CCA Blueprint: Difference between revisions
Latest revision as of 23:14, 8 May 2023
Source of Reference: The CCA blueprint document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.
Domains
Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:
Domain | Exam Weight |
---|---|
1. Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements | 15% |
2. CMMC Level 2 Assessment Scoping | 20% |
3. CMMC Assessment Process (CAP) | 25% |
4. Assessing CMMC Level 2 Practices | 40% |
Domain 1: Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements
Task 1. Assess the various environmental considerations of Organizations Seeking Certification (OSCs) against CMMC L2 practices.
Lesson Topic | Objective | Objective Description |
---|---|---|
4C | 1.1.1 | The difference between logical (virtual) and physical locations |
4C | 1.1.2 | The difference between professional and industrial environments |
4C | 1.1.3 | Single and multi-site environmental constraints and Evidence requirements |
4C | 1.1.4 | Cloud and hybrid environment constraints and Evidence requirements |
4C | 1.1.5 | On-premises environmental constraints |
4C | 1.1.6 | Environmental exclusions for a level 2 CMMC assessment |
Domain 2: Scoping
Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide.
Lesson Topic | Objective | Objective Description |
---|---|---|
4B | 2.1.1 | 1. Categorization of CUI data in the form of Assets that are in scope: |
4B | 2.1.1.A | |
4B | 2.1.1.A(1) | |
4B | 2.1.1.B | |
4B | 2.1.1.B(1) | |
4B | 2.1.1.C | |
4B | 2.1.1.C(1) | |
4B | 2.1.1.D | |
4B | 2.1.1.D(1) | |
4B | 2.1.1.D(2) | |
4B | 2.1.1.E | |
4B | 2.1.1.E(1) | |
Task 2. Given a scenario, analyze the CMMC Assessment Scope based on the predetermined CUI categories within the CMMC Level 2 Assessment Scoping Guide.
Lesson Topic | Objective | Objective Description |
---|---|---|
4B | 2.2.1 | 1. CMMC assessment asset categories (In-scope) |
4B | 2.2.1.A | |
4B | 2.2.1.B | |
4B | 2.2.1.C | |
4B | 2.2.1.D | |
4B | 2.2.2 | 2. CMMC assessment asset categories (Out-of-scope) |
4A | 2.2.3 | 3. Separation Techniques |
4A | 2.2.3.A | |
4A | 2.2.3.A(1) | |
4A | 2.2.3.A(2) | |
4A | 2.2.3.B | |
4A | 2.2.3.B(1) | |
4A | 2.2.3.B(2) | |
4A | 2.2.3.B(3) | |
4A | 2.2.3.B(4) | |
Task 3. Evaluate CMMC assessment scope considerations based on the CMMC Level 2 Assessment Scoping Guide.
Lesson Topic | Objective | Objective Description |
---|---|---|
4E | 2.3.1 | 1. FCI and CUI within the same Assessment Scope: |
4E | 2.3.1.A | |
4E | 2.3.1.B | |
4E | 2.3.2 | 2. FCI and CUI NOT within the same Assessment Scope: |
4E | 2.3.2.A | |
4E | 2.3.2.B | |
4C, 4D | 2.3.3 | 3. External Services Providers |
4D | 2.3.3.A | |
2C, 4E | 2.3.3.B | |
4D | 2.3.3.C | |
Domain 3: CMMC Assessment Process (CAP) v5.X
Task 1. Given a scenario, apply the appropriate phases and steps to plan, prepare, conduct, and report on a CMMC Level 2 Assessment.
Lesson Topic | Objective | Objective Description |
---|---|---|
3A, 3B, 3C | 3.1.1 | 1. Phase 1 - Plan and Prepare Assessments: |
3B | 3.1.1.A | A. Analyze requirements |
3C | 3.1.1.B | B. Develop Assessment plan |
3B | 3.1.1.C | C. Verify readiness to conduct assessment |
3A, 3D | 3.1.2 | 2. Phase 2 - Conduct assessment: |
3D | 3.1.2.A | a. Collect and examine Evidence |
3D | 3.1.2.B | b. Score practices and validate preliminary results |
3D | 3.1.2.C | c. Generate final recommended Assessment Results |
3A | 3.1.3 | 3. Phase 3 - Report Recommended Assessment Results: |
3F | 3.1.3.A | a. Deliver Recommended Assessment Results |
Domain 4: CMMC Level 2 Practices
Task 1. Identify evidence verification/validation methods and objects for Practices based on the CMMC Level 2 Assessment Guide and CMMC Assessment Process (CAP) documentation.
Lesson Topic | Objective | Objective Description |
---|---|---|
3D | 4.1.1 | 1. Methods and objects for determining evidence |
3D | 4.1.1.A | A. Examine |
3D | 4.1.1.B | B. Interview |
3D | 4.1.1.C | C. Test |
3D | 4.1.2 | 2. Adequacy and sufficiency related to Evidence around all below practices |
3D | 4.1.2.A | A. Characteristics of acceptable Evidence |
3D | 4.1.2.B | B. Evidence of enabling persistent and habitual application of practices |
3D | 4.1.2.B(1) | (1) Policy |
3D | 4.1.2.B(2) | (2) Plan |
3D | 4.1.2.B(3) | (3) Resourcing |
3D | 4.1.2.B(4) | (4) Communication |
3D | 4.1.2.B(5) | (5) Training |
3D | 4.1.2.C | C. Characterization of evidence |
2C, 3D | 4.1.2.C(1) | (1) Validate that evidence effectively meets intent of standard |
3D | 4.1.2.C(2) | (2) An objective and systematic examination of evidence for the purpose of providing an independent assessment of the performance of CMMC |
5A, 6A, 7A, 8A, 9A, 10A, 11A, 12A, 13A, 14A, 15A, 16, 17A, 18A | 4.1.3 | 3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and assessment considerations (by domain): (at a minimum the practices listed below must be evaluated for CCA candidates) |
5A, 5B | 4.1.3.A | A. Access Control (AC) |
5A | 4.1.3.A(1) | (1) AC.L2-3.1.3 – Control CUI Flow |
5A | 4.1.3.A(2) | (2) AC.L2-3.1.4 – Separation of Duties |
5A | 4.1.3.A(3) | (3) AC.L2-3.1.5 – Least Privilege |
5A | 4.1.3.A(4) | (4) AC.L2-3.1.6 – Non-Privileged Account Use |
5A | 4.1.3.A(5) | (5) AC.L2-3.1.7 – Privileged Functions |
5A | 4.1.3.A(6) | (6) AC.L2-3.1.8 – Unsuccessful Logon Attempts |
5A | 4.1.3.A(7) | (7) AC.L2-3.1.9 – Privacy & Security Notices |
5A | 4.1.3.A(8) | (8) AC.L2-3.1.10 – Session Lock |
5A | 4.1.3.A(9) | (9) AC.L2-3.1.11 – Session Termination |
5A | 4.1.3.A(10) | (10) AC.L2-3.1.12 – Control Remote Access |
5A | 4.1.3.A(11) | (11) AC.L2-3.1.13 – Remote Access Confidentiality |
5A | 4.1.3.A(12) | (12) AC.L2-3.1.14 – Remote Access Routing |
5A | 4.1.3.A(13) | (13) AC.L2-3.1.15 – Privileged Remote Access |
5A | 4.1.3.A(14) | (14) AC.L2-3.1.16 – Wireless Access Authorization |
5A | 4.1.3.A(15) | (15) AC.L2-3.1.17 – Wireless Access Protection |
5A | 4.1.3.A(16) | (16) AC.L2-3.1.18 – Mobile Device Connection |
5A | 4.1.3.A(17) | (17) AC.L2-3.1.19 – Encrypt CUI on Mobile |
5A | 4.1.3.A(18) | (18) AC.L2-3.1.21 – Portable Storage Use |
6A, 6B | 4.1.3.B | B. Awareness & Training (AT) |
6A | 4.1.3.B(1) | (1) AT.L2-3.2.1 – Role-Based Risk Awareness |
6A | 4.1.3.B(2) | (2) AT.L2-3.2.2 – Role-Based Training |
6A | 4.1.3.B(3) | (3) AT.L2-3.2.3 – Insider Threat Awareness |
7A, 7B | 4.1.3.C | C. Audit & Accountability (AU) |
7A | 4.1.3.C(1) | (1) AU.L2-3.3.1 – System Auditing |
7A | 4.1.3.C(2) | (2) AU.L2-3.3.2 – User Accountability |
7A | 4.1.3.C(3) | (3) AU.L2-3.3.3 – Event Review |
7A | 4.1.3.C(4) | (4) AU.L2-3.3.4 – Audit Failure Alerting |
7A | 4.1.3.C(5) | (5) AU.L2-3.3.5 – Audit Correlation |
7A | 4.1.3.C(6) | (6) AU.L2-3.3.6 – Reduction & Reporting |
7A | 4.1.3.C(7) | (7) AU.L2-3.3.7 – Authoritative Time Source |
7A | 4.1.3.C(8) | (8) AU.L2-3.3.8 – Audit Protection |
7A | 4.1.3.C(9) | (9) AU.L2-3.3.9 – Audit Management |
9A, 9B | 4.1.3.D | D. Configuration Management (CM) |
9A | 4.1.3.D(1) | (1) CM.L2-3.4.1 – System Baselining |
9A | 4.1.3.D(2) | (2) CM.L2-3.4.2 – Security Configuration Enforcement |
9A | 4.1.3.D(3) | (3) CM.L2-3.4.3 – System Change Management |
9A | 4.1.3.D(4) | (4) CM.L2-3.4.4 – Security Impact Analysis |
9A | 4.1.3.D(5) | (5) CM.L2-3.4.5 – Access Restrictions for Change |
9A | 4.1.3.D(6) | (6) CM.L2-3.4.6 – Least Functionality |
9A | 4.1.3.D(7) | (7) CM.L2-3.4.7 – Nonessential Functionality |
9A | 4.1.3.D(8) | (8) CM.L2-3.4.8 – Application Execution Policy |
9A | 4.1.3.D(9) | (9) CM.L2-3.4.9 – User-Installed Software |
10A, 10B | 4.1.3.E | E. Identification & Authentication (IA) |
10A | 4.1.3.E(1) | (1) IA.L2-3.5.3 – Multifactor Authentication |
10A | 4.1.3.E(2) | (2) IA.L2-3.5.4 – Replay-Resistant Authentication |
10A | 4.1.3.E(3) | (3) IA.L2-3.5.5 – Identifier Reuse |
10A | 4.1.3.E(4) | (4) IA.L2-3.5.6 – Identifier Handling |
10A | 4.1.3.E(5) | (5) IA.L2-3.5.7 – Password Complexity |
10A | 4.1.3.E(6) | (6) IA.L2-3.5.8 – Password Reuse |
10A | 4.1.3.E(7) | (7) IA.L2-3.5.9 – Temporary Passwords |
10A | 4.1.3.E(8) | (8) IA.L2-3.5.10 – Cryptographically-Protected Passwords |
10A | 4.1.3.E(9) | (9) IA.L2-3.5.11 – Obscure Feedback |
11A, 11B | 4.1.3.F | F. Incident Response (IR) |
11A | 4.1.3.F(1) | (1) IR.L2-3.6.1 – Incident Handling |
11A | 4.1.3.F(2) | (2) IR.L2-3.6.2 – Incident Reporting |
11A | 4.1.3.F(3) | (3) IR.L2-3.6.3 – Incident Response Testing |
12A, 12B | 4.1.3.G | G. Maintenance (MA) |
12A | 4.1.3.G(1) | (1) MA.L2-3.7.1 – Perform Maintenance |
12A | 4.1.3.G(2) | (2) MA.L2-3.7.2 – System Maintenance Control |
12A | 4.1.3.G(3) | (3) MA.L2-3.7.3 – Equipment Sanitization |
12A | 4.1.3.G(4) | (4) MA.L2-3.7.4 – Media Inspection |
12A | 4.1.3.G(5) | (5) MA.L2-3.7.5 – Nonlocal Maintenance |
12A | 4.1.3.G(6) | (6) MA.L2-3.7.6 – Maintenance Personnel |
13A, 13B | 4.1.3.H | H. Media Protection (MP) |
13A | 4.1.3.H(1) | (1) MP.L2-3.8.1 – Media Protection |
13A | 4.1.3.H(2) | (2) MP.L2-3.8.2 – Media Access |
13A | 4.1.3.H(3) | (3) MP.L2-3.8.4 – Media Markings |
13A | 4.1.3.H(4) | (4) MP.L2-3.8.5 – Media Accountability |
13A | 4.1.3.H(5) | (5) MP.L2-3.8.6 – Portable Storage Encryption |
13A | 4.1.3.H(6) | (6) MP.L2-3.8.7 – Removable Media |
13A | 4.1.3.H(7) | (7) MP.L2-3.8.8 – Shared Media |
13A | 4.1.3.H(8) | (8) MP.L2-3.8.9 – Protect Backups |
15A, 15B | 4.1.3.I | I. Personnel Security (PS) |
15A | 4.1.3.I(1) | (1) PS.L2-3.9.1 – Screen Individuals |
15A | 4.1.3.I(2) | (2) PS.L2-3.9.2 – Personnel Actions |
14A, 14B | 4.1.3.J | J. Physical Protection (PE) |
14A | 4.1.3.J(1) | (1) PE.L2-3.10.2 – Monitor Facility |
14A | 4.1.3.J(2) | (2) PE.L2-3.10.6 – Alternative Work Sites |
16A, 16B | 4.1.3.K | K. Risk Assessment (RA) |
16A | 4.1.3.K(1) | (1) RA.L2-3.11.1 – Risk Assessments |
16A | 4.1.3.K(2) | (2) RA.L2-3.11.2 – Vulnerability Scan |
16A | 4.1.3.K(3) | (3) RA.L2-3.11.3 – Vulnerability Remediation |
8A, 8B | 4.1.3.L | L. Security Assessment (CA) |
8A | 4.1.3.L(1) | (1) CA.L2-3.12.1 – Security Control Assessment |
8A | 4.1.3.L(2) | (2) CA.L2-3.12.2 – Plan of Action |
8A | 4.1.3.L(3) | (3) CA.L2-3.12.3 – Security Control Monitoring |
8A | 4.1.3.L(4) | (4) CA.L2-3.12.4 – System Security Plan |
17A, 17B | 4.1.3.M | M. System & Communications Protection (SC) |
17A | 4.1.3.M(1) | (1) SC.L2-3.13.2 – Security Engineering |
17A | 4.1.3.M(2) | (2) SC.L2-3.13.3 – Role Separation |
17A | 4.1.3.M(3) | (3) SC.L2-3.13.4 – Shared Resource Control |
17A | 4.1.3.M(4) | (4) SC.L2-3.13.6 – Network Communication by Exception |
17A | 4.1.3.M(5) | (5) SC.L2-3.13.7 – Split Tunneling |
17A | 4.1.3.M(6) | (6) SC.L2-3.13.8 – Data in Transit |
17A | 4.1.3.M(7) | (7) SC.L2-3.13.9 – Connections Termination |
17A | 4.1.3.M(8) | (8) SC.L2-3.13.10 – Key Management |
17A | 4.1.3.M(9) | (9) SC.L2-3.13.11 – CUI Encryption |
17A | 4.1.3.M(10) | (10) SC.L2-3.13.12 – Collaborative Device Control |
17A | 4.1.3.M(11) | (11) SC.L2-3.13.13 – Mobile Code |
17A | 4.1.3.M(12) | (12) SC.L2-3.13.14 – Voice over Internet Protocol |
17A | 4.1.3.M(13) | (13) SC.L2-3.13.15 – Communications Authenticity |
17A | 4.1.3.M(14) | (14) SC.L2-3.13.16 – Data at Rest |
18A, 18B | 4.1.3.N | N. System & Information Integrity (SI) |
18A | 4.1.3.N(1) | (1) SI.L2-3.14.3 – Security Alerts & Advisories |
18A | 4.1.3.N(2) | (2) SI.L2-3.14.6 – Monitor Communications for Attacks |
18A | 4.1.3.N(3) | (3) SI.L2-3.14.7 – Identify Unauthorized Use |