffic conforms to organization information flow control
-policies. If it does, the device allows the information to pass to its destination [b]. The proxy
-blocks traffic that does not meet policy requirements [e].
-'''Example 2''' <br />
-As a subcontractor on a DoD contract, your organization sometimes needs to transmit CUI to
-the prime contractor. You create a policy document that specifies who is allowed to transmit
-CUI and that such transmission requires manager approval [a,c,d]. The policy instructs users
-to encrypt any CUI transmitted via email or to use a designated secure file sharing utility
-[b,d]. The policy states that users who do not follow appropriate procedures may be subject
-to disciplinary action [e].
-'''Potential Assessment Considerations <br />
-'''•
-  Are designated sources of regulated data identified within the system (e.g., internal
-network and IP address) and between interconnected systems (e.g., external networks,
-IP addresses, ports, and protocols) [c]?
-•
-  Are designated destinations of regulated data identified within the system (e.g., internal
-network and IP address) and between interconnected systems (external networks and
-IP addresses) [c]?
-•
-  Are authorizations defined for each source and destination within the system and
-between interconnected systems (e.g., allow or deny rules for each combination of source
-and destination) [d]?
-•
-  Are approved authorizations for controlling the flow of regulated data enforced within
-the system and between interconnected systems (e.g., traffic between authorized sources
-and destinations is allowed and traffic between unauthorized sources and destinations
-is denied) [e]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.3
- <br />
-''' '''
-AC.L2-3.1.4 – Separation of Duties
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.4 – SEPARATION OF DUTIES '''
-Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|17 ]]'''
-Determine if: <br />
-[a] the duties of individuals requiring separation are defined; <br />
-[b] responsibilities for duties that require separation are assigned to separate individuals;
-and
-[c]  access privileges that enable individuals to exercise the duties that require separation
-are granted to separate individuals.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|A]17 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing divisions of responsibility and
-separation of duties; system security plan; system configuration settings and associated
-documentation; list of divisions of responsibility and separation of duties; system access
-authorizations; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for defining divisions of responsibility and
-separation of duties; personnel with information security responsibilities; system or
-network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing separation of duties policy].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|18]] '''
-Separation of duties addresses the potential for abuse of authorized privileges and helps to
-reduce the risk of malevolent activity without collusion.  Separation of duties includes
-dividing mission functions and system support functions among different individuals or
-roles; conducting system support functions with different individuals (e.g., configuration
-management, quality assurance and testing, system management, programming, and
-network security); and ensuring that security personnel administering access  control
-functions do not also administer audit functions. Because separation of duty violations can
-span systems and application domains, organizations consider the entirety of organizational
-systems and system components when developing policy on separation of duties.
- NIST SP 800-171A, p. 10.
- NIST SP 800-171 Rev. 2, p. 11.
-''' '''
-AC.L2-3.1.4 – Separation of Duties
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-No one person should be in charge of an entire critical task from beginning to end.
-Documenting and dividing elements of  important duties and tasks between employees
-reduces intentional or unintentional execution of malicious activities.
-'''Example 1 <br />
-'''You are responsible for the management of several key systems within your organization
-including some that process CUI. You assign the task of reviewing the system logs to two
-different people. This way, no one person is solely responsible for the execution of this
-critical security function [c]. <br />
-'''Example 2 <br />
-'''You are a system administrator. Human Resources notifies you of a new hire, and you create
-an account with general privileges, but you are not allowed to grant access to systems that
-contain CUI [a,b]. The program manager contacts the team in your organization that has
-system administration authority over the CUI systems and informs them which CUI the new
-hire will need to access.  Subsequently,  a  second system administrator grants access
-privileges to the new hire [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Does system documentation identify the system functions or processes that require
-separation of duties (e.g., function combinations that represent a conflict of interest or
-an over-allocation of security privilege for one individual) [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.4
-''' '''
-AC.L2-3.1.5 – Least Privilege
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.5 – LEAST PRIVILEGE '''
-Employ the principle of least privilege, including for specific security functions and
-privileged accounts.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#32|19 ]]'''
-Determine if: <br />
-[a] privileged accounts are identified; <br />
-[b] access to privileged accounts is authorized in accordance with the principle of least
-privilege;
-[c]  security functions are identified; and <br />
-[d] access to security functions is authorized in accordance with the principle of least
-privilege.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#32|A]19 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing account management; system
-security plan; system design documentation; system configuration settings and associated
-documentation; list of active system accounts and the name of the individual associated with
-each account; list of conditions for group and role membership; notifications or records of
-recently transferred, separated, or terminated employees; list of recently disabled system
-accounts along with the name of the individual associated with each account; access
-authorization records; account management compliance reviews; system monitoring/audit
-records; procedures addressing least privilege; list of security functions (deployed in
-hardware, software, and firmware) and security-relevant information for which access is to
-be explicitly authorized; list of system-generated privileged accounts; list of system
-administration personnel; other relevant documents or records].''' '''
-'''Interview <br />
-'''[SELECT FROM: Personnel with account management responsibilities; system or network
-administrators; personnel with information security responsibilities; personnel with
-responsibilities for defining least privileges necessary to accomplish specified tasks].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for managing system accounts; mechanisms for
-implementing account management; mechanisms implementing least privilege functions;
-mechanisms prohibiting privileged access to the system].
- NIST SP 800-171A, p. 11.
-''' '''
-AC.L2-3.1.5 – Least Privilege
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#33|20]] <br />
-'''Organizations employ the principle of least privilege for specific duties and authorized
-accesses for users and processes. The principle of least privilege is applied with the goal of
-authorized privileges no higher than necessary to accomplish required organizational
-missions or business functions. Organizations consider the creation of additional processes,
-roles, and system accounts as necessary, to achieve least privilege. Organizations also apply
-least privilege to the development, implementation, and operation of organizational systems.
-Security functions include establishing system accounts, setting events to be logged, setting
-intrusion detection parameters, and configuring access authorizations (i.e., permissions,
-privileges). <br />
-Privileged accounts, including super user accounts, are typically described as system
-administrator for various types of commercial off-the-shelf operating systems. Restricting
-privileged accounts to specific personnel or roles prevents day-to-day users from having
-access to privileged information or functions. Organizations may differentiate in the
-application of this requirement between allowed privileges for local accounts and for domain
-accounts provided organizations retain the ability to control system configurations for key
-security parameters and as otherwise necessary to sufficiently mitigate risk. <br />
-'''FURTHER DISCUSSION <br />
-'''The principle of least privilege applies to all users and processes on all systems, but it is
-critical to systems containing or accessing CUI. Least privilege: <br />
-•
-  restricts user access to only the machines and information needed to fulfill job
-responsibilities; and
-•
-  limits what system configuration settings users can change, only allowing individuals
-with a business need to change them.
-'''Example <br />
-'''You create accounts for an organization that processes CUI. By default, everyone is assigned
-a basic user role, which prevents a user from modifying system configurations. Privileged
-access is only assigned to users and processes that require it to carry out job functions, such
-as IT staff, and is very selectively granted [b,d].
-'''Potential Assessment Considerations <br />
-'''•
-  Are privileged accounts documented and is when they may be used defined [a]?
-•
-  Are users assigned privileged accounts to perform their job functions only when it is
-necessary [b]?
-•
-  Are necessary security functions identified (e.g., access control configuration, system
-configuration settings, or privileged account lists) that must be managed through the use
-of privileged accounts [c]?
- NIST SP 800-171 Rev. 2, p. 12.
-''' '''
-AC.L2-3.1.5 – Least Privilege
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  Is access to privileged functions and security information restricted to authorized
-employees [d]?
-'''KEY REFERENCES <br />
-'''•
-  NIST SP 800-171 Rev. 2 3.1.5
-''' '''
-AC.L2-3.1.6 – Non-Privileged Account Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE '''
-Use non-privileged accounts or roles when accessing nonsecurity functions.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|21 ]]'''
-Determine if: <br />
-[a] nonsecurity functions are identified; and <br />
-[b] users are required to use non-privileged accounts or roles when accessing nonsecurity
-functions.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|A]21 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing least privilege; system
-security plan; list of system-generated security functions assigned to system accounts or
-roles; system configuration settings and associated documentation; system audit logs and
-records; other relevant documents or records].''' '''
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for defining least privileges necessary to
-accomplish specified organizational tasks; personnel with information security
-responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing least privilege functions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|22]] '''
-This requirement limits exposure when operating from within privileged accounts or roles.
-The inclusion of roles addresses situations where organizations implement access control
-policies such as role-based access control and where a change of role provides the same
-degree of assurance in the change of access authorizations for the user and all processes
-acting on behalf of the user as would be provided by a change between a privileged and non-
-privileged account.
-'''FURTHER DISCUSSION '''
-A user with a privileged account can perform more tasks and access more information than
-a person with a non-privileged account. Tasks (including unauthorized tasks orchestrated
-by attackers) performed when using the privileged account can have a greater impact on the
- NIST SP 800-171A, p. 11.
- NIST SP 800-171 Rev. 2, p. 12.
-''' '''
-AC.L2-3.1.6 – Non-Privileged Account Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-system. System administrators and users with privileged accounts must be trained not to use
-their privileged accounts for everyday tasks, such as browsing the internet or connecting
-unnecessarily to other systems or services.
-'''Example <br />
-'''You are logged in using your privileged account and you need to look up how to reset a non-
-functioning application which processes CUI. You should log on to another computer with
-your non-privileged account before you connect to the web and start searching for the reset
-information [b]. That way, if your account is compromised during the search, it will be your
-regular user account rather than an account with elevated privileges.
-'''Potential Assessment Considerations <br />
-'''•
-  Are nonsecurity functions and non-privileged roles defined [a,b]?
-•
-  Is it required that nonsecurity functions only be accessed with the use of non-privileged
-accounts? How is this verified [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.6
-''' '''
-AC.L2-3.1.7 – Privileged Functions
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.7 – PRIVILEGED FUNCTIONS '''
-Prevent non-privileged users from executing privileged functions and capture the execution
-of such functions in audit logs.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|23 ]]'''
-Determine if: <br />
-[a] privileged functions are defined; <br />
-[b] non-privileged users are defined; <br />
-[c]  non-privileged users are prevented from executing privileged functions; and <br />
-[d] the execution of privileged functions is captured in audit logs.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|A]23 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Privacy and  security policies, procedures addressing system use
-notification; documented approval of system use notification messages or banners; system
-audit logs and records; system design documentation; user acknowledgements of
-notification message or banner; system security plan; system use notification messages;
-system configuration settings and associated documentation; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for defining least privileges necessary to
-accomplish specified tasks; personnel with information security responsibilities; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing least privilege functions for non-privileged
-users; mechanisms auditing the execution of privileged functions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|24]] '''
-Privileged functions include establishing system accounts, performing system integrity
-checks, conducting patching operations, or administering cryptographic key management
-activities.  Non-privileged users are individuals that do not possess appropriate
-authorizations. Circumventing intrusion detection and prevention mechanisms or malicious
-code protection mechanisms are examples of privileged functions that require protection
- NIST SP 800-171A, p. 12.
- NIST SP 800-171 Rev. 2, p. 12.
-''' '''
-AC.L2-3.1.7 – Privileged Functions
-CMMC Assessment Guide – Level 2 | Version 2.13
-from non-privileged users. Note that this requirement represents a condition to be achieved
-by the definition of authorized privileges in 3.1.2 (AC.L2-3.1.2). <br />
-Misuse of privileged functions, either intentionally or unintentionally by authorized users,
-or by unauthorized external entities that have compromised system accounts, is a serious
-and ongoing concern and can have significant adverse impacts on organizations. Logging the
-use of privileged functions is one way to detect such misuse, and in doing so, help mitigate
-the risk from insider threats and the advanced persistent threat.
-'''FURTHER DISCUSSION '''
-Non-privileged users should receive only those permissions required to perform their basic
-job functions. Privileged users are granted additional permissions because their jobs require
-them. Privileged functions typically involve the control, monitoring, or administration of the
-system and its security measures. When these special privileged functions are performed,
-the activity must be captured in an audit log,  which can be used to identify abuse. Non-
-privileged employees must not be granted permission to perform any of the functions of a
-privileged user. <br />
-This  requirement,  AC.L2-3.1.7, manages non-privileged users by logging any attempts to
-execute privileged functions. AC.L2-3.1.7 leverages AU.L2-3.3.2, which ensures logging and
-traceability of user actions. AC.L2-3.1.7  also extends AC.L2-3.1.2, which defines  a
-requirement to limit types of transactions and functions to those that authorized users are
-permitted to execute.
-'''Example <br />
-'''Your organization  handles CUI and has  put security controls in place that prevent non-
-privileged users from performing privileged activities [a,b,c]. However, a standard user was
-accidentally given elevated system administrator privileges.  The organization has
-implemented an endpoint detection and response solution that provides visibility into the
-use of privileged activities. The monitoring system logs a security misconfiguration because
-the use of administrative privileges was performed by a user who was not known to have
-that ability. This allows you to correct the error [d].
-'''Potential Assessment Considerations <br />
-'''•
-  Is it possible to identify who enabled privileges at any particular time [d]?
-•
-  Are the privileged system functions documented (e.g., functions that involve the control,
-monitoring or administration of the system, including security functions and log
-management) [a]?
-•
-  Do documented procedures describe the configuration of the system to ensure system
-roles do not grant non-privileged users the ability to execute privileged functions [c]?
-•
-  Do procedures describe the configuration of system settings to capture the execution of
-all privileged functions in audit logs [d]?
-''' '''
-AC.L2-3.1.7 – Privileged Functions
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.7
-''' '''
-AC.L2-3.1.8 – Unsuccessful Logon Attempts
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS '''
-Limit unsuccessful logon attempts.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|25 ]]'''
-Determine if: <br />
-[a] the means of limiting unsuccessful logon attempts is defined; and <br />
-[b] the defined means of limiting unsuccessful logon attempts is implemented.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|A]25 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts;
-system security plan; system design documentation; system configuration settings and
-associated documentation; system audit logs and records; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with information security responsibilities; system developers;
-system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon
-attempts].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|26]] '''
-This  requirement applies regardless of whether the logon occurs via a local or network
-connection. Due to the potential for denial of service, automatic lockouts initiated by systems
-are, in most cases, temporary and automatically release after a predetermined period
-established by the organization (i.e., a delay algorithm). If a delay algorithm is selected,
-organizations may employ different algorithms for different system components based on
-the capabilities of the respective components. Responses to unsuccessful logon attempts
-may be implemented at the operating system and application levels.
-'''FURTHER DISCUSSION '''
-Consecutive unsuccessful logon attempts may indicate malicious activity. OSAs can mitigate
-these attacks by limiting the number of unsuccessful logon attempts, typically by locking the
-account. A defined number of consecutive unsuccessful logon attempts is a common
- NIST SP 800-171A, p. 12.
- NIST SP 800-171 Rev. 2, pp. 12-13.
-''' '''
-AC.L2-3.1.8 – Unsuccessful Logon Attempts
-CMMC Assessment Guide – Level 2 | Version 2.13
-configuration setting. OSAs  are expected to set this number at a level that fits their risk
-profile with the knowledge that fewer unsuccessful attempts provide higher security. <br />
-After an unsuccessful login attempt threshold is exceeded and the system locks an account,
-the account may either remain locked until an administrator takes action to unlock it, or it
-may be locked for a predefined time after which it unlocks automatically.
-'''Example <br />
-'''You attempt to log on to your work computer, which stores CUI. You mistype your password
-three times in a row, and an error message is generated telling you the account is locked [b].
-You call your IT help desk  or system administrator to request assistance.  The system
-administrator explains that the account is locked as a result of three unsuccessful logon
-attempts [a]. The administrator offers to unlock the account and notes that you can wait 30
-minutes for the account to unlock automatically.
-'''Potential Assessment Considerations <br />
-'''•
-  Is there a defined threshold for the number of unsuccessful logon attempts for which the
-system takes action to prevent additional attempts [a]?
-•
-  Is a mechanism for limiting the number of unsuccessful logon attempts implemented and
-does it use the defined threshold [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.8
-''' '''
-AC.L2-3.1.9 – Privacy &amp; Security Notices
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.9 – PRIVACY &amp; SECURITY NOTICES '''
-Provide privacy and security notices consistent with applicable CUI rules.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|27 ]]'''
-Determine if: <br />
-[a] privacy and security notices required by CUI-specified rules are identified, consistent,
-and associated with the specific CUI category; and
-[b] privacy and security notices are displayed.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|A]27 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Privacy and security policies, procedures addressing system use
-notification; documented approval of system use notification messages or banners; system
-audit logs and records; system design documentation; user acknowledgements of
-notification message or banner; system security plan; system use notification messages;
-system configuration settings and associated documentation; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel with responsibility for providing legal advice; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing system use notification].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|28]] '''
-System use notifications can be implemented using messages or warning banners displayed
-before individuals log in to organizational systems. System use notifications are used only
-for access via logon interfaces with human users and are not required when such human
-interfaces do not exist.  Based on a risk assessment, organizations consider whether a
-secondary system use notification is needed to access applications or other system resources
-after the initial network logon. Where necessary, posters or other printed materials may be
-used in lieu of an automated system banner. Organizations consult with the Office of General
-Counsel for legal review and approval of warning banner content.
- NIST SP 800-171A, pp. 12-13.
- NIST SP 800-171 Rev. 2, p. 13.
-''' '''
-AC.L2-3.1.9 – Privacy &amp; Security Notices
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Every system containing or providing access to CUI has legal requirements concerning user
-privacy and security  notices.  One method of addressing this requirement is the use of a
-system-use notification banner that displays the legal requirements of using the system.
-Users may be required to click to agree to the displayed requirements of using the system
-each time they log on to the machine. This agreement can be used in the civil and/or criminal
-prosecution of an attacker that violates the terms. <br />
-The legal notification should meet all applicable requirements. At a minimum, the notice
-should inform the user that: <br />
-•
-  information system usage may be monitored or recorded, and is subject to audit;
-•
-  unauthorized use of the information systems is prohibited;
-•
-  unauthorized use is subject to criminal and civil penalties;
-•
-  use of the information system affirms consent to monitoring and recording;
-•
-  the information system contains CUI with specific requirements imposed  by the
-Department of Defense; and
-•
-  use of the information system may be subject to other specified requirements associated
-with certain types of CUI such as Export Controlled information.
-'''Example <br />
-'''You are setting up IT equipment including a database server that will contain CUI. You have
-worked with legal counsel to draft a notification. It contains both general and specific CUI
-security and privacy requirements [a]. The system displays the required security and privacy
-information before anyone logs on to your organization’s computers that contain or provide
-access to CUI [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are objectives identified for privacy and security notices, and does the implementation
-satisfy the required objectives  [a,b]? Discrepancies may indicate a deficient process
-and/or an incomplete objective for the overall requirement.
-•
-  Are there any special requirements associated with the specific CUI category [a]?
-•
-  Are appropriate notices displayed in areas where paper-based CUI is stored and
-processed [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.9
-''' '''
-AC.L2-3.1.10 – Session Lock
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.10 – SESSION LOCK '''
-Use session lock with pattern-hiding displays to prevent access and viewing of data after a
-period of inactivity.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|29 ]]'''
-Determine if: <br />
-[a] the period of inactivity after which the system initiates a session lock is defined; <br />
-[b] access to the system and viewing of data is prevented by initiating a session lock after
-the defined period of inactivity; and
-[c]  previously visible information is concealed via a pattern-hiding display after the
-defined period of inactivity.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|A]29 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing session lock; procedures
-addressing identification and authentication; system design documentation; system
-configuration settings and associated documentation; system security plan; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing access control policy for session lock].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|30]] '''
-Session locks are temporary actions taken when users stop work and move away from the
-immediate vicinity of the system but do not want to log out because of the temporary nature
-of their absences. Session locks are implemented where session activities can be determined,
-typically at the operating system level (but can also be at the application level). Session locks
-are not an acceptable substitute for logging out of the system, for example, if organizations
-require users to log out at the end of the workday. <br />
-Pattern-hiding displays can include static or dynamic images, for example, patterns used
-with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank
- NIST SP 800-171A, p. 13.
- NIST SP 800-171 Rev. 2, p. 13.
-''' '''
-AC.L2-3.1.10 – Session Lock
-CMMC Assessment Guide – Level 2 | Version 2.13
-screen, with the additional caveat that none of the images convey controlled unclassified
-information.
-'''FURTHER DISCUSSION '''
-Session locks can be initiated by the user or, more fundamentally, enabled automatically
-when the system has been idle for a period of time, for example, five minutes. Session locks
-are a quick way to prevent unauthorized use of the systems without having a user log off.
-Minimum configuration requirements are left up to the organization to define. <br />
-A locked session shows pattern-hiding information on the screen to mask the data on the
-display.
-'''Example <br />
-'''You  manage systems for an organization that stores, processes, and transmits CUI. You
-notice that employees leave their offices without locking their computers. Sometimes their
-screens display sensitive company information. You configure all machines to lock after five
-minutes of inactivity [a,b]. You also remind your coworkers to lock their systems when they
-walk away [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Does the session lock hide previously visible information (e.g., replacing what was visible
-with a lock screen or screensaver that does not include sensitive information) [c]?
-•
-  If session locks are not managed centrally, how are all computer users made aware of the
-requirements and how to configure them [a,b,c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.10
-''' '''
-AC.L2-3.1.11 – Session Termination
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.11 – SESSION TERMINATION '''
-Terminate (automatically) a user session after a defined condition.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|31 ]]'''
-Determine if: <br />
-[a] conditions requiring a user session to terminate are defined; and <br />
-[b] a user session is automatically terminated after any of the defined conditions occur.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|A]31 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing session termination; system
-design documentation; system security plan; system configuration settings and associated
-documentation; list of conditions or trigger events requiring session disconnect; system
-audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing user session termination].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|32]] '''
-This requirement addresses the termination of user-initiated logical sessions in contrast to
-the termination of network connections that are associated with communications sessions
-(i.e., disconnecting from the network).  A logical session (for local, network, and remote
-access) is initiated whenever a user (or process acting on behalf of a user) accesses an
-organizational system.  Such user sessions can be terminated (and thus terminate user
-access) without terminating network sessions. Session termination terminates all processes
-associated with a user’s logical session except those processes that are specifically created
-by the user (i.e., session owner) to continue after the session is terminated. Conditions or
-trigger events requiring automatic session termination can include organization-defined
-periods of user inactivity, targeted responses to certain types of incidents, and time-of-day
-restrictions on system use.
- NIST SP 800-171A, pp. 13-14.
- NIST SP 800-171 Rev. 2, p. 13.
-''' '''
-AC.L2-3.1.11 – Session Termination
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Configure the system to terminate user sessions based on the organization’s policy. Session
-termination policies can be simple or sophisticated. Examples are inactivity (end the session
-after a specified duration (e.g., one hour[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#47|33]]) of inactivity), day/time (all sessions are
-terminated at the end of the established workday), misbehavior (end the session due to an
-attempted policy violation), and maintenance (terminate sessions to prevent issues with an
-upgrade or service outage). If there is no automatic control of user sessions, an attacker can
-take advantage of an unattended session.
-'''Example 1 <br />
-'''You  manage systems containing CUI  for your organization and configure the system to
-terminate all user sessions after 1 hour of inactivity [a]. As the session timeout approaches,
-the system prompts users with a warning banner asking if they want to continue the session.
-When the session timeout does occur, the login page pops up, and the users must log in to
-start a new session [b].
-'''Example 2 <br />
-'''A user is logged into a corporate database containing CUI but is not authorized to view CUI.
-The user has submitted a series of queries that unintentionally violate policy, as they attempt
-to extract CUI that the user is not authorized to view [a]. The session terminates with a
-warning  as a result of a violation of corporate policy [b]. The user  must reestablish the
-session before being able to submit additional legitimate queries.
-'''Potential Assessment Considerations <br />
-'''•
-  Are the conditions in which a user session must be terminated described (e.g., after a
-period of inactivity or after a defined time limit) [a]?
-•
-  Are procedures documented that describe how to configure the system to enable
-automatic termination of user sessions after any of the defined conditions occur [b]?''' '''
-•
-  Are user sessions terminated based on organization-defined conditions [a,b]?''' '''
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.11
- Review DoD Cybersecurity FAQ Q53.2 for information on minimum values.
-''' '''
-AC.L2-3.1.12 – Control Remote Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.12 – CONTROL REMOTE ACCESS '''
-Monitor and control remote access sessions.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|34 ]]'''
-Determine if: <br />
-[a] remote access sessions are permitted; <br />
-[b] the types of permitted remote access are identified; <br />
-[c]  remote access sessions are controlled; and <br />
-[d] remote access sessions are monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|A]34 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing remote access
-implementation and usage (including restrictions); configuration management plan; system
-security plan; system design documentation; system configuration settings and associated
-documentation; remote access authorizations; system audit logs and records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for managing remote access connections;
-system or network administrators; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Remote access management capability for the system].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|35]] '''
-Remote access is access to organizational systems by users (or processes acting on behalf of
-users) communicating through external networks (e.g., the internet). Remote access
-methods include dial-up, broadband, and wireless. Organizations often employ encrypted
-virtual private networks (VPNs) to enhance confidentiality over remote connections. The use
-of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when
-adequately provisioned with appropriate control (e.g., employing encryption techniques for
-confidentiality protection), may provide sufficient assurance to the organization that it can
-effectively treat such connections as internal networks. VPNs with encrypted tunnels can
-affect the capability to adequately monitor network communications traffic for malicious
-code.
- NIST SP 800-171A, p. 14.
- NIST SP 800-171 Rev. 2, pp. 13-14.
-''' '''
-AC.L2-3.1.12 – Control Remote Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-Automated monitoring and control of remote access sessions allows organizations to detect
-cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing
-connection activities of remote users on a variety of system components (e.g., servers,
-workstations, notebook computers, smart phones, and tablets). <br />
-NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and
-virtual private networks.
-'''FURTHER DISCUSSION '''
-Remote access connections pass through untrusted networks and therefore require proper
-security controls such as encryption to ensure data confidentiality. Initialization of all remote
-sessions should ensure that only authorized users and devices are connecting. After the
-remote session is established, the connection is monitored to track who is accessing the
-network remotely and what files are being accessed during the session. <br />
-Remote access sessions can encompass more than just remote connections back to a
-headquarters network. Access to cloud-based email providers or server infrastructures also
-are relevant to this requirement if those environments contain CUI. <br />
-This  requirement,  AC.L2-3.1.12,  requires the control of remote access sessions  and
-complements five other requirements dealing with remote access (AC.L2-3.1.14,  AC.L2-
-.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): <br />
-•
-  AC.L2-3.1.14 limits remote access to specific access control points.
-•
-  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
-sessions.
-•
-  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
-session.
-•
-  IA.L2-3.5.3  requires multifactor authentication for network access to non-privileged
-accounts.
-•
-  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
-maintenance sessions.
-'''Example <br />
-'''You often need to work from remote locations, such as your home or client sites, and you are
-permitted to access your organization’s internal networks (including a network containing
-CUI) from those remote locations [a]. A system administrator issues you a company laptop
-with VPN software installed, which is required to connect to the networks remotely [b]. After
-the laptop connects to the VPN server, you must accept a privacy notice that states that the
-company’s security department may monitor the connection. This monitoring is achieved
-through the analysis of data from sensors on the network notifying IT if issues arise. The
-security department may also review audit logs to see who is connecting remotely, when,
-and what information they are accessing [d].  During session establishment, the message
-“Verifying Compliance” means software like a Device Health Check (DHC) application is
-checking the remote device to ensure it meets the established requirements to connect [c].
-''' '''
-AC.L2-3.1.12 – Control Remote Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Potential Assessment Considerations <br />
-'''•
-  Do policies identify when remote access is permitted and what methods must be used
-[a,b]?
-•
-  Are systems configured to permit only approved remote access sessions (e.g., disallow
-remote access sessions by default) [c]?
-•
-  Are automated or manual mechanisms employed for monitoring remote connections? If
-the monitoring is manual, does it occur at a frequency commensurate with the level of
-risk [d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.12
-''' '''
-AC.L2-3.1.13 – Remote Access Confidentiality
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY '''
-Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|36 ]]'''
-Determine if: <br />
-[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are
-identified; and
-[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are
-implemented.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|A]36 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing remote access to the system;
-system security plan; system design documentation; system configuration settings and
-associated documentation; cryptographic mechanisms and associated configuration
-documentation; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Cryptographic mechanisms protecting remote access sessions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|37]] '''
-Cryptographic standards include FIPS-validated cryptography and NSA-approved
-cryptography.
-'''FURTHER DISCUSSION '''
-A remote access session involves logging into the organization’s systems such as its internal
-network or a cloud service provider from a remote location such as home or an alternate
-work site.  Because the use of  cryptography  in this requirement  is to protect the
-confidentiality of CUI, the cryptography used must meet the criteria specified in requirement
-SC.L2-3.13.11.  Although not explicitly required to meet AC.L2-3.1.13  requirements, this
-remote access session must be secured using FIPS-validated cryptography to provide
-confidentiality and prevent anyone from deciphering session information exchanges.
- NIST SP 800-171A, p. 14.
- NIST SP 800-171 Rev. 2, p. 14.
-''' '''
-AC.L2-3.1.13 – Remote Access Confidentiality
-CMMC Assessment Guide – Level 2 | Version 2.13
-This  requirement,  AC.L2-3.1.13,  requires the use of cryptographic mechanisms when
-enabling remote sessions and complements five other requirements dealing with remote
-access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): <br />
-•
-  AC.L2-3.1.12 requires the control of remote access sessions.
-•
-  AC.L2-3.1.14 limits remote access to specific access control points.
-•
-  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
-session.
-•
-  IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged
-accounts.
-•
-  Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote
-maintenance sessions.
-'''Example <br />
-'''You are responsible for implementing a remote network access capability for users who
-access CUI remotely. In order to provide session confidentiality, you decide to implement a
-VPN mechanism and select a product that has completed FIPS 140 validation [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer
-Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption
-algorithms)  defined and implemented  [a,b]?  Note that simply using an approved
-algorithm is not sufficient – the module (software and/or hardware) used to implement
-the algorithm must be separately validated under FIPS 140.
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.13
-''' '''
-AC.L2-3.1.14 – Remote Access Routing
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.14 – REMOTE ACCESS ROUTING '''
-Route remote access via managed access control points.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|38 ]]'''
-Determine if: <br />
-[a] managed access control points are identified and implemented; and <br />
-[b] remote access is routed through managed network access control points.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|A]38 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing remote access to the system;
-system security plan; system design documentation; list of all managed network access
-control points; system configuration settings and associated documentation; system audit
-logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms routing all remote accesses through managed network access
-control points].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|39]] '''
-Routing remote access through managed access control points enhances explicit,
-organizational control over such connections, reducing the susceptibility to unauthorized
-access to organizational systems resulting in the unauthorized disclosure of CUI.
-'''FURTHER DISCUSSION '''
-The OSA can route all remote access through a limited number of remote access control
-points to reduce the attack surface and simplify network management. This allows for better
-monitoring and control of the remote connections. <br />
-This requirement, AC.L2-3.1.14, limits remote access to specific access control points and
-complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-
-.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- NIST SP 800-171A, p. 15.
- NIST SP 800-171 Rev. 2, p. 14.
-''' '''
-AC.L2-3.1.14 – Remote Access Routing
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  AC.L2-3.1.12 requires the control of remote access sessions.
-•
-  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
-sessions.
-•
-  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
-session.
-•
-  IA.L2-3.5.3  requires multifactor  authentication for network access to non-privileged
-accounts.
-•
-  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
-maintenance sessions.
-'''Example <br />
-'''You manage systems for a company that processes CUI at multiple locations, and several
-employees at different locations need to connect to the organization’s networks while
-working remotely. Because each company location has a direct connection to headquarters,
-you decide to route all remote access through the headquarters location [a]. All remote traffic
-is routed through a single location to simplify monitoring [b].
-'''Potential Assessment Considerations <br />
-'''•
-  How many managed access control points are implemented [a]?
-•
-  Is all remote access routed through the managed access control points [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.14
-''' '''
-AC.L2-3.1.15 – Privileged Remote Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS '''
-Authorize remote execution of privileged commands and remote access to security-relevant
-information.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|40 ]]'''
-Determine if: <br />
-[a] privileged commands authorized for remote execution are identified; <br />
-[b] security-relevant information authorized to be accessed remotely is identified; <br />
-[c]  the execution of the identified privileged commands via remote access is authorized;
-and
-[d] access to the identified security-relevant information via remote access is authorized.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|A]40 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing remote access to the system;
-system configuration settings and associated documentation; system security plan; system
-audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities].''' '''
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing remote access management].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|41]] '''
-A privileged  command is a human-initiated (interactively or via a process operating on
-behalf of the human) command executed on a system involving the control, monitoring, or
-administration of the system including security functions and associated security-relevant
-information. Security-relevant information is any information within the system that can
-potentially impact the operation of security functions or the provision of security services in
-a manner that could result in failure to enforce the system security policy or maintain
-isolation of code and data.  Privileged commands give individuals the ability to execute
-sensitive, security-critical, or security-relevant system functions.  Controlling such access
-from remote locations helps to ensure that unauthorized individuals are not able to execute
-such commands freely with the potential to do serious or catastrophic damage to
- NIST SP 800-171A, p. 15.
- NIST SP 800-171 Rev. 2, p. 14.
-''' '''
-AC.L2-3.1.15 – Privileged Remote Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-organizational systems. Note that the ability to affect the integrity of the system is considered
-security-relevant as that could enable the means to by-pass security functions although not
-directly impacting the function itself.
-'''FURTHER DISCUSSION '''
-Privileged users are not necessarily allowed to perform their job functions from a remote
-location. Likewise, not all privileged commands may be executed remotely. Allowing remote
-execution of privileged commands or remote access to security-relevant information should
-be avoided if possible. If absolutely necessary, the privileged  commands  authorized for
-remote execution should be identified and documented. Document which user roles have
-permissions to remotely execute privileged commands to make changes and to access
-security relevant information. Documentation must be used to establish security
-mechanisms that enforce the policy. <br />
-This requirement, AC.L2-3.1.15, requires authorization for privileged commands executed
-during a remote  session  and complements five other requirements dealing with remote
-access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, IA.L2-3.5.3, and MA.L2-3.7.5): <br />
-•
-  AC.L2-3.1.12 requires the control of remote access sessions.
-•
-  AC.L2-3.1.14 limits remote access to specific access control points.
-•
-  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
-sessions.
-•
-  IA.L2-3.5.3  requires multifactor authentication for network access to non-privileged
-accounts.
-•
-  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
-maintenance sessions.
-This  requirement,  AC.L2-3.1.15, also extends AC.L2-3.1.2,  which limits the types of
-transactions and functions that authorized users are permitted to execute.
-'''Example <br />
-'''Your company’s  Access Control Policy permits certain work roles to  remotely perform a
-limited set of privileged commands from company-owned computers [a]. You implement
-controls to enforce who can remotely execute a privileged command,  which privileged
-commands they can execute, and who is allowed access to security relevant information such
-as audit log configuration settings [a,c,d].
-'''Potential Assessment Considerations <br />
-'''•
-  Does system documentation identify system administration or security functions that
-can be executed remotely [a]?
-•
-  Is execution of the identified privileged commands via remote access only authorized for
-documented operational needs [c]?
-''' '''
-AC.L2-3.1.15 – Privileged Remote Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.15
-''' '''
-AC.L2-3.1.16 – Wireless Access Authorization
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION '''
-Authorize wireless access prior to allowing such connections.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|42 ]]'''
-Determine if: <br />
-[a] wireless access points are identified; and <br />
-[b] wireless access is authorized prior to allowing such connections.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|A]42 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; configuration management plan; procedures
-addressing wireless access implementation and usage (including restrictions); system
-security plan; system design documentation; system configuration settings and associated
-documentation; wireless access authorizations; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for managing wireless access connections;
-personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Wireless access management capability for the system].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|43]] '''
-Establishing usage restrictions and configuration/connection requirements for wireless
-access to the system provides criteria for organizations to support wireless access
-authorization decisions. Such restrictions and requirements reduce the susceptibility to
-unauthorized access to the system through wireless technologies. Wireless networks use
-authentication protocols that provide credential protection and mutual authentication.
-'''FURTHER DISCUSSION '''
-Guidelines from management form the basis for the requirements that must be met prior to
-authorizing a wireless connection. These guidelines may include the following: <br />
-•
-  types of devices, such as corporate or privately owned equipment;
-•
-  configuration requirements of the devices; and
- NIST SP 800-171A, pp. 15-16.
- NIST SP 800-171 Rev. 2, p. 14.
-''' '''
-AC.L2-3.1.16 – Wireless Access Authorization
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  authorization requirements before granting such connections.
-AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they
-all establish control for the connection of mobile devices and wireless devices through the
-use of authentication, authorization, and encryption mechanisms.
-'''Example <br />
-'''Your  company  is implementing a wireless network at its  headquarters.  CUI may be
-transmitted on this network. You work with management to draft a policy about the use of
-the wireless network. The policy states that only company-approved devices that contain
-verified security configuration settings are allowed to connect. The  policy also includes
-usage restrictions that must be followed for anyone who wants to use the wireless network.
-Authorization is required before devices are allowed to connect to the wireless network [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Is an updated list of approved network devices providing wireless access to the system
-maintained [a]?
-•
-  Are network devices providing wireless access configured to require users or devices be
-authorized prior to permitting a wireless connection [b]?
-•
-  Is wireless access to the system authorized and managed [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.16
- <br />
-''' '''
-AC.L2-3.1.17 – Wireless Access Protection
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION '''
-Protect wireless access using authentication and encryption.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|44 ]]'''
-Determine if: <br />
-[a] wireless access to the system is protected using authentication; and <br />
-[b] wireless access to the system is protected using encryption.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|A]44 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; system design documentation; procedures addressing
-wireless implementation and usage (including restrictions); system security plan; system
-configuration settings and associated documentation; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing wireless access protections to the system].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|45]] '''
-Organizations authenticate individuals and devices to help protect wireless access to the
-system. Special attention is given to the wide variety of devices that are part of the Internet
-of Things with potential wireless access to organizational systems.
-'''FURTHER DISCUSSION '''
-Use  a  combination of authentication and encryption methods to protect the access to
-wireless networks.  Authenticating users to a  wireless access point can be achieved  in
-multiple ways. The most common authentication and encryption methods used include: <br />
-•
-  WPA2-PSK (WiFi Protected Access-Pre-shared Key) – This method uses a password or
-passphrase known by the wireless access point and the client (user device). It is common
-in small companies that have little turnover because the key must be changed each time
-an employee leaves in order to prevent the terminated employee from connecting to the
- NIST SP 800-171A, p. 16.
- NIST SP 800-171 Rev. 2, pp. 14-15.
-''' '''
-AC.L2-3.1.17 – Wireless Access Protection
-CMMC Assessment Guide – Level 2 | Version 2.13
-network without authorization. WPA2 is typically configured to use Advanced
-Encryption Standard (AES) encryption.
-•
-  WPA2 Enterprise –  This method may be better for larger companies  and enterprise
-networks because authentication is based on the identity of the individual user or device
-rather than a shared password or passphrase. It typically requires a Remote
-Authentication Dial-in User Service (RADIUS) server for authentication and can provide
-higher security than WPA2-PSK.
-Open authentication must not be used because it authenticates any user and lacks security
-capabilities. <br />
-Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
-the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
-AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they
-all establish control for the connection of mobile devices and wireless devices through the
-use of authentication, authorization, and encryption mechanisms.
-'''Example 1 <br />
-'''You  manage the wireless network at a small company and are installing a new wireless
-solution that may transmit CUI. You start by selecting a product that employs encryption
-validated against the FIPS 140 standard. You configure the wireless solution to use WPA2,
-requiring users to enter a pre-shared key to connect to the wireless network [a,b].
-'''Example 2 <br />
-'''You  manage the wireless network at a large company and are installing a new wireless
-solution that may transmit CUI. You start by selecting a product that employs encryption that
-is validated against the FIPS 140 standard. Because of the size of your workforce, you
-configure the wireless system to authenticate users with a RADIUS server. Users must
-provide the wireless system with their domain usernames and passwords to be able to
-connect, and the RADIUS server verifies those credentials. Users unable to authenticate are
-denied access [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Is wireless access limited only to authenticated and authorized users (e.g., required to
-supply a username and password) [a]?
-•
-  If the organization is securing its wireless network with a pre-shared key, is access to
-that key restricted to only authorized users [a]?
-•
-  Is wireless access encrypted using FIPS-validated cryptography? Note that simply using
-an approved algorithm is not sufficient; the module (software and/or hardware) used to
-implement the algorithm must be separately validated under FIPS 140 [b].
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.17
-''' '''
-AC.L2-3.1.18 – Mobile Device Connection
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.18 – MOBILE DEVICE CONNECTION '''
-Control connection of mobile devices.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|46 ]]'''
-Determine if: <br />
-[a] mobile devices that process, store, or transmit CUI are identified; <br />
-[b] mobile device connections are authorized; and <br />
-[c]  mobile device connections are monitored and logged.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|A]46 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; authorizations for mobile device connections to
-organizational systems; procedures addressing access control for mobile device usage
-(including restrictions); system design documentation; configuration management plan;
-system security plan; system audit logs and records; system configuration settings and
-associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel using mobile devices to access organizational systems; system or
-network administrators; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Access control capability authorizing mobile device connections to
-organizational systems].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|47]] '''
-A mobile device is a computing device that has a small form factor such that it can easily be
-carried by a single individual; is designed to operate without a physical connection (e.g.,
-wirelessly transmit or receive information); possesses local, non-removable or removable
-data storage; and includes a self-contained power source. Mobile devices may also include
-voice communication capabilities, on-board sensors that allow the device to capture
-information, or built-in features for synchronizing local data with remote locations.
-Examples of mobile devices include smart phones, e-readers, and tablets. <br />
-Due to the large variety of mobile devices with different technical characteristics and
-capabilities, organizational restrictions may vary for the different types of devices. Usage
-restrictions and implementation guidance for mobile devices include: device identification
- NIST SP 800-171A, p. 16.
- NIST SP 800-171 Rev. 2, p. 15.
-''' '''
-AC.L2-3.1.18 – Mobile Device Connection
-CMMC Assessment Guide – Level 2 | Version 2.13
-and authentication; configuration management; implementation of mandatory protective
-software (e.g., malicious code detection, firewall); scanning devices for malicious code;
-updating virus protection software; scanning for critical software updates and patches;
-conducting primary operating system (and possibly other resident software) integrity
-checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide
-adequate security for mobile devices goes beyond this requirement.  Many controls for
-mobile devices are reflected in other CUI security requirements. NIST SP 800-124 provides
-guidance on mobile device security.
-'''FURTHER DISCUSSION '''
-Establish guidelines and acceptable requirements  for proper configuration, use, and
-management of mobile devices. Devices that process, store, or transmit CUI must be
-identified with a device-specific identifier. There are many different types of identifiers, and
-it is important to select one that can accommodate all devices and be used in a consistent
-manner. These identifiers are important for facilitating the required monitoring and logging
-function. <br />
-In addition to smartphones, consider the security of other portable devices such as e-readers
-and tablets. <br />
-AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they
-all establish control for the connection of mobile devices and wireless devices through the
-use of authentication, authorization, and encryption mechanisms.
-'''Example <br />
-'''Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile
-phones, and Personal Digital Assistants (PDAs), must be approved and registered with the
-IT department before connecting to the network that contains CUI. The IT department uses
-a Mobile Device Management solution to monitor mobile devices and enforce policies across
-the enterprise [b,c].
-'''Potential Assessment Considerations <br />
-'''•
-  Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained
-[a,b]?
-•
-  Is the system configured to only permit connections from identified, authorized mobile
-devices [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.18
-''' '''
-AC.L2-3.1.19 – Encrypt CUI on Mobile
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE '''
-Encrypt CUI on mobile devices and mobile computing platforms.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|48 ]]'''
-Determine if: <br />
-[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are
-identified; and
-[b] encryption is employed to protect CUI on identified mobile devices and mobile
-computing platforms.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|A]48 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing access control for  mobile
-devices; system design documentation; system configuration settings and associated
-documentation; encryption mechanisms and associated configuration documentation;
-system security plan; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with access control responsibilities for mobile devices; system or
-network administrators; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile
-devices].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|49]] '''
-Organizations can employ full-device encryption or container-based encryption to protect
-the confidentiality of CUI on mobile devices and computing platforms.  Container-based
-encryption provides a more fine-grained approach to the encryption of data and information
-including encrypting selected data structures such as files, records, or fields.
-'''FURTHER DISCUSSION '''
-Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process,
-store, or transmit CUI including smartphones, tablets, and e-readers.
- NIST SP 800-171A, p. 17.
- NIST SP 800-171 Rev. 2, p. 15.
-''' '''
-AC.L2-3.1.19 – Encrypt CUI on Mobile
-CMMC Assessment Guide – Level 2 | Version 2.13
-Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
-the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
-This  requirement,  AC.L2-3.1.19,  specifies  that CUI be encrypted on mobile devices and
-extends three other CUI protection requirements  (MP.L2-3.8.1,  MP.L2-3.8.2,  and SC.L2-
-.13.16): <br />
-•
-  MP.L2-3.8.1 requires that media containing CUI be protected.
-•
-  MP.L2-3.8.2 limits access to CUI to authorized users.
-•
-  Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.
-This  requirement,  AC.L2-3.1.19, also leverages SC.L2-3.13.11,  which specifies that the
-algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies
-that any cryptographic keys in use must be protected.
-'''Example  <br />
-'''You are in charge of mobile device security for a company that processes CUI. You configure
-all laptops to use the full-disk encryption technology built into the operating system. This
-approach is FIPS-validated and encrypts all files, folders, and volumes. <br />
-Phones and tablets pose a greater technical challenge with their wide range of manufacturers
-and operating systems. You select a proprietary mobile device management (MDM) solution
-to enforce FIPS-validated encryption on those devices [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Is a list maintained of mobile devices and mobile computing platforms that are permitted
-to process, store, or transmit CUI [a]?
-•
-  Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
-'''KEY REFERENCE '''
-•
-  NIST SP 800-171 Rev. 2 3.1.19
-''' '''
-AC.L2-3.1.20 – External Connections [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.20 – EXTERNAL CONNECTIONS [CUI DATA] '''
-Verify and control/limit connections to and use of external systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|50 ]]'''
-Determine if: <br />
-[a] connections to external systems are identified; <br />
-[b] the use of external systems is identified; <br />
-[c]  connections to external systems are verified; <br />
-[d] the use of external systems is verified; <br />
-[e] connections to external systems are controlled/limited; and <br />
-[f]  the use of external systems is controlled/limited.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|A]50 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
-terms and conditions for external systems; system security plan; list of applications
-accessible from external systems; system configuration settings and associated
-documentation; system connection or processing agreements; account management
-documents; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of
-external systems to access organizational systems; system or network administrators;
-personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing terms and conditions on use of external
-systems].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|51]] '''
-External systems are systems or components of systems for which organizations typically
-have no direct supervision and authority over the application of security requirements and
-controls or the determination of the effectiveness of implemented controls on those systems.
-External systems include personally owned systems, components, or devices and privately-
-owned computing and communications devices resident in commercial or public facilities.
- NIST SP 800-171A, p. 17.
- NIST SP 800-171 Rev. 2, pp. 15-16.
-''' '''
-AC.L2-3.1.20 – External Connections [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-This requirement also addresses the use of external systems for the processing, storage, or
-transmission of CUI, including accessing cloud services (e.g., infrastructure as a service,
-platform as a service, or software as a service) from organizational systems. <br />
-Organizations establish terms and conditions for the use of external systems in accordance
-with organizational security policies and procedures. Terms and conditions address as a
-minimum, the types of applications that can be accessed on organizational systems from
-external systems. If terms and conditions with the owners of external systems cannot be
-established, organizations may impose restrictions on organizational personnel using those
-external systems. <br />
-This requirement recognizes that there are circumstances where individuals using external
-systems (e.g., contractors, coalition partners) need to access organizational systems. In those
-situations, organizations need confidence that the external systems contain the necessary
-controls so as not to compromise, damage, or otherwise harm organizational systems.
-Verification that the required controls have been effectively implemented can be achieved
-by third-party, independent assessments, attestations, or other means, depending on the
-assurance or confidence level required by organizations. <br />
-Note that while “external” typically refers to outside of the organization’s direct supervision
-and authority, that is not always the case. Regarding the protection of CUI across an
-organization, the organization may have systems that process CUI and others that do not.
-And among the systems that process CUI there are likely access restrictions for CUI that
-apply between systems. Therefore, from the perspective of a given system, other systems
-within the organization may be considered “external&quot; to that system.
-'''FURTHER DISCUSSION '''
-Control and manage connections between your company network and outside networks.
-Outside networks could include the public internet, one of your own company’s networks
-that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that
-does not belong to your company. Tools to accomplish include firewalls and connection
-allow/deny lists. External systems not controlled by your  company could be running
-applications that are prohibited or blocked. Control and limit access to corporate networks
-from personally owned devices such as laptops, tablets, and phones. You may choose to limit
-how and when your network is connected  to outside systems or only allow  certain
-employees to connect to outside systems from network resources.
-'''Example <br />
-'''Your company has a project that contains CUI. You remind your coworkers of the policy
-requirement to use their company laptops, not personal laptops or tablets, when working
-remotely on the project [b,f]. You also remind everyone to work from the cloud environment
-that is approved for processing and storing CUI rather than the other collaborative tools that
-may be used for other projects [b,f].
-'''Potential Assessment Considerations <br />
-'''•
-  Are all connections to external systems outside of the assessment scope identified [a]?
-''' '''
-AC.L2-3.1.20 – External Connections [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal
-devices) that are permitted to connect to or make use of organizational systems
-identified [b]?
-•
-  Are methods employed to ensure that only authorized connections are being made to
-external systems (e.g., requiring log-ins or certificates, access from a specific IP address,
-or access via Virtual Private Network (VPN)) [c,e]?
-•
-  Are methods employed to confirm that only authorized external systems are connecting
-(e.g., if employees are receiving company email on personal cell phones, is the OSA
-checking to verify that only known/expected devices are connecting) [d]?
-•
-  Is the use of external systems limited, including by policy or physical control [f]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.20
-•
-  FAR Clause 52.204-21 b.1.iii
-''' '''
-''' '''
-AC.L2-3.1.21 – Portable Storage Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.21 – PORTABLE STORAGE USE '''
-Limit use of portable storage devices on external systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|52 ]]'''
-Determine if: <br />
-[a] the use of portable storage devices containing CUI on external systems is identified and
-documented;
-[b] limits on the use of portable storage devices containing CUI on external systems are
-defined; and
-[c]  the use of portable storage devices containing CUI on external systems is limited as
-defined.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|A]52 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
-system security plan; system configuration settings and associated documentation; system
-connection or processing agreements; account management documents; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for restricting or prohibiting use of
-organization-controlled storage devices on external systems; system or network
-administrators; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing restrictions on use of portable storage devices].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|53]] '''
-Limits on the use of organization-controlled portable storage devices in external systems
-include complete prohibition of the use of such devices or restrictions on how the devices
-may be used and under what conditions the devices may be used. Note that while “external”
-typically refers to outside of the organization’s direct supervision and authority that is not
-always the case. Regarding the protection of CUI across an organization, the organization
-may have systems that process CUI and others that do not. Among the systems that process
-CUI there are likely access restrictions for CUI that apply between systems. Therefore, from
- NIST SP 800-171A, p. 18.
- NIST SP 800-171 Rev. 2, p. 16.
-''' '''
-AC.L2-3.1.21 – Portable Storage Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-the perspective of a given system, other systems within the organization may be considered
-“external&quot; to that system.
-'''FURTHER DISCUSSION '''
-A portable storage device is a system component that can be inserted or attached and easily
-removed from a system. It is used to store data or information. Examples of portable storage
-devices include: <br />
-•
-  compact/digital video disks (CDs/DVDs);
-•
-  Universal Serial Bus (USB) drives;
-•
-  external hard disk drives;
-•
-  flash memory cards/drives; and
-•
-  floppy disks.
-This requirement can be implemented in two ways: <br />
-•
-  identifying the portable storage device usage restrictions, identifying portable storage
-devices that may be used on external systems, identifying associated external systems on
-which a portable storage device may be used, and administratively (through the use of a
-written policy) limiting the usage of the devices to those systems; or
-•
-  configuring devices to work only when connected  to a system to which the portable
-storage device can authenticate, limiting the devices’ use on external systems to those
-that the OSA has the ability to manage.
-'''Example <br />
-'''Your organization, which stores and processes CUI,  has a  written  portable  device  usage
-restriction policy. It states that users can only use external storage devices such as thumb
-dives or external hard disks that belong to the company. When needed for a specific business
-function, a user checks the device out from IT and returns it to IT when no longer needed
-[a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are the portable storage devices authorized for external use identified and documented
-[a]?
-•
-  Are the circumstances defined in which portable storage devices containing CUI may be
-used on external systems (e.g., with management approval) [b]?
-•
-  Are limitations stipulated for the use of portable storage devices containing CUI on
-external systems (e.g., authorized personnel only, encrypted drives required) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.21
-''' '''
-AC.L2-3.1.22 – Control Public Information [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AC.L2-3.1.22 – CONTROL PUBLIC INFORMATION [CUI DATA] '''
-Control CUI posted or processed on publicly accessible systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|54 ]]'''
-Determine if: <br />
-[a] individuals authorized to post or process information on publicly accessible systems
-are identified;
-[b] procedures to ensure CUI is not posted or processed on publicly accessible systems are
-identified;
-[c]  a review process is in place prior to posting of any content to publicly accessible
-systems;
-[d] content on publicly accessible systems is reviewed to ensure that it does not include
-CUI; and
-[e] mechanisms are in place to remove and address improper posting of CUI.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|A]54 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; procedures addressing publicly accessible content;
-system security plan; list of users authorized to post publicly accessible content on
-organizational systems; training materials and/or records; records of publicly accessible
-information reviews; records of response to nonpublic information on public websites;
-system audit logs and records; security awareness training records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for managing publicly accessible
-information posted on organizational systems; personnel with information security
-responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing management of publicly accessible content].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|55]] '''
-In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the
-public is not authorized access to nonpublic information (e.g., information protected under
-the Privacy Act, CUI, and proprietary information). This requirement addresses systems that
- NIST SP 800-171A, p. 18.
- NIST SP 800-171 Rev. 2, p. 16.
-''' '''
-AC.L2-3.1.22 – Control Public Information [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-are controlled by the organization and accessible to the public, typically without
-identification or authentication. Individuals authorized to post CUI onto publicly accessible
-systems are designated.  The content of information is reviewed prior to posting onto
-publicly accessible systems to ensure that nonpublic information is not included.
-'''FURTHER DISCUSSION '''
-Only government officials can be authorized to release CUI to the public. Do not allow CUI to
-become public – always safeguard the confidentiality of CUI by controlling the posting of CUI
-on company-controlled websites or public forums, and the exposure of CUI in public
-presentations or on public displays. It is important to know which users  are allowed to
-publish information on  publicly accessible systems, like your company website, and
-implement a review process before posting such information. If CUI  is discovered on a
-publicly accessible system, procedures should be in place to remove that information and
-alert the appropriate parties.
-'''Example <br />
-'''Your company decides to start issuing press releases about its projects in an effort to reach
-more potential customers. Your company receives CUI from the government as part of its
-DoD contract. Because you recognize the need to manage controlled information, including
-CUI, you meet with the employees who write the releases and post information to establish
-a review process [c]. It is decided that you will review press releases for CUI before posting
-it on the company website [a,d]. Only certain employees will be authorized to post to the
-website [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Does information on externally facing systems (i.e., publicly accessible) have a
-documented approval chain for public release [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.1.22
-•
-  FAR Clause 52.204-21 b.1.iv
-''' '''
-AT.L2-3.2.1 – Role-Based Risk Awareness
-CMMC Assessment Guide – Level 2 | Version 2.13
-Awareness and Training (AT) <br />
-'''AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS '''
-Ensure that managers, systems  administrators, and users of organizational systems are
-made aware of the security risks associated with their activities and of the applicable
-policies, standards, and procedures related to the security of those systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|56 ]]'''
-Determine if: <br />
-[a] security risks associated with organizational activities involving CUI are identified; <br />
-[b] policies, standards, and procedures related to the security of the system are identified; <br />
-[c]  managers, systems administrators, and users of the system are made aware of the
-security risks associated with their activities; and
-[d] managers, systems administrators, and users of the system are made aware of the
-applicable policies, standards, and procedures related to the security of the system.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|A]56 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security awareness and training policy; procedures addressing security
-awareness training implementation; relevant codes of federal regulations; security
-awareness training curriculum; security awareness training materials; system security plan;
-training records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for security awareness training; personnel
-with information security responsibilities; personnel composing the general system user
-community; personnel with responsibilities for role-based awareness training].
-'''Test <br />
-'''[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing
-role-based security training].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|57]] <br />
-'''Organizations determine the content and frequency of security awareness training and
-security awareness techniques based on the specific organizational requirements and the
-systems to which personnel have authorized access. The content includes a basic
- NIST SP 800-171A, p. 19.
- NIST SP 800-171 Rev. 2, pp. 16-17.
-''' '''
-AT.L2-3.2.1 – Role-Based Risk Awareness
-CMMC Assessment Guide – Level 2 | Version 2.13
-understanding of the need for information security and user actions to maintain security and
-to respond to suspected security incidents. The content also addresses awareness of the
-need for operations security. Security awareness techniques include: formal training;
-offering supplies inscribed with security reminders; generating email advisories or notices
-from organizational officials; displaying logon screen messages; displaying security
-awareness posters; and conducting information security awareness events. <br />
-NIST SP 800-50 provides guidance on security awareness and training programs.
-'''FURTHER DISCUSSION <br />
-'''Awareness training focuses user attention on security. Several techniques can be used, such
-as: <br />
-•
-  synchronous or asynchronous training;
-•
-  simulations (e.g., simulated phishing emails);
-•
-  security awareness campaigns (posters, reminders, group discussions); and
-•
-  communicating regular email advisories and notices to employees.
-Awareness training and role-based training are different. This requirement, AT.L2-3.2.1,
-covers awareness training, which provides general security training to influence user
-behavior. This training can apply broadly or be tailored to a specific role. Role-based training
-focuses on the knowledge, skills, and abilities needed to complete a specific job and is
-covered by AT.L2-3.2.2.
-'''Example <br />
-'''Your organization holds a DoD contract which requires the use of CUI. You want to provide
-information to employees so they can identify phishing emails. To do this, you prepare a
-presentation that highlights basic traits, including: <br />
-•
-  suspicious-looking email address or domain name;
-•
-  a message that contains an attachment or URL; and
-•
-  a message that is poorly written and often contains obvious misspelled words.
-You encourage everyone to not click on attachments or links in a suspicious email [c]. You
-tell employees to forward such a message immediately to IT security [d]. You download free
-security awareness posters to hang in the office [c,d]. You send regular emails and tips to all
-employees to ensure your message is not forgotten over time [c,d].
-'''Potential Assessment Considerations <br />
-'''•
-  Do all users, managers, and system administrators receive initial and refresher training
-commensurate with their roles and responsibilities [c,d]?
-•
-  Do training materials identify the organization-defined security requirements that must
-be met by users while interacting with the system as described in written  policies,
-standards, and procedures [d]?
-''' '''
-AT.L2-3.2.1 – Role-Based Risk Awareness
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES <br />
-'''•
-  NIST SP 800-171 Rev. 2 3.2.1
-''' '''
-AT.L2-3.2.2 – Role-Based Training
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AT.L2-3.2.2 – ROLE-BASED TRAINING '''
-Ensure that personnel are trained to carry out their assigned information security-related
-duties and responsibilities.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|58 ]]'''
-Determine if: <br />
-[a] information security-related duties, roles, and responsibilities are defined; <br />
-[b] information security-related duties, roles, and responsibilities are assigned to
-designated personnel; and
-[c]  personnel are adequately trained to carry out their assigned information security-
-related duties, roles, and responsibilities.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|A]58 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security awareness and training policy; procedures addressing security
-training implementation; codes of federal regulations; security training curriculum; security
-training materials; system security plan; training records; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for role-based security training; personnel
-with assigned system security roles and responsibilities; personnel with responsibilities for
-security awareness training; personnel with information security responsibilities; personnel
-representing the general system user community].
-'''Test <br />
-'''[SELECT FROM: Mechanisms managing role-based security training; mechanisms managing
-security awareness training].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|59]] '''
-Organizations determine the content and frequency of security training based on the
-assigned duties, roles, and responsibilities of individuals and the security requirements of
-organizations and the systems to which personnel have authorized access. In addition,
-organizations provide system developers, enterprise architects, security architects,
-acquisition/procurement officials, software developers, system developers, systems
-integrators, system/network administrators, personnel conducting configuration
-management and auditing activities, personnel performing independent verification and
- NIST SP 800-171A, pp. 19-20.
- NIST SP 800-171 Rev. 2, p. 17.
-''' '''
-AT.L2-3.2.2 – Role-Based Training
-CMMC Assessment Guide – Level 2 | Version 2.13
-validation, security assessors, and other personnel having access to system-level software,
-security-related technical training specifically tailored for their assigned duties. <br />
-Comprehensive role-based training addresses management, operational, and technical roles
-and responsibilities covering physical, personnel, and technical controls. Such training can
-include policies, procedures, tools, and artifacts for the security roles defined. Organizations
-also provide the training necessary for individuals to carry out their responsibilities related
-to operations and supply chain security within the context of organizational information
-security programs. <br />
-NIST SP 800-181 provides guidance on role-based information security training in the
-workplace. SP 800-161 provides guidance on supply chain risk management.
-'''FURTHER DISCUSSION '''
-Training imparts skills and knowledge to enable staff to perform a specific job function.
-Training should be available to all employees for all organizational roles to accommodate
-role changes without being constrained by the training schedule. Awareness training and
-role-based training are different. Awareness training provides general security training to
-influence user behavior and is covered by AT.L2-3.2.1. This requirement, AT.L2-3.2.2, covers
-role-based training that focuses on the knowledge, skills, and abilities needed to complete a
-specific job. Role-based training may include awareness topics specific to individual roles
-such as ensuring systems administrators understand the risk associated with using an
-administrative account.
-'''Example <br />
-'''Your company upgraded the firewall to a newer, more advanced system to protect the CUI it
-stores. You have been identified as an employee who needs training on the new device [a,b,c].
-This will enable you to use the firewall effectively and efficiently. Your company considered
-training resources when it planned for the upgrade and ensured that training funds were
-available as part of the upgrade project [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Are the duties, roles,  and responsibilities that impact, directly or indirectly, the
-information security of the company or its systems defined and documented [a]?
-•
-  Do information security-related tasks have accountable owners, and is a strictly limited
-group of individuals assigned to perform them [b]?
-•
-  Are personnel who  are assigned information security-related duties, roles,  and
-responsibilities trained on those responsibilities, including the security requirements
-unique or inherent to their roles or responsibilities [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.2.2
-''' '''
-AT.L2-3.2.3 – Insider Threat Awareness
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AT.L2-3.2.3 – INSIDER THREAT AWARENESS '''
-Provide security awareness training on recognizing and reporting potential indicators of
-insider threat.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|60 ]]'''
-Determine if: <br />
-[a] potential indicators associated with insider threats are identified; and <br />
-[b] security awareness training on recognizing and reporting potential indicators of insider
-threat is provided to managers and employees.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|A]60 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security awareness and training policy; procedures addressing security
-awareness training implementation; security awareness training curriculum; security
-awareness training materials; insider threat policy and procedures; system security plan;
-other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel that participate in security awareness training; personnel with
-responsibilities for basic security awareness training; personnel with information security
-responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms managing insider threat training].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|61]] '''
-Potential indicators and possible precursors  of insider threat include behaviors such as:
-inordinate, long-term job dissatisfaction; attempts to gain access to information that is not
-required for job performance; unexplained access to financial resources; bullying or sexual
-harassment of fellow employees; workplace violence; and other serious violations of the
-policies, procedures, directives, rules, or practices of organizations.  Security awareness
-training includes how to communicate employee and management concerns regarding
-potential indicators of insider threat through appropriate organizational channels in
-accordance with established organizational policies and procedures.  Organizations may
-consider tailoring insider threat awareness topics to the role (e.g., training for managers may
-be focused on specific changes in behavior of team members, while training for employees
-may be focused on more general observations).
- NIST SP 800-171A, p. 20.
- NIST SP 800-171 Rev. 2, p. 17.
-''' '''
-AT.L2-3.2.3 – Insider Threat Awareness
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-An insider threat is the threat that an insider will use their authorized access, wittingly or
-unwittingly, to do harm. Insider threat security awareness training focuses on recognizing
-employee behaviors and characteristics that might be indicators of an insider threat and the
-guidelines and procedures to handle and report it. Training for managers will provide
-guidance on observing team members to identify all potential threat indicators, while
-training for general employees will provide guidance for focusing on a smaller number of
-indicators. Employee behaviors will vary depending on roles, team membership, and
-associated information needs.  The person responsible for specifying insider threat
-indicators must be cognizant of these factors. Because of this, organizations may choose to
-tailor the training for specific roles. This requirement does not require separate training
-regarding insider threat. Organizations may choose to integrate these topics into their
-standard security awareness training programs.
-'''Example <br />
-'''You are responsible for training all employees on the awareness of high-risk behaviors that
-can indicate a potential insider threat [b]. You educate yourself on the latest research on
-insider threat indicators by reviewing a number of law enforcement bulletins [a]. You then
-add the following example to the training package: A baseline of normal behavior for work
-schedules has been created. One employee’s normal work schedule is 8:00 AM–5:00 PM, but
-another employee noticed that the employee has been working until 9:00 PM every day even
-though no projects requiring additional hours have been assigned [b].  The observing
-employee reports the abnormal work schedule using the established reporting guidelines.
-'''Potential Assessment Considerations <br />
-'''•
-  Do training materials include potential indicators associated with insider threats (e.g.,
-repeated security violations, unusual work hours, unexpected significant transfers of
-data, suspicious contacts, concerning behaviors outside the workplace) [a,b]?
-•
-  Do training materials include methods of reporting potential indicators of insider threats
-to management or responsible security personnel [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.2.3
-''' '''
-AU.L2-3.3.1 – System Auditing
-CMMC Assessment Guide – Level 2 | Version 2.13
-Audit and Accountability (AU) <br />
-'''AU.L2-3.3.1 – SYSTEM AUDITING '''
-Create and retain system audit logs and records to the extent needed to enable the
-monitoring, analysis, investigation, and reporting of unlawful or unauthorized system
-activity.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|62 ]]'''
-Determine if: <br />
-[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis,
-investigation, and reporting of unlawful or unauthorized system activity are specified;
-[b] the content of audit records needed to support monitoring, analysis, investigation, and
-reporting of unlawful or unauthorized system activity is defined;
-[c]  audit records are created (generated); <br />
-[d] audit records, once created, contain the defined content; <br />
-[e] retention requirements for audit records are defined; and <br />
-[f]  audit records are retained as defined.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|A]62 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; procedures addressing auditable events;
-system security plan; system design documentation; system configuration settings  and
-associated documentation; procedures addressing control of audit records; procedures
-addressing audit record generation; system audit logs and records; system auditable events;
-system incident reports; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
-information security responsibilities; personnel with audit review, analysis and reporting
-responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing system audit logging].
- NIST SP 800-171A, p. 21.
-''' '''
-AU.L2-3.3.1 – System Auditing
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#81|63]] '''
-An event is any observable occurrence in a system, which includes unlawful or unauthorized
-system activity. Organizations identify event types for which a logging functionality is
-needed as those events which are significant and relevant to the security of systems and the
-environments in which those systems operate to meet specific and ongoing auditing needs.
-Event types can include password changes, failed logons or failed  accesses related to
-systems, administrative privilege usage, or third-party credential usage. In determining
-event types that require logging, organizations consider the monitoring and auditing
-appropriate for each of the CUI security requirements. Monitoring and auditing
-requirements can be balanced with other system needs. For example, organizations may
-determine that systems must have the capability to log every file access both successful and
-unsuccessful, but not activate that capability except for specific circumstances due to the
-potential burden on system performance. <br />
-Audit records can be generated at various levels of abstraction, including at the packet level
-as information traverses the network. Selecting the appropriate level of abstraction is a
-critical aspect of an audit logging capability and can facilitate the identification of root causes
-to problems. Organizations consider in the definition of event types, the logging necessary to
-cover related events such as the steps in distributed, transaction-based processes (e.g.,
-processes that are distributed across multiple organizations) and actions that occur in
-service-oriented or cloud-based architectures. <br />
-Audit record content that may be necessary to satisfy this requirement includes time stamps,
-source and destination addresses, user or process identifiers, event descriptions, success or
-failure indications, filenames involved, and access control or flow control rules invoked.
-Event outcomes can include indicators of event success or failure and event-specific results
-(e.g., the security state of the system after the event occurred). <br />
-Detailed information that organizations may consider in audit records includes full text
-recording of privileged commands or the individual identities of group account users.
-Organizations consider limiting the additional audit log information to only that information
-explicitly needed for specific audit requirements. This facilitates the use of audit trails and
-audit logs by not including information that could potentially be misleading or could make it
-more difficult to locate information of interest. Audit logs are reviewed and analyzed as often
-as needed to provide important information to organizations to facilitate risk-based decision
-making. NIST SP 800-92 provides guidance on security log management.
-'''FURTHER DISCUSSION '''
-OSAs  must ensure that all applicable systems create and retain audit logs that contain
-enough information to identify and investigate potentially unlawful or unauthorized system
-activity. OSAs must define the audit logs it needs to collect as well as the specific events to
-capture within the selected logs. Captured audit records are checked to verify that they
-contain the required events.
- NIST SP 800-171 Rev. 2, pp. 17-18.
-''' '''
-AU.L2-3.3.1 – System Auditing
-CMMC Assessment Guide – Level 2 | Version 2.13
-In defining the audit log retention period, OSAs must ensure that logs are retained for a
-sufficiently long period to allow for the investigation of a security event. The retention period
-must take into account the delay of weeks or months that can occur between an initial
-compromise and the discovery of attacker activity.
-'''Example <br />
-'''You set up audit logging capability for your company. You determine that all systems that
-contain CUI must have extra detail in the audit logs. Because of this, you configure these
-systems to log the following information for all user actions [b,c]: <br />
-•
-  time stamps;
-•
-  source and destination addresses;
-•
-  user or process identifiers;
-•
-  event descriptions;
-•
-  success or fail indications;''' '''and''' '''
-•
-  filenames.''' '''
-'''Potential Assessment Considerations <br />
-'''•
-  Are audit log retention requirements appropriate to the system and its associated level
-of risk [e]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.1
-''' '''
-AU.L2-3.3.2 – User Accountability
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.2 – USER ACCOUNTABILITY '''
-Ensure that the actions of individual system users can be uniquely traced to those users so
-they can be held accountable for their actions.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|64 ]]'''
-Determine if: <br />
-[a] the content of the audit records needed to support the ability to uniquely trace users to
-their actions is defined; and
-[b] audit records, once created, contain the defined content.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|A]64 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; procedures addressing audit records and
-event types; system security plan; system design documentation; system configuration
-settings and associated documentation; procedures addressing audit record generation;
-procedures addressing audit review, analysis, and reporting; reports of audit findings;
-system audit logs and records; system events; system incident reports; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing system audit logging].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|65]] '''
-This requirement ensures that the contents of the audit record include the information
-needed to link the audit event to the actions of an individual to the extent feasible.
-Organizations consider logging for traceability including results from monitoring of account
-usage, remote access, wireless connectivity, mobile device connection, communications at
-system boundaries, configuration settings, physical access, nonlocal maintenance, use of
-maintenance tools, temperature and humidity, equipment delivery and removal, system
-component inventory, use of mobile code, and use of VoIP.
- NIST SP 800-171A, pp. 21-22.
- NIST SP 800-171 Rev. 2, p. 18.
-''' '''
-AU.L2-3.3.2 – User Accountability
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Capturing the necessary information in audit logs ensures that you can trace actions to a
-specific user. This may include capturing user IDs, source and destination addresses, and
-time stamps. Logging from networks, servers, clients, and applications should be considered
-in ensuring accountability. <br />
-This  requirement,  AU.L2-3.3.2, which ensures logging and traceability of user actions,
-supports the control of non-privileged users required by AC.L2-3.1.7 as well as many other
-auditing, configuration management, incident response, and situation awareness
-requirements.
-'''Example <br />
-'''You manage systems for a company that stores, processes, and transmits CUI. You want to
-ensure that you can trace all remote access sessions to a specific user. You configure the VPN
-device to capture the following information for all remote access connections: source and
-destination IP address, user ID, machine name, time stamp, and  user actions during the
-remote session [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are users uniquely traced and held responsible for unauthorized actions [a]?
-•
-  Does the system protect against an individual denying having performed an action (non-
-repudiation) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.2
- <br />
-''' '''
-AU.L2-3.3.3 – Event Review
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.3 – EVENT REVIEW '''
-Review and update logged events.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|66 ]]'''
-Determine if: <br />
-[a] a process for determining when to review logged events is defined; <br />
-[b] event types being logged are reviewed in accordance with the defined review process;
-and
-[c]  event types being logged are updated based on the review.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|A]66 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; procedures addressing audit records and
-event types; system security plan; list of organization-defined event types to be logged;
-reviewed and updated records of logged event types; system audit logs and records; system
-incident reports; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting review and update of logged event types].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|67]] '''
-The intent of this requirement is to periodically re-evaluate which logged events will
-continue to be included in the list of events to be logged. The event types that are logged by
-organizations may change over time. Reviewing and updating the set of logged event types
-periodically is necessary to ensure that the current set remains necessary and sufficient.
-'''FURTHER DISCUSSION '''
-This requirement is focused on the configuration of the auditing system, not the review of
-the audit records produced by the selected events. The review of the audit logs is covered
-under AU.L2-3.3.5 and AU.L2-3.3.6.
- NIST SP 800-171A, p. 22.
- NIST SP 800-171 Rev. 2, pp. 18-19.
-''' '''
-AU.L2-3.3.3 – Event Review
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''You are in charge of IT operations for a company that processes CUI and are responsible for
-identifying and documenting which events are relevant to the security of your company’s
-systems. Your company has decided that this list of events should be updated annually or
-when new security threats or events have been identified, which may require additional
-events to be logged and reviewed [a]. The list of events you are capturing in your logs started
-as the list of recommended events given by the manufacturers of your operating systems and
-devices, but it has grown from experience. <br />
-Your company experiences a security incident, and a forensics review shows the logs appear
-to have been deleted by a remote user. You notice that remote sessions are not currently
-being logged [b]. You update the list of events to include logging all VPN sessions [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Do documented processes include methods for determining when to review logged event
-types (i.e., regular frequency, after incidents, after major system changes) [a]?
-•
-  Do documented processes include methods for reviewing event types being logged (i.e.,
-based on specific threat, use case, retention capacity, current utilization, and/or newly
-added system component or functionality) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.3
- <br />
-''' '''
-AU.L2-3.3.4 – Audit Failure Alerting
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.4 – AUDIT FAILURE ALERTING '''
-Alert in the event of an audit logging process failure.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|68 ]]'''
-Determine if: <br />
-[a] personnel or roles to be alerted in the event of an audit logging process failure are
-identified;
-[b] types of audit logging process failures for which alert will be generated are defined; and <br />
-[c]  identified personnel or roles are alerted in the event of an audit logging process failure.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|A]68 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; procedures addressing response to audit
-logging  processing failures; system design documentation; system security plan; system
-configuration settings and associated documentation; list of personnel to be notified in case
-of an audit logging processing failure; system incident reports; system audit logs and
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
-information security responsibilities; system or network administrators; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing system response to audit logging process
-failures].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|69]] '''
-Audit logging process failures include software and hardware errors, failures in the audit
-record capturing mechanisms, and audit record storage capacity being reached or exceeded.
-This requirement applies to each audit record data storage repository (i.e., distinct system
-component where audit records are stored), the total audit record storage capacity of
-organizations (i.e., all audit record data storage repositories combined), or both.
- NIST SP 800-171A, p. 22.
- NIST SP 800-171 Rev. 2, p. 19.
-''' '''
-AU.L2-3.3.4 – Audit Failure Alerting
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Audit logging keeps track of activities occurring on the network, servers, user workstations,
-and other components of the overall system.  These logs must always be available and
-functional.  The  company’s  designated security personnel (e.g.,  system administrator and
-security officer) need to be aware when the audit log process fails or becomes unavailable
-[a]. Notifications  (e.g., email, Short Message Service  (SMS))  should  to be sent to the
-company’s designated security personnel to immediately take appropriate action. If security
-personnel are unaware of the audit logging process failure, then they will be unaware of any
-suspicious activity occurring at that time. Response to an audit logging process failure should
-account for the extent of the failure (e.g., a single component’s audit logging versus failure of
-the centralized logging solution), the risks involved in this loss of audit logging, and other
-factors (e.g., the possibility that an adversary could have caused the audit logging process
-failure).
-'''Example <br />
-'''You are in charge of IT operations for a  company  that processes CUI, and your
-responsibilities include managing the audit logging process. You configure your systems to
-send you an email in the event of an audit log failure. One day, you receive one of these alerts.
-You connect to the system, restart logging, and determine why the logging stopped [a,b,c].
-'''Potential Assessment Considerations <br />
-'''•
-  Will the system alert personnel with security responsibilities in the event of an audit
-processing failure?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.4
- <br />
-''' '''
-AU.L2-3.3.5 – Audit Correlation
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.5 – AUDIT CORRELATION '''
-Correlate audit record review, analysis, and reporting processes for investigation and
-response to indications of unlawful, unauthorized, suspicious, or unusual activity.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|70 ]]'''
-Determine if: <br />
-[a] audit record review, analysis, and reporting processes for investigation and response to
-indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
-[b] defined audit record review, analysis, and reporting processes are correlated.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|A]70 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; procedures addressing audit record review,
-analysis, and reporting; system security plan; system design documentation; system
-configuration settings and associated documentation; procedures addressing investigation
-of and response to suspicious activities; system audit logs and records across different
-repositories; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit record review, analysis, and reporting responsibilities;
-personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting analysis and correlation of audit records;
-mechanisms integrating audit review, analysis and reporting].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|71]] '''
-Correlating audit record review, analysis, and reporting processes helps to ensure that they
-do not operate independently, but rather collectively. Regarding the assessment of a given
-organizational system, the requirement is agnostic as to whether this correlation is applied
-at the system level or at the organization level across all systems.
-'''FURTHER DISCUSSION '''
-Companies must review, analyze, and report audit records to help detect and respond to
-security incidents in a timely manner for the purpose of investigation and corrective actions.
-Collection of audit logs into one or more central repositories may facilitate correlated review.
- NIST SP 800-171A, p. 23.
- NIST SP 800-171 Rev. 2, p. 19.
-''' '''
-AU.L2-3.3.5 – Audit Correlation
-CMMC Assessment Guide – Level 2 | Version 2.13
-Small companies may be able to accomplish this manually with well-defined and -managed
-procedures. Larger companies will use an automated system for analysis that correlates log
-data from across the entire enterprise. Some companies may want to orchestrate the analysis
-process  to  include the use of Application Programming Interfaces (APIs)  for collection,
-correlation, and the automation of responses based on programed rulesets.
-'''Example <br />
-'''You are a member of a cyber defense team responsible for audit log analysis. You run an
-automated tool that analyzes all the audit logs across a Local Area Network (LAN) segment
-simultaneously looking for similar anomalies on separate systems at separate locations.
-Some of these systems store CUI. After extracting anomalous information and performing a
-correlation analysis [b], you determine that four different systems have had their event log
-information cleared between 2:00 AM to 3:00 AM, although the associated dates are
-different. The team monitors all systems on the same LAN segment between 2:00 AM to 3:00
-AM for the next 30 days.
-'''Potential Assessment Considerations <br />
-'''•
-  Are mechanisms used across different repositories to integrate audit review, analysis,
-correlation, and reporting processes [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.5
- <br />
-''' '''
-AU.L2-3.3.6 – Reduction &amp; Reporting
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.6 – REDUCTION &amp; REPORTING '''
-Provide audit record reduction and report generation to support on-demand analysis and
-reporting.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|72 ]]'''
-Determine if: <br />
-[a] an audit record reduction capability that supports on-demand analysis is provided; and <br />
-[b] a report generation capability that supports on-demand reporting is provided.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|A]72 ]]'''
-'''Examine <br />
-'''[SELECT  FROM: Audit and accountability policy; procedures addressing audit record
-reduction and report generation; system design documentation; system security plan;
-system configuration settings and associated documentation; audit record reduction,
-review, analysis, and reporting tools; system audit logs and records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit record reduction and report generation
-responsibilities; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Audit record reduction and report generation capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|73]] '''
-Audit record reduction is a process that manipulates collected audit information and
-organizes such information in a summary format that is more meaningful to analysts. Audit
-record reduction and report generation capabilities do not always emanate from the same
-system or organizational entities conducting auditing activities.  Audit record reduction
-capability can include, for example, modern data mining techniques with advanced data
-filters to identify anomalous behavior in audit records.  The report generation capability
-provided by the system can help generate customizable reports.  Time ordering of audit
-records can be a significant issue if the granularity of the time stamp  in the record is
-insufficient.
- NIST SP 800-171A, p. 23.
- NIST SP 800-171 Rev. 2, p. 19.
-''' '''
-AU.L2-3.3.6 – Reduction &amp; Reporting
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Raw audit log data is difficult to review, analyze, and report because of the volume of data.
-Audit record reduction is an automated process that interprets raw audit log data and
-extracts meaningful and relevant information without altering the original logs. An example
-of log reduction for files to be analyzed would be the removal of details associated with
-nightly backups. Report generation on reduced log information allows you to create succinct
-customized reports without the need to burden the reader with unimportant information. In
-addition, the security-relevant audit information must be made available to personnel on
-demand for immediate review, analysis, reporting, and event investigation support.
-Performing audit log reduction and providing on-demand reports may allow the analyst to
-take mitigating action before an adversary completes its malicious actions.
-'''Example <br />
-'''You are in charge of IT operations in a company that processes CUI. You are responsible for
-providing audit record reduction and report generation capability. To support this function,
-you deploy an open-source solution that will collect and analyze data for signs of anomalies.
-The solution queries your central log repository to extract relevant data and provide you
-with a concise and comprehensive view for further analysis to identify potentially malicious
-activity [a]. In addition to creating on-demand data sets for analysis, you create customized
-reports explaining the contents of the data set [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Does the system support on-demand audit review, analysis, and reporting requirements
-and after-the-fact security investigations [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.6
-''' '''
-AU.L2-3.3.7 – Authoritative Time Source
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE '''
-Provide a system capability that compares and synchronizes internal system clocks with an
-authoritative source to generate time stamps for audit records.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|74 ]]'''
-Determine if: <br />
-[a] internal system clocks are used to generate time stamps for audit records; <br />
-[b] an authoritative source with which to compare and synchronize internal system clocks
-is specified; and
-[c]  internal system clocks used to generate time stamps for audit records are compared to
-and synchronized with the specified authoritative time source.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|A]74 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; procedures addressing time stamp
-generation; system design documentation; system security plan; system configuration
-settings and associated documentation; system audit logs and records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with information security responsibilities; system or network
-administrators; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing time stamp generation; mechanisms
-implementing internal information system clock synchronization].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|75]] '''
-Internal system clocks are used to generate time stamps, which include date and time. Time
-is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich
-Mean Time (GMT), or local time with an offset from UTC.  The granularity of time
-measurements refers to the degree of synchronization between system clocks and reference
-clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of
-milliseconds.  Organizations may define different time granularities for different system
-components. Time service can also be critical to other security capabilities such as access
-control and identification and authentication, depending on the nature of the mechanisms
- NIST SP 800-171A, pp. 23-24.
- NIST SP 800-171 Rev. 2, p. 19.
-''' '''
-AU.L2-3.3.7 – Authoritative Time Source
-CMMC Assessment Guide – Level 2 | Version 2.13
-used to support those capabilities. This requirement provides uniformity of time stamps for
-systems with multiple system clocks and systems connected over a network.
-'''FURTHER DISCUSSION '''
-Each system must synchronize its time with a central time server to ensure that all systems
-are recording audit logs using the same time source. Reviewing audit logs from multiple
-systems can be a difficult task if time is not synchronized. Systems can be synchronized to a
-network device or directory service or configured manually.
-'''Example <br />
-'''You are setting up several new computers on your company’s network, which contains CUI.
-You update the time settings on each machine to use the same authoritative time server on
-the internet [b,c]. When you review audit logs, all your machines will have synchronized
-time, which aids in any potential security investigations.
-'''Potential Assessment Considerations <br />
-'''•
-  Can the records’ time stamps map to Coordinated Universal Time (UTC), compare system
-clocks with authoritative Network Time Protocol (NTP) servers, and synchronize system
-clocks when the time difference is greater than 1 second [c]?
-•
-  Does the system synchronize internal system clocks on a defined frequency [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.7
- <br />
-''' '''
-AU.L2-3.3.8 – Audit Protection
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.8 – AUDIT PROTECTION '''
-Protect audit information and audit logging tools from unauthorized access, modification,
-and deletion.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|76 ]]'''
-Determine if: <br />
-[a] audit information is protected from unauthorized access; <br />
-[b] audit information is protected from unauthorized modification; <br />
-[c]  audit information is protected from unauthorized deletion; <br />
-[d] audit logging tools are protected from unauthorized access; <br />
-[e] audit logging tools are protected from unauthorized modification; and <br />
-[f]  audit logging tools are protected from unauthorized deletion.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|A]76 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; access control policy and procedures;
-procedures addressing protection of audit information; system security plan; system design
-documentation; system configuration settings and associated documentation, system audit
-logs and records; audit logging tools; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
-information security responsibilities; system or network administrators; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing audit information protection].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|77]] '''
-Audit information includes all information (e.g., audit records, audit log settings, and audit
-reports) needed to successfully audit system activity. Audit logging tools are those programs
-and devices used to conduct audit and logging activities. This requirement focuses on the
-technical protection of audit information and limits the ability to access and execute audit
-logging tools to authorized individuals. Physical protection of audit information is addressed
-by media protection and physical and environmental protection requirements.
- NIST SP 800-171A, p. 24.
- NIST SP 800-171 Rev. 2, p. 20.
-''' '''
-AU.L2-3.3.8 – Audit Protection
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Audit information is a critical record of what events occurred, the source of the events, and
-the outcomes of the events; this information needs to be protected.  The logs must be
-properly secured so that the information may not be modified or deleted, either intentionally
-or unintentionally. Only those with a legitimate need-to-know should have access to audit
-information, whether that information is being accessed directly from logs or from audit
-tools.
-'''Example <br />
-'''You are in charge of  IT operations in a  company  that handles CUI. Your responsibilities
-include protecting audit information and audit logging tools. You protect the information
-from modification or deletion by having audit log events forwarded to a central server and
-by restricting the local audit logs to only be viewable by the system administrators [a,b,c].
-Only a small group of security professionals can view the data on the central audit server
-[b,c,d]. For an additional layer of protection, you back up the server daily and encrypt the
-backups before sending them to a cloud data repository [a,b,c].
-'''Potential Assessment Considerations <br />
-'''•
-  Is there a list of authorized users for audit systems and tools [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.8
- <br />
-''' '''
-AU.L2-3.3.9 – Audit Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''AU.L2-3.3.9 – AUDIT MANAGEMENT '''
-Limit management of audit logging functionality to a subset of privileged users.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|78 ]]'''
-Determine if: <br />
-[a] a subset of privileged users granted access to manage audit logging functionality is
-defined; and
-[b] management of audit logging functionality is limited to the defined subset of privileged
-users.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|A]78 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Audit and accountability policy; access control policy and procedures;
-procedures addressing protection of audit information; system security plan; system design
-documentation; system configuration settings and associated documentation; access
-authorizations; system-generated list of privileged users with access to management of audit
-logging functionality; access control list; system audit logs and records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
-information security responsibilities; system or network administrators; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms managing access to audit logging functionality].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|79]] '''
-Individuals with privileged access to a system and who are also the subject of an audit by
-that system, may affect the reliability of audit information by inhibiting audit logging
-activities or modifying audit records. This requirement specifies that privileged access be
-further defined between audit-related privileges and other privileges, thus limiting the users
-with audit-related privileges.
- NIST SP 800-171A, pp. 24-25.
- NIST SP 800-171 Rev. 2, p. 20.
-''' '''
-AU.L2-3.3.9 – Audit Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Companies should restrict access to audit logging functions to a limited number of privileged
-users who can modify audit logs and audit settings. General users should not be granted
-permissions to perform audit management. All audit managers should be privileged users,
-but only a small subset of privileged users will be given audit management responsibilities.
-Functions performed by privileged users must be distinctly separate from the functions
-performed by users who have audit-related responsibilities to reduce the potential of
-fraudulent activities by privileged users not being detected or reported.  When possible,
-individuals who manage audit logs should not have access to other privileged functions.
-'''Example <br />
-'''You are responsible for the administration of select company infrastructure that contains
-CUI, but you are not responsible for managing audit information. You are not permitted to
-review audit logs, delete audit logs, or modify audit log settings [b]. Full control of audit
-logging functions has been given to senior system administrators [a,b]. This separation of
-system administration duties from audit logging management is necessary to prevent
-possible log file tampering.
-'''Potential Assessment Considerations <br />
-'''•
-  Are audit records of nonlocal accesses to privileged accounts and the execution of
-privileged functions protected [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.3.9
- <br />
-''' '''
-CM.L2-3.4.1 – System Baselining
-CMMC Assessment Guide – Level 2 | Version 2.13
-Configuration Management (CM) <br />
-'''CM.L2-3.4.1 – SYSTEM BASELINING '''
-Establish and maintain baseline configurations and inventories of organizational systems
-(including hardware, software, firmware, and documentation) throughout the respective
-system development life cycles.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|80 ]]'''
-Determine if: <br />
-[a] a baseline configuration is established; <br />
-[b] the baseline configuration includes hardware, software, firmware, and documentation; <br />
-[c]  the baseline configuration is maintained (reviewed and updated) throughout the
-system development life cycle;
-[d] a system inventory is established; <br />
-[e] the system inventory includes hardware, software, firmware, and documentation; and <br />
-[f]  the inventory is maintained (reviewed and updated) throughout the system
-development life cycle.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|A]80 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing the baseline
-configuration of the system; procedures addressing system inventory; system security plan;
-configuration management plan; system inventory records; inventory review and update
-records; enterprise architecture documentation; system design documentation; system
-architecture and configuration documentation; system configuration settings and associated
-documentation; change control records; system component installation records; system
-component removal records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with configuration management responsibilities; personnel with
-responsibilities for establishing the system inventory; personnel with responsibilities for
-updating the system inventory; personnel with information security responsibilities; system
-or network administrators].
- NIST SP 800-171A, p. 26.
-''' '''
-CM.L2-3.4.1 – System Baselining
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Test <br />
-'''[SELECT FROM: Organizational processes for managing baseline configurations;
-mechanisms supporting configuration control of the baseline configuration; organizational
-processes for developing and documenting an inventory of system components;
-organizational processes for updating inventory of system components; mechanisms
-supporting or implementing the system inventory; mechanisms implementing updating of
-the system inventory].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#100|81]] '''
-This requirement establishes and maintains baseline configurations for systems and system
-components including for system communications and connectivity. Baseline configurations
-are documented, formally reviewed, and agreed-upon sets of specifications for systems or
-configuration items within those systems. Baseline configurations serve as a basis for future
-builds, releases, and changes to systems. Baseline configurations include information about
-system components (e.g., standard software packages installed on workstations, notebook
-computers, servers, network components, or mobile devices; current version numbers and
-update and patch information on operating systems and applications; and configuration
-settings and parameters), network topology, and the logical placement of those components
-within the system architecture. Baseline configurations of systems also reflect the current
-enterprise architecture. Maintaining effective baseline configurations requires creating new
-baselines as organizational systems change over time. Baseline configuration maintenance
-includes reviewing and updating the baseline configuration when changes are made based
-on security risks and deviations from the established baseline configuration. <br />
-Organizations can implement centralized system component inventories that include
-components from multiple organizational systems. In such situations, organizations ensure
-that the resulting inventories include system-specific information required for proper
-component accountability (e.g., system association, system owner).  Information deemed
-necessary for effective accountability of system components includes hardware inventory
-specifications, software license information, software version numbers, component owners,
-and for networked components or devices, machine names and network addresses.
-Inventory specifications include manufacturer, device type, model, serial number, and
-physical location. <br />
-NIST SP 800-128 provides guidance on security-focused configuration management.
-'''FURTHER DISCUSSION '''
-An effective cybersecurity program depends on consistent, secure system and component
-configuration and management. Build and configure systems from a known, secure, and
-approved configuration baseline. This includes: <br />
-•
-  documenting the software and configuration settings of a system;
- NIST SP 800-171 Rev. 2, p. 20.
-''' '''
-CM.L2-3.4.1 – System Baselining
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  placement within the network; and
-•
-  other specifications as required by the organization.
-'''Example <br />
-'''You are in charge of upgrading the computer operating systems of your office’s computers.
-Some of these computers process, store, or transmit CUI. You research how to set up and
-configure a workstation with the least functionality and highest security and use that as the
-framework for creating a configuration that minimizes functionality while still allowing
-users to do their tasks. After testing the new baseline on a single workstation, you document
-this configuration and apply it to the other computers [a]. You then check to make sure that
-the software changes are accurately reflected in your master system inventory [e]. Finally,
-you set a calendar reminder to review the baseline in three months [f].
-'''Potential Assessment Considerations <br />
-'''•
-  Do baseline configurations include software versions and patch level, configuration
-parameters, network information, and communications with connected systems [a,b]?
-•
-  Are baseline configurations updated as needed to accommodate security risks or
-software changes [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.1
- <br />
-''' '''
-CM.L2-3.4.2 – Security Configuration Enforcement
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT '''
-Establish and enforce security configuration settings for information technology products
-employed in organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|82 ]]'''
-Determine if: <br />
-[a] security configuration settings for information technology products employed in the
-system are established and included in the baseline configuration; and
-[b] security configuration settings for information technology products employed in the
-system are enforced.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|A]82 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; baseline configuration; procedures
-addressing configuration settings for the system; configuration management plan; system
-security plan; system design documentation; system configuration settings and associated
-documentation; security configuration checklists; evidence supporting approved deviations
-from established configuration settings; change control records; system audit logs and
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with security configuration management responsibilities;
-personnel with information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for managing configuration settings; mechanisms
-that implement, monitor, and/or control system configuration settings; mechanisms that
-identify and/or document deviations from established configuration settings; processes for
-managing baseline configurations; mechanisms supporting configuration control of baseline
-configurations].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|83]] <br />
-'''Configuration settings are the set of parameters that can be changed in hardware, software,
-or firmware components of the system that affect the security posture or functionality of the
-system. Information technology products for which security-related configuration settings
-can be defined include mainframe computers, servers, workstations, input and output
-devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers,
- NIST SP 800-171A, pp. 26-27.
- NIST SP 800-171 Rev. 2, p. 21.
-''' '''
-CM.L2-3.4.2 – Security Configuration Enforcement
-CMMC Assessment Guide – Level 2 | Version 2.13
-gateways, voice and data switches, wireless access points, network appliances, sensors),
-operating systems, middleware, and applications. <br />
-Security parameters are those parameters impacting the security state of systems including
-the parameters required to satisfy other security requirements. Security parameters include:
-registry settings; account, file, directory permission settings; and settings for functions,
-ports, protocols, and remote connections. Organizations establish organization-wide
-configuration settings and subsequently derive specific configuration settings for systems.
-The established settings become part of the systems configuration baseline. <br />
-Common secure configurations (also referred to as security configuration checklists,
-lockdown and hardening guides, security reference guides, security technical
-implementation guides) provide recognized, standardized, and established benchmarks that
-stipulate secure configuration settings for specific  information technology
-platforms/products and instructions for configuring those system components to meet
-operational requirements. Common secure configurations can be developed by a variety of
-organizations including information technology product developers, manufacturers,
-vendors, consortia, academia, industry, federal agencies, and other organizations in the
-public and private sectors. <br />
-NIST SP 800-70 and SP 800-128 provide guidance on security configuration settings.
-'''FURTHER DISCUSSION <br />
-'''Information security is an integral part of a company’s configuration management process.
-Security-related configuration settings are customized to satisfy the company’s security
-requirements and are applied them to all systems once tested and approved. The
-configuration settings must reflect the most restrictive settings that are appropriate for the
-system. Any required deviations from the baseline are reviewed, documented, and approved.
-'''Example <br />
-'''You manage baseline configurations for your company’s systems, including those that
-process, store, and transmit CUI. As part of this, you download a secure configuration guide
-for each of your asset types (servers, workstations, network components, operating systems,
-middleware, and applications) from a well-known and trusted IT security organization. You
-then apply all of the settings that you can while still ensuring the assets can perform the role
-for which they are needed. Once you have the configuration settings identified and tested,
-you document them to ensure all applicable machines can be configured the same way [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Do security settings reflect the most restrictive settings appropriate [a]?
-•
-  Are changes or deviations to security settings documented [b]?
-'''KEY REFERENCES <br />
-'''•
-  NIST SP 800-171 Rev. 2 3.4.2
-''' '''
-CM.L2-3.4.3 – System Change Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT '''
-Track, review, approve or disapprove, and log changes to organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|84 ]]'''
-Determine if: <br />
-[a] changes to the system are tracked; <br />
-[b] changes to the system are reviewed; <br />
-[c]  changes to the system are approved or disapproved; and <br />
-[d] changes to the system are logged.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|A]84 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing system
-configuration change control; configuration management plan; system architecture and
-configuration documentation; system security plan; change control records; system audit
-logs and records; change control audit and review reports; agenda/minutes from
-configuration change control oversight meetings; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with configuration change control responsibilities; personnel
-with information security responsibilities; system or network administrators; members of
-change control board or similar].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for configuration change control; mechanisms that
-implement configuration change control].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|85]] '''
-Tracking, reviewing, approving/disapproving, and logging changes is called configuration
-change control. Configuration change control for organizational systems involves the
-systematic proposal, justification, implementation, testing, review, and disposition of
-changes to the systems, including system upgrades and modifications. Configuration change
-control includes changes to baseline configurations for components and configuration items
-of systems, changes to configuration settings for information technology products (e.g.,
-operating systems, applications, firewalls, routers, and mobile devices), unscheduled and
-unauthorized changes, and changes to remediate vulnerabilities.
- NIST SP 800-171A, p. 27.
- NIST SP 800-171 Rev. 2, p. 21
-''' '''
-CM.L2-3.4.3 – System Change Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-Processes for managing configuration changes to systems include Configuration Control
-Boards or Change Advisory Boards that review and approve proposed changes to systems.
-For new development systems or systems undergoing major upgrades, organizations
-consider including representatives from development organizations on the Configuration
-Control Boards or Change Advisory Boards. Audit logs of changes include activities before
-and after changes are made to organizational systems and the activities required to
-implement such changes. <br />
-NIST SP 800-128 provides guidance on configuration change control.
-'''FURTHER DISCUSSION '''
-You must track, review, and approve configuration changes before committing to
-production. Changes to computing environments can create unintended and unforeseen
-issues that can affect the security and availability of the systems, including those that process
-CUI. Relevant experts and stakeholders must review and approve proposed changes. They
-should discuss potential impacts before the organization puts the changes in place. Relevant
-items include changes to the physical environment and to the systems hosted within it.
-'''Example <br />
-'''Once a month, the management and technical team leads join a change control board
-meeting. During this meeting, everyone reviews all proposed changes to the environment
-[b,c]. This includes changes to the physical and computing environments. The meeting
-ensures that relevant subject-matter experts review changes and propose alternatives
-where needed.
-'''Potential Assessment Considerations '''
-•
-  Are changes to the system authorized by company management and documented
-[a,b,c,d]?
-•
-  Are changes documented and tracked (e.g., manually written down or included in a
-tracking service such as a ticketing system) [d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.3
- <br />
-''' '''
-CM.L2-3.4.4 – Security Impact Analysis
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS '''
-Analyze the security impact of changes prior to implementation.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|86 ]]'''
-Determine if: <br />
-[a] the security impact of changes to the system is analyzed prior to implementation.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|A]86 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing security impact
-analysis for system changes; configuration management plan; security impact analysis
-documentation; system security plan; analysis tools and associated outputs; change control
-records; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibility for conducting security impact analysis;
-personnel with information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for security impact analysis].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|87]] '''
-Organizational personnel with information security responsibilities (e.g., system
-administrators, system security officers, system security managers, and systems security
-engineers) conduct security impact analyses. Individuals conducting security impact
-analyses possess the necessary skills and technical expertise to analyze the changes to
-systems and the associated  security ramifications. Security impact analysis may include
-reviewing security plans to understand security requirements and reviewing system design
-documentation to understand the implementation of controls and how specific changes
-might affect the controls. Security impact analyses may also include risk assessments to
-better understand the impact of the changes and to determine if additional controls are
-required. <br />
-NIST SP 800-128 provides guidance on configuration change control and security impact
-analysis.
- NIST SP 800-171A, p. 27.
- NIST SP 800-171 Rev. 2, pp. 21-22.
-''' '''
-CM.L2-3.4.4 – Security Impact Analysis
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Changes to complex environments are reviewed for potential security impact before
-implemented. Changes to IT systems can cause unforeseen problems and have unintended
-consequences for both users and the security of the operating environment. Analyze the
-security impact of changes prior to implementing them. This can uncover and mitigate
-potential problems before they occur.
-'''Example <br />
-'''You have been asked to deploy a new web browser plug-in. Your standard change
-management process requires that you produce a detailed plan for the change, including a
-review of its potential security impact. A subject-matter expert who did not submit the
-change reviews the plan and tests the new plug-in for functionality and security. You update
-the change plan based on the expert’s findings and submit it to the change control board for
-final approval [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are configuration changes tested, validated, and documented before installing them on
-the operational system [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.4
- <br />
-''' '''
-CM.L2-3.4.5 – Access Restrictions for Change
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE '''
-Define, document, approve, and enforce physical and logical access restrictions associated
-with changes to organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#108|88 ]]'''
-Determine if: <br />
-[a] physical access restrictions associated with changes to the system are defined; <br />
-[b] physical access restrictions associated with changes to the system are documented; <br />
-[c]  physical access restrictions associated with changes to the system are approved; <br />
-[d] physical access restrictions associated with changes to the system are enforced; <br />
-[e] logical access restrictions associated with changes to the system are defined; <br />
-[f]  logical access restrictions associated with changes to the system are documented; <br />
-[g] logical access restrictions associated with changes to the system are approved; and <br />
-[h] logical access restrictions associated with changes to the system are enforced.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#108|A]88 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing access
-restrictions for changes to the system; system security plan;  configuration management
-plan; system design documentation; system architecture and configuration documentation;
-system configuration settings and associated documentation; logical access approvals;
-physical access approvals; access credentials; change control records; system audit logs and
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with logical access control responsibilities; personnel with
-physical access control responsibilities; personnel with information security
-responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for managing access restrictions associated with
-changes to the system; mechanisms supporting, implementing, and enforcing access
-restrictions associated with changes to the system].
- NIST SP 800-171A, p. 28.
-''' '''
-CM.L2-3.4.5 – Access Restrictions for Change
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#109|89]] '''
-Any changes to the hardware, software, or firmware components of systems can potentially
-have significant effects on the overall security of the systems.  Therefore, organizations
-permit only qualified and authorized individuals to access systems for purposes of initiating
-changes, including upgrades and modifications. Access restrictions for change also include
-software libraries.  Access restrictions include physical and logical access control
-requirements, workflow automation, media libraries, abstract layers (e.g., changes
-implemented into external interfaces rather than directly into systems), and change
-windows (e.g., changes occur only during certain specified times). In addition to security
-concerns, commonly-accepted due diligence for configuration management includes access
-restrictions as an essential part in ensuring the ability to effectively manage the
-configuration. <br />
-NIST SP 800-128 provides guidance on configuration change control.
-'''FURTHER DISCUSSION '''
-Define, identify, and document qualified individuals authorized to make physical and logical
-changes to the organization’s hardware, software, software libraries,  or firmware
-components. Control of configuration management activities may involve: <br />
-•
-  physical access control that prohibits unauthorized users from gaining physical access to
-an asset (e.g., requiring a special key card to enter a server room);
-•
-  logical access control that prevents unauthorized users from logging onto a system to
-make configuration changes (e.g.,  requiring specific credentials for modifying
-configuration settings, patching software, or updating software libraries);
-•
-  workflow automation in which configuration management workflow rules define human
-tasks  and data or files are routed between people authorized to do configuration
-management based on pre-defined business rules (e.g., passing an electronic form to a
-manager requesting approval of configuration change made by an authorized employee);
-•
-  an abstraction layer for configuration management that requires changes be made from
-an external system  through constrained interface (e.g.,  software updates can only be
-made from a patch management system with a specific IP address); and
-•
-  utilization of a configuration management change window (e.g., software updates are
-only allowed between 8:00 AM and 10:00 AM or between 6:00 PM and 8:00 PM).
-'''Example <br />
-'''Your datacenter requires expanded  storage  capacity  in a server.  The change has been
-approved, and security is planning to allow an external technician to access the building at a
-specific date and time under the supervision of a manager [a,b,c,d]. A system administrator
-creates a temporary privileged account that can be used to log into the server’s operating
-system and update storage settings [e,f,g]. On the appointed day, the technician is escorted
- NIST SP 800-171 Rev. 2, p. 22.
-''' '''
-CM.L2-3.4.5 – Access Restrictions for Change
-CMMC Assessment Guide – Level 2 | Version 2.13
-into the datacenter, upgrades the hardware, expands the storage in the operating system
-(OS), and departs. The manager verifies the upgrade and disables the privileged account [h].
-'''Potential Assessment Considerations <br />
-'''•
-  Are only employees who are approved to make physical or logical changes on systems
-allowed to do so [a,d,e,h]?
-•
-  Are authorized personnel approved and documented by the service owner and IT
-security [a,e]?
-•
-  Does all change documentation include the name of the authorized employee making the
-change [b,d,f,h]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.5
- <br />
-''' '''
-CM.L2-3.4.6 – Least Functionality
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.6 – LEAST FUNCTIONALITY '''
-Employ the principle of least functionality by configuring organizational systems to provide
-only essential capabilities.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|90 ]]'''
-Determine if: <br />
-[a] essential system capabilities are defined based on the principle of least functionality;
-and
-[b] the system is configured to provide only the defined essential capabilities.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|A]90 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; configuration management plan;
-procedures addressing least functionality in the system; system security plan; system design
-documentation; system configuration settings and associated documentation; security
-configuration checklists; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with security configuration management responsibilities;
-personnel with information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes prohibiting or restricting functions, ports,
-protocols, or services; mechanisms implementing restrictions or prohibition of functions,
-ports, protocols, or services].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|91]] '''
-Systems can provide a wide variety of functions and services. Some of the functions and
-services routinely provided by default, may not be necessary to support essential
-organizational missions, functions, or operations.  It is sometimes convenient to provide
-multiple services from single system components. However, doing so increases risk over
-limiting the services provided by any one component. Where feasible, organizations limit
-component functionality to a single function per component. <br />
-Organizations review functions and services provided by systems or components of systems,
-to determine which functions and services are candidates for elimination.  Organizations
-disable unused or unnecessary physical and logical ports and protocols to prevent
-unauthorized connection of devices, transfer of information, and tunneling. Organizations
- NIST SP 800-171A, pp. 28-29.
- NIST SP 800-171 Rev. 2, p. 22.
-''' '''
-CM.L2-3.4.6 – Least Functionality
-CMMC Assessment Guide – Level 2 | Version 2.13
-can utilize network scanning tools, intrusion detection and prevention systems, and end-
-point protections such as firewalls and host-based intrusion detection systems to identify
-and prevent the use of prohibited functions, ports, protocols, and services.
-'''FURTHER DISCUSSION '''
-You should customize organizational systems to remove non-essential applications and
-disable  unnecessary  services.  Systems come with many unnecessary applications and
-settings enabled by default  including  unused ports and protocols. Leave only the fewest
-capabilities necessary for the systems to operate effectively.
-'''Example <br />
-'''You have ordered a new server, which has arrived with a number of free utilities installed in
-addition to the operating system. Before you deploy the server, you research the utilities to
-determine which ones can be eliminated without impacting functionality. You remove the
-unneeded software, then move on to disable unused ports and services. The server that
-enters  production therefore has only the essential  capabilities enabled for the system to
-function in its role [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are the roles and functions for each system identified along with the software and
-services required to perform those functions [a]?
-•
-  Are the software and services required for those defined functions identified [a]?
-•
-  Is the information system configured to exclude any function not needed in the
-operational environment [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.6
- <br />
-''' '''
-CM.L2-3.4.7 – Nonessential Functionality
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY '''
-Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols,
-and services.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#113|92 ]]'''
-Determine if: <br />
-[a] essential programs are defined; <br />
-[b] the use of nonessential programs is defined; <br />
-[c]  the use of nonessential programs is restricted, disabled, or prevented as defined; <br />
-[d] essential functions are defined; <br />
-[e] the use of nonessential functions is defined; <br />
-[f]  the use of nonessential functions is restricted, disabled, or prevented as defined; <br />
-[g] essential ports are defined; <br />
-[h] the use of nonessential ports is defined; <br />
-[i]  the use of nonessential ports is restricted, disabled, or prevented as defined; <br />
-[j]  essential protocols are defined; <br />
-[k] the use of nonessential protocols is defined; <br />
-[l]  the use of nonessential protocols is restricted, disabled, or prevented as defined; <br />
-[m] essential services are defined; <br />
-[n] the use of nonessential services is defined; and <br />
-[o] the use of nonessential services is restricted, disabled, or prevented as defined.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#113|A]92 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing least
-functionality in the system; configuration management plan; system security plan; system
-design documentation; security configuration checklists; system configuration settings and
-associated documentation; specifications for preventing software program execution;
-documented reviews of programs, functions, ports, protocols, and/or services; change
-control records; system audit logs and records; other relevant documents or records].
- NIST SP 800-171A, p. 29.
-''' '''
-CM.L2-3.4.7 – Nonessential Functionality
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports,
-protocols, and services on the system; personnel with information security responsibilities;
-system or network administrators; system developers].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for reviewing and disabling nonessential
-programs, functions, ports, protocols, or services; mechanisms implementing review and
-handling of nonessential programs, functions, ports, protocols, or services; organizational
-processes preventing program execution on the system; organizational processes for
-software program usage and restrictions; mechanisms supporting or implementing software
-program usage and restrictions; mechanisms preventing program execution on the system].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#114|93]] '''
-Restricting the use of nonessential software (programs) includes restricting the roles
-allowed to approve program execution; prohibiting auto-execute; program blacklisting and
-whitelisting; or restricting the number of program instances executed at the same time. The
-organization makes a security-based determination which functions, ports, protocols,
-and/or services are restricted.  Bluetooth,  File Transfer Protocol (FTP), and peer-to-peer
-networking are examples of protocols organizations consider preventing the use  of,
-restricting, or disabling.
-'''FURTHER DISCUSSION '''
-Organizations should only use the minimum set of programs, services, ports, and protocols
-required for to accomplish the organization’s mission. This has several implications: <br />
-•
-  All unnecessary programs and accounts are removed from all endpoints and servers.
-•
-  The organization makes a policy decision to control the execution of programs through
-either whitelisting or blacklisting.  Whitelisting means a program can only run if the
-software has been vetted in some way, and the executable name has been entered onto a
-list of allowed software. Blacklisting means any software can execute as long it is not on
-a list of known malicious software.  Whitelisting provides far more security than
-blacklisting, but the organization’s policy can direct the implementation of either
-approach. Control of execution applies to both servers and endpoints.
-•
-  The organization restricts the use of all unnecessary ports, protocols, and system services
-in order to limit entry points that attackers can use. For example, the use of the FTP
-service is eliminated from all computers, and the associated ports are blocked unless a
-required service utilizes those ports. The elimination of nonessential functionality on the
-network and systems provides a smaller attack surface for an attacker to gain access and
-take control of your network or systems.
-This requirement, CM.L2-3.4.7, which requires limiting functionality to essential programs,
-ports, protocols, and services, extends CM.L2-3.4.6, which requires adherence to the
- NIST SP 800-171 Rev. 2, pp. 22-23.
-''' '''
-CM.L2-3.4.7 – Nonessential Functionality
-CMMC Assessment Guide – Level 2 | Version 2.13
-principle of least functionality but does not specifically address which elements of a system
-should be limited.
-'''Example <br />
-'''You are responsible for purchasing new endpoint hardware, installing organizationally
-required software to the hardware, and configuring the endpoint in accordance with the
-organization’s policy. The organization has a system imaging capability that loads all
-necessary software, but it does not remove unnecessary services, eliminate the use of certain
-protocols, or close unused ports. After imaging the systems, you close all ports and block the
-use of all protocols except the following: <br />
-•
-  TCP for SSH on port 22;
-•
-  SMTP on port 25;
-•
-  TCP and UDP on port 53; and
-•
-  HTTP and HTTPS on port 443.
-The use of any other ports or protocols are allowed by exception only [i,l,o].
-'''Potential Assessment Considerations <br />
-'''•
-  Are only applications and services that are needed for the function of the system
-configured and enabled [a,b,c,d,e,f]?
-•
-  Are only those ports and protocols necessary to provide the service of the information
-system configured for that system [g,h,i,j,k,l]?
-•
-  Are systems services reviewed to determine what is essential for the function of that
-system [m]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.7
- <br />
-''' '''
-CM.L2-3.4.8 – Application Execution Policy
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.8 – APPLICATION EXECUTION POLICY '''
-Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software
-or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized
-software.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|94 ]]'''
-Determine if: <br />
-[a] a policy specifying whether whitelisting or blacklisting is to be implemented is
-specified;
-[b] the software allowed to execute under whitelisting or denied use under blacklisting is
-specified; and
-[c]  whitelisting to allow the execution of authorized software or blacklisting to prevent the
-use of unauthorized software is implemented as specified.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|A]94 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing least
-functionality in the system; system security plan; configuration management plan; system
-design documentation; system configuration settings and associated documentation; list of
-software programs not authorized to execute on the system; list of software programs
-authorized to execute on the system; security configuration checklists; review and update
-records associated with list of authorized or unauthorized software programs; change
-control records; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for identifying software authorized or not
-authorized to execute on the system; personnel with information security responsibilities;
-system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational process for identifying, reviewing, and updating programs
-authorized or not authorized to execute on the system; process for implementing blacklisting
-or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|95]] '''
-The process used to identify software programs that are not authorized to execute on
-systems is commonly referred to as blacklisting.  The process used to identify software
- NIST SP 800-171A, p. 30.
- NIST SP 800-171 Rev. 2, p. 23.
-''' '''
-CM.L2-3.4.8 – Application Execution Policy
-CMMC Assessment Guide – Level 2 | Version 2.13
-programs that are authorized to execute on systems is commonly referred to as whitelisting.
-Whitelisting is the stronger of the two policies for restricting software program execution.
-In addition to whitelisting, organizations consider verifying the integrity of whitelisted
-software programs using, for example, cryptographic checksums, digital signatures, or hash
-functions.  Verification of whitelisted software can occur either prior to execution or at
-system startup. <br />
-NIST SP 800-167 provides guidance on application whitelisting.
-'''FURTHER DISCUSSION '''
-Organizations should determine their blacklisting or whitelisting policy and configure the
-system to manage software that is allowed to run. Blacklisting or deny-by-exception allows
-all software to run except if on an unauthorized software list such as what is maintained in
-antivirus solutions. Whitelisting or permit-by-exception does not allow any software to run
-except if on an authorized software list. The stronger policy of the two is whitelisting. <br />
-This requirement, CM.L2-3.4.8, requires the implementation of allow-lists and deny-lists for
-application software. It leverages CM.L2-3.4.1, which requires the organization to establish
-and maintain software inventories. <br />
-This requirement, CM.L2-3.4.8, also extends CM.L2-3.4.9, which only requires control and
-monitoring of any user installed software.
-'''Example <br />
-'''To improve your company’s protection from malware, you have decided to allow only
-designated programs to run. With additional research you identify a capability within the
-latest operating system that can control executables, scripts, libraries, or application
-installers run in your environment [c]. To ensure success you begin by authorizing digitally
-signed executables.  Once  they are deployed,  you then plan to evaluate and deploy
-whitelisting for software libraries and scripts [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Is the information system configured to only allow authorized software to run [a,b,c]?
-•
-  Is the system configured to disallow running unauthorized software [a,b,c]?
-•
-  Is there a defined list of software programs authorized to execute on the system [b]?
-•
-  Is the authorization policy a deny-all, permit by exception for software allowed to execute
-on the system [a,b,c]?
-•
-  Are automated mechanisms used to prevent program execution in accordance with
-defined lists (e.g., whitelisting) [a,b,c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.8
-''' '''
-CM.L2-3.4.9 – User-Installed Software
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CM.L2-3.4.9 – USER-INSTALLED SOFTWARE '''
-Control and monitor user-installed software.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|96 ]]'''
-Determine if: <br />
-[a] a policy for controlling the installation of software by users is established; <br />
-[b] installation of software by users is controlled based on the established policy; and <br />
-[c]  installation of software by users is monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|A]96 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing user installed
-software; configuration management plan; system security plan; system design
-documentation; system configuration settings and associated documentation; list of rules
-governing user-installed software; system monitoring records; system audit logs and
-records; continuous monitoring strategy; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibilities for governing user-installed software;
-personnel operating, using, or maintaining the system; personnel monitoring compliance
-with user-installed software policy; personnel with information security responsibilities;
-system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes governing user-installed software on the system;
-mechanisms enforcing rules or methods for governing the installation of software by users;
-mechanisms monitoring policy compliance].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|97]] '''
-Users can install software in organizational systems if provided the necessary privileges. To
-maintain control over the software installed, organizations identify permitted and
-prohibited actions regarding software installation through policies.  Permitted software
-installations include updates and security patches to existing software and applications from
-organization-approved “app stores.” Prohibited software installations may include software
-with unknown or suspect pedigrees or software that organizations consider potentially
-malicious.  The policies organizations select governing user-installed software may be
- NIST SP 800-171A, p. 30.
- NIST SP 800-171 Rev. 2, p. 23.
-''' '''
-CM.L2-3.4.9 – User-Installed Software
-CMMC Assessment Guide – Level 2 | Version 2.13
-organization-developed or provided by some external entity. Policy enforcement methods
-include procedural methods, automated methods, or both.
-'''FURTHER DISCUSSION '''
-Software that users have the ability to install is limited to items that the organization
-approves. When not controlled, users could install software that can create unnecessary risk.
-This risk applies both to the individual machine and to the larger operating environment.
-Policies and technical controls reduce risk to the organization by preventing users from
-installing unauthorized software.
-'''Example <br />
-'''You are a system administrator. A user calls you for help installing a software package. They
-are receiving a message asking for a password because they do not have permission to install
-the software. You explain that the policy prohibits users from installing software without
-approval [a]. When you set up workstations for users, you do not provide administrative
-privileges. After the call, you redistribute the policy to all users ensuring everyone in the
-company is aware of the restrictions.
-'''Potential Assessment Considerations <br />
-'''•
-  Are user controls in place to prohibit the installation of unauthorized software [a]?
-•
-  Is all software in use on the information systems approved [b]?
-•
-  Is there a mechanism in place to monitor the types of software a user is permitted to
-download (e.g., is there a whitelist of approved software) [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.4.9
- <br />
-''' '''
-IA.L2-3.5.1 – Identification [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-Identification and Authentication (IA) <br />
-'''IA.L2-3.5.1 – IDENTIFICATION [CUI DATA] '''
-Identify system users, processes acting on behalf of users, and devices.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|98 ]]'''
-Determine if: <br />
-[a] system users are identified; <br />
-[b] processes acting on behalf of users are identified; and <br />
-[c]  devices accessing the system are identified.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|]98 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; procedures addressing user
-identification and authentication; system security plan, system design documentation;
-system configuration settings and associated documentation; system audit logs and records;
-list of system accounts; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system operations responsibilities; personnel with
-information security responsibilities; system or network administrators; personnel with
-account management responsibilities; system developers].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for uniquely identifying and authenticating users;
-mechanisms supporting or implementing identification and authentication capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|99]] '''
-Common device identifiers include media access control (MAC), Internet Protocol (IP)
-addresses, or device-unique token identifiers. Management of individual identifiers is not
-applicable to shared system accounts. Typically, individual identifiers are the user names
-associated with the system accounts assigned to those individuals.  Organizations may
-require unique identification of individuals in group accounts or for detailed accountability
-of individual activity. In addition, this requirement addresses individual identifiers that are
-not necessarily associated with system accounts.  Organizational devices requiring
- NIST SP 800-171A, p. 31.
- NIST SP 800-171 Rev. 2, p. 23.
-''' '''
-IA.L2-3.5.1 – Identification [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-identification may be defined by type, by device, or by a combination of type/device. NIST SP
--63-3 provides guidance on digital identities.
-'''FURTHER DISCUSSION '''
-Make sure to assign individual, unique identifiers (e.g., user names) to all users  and
-processes that  access company systems. Authorized devices also should have unique
-identifiers. Unique identifiers can be as simple as a short set of alphanumeric characters (e.g.,
-SW001 could refer to a network switch, SW002 could refer to a different network switch). <br />
-This requirement, IA.L2-3.5.1, provides a vetted and trusted identity that supports the access
-control mechanism required by AC.L2-3.1.1.
-'''Example <br />
-'''You want to make sure that all employees working on a project  can  access  important
-information about it. Because this is work for the DoD and may contain CUI, you also need to
-prevent employees who are not working on that  project from being able to access the
-information. You assign each employee is assigned a unique user ID, which they use to log
-into the system [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are unique identifiers issued to individual users (e.g., usernames) [a]?
-•
-  Are the processes and service accounts that an authorized user initiates identified (e.g.,
-scripts, automatic updates, configuration updates, vulnerability scans) [b]?
-•
-  Are unique device identifiers used for devices that access the system identified [c]?
-'''KEY REFERENCES'''
-•
-  NIST SP 800-171 Rev. 2 3.5.1
-•
-  FAR Clause 52.204-21 b.1.v
-''' '''
-IA.L2-3.5.2 – Authentication [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.2 – AUTHENTICATION [CUI DATA] '''
-Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to
-allowing access to organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|100 <br />
-]]'''Determine if: <br />
-[a] the identity of each user is authenticated or verified as a prerequisite to system access; <br />
-[b] the identity of each process acting on behalf of a user is authenticated or verified as a
-prerequisite to system access; and
-[c]  the identity of each device accessing or connecting to the system is authenticated or
-verified as a prerequisite to system access.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|]100 <br />
-]]Examine <br />
-'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
-addressing authenticator management; procedures addressing user identification and
-authentication; system design documentation; list of system authenticator types; system
-configuration settings and associated documentation; change control records associated
-with managing system authenticators; system audit logs and records; other relevant
-documents or records]. <br />
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators]. <br />
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
-capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|101]] <br />
-'''Individual authenticators include the following: passwords, key cards, cryptographic
-devices, and one-time password devices. Initial authenticator content is the actual content
-of the authenticator, for example, the initial password. In contrast, the requirements about
-authenticator content include the minimum password length.  Developers ship system
-components with factory default authentication credentials to allow for initial installation
-and configuration.  Default authentication credentials are often well known, easily
-discoverable, and present a significant security risk. <br />
-Systems support authenticator management by organization-defined settings and
-restrictions for various authenticator characteristics including minimum password length,
- NIST SP 800-171A, p. 31.
- NIST SP 800-171 Rev. 2, p. 24.
-''' '''
-IA.L2-3.5.2 – Authentication [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-validation time window for time synchronous one-time tokens, and number of allowed
-rejections during the verification stage of biometric authentication.  Authenticator
-management includes issuing and revoking, when no longer needed, authenticators for
-temporary access such as that required  for remote maintenance.  Device authenticators
-include certificates and passwords. <br />
-NIST SP 800-63-3 provides guidance on digital identities.
-'''FURTHER DISCUSSION <br />
-'''Before a person or device is given system access, verify that the user or device is who or what
-it claims to be. This verification is called authentication. The most common way to verify
-identity is using a username and a hard-to-guess password. <br />
-Some devices ship with default usernames and passwords. Some devices ship with a default
-username  (e.g.,  admin)  and password.  A  default username and password  must be
-immediately changed to something unique. Default passwords may be well known to the
-public, easily found in a search, or easy to guess, allowing an unauthorized person to access
-the system.
-'''Example 1 <br />
-'''You are in charge of purchasing. You know that some laptops come with a default username
-and password. You notify IT that all default passwords should be reset prior to laptop use
-[a]. You ask IT to explain the importance of resetting default passwords and convey how
-easily they are discovered using internet searches during next week’s cybersecurity
-awareness training.
-'''Example 2 <br />
-'''Your company decides to use cloud services for email and other capabilities. Upon reviewing
-this requirement, you realize every user or device that connects to the cloud service must be
-authenticated. As a result, you work with your cloud service provider to ensure that only
-properly authenticated users and devices are allowed to connect to the system [a,c].
-'''Potential Assessment Considerations <br />
-'''•
-  Are unique authenticators used to verify user identities (e.g., passwords) [a]?
-•
-  An example of a process acting on behalf of users could be a script that logs in as a person
-or service account [b]. Can the OSA show that it maintains a record of all of those service
-accounts for use when reviewing log data or responding to an incident?
-•
-  Are user credentials authenticated in system processes (e.g., credentials binding,
-certificates, tokens) [b]?
-•
-  Are device identifiers used in authentication processes (e.g., MAC address, non-
-anonymous computer name, certificates) [c]?
-'''KEY REFERENCES <br />
-'''•
-  NIST SP 800-171 Rev. 2 3.5.2
-''' '''
-IA.L2-3.5.2 – Authentication [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  FAR Clause 52.204-21 b.1.vi
-''' '''
-IA.L2-3.5.3 – Multifactor Authentication
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION '''
-Use multifactor authentication for local and network access to privileged accounts and for
-network access to non-privileged accounts.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|102 ]]'''
-Determine if: <br />
-[a] privileged accounts are identified; <br />
-[b] multifactor authentication is implemented for local access to privileged accounts; <br />
-[c]  multifactor authentication is implemented for network access to privileged accounts;
-and
-[d] multifactor authentication is implemented for network access to non-privileged
-accounts.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|A]102 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; procedures addressing user
-identification and authentication; system security plan; system design documentation;
-system configuration settings and associated documentation; system audit logs and records;
-list of system accounts; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
-capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|103]] '''
-Multifactor authentication requires the use of two or more different factors to authenticate.
-The factors are defined as something you know (e.g., password, personal identification
-number [PIN]); something you have (e.g., cryptographic identification device, token); or
-something you are (e.g., biometric).  Multifactor authentication solutions that feature
-physical authenticators include hardware authenticators providing time-based or challenge-
-response authenticators and smart cards. In addition to authenticating users at the system
-level (i.e., at logon), organizations may also employ authentication mechanisms at the
- NIST SP 800-171A, p. 32.
- NIST SP 800-171 Rev. 2, pp. 24-25.
-''' '''
-IA.L2-3.5.3 – Multifactor Authentication
-CMMC Assessment Guide – Level 2 | Version 2.13
-application level, when necessary, to provide increased information security.  Access to
-organizational systems is defined as local access or network access. Local access is any access
-to organizational systems by users (or processes acting on behalf of users) where such access
-is obtained by direct connections without the use of networks. Network access is access to
-systems by users (or processes acting on behalf of users) where such access is obtained
-through network connections (i.e., nonlocal accesses). Remote access is a type of network
-access that involves communication through external networks. The use of encrypted virtual
-private networks for connections between organization-controlled and non-organization
-controlled endpoints may be treated as internal networks with regard to protecting the
-confidentiality of information. <br />
-NIST SP 800-63-3 provides guidance on digital identities.
-'''FURTHER DISCUSSION '''
-Implement a combination of two  or more  factors of authentication to verify privileged
-account holders’ identity regardless of how the user is accessing the account. Implement a
-combination of two or more factors for non-privileged users accessing the system over a
-network. <br />
-The implementation of multi-factor authentication will depend on the environment and
-business  needs. Although two-factor authentication directly on the computer is most
-common, there are situations (e.g., multi-factor identification for a mission system that
-cannot be altered) where additional technical or physical solutions can provide security. If a
-mobile device is used to access a system or application containing  CUI,  multi-factor
-authentication is required. <br />
-This  requirement,  IA.L2-3.5.3,  requires multifactor authentication for network access to
-non-privileged accounts  and complements five other  requirements  dealing with remote
-access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and MA.L2-3.7.5:  <br />
-•
-  AC.L2-3.1.12 requires the control of remote access sessions.
-•
-  AC.L2-3.1.14 limits remote access to specific access control points.
-•
-  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
-sessions.
-•
-  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote.
-•
-  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
-maintenance sessions.
-This requirement, IA.L2-3.5.3, also enhances IA.L2-3.5.2, which is a requirement for a less
-rigorous form of user authentication.
-'''Example <br />
-'''You decide to implement multifactor authentication (MFA) to improve security of your
-network. Your first step is enabling MFA on VPN access to your internal network [c,d]. When
-users initiate remote access, they will be prompted for the additional authentication factor.
-''' '''
-IA.L2-3.5.3 – Multifactor Authentication
-CMMC Assessment Guide – Level 2 | Version 2.13
-Because  you also  use  a cloud-based  email solution,  you  require  MFA  for access to that
-resource as well [c,d]. Finally, you enable MFA for both local and network logins for the
-system administrator accounts used to patch and manage servers [a,b,c].
-'''Potential Assessment Considerations <br />
-'''•
-  Does the system uniquely identify and authenticate users, including privileged accounts
-[b,c,d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.3
-''' '''
-IA.L2-3.5.4 – Replay-Resistant Authentication
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION '''
-Employ replay-resistant authentication mechanisms for network access to privileged and
-non-privileged accounts.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|104 ]]'''
-Determine if: <br />
-[a] replay-resistant authentication mechanisms are implemented for network account
-access to privileged and non-privileged accounts.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|A]104 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; procedures addressing user
-identification and authentication; system security plan; system design documentation;
-system configuration settings and associated documentation; system audit logs and records;
-list of privileged system accounts; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system operations responsibilities; personnel with account
-management responsibilities; personnel with information security responsibilities; system
-or network administrators; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing identification and authentication
-capability or replay resistant authentication mechanisms].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|105]] '''
-Authentication processes resist replay attacks if it is impractical to successfully authenticate
-by recording or replaying previous authentication messages. Replay-resistant techniques
-include protocols that use nonces or challenges such as time synchronous or challenge-
-response one-time authenticators. <br />
-NIST SP 800-63-3 provides guidance on digital identities.
-'''FURTHER DISCUSSION '''
-When insecure protocols are used for access to computing resources, an adversary may be
-able to capture login information and immediately reuse (replay) it for other purposes. It is
-important to use mechanisms that resist this technique.
- NIST SP 800-171A, p. 32.
- NIST SP 800-171 Rev. 2, p. 25.
-''' '''
-IA.L2-3.5.4 – Replay-Resistant Authentication
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''To protect your IT infrastructure, you understand that the methods for authentication must
-not be easily copied and re-sent to your systems by an adversary. You select Kerberos for
-authentication because of its built-in resistance to replay attacks. As a next step you upgrade
-all of your web applications to require Transport Layer Security (TLS), which also is replay-
-resistant. Your use of MFA to protect remote access also confers some replay resistance.
-'''Potential Assessment Considerations <br />
-'''•
-  Are only anti-replay authentication mechanisms used [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.4
- <br />
-''' '''
-IA.L2-3.5.5 – Identifier Reuse
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.5 – IDENTIFIER REUSE '''
-Prevent reuse of identifiers for a defined period.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|106 ]]'''
-Determine if: <br />
-[a] a period within which identifiers cannot be reused is defined; and <br />
-[b] reuse of identifiers is prevented within the defined period.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|A]106 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
-addressing authenticator management; procedures addressing user identification and
-authentication; system design documentation; list of system authenticator types; system
-configuration settings and associated documentation; change control records associated
-with managing system authenticators; system audit logs and records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
-capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|107]] '''
-Identifiers are provided for users, processes acting on behalf of users, or devices (IA.L2-
-.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used
-individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
-'''FURTHER DISCUSSION '''
-Identifiers uniquely associate a user ID to an individual, group, role, or device.  Establish
-guidelines and implement mechanisms to prevent identifiers from being reused for the
-period of time established in the policy.
- NIST SP 800-171A, pp. 32-33.
- NIST SP 800-171 Rev. 2, p. 25.
-''' '''
-IA.L2-3.5.5 – Identifier Reuse
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''As a system administrator, you maintain a central directory/domain that holds the accounts
-for users, computers, and network devices. As part of your job, you issue unique usernames
-(e.g., riley@acme.com) for the staff to access resources. When you issue staff computers you
-also rename the computer to reflect to whom it is assigned (e.g., riley-laptop01). Riley has
-recently left the organization,  so you must manage the former staff member’s account.
-Incidentally, their replacement is also named Riley. In the directory, you do not assign the
-previous account to the new user, as policy has defined an identifier reuse period of 24
-months [a]. In accordance with policy, you create an account called riley02 [b]. This account
-is assigned the appropriate permissions for the new user. A new laptop is also provided with
-the identifier of riley02-laptop01.
-'''Potential Assessment Considerations <br />
-'''•
-  Are accounts uniquely assigned to employees, contractors, and subcontractors [b]?
-•
-  Are account identifiers reused [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.5
- <br />
-''' '''
-IA.L2-3.5.6 – Identifier Handling
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.6 – IDENTIFIER HANDLING '''
-Disable identifiers after a defined period of inactivity.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|108 ]]'''
-Determine if: <br />
-[a] a period of inactivity after which an identifier is disabled is defined; and <br />
-[b] identifiers are disabled after the defined period of inactivity.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|A]108 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; procedures addressing identifier
-management; procedures addressing account management; system security plan; system
-design documentation; system configuration settings and associated documentation; list of
-system accounts; list of identifiers generated from physical access control devices; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with identifier management responsibilities; personnel with
-information security responsibilities; system or network administrators; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing identifier management].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|109]] '''
-Inactive identifiers pose a risk to organizational information because attackers may exploit
-an inactive identifier to gain undetected access to organizational devices. The owners of the
-inactive accounts may not notice if unauthorized access to the account has been obtained.
-'''FURTHER DISCUSSION '''
-Identifiers are uniquely associated with an individual, account, process,  or device.  An
-inactive identifier is one that has not been used for a defined extended period of time. For
-example, a user account may be needed for a certain time to allow for transition of business
-processes to existing or new staff. Once use of the identifier is no longer necessary, it should
-be disabled as soon as possible. Failure to maintain awareness of accounts that are no longer
-needed yet still active could allow an adversary to exploit IT services.
- NIST SP 800-171A, p. 33.
- NIST SP 800-171 Rev. 2, p. 25.
-''' '''
-IA.L2-3.5.6 – Identifier Handling
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''One of your responsibilities  is to enforce  your company’s inactive account policy: any
-account that has not been used in the last 45 days must be disabled [a]. You enforce this by
-writing a script that runs once a day to check the last login date for each account and
-generates a report of the accounts with no login records for the last 45 days. After reviewing
-the report, you notify each inactive employee’s supervisor and disable the account [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are user accounts or identifiers monitored for inactivity [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.6
-''' '''
-IA.L2-3.5.7 – Password Complexity
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.7 – PASSWORD COMPLEXITY '''
-Enforce a minimum password complexity and change of characters when new passwords
-are created.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|110 ]]'''
-Determine if: <br />
-[a] password complexity requirements are defined; <br />
-[b] password change of character requirements are defined; <br />
-[c]  minimum password complexity requirements as defined are enforced when new
-passwords are created; and
-[d] minimum password change of character requirements as defined are enforced when
-new passwords are created.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|A]110 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; password policy; procedures
-addressing authenticator management; system security plan; system configuration settings
-and associated documentation; system design documentation; password configurations and
-associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
-capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|111]] '''
-This requirement applies to single-factor authentication of individuals using passwords as
-individual or group authenticators, and in a similar manner, when passwords are used as
-part of multifactor authenticators. The number of changed characters refers to the number
-of changes required with respect to the total number of positions in the current password.
-To mitigate certain brute force attacks against passwords, organizations may also consider
-salting passwords.
- NIST SP 800-171A, pp. 33-34.
- NIST SP 800-171 Rev. 2, p. 25.
-''' '''
-IA.L2-3.5.7 – Password Complexity
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Password complexity means using different types of characters as well as a specified number
-of characters. This applies to both the creation of new passwords and the modification of
-existing passwords. Characters to manage complexity include numbers, lowercase and
-uppercase letters, and symbols.  Minimum complexity requirements are left up to the
-organization to define. Define the lowest level of password complexity required. Define the
-number of characters that must be changed when an existing password is changed. Enforce
-these rules for all passwords. Salting passwords adds a string of random characters (salt) to
-a password prior to hashing. This ensures the randomness of the resulting hash value.
-'''Example <br />
-'''You work with management to define password complexity rules and ensure they are listed
-in the company’s security policy. You define and enforce a minimum number of characters
-for each password and ensure that a certain number of characters must be changed when
-updating passwords [a,b]. Characters include numbers, lowercase and uppercase letters, and
-symbols [a]. These rules help create hard-to-guess passwords, which help to secure your
-network.
-'''Potential Assessment Considerations <br />
-'''•
-  Is  a degree of complexity  specified  for passwords, (e.g., are account passwords a
-minimum of 12 characters and a mix of upper/lower case, numbers,  and special
-characters), including minimum requirements for each type [a,b,c]?
-•
-  Is a change of characters required when new passwords are created [d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.7
- <br />
-''' '''
-IA.L2-3.5.8 – Password Reuse
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.8 – PASSWORD REUSE '''
-Prohibit password reuse for a specified number of generations.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|112 ]]'''
-Determine if: <br />
-[a] the number of generations during which a password cannot be reused is specified and <br />
-[b] reuse of passwords is prohibited during the specified number of generations.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|A]112 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; password policy; procedures
-addressing authenticator management; system security plan; system design documentation;
-system configuration settings and associated documentation; password configurations and
-associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing password-based authenticator
-management capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|113]] '''
-Password lifetime restrictions do not apply to temporary passwords.
-'''FURTHER DISCUSSION '''
-Individuals may not reuse their passwords for a defined period of time and a set number of
-passwords generated.
-'''Example <br />
-'''You explain in your company’s security policy that changing passwords regularly provides
-increased security by reducing the ability of adversaries to exploit stolen or purchased
-passwords over an extended period. You define how often individuals can reuse their
-passwords and the minimum number of password generations before reuse [a]. If a user
- NIST SP 800-171A, p. 34.
- NIST SP 800-171 Rev. 2, p. 25.
-''' '''
-IA.L2-3.5.8 – Password Reuse
-CMMC Assessment Guide – Level 2 | Version 2.13
-tries to reuse a password before the number of password generations has been exceeded, an
-error message is generated, and the user is required to enter a new password [b].
-'''Potential Assessment Considerations <br />
-'''•
-  How many generations of password changes need to take place before a password can
-be reused [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.8
- <br />
-''' '''
-IA.L2-3.5.9 – Temporary Passwords
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.9 – TEMPORARY PASSWORDS '''
-Allow temporary password use for system logons with an immediate change to a permanent
-password.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|114 ]]'''
-Determine if: <br />
-[a] an immediate change to a permanent password is required when a temporary password
-is used for system logon.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|A]114 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; password policy; procedures
-addressing authenticator management; system security plan; system configuration settings
-and associated documentation; system design documentation; password configurations and
-associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators; system
-developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing password-based authenticator
-management capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|115]] '''
-Changing temporary passwords to permanent passwords immediately after system logon
-ensures that the necessary strength of the authentication mechanism is implemented at the
-earliest opportunity, reducing the susceptibility to authenticator compromises.
-'''FURTHER DISCUSSION '''
-Users must change their temporary passwords the first time they log in.  Temporary
-passwords often follow a consistent style within an organization and can be more easily
-guessed than passwords created by the unique user. This approach to temporary passwords
-should be avoided.
- NIST SP 800-171A, p. 34.
- NIST SP 800-171 Rev. 2, p. 25.
-''' '''
-IA.L2-3.5.9 – Temporary Passwords
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''One of your duties as a systems administrator is to create accounts for new users. You
-configure all systems with user accounts to require users to change a temporary password
-upon initial login to a permanent password [a]. When a user logs on for the first time, they
-are prompted to create a unique password that meets all of the defined complexity rules.
-'''Potential Assessment Considerations <br />
-'''•
-  Are temporary passwords only valid to allow a user to perform a password reset [a]?
-•
-  Does the system enforce an immediate password change after logon when a temporary
-password is issued [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.9
- <br />
-''' '''
-IA.L2-3.5.10 – Cryptographically-Protected Passwords
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS '''
-Store and transmit only cryptographically-protected passwords.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|116 ]]'''
-Determine if: <br />
-[a] passwords are cryptographically protected in storage; and <br />
-[b] passwords are cryptographically protected in transit.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|A]116 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
-addressing authenticator management; procedures addressing user identification and
-authentication; system design documentation; list of system authenticator types; system
-configuration settings and associated documentation; change control records associated
-with managing system authenticators; system audit logs and records; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
-capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|117]] '''
-Cryptographically-protected passwords use salted one-way cryptographic hashes of
-passwords. <br />
-See NIST Cryptographic Standards and Guidelines.
-'''FURTHER DISCUSSION '''
-All passwords must be cryptographically protected using a one-way function for storage and
-transmission. This type of protection changes passwords into another form, or a hashed
-password. A one-way transformation makes it theoretically impossible to turn the hashed
- NIST SP 800-171A, pp. 34-35.
- NIST SP 800-171 Rev. 2, pp. 25-26.
-''' '''
-IA.L2-3.5.10 – Cryptographically-Protected Passwords
-CMMC Assessment Guide – Level 2 | Version 2.13
-password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still
-facilitate offline cracking of hashes.
-'''Example <br />
-'''You are responsible for managing passwords for your organization.  You protect all
-passwords with a one-way transformation, or hashing, before storing them. Passwords are
-never transmitted across a network unencrypted [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are passwords prevented from being stored in reversible encryption form in any
-company systems [a]?
-•
-  Are passwords stored as one-way hashes constructed from passwords [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.10
- <br />
-''' '''
-IA.L2-3.5.11 – Obscure Feedback
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IA.L2-3.5.11 – OBSCURE FEEDBACK '''
-Obscure feedback of authentication information.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|118 ]]'''
-Determine if: <br />
-[a] authentication information is obscured during the authentication process.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|A]118 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Identification and authentication policy; procedures addressing
-authenticator feedback; system security plan; system design documentation; system
-configuration settings and associated documentation; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with information security responsibilities; system or network
-administrators; system developers].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing the obscuring of feedback of
-authentication information during authentication].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|119]] '''
-The feedback from systems does not provide any information that would allow unauthorized
-individuals to compromise authentication mechanisms. For some types of systems or system
-components, for example, desktop or notebook computers with relatively large monitors,
-the threat (often referred to as shoulder surfing) may be significant.  For  other types of
-systems or components, for example, mobile devices with small displays, this threat may be
-less significant, and is balanced against the increased likelihood of typographic input errors
-due to the small keyboards. Therefore, the means for obscuring the authenticator feedback
-is selected accordingly.  Obscuring authenticator feedback includes displaying asterisks
-when users type passwords into input devices or displaying feedback for a very limited time
-before fully obscuring it.
-'''FURTHER DISCUSSION '''
-Authentication information includes passwords. When users enter a password, the system
-displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing
- NIST SP 800-171A, p. 35.
- NIST SP 800-171 Rev. 2, p. 26.
-''' '''
-IA.L2-3.5.11 – Obscure Feedback
-CMMC Assessment Guide – Level 2 | Version 2.13
-the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices
-may briefly show characters before obscuring).
-'''Example <br />
-'''As a system administrator, you configure your systems to display an asterisk when users
-enter their passwords into a computer system [a]. For mobile devices, the password
-characters are briefly displayed to the user before being obscured. This prevents people from
-figuring out passwords by looking over someone’s shoulder.
-'''Potential Assessment Considerations <br />
-'''•
-  Is the feedback immediately obscured when the authentication is presented on a larger
-display (e.g., desktop or notebook computers with relatively large monitors) [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.5.11
- <br />
-''' '''
-IR.L2-3.6.1 – Incident Handling
-CMMC Assessment Guide – Level 2 | Version 2.13
-Incident Response (IR) <br />
-'''IR.L2-3.6.1 – INCIDENT HANDLING '''
-Establish an operational incident-handling capability for organizational systems that
-includes preparation, detection, analysis, containment, recovery, and user response
-activities.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|120 ]]'''
-Determine if: <br />
-[a] an operational incident-handling capability is established; <br />
-[b] the operational incident-handling capability includes preparation; <br />
-[c]  the operational incident-handling capability includes detection; <br />
-[d] the operational incident-handling capability includes analysis; <br />
-[e] the operational incident-handling capability includes containment; <br />
-[f]  the operational incident-handling capability includes recovery; and <br />
-[g] the operational incident-handling capability includes user response activities.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|A]120 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Incident response policy; contingency planning policy; procedures
-addressing incident handling; procedures addressing incident response assistance; incident
-response plan; contingency plan; system security plan; procedures addressing incident
-response training; incident response training curriculum; incident response training
-materials; incident response training records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with incident handling responsibilities; personnel with
-contingency planning responsibilities; personnel with incident response training and
-operational  responsibilities; personnel with incident response assistance and support
-responsibilities; personnel with access to incident response support and assistance
-capability; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Incident-handling capability for the organization; organizational processes
-for incident response assistance; mechanisms supporting or implementing incident
-response assistance].
- NIST SP 800-171A, p. 36.
-''' '''
-IR.L2-3.6.1 – Incident Handling
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#145|121]] '''
-Organizations recognize that incident handling capability is dependent on the capabilities of
-organizational systems and the mission/business processes being supported by those
-systems.  Organizations consider incident handling as part of the definition, design, and
-development of mission/business processes and systems. Incident-related information can
-be obtained from a variety of sources including audit monitoring, network monitoring,
-physical access monitoring, user and administrator reports, and reported supply chain
-events.  Effective incident handling capability includes coordination among many
-organizational entities including mission/business owners, system owners, authorizing
-officials, human resources offices, physical and personnel security offices, legal departments,
-operations personnel, procurement offices, and the risk executive. <br />
-As part of user response activities, incident response training is provided by organizations
-and is linked directly to the assigned roles and responsibilities of organizational personnel
-to ensure that the appropriate content and level of detail is included in such training. For
-example, regular users may only need to know who to call or how to recognize an incident
-on the system; system administrators may require additional training on how to handle or
-remediate incidents; and incident responders may receive more specific training on
-forensics, reporting, system recovery, and restoration. Incident response training includes
-user training in the identification/reporting of suspicious activities from external and
-internal sources. User response activities also includes incident response assistance which
-may consist of help desk support, assistance groups, and access to forensics services or
-consumer redress services, when required. <br />
-NIST SP 800-61 provides guidance on incident handling. SP 800-86 and SP 800-101 provide
-guidance on integrating forensic techniques into incident response. SP 800-161 provides
-guidance on supply chain risk management.
-'''FURTHER DISCUSSION '''
-Incident handling capabilities prepare your organization to respond to incidents and may: <br />
-•
-  identify people inside and outside your organization you may need to contact during an
-incident;
-•
-  establish a way to report incidents, such as an email address or a phone number;
-•
-  establish a system for tracking incidents; and
-•
-  determine a place and a way to store evidence of an incident.
-Software and hardware may be required to analyze incidents when they occur. Incident
-prevention activities are also part of an incident-handling capability. The incident-handling
-team provides input for such things as risk assessments and training. <br />
-OSAs detect incidents using different indicators. Indicators may include: <br />
-•
-  alerts from sensors or antivirus software;
- NIST SP 800-171 Rev. 2, p. 26.
-''' '''
-IR.L2-3.6.1 – Incident Handling
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  a filename that looks unusual; and
-•
-  log entries that raise concern.
-After detecting an incident, an incident response team performs analysis. This requires some
-knowledge of normal network operations. The incident should be documented including all
-the log entries associated with the incident. <br />
-Containment of the incident is a critical step to stop the damage the incident is causing to
-your network. Containment activities should be based on previously defined organizational
-priorities and assessment of risk. <br />
-Recovery activities restore systems to pre-incident functionality and address its underlying
-causes. Organizations should use recovery activities as a means of improving their overall
-resilience to future attacks.
-'''Example <br />
-'''Your manager asks you to set up your company’s incident-response capability [a]. First, you
-create an email address to collect information on possible incidents. Next, you draft a contact
-list of all the people who need to know when an incident occurs. You document a procedure
-for how to submit incidents that includes roles and responsibilities when a potential incident
-is detected or reported. The procedure also explains how to track incidents, from initial
-creation to closure [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Is there an incident response policy which specifically outlines requirements for handling
-of incidents involving CUI [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.6.1
-''' '''
-IR.L2-3.6.2 – Incident Reporting
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IR.L2-3.6.2 – INCIDENT REPORTING '''
-Track, document, and report incidents to designated officials and/or authorities both
-internal and external to the organization.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|122 ]]'''
-Determine if: <br />
-[a] incidents are tracked; <br />
-[b] incidents are documented; <br />
-[c]  authorities to whom incidents are to be reported are identified; <br />
-[d] organizational officials to whom incidents are to be reported are identified; <br />
-[e] identified authorities are notified of incidents; and <br />
-[f]  identified organizational officials are notified of incidents.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|A]122 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Incident response policy; procedures addressing incident monitoring;
-incident response records and documentation; procedures addressing incident reporting;
-incident reporting records and documentation; incident response plan; system security plan;
-other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with incident monitoring responsibilities; personnel with
-incident reporting responsibilities; personnel who have or should have reported incidents;
-personnel (authorities) to whom incident information is to be reported; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Incident monitoring capability for the organization; mechanisms supporting
-or implementing tracking and documenting of system security incidents; organizational
-processes for incident reporting; mechanisms supporting or implementing incident
-reporting].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|123]] '''
-Tracking and documenting system security incidents includes maintaining records about
-each incident, the status of the incident, and other pertinent information necessary for
- NIST SP 800-171A, pp. 36-37.
- NIST SP 800-171 Rev. 2, pp. 26-27.
-''' '''
-IR.L2-3.6.2 – Incident Reporting
-CMMC Assessment Guide – Level 2 | Version 2.13
-forensics, evaluating incident details, trends, and handling.  Incident information can be
-obtained from a variety of sources including incident reports, incident response teams, audit
-monitoring, network monitoring, physical access monitoring, and user/administrator
-reports. Reporting incidents addresses specific incident reporting requirements within an
-organization and the formal incident reporting requirements for the organization. Suspected
-security incidents may also be reported and include the receipt of suspicious email
-communications that can potentially contain malicious code. The types of security incidents
-reported, the content and timeliness of the reports, and the designated reporting authorities
-reflect applicable laws, Executive Orders, directives, regulations, and policies. <br />
-NIST SP 800-61 provides guidance on incident handling.
-'''FURTHER DISCUSSION '''
-Incident handling is the actions the organization takes to prevent or contain the impact of an
-incident to the organization while it is occurring or shortly after it has occurred. The majority
-of the process consists of  incident  identification, containment, eradication, and recovery.
-During this process, it is essential to track the work processes required in order to effectively
-respond. Designate a central hub to serve as the point to coordinate, communicate, and track
-activities. The hub should receive and document information from system administrators,
-incident handlers, and others involved throughout the process.  As the incident process
-moves toward eradication, executives, affected business units, and any required external
-stakeholders should be kept aware of the incident in order to make decisions affecting the
-business. Report to designated authorities, taking into account applicable laws, directives,
-regulations, and other  guidance. Specify  staff  responsible for communicating about the
-incident to internal and external stakeholders.
-'''Example <br />
-'''You notice unusual activity on a server and determine a potential security incident has
-occurred. You open a tracking ticket with the Security Operations Center (SOC), which
-assigns an incident handler to work the ticket [a]. The handler investigates and documents
-initial findings, which lead to a determination that unauthorized access occurred on the
-server  [b].  The SOC establishes an incident management  team consisting  of security,
-database, network, and system administrators. The team meets daily to update progress and
-plan courses of action to contain the incident [a]. At the end of the day, the team provides a
-status report to IT executives [d,f]. Two days later, the team declares the incident contained.
-The team produces a final report as the database system is rebuilt and placed back into
-operation.
-'''Potential Assessment Considerations <br />
-'''•
-  Is there an incident response policy that directs the establishment of requirements for
-tracking and reporting of incidents involving CUI to appropriate officials [a,d]?
-•
-  Is cybersecurity incident information promptly reported to management [e,f]?
-''' '''
-IR.L2-3.6.2 – Incident Reporting
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.6.2
-''' '''
-IR.L2-3.6.3 – Incident Response Testing
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''IR.L2-3.6.3 – INCIDENT RESPONSE TESTING '''
-Test the organizational incident response capability.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|124 ]]'''
-Determine if: <br />
-[a] the incident response capability is tested.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|A]124 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Incident response policy; contingency planning policy; procedures
-addressing incident response testing; procedures addressing contingency plan testing;
-incident response testing material; incident response test results; incident response test
-plan; incident response plan; contingency plan; system security plan; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with incident response testing responsibilities; personnel with
-information security responsibilities; personnel with responsibilities for testing plans
-related to incident response].
-'''Test <br />
-'''[SELECT FROM: Mechanisms and processes for incident response].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|125]] '''
-Organizations test incident response capabilities to determine the effectiveness of the
-capabilities and to identify potential weaknesses or deficiencies. Incident response testing
-includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel
-and full interrupt), and comprehensive exercises. Incident response testing can also include
-a determination of the effects on organizational operations (e.g., reduction in mission
-capabilities), organizational assets, and individuals due to incident response. <br />
-NIST SP 800-84 provides guidance on testing programs for information technology
-capabilities.
-'''FURTHER DISCUSSION '''
-Testing incident response capability validates existing plans and  highlights potential
-deficiencies. The test should address questions such as what happens during an incident;
- NIST SP 800-171A, p. 37.
- NIST SP 800-171 Rev. 2, p. 27.
-''' '''
-IR.L2-3.6.3 – Incident Response Testing
-CMMC Assessment Guide – Level 2 | Version 2.13
-who is responsible for incident management;  what tasks are assigned within the IT
-organization;  what support is  needed from legal, public affairs, or other business
-components;  how resources are added  if needed during the incident;  and how law
-enforcement is involved. Any negative impacts to the normal day-to-day operations when
-responding to an incident should also be identified and documented.
-'''Example <br />
-'''You decide to conduct an incident response table top exercise that simulates an attacker
-gaining access to the network through a compromised server. You include relevant IT staff
-such as security, database, network, and system administrators  as participants.  You also
-request representatives from legal, human resources, and communications. You provide a
-scenario to the group and have prepared key questions aligned with the response plans to
-guide the exercise. During the exercise, you focus on how the team executes the incident
-response plan. Afterward, you conduct a debrief with everyone that was involved to provide
-feedback and develop improvements to the incident response plan [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Does the incident response policy outline requirements for regular incident response
-plan testing and reviews of incident response capabilities [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.6.3
-''' '''
-MA.L2-3.7.1 – Perform Maintenance
-CMMC Assessment Guide – Level 2 | Version 2.13
-Maintenance (MA) <br />
-'''MA.L2-3.7.1 – PERFORM MAINTENANCE '''
-Perform maintenance on organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|126 ]]'''
-Determine if: <br />
-[a] system maintenance is performed.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|A]126 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System maintenance policy; procedures addressing controlled system
-maintenance; maintenance records; manufacturer or vendor maintenance specifications;
-equipment sanitization records; media sanitization records; system security plan; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
-information security responsibilities; personnel responsible for media sanitization; system
-or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for scheduling, performing, documenting,
-reviewing, approving, and monitoring maintenance and repairs for systems; organizational
-processes for sanitizing  system components; mechanisms supporting or implementing
-controlled maintenance; mechanisms implementing sanitization of system components].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|127]] '''
-This requirement addresses the information security aspects of the system maintenance
-program and applies to all types of maintenance to any system component (including
-hardware, firmware, applications) conducted by any local or nonlocal entity.  System
-maintenance also includes those components not directly associated with information
-processing and data or information retention such as scanners, copiers, and printers.
- NIST SP 800-171A, p. 38.
- NIST SP 800-171 Rev. 2, p. 27.
-''' '''
-MA.L2-3.7.1 – Perform Maintenance
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-One common form of computer security maintenance is regular patching of discovered
-vulnerabilities in software and operating systems, though there  are others that require
-attention. <br />
-System maintenance includes: <br />
-•
-  corrective maintenance (e.g., repairing problems with the technology);
-•
-  preventative maintenance (e.g., updates to prevent potential problems);
-•
-  adaptive maintenance (e.g., changes to the operative environment); and
-•
-  perfective maintenance (e.g., improve operations).
-'''Example <br />
-'''You are responsible for maintenance activities on your company’s machines. This includes
-regular planned maintenance, unscheduled maintenance, reconfigurations when required,
-and damage repairs [a]. You know that failing to conduct maintenance activities can impact
-system security and availability, so you ensure that maintenance is regularly performed. You
-track all maintenance performed to assist with troubleshooting later if needed.
-'''Potential Assessment Considerations <br />
-'''•
-  Are systems, devices, and supporting systems maintained per manufacturer
-recommendations or company defined schedules [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.7.1
- <br />
-''' '''
-MA.L2-3.7.2 – System Maintenance Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL '''
-Provide controls on the tools, techniques, mechanisms, and personnel used to conduct
-system maintenance.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|128 ]]'''
-Determine if: <br />
-[a] tools used to conduct system maintenance are controlled; <br />
-[b] techniques used to conduct system maintenance are controlled; <br />
-[c]  mechanisms used to conduct system maintenance are controlled; and <br />
-[d] personnel used to conduct system maintenance are controlled.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|A]128 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System maintenance policy; procedures addressing system maintenance
-tools and media; maintenance records;  system maintenance tools and associated
-documentation; maintenance tool inspection records; system security plan; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for approving, controlling, and monitoring
-maintenance tools; mechanisms supporting or implementing approval, control, and
-monitoring of maintenance tools; organizational processes for inspecting maintenance tools;
-mechanisms supporting or implementing inspection of maintenance tools; organizational
-process for inspecting media for malicious code; mechanisms supporting or implementing
-inspection of media used for maintenance].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|129]] '''
-This requirement addresses security-related issues with maintenance tools that are not
-within the organizational system boundaries that process, store, or transmit CUI, but are
-used specifically for diagnostic and repair actions on those systems.  Organizations have
-flexibility in determining the controls in place for maintenance tools, but can include
-approving, controlling, and monitoring the use of such tools. Maintenance tools are potential
- NIST SP 800-171A, p. 38.
- NIST SP 800-171 Rev. 2, pp. 27-28.
-''' '''
-MA.L2-3.7.2 – System Maintenance Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-vehicles for transporting malicious code, either intentionally or unintentionally, into a
-facility and into organizational systems. Maintenance tools can include hardware, software,
-and firmware items, for example, hardware and software diagnostic test equipment and
-hardware and software packet sniffers.
-'''FURTHER DISCUSSION '''
-Tools used to perform maintenance must remain secure so they do not introduce viruses or
-other malware into your system. Controlling  your maintenance techniques prevents
-intentional or unintentional harm to your network and systems. Additionally, the personnel
-responsible for maintenance activities should be supervised considering their elevated
-privilege on company assets.
-'''Example <br />
-'''You are responsible for maintenance activities on your company’s machines.  To avoid
-introducing additional vulnerability into the systems you are maintaining, you make sure
-that all maintenance tools are approved and their usage is monitored and controlled [a,b].
-You ensure the tools are kept current and up-to-date [a]. You and your backup are the only
-people authorized to use these tools and perform system maintenance [d].
-'''Potential Assessment Considerations <br />
-'''•
-  Are  physical or logical access controls used  to limit access to maintenance tools to
-authorized personnel [a]?
-•
-  Are physical or logical access controls used to limit access to system documentation and
-organizational maintenance process documentation to authorized personnel [b]?
-•
-  Are physical or logical access controls used to limit access to automated mechanisms
-(e.g., automated scripts, scheduled jobs) to authorized personnel [c]?
-•
-  Are physical or logical access controls used to limit access to the system entry points that
-enable maintenance (e.g., administrative portals, local and remote console access, and
-physical equipment panels) to authorized personnel [d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.7.2
- <br />
-''' '''
-MA.L2-3.7.3 – Equipment Sanitization
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MA.L2-3.7.3 – EQUIPMENT SANITIZATION '''
-Ensure equipment removed for off-site maintenance is sanitized of any CUI.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|130 ]]'''
-Determine if: <br />
-[a] equipment to be removed from organizational spaces for off-site maintenance is
-sanitized of any CUI.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|A]130 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System maintenance policy; procedures addressing controlled system
-maintenance; maintenance records; manufacturer or vendor maintenance specifications;
-equipment sanitization records; media sanitization records; system security plan; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
-information security responsibilities; personnel responsible for media sanitization; system
-or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for scheduling, performing, documenting,
-reviewing, approving, and monitoring maintenance and repairs for systems; organizational
-processes for sanitizing system components; mechanisms supporting or implementing
-controlled maintenance; mechanisms implementing sanitization of system components].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|131]] '''
-This requirement addresses the information security aspects of system maintenance that are
-performed off-site and applies to all types of maintenance  to any system component
-(including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty,
-in-house, software maintenance agreement). <br />
-NIST SP 800-88 provides guidance on media sanitization.
-'''FURTHER DISCUSSION '''
-Sanitization is a process that makes access to data infeasible on media such as a hard drive.
-The process may overwrite the entire media with a fixed pattern such as binary zeros. In
- NIST SP 800-171A, p. 39.
- NIST SP 800-171 Rev. 2, p. 28.
-''' '''
-MA.L2-3.7.3 – Equipment Sanitization
-CMMC Assessment Guide – Level 2 | Version 2.13
-addition to clearing the data an organization could purge (e.g., degaussing, secure erasing, or
-disassembling) the data, or even destroy the media (e.g.,  incinerating, shredding, or
-pulverizing). Performing one of these activities ensures that the data is extremely hard to
-recover, thus ensuring its confidentiality. <br />
-For additional guidance on which specific sanitization actions should be taken on any specific
-type of media, review the description of the Purge actions given in NIST SP 800-88 Revision
-– Guidelines for Media Sanitization.
-'''Example <br />
-'''You manage your organization’s IT equipment. A recent DoD project has been using a storage
-array to house CUI. Recently, the array has experienced disk issues. After troubleshooting
-with the vendor, they recommend several drives be replaced in the array. Knowing the drives
-may  contain  CUI,  you  reference NIST 800-88 Rev. 1 and determine a strategy you can
-implement on the defective equipment – processing the drives with a degaussing unit [a].
-Once all the drives have been wiped, you document the action and ship the faulty drives to
-the vendor.
-'''Potential Assessment Considerations <br />
-'''•
-  Is there a process for sanitizing (e.g., erasing, wiping, degaussing) equipment that was
-used to store, process, or transmit CUI before it is removed from the facility for off-site
-maintenance (e.g., manufacturer or contracted maintenance support) [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.7.3
-''' '''
-MA.L2-3.7.4 – Media Inspection
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MA.L2-3.7.4 – MEDIA INSPECTION '''
-Check media containing diagnostic and test programs for malicious code before the media
-are used in organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|132 ]]'''
-Determine if: <br />
-[a] media containing diagnostic and test programs are checked for malicious code before
-being used in organizational systems that process, store, or transmit CUI.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|A]132 ]]'''
-'''Examine '''
-[SELECT FROM: System maintenance policy; procedures addressing system maintenance
-tools; system maintenance tools and associated documentation; maintenance records;
-system security plan; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational process for inspecting media for malicious code;
-mechanisms supporting or implementing inspection of media used for maintenance].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|133]] '''
-If, upon inspection of media containing maintenance diagnostic and test programs,
-organizations determine that the media contain malicious code, the incident is handled
-consistent with incident handling policies and procedures.
-'''FURTHER DISCUSSION '''
-As part of troubleshooting, a vendor may provide a diagnostic application to install on a
-system. As this is executable code, there is a chance that the file is corrupt or infected with
-malicious code. Implement procedures to scan any files prior to installation. The same level
-of scrutiny must be made as with any file a staff member may download. <br />
-This requirement, MA.L2-3.7.4, extends both SI.L2-3.14.2 and SI.L2-3.14.4. SI.L2-3.14.2 and
-SI.L2-3.14.4 require the implementation and updating of mechanisms to protect systems
- NIST SP 800-171A, p. 39.
- NIST SP 800-171 Rev. 2, p. 28.
-''' '''
-MA.L2-3.7.4 – Media Inspection
-CMMC Assessment Guide – Level 2 | Version 2.13
-from malicious code, and MA.L2-3.7.4 extends this requirement to diagnostic and testing
-tools.
-'''Example <br />
-'''You  have  recently been experiencing performance issues on one of your servers.  After
-troubleshooting for much of the morning, the vendor has asked to install a utility that will
-collect more data from the server. The file is stored on the vendor’s FTP server. The support
-technician gives you the FTP site so you can anonymously download the utility file. You also
-ask him for a hash of the utility file. As you download the file to your local computer, you
-realize it is compressed.  You  unzip the file and perform a manual  antivirus  scan, which
-reports no issues [a]. To verify the utility file has not been altered, you run an application to
-see that the hash from the vendor matches.
-'''Potential Assessment Considerations <br />
-'''•
-  Are media containing diagnostic and test programs (e.g., downloaded or copied utilities
-or tools from manufacturer, third-party, or in-house support teams) checked  for
-malicious code (e.g., using antivirus or antimalware scans) before the media are used on
-organizational systems [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.7.4
-''' '''
-MA.L2-3.7.5 – Nonlocal Maintenance
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MA.L2-3.7.5 – NONLOCAL MAINTENANCE '''
-Require multifactor authentication to establish nonlocal maintenance sessions via external
-network connections and terminate such connections when nonlocal maintenance is
-complete.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|134 ]]'''
-Determine if: <br />
-[a] multifactor authentication is used to establish nonlocal maintenance sessions via
-external network connections; and
-[b] nonlocal maintenance sessions established via external network connections are
-terminated when nonlocal maintenance is complete.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|A]134 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System maintenance policy; procedures addressing nonlocal system
-maintenance; system security plan; system design documentation; system configuration
-settings and associated documentation; maintenance records; diagnostic records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms
-implementing, supporting, and managing nonlocal maintenance; mechanisms for strong
-authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating
-nonlocal maintenance sessions and network connections].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|135]] '''
-Nonlocal maintenance and diagnostic activities are those activities conducted by individuals
-communicating through an external network. The authentication techniques employed in
-the establishment of these nonlocal maintenance and diagnostic sessions reflect the network
-access requirements in IA.L2-3.5.3.
- NIST SP 800-171A, pp. 39-40.
- NIST SP 800-171 Rev. 2, p. 28.
-''' '''
-MA.L2-3.7.5 – Nonlocal Maintenance
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Nonlocal maintenance activities must use multifactor authentication.  Multifactor
-authentication requires at least two factors, such as: <br />
-•
-  something you know (e.g., password, personal identification number [PIN]);
-•
-  something you have (e.g., cryptographic identification device, token); or
-•
-  something you are (e.g., biometric fingerprint or facial scan).
-Requiring two or more factors to prove your identity increases the security of the
-connection. Nonlocal maintenance activities are activities conducted from external network
-connections such as over the internet. After nonlocal maintenance activities are complete,
-shut down the external network connection. <br />
-This  requirement,  MA.L2-3.7.5  specifies  the addition of multifactor authentication for
-remote maintenance sessions and complements five other requirements  dealing with
-remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and IA.L2-3.5.3): <br />
-•
-  AC.L2-3.1.12 requires the control of remote access sessions.
-•
-  AC.L2-3.1.14 limits remote access to specific access control points.
-•
-  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
-sessions.
-•
-  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
-session.
-•
-  Finally,  IA.L2-3.5.3  requires multifactor authentication for network access to non-
-privileged accounts.
-'''Example <br />
-'''You are responsible for maintaining your company’s firewall. In order to conduct
-maintenance while working remotely, you connect to the firewall’s management interface
-and log in using administrator credentials. The firewall then sends a verification request to
-the multifactor authentication app on your smartphone [a]. You need both of these things to
-prove your identity [a]. After you respond to the multifactor challenge, you have access to
-the maintenance interface. When you finish your activities, you shut down the remote
-connection by logging out and quitting your web browser [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Is multifactor authentication required prior to maintenance of a system when connecting
-remotely from outside the system boundary [a]?
-•
-  Are personnel required to manually terminate remote maintenance sessions established
-via external network connections when maintenance is complete,  or are connections
-terminated automatically through system session management mechanisms [b]?
-''' '''
-MA.L2-3.7.5 – Nonlocal Maintenance
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.7.5
-''' '''
-MA.L2-3.7.6 – Maintenance Personnel
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MA.L2-3.7.6 – MAINTENANCE PERSONNEL '''
-Supervise the maintenance activities of maintenance  personnel without required access
-authorization.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|136 ]]'''
-Determine if: <br />
-[a] maintenance personnel without required access authorization are supervised during
-maintenance activities.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|A]136 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System maintenance policy; procedures addressing maintenance personnel;
-service provider contracts; service-level agreements; list of authorized personnel;
-maintenance records; access control records; system security plan; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for authorizing and managing maintenance
-personnel; mechanisms supporting or implementing authorization of maintenance
-personnel].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|137]] '''
-This requirement applies to individuals who are performing hardware or software
-maintenance on organizational systems, while PE.L2-3.10.1 addresses physical access for
-individuals whose maintenance duties place them within the physical protection perimeter
-of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not
-previously identified as authorized maintenance personnel, such as information technology
-manufacturers, vendors, consultants, and systems integrators, may require privileged access
-to organizational systems, for example, when required to conduct maintenance activities
-with little or no notice. Organizations may choose to issue temporary credentials to these
-individuals based on organizational risk assessments.  Temporary credentials may be for
-one-time use or for very limited time periods.
- NIST SP 800-171A, p. 40.
- NIST SP 800-171 Rev. 2, p. 28.
-''' '''
-MA.L2-3.7.6 – Maintenance Personnel
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Individuals without proper permissions must be supervised while conducting maintenance
-on organizational machines. Consider creating temporary accounts with short-term
-expiration periods rather than regular user accounts. Additionally, limit the permissions and
-access these accounts have to the most restrictive settings possible.
-'''Example <br />
-'''One of your software providers has to come on-site to update the software on your
-company’s computers. You give the individual a temporary logon and password that expires
-in 12 hours and is limited to accessing only the computers necessary to complete the work
-[a]. This gives the technician access long enough to perform the update. You monitor the
-individual’s physical and network activity while the maintenance is taking place [a] and
-revoke access when the job is done.
-'''Potential Assessment Considerations <br />
-'''•
-  Are there  processes  for escorting and supervising maintenance personnel without
-required access authorization (e.g., vendor support personnel, short-term maintenance
-contractors) during system maintenance [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.7.6
-''' '''
-MP.L2-3.8.1 – Media Protection
-CMMC Assessment Guide – Level 2 | Version 2.13
-Media Protection (MP) <br />
-'''MP.L2-3.8.1 – MEDIA PROTECTION '''
-Protect (i.e., physically control and securely store) system media containing CUI, both paper
-and digital.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|138 ]]'''
-Determine if: <br />
-[a] paper media containing CUI is physically controlled; <br />
-[b] digital media containing CUI is physically controlled; <br />
-[c]  paper media containing CUI is securely stored; and <br />
-[d] digital media containing CUI is securely stored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|A]138 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; procedures addressing media storage;
-procedures addressing media access restrictions; access control policy and procedures;
-physical and environmental protection policy and procedures; system security plan; media
-storage facilities; access control records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system media protection responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for restricting information media; mechanisms
-supporting or implementing media access restrictions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|139]] '''
-System media includes digital and non-digital media.  Digital media includes diskettes,
-magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and
-digital video disks. Non-digital media includes paper and microfilm. Protecting digital media
-includes limiting access to design specifications stored on compact disks or flash drives in
-the media library to the project leader and any individuals on the development team.
-Physically controlling system media includes conducting inventories, maintaining
- NIST SP 800-171A, p. 41.
- NIST SP 800-171 Rev. 2, p. 29.
-''' '''
-MP.L2-3.8.1 – Media Protection
-CMMC Assessment Guide – Level 2 | Version 2.13
-accountability for stored media, and ensuring procedures are in place to allow individuals to
-check out and return media to the media library. Secure storage includes a locked drawer,
-desk, or cabinet, or a controlled media library. <br />
-Access to CUI on system media can be limited by physically controlling such media, which
-includes conducting inventories, ensuring procedures are in place to allow individuals to
-check out and return media to the media library, and maintaining accountability for all
-stored media. <br />
-NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
-'''FURTHER DISCUSSION '''
-CUI can be contained on two types of physical media: <br />
-•
-  hardcopy (e.g., CD drives, USB drives, magnetic tape); and
-•
-  digital devices (e.g., CD drives, USB drives, video).
-You should store physical media containing CUI in a secure location. This location should be
-accessible only to those people with the proper permissions.  All who access CUI should
-follow the process for checking it out and returning it.
-'''Example <br />
-'''Your company has CUI for a specific Army contract contained on a USB drive. You store the
-drive in a locked drawer, and you log it on an inventory [d]. You establish a procedure to
-check out the USB drive so you have a history of who is accessing it. These procedures help
-to maintain the confidentiality, integrity, and availability of the data.
-'''Potential Assessment Considerations <br />
-'''•
-  Is hardcopy media containing CUI handled only by authorized personnel according to
-defined procedures [a]?
-•
-  Is  digital media containing CUI handled only by authorized personnel according to
-defined procedures [b]?
-•
-  Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]?
-•
-  Is digital media containing CUI securely stored (e.g., in access-controlled repositories)
-[d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.1
-''' '''
-MP.L2-3.8.2 – Media Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.2 – MEDIA ACCESS '''
-Limit access to CUI on system media to authorized users.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|140 ]]'''
-Determine if: <br />
-[a] access to CUI on system media is limited to authorized users.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|A]140 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; procedures addressing media storage;
-physical and environmental protection policy and procedures; access control policy and
-procedures; system security plan; system media; designated controlled areas; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system media protection and storage responsibilities;
-personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for storing media; mechanisms supporting or
-implementing secure media storage and media protection].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|141]] '''
-Access can be limited by physically controlling system media and secure storage  areas.
-Physically controlling system media includes conducting inventories, ensuring procedures
-are in place to allow individuals to check out and return system media to the media library,
-and maintaining accountability for all stored media. Secure storage includes a locked drawer,
-desk, or cabinet, or a controlled media library.
-'''FURTHER DISCUSSION '''
-Limit physical access to CUI to people permitted to access CUI. Use locked or controlled
-storage areas and limit access to only those allowed to access CUI. Keep track of who accesses
-physical CUI in an audit log.
- NIST SP 800-171A, p. 41.
- NIST SP 800-171 Rev. 2, p. 29.
-''' '''
-MP.L2-3.8.2 – Media Access
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''Your company has CUI for a specific Army contract contained on a USB drive. In order to
-control the data, you establish specific procedures for handling the drive. You designate the
-project manager as the owner of the data and require anyone who needs access to the data
-to get permission from the data owner [a]. The data owner maintains a list of users that are
-authorized to access the information. Before an authorized individual can get access to the
-USB drive that contains the CUI they have to fill out a log and check out the drive. When they
-are done with the data, they check in the drive and return it to its secure storage location.
-'''Potential Assessment Considerations <br />
-'''•
-  Is  a list of users who are authorized to access the CUI contained on system media
-maintained [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.2
-''' '''
-MP.L2-3.8.3 – Media Disposal [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.3 – MEDIA DISPOSAL [CUI DATA] '''
-Sanitize or destroy system media containing CUI before disposal or release for reuse.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|142 ]]'''
-Determine if: <br />
-[a] system media containing CUI is sanitized or destroyed before disposal; and <br />
-[b] system media containing CUI is sanitized before it is released for reuse.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|A]142 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; procedures addressing media sanitization
-and disposal; applicable standards and policies addressing media sanitization; system
-security plan; media sanitization records; system audit logs and records; system design
-documentation; system configuration settings and associated documentation; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with media sanitization responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or
-implementing media sanitization].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|143]] '''
-This requirement applies to all system media, digital and non-digital, subject to disposal or
-reuse. Examples include: digital media found in workstations, network components,
-scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media
-such as paper and microfilm. The sanitization process removes information from the media
-such that the information cannot be retrieved or reconstructed. Sanitization techniques,
-including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of
-information to unauthorized individuals when such media is released for reuse or disposal.
-Organizations determine the appropriate sanitization methods, recognizing that destruction
-may be necessary when other methods cannot be applied to the media requiring sanitization. <br />
-Organizations use discretion on the employment of sanitization techniques and procedures
-for media containing information that is in the public domain or publicly releasable or
-deemed to have no adverse impact on organizations or individuals if released for reuse or
- NIST SP 800-171A, pp. 41-42.
- NIST SP 800-171 Rev. 2, p. 29.
-''' '''
-MP.L2-3.8.3 – Media Disposal [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-disposal. Sanitization of non-digital media includes destruction, removing CUI from
-documents, or redacting selected sections or words from a document by obscuring the
-redacted sections or words in a manner equivalent in effectiveness to removing the words
-or sections from the document. NARA policy and guidance control sanitization processes.
-NIST SP 800-88 provides guidance on media sanitization.
-'''FURTHER DISCUSSION '''
-“Media” refers to a broad range of items that store information, including paper documents,
-disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important
-to know what information is on media so that you can handle it properly. If there is CUI, you
-or someone in your company should either: <br />
-•
-  shred or destroy the device before disposal so it cannot be read; or
-•
-  clean or purge the information, if you want to reuse the device.
-See NIST Special Publication 800-88, Revision 1, ''Guidelines for Media Sanitization'', for more
-information.
-'''Example <br />
-'''As you pack for an office move, you find some old CDs in a file cabinet. You determine that
-one has information about an old project your company did for the DoD. You shred the CD
-rather than simply throwing it in the trash [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure
-that no usable data is retrievable [a,b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.3
-•
-  FAR Clause 52.204-21 b.1.vii
-''' '''
-''' '''
-MP.L2-3.8.4 – Media Markings
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.4 – MEDIA MARKINGS '''
-Mark media with necessary CUI markings and distribution limitations.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|144 ]]'''
-Determine if: <br />
-[a] media containing CUI is marked with applicable CUI markings; and <br />
-[b] media containing CUI is marked with distribution limitations.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|A]144 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; procedures addressing media marking;
-physical and environmental protection policy and procedures; system security plan; list of
-system media marking security attributes; designated controlled areas; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system media protection and marking responsibilities;
-personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for marking information media; mechanisms
-supporting or implementing media marking].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|145]] '''
-The term security marking refers to the application or use of human-readable security
-attributes. System media includes digital and non-digital media. Marking of system media
-reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
-'''FURTHER DISCUSSION '''
-All media, hardcopy and digital, must be properly marked to alert individuals to the presence
-of CUI stored on the media. The National Archives and Records Administration (NARA) has
-published guidelines for labeling media of different sizes.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|146 <br />
-]]MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it
-desirable to include ownership information on the device label as well.
- NIST SP 800-171A, p. 42.
- NIST SP 800-171 Rev. 2, p. 30.
- NARA, ''CUI Notice 2019-01: Controlled Unclassified Information (CUI) Coversheets and Labels''
-''' '''
-MP.L2-3.8.4 – Media Markings
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''You were recently contacted by the project team for a new DoD program. The team said they
-wanted the CUI in use for the program to be properly protected. When speaking with them,
-you realize that most of the protections will be provided as part of existing enterprise
-cybersecurity capabilities. They also mentioned that the project team will use several USB
-drives to share  specific data.  You explain that  the team must ensure the USB drives are
-externally marked to indicate the presence of CUI [a]. The project team labels the outside of
-each USB drive with an appropriate CUI  label following NARA guidance [a].  Further, the
-labels indicate that distribution is limited to those employees supporting the DoD program
-[a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are all media containing CUI identified [a,b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.4
-''' '''
-MP.L2-3.8.5 – Media Accountability
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.5 – MEDIA ACCOUNTABILITY '''
-Control access to media containing CUI and maintain accountability for media during
-transport outside of controlled areas.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|147 ]]'''
-Determine if: <br />
-[a] access to media containing CUI is controlled; and <br />
-[b] accountability for media containing CUI is maintained during transport outside of
-controlled areas.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|A]147 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; procedures addressing media storage;
-physical and environmental protection policy and procedures; access control policy and
-procedures; system security plan; system media; designated controlled areas; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system  media protection and storage responsibilities;
-personnel with information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for storing media; mechanisms supporting or
-implementing media storage and media protection].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|148]] '''
-Controlled areas are areas or spaces for which organizations provide physical or procedural
-controls to meet the requirements established for protecting systems and information.
-Controls to maintain accountability for media during transport include locked containers
-and cryptography.  Cryptographic mechanisms can provide confidentiality and integrity
-protections depending upon the mechanisms used.  Activities associated with transport
-include the actual transport as well as those activities such as releasing media for transport
-and ensuring that media enters the appropriate transport processes.  For the actual
-transport, authorized transport and courier personnel may include individuals external to
-the organization. Maintaining accountability of media during transport includes restricting
-transport activities to authorized personnel and tracking and obtaining explicit records of
- NIST SP 800-171A, p. 42.
- NIST SP 800-171 Rev. 2, p. 30.
-''' '''
-MP.L2-3.8.5 – Media Accountability
-CMMC Assessment Guide – Level 2 | Version 2.13
-transport activities as the media moves through the transportation system to prevent and
-detect loss, destruction, or tampering.
-'''FURTHER DISCUSSION '''
-CUI is protected in both physical and digital formats. Physical control can be accomplished
-using traditional concepts like restricted access to physical locations or locking papers in a
-desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be
-stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on.  This
-makes digital CUI data very portable. It is important for an organization to apply mechanisms
-to prevent unauthorized access to CUI due to ease of transport.''' '''
-'''Example <br />
-'''Your team has recently completed configuring a server for a DoD customer. The customer
-has asked that it be ready to plug in and use. An application installed on the server contains
-data that is considered CUI. You box the server for shipment using tamper-evident packaging
-and label it with the specific recipient for the shipment [b]. You select a reputable shipping
-service so you will get a tracking number to monitor the progress. Once the item is shipped,
-you send the recipients the tracking number so they can monitor and ensure prompt delivery
-at their facility.
-'''Potential Assessment Considerations <br />
-'''•
-  Do only approved individuals have access to media containing CUI [a]?
-•
-  Is access to the media containing CUI recorded in an audit log [b]?
-•
-  Is all CUI data on media encrypted or physically locked prior to transport outside of
-secure locations [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.5
-''' '''
-MP.L2-3.8.6 – Portable Storage Encryption
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION '''
-Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital
-media during transport unless otherwise protected by alternative physical safeguards.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|149 ]]'''
-Determine if: <br />
-[a] the confidentiality of CUI stored on digital media is protected during transport using
-cryptographic mechanisms or alternative physical safeguards.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|A]149 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; procedures addressing media transport;
-system  design documentation; system security plan; system configuration settings and
-associated documentation; system media transport records; system audit logs and records;
-other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system media  transport responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Cryptographic mechanisms protecting information on digital media during
-transportation outside controlled areas].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|150]] '''
-This requirement applies to portable storage devices (e.g., USB memory sticks, digital video
-disks, compact disks, external or removable hard disk drives). <br />
-NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
-'''FURTHER DISCUSSION '''
-CUI can be stored and transported on a variety of portable media, which increases the chance
-that the CUI can be lost. When identifying the paths CUI flows through your company, identify
-devices to include in this requirement.
- NIST SP 800-171A, p. 43.
- NIST SP 800-171 Rev. 2, p. 30.
-''' '''
-MP.L2-3.8.6 – Portable Storage Encryption
-CMMC Assessment Guide – Level 2 | Version 2.13
-To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect
-the data. Even if the media are lost, proper encryption renders the data inaccessible. When
-encryption is not an option, apply alternative physical safeguards during transport. <br />
-Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
-the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
-This requirement, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-
-.8.5. This requirement  is intended to protect against situations where control of media
-access fails, such as through the loss of the media.
-'''Example <br />
-'''You manage the backups for file servers in your datacenter. You know that in addition to the
-company’s sensitive information, CUI''' '''is stored on the file servers. As part of a broader plan
-to protect data, you send the backup tapes off site to a vendor. You are aware that your
-backup software provides the option to encrypt data onto tape. You develop a plan to test
-and enable backup encryption for the data sent off site. This encryption provides additional
-protections for the data on the backup tapes during transport and offsite storage [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are all CUI data on media encrypted or physically protected prior to transport outside of
-controlled areas [a]?
-•
-  Are cryptographic mechanisms used to protect digital media during transport outside of
-controlled areas [a]?
-•
-  Do cryptographic mechanisms comply with FIPS 140-2 [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.6
-''' '''
-MP.L2-3.8.7 – Removeable Media
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.7 – REMOVEABLE MEDIA '''
-Control the use of removable media on system components.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|151 ]]'''
-Determine if: <br />
-[a] the use of removable media on system components is controlled.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|A]151 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; system use policy; procedures addressing
-media usage restrictions; system security plan; rules of behavior; system design
-documentation; system configuration settings and associated documentation; system audit
-logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system media use responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for media use; mechanisms restricting or
-prohibiting use of system media on systems or system components].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|152]] '''
-In contrast to requirement MP.L2-3.8.1, which restricts user access to media, this
-requirement restricts the use of certain types of media on systems, for example, restricting
-or prohibiting the use of flash drives or external hard disk drives. Organizations can employ
-technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to
-control the use of system media.  Organizations may control the use of portable storage
-devices, for example, by using physical cages on workstations to prohibit access to certain
-external ports, or disabling or removing the ability to insert, read, or write to such devices. <br />
-Organizations may also limit the use of portable storage devices to only approved devices
-including devices provided by the organization, devices provided by other approved
-organizations, and devices that are not personally owned. Finally, organizations may control
-the use of portable storage devices based on the type of device, prohibiting the use of
-writeable, portable devices, and implementing this restriction by disabling or removing the
-capability to write to such devices. Malicious code protection mechanisms include anti-virus
-signature definitions and reputation-based technologies. Many technologies and methods
- NIST SP 800-171A, p. 43.
- NIST SP 800-171 Rev. 2, pp. 30-31.
-''' '''
-MP.L2-3.8.7 – Removeable Media
-CMMC Assessment Guide – Level 2 | Version 2.13
-exist to limit or eliminate the effects of malicious code. Pervasive configuration management
-and comprehensive software integrity controls may be effective in preventing execution of
-unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
-be present in custom-built software. This could include logic bombs, back doors, and other
-types of cyber-attacks that could affect organizational missions/business functions.
-Traditional malicious code protection mechanisms cannot always detect such code. In these
-situations, organizations rely instead on other safeguards including secure coding practices,
-configuration management and control, trusted procurement processes, and monitoring
-technologies  to help ensure that software does not perform functions other than the
-functions intended.
-'''FURTHER DISCUSSION '''
-Removable media are any type of media storage that you can remove from your computer
-or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable
-media. The policy should cover the various types of removable media (e.g., write-once media
-and rewritable media) and should discuss the company’s  approach to removable media.
-Ensure the following controls are considered and included in the policy: <br />
-•
-  limit the use of removable media to the smallest number needed; and
-•
-  scan all removable media for viruses.
-'''Example <br />
-'''You are in charge of IT operations. You establish a policy for removable media that includes
-USB drives [a]. The policy information such as: <br />
-•
-  only USB drives issued by the organization may be used; and
-•
-  USB drives are to be used for work purposes only [a].
-You set up a separate computer to scan these drives before anyone uses them on the
-network. This computer has anti-virus software installed that is kept up to date.
-'''Potential Assessment Considerations <br />
-'''•
-  Are removable media allowed [a]?
-•
-  Are policies and/or procedures in use to control the use of removable media [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.7
-''' '''
-MP.L2-3.8.8 – Shared Media
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.8 – SHARED MEDIA '''
-Prohibit the use of portable storage devices when such devices have no identifiable owner.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|153 ]]'''
-Determine if: <br />
-[a] the use of portable storage devices is prohibited when such devices have no identifiable
-owner.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|A]153 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System media protection policy; system use policy; procedures addressing
-media usage restrictions; system security plan; rules of behavior; system configuration
-settings and associated documentation; system design documentation; system audit logs and
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system media use responsibilities; personnel with
-information security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of
-media on systems or system components].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|154]] '''
-Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable
-storage devices reduces the overall risk of using such technologies by allowing organizations
-to assign responsibility and accountability for addressing known vulnerabilities in the
-devices (e.g., insertion of malicious code).
-'''FURTHER DISCUSSION '''
-A portable storage device is a system component that can be inserted into and removed from
-a system and is used to store data or information. It typically plugs into a laptop or desktop
-port (e.g., USB port). These devices can contain malicious files that can lead to a compromise
-of a connected system. Therefore, use should be prohibited if the device cannot be traced to
-an owner who is responsible and accountable for its security.
- NIST SP 800-171A, p. 43.
- NIST SP 800-171 Rev. 2, p. 31.
-''' '''
-MP.L2-3.8.8 – Shared Media
-CMMC Assessment Guide – Level 2 | Version 2.13
-This  requirement,  MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7  by
-prohibiting unidentified media use even if that media type is allowable.
-'''Example <br />
-'''You are the IT manager. One day, a staff member reports finding a USB drive in the parking
-lot. You investigate and learn that there are no labels on the outside of the drive to indicate
-who might be responsible for it. You send an email to all employees to remind them that IT
-policies expressly prohibit plugging unknown devices into company computers. You also
-direct staff members to turn in to the IT help desk any devices that have no identifiable
-owner [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Do portable storage devices used have identifiable owners [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.8
-''' '''
-MP.L2-3.8.9 – Protect Backups
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''MP.L2-3.8.9 – PROTECT BACKUPS '''
-Protect the confidentiality of backup CUI at storage locations.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|155 ]]'''
-Determine if: <br />
-[a] the confidentiality of backup CUI is protected at storage locations.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|A]155 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Procedures addressing system backup; system configuration settings and
-associated documentation; security plan; backup storage locations; system backup logs or
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with system backup responsibilities; personnel with information
-security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for conducting system backups; mechanisms
-supporting or implementing system backups].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|156]] '''
-Organizations can employ cryptographic mechanisms or alternative physical controls to
-protect the confidentiality of backup information at designated storage locations. Backed-up
-information containing CUI may include system-level information and user-level
-information. System-level information includes system-state information, operating system
-software, application software, and licenses. User-level information includes information
-other than system-level information.
-'''FURTHER DISCUSSION '''
-You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity).
-Methods to ensure confidentiality may include: <br />
-•
-  encrypting files or media;
-•
-  managing who has access to the information; and
-•
-  physically securing devices and media that contain CUI.
- NIST SP 800-171A, p. 44.
- NIST SP 800-171 Rev. 2, p. 31.
-''' '''
-MP.L2-3.8.9 – Protect Backups
-CMMC Assessment Guide – Level 2 | Version 2.13
-Storage locations for information are varied, and may include: <br />
-•
-  external hard drives;
-•
-  USB drives;
-•
-  magnetic media (tape cartridge);
-•
-  optical disk (CD, DVD);
-•
-  Networked Attached Storage (NAS);
-•
-  servers; and
-•
-  cloud backup.
-This requirement, MP.L2-3.8.9, requires the confidentiality of backup information at storage
-locations.
-'''Example <br />
-'''You are in charge of protecting CUI for your company. Because the company’s backups
-contain CUI, you work with IT to protect the confidentiality of backup data. You agree to
-encrypt all CUI data as it is saved to an external hard drive [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are data backups encrypted on media before removal from a secured facility [a]?
-•
-  Are cryptographic mechanisms FIPS validated [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.8.9
-''' '''
-PS.L2-3.9.1 – Screen Individuals
-CMMC Assessment Guide – Level 2 | Version 2.13
-Personnel Security (PS) <br />
-'''PS.L2-3.9.1 – SCREEN INDIVIDUALS '''
-Screen individuals prior to authorizing access to organizational systems containing CUI.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|157 ]]'''
-Determine if: <br />
-[a] individuals are screened prior to authorizing access to organizational systems
-containing CUI.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|A]157 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Personnel security policy; procedures addressing personnel screening;
-records of screened personnel; system security plan; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with personnel security responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for personnel screening].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|158]] '''
-Personnel security screening (vetting) activities involve the evaluation/assessment of
-individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the
-trustworthiness of the individual) prior to authorizing access to organizational systems
-containing CUI. The screening activities reflect applicable federal laws, Executive Orders,
-directives, policies, regulations, and specific criteria established for the level of access
-required for assigned positions.
-'''FURTHER DISCUSSION '''
-Ensure all employees who need access to CUI undergo organization-defined screening before
-being granted access. Base the types of screening on the requirements for a given position
-and role.
- NIST SP 800-171A, p. 45.
- NIST SP 800-171 Rev. 2, p. 31.
-''' '''
-PS.L2-3.9.1 – Screen Individuals
-CMMC Assessment Guide – Level 2 | Version 2.13
-The effective screening of personnel provided by this requirement, PS.L2-3.9.1, improves
-upon the effectiveness of authentication performed in IA.L2-3.5.2.
-'''Example <br />
-'''You are in charge of security at your organization.  You complete standard criminal
-background and credit checks of all individuals you hire before they can access CUI [a]. Your
-screening program follows appropriate laws, policies, regulations, and criteria for the level
-of access required for each position.
-'''Potential Assessment Considerations <br />
-'''•
-  Are appropriate background checks completed prior granting access to organizational
-systems containing CUI [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.9.1
-''' '''
-PS.L2-3.9.2 – Personnel Actions
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''PS.L2-3.9.2 – PERSONNEL ACTIONS '''
-Ensure that organizational systems containing CUI are protected during and after personnel
-actions such as terminations and transfers.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|159 ]]'''
-Determine if: <br />
-[a] a policy and/or process for terminating system access and any credentials coincident
-with personnel actions is established;
-[b] system access and credentials are terminated consistent with personnel actions such as
-termination or transfer; and
-[c]  the system is protected during and after personnel transfer actions.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|A]159 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Personnel security policy; procedures addressing personnel transfer and
-termination; records of personnel transfer and termination actions; list of system accounts;
-records of terminated or revoked authenticators and credentials; records of exit interviews;
-other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with personnel security responsibilities; personnel with account
-management responsibilities; system or network administrators; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for personnel transfer and termination;
-mechanisms supporting or implementing personnel transfer and termination notifications;
-mechanisms for disabling system access and revoking authenticators].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|160]] '''
-Protecting CUI during and after personnel actions may include returning system-related
-property and conducting exit interviews.  System-related property includes hardware
-authentication tokens, identification cards, system administration technical manuals, keys,
-and building passes.  Exit interviews ensure that individuals who have been terminated
-understand the security constraints imposed by being former employees and that proper
-accountability is achieved for system-related property.  Security topics of interest at exit
-interviews can include reminding terminated individuals of nondisclosure agreements and
- NIST SP 800-171A, p. 45.
- NIST SP 800-171 Rev. 2, pp. 31-32.
-''' '''
-PS.L2-3.9.2 – Personnel Actions
-CMMC Assessment Guide – Level 2 | Version 2.13
-potential limitations on future employment. Exit interviews may not be possible for some
-terminated individuals, for example, in cases related to job abandonment, illnesses, and non-
-availability of supervisors.  For termination actions, timely execution is essential for
-individuals terminated for cause. In certain situations, organizations consider disabling the
-system accounts of individuals that are being terminated prior to the individuals being
-notified. <br />
-This requirement applies to reassignments or transfers of individuals when the personnel
-action is permanent or of such extended durations as to require protection. Organizations
-define the CUI protections appropriate for the types of reassignments or transfers, whether
-permanent or extended. Protections that may be required for transfers or reassignments to
-other positions within organizations include returning old and issuing new keys,
-identification cards, and building passes; changing system access authorizations (i.e.,
-privileges); closing system accounts and establishing new accounts; and providing for access
-to official records to which individuals had access at previous work locations and in previous
-system accounts.
-'''FURTHER DISCUSSION '''
-Employee access to CUI is removed when they change jobs or leave the company. When
-employment or program access is terminated for any reason, the following actions may occur
-within the defined time frame: <br />
-•
-  all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
-•
-  all identification, access cards, and keys are returned; and
-•
-  an exit interview is conducted to remind the employee of their obligations to not discuss
-CUI, even after employment.
-Additionally, perform the following: <br />
-•
-  remove access to all accounts granting access to CUI or modify access to CUI as
-appropriate for a new work role;
-•
-  disable or close employee accounts for departing employees; and
-•
-  limit access to physical spaces with CUI for departing employees or those who transition
-to a work role that does not require access to CUI.
-This requirement, PS.L2-3.9.2, leverages the identification of system users required by IA.L2-
-.5.1 in order to ensure that all accesses are identified and removed.
-'''Example 1 <br />
-'''You are in charge of IT operations. Per organizational policies, when workers leave the
-company, you remove them from any physical CUI access lists. If you are not their supervisor,
-you contact their supervisor or human resources immediately and ask them to: <br />
-•
-  turn in the former employees’ computers for proper handling;
-''' '''
-PS.L2-3.9.2 – Personnel Actions
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  inform help desk or system administrators to have the former employees’ system access
-revoked;
-•
-  retrieve the former employees’ identification and access cards; and
-•
-  have the former employees attend an exit interview where you or human  resources
-remind them of their obligations to not discuss CUI [b].
-'''Example 2 <br />
-'''An employee transfers from one working group in your company to another. Human
-resources team notifies IT of the transfer date, and the employee’s new manager follows
-procedure by submitting a ticket to the IT help desk to provide information on the access
-rights the employee will require in their new role. IT implements the rights for the new
-position and revokes the access for the prior position on the official date of the transfer [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Is information system access disabled upon employee termination or transfer [c]?
-•
-  Are authenticators/ credentials associated with the employee revoked upon termination
-or transfer within a certain time frame [b,c]?
-•
-  Is all company information system-related property retrieved from the terminated or
-transferred employee within a certain timeframe [a,c]?
-•
-  Is access to company information and information systems formerly controlled by the
-terminated or transferred employee retained for a certain timeframe [a,c]?
-•
-  Is the information security office and data owner of the change in authorization notified
-within a certain timeframe [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.9.2
-''' '''
-PE.L2-3.10.1 – Limit Physical Access [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-Physical Protection (PE) <br />
-'''PE.L2-3.10.1 – LIMIT PHYSICAL ACCESS [CUI DATA] '''
-Limit physical access to organizational systems, equipment, and the respective operating
-environments to authorized individuals.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|161 ]]'''
-Determine if: <br />
-[a] authorized individuals allowed physical access are identified; <br />
-[b] physical access to organizational systems is limited to authorized individuals; <br />
-[c]  physical access to equipment is limited to authorized individuals; and <br />
-[d] physical access to operating environments is limited to authorized individuals.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|]161 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-physical access authorizations; system security plan; authorized personnel access list;
-authorization credentials; physical access list reviews; physical access termination records
-and associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with physical access authorization responsibilities; personnel
-with physical access to system facility; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for physical access authorizations; mechanisms
-supporting or implementing physical access authorizations].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|162]] '''
-This requirement applies to employees, individuals with permanent physical access
-authorization credentials, and visitors. Authorized individuals have credentials that include
-badges, identification cards, and smart cards.  Organizations determine the strength of
-authorization credentials needed consistent with applicable laws, directives, policies,
- NIST SP 800-171A, p. 46.
- NIST SP 800-171 Rev. 2, p. 32.
-''' '''
-PE.L2-3.10.1 – Limit Physical Access [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-regulations, standards, procedures, and guidelines. This requirement applies only to areas
-within facilities that have not been designated as publicly accessible. <br />
-Limiting physical access to equipment may include placing equipment in locked rooms or
-other secured areas and allowing access to authorized individuals only,  and placing
-equipment in locations that can be monitored by organizational personnel.  Computing
-devices, external disk drives, networking devices, monitors, printers, copiers, scanners,
-facsimile machines, and audio devices are examples of equipment.
-'''FURTHER DISCUSSION '''
-This addresses the company’s physical space (e.g., office, testing environments, equipment
-rooms),  technical assets, and non-technical assets  that need to be protected from
-unauthorized physical access. Specific environments are limited to authorized employees,
-and access is controlled with badges, electronic locks, physical key locks, etc. <br />
-Output devices, such as printers, are placed in areas where their use does not expose data to
-unauthorized individuals. Lists of personnel with authorized access are developed and
-maintained, and personnel are issued appropriate authorization credentials.
-'''Example <br />
-'''You  manage  a  DoD  project  that  requires special equipment used only by project team
-members [b,c]. You work with the facilities manager to put locks on the doors to the areas
-where the equipment is stored and used [b,c,d].  Project team members are the only
-individuals issued with keys to the space. This restricts access to only those employees who
-work on the DoD project and require access to that equipment.
-'''Potential Assessment Considerations <br />
-'''•
-  Are lists of personnel with authorized access developed and maintained, and are
-appropriate authorization credentials issued [a]?
-•
-  Has the facility/building manager designated building areas as “sensitive” and designed
-physical security protections (e.g., guards, locks, cameras, card readers) to limit physical
-access to the area to only authorized employees [b,c,d]?
-•
-  Are output devices such as printers placed in areas where their use does not expose data
-to unauthorized individuals [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.10.1
-•
-  FAR Clause 52.204-21 b.1.viii
-''' '''
-PE.L2-3.10.2 – Monitor Facility
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''PE.L2-3.10.2 – MONITOR FACILITY  '''
-Protect and monitor the physical facility and support infrastructure for organizational
-systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A] '''
-Determine if:
-[a] the physical facility where organizational systems reside is protected; <br />
-[b] the support infrastructure for organizational systems is protected; <br />
-[c]  the physical facility where organizational systems reside is monitored; and <br />
-[d] the support infrastructure for organizational systems is monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A] '''
-'''Examine <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-physical access monitoring; system security plan; physical access logs or records; physical
-access monitoring records; physical access log reviews; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with physical access monitoring responsibilities; personnel with
-incident response responsibilities; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for monitoring physical access; mechanisms
-supporting or implementing physical access monitoring; mechanisms supporting or
-implementing the review of physical access logs].
-'''DISCUSSION [NIST SP 800-171 R2] '''
-Monitoring of physical access includes publicly accessible areas within organizational
-facilities. This can be accomplished, for example, by the employment of guards; the use of
-sensor devices; or the use of video surveillance equipment such as cameras. Examples of
-support infrastructure include system distribution, transmission, and power lines. Security
-controls applied to the support infrastructure prevent accidental damage, disruption, and
-physical tampering. Such controls may also be necessary to prevent eavesdropping or
-modification of unencrypted transmissions. Physical access controls to support
-infrastructure include locked wiring closets; disconnected or locked spare jacks; protection
-of cabling by conduit or cable trays; and wiretapping sensors.
-''' '''
-PE.L2-3.10.2 – Monitor Facility
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION'''
-The infrastructure inside of a facility, such as power and network cables, is protected so that
-visitors and unauthorized employees cannot access it. The protection is also monitored by
-security guards, video cameras, sensors, or alarms.
-'''Example'''
-You are responsible for protecting your IT facilities. You install video cameras at each
-entrance and exit, connect them to a video recorder, and show the camera feeds on a display
-at the reception desk [c,d]. You also make sure there are secure locks on all entrances, exits,
-and windows to the facilities [a,b].
-'''Potential Assessment Considerations''' <br />
-•
-  Is physical access monitored to detect and respond to physical security incidents [c, d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev 2 3.10.2
-''' '''
-PE.L2-3.10.3 – Escort Visitors [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''PE.L2-3.10.3 – ESCORT VISITORS [CUI DATA] '''
-Escort visitors and monitor visitor activity.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|163 ]]'''
-Determine if: <br />
-[a] visitors are escorted; and <br />
-[b] visitor activity is monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|]163 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-physical access control; system security plan; physical access control logs or records;
-inventory records of physical access control devices; system entry and exit points; records
-of key and lock combination changes; storage locations for physical access control devices;
-physical access control devices; list of security safeguards controlling access to designated
-publicly accessible areas within facility; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for physical access control; mechanisms
-supporting or implementing physical access control; physical access control devices].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|164]] '''
-Individuals with permanent physical access authorization credentials are not considered
-visitors. Audit logs can be used to monitor visitor activity.
-'''FURTHER DISCUSSION '''
-Do not allow visitors, even those people you know well, to walk around your facility without
-an escort. Make sure that all non-employees wear special visitor badges and/or are escorted
-by an employee at all times while on the property.
- NIST SP 800-171A, p. 47.
- NIST SP 800-171 Rev. 2, p. 32.
-''' '''
-PE.L2-3.10.3 – Escort Visitors [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Example <br />
-'''Coming back from a meeting, you see the friend of a coworker walking down the hallway
-near your office. You know this person well and trust them, but are not sure why they are in
-the building. You stop to talk, and the person explains that they are meeting a coworker for
-lunch, but cannot remember where the lunchroom is.  You walk the person back to the
-reception area to get a visitor badge and wait until someone can escort them to the lunch
-room [a]. You report this incident and the company decides to install a badge reader at the
-main door so visitors cannot enter without an escort [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are personnel required to accompany visitors to areas in a facility with physical access
-to organizational systems [a]?
-•
-  Are visitors clearly distinguishable from regular personnel [b]?
-•
-  Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon
-visitor departure, review of visitor audit logs) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.10.3
-•
-  FAR Clause 52.204-21 Partial b.1.ix
- <br />
-''' '''
-PE.L2-3.10.4 – Physical Access Logs [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''PE.L2-3.10.4 – PHYSICAL ACCESS LOGS [CUI DATA] '''
-Maintain audit logs of physical access.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|165 ]]'''
-Determine if: <br />
-[a] audit logs of physical access are maintained.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|]165 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-physical access control; system security plan; physical access control logs or records;
-inventory records of physical access control devices; system entry and exit points; records
-of key and lock combination changes; storage locations for physical access control devices;
-physical access control devices; list of security safeguards controlling access to designated
-publicly accessible areas within facility; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for physical access control; mechanisms
-supporting or implementing physical access control; physical access control devices].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|166]] '''
-Organizations have flexibility in the types of audit logs employed. Audit logs can be
-procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing
-ID provided by a PIV card), or some combination thereof. Physical access points can include
-facility access points, interior access points to systems or system components requiring
-supplemental access controls, or both.  System components (e.g., workstations, notebook
-computers) may be in areas designated as publicly accessible with organizations
-safeguarding access to such devices.
-'''FURTHER DISCUSSION '''
-Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can
-do this in writing by having employees and visitors sign in and sign out or by electronic
- NIST SP 800-171A, p. 47.
- NIST SP 800-171 Rev. 2, pp. 32-33.
-''' '''
-PE.L2-3.10.4 – Physical Access Logs [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-means such as badge readers. Whatever means you use, you need to retain the access records
-for the time period that your company has defined.
-'''Example <br />
-'''You and your coworkers like to have friends and family join you for lunch at the office on
-Fridays. Your small company has just signed a contract with the DoD, however, and you now
-need to document who enters and leaves your facility. You work with the reception staff to
-ensure that all non-employees sign in at the reception area and sign out when they leave [a].
-You retain those paper sign-in sheets in a locked filing cabinet for one year.  Employees
-receive badges or key cards that enable tracking and logging access to company facilities.
-'''Potential Assessment Considerations <br />
-'''•
-  Are logs of physical access to sensitive areas (both authorized access and visitor access)
-maintained per retention requirements [a]?
-•
-  Are visitor access records retained for as long as required [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.10.4
-•
-  FAR Clause 52.204-21 Partial b.1.ix
-''' '''
-PE.L2-3.10.5 – Manage Physical Access [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''PE.L2-3.10.5 – MANAGE PHYSICAL ACCESS [CUI DATA] '''
-Control and manage physical access devices.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|167 ]]'''
-Determine if: <br />
-[a] physical access devices are identified; <br />
-[b] physical access devices are controlled; and <br />
-[c]  physical access devices are managed.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|]167 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-physical access control; system security plan; physical access control logs or records;
-inventory records of physical access control devices; system entry and exit points; records
-of key and lock combination changes; storage locations for physical access control devices;
-physical access control devices; list of security safeguards controlling access to designated
-publicly accessible areas within facility; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for physical access control; mechanisms
-supporting or implementing physical access control; physical access control devices].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|168]] '''
-Physical access devices include keys, locks, combinations, and card readers.
-'''FURTHER DISCUSSION '''
-Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as
-important as monitoring and limiting who is able to physically access certain equipment.
-Physical access devices are only strong protection if you know who has them and what access
-they allow. Physical access devices can be managed using manual or automatic processes
- NIST SP 800-171A, pp. 47-48.
- NIST SP 800-171 Rev. 2, p. 33.
-''' '''
-PE.L2-3.10.5 – Manage Physical Access [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-such a list of who is assigned what key, or updating the badge access system as personnel
-change roles.
-'''Example <br />
-'''You are a facility manager. A team member retired today and returns their company keys to
-you.  The project on which they were working requires  access to areas that  contain
-equipment with CUI. You receive the keys, check your electronic records against the serial
-numbers on the keys to ensure all have been returned, and mark each key returned [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Are lists or inventories of physical access devices maintained (e.g., keys, facility badges,
-key cards) [a]?
-•
-  Is  access to physical access devices  limited  (e.g.,  granted to, and accessible only by,
-authorized individuals) [b]?
-•
-  Are physical access devices managed (e.g., revoking key card access when necessary,
-changing locks as needed, maintaining access control devices and systems) [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.10.5
-•
-  FAR Clause 52.204-21 Partial b.1.ix
-''' '''
-PE.L2-3.10.6 – Alternative Work Sites
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''PE.L2-3.10.6 – ALTERNATIVE WORK SITES '''
-Enforce safeguarding measures for CUI at alternate work sites.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|169 ]]'''
-Determine if: <br />
-[a] safeguarding measures for CUI are defined for alternate work sites; and <br />
-[b] safeguarding measures for CUI are enforced for alternate work sites.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|A]169 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
-alternate work sites for personnel; system security plan; list of safeguards required for
-alternate work sites; assessments of safeguards at alternate work sites; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel approving use of alternate work sites; personnel using alternate
-work sites; personnel assessing controls at alternate work sites; personnel with information
-security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for security at alternate work sites; mechanisms
-supporting alternate work sites; safeguards employed at alternate work sites; means of
-communications between personnel at alternate work sites and security personnel].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|170]] '''
-Alternate work sites may include government facilities or the private residences of
-employees. Organizations may define different security requirements for specific alternate
-work sites or types of sites depending on the work-related activities conducted at those sites. <br />
-NIST SP 800-46 and NIST SP 800-114 provide guidance on enterprise and user security
-when teleworking.
-'''FURTHER DISCUSSION '''
-Many people work from home or travel as part of their job. Define and implement safeguards
-to account for protection of information beyond the enterprise perimeter. Safeguards may
- NIST SP 800-171A, p. 48.
- NIST SP 800-171 Rev. 2, p. 33.
-''' '''
-PE.L2-3.10.6 – Alternative Work Sites
-CMMC Assessment Guide – Level 2 | Version 2.13
-include physical protections, such as locked file drawers, as well as electronic protections
-such as encryption, audit logging, and proper access controls.
-'''Example <br />
-'''Many of your company’s project managers work remotely as they often travel to sponsor
-locations or even work from home. Because the projects on which they work require access
-to CUI, you must ensure the same level of protection is afforded as when they work in the
-office.  You ensure that each laptop is deployed with patch management and anti-virus
-software protection  [b].  Because  data may be stored on the local hard drive,  you have
-enabled full-disk encryption on their laptops [b]. When a remote staff member needs access
-to the internal network you require VPN connectivity that also disconnects the laptop from
-the remote network (i.e.,  prevents  split tunneling) [b]. The VPN requires multifactor
-authentication to verify remote users are who they claim to be [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Do all alternate sites where CUI data is stored or processed meet the same physical
-security requirements as the main site [b]?
-•
-  Does the alternate processing site provide information security measures equivalent to
-those of the primary site [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.10.6
-''' '''
-RA.L2-3.11.1 – RIsk Assessments
-CMMC Assessment Guide – Level 2 | Version 2.13
-Risk Assessment (RA) <br />
-'''RA.L2-3.11.1 – RISK ASSESSMENTS '''
-Periodically assess the risk to organizational operations (including mission, functions, image,
-or reputation), organizational assets, and individuals, resulting from the operation of
-organizational systems and the associated processing, storage, or transmission of CUI.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|171 ]]'''
-Determine if: <br />
-[a] the frequency to assess risk to organizational operations, organizational assets, and
-individuals is defined; and
-[b] risk to organizational operations, organizational assets, and individuals resulting from
-the operation of an organizational system that processes, stores, or transmits CUI is
-assessed with the defined frequency.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|A]171 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Risk assessment policy; security planning policy and procedures;
-procedures addressing organizational risk assessments; system security plan; risk
-assessment; risk assessment results; risk assessment reviews; risk assessment updates;
-other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with risk assessment responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for risk assessment; mechanisms supporting or
-for conducting, documenting, reviewing, disseminating, and updating the risk assessment].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|172]] '''
-Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk
-assessments consider threats, vulnerabilities, likelihood, and impact to organizational
-operations, organizational assets, and individuals based on the operation  and use of
-organizational systems.  Risk assessments also consider risk from external parties (e.g.,
-service providers, contractor operating systems on behalf of the organization, individuals
- NIST SP 800-171A, p. 49.
- NIST SP 800-171 Rev. 2, p. 33.
-''' '''
-RA.L2-3.11.1 – RIsk Assessments
-CMMC Assessment Guide – Level 2 | Version 2.13
-accessing organizational systems, outsourcing entities). Risk assessments, either formal or
-informal, can be conducted at the organization level, the mission or business process level,
-or the system level, and at any phase in the system development life cycle. <br />
-NIST SP 800-30 provides guidance on conducting risk assessments.
-'''FURTHER DISCUSSION '''
-Risk arises from anything that can reduce an organization’s assurance of mission/business
-success; cause harm to image or reputation; or harm individuals, other organizations, or the
-Nation. <br />
-Organizations assess the risk to their operations and assets at regular intervals. Areas where
-weakness or vulnerabilities could lead to risk may include: <br />
-•
-  poorly designed and executed business processes;
-•
-  inadvertent actions of people, such as disclosure or modification of information;
-•
-  intentional actions of people inside and outside the organization;
-•
-  failure of systems to perform as intended;
-•
-  failures of technology; and
-•
-  external events, such as natural disasters, public infrastructure and supply chain failures.
-When conducting risk assessments use established criteria and procedures. The results of
-formal risk assessments are documented. It is important to note that risk assessments differ
-from vulnerability assessments  (see  RA.L2-3.11.2). A vulnerability assessment provides
-input to a risk assessment  along with other information such  as  results from likelihood
-analysis and analysis of potential treat sources. <br />
-Risk assessments should be performed at defined regular intervals. Mission risks include
-anything that will keep an organization from meeting its mission. Function risk is anything
-that will prevent the performance of a function.  Image and reputation risks refer to
-intangible risks that have value and could cause damage to potential or future trust
-relationships.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#201|173]] <br />
-This  requirement,  RA.L2-3.11.1,  which requires  periodically assessing the risk to
-organization systems, assets, and individuals, is a baseline Risk Assessment requirement.
-RA.L2-3.11.1 enables other Risk Assessment requirements (e.g., RA.L2-3.11.3, Vulnerability
-Remediation), as well as CA.L2-3.12.2, Plan of Action.
-'''Example <br />
-'''You are a system administrator. You and your team members are working on a big
-government contract requiring you to store CUI. As part of your periodic (e.g., annual) risk
-assessment exercise, you  evaluate  the  new  risk involved with storing CUI [a,b]. When
-conducting the assessment you consider increased legal exposure, financial requirements of
-safeguarding CUI, potentially elevated attention from external attackers, and other factors.
- NIST SP 800-30, ''Guide for Conducting Risk Assessments'', September 2012.
-''' '''
-RA.L2-3.11.1 – RIsk Assessments
-CMMC Assessment Guide – Level 2 | Version 2.13
-After determining how storing CUI affects your overall risk profile, you use that as a basis for
-a conversation on how that risk should be mitigated.
-'''Potential Assessment Considerations <br />
-'''•
-  Have initial and periodic risk assessments been conducted [b]?
-•
-  Are methods defined for assessing risk (e.g., reviewing security assessments, incident
-reports, and security advisories, identifying threat sources, threat events, and
-vulnerabilities, and determining likelihood, impact, and overall risk to the confidentiality
-of CUI) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.11.1
-''' '''
-RA.L2-3.11.2 – Vulnerability Scan
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''RA.L2-3.11.2 – VULNERABILITY SCAN '''
-Scan for vulnerabilities in organizational systems and applications periodically and when
-new vulnerabilities affecting those systems and applications are identified.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#203|174 ]]'''
-Determine if: <br />
-[a] the frequency to scan for vulnerabilities in organizational systems and applications is
-defined;
-[b] vulnerability scans are performed on organizational systems with the defined
-frequency;
-[c]  vulnerability scans are performed on applications with the defined frequency; <br />
-[d] vulnerability scans are performed on organizational systems when new vulnerabilities
-are identified; and
-[e] vulnerability scans are performed on applications when new vulnerabilities are
-identified.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#203|A]174 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk
-assessment; system security plan; security assessment report; vulnerability scanning tools
-and associated configuration documentation; vulnerability scanning results; patch and
-vulnerability management records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with risk assessment, security assessment and vulnerability
-scanning responsibilities; personnel with vulnerability scan analysis and remediation
-responsibilities; personnel with information security responsibilities; system or network
-administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation,
-and information sharing; mechanisms supporting or implementing vulnerability scanning,
-analysis, remediation, and information sharing].
- NIST SP 800-171A, pp. 49-50.
-''' '''
-RA.L2-3.11.2 – Vulnerability Scan
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#204|175]] '''
-Organizations determine the required vulnerability scanning for all system components,
-ensuring that potential sources of vulnerabilities such as networked printers, scanners, and
-copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new
-vulnerabilities are discovered, announced, and scanning methods developed. This process
-ensures that potential vulnerabilities in the system are identified and addressed as quickly
-as possible. Vulnerability analyses for custom software applications may require additional
-approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three
-approaches. Organizations can employ these analysis approaches in source code reviews and
-in a variety of tools (e.g., static analysis tools, web-based application scanners, binary
-analyzers). Vulnerability scanning includes: scanning for patch levels; scanning for functions,
-ports, protocols, and services that should not be accessible to users or devices; and scanning
-for improperly configured or incorrectly operating information flow control mechanisms. <br />
-To facilitate interoperability, organizations consider using products that are Security
-Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in
-the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the
-Open Vulnerability Assessment Language (OVAL) to determine the presence of system
-vulnerabilities.  Sources for vulnerability information include the Common Weakness
-Enumeration (CWE) listing and the National Vulnerability Database (NVD). <br />
-Security assessments, such as red team exercises, provide additional sources of potential
-vulnerabilities for which to scan.  Organizations also consider using scanning tools that
-express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain
-situations, the nature of the vulnerability scanning may be more intrusive or the system
-component that is the subject of the scanning may contain highly sensitive information.
-Privileged access authorization to selected system components facilitates thorough
-vulnerability scanning and protects the sensitive nature of such scanning. <br />
-NIST SP 800-40 provides guidance on vulnerability management.
-'''FURTHER DISCUSSION '''
-A vulnerability scanner is an application that identifies vulnerabilities in organizational
-assets. Most scanners can create a prioritized list of vulnerabilities ordered by their level of
-severity. Scan for vulnerabilities on all devices connected to the network including servers,
-desktops, laptops, virtual machines, containers, firewalls, switches, and printers. All assets
-that are within the scope of the CMMC assessment must be scanned, including assets such as
-laptop computers that may not routinely connect to an organization’s network. <br />
-Perform reviews of your organization’s custom-developed software. Vulnerability analysis
-of a custom-made solution may require a penetration tester to properly test and validate
-findings. Automated vulnerability scanners may not be as thorough when scanning custom
-developed applications. Source code scanners can help identify weaknesses and
-vulnerabilities within code prior to compilation and use.
- NIST SP 800-171 Rev. 2, pp. 33-34.
-''' '''
-RA.L2-3.11.2 – Vulnerability Scan
-CMMC Assessment Guide – Level 2 | Version 2.13
-The vulnerability scanning process is a regular activity, not a single occurrence.
-Organizations put in place a vulnerability scanner that updates its database each time it
-performs a scan so it can identify the most current known vulnerabilities. Schedule scans
-with consideration of the potential for impact to normal operations and use caution when
-scanning critical assets. <br />
-This requirement, RA.L2-3.11.2, which ensures scanning for vulnerabilities in
-organizational systems and application, is a baseline Risk Assessment requirement. RA.L2-
-.11.2, contributes to performing risk assessments as described in RA.L2-3.11.1.
-'''Example <br />
-'''You are a system administrator. Your organization has assessed its risk and determined that
-it needs to scan for vulnerabilities in systems and applications once each quarter [a]. You
-conduct some tests and decide that it is important to be able to schedule scans after standard
-business hours. You also realize that you have remote workers and that you will need to be
-sure to scan their remote computers as well [b]. After some final tests, you integrate the scans
-into normal IT operations, running as scheduled [b,c]. You verify that the scanner application
-receives the latest updates on vulnerabilities and that those are included in future scans [d,e].
-'''Potential Assessment Considerations <br />
-'''•
-  Is  the frequency specified for vulnerability scans to be performed in organizational
-systems and applications (e.g., continuous passive scanning, scheduled active scans) [a]?
-•
-  Are vulnerability scans performed on a defined frequency or randomly in accordance
-with company policy [a,b,c]?
-•
-  Are systems periodically scanned for common and new vulnerabilities [d,e]?
-•
-  Is the list of scanned system vulnerabilities updated on a defined frequency or when new
-vulnerabilities are identified and reported [d,e]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.11.2
-''' '''
-RA.L2-3.11.3 – Vulnerability Remediation
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''RA.L2-3.11.3 – VULNERABILITY REMEDIATION '''
-Remediate vulnerabilities in accordance with risk assessments.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|176 ]]'''
-Determine if: <br />
-[a] vulnerabilities are identified; and <br />
-[b] vulnerabilities are remediated in accordance with risk assessments.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|A]176 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk
-assessment; system security plan; security assessment report; vulnerability scanning tools
-and associated configuration documentation; vulnerability scanning results; patch and
-vulnerability management records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with risk assessment, security assessment and vulnerability
-scanning responsibilities; personnel with vulnerability scan analysis responsibilities;
-personnel with vulnerability remediation responsibilities; personnel with information
-security responsibilities; system or network administrators].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation,
-and information sharing; mechanisms supporting or implementing vulnerability scanning,
-analysis, remediation, and information sharing].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|177]] '''
-Vulnerabilities discovered, for example, via the scanning conducted in response to RA.L2-
-.11.2, are remediated with consideration of the related assessment of risk.  The
-consideration of risk influences the prioritization of remediation efforts and the level of
-effort to be expended in the remediation for specific vulnerabilities.
-'''FURTHER DISCUSSION '''
-Not all vulnerabilities captured in a vulnerability scanner may pose the same level of risk to
-an organization. Prioritize mitigation efforts to close the most critical vulnerabilities first.
- NIST SP 800-171A, p. 50.
- NIST SP 800-171 Rev. 2, p. 34.
-''' '''
-RA.L2-3.11.3 – Vulnerability Remediation
-CMMC Assessment Guide – Level 2 | Version 2.13
-Track all vulnerability remediation to ensure completion; also track vulnerabilities that you
-have determined not to remediate. <br />
-This  requirement,  RA.L2-3.11.3, benefits from CA.L2-3.12.2.  RA.L2-3.11.3  allows
-remediation of vulnerabilities to take place based on the developed plans of actions for
-vulnerabilities from CA.L2-3.12.2.
-'''Example <br />
-'''You are a system administrator. Each quarter you receive a list of vulnerabilities generated
-by your company’s vulnerability scanner [a]. You prioritize that list and note which
-vulnerabilities should be targeted as soon as possible as well as which vulnerabilities you
-can safely defer addressing at this time. You document the reasoning behind accepting the
-risk of the unremediated flaws and note to continue to monitor these vulnerabilities in case
-you need to revise the decision at a later date [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are the results of risk assessments used to prioritize vulnerabilities for remediation [b]?
-•
-  For any given vulnerability is action taken for remediation, acceptance, avoidance, or
-transference of the vulnerability risk [b]?
-•
-  Are all high risk vulnerabilities prioritized [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.11.3
-''' '''
-CA.L2-3.12.1 – Security Control Assessment
-CMMC Assessment Guide – Level 2 | Version 2.13
-Security Assessment (CA) <br />
-'''CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT '''
-Periodically assess the security controls in organizational systems to determine if the
-controls are effective in their application. <br />
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|178 ]]'''
-Determine if: <br />
-[a] the frequency of security control assessments is defined; and <br />
-[b] security controls are assessed with the defined frequency to determine if the controls
-are effective in their application.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|A]178 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security assessment and authorization policy; procedures addressing
-security assessment planning; procedures addressing security assessments; security
-assessment plan; system security plan; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with security assessment responsibilities; personnel with
-information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting security assessment, security assessment plan
-development, and security assessment reporting]. <br />
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|179]] '''
-Organizations assess security controls in organizational systems and the environments in
-which those systems operate as part of the system development life cycle. Security controls
-are the safeguards or countermeasures organizations implement to satisfy security
-requirements. By assessing the implemented security controls, organizations determine if
-the security safeguards or countermeasures are in place and operating as intended. Security
-control assessments ensure that information security is built into organizational systems;
-identify weaknesses and deficiencies early in the development process; provide essential
-information needed to make risk-based decisions; and ensure compliance to vulnerability
- NIST SP 800-171A, p. 51.
- NIST SP 800-171 Rev. 2, pp. 34-35.
-''' '''
-CA.L2-3.12.1 – Security Control Assessment
-CMMC Assessment Guide – Level 2 | Version 2.13
-mitigation procedures. Assessments are conducted on the implemented security controls as
-documented in system security plans. <br />
-Security assessment reports document assessment results in sufficient detail as deemed
-necessary by organizations, to determine the accuracy and completeness of the reports and
-whether the security controls are implemented correctly, operating as intended, and
-producing the desired outcome with respect to meeting security requirements. Security
-assessment results are provided to the individuals or roles appropriate for the types of
-assessments being conducted. <br />
-Organizations ensure that security assessment results are current, relevant to the
-determination of security control effectiveness, and obtained with the appropriate level of
-assessor independence. Organizations can choose to use other types of assessment activities
-such as vulnerability scanning and system monitoring to maintain the security posture of
-systems during the system life cycle. <br />
-NIST SP 800-53 provides guidance on security and privacy controls for systems and
-organizations. SP 800-53A provides guidance on developing security assessment plans and
-conducting assessments. <br />
-'''FURTHER DISCUSSION '''
-Avoid a “set it and forget it” mentality when implementing security controls. The security
-landscape is constantly changing. Reassess existing controls at periodic intervals in order to
-validate their effectiveness in your environment. Set the assessment schedule according to
-organizational needs. Consider regulatory obligations and internal policies when assessing
-the controls. <br />
-Outputs from security control assessments typically include: <br />
-•
-  documented assessment results;
-•
-  proposed new controls, or updates to existing controls;
-•
-  remediation plans; and
-•
-  newly identified risks.
-This  requirement,  CA.L2-3.12.1, which ensures determining security controls are
-implemented properly, promotes effective security assessments for organizational systems
-mandated by CA.L2-3.12.3.
-'''Example <br />
-'''You are in charge of IT operations. You need to ensure that the security controls
-implemented within the system are achieving their objectives [b]. Taking the requirements
-outlined in your SSP as a guide, you conduct annual written reviews of the security controls
-to ensure they meet your organization’s needs. When you find controls that do not meet
-requirements, you propose updated or new controls, develop a written implementation plan,
-document new risks, and execute the changes.
-''' '''
-CA.L2-3.12.1 – Security Control Assessment
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Potential Assessment Considerations <br />
-'''•
-  Are security controls assessed at least annually [a]?
-•
-  Is the output of the security controls assessment documented [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.12.1
-''' '''
-CA.L2-3.12.2 – operational Plan of Action
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CA.L2-3.12.2 – OPERATIONAL PLAN OF ACTION '''
-Develop and implement plans of action designed to correct deficiencies and reduce or
-eliminate vulnerabilities in organizational systems. <br />
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|180 ]]'''
-Determine if: <br />
-[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified; <br />
-[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate
-identified vulnerabilities; and
-[c]  the plan of action is implemented to correct identified deficiencies and reduce or
-eliminate identified vulnerabilities.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|A]180 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security assessment and authorization policy; procedures addressing plan
-of action; system security plan; security assessment plan; security assessment report;
-security assessment evidence; plan of action; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with plan of action development and implementation
-responsibilities; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms for developing, implementing, and maintaining plan of action]. <br />
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|181]] '''
-The plan of action is a key document in the information security program. Organizations
-develop plans of action that describe how any unimplemented security requirements will be
-met and how any planned mitigations will be implemented. Organizations can document the
-system security plan and plan of action as separate or combined documents and in any
-chosen format. <br />
-Federal agencies may consider the submitted system security plans and plans of action as
-critical inputs to an overall risk management decision to process, store, or transmit CUI on a
-system hosted by a nonfederal organization and whether it is advisable to pursue an
-agreement or contract with the nonfederal organization.
- NIST SP 800-171A, p. 51.
- NIST SP 800-171 Rev. 2, p. 35.
-''' '''
-CA.L2-3.12.2 – operational Plan of Action
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-When you write a plan of action, define the clear goal or objective of the plan. You may
-include the following in the action plan: <br />
-•
-  ownership of who is accountable for ensuring the plan’s performance;
-•
-  specific steps or milestones that are clear and actionable;
-•
-  assigned responsibility for each step or milestone;
-•
-  milestones to measure plan progress; and
-•
-  completion dates.
-This requirement, CA.L2-3.12.2, which ensures developing and implementing operational
-plans of action to correct and reduce vulnerabilities in systems, is driven by risk management
-requirement  RA.L2-3.11.1, which promotes periodically assessing risk to organizational
-systems. CA.L2-3.12.2 promotes monitoring security controls on an ongoing basis as defined
-in requirement CA.L2-3.12.3. <br />
-An operational  plan of action in accordance with CA.L2-3.12.2 differs from a CMMC
-assessment  POA&amp;M as described in 32 CFR § 170.21.  The assessment POA&amp;M  places
-conditions on which security requirements can be assessed as NOT MET and allows the OSA
-to qualify for a CMMC Status of Conditional Level 2 (Self), Conditional Level 2 (C3PAO), or
-Conditional Level 3 (DIBCAC). Operational plans of action are not subject to the 180 day
-POA&amp;M closeout requirement.  Severity, availability of remediation, and  business
-requirements are among the factors to consider when creating and maintaining operational
-plans of action.
-'''Example <br />
-'''As IT director, one of your duties is to develop action plans when you discover that your
-company is not meeting security requirements or when a security issue arises [b]. A recent
-vulnerability scan identified several items that need to be addressed so you develop a plan
-to fix them [b]. Your plan identifies the people responsible for fixing the issues, how to do it,
-and when the remediation will be completed [b]. You also define how to verify that the
-person responsible has fixed the vulnerability [b]. You document this in an operational plan
-of action that is updated as milestones are reached [b]. You have a separate resource review
-the modifications after they have been completed to ensure the plan has been implemented
-correctly [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Is there an action plan to remediate identified weaknesses or deficiencies [a]?
-•
-  Is the action plan maintained as remediation is performed [b]?
-•
-  Does the action plan designate remediation dates and milestones for each item [c]?
-''' '''
-CA.L2-3.12.2 – operational Plan of Action
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.12.2
-''' '''
-CA.L2-3.12.3 – Security Control Monitoring
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CA.L2-3.12.3 – SECURITY CONTROL MONITORING '''
-Monitor security controls on an ongoing basis to ensure the continued effectiveness of the
-controls.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|182 ]]'''
-Determine if: <br />
-[a] security controls are monitored on an ongoing basis to ensure the continued
-effectiveness of those controls.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|A]182 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security planning policy; organizational procedures addressing system
-security plan development and implementation; procedures addressing system security
-plan reviews and updates; enterprise architecture documentation; system security plan;
-records of system security plan reviews and updates; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with security planning and system security plan implementation
-responsibilities; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for system security plan development, review,
-update, and approval; mechanisms supporting the system security plan].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|183]] '''
-Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities,
-and information security to support organizational risk management decisions. The terms
-continuous and ongoing imply that organizations assess and analyze security controls and
-information security-related risks at a frequency sufficient to support risk-based decisions.
-The results of continuous monitoring programs generate appropriate risk response actions
-by organizations. Providing access to security information on a continuing basis through
-reports or dashboards gives organizational officials the capability to make effective and
-timely risk management decisions.  Automation supports more frequent updates to
-hardware, software, firmware inventories, and other system information. Effectiveness is
-further enhanced when continuous monitoring outputs are formatted to provide
-information that is specific, measurable, actionable, relevant, and timely.  Monitoring
- NIST SP 800-171A, p. 52.
- NIST SP 800-171 Rev. 2, p. 35.
-''' '''
-CA.L2-3.12.3 – Security Control Monitoring
-CMMC Assessment Guide – Level 2 | Version 2.13
-requirements, including the need for specific monitoring, may also be referenced in other
-requirements. <br />
-NIST SP 800-137 provides guidance on continuous monitoring.
-'''FURTHER DISCUSSION '''
-Provide a plan for monitoring the state of security controls on a recurring basis that occurs
-more frequently than the periodic assessments discussed in CA.L2-3.12.1.  This process
-provides a mechanism to assess the overall security posture of your organization, which
-directly relates to activities discussed in CA.L2-3.12.4.  As a result,  the process not only
-maintains awareness of vulnerabilities and threats, but it also informs management of the
-effectiveness of the security controls in determining if security controls are current and for
-management to make an acceptable risk decision.
-'''Example <br />
-'''You are responsible for ensuring your company fulfills all cybersecurity requirements for its
-DoD contracts. You review those requirements and the security controls your company has
-put in place to meet them. You then create a plan to evaluate each control regularly over the
-next year. You mark several controls to be evaluated by a third-party security assessor. You
-assign  other IT resources in the organization  to evaluate controls within their area of
-responsibility. To ensure progress you establish recurring meetings with the accountable IT
-staff to assess continuous monitoring progress, review security information, evaluate risks
-from gaps in continuous monitoring, and produce reports for your management [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are the security controls that need to be continuously monitored identified [a]?
-•
-  Is the timeframe for continuous monitoring activities to support risk-based decision
-making defined [a]?
-•
-  Is the output of continuous monitoring activities provided to stakeholders [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.12.3
-''' '''
-CA.L2-3.12.4 – System Security Plan
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''CA.L2-3.12.4 – SYSTEM SECURITY PLAN '''
-Develop, document, and periodically update system security plans that describe system
-boundaries, system environments of operation, how security requirements are
-implemented, and the relationships with or connections to other systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#216|184 ]]'''
-Determine if: <br />
-[a] a system security plan is developed; <br />
-[b] the system boundary is described and documented in the system security plan; <br />
-[c]  the system environment of operation is described and documented in the system
-security plan;
-[d] the security requirements identified and approved by the designated authority as
-non-applicable are identified;
-[e] the method of security requirement implementation is described and documented in
-the system security plan;
-[f]  the relationship with or connection to other systems is described and documented in
-the system security plan;
-[g] the frequency to update the system security plan is defined; and <br />
-[h] system security plan is updated with the defined frequency.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#216|A]184 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security planning policy; procedures addressing system security plan
-development and implementation; procedures addressing system security plan reviews and
-updates; enterprise architecture documentation; system security plan; records of system
-security plan reviews and updates; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with security planning and system security plan implementation
-responsibilities; personnel with information security responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for system security plan development, review,
-update, and approval; mechanisms supporting the system security plan].
- NIST SP 800-171A, p. 52.
-''' '''
-CA.L2-3.12.4 – System Security Plan
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#217|185]] '''
-System security plans relate security requirements to a set of security controls.  System
-security plans also describe, at a high level, how the security controls meet those security
-requirements, but do not provide detailed, technical  descriptions of the design or
-implementation of the controls.  System security plans contain sufficient information to
-enable a design and implementation that is unambiguously compliant with the intent of the
-plans and subsequent determinations of risk if the plan is implemented as intended. Security
-plans need not be single documents; the plans can be a collection of various documents
-including documents that already exist.  Effective security plans make extensive use of
-references to policies, procedures, and additional documents (e.g., design and
-implementation specifications) where more detailed information can be obtained.  This
-reduces the documentation requirements associated with security programs and maintains
-security-related information in other established management/operational areas related to
-enterprise architecture, system development life cycle, systems engineering, and acquisition. <br />
-Federal agencies may consider the submitted system security plans and plans of action as
-critical inputs to an overall risk management decision to process, store, or transmit CUI on a
-system hosted by a nonfederal organization and whether it is advisable to pursue an
-agreement or contract with the nonfederal organization. <br />
-NIST SP 800-18 provides guidance on developing security plans.
-'''FURTHER DISCUSSION '''
-A system security plan (SSP) is a document that outlines how an organization implements
-its security requirements. OSAs must have an SSP  in place at the time of assessment to
-describe each information system within the CMMC Assessment Scope. The absence of an
-up-to-date SSP at the time of the assessment would result in a finding that an assessment
-could not be completed due to incomplete information and noncompliance with DFARS
-clause 252.204-7012. OSAs are free to choose the format of their SSP. At a minimum, an SSP
-must include: <br />
-•
-  Description of the CMMC Assessment Scope;
-•
-  CMMC Assessment Scope  Description: high-level description of the assets  within the
-assessment scope[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#217|186]];
-•
-  Description of the Environment of Operation: physical surroundings in which an
-information system processes, stores, and transmits information;
-•
-  Identified and Approved Security Requirements: requirements levied on an information
-system that are derived from applicable laws, Executive Orders, directives, policies,
-standards, instructions, regulations, procedures, or organizational mission/business
-case needs to ensure the confidentiality, integrity, and availability of the information
-being processed, stored, or transmitted;
- NIST SP 800-171 Rev. 2, pp. 35-36.
- There is no requirement to embed every asset in the SSP. .
-''' '''
-CA.L2-3.12.4 – System Security Plan
-CMMC Assessment Guide – Level 2 | Version 2.13
-•
-  Implementation Method for Security Requirements: description of how the identified
-and approved security requirements are implemented with the system or environment;
-•
-  Connections and Relationships to Other Systems and Networks: description of related,
-dependent, and interconnected systems; and
-•
-  Defined Frequency of Updates: at least annually.
-In addition to the requirements above, an SSP often includes: <br />
-•
-  general information system description: technical and functional description;
-•
-  design  philosophies:  defense-in-depth strategies and allowed interfaces and network
-protocols; and
-•
-  roles and responsibilities: description of the roles and responsibilities for key personnel,
-which may include the system owner, system custodian, authorizing officials, and other
-stakeholders
-This  requirement,  CA.L2-3.12.4, which requires  developing, documenting, and updating
-system security plans, promotes effective information security within organizational
-systems required by SC.L2-3.13.2, as well as other system and communications protection
-requirements.
-'''Example <br />
-'''You are in charge of system security. You develop an SSP and have senior leadership formally
-approve the document [a]. The SSP explains how your organization handles CUI and defines
-how that data is stored, transmitted, and protected [d,e]. The criteria outlined in the SSP is
-used to guide configuration of the network and other information resources to meet your
-company’s goals. Knowing that it is important to keep the SSP current, you establish a policy
-that requires a formal review and update of the SSP each year [g,h].
-'''Potential Assessment Considerations <br />
-'''•
-  Do mechanisms exist to develop and periodically update an SSP [a,g]?
-•
-  Are security requirements identified and approved by the designated authority as
-non-applicable documented [d]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.12.4
-''' '''
-SC.L2-3.13.1 – Boundary Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-System and Communications Protection (SC) <br />
-'''SC.L2-3.13.1 – BOUNDARY PROTECTION [CUI DATA] '''
-Monitor, control, and protect communications (i.e., information transmitted or received by
-organizational systems) at the external boundaries and key internal boundaries of
-organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|187 ]]'''
-Determine if: <br />
-[a] the external system boundary is defined; <br />
-[b] key internal system boundaries are defined; <br />
-[c]  communications are monitored at the external system boundary; <br />
-[d] communications are monitored at key internal boundaries; <br />
-[e] communications are controlled at the external system boundary; <br />
-[f]  communications are controlled at key internal boundaries; <br />
-[g] communications are protected at the external system boundary; and <br />
-[h] communications are protected at key internal boundaries.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|]187 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system security plan; list of key internal boundaries of the system;
-system design documentation; boundary protection hardware and software; enterprise
-security architecture documentation; system audit logs and records; system configuration
-settings and associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers; personnel with boundary protection responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing boundary protection capability].
- NIST SP 800-171A, p. 53.
-''' '''
-SC.L2-3.13.1 – Boundary Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#220|188]] '''
-Communications can be monitored, controlled, and protected at boundary components and
-by restricting or prohibiting interfaces in organizational systems.  Boundary components
-include gateways, routers, firewalls, guards, network-based malicious code analysis and
-virtualization systems, or encrypted tunnels implemented within a system security
-architecture (e.g., routers protecting firewalls or application gateways residing on protected
-subnetworks).  Restricting or prohibiting interfaces in organizational systems includes
-restricting external web communications traffic to designated web servers within managed
-interfaces and prohibiting external traffic that appears to be spoofing internal addresses. <br />
-Organizations consider the shared nature of commercial telecommunications services in the
-implementation of security requirements associated with the use of such services.
-Commercial telecommunications services are commonly based on network components and
-consolidated management systems shared by all attached commercial customers and may
-also include third party-provided access lines and other service elements. Such transmission
-services may represent sources of increased risk despite contract security provisions. NIST
-SP 800-41 provides guidance on firewalls and firewall policy. NIST SP 800-125B provides
-guidance on security for virtualization technologies.
-'''FURTHER DISCUSSION '''
-Fences, locks, badges, and key cards help keep non-employees out of your physical facilities.
-Similarly, your company’s IT network or system has boundaries that must be protected.
-Many companies use a web proxy and a firewall. <br />
-When an employee uses a company computer to go to a website, a web proxy makes the
-request on the user’s behalf, looks at the web request, and decides if it should let the
-employee go to the website. <br />
-A firewall controls access from the inside and outside, protecting valuable information and
-resources stored on the company’s network. A firewall stops unwanted traffic on the internet
-from passing through an outside “fence” to the company’s networks and information
-systems.  Internal boundaries determine where data can flow, for instance a software
-development environment may have its own boundary controlling,  monitoring, and
-protecting the data that can leave that boundary. <br />
-It may be wise to monitor, control, or protect one part of the company network from another.
-This can also be accomplished  with a firewall  and  limits  the ability of attackers  and
-disgruntled employees from entering sensitive parts of your internal network and causing
-damage.
-'''Example <br />
-'''You are setting up the new network and want to keep your  company’s information and
-resources safe. You start by sketching out a simple diagram that identifies the external
-boundary of your network and any internal boundaries that are needed [a,b]. The first piece
- NIST SP 800-171 Rev. 2, p. 36.
-''' '''
-SC.L2-3.13.1 – Boundary Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-of equipment you install is the firewall, a device to separate your internal network from the
-internet. The firewall also has a feature that allows you to block access to potentially
-malicious websites, and you configure that service as well [a,c,e,g]. Some of your coworkers
-complain that they cannot get onto certain websites [c,e,g]. You explain that the new network
-blocks websites that are known for spreading malware. The firewall sends you a daily digest
-of blocked activity so that you can monitor the system for attack trends [c,d].
-'''Potential Assessment Considerations <br />
-'''•
-  What are the external system boundary components that make up the entry and exit
-points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all
-system components that handle regulated data are contained? What are the supporting
-system components necessary for the protection of regulated data [a]?
-•
-  What are the internal system boundary components that make up the entry and exit
-points for key internal data flow (e.g., internal firewalls, routers, any devices that can
-bridge the connection between one segment of the system and another) that separate
-segments of the internal network –  including devices that separate internal network
-segments such as development and production networks as well as a traditional
-Demilitarized Zone (DMZ) at the edge of the network [b]?
-•
-  Is data flowing in and out of the external and key internal system boundaries monitored
-(e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)
-[c,d]?
-•
-  Is  data  traversing  the external and internal system  boundaries  controlled  such that
-connections are denied by default and only authorized connections are allowed [e,f]?
-•
-  Is data flowing in and out of the external and key internal system boundaries protected
-(e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.1
-•
-  FAR Clause 52.204-21 b.1.x
-''' '''
-SC.L2-3.13.2 – Security Engineering
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.2 – SECURITY ENGINEERING '''
-Employ architectural designs, software development techniques, and systems engineering
-principles that promote effective information security within organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#222|189 ]]'''
-Determine if: <br />
-[a] architectural designs that promote effective information security are identified; <br />
-[b] software development techniques that promote effective information security are
-identified;
-[c]  systems engineering principles that promote effective information security are
-identified;
-[d] identified architectural designs that promote effective information security are
-employed;
-[e] identified software development techniques that promote effective information
-security are employed; and
-[f]  identified systems engineering principles that promote effective information security
-are employed.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#222|A]189 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Security planning policy; procedures addressing system security plan
-development and implementation; procedures addressing system security plan reviews and
-updates; enterprise architecture documentation; system security plan; records of system
-security plan reviews and updates; system and communications protection policy;
-procedures addressing security engineering principles used in the specification, design,
-development, implementation, and modification of the system; security architecture
-documentation; security requirements and specifications for the system; system design
-documentation; system configuration settings and associated documentation; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with responsibility for determining information system security
-requirements; personnel with information system design, development, implementation,
-and modification responsibilities; personnel with security planning and system security plan
-implementation responsibilities; personnel with information security responsibilities].
- NIST SP 800-171A, pp. 53-54.
-''' '''
-SC.L2-3.13.2 – Security Engineering
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Test <br />
-'''[SELECT FROM: Organizational processes for system security plan development, review,
-update, and approval; mechanisms supporting the system security plan; processes for
-applying security engineering principles in system specification, design, development,
-implementation, and modification; automated mechanisms  supporting the application of
-security engineering principles in information system specification, design, development,
-implementation, and modification].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#223|190]] '''
-Organizations apply systems security engineering principles to new development systems
-or systems undergoing major upgrades. For legacy systems, organizations apply systems
-security engineering principles to system upgrades and modifications to the extent feasible,
-given the current state of hardware, software, and firmware components within those
-systems. The application of systems security engineering concepts and principles helps to
-develop trustworthy, secure, and resilient systems and system components and reduce the
-susceptibility of organizations to disruptions, hazards, and threats.  Examples of these
-concepts and principles include developing layered protections; establishing security
-policies, architecture, and controls as the foundation for design; incorporating security
-requirements into the system development life cycle; delineating physical and logical
-security boundaries; ensuring that developers are trained on how to build secure software;
-and performing threat modeling to identify use cases, threat agents, attack vectors and
-patterns, design patterns, and compensating controls needed to mitigate risk. Organizations
-that apply security engineering concepts and principles can facilitate the development of
-trustworthy, secure systems, system components, and system services; reduce risk to
-acceptable levels; and make informed risk-management decisions. <br />
-NIST SP 800-160-1 provides guidance on systems security engineering.
-'''FURTHER DISCUSSION '''
-Familiarity with security engineering principles and their successful  application to your
-infrastructure will increase the security of your environment.  NIST SP 800-160  ''System ''
-''Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of ''
-''Trustworthy Secure Systems''  can serve as a source of security engineering and design
-principles. <br />
-Decide which designs and principles to apply. Some will not be possible or appropriate for a
-given company or for specific systems or components. <br />
-Designs and principles should be applied to policies and security standards. Starting with
-the  baseline configuration, they should be extended through all layers of the technology
-stack (e.g.,  hardware, software, firmware) and throughout all the components of the
-infrastructure.  The application of these chosen designs and principles should drive you
- NIST SP 800-171 Rev. 2, pp. 36-37.
-''' '''
-SC.L2-3.13.2 – Security Engineering
-CMMC Assessment Guide – Level 2 | Version 2.13
-towards a secure architecture with the required security capabilities and intrinsic behaviors
-present throughout the lifecycle of your technology. <br />
-As legacy components age, it may become increasingly difficult for those components to meet
-security principles and requirements. This should factor into life-cycle decisions for those
-components (e.g., replacing legacy hardware, upgrading or re-writing software, upgrading
-run-time environments).
-'''Example <br />
-'''You are responsible for developing strategies to protect data and harden your infrastructure.
-You are on a team responsible for performing a major upgrade to a legacy system. You refer
-to your documented security engineering principles [c]. Reviewing each, you decide which
-are appropriate and applicable  [c].  You apply the chosen designs and principles when
-creating your design for the upgrade [f]. <br />
-You document the security requirements for the software and hardware changes to ensure
-the principles are followed. You review the upgrade at critical points in the workflow to
-ensure the requirements are met. You assist in updating the policies covering the use of the
-upgraded system so user behavior stays aligned with the principles.
-'''Potential Assessment Considerations <br />
-'''•
-  Does the organization have a defined system architecture [a,d]?
-•
-  Are system security engineering principles applied in the specification, design,
-development and implementation of the systems [d,e,f]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.2
-''' '''
-SC.L2-3.13.3 – Role Separation
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.3 – ROLE SEPARATION '''
-Separate user functionality from system management functionality.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|191 ]]'''
-Determine if: <br />
-[a] user functionality is identified; <br />
-[b] system management functionality is identified; and <br />
-[c]  user functionality is separated from system management functionality.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|A]191 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-application partitioning; system design documentation; system configuration settings and
-associated documentation; system security plan; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer].
-'''Test <br />
-'''[SELECT FROM: Separation of user functionality from system management functionality].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|192]] '''
-System management functionality includes functions necessary to administer databases,
-network components, workstations, or servers, and typically requires privileged user access.
-The separation of user functionality from system management functionality is physical or
-logical. Organizations can implement separation of system management functionality from
-user functionality by using different computers, different central processing units, different
-instances of operating systems, or different network addresses; virtualization techniques; or
-combinations of these or other methods, as appropriate. This type of separation includes
-web administrative interfaces that use separate authentication methods for users of any
-other system resources. Separation of system and user functionality may include isolating
-administrative interfaces on different domains and with additional access controls.
- NIST SP 800-171A, p. 54.
- NIST SP 800-171 Rev. 2, p. 37.
-''' '''
-SC.L2-3.13.3 – Role Separation
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Prevent users and user services from accessing system management functionality on IT
-components (e.g., databases, network components, workstations, servers). This reduces the
-attack surface to those critical interfaces by limiting who can access and how they can be
-accessed. By separating the user functionality from system management functionality, the
-administrator or privileged functions are not available to the general user. <br />
-The intent of this requirement is to ensure: <br />
-•
-  general users are not permitted to perform system administration functions; and
-•
-  system administrators only perform system administration functions from their
-privileged account.
-This can be accomplished using separation like VLANs or logical separation using strong
-access control methods.
-'''Example <br />
-'''As a system administrator, you are responsible for managing a number of core systems.
-Policy  prevents you from conducting any administration from the computer or system
-account you use for day-to-day work [a,b]. The servers you manage also are isolated from
-the main corporate network. To work with them you use a special unique account to connect
-to a “jump” server that has access to the systems you routinely administer.
-'''Potential Assessment Considerations <br />
-'''•
-  Are physical or logical controls used to separate user functionality from system
-management-related functionality (e.g.,  to ensure that administration (e.g., privilege)
-options are not available to general users) [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.3
-''' '''
-SC.L2-3.13.4 – Shared Resource Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.4 – SHARED RESOURCE CONTROL '''
-Prevent unauthorized and unintended information transfer via shared system resources.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|193 ]]'''
-Determine if: <br />
-[a] unauthorized and unintended information transfer via shared system resources is
-prevented.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|A]193 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-application partitioning; system security plan; system  design documentation; system
-configuration settings and associated documentation; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer].
-'''Test <br />
-'''[SELECT FROM: Separation of user functionality from system management functionality].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|194]] '''
-The control of information in shared system resources (e.g., registers, cache memory, main
-memory, hard disks) is also commonly referred to as object reuse and residual information
-protection. This requirement prevents information produced by the actions of prior users or
-roles (or the actions of processes acting on behalf of prior users or roles) from being available
-to any current users or roles (or current processes acting on behalf of current users or roles)
-that obtain access to shared system resources after those resources have been released back
-to the system. This requirement also applies to encrypted representations of information.
-This requirement does not address information remnants, which refers to residual
-representation of data that has been nominally deleted; covert channels (including storage
-or timing channels) where shared resources are manipulated to violate information flow
-restrictions; or components within systems for which there are only single users or roles.
- NIST SP 800-171A, pp. 54-55.
- NIST SP 800-171 Rev. 2, p. 37.
-''' '''
-SC.L2-3.13.4 – Shared Resource Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-No shared system resource, such as cache memory, hard disks, registers, or main memory
-may  pass information from one user  to another user.  In other words, when objects are
-reused no residual information should exist on that object. This protects the confidentiality
-of the information. This is typically a feature provided by operating system and software
-vendors.
-'''Example <br />
-'''You are a system administrator responsible for creating and deploying the system hardening
-procedures for your company’s computers. You ensure that the computer baselines include
-software patches to prevent attackers from exploiting flaws in the processor architecture to
-read data (e.g., the Meltdown and Spectre exploits). You also verify that the computer
-operating system is configured to prevent users from accessing other users’ folders [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are shared system resources identified and documented [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.4
-''' '''
-SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION [CUI DATA] '''
-Implement subnetworks for publicly accessible system components that are physically or
-logically separated from internal networks.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#229|195 ]]'''
-Determine if: <br />
-[a] publicly accessible system components are identified; and <br />
-[b] subnetworks for publicly accessible system components are physically or logically
-separated from internal networks.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#229|A]195 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system security plan; list of key internal boundaries of the system;
-system design documentation; boundary protection hardware and software; system
-configuration settings and associated  documentation; enterprise security architecture
-documentation; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers; personnel with boundary protection responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing boundary protection capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2] '''
-Subnetworks that are physically or logically separated from internal networks are referred
-to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control
-devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-
-based technologies. <br />
-NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
-guidance on security for virtualization technologies.
- NIST SP 800-171A, p. 55.
-''' '''
-SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#230|196]] '''
-Separate the publicly accessible systems from the internal systems that need to be protected.
-Do not place internal systems on the same network as the publicly accessible systems and
-block access by default from DMZ networks to internal networks. <br />
-One method of accomplishing this is to create a DMZ network, which enhances security by
-providing public access to a specific set of resources while preventing connections from
-those resources to the rest of the IT environment. Some OSAs achieve a similar result through
-the use of a cloud computing environment that is separated from the rest of the company’s
-infrastructure.
-'''Example <br />
-'''The head of recruiting at your company wants to launch a website to post job openings and
-allow the public to download an application form [a]. After some discussion, your team
-realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the
-server separately from the company’s internal network and make sure the network on which
-it resides is isolated with the proper firewall rules [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are any system components reachable by the public (e.g., internet-facing web servers,
-VPN gateways, publicly accessible cloud services) [a]?
-•
-  Are  publicly accessible system components on physically or logically separated
-subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such
-as DMZs) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.5
-•
-  FAR Clause 52.204-21 b.1.xi
-''' '''
- NIST SP 800-171 Rev. 2, pp. 37-38.
-''' '''
-SC.L2-3.13.6 – Network Communication by Exception
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION '''
-Deny network communications traffic by default and allow network communications traffic
-by exception (i.e., deny all, permit by exception).
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|197 ]]'''
-Determine if: <br />
-[a] network communications traffic is denied by default; and <br />
-[b] network communications traffic is allowed by exception.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|A]197 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system security plan; system design documentation; system
-configuration settings and associated documentation; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer; personnel with boundary protection responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing traffic management at managed interfaces].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|198]] '''
-This requirement applies to inbound and outbound network communications traffic at the
-system boundary and at identified points within the system. A deny-all, permit-by-exception
-network communications traffic policy ensures that only those connections which are
-essential and approved are allowed.
-'''FURTHER DISCUSSION '''
-Block all traffic entering and leaving  the network,  but permit specific traffic based on
-organizational policies, exceptions, or criteria. This process of permitting only authorized
-traffic to the network is called whitelisting  and  limits the number of unintentional
-connections to the network.
- NIST SP 800-171A, p. 55.
- NIST SP 800-171 Rev. 2, p. 38.
-''' '''
-SC.L2-3.13.6 – Network Communication by Exception
-CMMC Assessment Guide – Level 2 | Version 2.13
-This  requirement,  SC.L2-3.13.6, requires a deny-all permit by  exception approach for all
-network communications. In doing so, it adds specifics for SC.L2-3.13.1, which only requires
-monitoring, control, and protection of communication channels.
-'''Example <br />
-'''You are setting up a new environment to house CUI. To properly isolate the CUI network, you
-install a firewall between it and other networks and set the firewall rules to deny all traffic
-[a]. You review each service and application that runs in the new environment and determine
-that you only need to allow http and https traffic outbound [b]. You test the functionality of
-the required services and make some needed adjustments, then comment each firewall rule
-so there is documentation of why it is required. You review the firewall rules on a regular
-basis to make sure no unauthorized changes were made.
-'''Potential Assessment Considerations <br />
-'''•
-  Are network communications traffic on relevant system components  (e.g., host and
-network firewalls, routers, gateways) denied by default (e.g., configured with an implicit
-deny rule that takes effect in the absence of any other matching traffic rules) [a]?
-•
-  Are network communications traffic on relevant system components (e.g., host and
-network firewalls, routers, gateways) allowed by exception (e.g., configured with explicit
-allow rules that takes effect only when network traffic matches one or more rules) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.6
-''' '''
-SC.L2-3.13.7 – Split Tunneling
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.7 – SPLIT TUNNELING '''
-Prevent remote devices from simultaneously establishing non-remote connections with
-organizational systems and communicating via some other connection to resources in
-external networks (i.e., split tunneling).
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|199 ]]'''
-Determine if: <br />
-[a] remote devices are prevented from simultaneously establishing non-remote
-connections with the system and communicating via some other connection to
-resources in external networks (i.e., split tunneling).
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|A]199 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system security plan; system design documentation; system hardware
-and software; system architecture; system configuration settings and associated
-documentation; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer; personnel with boundary protection responsibilities].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing boundary protection capability; mechanisms
-supporting or restricting non-remote connections].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|200]] '''
-Split tunneling might be desirable by remote users to communicate with local system
-resources such as printers or file servers.  However, split tunneling allows unauthorized
-external connections, making the system more vulnerable to attack and to exfiltration of
-organizational information.  This requirement is implemented in remote devices (e.g.,
-notebook computers, smart phones, and tablets) through configuration settings to disable
-split tunneling in those devices, and by preventing configuration settings from being readily
-configurable by users. This requirement is implemented in the system by the detection of
-split tunneling (or of configuration settings that allow split tunneling) in the remote device,
-and by prohibiting the connection if the remote device is using split tunneling.
- NIST SP 800-171A, p. 56.
- NIST SP 800-171 Rev. 2, p. 38.
-''' '''
-SC.L2-3.13.7 – Split Tunneling
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Split tunneling for a  remote user utilizes two connections: accessing resources on the
-internal  network via a VPN and simultaneously  accessing an external network such as a
-public network or the internet. <br />
-Split  tunneling presents a potential opportunity  where an open unencrypted connection
-from a public network could allow an adversary to access resources on internal network. As
-a mitigation strategy, the split tunneling setting should be disabled on all devices so that all
-traffic, including traffic for external networks or the internet, goes through the VPN.
-'''Example <br />
-'''You are a system administrator responsible for configuring the network to prevent remote
-users from using split tunneling. You review the configuration of remote user laptops. You
-discover that remote users are able  to access files, email, database and other services
-through the VPN connection while also being able to print and access resources on their local
-network. You change the configuration settings for all company computers to disable split
-tunneling [a]. You test a laptop that has had the new hardening procedures applied and verify
-that all traffic from the laptop is now routed through the VPN connection.
-'''Potential Assessment Considerations <br />
-'''•
-  Does the system prevent remote devices that have established connections (e.g., remote
-laptops) with the system from communicating outside that communications path with
-resources on uncontrolled/unauthorized networks [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.7
-''' '''
-SC.L2-3.13.8 – Data in Transit
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.8 – DATA IN TRANSIT '''
-Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during
-transmission unless otherwise protected by alternative physical safeguards. <br />
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|201 ]]'''
-Determine if: <br />
-[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are
-identified;
-[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are
-identified; and
-[c]  either cryptographic mechanisms or alternative physical safeguards are implemented
-to prevent unauthorized disclosure of CUI during transmission.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|A]201 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications  protection policy; procedures addressing
-transmission confidentiality and integrity; system security plan; system design
-documentation; system configuration settings and associated documentation; system audit
-logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer].
-'''Test <br />
-'''[SELECT FROM: Cryptographic mechanisms or mechanisms supporting or implementing
-transmission  confidentiality; organizational processes for defining and implementing
-alternative physical safeguards]. <br />
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|202]] '''
-This requirement applies to internal and external networks and any system components that
-can transmit information including servers, notebook computers, desktop computers,
-mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths
-outside the physical protection of controlled boundaries are susceptible to both interception
-and  modification.  Organizations relying on commercial providers offering transmission
-services as commodity services rather than as fully dedicated services (i.e., services which
-can be highly specialized to individual customer needs), may find it difficult to obtain the
-necessary assurances regarding the implementation of the controls for transmission
- NIST SP 800-171A, p. 56.
- NIST SP 800-171 Rev. 2, p. 38.
-''' '''
-SC.L2-3.13.8 – Data in Transit
-CMMC Assessment Guide – Level 2 | Version 2.13
-confidentiality.  In such situations, organizations determine what types of confidentiality
-services are available in commercial telecommunication service packages. If it is infeasible
-or impractical to obtain the necessary safeguards and assurances of the effectiveness of the
-safeguards through appropriate contracting vehicles, organizations implement
-compensating safeguards or explicitly accept the additional risk.  An example of an
-alternative physical safeguard is a protected distribution system (PDS) where the
-distribution medium is protected against electronic or physical intercept, thereby ensuring
-the confidentiality of the information being transmitted.
-'''FURTHER DISCUSSION '''
-The intent of this requirement is to ensure CUI is cryptographically protected during transit,
-particularly on the internet. The most common way to accomplish this is to establish a TLS
-tunnel between the source and destination using the most current version of TLS.  This
-requirement  does not specify a mutually authenticated handshake, but mutual
-authentication is the most secure approach to creating a tunnel. <br />
-Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
-the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
-This requirement, SC.L2-3.13.8, requires cryptographic mechanisms be used to prevent the
-disclosure of CUI in-transit and leverages SC.L2-3.13.11, which specifies that the algorithms
-used must be FIPS-validated cryptography. <br />
-'''Example <br />
-'''You are a system administrator responsible for configuring encryption on all devices that
-contain CUI. Because your users regularly store CUI on laptops and take them out of the
-office, you encrypt the hard drives with a FIPS-validated encryption tool built into the
-operating system. For users who need to share CUI, you install a Secure FTP server to allow
-CUI to be transmitted in a compliant manner [a]. You verify that the server is using a FIPS-
-validated encryption module by checking the NIST Cryptographic Module Validation
-Program website  [c].  You turn on the “FIPS Compliance” setting for the server during
-configuration because that is what is required for this product in order to use only FIPS-
-validated cryptography [c]. <br />
-'''Potential Assessment Considerations <br />
-'''•
-  Are cryptographic mechanisms used to prevent unauthorized disclosure of information
-during transmission unless otherwise protected by alternative physical measures (e.g.,
-PDS) [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.8
-''' '''
-SC.L2-3.13.9 – Connections Termination
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.9 – CONNECTIONS TERMINATION '''
-Terminate network connections associated with communications sessions at the end of the
-sessions or after a defined period of inactivity.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|203 ]]'''
-Determine if: <br />
-[a] a period of inactivity to terminate network connections associated with
-communications sessions is defined;
-[b] network connections associated with communications sessions are terminated at the
-end of the sessions; and
-[c]  network connections associated with communications sessions are terminated after the
-defined period of inactivity.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|A]203 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-network disconnect; system design documentation; system security plan; system
-configuration settings and associated documentation; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing network disconnect capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|204]] '''
-This requirement applies to internal and external networks.  Terminating network
-connections associated with communications sessions include de-allocating associated
-TCP/IP address or port pairs at the operating system level, or de-allocating networking
-assignments at the application level if multiple application sessions are using a single,
-operating system-level network connection.  Time periods of user inactivity may be
-established by organizations and include time periods by type of network access or  for
-specific network accesses.
- NIST SP 800-171A, p. 57.
- NIST SP 800-171 Rev. 2, pp. 38-39.
-''' '''
-SC.L2-3.13.9 – Connections Termination
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Prevent malicious actors from taking advantage of an open network session or an
-unattended computer at the end of the connection. Balance user work patterns and needs
-against security to determine the length of inactivity that will force a termination. <br />
-This requirement, SC.L2-3.13.9, specifies network connections be terminated under certain
-conditions, which complements AC.L2-3.1.18 that specifies  control of mobile device
-connections.
-'''Example <br />
-'''You are an administrator of a server that provides remote access. Your company’s policies
-state that network connections must be terminated after being idle for 60 minutes [a]. You
-edit the server configuration file and set the timeout to 60 minutes and restart the remote
-access software  [c].  You test the software and verify that the  connection is terminated
-appropriately.
-'''Potential Assessment Considerations <br />
-'''•
-  Are the network connections requiring management and time-out for inactivity
-documented [a]?
-•
-  Are  the network connections requiring management and time-out for inactivity
-configured and implemented [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.9
-''' '''
-SC.L2-3.13.10 – Key Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.10 – KEY MANAGEMENT '''
-Establish and manage cryptographic keys for cryptography employed in organizational
-systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|205 <br />
-]]'''Determine if: <br />
-[a] cryptographic keys are established whenever cryptography is employed; and <br />
-[b] cryptographic keys are managed whenever cryptography is employed.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|A]205 ]]'''
-'''Examine '''
-[SELECT FROM: System and communications protection policy; procedures addressing
-cryptographic key establishment and management; system security plan; system design
-documentation; cryptographic mechanisms; system configuration settings and associated
-documentation; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel with responsibilities for cryptographic key establishment and
-management].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing cryptographic key establishment
-and management].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|206]] <br />
-'''Cryptographic key management and establishment can be performed using manual
-procedures or mechanisms supported by manual procedures.  Organizations define key
-management requirements in accordance with applicable federal laws, Executive Orders,
-policies, directives, regulations, and standards specifying appropriate options, levels, and
-parameters. <br />
-NIST SP 800-56A and NIST SP 800-57-1 provide guidance on cryptographic key management
-and key establishment.
-'''FURTHER DISCUSSION <br />
-'''Develop  processes and technical mechanisms to protect the cryptographic keys’
-confidentiality, authenticity, and authorized use in accordance with industry standards and
- NIST SP 800-171A, p. 57.
- NIST SP 800-171 Rev. 2, p. 39.
-''' '''
-SC.L2-3.13.10 – Key Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-regulations. Key management systems provide oversight, assurance, and the capability to
-demonstrate the cryptographic keys are created in a secure manner and protected from loss
-or misuse throughout their lifecycle (e.g., active, expired, revoked). For a small number of
-keys, this can be accomplished with manual procedures and mechanisms. As the number of
-keys and cryptographic units increase, automation and tool support will be required. <br />
-The first intent of this requirement is to ensure cryptographic keys are properly created in a
-secure manner that prevents them from being reproduced by an adversary.  The second
-intent of this requirement is to ensure cryptographic keys are managed in a secure manner
-that prevents them from being stolen by an adversary. <br />
-Key establishment involves the creation of keys and coordination among parties that will use
-the keys of the methodology for generating the final keying material. This is discussed in
-detail in SP 800-56A, B, and C. <br />
-Key management involves protecting keys when they are distributed, when they are stored,
-when they are being used, and when they are being recovered. <br />
-Key establishment best practices are identified in NIST SP 800-56A, B, and C. Key
-management best practices are identified in NIST SP 800-57 Parts 1, 2, and 3. <br />
-This  requirement, SC.L2-3.13.10, complements AC.L2-3.1.19  by specifying that any
-cryptographic keys in use must be protected. <br />
-'''Example 1 <br />
-'''You are a system administrator responsible for providing key management. You have
-generated a public-private key pair to exchange CUI [a]. You require all system
-administrators to read the key management policy before you allow them to install the
-private key on their machines [b]. No one else is allowed to know or have a copy of the private
-key per the policy. You provide the public key to the other parties who will be sending you
-CUI and test the Public Key Infrastructure (PKI) to ensure the encryption is working [a]. You
-set a revocation period of one year on all your certificates per organizational policy [b]. <br />
-'''Example 2 <br />
-'''You encrypt all of your company’s computers using the disk encryption utility built into the
-operating system. As you configure encryption on each device, it generates a cryptographic
-key. You associate each key with the correct computer in your inventory spreadsheet and
-restrict access to the spreadsheet to the system administrators whose work role requires
-them to manage the computers [b]. <br />
-'''Potential Assessment Considerations <br />
-'''•
-  Are cryptographic keys established whenever cryptography is employed (e.g., digital
-signatures, authentication, authorization, transport, or other cryptographic
-mechanisms) [a]?
-•
-  Are cryptographic keys maintained whenever cryptography is employed (e.g., key
-storage, backup, recovery, revocation, destruction, etc.) [b]?
-''' '''
-SC.L2-3.13.10 – Key Management
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.10
-''' '''
-SC.L2-3.13.11 – CUI Encryption
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.11 – CUI ENCRYPTION '''
-Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|207 ]]'''
-Determine if: <br />
-[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|A]207 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-cryptographic  protection; system security plan; system design documentation; system
-configuration settings and associated documentation; cryptographic module validation
-certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any
-other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developers; personnel with responsibilities for cryptographic
-protection].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|208]] '''
-Cryptography can be employed to support many security solutions including the protection
-of controlled unclassified information, the provision of digital signatures, and the
-enforcement of information separation when authorized individuals have the necessary
-clearances for such information but lack the necessary formal access approvals.
-Cryptography can also be used to support random number generation and hash generation.
-Cryptographic standards include FIPS-validated cryptography and/or NSA-approved
-cryptography.
-'''FURTHER DISCUSSION '''
-FIPS-validated cryptography means the cryptographic module has to have been tested and
-validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not
-sufficient – the module (software and/or hardware) used to implement the algorithm must
-be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is
- NIST SP 800-171A, pp. 57-58.
- NIST SP 800-171 Rev. 2, p. 39.
-''' '''
-SC.L2-3.13.11 – CUI Encryption
-CMMC Assessment Guide – Level 2 | Version 2.13
-required to protect CUI when transmitted or stored outside the protected environment of
-the covered OSA information system (including wireless/remote access). Encryption used
-for other purposes, such as within applications or devices within the protected environment
-of the covered OSA information system, would not need to use FIPS-validated cryptography. <br />
-This requirement, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and
-SC.L2-3.13.16  by specifying that FIPS-validated cryptography must be used.  While FIPS-
-validated modules and algorithms are critical for protecting CUI, in limited cases Enduring
-Exceptions and temporary deficiencies may apply when implementing such cryptographic
-mechanisms.
-'''Example <br />
-'''You are a system administrator responsible for deploying encryption on all devices that
-contain CUI. You must ensure that the encryption you use on the devices is FIPS-validated
-cryptography [a]. An employee informs you of a need to carry a large volume of CUI offsite
-and asks for guidance on how to do so. You provide the user with disk encryption software
-that you have verified via the NIST website that uses a CMVP-validated encryption module
-[a]. Once the encryption software is active, the user copies the CUI data onto the drive for
-transport.
-'''Potential Assessment Considerations <br />
-'''•
-  Is cryptography implemented to protect the confidentiality of CUI at rest and in transit,
-through the configuration of systems and applications or through the use of encryption
-tools [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.11
-''' '''
-SC.L2-3.13.12 – Collaborative Device Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL '''
-Prohibit remote activation of collaborative computing devices and provide indication of
-devices in use to users present at the device.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|209 ]]'''
-Determine if: <br />
-[a] collaborative computing devices are identified; <br />
-[b] collaborative computing devices provide indication to users of devices in use; and <br />
-[c]  remote activation of collaborative computing devices is prohibited.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|A]209 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-collaborative computing; access control policy and procedures; system security plan; system
-design documentation; system audit logs and records; system configuration settings and
-associated documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer; personnel with responsibilities for managing
-collaborative computing devices].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing management of remote activation
-of collaborative computing devices; mechanisms providing an indication of  use of
-collaborative computing devices].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|210]] '''
-Collaborative computing devices include networked white boards, cameras, and
-microphones.  Indication of use includes signals to users when collaborative computing
-devices are activated.  Dedicated video conferencing systems, which rely on one of the
-participants calling or connecting to the other party to activate the video conference, are
-excluded.
- NIST SP 800-171A, p. 58.
- NIST SP 800-171 Rev. 2, p. 39.
-''' '''
-SC.L2-3.13.12 – Collaborative Device Control
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Notification that a device is in use can include an indicator light that turns on or a specific
-text window that appears on screen. If a device does not have the means to alert a user when
-in use, the organization should provide manual means. Manual means can include, as
-necessary: <br />
-•
-  paper notification on entryways; and
-•
-  locking entryways when a collaborative computing device is in use.
-This  requirement  is not intended to include technologies that enable users to share the
-contents of their computer screens via the internet. <br />
-'''Example''' <br />
-A group of remote employees at your company routinely collaborate using cameras and
-microphones attached to their computers [a]. To prevent the misuse of these devices, you
-disable the ability to turn on cameras or microphones remotely [c]. You ensure the machines
-alert users when the camera or microphone are in use with a light beside the camera and an
-onscreen notification [b]. Although remote activation is blocked, this enables users to see if
-the devices are active.
-'''Potential Assessment Considerations <br />
-'''•
-  Are the collaborative computing devices configured to provide indication to users when
-in use (e.g., a light, text notification, or audio tone) or are users alerted before entering a
-space (e.g., written notice posted outside the space) where they are in use [b]?
-•
-  Are the collaborative computing devices configured to prevent them from being turned
-on without user interaction or consent [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.12
-''' '''
-SC.L2-3.13.13 – Mobile Code
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.13 – MOBILE CODE '''
-Control and monitor the use of mobile code.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|211 ]]'''
-Determine if: <br />
-[a] use of mobile code is controlled; and <br />
-[b] use of mobile code is monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|A]211 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-mobile code; mobile code usage restrictions, mobile code implementation policy and
-procedures; system audit logs and records; system security plan; list of acceptable mobile
-code and mobile code technologies; list of unacceptable mobile code and mobile
-technologies; authorization records; system monitoring records; system audit logs and
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel with responsibilities for managing mobile code].
-'''Test <br />
-'''[SELECT FROM: Organizational process for controlling, authorizing, monitoring, and
-restricting mobile code; mechanisms supporting or implementing the management of
-mobile code; mechanisms supporting or implementing the monitoring of mobile code].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|212]] '''
-Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations,
-and VBScript. Decisions regarding the use of mobile code in organizational systems are based
-on the potential for the code to cause damage to the systems if used maliciously.  Usage
-restrictions and implementation guidance apply to the selection and use of mobile code
-installed on servers and mobile code downloaded and executed on individual workstations,
-notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures
-address controlling or preventing the development, acquisition, or introduction of
-unacceptable mobile code in systems, including requiring mobile code to be digitally signed
-by a trusted source.
- NIST SP 800-171A, pp. 58-59.
- NIST SP 800-171 Rev. 2, pp. 39-40.
-''' '''
-SC.L2-3.13.13 – Mobile Code
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Ensure mobile code is authorized to execute in company systems only in accordance with
-policy and technical configuration, and that unauthorized mobile code is not. Monitor the use
-of mobile code through boundary devices (e.g., firewalls), audit logs, or security utilities (e.g.,
-mobile device management, advanced endpoint protection)  and implement remediation
-activities as needed. <br />
-The first intent of this requirement is to ensure the limits of mobile code usage and usage
-restrictions are documented and enforced. This includes documenting all authorizations for
-the use of mobile code and ensuring it is not used in other ways. Usage restrictions and
-implementation guidance apply to the selection and use of mobile code installed on servers
-and mobile code downloaded and executed on individual workstations and devices to
-include all mobile devices and smart phones.  <br />
-The second intent is to monitor the use of mobile code and implement remediation steps if
-its use does not align with policy.
-'''Example <br />
-'''Your company has decided to prohibit the use of Flash, ActiveX, and Java plug-ins for web
-browsers on all of its computers [a]. To  enforce this policy you configure the computer
-baseline configuration to disable and deny the execution of mobile code [a]. You implement
-an exception process to re-enable  mobile code execution only for those users with a
-legitimate business need [a]. <br />
-One department complains that a web application they need to perform their job no longer
-works. You meet with them and verify that the web application uses ActiveX in the browser.
-You submit a change request with the Change Review Board. Once the change is approved,
-you reconfigure the department’s computers to allow the running of ActiveX in the browser.
-You also configure the company firewall to alert you if ActiveX is used by any website but the
-allowed one [b]. You set a reminder for yourself to check in with the department at the end
-of the year to verify they still need that web application.
-'''Potential Assessment Considerations <br />
-'''•
-  Are there defined limits of mobile code usage and established usage restrictions, which
-specifically authorize use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, Flash,
-Shockwave, Postscript, VBScript) within the information system [a]?
-•
-  Is the use of mobile code documented, monitored, and managed (e.g., Java, JavaScript,
-ActiveX, PDF, Flash, Shockwave, Postscript, VBScript) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.13
-''' '''
-SC.L2-3.13.14 – Voice over Internet Protocol
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL '''
-Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|213 ]]'''
-Determine if: <br />
-[a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and <br />
-[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|A]213 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-VoIP; VoIP usage restrictions; VoIP implementation guidance; system security plan; system
-design documentation; system audit logs and records; system configuration settings and
-associated documentation; system monitoring records; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel with responsibilities for managing VoIP].
-'''Test <br />
-'''[SELECT FROM: Organizational process for authorizing, monitoring, and controlling VoIP;
-mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|214]] '''
-VoIP has different requirements, features, functionality, availability, and service limitations
-when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone
-service).  In contrast, other telephone services are based on high-speed, digital
-communications lines, such as Integrated Services Digital Network (ISDN) and Fiber
-Distributed Data Interface (FDDI).  The main distinctions between POTS and non-POTS
-services are speed and bandwidth.  To address the threats associated with VoIP, usage
-restrictions and implementation guidelines are based on the potential for the VoIP
-technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar
-to those inherent with any Internet-based application. <br />
-NIST SP 800-58 provides guidance on Voice Over IP Systems.
- NIST SP 800-171A, p. 59.
- NIST SP 800-171 Rev. 2, p. 40.
-''' '''
-SC.L2-3.13.14 – Voice over Internet Protocol
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''FURTHER DISCUSSION '''
-Controlling VoIP technologies starts with establishing guidelines and enforcing the
-appropriate usage that is described in organizational policies. Monitoring should include the
-users’ activity for anything other than what is permitted and authorized and detection of
-insecure or unauthorized use of the VoIP technology. Security concerns for VoIP include
-eavesdropping on calls and using ID spoofing to impersonate trusted individuals. <br />
-Selecting a solution that can encrypt VoIP traffic is helpful in maintaining the confidentiality
-and integrity of the voice data.
-'''Example <br />
-'''You are a system administrator responsible for the VoIP system. You configure VoIP for new
-users after being notified that they have signed the Acceptable Use Policy for VoIP technology
-[a].  You verify that the VoIP solution is configured to use encryption and have enabled
-requirements for passwords on voice mailboxes and on phone extension management. You
-require phone system administrators to log in using multifactor authentication when
-managing the system [a]. You  add the VoIP software to the list of applications that are
-patched monthly as needed [a,b]. Finally, you configure the VoIP system to send logs to your
-log aggregator so that they can be correlated with those from other systems and examined
-for signs of suspicious activity [b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are VoIP technologies (e.g., approved and managed products or solutions) that may or
-may not be used in the system defined [a]?
-•
-  Is monitoring for unapproved VoIP technologies or unapproved use of the allowed VoIP
-solutions employed [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.14
-''' '''
-SC.L2-3.13.15 – Communications Authenticity
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY '''
-Protect the authenticity of communications sessions.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|215 ]]'''
-Determine if: <br />
-[a] the authenticity of communications sessions is protected.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|A]215 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-session authenticity; system security plan; system design documentation; system
-configuration settings and associated documentation; system audit logs and records; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities].
-'''Test '''
-[SELECT FROM: Mechanisms supporting or implementing session authenticity]
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|216]] '''
-Authenticity protection includes protecting against man-in-the-middle attacks, session
-hijacking, and the insertion of false information into communications sessions.  This
-requirement addresses communications protection at the session versus packet level (e.g.,
-sessions in service-oriented architectures providing web-based services) and establishes
-grounds for confidence at both ends of communications sessions in ongoing identities of
-other parties and in the validity of information transmitted. <br />
-NIST SP 800-77, NIST SP 800-95, and NIST SP 800-113 provide guidance on secure
-communications sessions.
-'''FURTHER DISCUSSION '''
-The intent of this requirement is to ensure a trust relationship is established between both
-ends of a communication session. Each end can be assured that the other end is who it is
-supposed to be. This is often implemented using a mutual authentication handshake when
-the session is established, especially between devices.  Session authenticity is usually
- NIST SP 800-171A, p. 59.
- NIST SP 800-171 Rev. 2, p. 40.
-''' '''
-SC.L2-3.13.15 – Communications Authenticity
-CMMC Assessment Guide – Level 2 | Version 2.13
-provided by a security protocol enforced for a communication session. Choosing and
-enforcing a protocol will provide authenticity throughout a communications session.
-'''Example <br />
-'''You are a system  administrator  responsible for  ensuring  that the two-factor user
-authentication mechanism for the servers is configured correctly.  You  purchase and
-maintain the digital certificate and replace it with a new one before the old one expires. You
-ensure the TLS configuration settings on the web servers, VPN solution, and other
-components that use TLS are correct, using secure settings that address risks against attacks
-on the encrypted sessions [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Is a communications protocol used that ensures the sending and receiving parties do not
-change during a communications session [a]?
-•
-  Are controls in place to validate the identities and information transmitted to protect
-against man-in-the-middle attacks, session hijacking, and insertion of false information
-into communications sessions [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.15
-''' '''
-SC.L2-3.13.16 – Data at Rest
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SC.L2-3.13.16 – DATA AT REST '''
-Protect the confidentiality of CUI at rest.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|217 ]]'''
-Determine if: <br />
-[a] the confidentiality of CUI at rest is protected.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|A]217 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-protection of information at rest; system security plan; system design documentation; list of
-information at rest requiring confidentiality protections; system configuration settings and
-associated documentation; cryptographic mechanisms and associated configuration
-documentation; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; system developer].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting or implementing confidentiality protections for
-information at rest].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|218]] '''
-Information at rest refers to the state of information when it is not in process or in transit
-and is located on storage devices as specific components of systems. The focus of protection
-at rest is not on the type of storage device or the frequency of access but rather the state of
-the information.  Organizations can use different mechanisms to achieve confidentiality
-protections, including the use of cryptographic mechanisms and file share scanning.
-Organizations may also use other controls including secure off-line storage in lieu of online
-storage when adequate protection of information at rest cannot otherwise be achieved or
-continuous monitoring to identify malicious code at rest.
-'''FURTHER DISCUSSION '''
-CUI at rest means information that is not moving through the network; typically this means
-data currently stored on hard drives, media, and mobile devices. Implement the necessary
-security controls to protect the confidentiality of CUI at rest.  Although an approved
- NIST SP 800-171A, pp. 59-60.
- NIST SP 800-171 Rev. 2, p. 40.
-''' '''
-SC.L2-3.13.16 – Data at Rest
-CMMC Assessment Guide – Level 2 | Version 2.13
-encryption method protects data stored at rest, there are other technical and physical
-solutions. The methods chosen should depend on the environment and business needs. <br />
-Implementing encryption for CUI is one approach to this requirement, but it is not
-mandatory. Physical security is often employed to restrict access to CUI, particularly when it
-resides on servers within a company’s offices. Other approaches for protecting CUI include
-system-related protections such as configurations and rule sets for firewalls, gateways,
-intrusion detection/prevention systems, filtering routers, and authenticator content that
-eliminate attempts at exfiltration.  You  may also employ other security requirements
-including secure off-line storage. <br />
-Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
-the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
-This  requirement,  SC.L2-3.13.16,  specifies  confidentially be provided for CUI at rest and
-complements MP.L2-3.8.9, which specifies confidentially of CUI at backup storage locations.
-This  requirement,  SC.L2-3.13.16, also leverages  SC.L2-3.13.11,  which specifies that the
-algorithms used must be FIPS-validated cryptography.
-'''Example 1 <br />
-'''Your company has a policy stating CUI must be protected at rest and you work to enforce
-that policy. You research Full Disk Encryption (FDE) products that meet the FIPS encryption
-requirement. After testing, you deploy the encryption to all computers to protect CUI at rest
-[a].
-'''Example 2 <br />
-'''You have used encryption to protect the CUI on most of the computers at your company, but
-you have some devices that do not support encryption. You create a policy requiring these
-devices to be signed out when needed, stay in possession of the signer when checked out,
-and to be signed back in and locked up in a secured closet when the user is done with the
-device [a]. At the end of the day each Friday, you audit the sign-out sheet and make sure all
-devices are returned to the closet.
-'''Potential Assessment Considerations <br />
-'''•
-  Is the confidentiality of CUI at rest protected using encryption of storage devices and/or
-appropriate physical methods [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.13.16
-''' '''
-SI.L2-3.14.1 – Flaw Remediation [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-System and Information Integrity (SI) <br />
-'''SI.L2-3.14.1 – FLAW REMEDIATION [CUI DATA] '''
-Identify, report, and correct system flaws in a timely manner.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|219 ]]'''
-Determine if: <br />
-[a] the time within which to identify system flaws is specified; <br />
-[b] system flaws are identified within the specified time frame; <br />
-[c]  the time within which to report system flaws is specified; <br />
-[d] system flaws are reported within the specified time frame; <br />
-[e] the time within which to correct system flaws is specified; and <br />
-[f]  system flaws are corrected within the specified time frame.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|]219 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and information integrity policy; procedures addressing flaw
-remediation; procedures addressing configuration management; system security plan; list
-of flaws and vulnerabilities potentially affecting the system; list of recent security flaw
-remediation actions performed on the system (e.g., list of installed patches, service packs,
-hot fixes, and other software updates to correct system flaws); test results from the
-installation of software and firmware updates to correct system flaws; installation/change
-control records for security-relevant software and firmware updates; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
-with responsibility for flaw remediation; personnel with configuration management
-responsibility].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for identifying, reporting, and correcting system
-flaws; organizational process for installing software and firmware updates; mechanisms
- NIST SP 800-171A, p. 61.
-''' '''
-SI.L2-3.14.1 – Flaw Remediation [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-supporting or implementing reporting, and correcting system flaws; mechanisms supporting
-or implementing testing software and firmware updates].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#255|220]] '''
-Organizations identify systems that are affected by announced software and firmware flaws
-including potential vulnerabilities resulting from those flaws and report this information to
-designated personnel with information security responsibilities. Security-relevant updates
-include patches, service packs, hot fixes, and anti-virus signatures. Organizations address
-flaws discovered during security assessments, continuous monitoring, incident response
-activities, and system error handling.  Organizations can take advantage of available
-resources such as the Common Weakness Enumeration (CWE) database or Common
-Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in
-organizational systems. <br />
-Organization-defined time periods for updating security-relevant software and firmware
-may vary based on a variety of factors including the criticality of the update (i.e., severity of
-the vulnerability related to the discovered flaw). Some types of flaw remediation may require
-more testing than other types of remediation. NIST SP 800-40 provides guidance on patch
-management technologies.
-'''FURTHER DISCUSSION '''
-All software and firmware have potential flaws. Many vendors work to remedy those flaws
-by releasing vulnerability information and updates to their software and firmware. OSAs
-must have a process to review relevant vendor notifications and updates about problems or
-weaknesses. After reviewing the information, the OSA must implement a patch management
-process that allows for software and firmware flaws to be fixed without adversely affecting
-the system functionality. OSAs must define the time frames within which flaws are identified,
-reported, and corrected for all systems. OSAs should consider purchasing support from their
-vendors to ensure timely access to updates.
-'''Example <br />
-'''You know that software vendors typically release patches, service packs, hot fixes, etc. and
-want to make sure your software is up to date. You develop a policy that requires checking
-vendor websites for flaw notifications every week [a]. The policy further requires that those
-flaws be assessed for severity and patched on end-user computers once each week and
-servers once each month [c,e]. Consistent with that policy, you configure the system to check
-for updates weekly or daily depending on the criticality of the software [b,e]. Your team
-reviews  available updates and implements the applicable ones  according to  the defined
-schedule [f].
- NIST SP 800-171 Rev. 2, pp. 40-41.
-''' '''
-SI.L2-3.14.1 – Flaw Remediation [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Potential Assessment Considerations <br />
-'''•
-  Is the time frame (e.g., a set number of days) within which system flaw identification
-activities (e.g., vulnerability scans, configuration scans, manual review) must be
-performed defined and documented [a]?
-•
-  Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with
-the specified time frame [b]?
-•
-  Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw)
-within which system flaws must be corrected defined and documented [e]?
-•
-  Are  system flaws (e.g., applied security patches, made configuration changes, or
-implemented workarounds or mitigations) corrected in accordance with the specified
-time frame [f]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.1
-•
-  FAR Clause 52.204-21 b.1.xii
- <br />
-''' '''
-SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SI.L2-3.14.2 – MALICIOUS CODE PROTECTION [CUI DATA] '''
-Provide protection from malicious code at designated locations within organizational
-systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|221 ]]'''
-Determine if: <br />
-[a] designated locations for malicious code protection are identified; and <br />
-[b] protection from malicious code at designated locations is provided.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|]221 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and information integrity policy; configuration management policy
-and procedures; procedures addressing malicious code protection; records of malicious
-code protection updates; malicious code protection mechanisms; system security plan;
-system configuration settings and associated documentation; record of actions initiated by
-malicious code protection mechanisms in response to malicious code detection; scan results
-from malicious code protection mechanisms; system design documentation; system audit
-logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
-with responsibility for malicious code protection; personnel with configuration management
-responsibility].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-malicious code protection mechanisms; organizational process for addressing false positives
-and resulting potential impact; mechanisms supporting or implementing employing,
-updating, and configuring malicious code protection mechanisms; mechanisms supporting
-or implementing malicious code scanning and subsequent actions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|222]] '''
-Designated locations include system entry and exit points which may include firewalls,
-remote access servers, workstations, electronic mail servers, web servers, proxy servers,
-notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan
-horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE,
- NIST SP 800-171A, pp. 61-62.
- NIST SP 800-171 Rev. 2, p. 41.
-''' '''
-SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-Unicode), contained within compressed or hidden files, or hidden in files using techniques
-such as steganography. Malicious code can be inserted into systems in a variety of ways
-including web accesses, electronic mail, electronic mail attachments, and portable storage
-devices. Malicious code insertions occur through the exploitation of system vulnerabilities. <br />
-Malicious code protection mechanisms include anti-virus signature definitions and
-reputation-based technologies.  A variety of technologies and methods exist to limit or
-eliminate the effects of malicious code.  Pervasive configuration management and
-comprehensive software integrity controls may be effective in preventing execution of
-unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
-be present in custom-built software. This could include logic bombs, back doors, and other
-types of cyber-attacks that could affect organizational missions/business functions.
-Traditional malicious code protection mechanisms cannot always detect such code. In these
-situations, organizations rely instead on other safeguards including secure coding practices,
-configuration management and control, trusted procurement processes, and monitoring
-technologies  to help ensure that software does not perform functions other than the
-functions intended. NIST SP 800-83 provides guidance on malware incident prevention.
-'''FURTHER DISCUSSION '''
-A designated location may be a network device such as a firewall or an end user’s computer. <br />
-Malicious code, which can be delivered by a range of means (e.g., email, removable media, or
-websites), includes the following: <br />
-•
-  virus – program designed to damage, steal information, change data, send email, show
-messages, or any combination of these things;
-•
-  spyware – program designed to gather information about a person’s activity in secret
-when they click on a link, usually installed without the person knowing ;
-•
-  trojan horse – type of malware made to look like legitimate software and used by cyber
-criminals to get access to a company’s systems; and
-•
-  ransomware – type of malware that threatens to publish the victim’s data or perpetually
-block access to it unless a ransom is paid.
-Use anti-malware tools to stop or lessen the impact of malicious code.
-'''Example <br />
-'''You are buying a new computer and want to protect your company’s information from
-viruses, spyware, etc. You buy and install anti-malware software [a,b].
-'''Potential Assessment Considerations <br />
-'''•
-  Are system components (e.g., workstations, servers, email gateways, mobile devices) for
-which malicious code protection must be provided identified and documented [a]?
-''' '''
-SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.2
-•
-  FAR Clause 52.204-21 b.1.xiii
- <br />
-''' '''
-SI.L2-3.14.3 – Security Alerts &amp; Advisories
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SI.L2-3.14.3 – SECURITY ALERTS &amp; ADVISORIES '''
-Monitor system security alerts and advisories and take action in response.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|223 ]]'''
-Determine if: <br />
-[a] response actions to system security alerts and advisories are identified; <br />
-[b] system security alerts and advisories are monitored; and <br />
-[c]  actions in response to system security alerts and advisories are taken.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|A]223 ]]'''
-'''Examine '''
-[SELECT FROM: System and information integrity policy; procedures addressing security
-alerts, advisories, and directives; system security plan; records of security alerts and
-advisories; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Personnel with security alert and advisory responsibilities; personnel
-implementing, operating, maintaining, and using the system; personnel, organizational
-elements, and external organizations to whom alerts, advisories, and directives are to be
-disseminated; system or network administrators; personnel with information security
-responsibilities].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for defining, receiving, generating, disseminating,
-and complying with security alerts, advisories, and directives; mechanisms supporting or
-implementing definition, receipt, generation, and dissemination of security alerts,
-advisories, and directives; mechanisms supporting or implementing security directives].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|224]] '''
-There are many publicly available sources of system security alerts and advisories. The
-United States Computer Emergency Readiness Team (US-CERT) generates security alerts
-and advisories to maintain  situational awareness across the federal government and in
-nonfederal organizations. Software vendors, subscription services, and relevant industry
-information sharing and analysis centers (ISACs) may also provide security alerts and
-advisories. Examples of response actions include notifying relevant external organizations,
- NIST SP 800-171A, p. 62.
- NIST SP 800-171 Rev. 2, p. 41.
-''' '''
-SI.L2-3.14.3 – Security Alerts &amp; Advisories
-CMMC Assessment Guide – Level 2 | Version 2.13
-for example, external mission/business partners, supply chain partners, external service
-providers, and peer or supporting organizations. <br />
-NIST SP 800-161 provides guidance on supply chain risk management.
-'''FURTHER DISCUSSION '''
-Solicit and receive security alerts, advisories, and directives from reputable external
-organizations. Identify sources relevant to the industry and technology used by your
-company. Methods to receive alerts and advisories may include: <br />
-•
-  signing up for email distributions;
-•
-  subscribing to RSS feeds; and
-•
-  attending meetings.
-Review alerts and advisories for applicability as they are received. The frequency of the
-reviews should be based on the frequency of the alerts and advisories to ensure you have the
-most up-to-date information. <br />
-External alerts and advisories may prompt you to generate internal security alerts,
-advisories, or directives, and share these with all personnel with a need-to-know. The
-individuals should assess the risk related to a given alert and act to respond as appropriate.
-Sometimes it may require a configuration update. Other times, the information may also
-require adjusting system architecture in order to thwart a threat described in an advisory.
-'''Example <br />
-'''You  monitor  security  advisories each week.  You review the alert emails and online
-subscription service alerts to determine which ones apply [b].  You create a list of the
-applicable alerts and research what steps you need to take to address them. Next, you
-generate a plan that you review with your change management group so that the work can
-be scheduled [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Are the responses to system security alerts and advisories identified in relation to the
-assessed severity of potential flaws (e.g., communicating with responsible personnel,
-initiating vulnerability scans, initiating system flaw remediation activities) [a]?
-•
-  Are system security alerts and advisories addressed (e.g., assessing potential severity or
-likelihood,  communicating with responsible personnel, initiating vulnerability scans,
-initiating system flaw remediation activities) [a,c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.3
-''' '''
-''' '''
-SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SI.L2-3.14.4 – UPDATE MALICIOUS CODE PROTECTION [CUI DATA] '''
-Update malicious code protection mechanisms when new releases are available.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|225 ]]'''
-Determine if: <br />
-[a] malicious code protection mechanisms are updated when new releases are available.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|]225 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and information integrity policy; configuration management policy
-and procedures; procedures addressing malicious code protection; malicious code
-protection mechanisms; records of malicious code protection updates; system security plan;
-system design documentation; system configuration settings and associated documentation;
-scan results from malicious code protection mechanisms; record of actions initiated by
-malicious code protection mechanisms in response to malicious code detection; system audit
-logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
-with responsibility for malicious code protection; personnel with configuration management
-responsibility].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-malicious code protection mechanisms; organizational process for addressing false positives
-and resulting potential impact; mechanisms supporting or implementing malicious code
-protection mechanisms (including updates and configurations); mechanisms supporting or
-implementing malicious code scanning and subsequent actions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|226]] '''
-Malicious code protection mechanisms include anti-virus signature definitions and
-reputation-based technologies.  A variety of technologies and methods exist to limit or
-eliminate the effects of malicious code.  Pervasive configuration management and
-comprehensive software integrity controls may be effective in preventing execution of
-unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
-be present in custom-built software. This could include logic bombs, back doors, and other
-types of cyber-attacks that could affect organizational missions/business functions.
- NIST SP 800-171A, pp. 62-63.
- NIST SP 800-171 Rev. 2, pp. 41-42.
-''' '''
-SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-Traditional malicious code protection mechanisms cannot always detect such code. In these
-situations, organizations rely instead on other safeguards including secure coding practices,
-configuration management and control, trusted procurement processes, and monitoring
-technologies  to help ensure that software does not perform functions  other than the
-functions intended.
-'''FURTHER DISCUSSION '''
-Malware changes on an hourly or daily basis, and it is important to update detection and
-protection mechanisms frequently to maintain the effectiveness of the protection.
-'''Example <br />
-'''You  have installed anti-malware software to protect a computer from malicious code.
-Knowing that malware evolves rapidly, you configure the software to automatically check
-for malware definition updates every day and update as needed [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Is there a defined frequency by which malicious code protection mechanisms must be
-updated (e.g., frequency of automatic updates or manual processes) [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.4
-•
-  FAR Clause 52.204-21 b.1.xiv
- <br />
-''' '''
-SI.L2-3.14.5 – System &amp; File Scanning [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SI.L2-3.14.5 – SYSTEM &amp; FILE SCANNING [CUI DATA] '''
-Perform periodic scans of organizational systems and real-time scans of files from external
-sources as files are downloaded, opened, or executed.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|227 ]]'''
-Determine if: <br />
-[a] the frequency for malicious code scans is defined; <br />
-[b] malicious code scans are performed with the defined frequency; and <br />
-[c]  real-time malicious code scans of files from external sources as files are downloaded,
-opened, or executed are performed.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|]227 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and information integrity policy; configuration management policy
-and procedures; procedures addressing malicious code protection; malicious code
-protection mechanisms; records of malicious code protection updates; system security plan;
-system design documentation; system configuration settings and associated documentation;
-scan results from malicious code protection mechanisms; record of actions initiated by
-malicious code protection mechanisms in response to malicious code detection; system audit
-logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT  FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
-with responsibility for malicious code protection; personnel with configuration management
-responsibility].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for employing, updating, and configuring
-malicious code protection mechanisms; organizational process for addressing false positives
-and resulting potential impact; mechanisms supporting or implementing malicious code
-protection mechanisms (including updates and configurations); mechanisms supporting or
-implementing malicious code scanning and subsequent actions].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|228]] '''
-Periodic scans of organizational systems and real-time scans of files from external sources
-can detect malicious code.  Malicious code can be encoded in various formats (e.g.,
- NIST SP 800-171A, p. 63.
- NIST SP 800-171 Rev. 2, p. 42.
-''' '''
-SI.L2-3.14.5 – System &amp; File Scanning [CUI Data]
-CMMC Assessment Guide – Level 2 | Version 2.13
-UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using
-techniques such as steganography. Malicious code can be inserted into systems in a variety
-of ways including web accesses, electronic mail, electronic mail attachments, and portable
-storage devices.  Malicious code insertions occur through the exploitation of system
-vulnerabilities.
-'''FURTHER DISCUSSION '''
-Use anti-malware software to scan for and identify viruses in your computer systems and
-determine how often scans are conducted. Real-time scans look at the system whenever new
-files are downloaded, opened, and saved. Periodic scans check previously saved files against
-updated malware information.
-'''Example <br />
-'''You work with your company’s email provider to enable enhanced protections that will scan
-all attachments to identify and quarantine those that may be harmful prior to a user opening
-them [c]. In addition, you configure  antivirus software on each computer to scan for
-malicious code every day [a,b]. The software also scans files that are downloaded or copied
-from removable media such as USB drives. It quarantines any suspicious files and notifies
-the security team [c].
-'''Potential Assessment Considerations <br />
-'''•
-  Are files from media (e.g., USB drives, CD-ROM) included in the definition of external
-sources and are they being scanned [c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.5
-•
-  FAR Clause 52.204-21 b.1.xv
-''' '''
-SI.L2-3.14.6 – Monitor Communications for Attacks
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS '''
-Monitor organizational systems, including inbound and outbound communications traffic, to
-detect attacks and indicators of potential attacks.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#266|229 ]]'''
-Determine if: <br />
-[a] the system is monitored to detect attacks and indicators of potential attacks; <br />
-[b] inbound communications traffic is monitored to detect attacks and indicators of
-potential attacks; and
-[c]  outbound communications traffic is monitored to detect attacks and indicators of
-potential attacks.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#266|A]229 ]]'''
-'''Examine <br />
-'''[SELECT FROM: System and information integrity policy; procedures addressing system
-monitoring tools and techniques; continuous monitoring strategy; system and information
-integrity policy; procedures addressing system monitoring tools and techniques; facility
-diagram or layout; system security plan; system monitoring tools and techniques
-documentation; system design documentation; locations within system where monitoring
-devices are deployed; system protocols; system configuration settings and associated
-documentation; system audit logs and records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
-with responsibility monitoring the system; personnel with responsibility for the intrusion
-detection system].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or
-implementing intrusion detection capability and system monitoring; mechanisms
-supporting or implementing system monitoring capability; organizational processes for
-intrusion detection and system monitoring; mechanisms supporting or implementing the
-monitoring of inbound and outbound communications traffic].
- NIST SP 800-171A, pp. 63-64.
-''' '''
-SI.L2-3.14.6 – Monitor Communications for Attacks
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#267|230]] '''
-System monitoring includes external and internal monitoring. External monitoring includes
-the observation of events occurring at the system boundary (i.e., part of perimeter defense
-and boundary protection). Internal monitoring includes the observation of events occurring
-within the system.  Organizations can monitor systems, for example, by observing audit
-record activities in real time or by observing other system aspects such as access patterns,
-characteristics of access, and other actions.  The  monitoring objectives may guide
-determination of the events. System monitoring capability is achieved through a variety of
-tools and techniques (e.g., intrusion detection systems, intrusion prevention systems,
-malicious code protection software, scanning tools, audit record monitoring software,
-network monitoring software). Strategic locations for monitoring devices include selected
-perimeter locations and near server farms supporting critical applications, with such devices
-being employed at managed system interfaces. The granularity of monitoring information
-collected is based on organizational monitoring objectives and the capability of systems to
-support such objectives. <br />
-System monitoring is an integral part of continuous monitoring and incident response
-programs. Output from system monitoring serves as input to continuous monitoring and
-incident response programs.  A network connection is any connection with a device that
-communicates through a network (e.g., local area network, Internet). A remote connection
-is any connection with a device communicating through an external network (e.g., the
-Internet). Local, network, and remote connections can be either wired or wireless. <br />
-Unusual or unauthorized activities or conditions related to inbound/outbound
-communications traffic include internal traffic that indicates the presence of malicious code
-in systems or propagating among system components, the unauthorized exporting of
-information, or signaling to external systems. Evidence of malicious code is used to identify
-potentially compromised systems or system components. System monitoring requirements,
-including the need for specific types of system monitoring, may be referenced in other
-requirements. <br />
-NIST SP 800-94 provides guidance on intrusion detection and prevention systems.
-'''FURTHER DISCUSSION '''
-Think of indicators of attack as a set of footprints an adversary leaves during an attack.
-Indicators of attack provide information on the steps the adversary followed and its intent.
-Indicators of attacks on organizational systems may include: <br />
-•
-  internal traffic that indicates the presence of malicious code;
-•
-  anomalous activity detected during non-business hours;
-•
-  unauthorized data leaving the organization; and
-•
-  communicating to external information systems.
- NIST SP 800-171 Rev. 2, pp. 42-43.
-''' '''
-SI.L2-3.14.6 – Monitor Communications for Attacks
-CMMC Assessment Guide – Level 2 | Version 2.13
-To detect attacks and indicators of attacks, deploy monitoring devices or agents. Place these
-sensors at strategic points within the systems and networks to collect essential information.
-Strategic points include internal and external system boundaries. Monitor both inbound
-traffic and outbound traffic as well as actions on hosts. <br />
-This requirement, SI.L2-3.14.6, provides details for the communications of organizational
-systems. SI.L2-3.14.6 supports the requirement AU.L2-3.3.1, which involves creating and
-retaining records for monitoring, analysis, and investigations.
-'''Example <br />
-'''It is your job to look for known indicators of attack or anomalous activity  within your
-systems and communications traffic [a,b,c]. Because these indicators can show up in a variety
-of places on your network, you have created a checklist of places to check each week. These
-include the office firewall logs, the audit logs of the file server where CUI is stored, and the
-connection log for your VPN gateway [b]. <br />
-You conduct additional reviews when you find an indicator, or something that does not
-perform as it should [a].
-'''Potential Assessment Considerations <br />
-'''•
-  Are details provided for the methodology of determining attacks and indicators of attack
-[a]?
-•
-  Are monitoring devices deployed within the information system to collect information
-that may indicate an attack [a]?
-•
-  Are communications traffic flows understood and is there a deployed capability to review
-that traffic [b,c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.6
-''' '''
-SI.L2-3.14.7 – Identify Unauthorized Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE '''
-Identify unauthorized use of organizational systems.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|231 ]]'''
-Determine if: <br />
-[a] authorized use of the system is defined; and <br />
-[b] unauthorized use of the system is identified.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|A]231 ]]'''
-'''Examine <br />
-'''[SELECT FROM: Continuous monitoring strategy; system and information integrity policy;
-procedures addressing system monitoring tools and techniques; facility diagram/layout;
-system security plan; system design documentation; system monitoring tools and
-techniques documentation; locations within system where monitoring devices are deployed;
-system configuration settings and associated documentation; other relevant documents or
-records].
-'''Interview <br />
-'''[SELECT FROM: System or network administrators; personnel with information security
-responsibilities; personnel installing, configuring, and maintaining the system; personnel
-with responsibility for monitoring the system].
-'''Test <br />
-'''[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or
-implementing system monitoring capability].
-'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|232]] '''
-System monitoring includes external and internal monitoring. System monitoring can detect
-unauthorized use of organizational systems.  System monitoring is an integral part of
-continuous monitoring and incident response programs. Monitoring is achieved through a
-variety  of tools and techniques (e.g., intrusion detection systems, intrusion prevention
-systems, malicious code protection software, scanning tools, audit record monitoring
-software, network monitoring software). Output from system monitoring serves as input to
-continuous monitoring and incident response programs. <br />
-Unusual/unauthorized activities or conditions related to inbound and outbound
-communications traffic include internal traffic that indicates the presence of malicious code
-in systems or propagating among  system components, the unauthorized exporting of
- NIST SP 800-171A, p. 64.
- NIST SP 800-171 Rev. 2, p. 43.
-''' '''
-SI.L2-3.14.7 – Identify Unauthorized Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-information, or signaling to external systems. Evidence of malicious code is used to identify
-potentially compromised systems or system components. System monitoring requirements,
-including the need for specific types of system monitoring, may be referenced in other
-requirements. <br />
-NIST SP 800-94 provides guidance on intrusion detection and prevention systems.
-'''FURTHER DISCUSSION '''
-Define authorized use of your systems. Create an acceptable use policy to  establish the
-baseline for how users access devices, internal network services, and the internet. Define
-authorized use by specific roles such as: user, administrator, and technician. After authorized
-use is defined, identify unauthorized use of systems. <br />
-Monitor systems by observing audit activities from the system logs. This can be
-accomplished in real time using automated solutions or by manual means. To identify
-unauthorized use, leverage existing tools and techniques, such as: <br />
-•
-  intrusion detection systems;
-•
-  intrusion prevention systems;
-•
-  malicious code protection software;
-•
-  scanning tools;
-•
-  audit record monitoring software; and
-•
-  network monitoring software.
-This requirement, SI.L2-3.14.7, which deals with identifying unauthorized use of
-organizational systems, is related to requirements: AC.L2-3.1.1, AU.L2-3.3.1, IA.L2-3.5.1,
-and IA.L2-3.5.2. All of these requirements help create the building blocks that support
-SI.L2-3.14.7.
-'''Example 1 <br />
-'''You are in charge of IT operations. You need to ensure that everyone using an organizational
-system is authorized to do so and conforms to the written authorized use policy. To do this,
-you deploy an application that monitors user activity and records the information for later
-analysis. You review the data from this application for signs of activity that does not conform
-to the acceptable use policy [a,b].
-'''Example 2 <br />
-'''You are alerted through your Intrusion Detection System (IDS) that one of your users is
-connecting to a server that is from a high-risk domain (based on your commercial domain
-reputation service). You investigate and determine that it’s not the user, but instead an
-unauthorized connection attempt [b]. You add the domain to your list of blocked domains
-to prevent connections in the future.
-''' '''
-SI.L2-3.14.7 – Identify Unauthorized Use
-CMMC Assessment Guide – Level 2 | Version 2.13
-'''Potential Assessment Considerations <br />
-'''•
-  Is authorized use of systems defined (e.g., data types permitted for storage or processing,
-personnel authorized to access, times or days of permitted use, permitted software) [a]?
-•
-  Is unauthorized use of systems defined (e.g., not authorized to use systems for bitcoin
-mining, not authorized for pornographic content, not authorized to access gambling
-games/content) [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-171 Rev. 2 3.14.7
-''' '''
-Appendix A – Acronyms and Abbreviations
-CMMC Assessment Guide – Level 2 | Version 2.13
-Appendix A – Acronyms and Abbreviations
-AC
-Access Control
-AES
-Advanced Encryption Standard
-API
-Application Programming Interface
-AT
-Awareness and Training
-AU
-Audit and Accountability
-C3PAO
-CMMC Third-Party Assessment Organization
-CA
-Security Assessment
-CD-ROM
-Compact Disk Read-Only Memory
-CFR
-Code of Federal Regulations
-CM
-Configuration Management
-CMMC
-Cybersecurity Maturity Model Certification
-CMVP
-Cryptographic Module Validation Program
-CUI
-Controlled Unclassified Information
-CVE
-Common Vulnerabilities and Exposures
-CWE
-Common Weakness Enumeration
-DCMA
-Defense Contract Management Agency
-DFARS
-Defense Federal Acquisition Regulation Supplement
-DHC
-Device Health Check
-DIBCAC
-Defense Industrial Base Cybersecurity Assessment Center
-DMZ
-Demilitarized Zone
-DoD
-Department of Defense
-DVD
-Digital Versatile Disc or Digital Video Disc
-ESP
-External Service Provider
-FAQ
-Frequently Asked Question
-FAR
-Federal Acquisition Regulation
-FDDI
-Fiber Distributed Data Interface
-FDE
-Full Disk Encryption
-FIPS
-Federal Information Processing Standard
-FTP
-File Transfer Protocol
-IA
-Identification and Authentication
-ID
-Identification
-IDS
-Intrusion Detection System
-''' '''
-Appendix A – Acronyms and Abbreviations
-CMMC Assessment Guide – Level 2 | Version 2.13
-IoT
-Internet of Things
-IP
-Internet Protocol
-IPSec
-Internet Protocol Security
-IR
-Incident Response
-ISAC
-Information Sharing and Analysis Center
-ISDN
-Integrated Services Digital Network
-IT
-Information Technology
-LAN
-Local Area Network
-MA
-Maintenance
-MAC
-Media Access Control
-MDM
-Mobile Device Management
-MFA
-Multifactor Authentication
-MP
-Media Protection
-NARA
-National Archives and Records Administration
-NAS
-Networked Attached Storage
-NIST
-National Institute of Standards and Technology
-NSA
-National Security Agency
-NTP
-Network Time Protocol
-OS
-Operating System
-OSA
-Organization Seeking Assessment
-OSC
-Organization Seeking Certification
-OT
-Operational Technology
-PDA
-Personal Digital Assistant
-PE
-Physical Protection
-PIV
-Personal Identity Verification
-PKI
-Public Key Infrastructure
-POTS
-Plain Old Telephone Service
-PS
-Personnel Security
-RADIUS
-Remote Authentication Dial-in User Service
-RA
-Risk Assessment
-SC
-System and Communications Protection
-SI
-System and Information Integrity
-SMS
-Short Message Service
-SOC
-Security Operations Center
-''' '''
-Appendix A – Acronyms and Abbreviations
-CMMC Assessment Guide – Level 2 | Version 2.13
-SP
-Special Publication
-SSP
-System Security Plan
-TLS
-Transport Layer Security
-URL
-Universal Resource Locator (aka Uniform Resource Locator)
-USB
-Universal Serial Bus
-UTC
-Coordinated Universal Time
-UUENCODE  Unix-to-Unix Encode <br />
-VLAN
-Virtual Local Area Network
-VoIP
-Voice over Internet Protocol
-VPN
-Virtual Private Network
-WPA2-PSK  WiFi Protected Access-Pre-shared Key
-''' '''
-CMMC Assessment Guide – Level 2 | Version 2.13
-''This page intentionally left blank. ''
-= Document Outline =
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#9|Introduction]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#9|Level 2 Description]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#10|Purpose and Audience]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|Assessment and Certification]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|Assessment Scope]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#12|CMMC-Custom Terms]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#15|Assessment Criteria and Methodology]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|Criteria]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|Methodology]]
-*** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|Who Is Interviewed]]
-*** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|What Is Examined]]
-*** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|What Is Tested]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|Assessment Findings]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|Requirement Descriptions]]
-** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|Introduction]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|Access Control (AC)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|Awareness and Training (AT)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|Audit and Accountability (AU)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|Configuration Management (CM)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|Identification and Authentication (IA)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|Incident Response (IR)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|Maintenance (MA)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|Media Protection (MP)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|Personnel Security (PS)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|Physical Protection (PE)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|Risk Assessment (RA)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|Security Assessment (CA)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|System and Communications Protection (SC)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|System and Information Integrity (SI)]]
-* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#272|Appendix A – Acronyms and Abbreviations]]
------
-Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf