CSF Identifiers: Difference between revisions

From CMMC Toolkit Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 25: Line 25:
|Business Environment
|Business Environment
|-
|-
|'''Security Protection Assets'''
|rowspan="6" style="text-align:center;"|'''PR'''
|
|rowspan="6" style="text-align:center;"|Protect
* Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
|style="text-align:center;"|PR.AC
|Identity Management and Access Control
|-
|-
|'''Contractor Risk Managed Assets'''
|style="text-align:center;"|PR.AT
|
|Awareness and Training
* Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
|-
* Assets are not required to be physically or logically separated from CUI assets
|style="text-align:center;"|PR.DS
|rowspan="2"|
|Data Security
* Document in the asset inventory
|-
* Document in the SSP
|style="text-align:center;"|PR.IP
** Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices
|Information Protection Processes and Procedures
* Document in the network diagram of the CMMC Assessment Scope
|-
|
|style="text-align:center;"|PR.MA
* Review the SSP in accordance with practice CA.L2-3.12.4
|Maintenance
** If appropriately documented, do not assess against other CMMC practices
|-
** If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
|style="text-align:center;"|PR.PT
** The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
|Protective Technology
** The limited spot check(s) will be within the defined assessment scope
|-
|rowspan="3" style="text-align:center;"|'''DE'''
|rowspan="3" style="text-align:center;"|Detect
|style="text-align:center;"|DE.AE
|Anomalies and Events
|-
|style="text-align:center;"|DE.CM
|Security Continuous Monitoring
|-
|style="text-align:center;"|DE.DP
|Detection Process
|-
|-
|'''Specialized Assets'''
|'''Specialized Assets'''

Revision as of 20:58, 9 April 2023

Function Unique Identifier Function Category Unique Identifier Category
ID Identify ID.AM Asset Management
ID.BE Business Environment
ID.GV Governance
ID.RA Risk Assessment
ID.RM Risk Management Strategy
ID.SC Business Environment
PR Protect PR.AC Identity Management and Access Control
PR.AT Awareness and Training
PR.DS Data Security
PR.IP Information Protection Processes and Procedures
PR.MA Maintenance
PR.PT Protective Technology
DE Detect DE.AE Anomalies and Events
DE.CM Security Continuous Monitoring
DE.DP Detection Process
Specialized Assets
  • Assets that may or may not process, store, or transmit CUI
  • Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
  • Review the SSP in accordance with practice CA.L2-3.12.4
  • Do not assess against other CMMC practices
Assets that are not in the CMMC Assessment Scope
Out-of-Scope Assets
  • Assets that cannot process, store, or transmit CUI
  • Assets are required to be physically or logically separated from CUI assets
  • None