Evidence Collection Approach: Difference between revisions

From CMMC Toolkit Wiki
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

CMMC assessments and certification require substantial evidence and documentation. The following tables outline general guidelines for collecting evidence to assess control requirements and objectives. While these guidelines provide a structured approach, they are not the only means of conducting an accurate assessment. Assessors should exercise professional judgment and may employ alternative methods appropriate to the specific organizational context and circumstances.


== Evidence Collection Approach for CMMC Practices Levels 1 and 2 ==
The following tables contain the DIBCAC evidence collection approach for the CMMC Level 1 and 2 practices and their Assessment Objectives. The evidence collection approaches are defined as follows (see the CAP Glossary for additional details):
* '''Document''': Tangible materials containing information over which an organization has authority, including all types of written records and their copies.
* '''Artifacts''': Tangible, reviewable records directly resulting from a practice or process being performed by a system or by personnel executing their role within that practice, control, or process.
* '''Physical Review''': Direct on-site observation and examination of evidence.
* '''Screen Share''': Real-time remote observation of a user demonstrating a task or process via a shared computer screen, sometimes called "over-the-shoulder" review.


The following tables provide a general mapping between Assessment Objectives (AOs) and the Assessment Methods that may be used. These are not to be construed as directive. The Assessor has the right to replace any Assessment Method with a different one based on what the OSC has provided for other requirements, previously gathered evidence, or the lack thereof.

DISCLAIMER: Evidence requirements vary significantly across assessment types. '''The examples provided are illustrative only and should be tailored to meet the specific adequacy and sufficiency standards of your particular assessment context.'''

== Access Control (AC) ==
=== AC.L2-3.1.1 – Authorized Access Control [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.1_Details|'''AC.L2-3.1.1''']] Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
|-
| [a] authorized users are identified. || Document || Document defining account request, approval, and provisioning.
|-
| [b] processes acting on behalf of authorized users are identified. || Document || Document defining account request, approval, and provisioning.
|-
| [c] devices (and other systems) authorized to connect to the system are identified. || Document || Document defining account request, approval, and provisioning.
|-
| [d] system access is limited to authorized users. || Screen Share || Screen share showing that login requirements are enforced, for example an unauthorized user being denied (unauthorized username entered at login).
|-
| [e] system access is limited to processes acting on behalf of authorized users. || Screen Share || Screenshot showing that service accounts are assigned to authorized users only; no rogue accounts without an authorized user are active.
|-
| [f] system access is limited to authorized devices (including other systems). || Screen Share || Screen share showing that all running devices are authorized; no rogue devices on the network.
|}


=== AC.L2-3.1.2 – Transaction & Function Control [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.2_Details|'''AC.L2-3.1.2''']] Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
|-
| [a] the types of transactions and functions that authorized users are permitted to execute are defined. || Document || SSP, AUP, or IAM document that defines what authorized users can execute.
|-
| [b] system access is limited to the defined types of transactions and functions for authorized users. || Screen Share || Screenshot of security roles in AD, IAM, or another directory-based identity service showing that transactions are as defined in the SSP or IAM document; privileged and non-privileged accounts need to be defined and identified in the artifact; screenshot of a non-privileged user trying to execute a privileged function.
|}


=== AC.L2-3.1.3 – Control CUI Flow ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.3_Details|'''AC.L2-3.1.3''']] Control the flow of CUI in accordance with approved authorizations.
|-
| [a] information flow control policies are defined. || Document || SSP or other document describing the control of CUI on the network.
|-
| [b] methods and enforcement mechanisms for controlling the flow of CUI are defined. || Document || Document that defines the networking devices on the CUI network and states what measures are in place to control the flow: a list of the firewalls, border and internal layer 3 devices, IDS/IPS, and DLP that process CUI.
|-
| [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. || Artifact || Network diagram, data flow diagram, external system connection diagrams, document describing the policies for CUI on the network; listing of VLANs and subnets where CUI is authorized; the document must describe sources and authorized destinations.
|-
| [d] authorizations for controlling the flow of CUI are defined. || Document || Document that defines how CUI is to be controlled, such as an InfoSec plan and/or network management plan.
|-
| [e] approved authorizations for controlling the flow of CUI are enforced. || Screen Share || Screenshots of firewall rules, ACLs, etc.
|}


=== AC.L2-3.1.4 – Separation of Duties ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.4_Details|'''AC.L2-3.1.4''']] Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
|-
| [a] the duties of individuals requiring separation are defined. || Document || Document, SSP, or account management policy defining separation of duties by person or role.
|-
| [b] responsibilities for duties that require separation are assigned to separate individuals. || Screen Share || Screenshot showing that separation of duties is enforced, e.g., that admin accounts are assigned to different people based on role.
|-
| [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. || Screen Share || Screenshot showing an example such as a security manager being unable to log into a network device and change ACLs, or network admins being unable to access security logs in the SIEM tool.
|}


=== AC.L2-3.1.5 – Least Privilege ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.5_Details|'''AC.L2-3.1.5''']] Employ the principle of least privilege, including for specific security functions and privileged accounts.
|-
| [a] privileged accounts are identified. || Document || SSP or policy (documentation) identifying what is considered a privileged account.
|-
| [b] access to privileged accounts is authorized in accordance with the principle of least privilege. || Artifact || Artifact showing that the least set of permissions associated with each type of privileged account has been approved.
|-
| [c] security functions are identified. || Document || SSP or policy (documentation) identifying what is considered a security account.
|-
| [d] access to security functions is authorized in accordance with the principle of least privilege. || Artifact || Artifact(s) showing that the least set of permissions associated with each type of security account has been approved.
|}


=== AC.L2-3.1.6 – Non-Privileged Account Use ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.6_Details|'''AC.L2-3.1.6''']] Use non-privileged accounts or roles when accessing nonsecurity functions.
|-
| [a] nonsecurity functions are identified. || Document || SSP, account management document, or AUP that defines non-security functions.
|-
| [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions. || Screen Share || Screenshot showing that a privileged user tried to use their admin account to access a non-security function, such as a browser or email (whatever is defined in their policy), and was blocked.
|}


=== AC.L2-3.1.7 – Privileged Functions ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.7_Details|'''AC.L2-3.1.7''']] Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
|-
| [a] privileged functions are defined. || Document || SSP or policy (documentation) that defines privileged functions.
|-
| [b] non-privileged users are defined. || Document || SSP or policy (documentation) that defines non-privileged users.
|-
| [c] non-privileged users are prevented from executing privileged functions. || Screen Share || Screen share showing that a non-privileged user is not allowed to complete a privileged function (e.g., installing software).
|-
| [d] the execution of privileged functions is captured in audit logs. || Screen Share || Screen share showing that logs of the execution of privileged functions are being captured.
|}


=== AC.L2-3.1.8 – Unsuccessful Logon Attempts ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.8_Details|'''AC.L2-3.1.8''']] Limit unsuccessful logon attempts.
|-
| [a] the means of limiting unsuccessful logon attempts is defined. || Document || SSP or policy (documentation) showing the unsuccessful logon attempt settings and/or policy.
|-
| [b] the defined means of limiting unsuccessful logon attempts is implemented. || Artifact || Artifact showing the GPO or policy that limits logon attempts.
|}


=== AC.L2-3.1.9 – Privacy & Security Notices ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.9_Details|'''AC.L2-3.1.9''']] Provide privacy and security notices consistent with applicable CUI rules.
|-
| [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. || Document || SSP or policy (documentation) showing that CUI-specified rules are identified, consistent, and associated with the specific CUI category.
|-
| [b] privacy and security notices are displayed. || Artifact || Artifact showing the consent banner or screen that a user sees when logging in to the system.
|}


=== AC.L2-3.1.10 – Session Lock ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.10_Details|'''AC.L2-3.1.10''']] Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
|-
| [a] the period of inactivity after which the system initiates a session lock is defined. || Document || SSP or policy (documentation) that defines the period of inactivity after which a session lock is initiated.
|-
| [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. || Artifact || Artifact showing the session lock setting (GPO, system policy, or a similar solution that provides centralized management and configuration of operating systems, applications, and user settings for user accounts and computer accounts).
|-
| [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. || Artifact || Screenshot of the GPO setting and configuration settings, or of a similar solution that provides centralized management and configuration of operating systems, applications, and user settings for user accounts and computer accounts.
|}


=== AC.L2-3.1.11 – Session Termination ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.11_Details|'''AC.L2-3.1.11''']] Terminate (automatically) a user session after a defined condition.
|-
| [a] conditions requiring a user session to terminate are defined. || Document || SSP or policy (documentation) that defines the conditions requiring a user session to be terminated.
|-
| [b] a user session is automatically terminated after any of the defined conditions. || Screen Share || Screen share showing the GPO or VPN settings that determine when a session is terminated (idle time, maximum connection time).
|}


=== AC.L2-3.1.12 – Control Remote Access ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.12_Details|'''AC.L2-3.1.12''']] Monitor and control remote access sessions.
|-
| [a] remote access sessions are permitted. || Document || SSP or policy (documentation) that defines remote access sessions.
|-
| [b] the types of permitted remote access are identified. || Document || SSP or policy (documentation) that defines which types of remote access are permitted.
|-
| [c] remote access sessions are controlled. || Screen Share || Screen share showing how remote access is controlled (access sessions and/or groups).
|-
| [d] remote access sessions are monitored. || Screen Share || Screen share showing how remote sessions are monitored (logs).
|}


=== AC.L2-3.1.13 – Remote Access Confidentiality ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.13_Details|'''AC.L2-3.1.13''']] Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
|-
| [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. || Document || SSP or policy (documentation) that discusses the CUI rules, consistent with and associated with the specific CUI category; FIPS certificate number of the appliance or application.
|-
| [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. || Screen Share || Screenshot of the VPN concentrator showing that encryption is on and enabled (point-to-point, etc.).
|}


=== AC.L2-3.1.14 – Remote Access Routing ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.14_Details|'''AC.L2-3.1.14''']] Route remote access via managed access control points.
|-
| [a] managed access control points are identified and implemented. || Screen Share || Screen share showing the access control points (groups and/or users).
|-
| [b] remote access is routed through managed network access control points. || Screen Share || Screen share showing the access control points and how they are managed.
|}


=== AC.L2-3.1.15 – Privileged Remote Access ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.15_Details|'''AC.L2-3.1.15''']] Authorize remote execution of privileged commands and remote access to security-relevant information.
|-
| [a] privileged commands authorized for remote execution are identified. || Document || SSP or policy (documentation) that defines what is authorized to be executed remotely and how that is handled.
|-
| [b] security-relevant information authorized to be accessed remotely is identified. || Document || SSP or policy (documentation) that defines what can be accessed remotely and what procedures are implemented to allow this (RDP, jump box).
|-
| [c] the execution of the identified privileged commands via remote access is authorized. || Screen Share || Screen share showing who has access to perform privileged commands remotely (access groups for privileged accounts).
|-
| [d] access to the identified security-relevant information via remote access is authorized. || Screen Share || Screen share showing the routing of remote access, how it is monitored, and how many locations are involved (firewall, VPN concentrator).
|}


=== AC.L2-3.1.16 – Wireless Access Authorization ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.16_Details|'''AC.L2-3.1.16''']] Authorize wireless access prior to allowing such connections.
|-
| [a] wireless access points are identified. || Document || SSP, network administration document.
|-
| [b] wireless access is authorized prior to allowing such connections. || Screen Share || Authorization profile(s) in the Wireless Access Controller or Identity Manager (e.g., Cisco ISE).
|}


=== AC.L2-3.1.17 – Wireless Access Protection ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.17_Details|'''AC.L2-3.1.17''']] Protect wireless access using authentication and encryption.
|-
| [a] wireless access to the system is protected using authentication. || Screen Share || Security page (or similar) of the Wireless Access Controller.
|-
| [b] wireless access to the system is protected using encryption. || Screen Share || Security page (or similar) of the Wireless Access Controller.
|}


=== AC.L2-3.1.18 – Mobile Device Connection ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.18_Details|'''AC.L2-3.1.18''']] Control connection of mobile devices.
|-
| [a] mobile devices that process, store, or transmit CUI are identified. || Document || SSP, Mobile Device Policy.
|-
| [b] mobile device connections are authorized. || Screen Share || Authorization profile(s) in the Wireless Access Controller or Identity Manager (e.g., Cisco ISE).
|-
| [c] mobile device connections are monitored and logged. || Screen Share || Mobile device logs within the MDM; log intake (source) configuration within the SIEM showing that the MDM is feeding logs to the SIEM.
|}


=== AC.L2-3.1.19 – Encrypt CUI on Mobile ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.19_Details|'''AC.L2-3.1.19''']] Encrypt CUI on mobile devices and mobile computing platforms.
|-
| [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. || Document || SSP, Mobile Device Policy.
|-
| [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. || Screen Share || Security policy page in the MDM showing how encryption is enforced on mobile devices. If there is no MDM, or the MDM does not enforce encryption, validate whether the devices used are on the list of devices with native FIPS-approved validation.
|}


=== AC.L2-3.1.20 – External Connections [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.20_Details|'''AC.L2-3.1.20''']] Verify and control/limit connections to and use of external information systems.
|-
| [a] connections to external systems are identified. || Document || SSP, System Interconnection Agreements, SLA.
|-
| [b] the use of external systems is identified. || Document || SSP, System Interconnection Agreements, SLA.
|-
| [c] connections to external systems are verified. || Artifact || SLA for external systems, memorandum for interconnection, information proving that any cloud solution is at FedRAMP impact level Moderate or higher (e.g., license information, screenshot of the AWS cloud dashboard, purchase order document).
|-
| [d] the use of external systems is verified. || Artifact || SLA for external systems, memorandum for interconnection, information proving that any cloud solution is at FedRAMP impact level Moderate or higher (e.g., license information, screenshot of the AWS cloud dashboard, purchase order document).
|-
| [e] connections to external systems are controlled/limited. || Screen Share || Firewall ruleset controlling access to the cloud service or external system.
|-
| [f] the use of external systems is controlled/limited. || Screen Share || Firewall ruleset controlling access to the cloud service or external system.
|}


=== AC.L2-3.1.21 – Portable Storage Use ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.21_Details|'''AC.L2-3.1.21''']] Limit use of portable storage devices on external systems.
|-
| [a] the use of portable storage devices containing CUI on external systems is identified and documented. || Document || SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|-
| [b] limits on the use of portable storage devices containing CUI on external systems are defined. || Document || SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|-
| [c] the use of portable storage devices containing CUI on external systems is limited as defined. || Document || SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|}


=== AC.L2-3.1.22 – Control Public Information [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AC.L2-3.1.22_Details|'''AC.L2-3.1.22''']] Control information posted or processed on publicly accessible information systems.
|-
| [a] individuals authorized to post or process information on publicly accessible systems are identified. || Document || SSP, Website Governance Plan, Information Release Document.
|-
| [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. || Document || SSP, Website Governance Plan, Information Release Document.
|-
| [c] a review process is in place prior to posting of any content to publicly accessible systems. || Artifact || Information release approval process, e.g., an email chain among originator, approver, and final decision-maker (may or may not include the individual authorized to post); SharePoint, electronic or paper form, or ticket system showing the information flow between requestor and approver (may or may not include the individual authorized to post).
|-
| [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI. || Artifact || Incident response process, web design/update/modification SOP, etc.
|-
| [e] mechanisms are in place to remove and address improper posting of CUI. || Artifact || Incident response process, web design/update/modification SOP, etc.
|}


=== AT.L2-3.2.1 – Role-Based Risk Awareness ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AT.L2-3.2.1_Details|'''AT.L2-3.2.1''']] Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
|-
| [a] security risks associated with organizational activities involving CUI are identified. || Document || Security Awareness Training policy; Security Awareness Training briefing.
|-
| [b] policies, standards, and procedures related to the security of the system are identified. || Document || Acceptable Use Policy; policies, procedures, and instructions related to the security of the system.
|-
| [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. || Artifact || Security training brief, training records.
|-
| [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. || Artifact || Policies, standards, and procedures covered in employee training (completed training report).
|}


=== AT.L2-3.2.2 – Role-Based Training ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AT.L2-3.2.2_Details|'''AT.L2-3.2.2''']] Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
|-
| [a] information security-related duties, roles, and responsibilities are defined. || Document || Policy/Procedures/Instruction, Job Role Matrix, Position Descriptions, User Roles.
|-
| [b] information security-related duties, roles, and responsibilities are assigned to designated personnel. || Artifact || Screenshot of the breakout of roles/permissions assigned to individuals (e.g., in Active Directory); Privileged Access Agreement.
|-
| [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. || Artifact || Screenshot of the tool and/or training specifying security-specific roles, duties, and responsibilities; screenshot of required certifications (e.g., Security+, CISSP).
|}


=== AT.L2-3.2.3 – Insider Threat Awareness ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AT.L2-3.2.3_Details|'''AT.L2-3.2.3''']] Provide security awareness training on recognizing and reporting potential indicators of insider threat.
|-
| [a] potential indicators associated with insider threats are identified. || Document || Insider Threat Policy/Procedures/Instruction; Insider Threat Training/Briefing.
|-
| [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. || Artifact || Screenshot of training records showing completion of insider threat training; emails showing completion of insider threat training; screenshot of a completion certificate bearing the individual's name.
|}


=== AU.L2-3.3.1 – System Auditing ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.1_Details|'''AU.L2-3.3.1''']] Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
|-
| [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. || Document || SSP, policy, or auditing and logging process that defines the specific event types to be logged.
|-
| [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. || Document || SSP, policy, or auditing and logging process that defines the specific content of audit records/files.
|-
| [c] audit records are created (generated). || Screen Share || Screen share of the tool showing that logs are generated for all systems.
|-
| [d] audit records, once created, contain the defined content. || Screen Share || Screen share of the tool showing that logs contain the content defined in the SSP, policy, or procedures.
|-
| [e] retention requirements for audit records are defined. || Document || SSP, policy, or auditing and logging process that describes how long records are kept.
|-
| [f] audit records are retained as defined. || Screen Share || Screen share of the tool showing that records and audit content are retained at least as long as defined.
|}


=== AU.L2-3.3.2 – User Accountability ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.2_Details|'''AU.L2-3.3.2''']] Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
|-
| [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. || Document || SSP, policy, or process that defines how actions are traced back to individuals.
|-
| [b] audit records, once created, contain the defined content. || Screen Share || Screen share of the tool showing audit records traced to specific users/roles.
|}
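The screen-share rows for AU.L2-3.3.1 [d] and AU.L2-3.3.2 [b] show an assessor that records exist and carry the defined fields; the same review can be done mechanically across a whole log export. The script below is an added example and is not part of this wiki page or of DIBCAC guidance. It assumes a key=value record format, a required-field list taken from a hypothetical SSP, a list of shared accounts that cannot be traced to one individual, and the sample records, all of which are constructed for illustration.

```python
"""Check that audit records carry the content the SSP defines (AU.L2-3.3.1 [d])
and can be traced to an individual rather than a shared account (AU.L2-3.3.2 [b]).

Added example, not from the wiki page. Field names, the shared-account list and
the sample records are assumptions chosen for illustration.
"""
import re
from datetime import datetime

# Content a hypothetical SSP requires in every audit record (assumption).
REQUIRED_FIELDS = ("timestamp", "host", "user", "event", "outcome")

# Accounts that cannot be traced to one individual (assumption). A record
# attributed to one of these has every field yet still fails AU.L2-3.3.2.
SHARED_ACCOUNTS = {"root", "admin", "svc_backup"}

# Constructed sample records in an assumed key=value format.
SAMPLE_RECORDS = """\
timestamp=2024-03-04T10:15:02Z host=fs01 user=jdoe event=file_read outcome=success path=/cui/contract.docx
timestamp=2024-03-04T10:15:09Z host=fs01 user=root event=file_delete outcome=success path=/cui/old.pdf
timestamp=2024-03-04T10:16:44Z host=db02 user=asmith event=login outcome=failure
host=db02 user=asmith event=login outcome=success
timestamp=2024-03-04T10:17:01Z host=vpn1 user= event=session_start outcome=success
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Split one key=value record into a dict; an empty value stays an empty string."""
    return dict(KV_RE.findall(line))


def check_record(rec):
    """Return the findings for one parsed record; an empty list means compliant."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field):  # absent or empty
            findings.append(f"missing {field}")
    if rec.get("timestamp"):
        try:
            datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append("timestamp not ISO-8601 UTC")
    user = rec.get("user")
    if user and user in SHARED_ACCOUNTS:
        findings.append(f"shared account '{user}' not traceable to an individual")
    return findings


def check_records(text):
    """Map line number -> findings for every non-compliant record in text."""
    results = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        findings = check_record(parse_record(line))
        if findings:
            results[number] = findings
    return results


if __name__ == "__main__":
    for number, findings in check_records(SAMPLE_RECORDS).items():
        print(f"record {number}: {'; '.join(findings)}")
```

Run against a real export, the map of line numbers to findings is itself an artifact: it shows which records lack defined content and which actions were taken under an account that cannot be tied to a person.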


=== AU.L2-3.3.3 – Event Review ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.3_Details|'''AU.L2-3.3.3''']] Review and update logged events.
|-
| [a] a process for determining when to review logged events is defined. || Document || SSP, policy, or documented process that shows the frequency at which each type of logged event is reviewed.
|-
| [b] event types being logged are reviewed in accordance with the defined review process. || Artifact || Evidence through a documented method, such as meeting minutes or CAB minutes, that log sources and logged events are reviewed at the defined frequency.
|-
| [c] event types being logged are updated based on the review. || Artifact || Evidence that the results of the review of logged events/sources were implemented: a ticket, meeting minutes, or screen share of the tool showing the changes made (fine-tuning).
|}


=== AU.L2-3.3.4 – Audit Failure Alerting ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.4_Details|'''AU.L2-3.3.4''']] Alert in the event of an audit logging process failure.
|-
| [a] personnel or roles to be alerted in the event of an audit logging process failure are identified. || Document || SSP, policy, or procedure that shows who must be notified in case of an audit failure.
|-
| [b] types of audit logging process failures for which alert will be generated are defined. || Document || SSP, policy, or procedure that shows which types of failure generate notifications.
|-
| [c] identified personnel or roles are alerted in the event of an audit logging process failure. || Artifact || Artifact such as an email or ticket showing that the identified personnel were alerted of an audit/logging process failure as defined.
|}
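On a Linux host running auditd, the failure types in [b] and the recipient in [a] are set in /etc/audit/auditd.conf, so the configuration itself is checkable evidence. The script below is an added example, not from this wiki page: it parses an auditd.conf and reports every failure type whose configured action produces no alert, and the case where email is chosen but no recipient is set. The classification of auditd actions as alerting or silent, the weak and hardened sample configurations, and the recipient address are assumptions.

```python
"""Evaluate an auditd.conf against AU.L2-3.3.4: which audit-logging failure
types produce an alert, and whether a recipient is configured.

Added example, not from the wiki page. The alerting/silent classification and
the sample configurations are the author's assumptions.
"""

# auditd.conf keys that select the response to a logging failure.
FAILURE_KEYS = (
    "space_left_action",        # partition fell below space_left
    "admin_space_left_action",  # partition fell below admin_space_left
    "disk_full_action",         # no space left at all
    "disk_error_action",        # I/O error while writing the log
)

# Assumed classification: these actions notify someone or stop the system in a
# way that cannot go unnoticed; ignore, rotate and suspend fail silently.
ALERTING_ACTIONS = {"syslog", "email", "exec", "single", "halt"}


def parse_auditd_conf(text):
    """Parse 'key = value' lines, dropping '#' comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().lower()
    return conf


def evaluate(conf):
    """Return findings; an empty list means every failure type alerts a defined recipient."""
    findings = []
    mail_acct = conf.get("action_mail_acct", "")
    for key in FAILURE_KEYS:
        action = conf.get(key)
        if action is None:
            findings.append(f"{key} is not set (daemon default applies)")
        elif action not in ALERTING_ACTIONS:
            findings.append(f"{key}={action}: no alert is generated")
        elif action == "email" and not mail_acct:
            findings.append(f"{key}=email but action_mail_acct is not set: nobody is alerted")
    return findings


# Constructed examples: a weak configuration beside a corrected one.
WEAK_CONF = """\
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
# logging stops silently when the admin threshold is crossed
admin_space_left_action = suspend
disk_full_action = ignore
disk_error_action = ignore
"""

HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
# assumed recipient, the role named in the SSP for AU.L2-3.3.4 [a]
action_mail_acct = soc-oncall@example.com
space_left = 75
space_left_action = email
admin_space_left = 50
# drop to single-user mode / halt: a failure cannot go unnoticed
admin_space_left_action = single
disk_full_action = halt
disk_error_action = halt
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = evaluate(parse_auditd_conf(text))
        print(f"{label}: {'compliant' if not findings else '; '.join(findings)}")
```

The `single` and `halt` actions are deliberately disruptive; an organization that prefers `syslog` or `email` must then show, for [c], that the syslog destination or mailbox is actually watched by the personnel identified in [a].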


=== AU.L2-3.3.5 – Audit Correlation ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.5_Details|'''AU.L2-3.3.5''']] Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
|-
| [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. || Document || SSP, policy, or procedure covering audit logging, monitoring, and reporting.
|-
| [b] defined audit record review, analysis, and reporting processes are correlated. || Artifact || Artifact showing an audit event and the resulting corrective action(s); this can be a help desk ticket, meeting notes, or a change control board item showing the event and any corrective action taken.
|}


=== AU.L2-3.3.6 – Reduction & Reporting ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.6_Details|'''AU.L2-3.3.6''']] Provide audit record reduction and report generation to support on-demand analysis and reporting.
|-
| [a] an audit record reduction capability that supports on-demand analysis is provided. || Screen Share || Screen share of the logging environment in which an event can be selected and traced back to a specific device, or a dashboard showing real-time event analysis.
|-
| [b] a report generation capability that supports on-demand reporting is provided. || Screen Share || Screen share showing the generation of an on-demand report.
|}


=== AU.L2-3.3.7 – Authoritative Time Source ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.7_Details|'''AU.L2-3.3.7''']] Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
|-
| [a] internal system clocks are used to generate time stamps for audit records. || Screen Share || Screen share showing the NTP settings of a Windows, Unix, or Linux device; screen share showing the NTP settings of network appliances.
|-
| [b] an authoritative source with which to compare and synchronize internal system clocks is specified. || Document || SSP or policy stating that devices must be synced to a local authoritative time device that is itself synced with an authoritative time service.
|-
| [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. || Screen Share || Screen share showing that the logging appliance's time source points to the specified authoritative time server.
|}


=== AU.L2-3.3.8 – Audit Protection ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.8_Details|'''AU.L2-3.3.8''']] Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
|-
| [a] audit information is protected from unauthorized access. || Screen Share || Screen share showing operating system permissions on the audit folders restricted to the appropriate users.
|-
| [b] audit information is protected from unauthorized modification. || Screen Share || Screen share showing operating system permissions on the audit folders restricted to the appropriate users.
|-
| [c] audit information is protected from unauthorized deletion. || Screen Share || Screen share showing operating system permissions on the audit folders restricted to the appropriate users.
|-
| [d] audit logging tools are protected from unauthorized access. || Screen Share || Screen share showing access permissions in the SIEM tool.
|-
| [e] audit logging tools are protected from unauthorized modification. || Screen Share || Screen share showing update permissions in the SIEM tool.
|-
| [f] audit logging tools are protected from unauthorized deletion. || Screen Share || Screen share showing delete permissions in the SIEM tool.
|}
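The screen share of folder permissions for [a] through [c] can be backed by a repeatable check that produces the same finding for every file under the audit directory. The script below is an added example, not from this wiki page: it walks an audit log directory and reports any entry readable or writable by "other", writable by group, or a symlink (a link inside the audit tree can redirect reads or deletes elsewhere). The permission policy it encodes and the sample directory it builds are assumptions for illustration; ownership by the defined audit account is deliberately not checked here, since that requires root to set up and is better read from the screen share.

```python
"""Check file-system permissions on audit log storage (AU.L2-3.3.8 [a]-[c]).

Added example, not from the wiki page. The policy (no 'other' read/write, no
group write, no symlinks) and the sample tree are assumptions.
"""
import os
import stat
import tempfile


def audit_permissions(root):
    """Walk root and return {relative_path: [findings]} for entries with excess permissions."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode  # lstat: examine the link itself, not its target
            if stat.S_ISLNK(mode):
                findings[rel] = ["symlink inside audit storage"]
                continue
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if mode & stat.S_IWGRP:
                problems.append("group-writable")
            if problems:
                findings[rel] = problems
    return findings


def build_sample_tree():
    """Create a constructed audit directory: one compliant log, two non-compliant ones,
    and a compliant archive subdirectory. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    archive = os.path.join(root, "archive")
    os.mkdir(archive)
    os.chmod(archive, 0o700)
    for name, mode in (("audit.log", 0o600), ("audit.log.1", 0o644), ("audit.log.2", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample record\n")
        os.chmod(path, mode)  # set explicitly so the process umask does not matter
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, problems in sorted(audit_permissions(sample).items()):
        print(f"{rel}: {', '.join(problems)}")
```

Point `audit_permissions()` at the real log directory (for auditd, /var/log/audit) and keep the output with the screen share; an empty result is the condition the assessor is looking for.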


=== AU.L2-3.3.9 – Audit Management ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_AU.L2-3.3.9_Details|'''AU.L2-3.3.9''']] Limit management of audit logging functionality to a subset of privileged users.
|-
| [a] a subset of privileged users granted access to manage audit logging functionality is defined. || Document || SSP or policy indicating which users or groups are permitted to manage audit logging functionality.
|-
| [b] management of audit logging functionality is limited to the defined subset of privileged users. || Screen Share || Screen share showing SIEM or OS folder permissions (limited to the assigned users or groups); screen share showing an ACL setting in the SIEM tool governing the logs.
|}


=== CM.L2-3.4.1 – System Baselining ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.1_Details|'''CM.L2-3.4.1''']] Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
|-
| [a] a baseline configuration is established. || Document || Documentation showing or explaining the standard imaging process (how standard images are deployed and where they are stored).
|-
| [b] the baseline configuration includes hardware, software, firmware, and documentation. || Artifact || Screenshot of the repository where images are maintained and of the information relating to hardware, software, and firmware.
|-
| [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. || Artifact || Screenshot/evidence showing management of baseline configurations (how often they are reviewed, and whether they are managed as stated).
|-
| [d] a system inventory is established. || Document || Screenshot/evidence showing the inventory listing of approved products for use.
|-
| [e] the system inventory includes hardware, software, firmware, and documentation. || Artifact || Screenshot/evidence showing the inventory listing of approved products and versions permitted for use.
|-
| [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle. || Artifact || Screenshot/evidence showing management of the system inventory (how often it is reviewed, and whether it is maintained as stated).
|}


=== CM.L2-3.4.2 – Security Configuration Enforcement ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.2_Details|'''CM.L2-3.4.2''']] Establish and enforce security configuration settings for information technology products employed in organizational systems.
|-
| [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. || Document || Documentation explaining the methodology the organization uses to create secure baselines (e.g., DISA STIGs, CIS Benchmarks).
|-
| [b] security configuration settings for information technology products employed in the system are enforced. || Artifact || Evidence of the tool(s) used to enforce security configurations and ensure deployed images are free from modification unless authorized.
|}


=== CM.L2-3.4.3 – System Change Management ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.3_Details|'''CM.L2-3.4.3''']] Track, review, approve or disapprove, and log changes to organizational systems.
|-
| [a] changes to the system are tracked. || Artifact || Evidence of the IT Service Management tool/process used to track system changes.
|-
| [b] changes to the system are reviewed. || Artifact || Evidence of the IT Service Management tool/process used to review system changes.
|-
| [c] changes to the system are approved or disapproved. || Artifact || Evidence of the IT Service Management tool/process used to approve/disapprove system changes.
|-
| [d] changes to the system are logged. || Artifact || Evidence of the IT Service Management tool/process used to log system changes.
|}


=== CM.L2-3.4.4 – Security Impact Analysis ===
=== CM.L2-3.4.4 – Security Impact Analysis ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Analyze the security impact of changes prior to implementation.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_CM.L2-3.4.4_Details|'''CM.L2-3.4.4''']] Analyze the security impact of changes prior to implementation.
: [a] the security impact of changes to the system is analyzed prior to implementation.
|-
|-
|[[Practice_CM.L2-3.4.4_Details|More Practice Details...]]
| [a] the security impact of changes to the system is analyzed prior to implementation. || Artifact || Document explaining that security impact analysis of proposed changes to a system is conducted prior to implementation.
|}
|}


=== CM.L2-3.4.5 – Access Restrictions for Change ===
=== CM.L2-3.4.5 – Access Restrictions for Change ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.5_Details|'''CM.L2-3.4.5''']] Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
|-
| [a] physical access restrictions associated with changes to the system are defined. || Document || Document explaining the process of how physical access restrictions are defined for an individuals ability to make system changes.
|-
| [b] physical access restrictions associated with changes to the system are documented. || Document || Document explaining the process of how physical access restrictions are defined for an individuals ability to make system changes are documented; access request process.
|-
| [c] physical access restrictions associated with changes to the system are approved. || Artifact || Evidence of process of how physical access to systems are granted (i.e. physical access request sample).
|-
| [d] physical access restrictions associated with changes to the system are enforced. || Physical Review || Evidence of process of how physical access to systems are enforced (physical access system).
|-
| [e] logical access restrictions associated with changes to the system are defined. || Document || Document explaining the process of how logical access restrictions are defined for an individual's ability to make system changes.
|-
| [f] logical access restrictions associated with changes to the system are documented. || Document || Document explaining the process of how logical access restrictions are defined for an individual's ability to make system changes are documented.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [g] logical access restrictions associated with changes to the system are approved. || Artifact || Evidence of process of how logical access to systems are granted.
: [a] physical access restrictions associated with changes to the system are defined;
: [b] physical access restrictions associated with changes to the system are documented;
: [c] physical access restrictions associated with changes to the system are approved;
: [d] physical access restrictions associated with changes to the system are enforced;
: [e] logical access restrictions associated with changes to the system are defined;
: [f] logical access restrictions associated with changes to the system are documented;
: [g] logical access restrictions associated with changes to the system are approved; and
: [h] logical access restrictions associated with changes to the system are enforced.
|-
|-
|[[Practice_CM.L2-3.4.5_Details|More Practice Details...]]
| [h] logical access restrictions associated with changes to the system are enforced. || Artifact || Evidence of process of how logical access to systems are enforced.
|}
|}


=== CM.L2-3.4.6 – Least Functionality ===
=== CM.L2-3.4.6 – Least Functionality ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.6_Details|'''CM.L2-3.4.6''']] Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [a] essential system capabilities are defined based on the principle of least functionality. || Document || Documentation explaining how systems are configured to utilize the principle of least functionality for designated users.
: [a] essential system capabilities are defined based on the principle of least functionality; and
: [b] the system is configured to provide only the defined essential capabilities.
|-
|-
|[[Practice_CM.L2-3.4.6_Details|More Practice Details...]]
| [b] the system is configured to provide only the defined essential capabilities. || Screen Share || Evidence displaying how systems are configured to utilize the principle of least functionality for designated users; disabled service settings, accepted standards for hardening (CIS benchmarks, etc.).
|}
|}


=== CM.L2-3.4.7 – Nonessential Functionality ===
=== CM.L2-3.4.7 – Nonessential Functionality ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.7_Details|'''CM.L2-3.4.7''']] Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
|-
| [a] essential programs are defined. || Document || Documented essential programs specified; build documents; software center; SSP.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [b] the use of nonessential programs is defined. || Document || Documented listing of nonessential programs (whatever is NOT specified in [a]); AUP/User Agreement may identify nonessential use/programs.
: [a] essential programs are defined;
: [b] the use of nonessential programs is defined;
: [c] the use of nonessential programs is restricted, disabled, or prevented as defined;
: [d] essential functions are defined;
: [e] the use of nonessential functions is defined;
: [f] the use of nonessential functions is restricted, disabled, or prevented as defined;
: [g] essential ports are defined;
: [h] the use of nonessential ports is defined;
: [i] the use of nonessential ports is restricted, disabled, or prevented as defined;
: [j] essential protocols are defined;
: [k] the use of nonessential protocols is defined;
: [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
: [m] essential services are defined;
: [n] the use of nonessential services is defined; and
: [o] the use of nonessential services is restricted, disabled, or prevented as defined.
|-
|-
|[[Practice_CM.L2-3.4.7_Details|More Practice Details...]]
| [c] the use of nonessential programs is restricted, disabled, or prevented as defined. || Screen Share || Tool used to restrict nonessential programs displays restrictions as defined (McAfee ePO settings, Carbon Black rules, etc.).
|-
| [d] essential functions are defined. || Document || Documented essential functions are specified.
|-
| [e] the use of nonessential functions is defined. || Document || Documented nonessential functions are specified.
|-
| [f] the use of nonessential functions is restricted, disabled, or prevented as defined. || Screen Share || Tool used to restrict essential/nonessential functions displays restrictions as defined.
|-
| [g] essential ports are defined. || Document || Documented essential ports are specified.
|-
| [h] the use of nonessential ports is defined. || Document || Documented nonessential ports functions are specified.
|-
| [i] the use of nonessential ports is restricted, disabled, or prevented as defined. || Screen Share || Tool used to restrict essential/nonessential ports displays restrictions as defined (FW rules; McAfee; GPO, etc.).
|-
| [j] essential protocols are defined. || Document || Documented essential protocols are specified.
|-
| [k] the use of nonessential protocols is defined. || Document || Documented nonessential protocols functions are specified.
|-
| [l] the use of nonessential protocols is restricted, disabled, or prevented as defined. || Screen Share || Tool used to restrict essential/nonessential protocols displays restrictions as defined (FW rules; GPO, etc.).
|-
| [m] essential services are defined. || Document || Documented essential services specified.
|-
| [n] the use of nonessential services is defined. || Document || Documented nonessential services functions are specified.
|-
| [o] the use of nonessential services is restricted, disabled, or prevented as defined. || Screen Share || Tool used to restrict essential/nonessential services displays restrictions as defined.
|}
|}


=== CM.L2-3.4.8 – Application Execution Policy ===
=== CM.L2-3.4.8 – Application Execution Policy ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.8_Details|'''CM.L2-3.4.8''']] Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
|-
| [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. || Document || Documentation explaining whitelisting or blacklisting process.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. || Document || Documentation explaining whitelisting or blacklisting process for software.
: [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
: [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
: [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
|-
|-
|[[Practice_CM.L2-3.4.8_Details|More Practice Details...]]
| [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. || Screen Share || Tool used for whitelisting or blacklisting for software shows capability of restricting/authorizing software (Carbon Black dashboard, "SW Store", web proxies, DNS Blackhole, etc.).
|}
|}


=== CM.L2-3.4.9 – User-Installed Software ===
=== CM.L2-3.4.9 – User-Installed Software ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Control and monitor user-installed software.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CM.L2-3.4.9_Details|'''CM.L2-3.4.9''']] Control and monitor user-installed software.
|-
| [a] a policy for controlling the installation of software by users is established. || Document || Documented software authorization process or methodology for approval.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [b] installation of software by users is controlled based on the established policy. || Screen Share || Evidence that approval/restriction in installation of software by authorized personnel is implemented as specified (AUP, GPO, etc.).
: [a] a policy for controlling the installation of software by users is established;
: [b] installation of software by users is controlled based on the established policy; and
: [c] installation of software by users is monitored.
|-
|-
|[[Practice_CM.L2-3.4.9_Details|More Practice Details...]]
| [c] installation of software by users is monitored. || Screen Share || Evidence that installation of software by authorized personnel is monitored (SCCM groups, SW Center, etc.).
|}
|}
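Review bot: in the CM.L2-3.4.4 table the [a] row lists the Collection Approach as Artifact, but its Evidence Example is "Document explaining that security impact analysis of proposed changes to a system is conducted prior to implementation"; either change the approach to Document or give a true artifact example (a completed impact analysis record for a sample change) so the two columns agree. CM.L2-3.4.6 [a] has the same mismatch in the other direction: the objective is that essential capabilities are defined, yet the example ("Documentation explaining how systems are configured to utilize the principle of least functionality...") describes the enforcement evidence already used for [b]; the [a] example should point at the document that actually defines the essential capabilities. Wording fixes in CM.L2-3.4.5: "an individuals ability" should read "an individual's ability" in rows [a] and [b] (rows [e] and [f] already have it right), and the [b] example "Document explaining the process of how physical access restrictions are defined ... are documented" has two main verbs; "Document recording the physical access restrictions that govern an individual's ability to make system changes; access request process" would do. In CM.L2-3.4.7 the [h], [k] and [n] examples carry a stray "functions" ("Documented nonessential ports functions are specified").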


Line 601: Line 710:
=== IA.L2-3.5.1 – Identification [CUI Data] ===
=== IA.L2-3.5.1 – Identification [CUI Data] ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Identify information system users, processes acting on behalf of users, or devices.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.1_Details|'''IA.L2-3.5.1''']] Identify information system users, processes acting on behalf of users, or devices.
: [a] system users are identified;
: [b] processes acting on behalf of users are identified; and
: [c] devices accessing the system are identified.
|-
|-
|[[Practice_IA.L2-3.5.1_Details|More Practice Details...]]
| [a] system users are identified. || Document || Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of non-privileged/privileged users in AD OU group (overlaps with 3.1.1 and 3.1.5).
|-
| [b] processes acting on behalf of users are identified. || Screen Share || Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of service accounts in AD OU group (overlaps with 3.1.1 and 3.1.5).
|-
| [c] devices accessing the system are identified. || Screen Share || Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of domain-joined workstation & servers in AD OU group (overlaps with 3.1.1 and 3.1.5).  For network devices, request screen share/artifact to show how they are identified on the enterprise network.
|}
|}


=== IA.L2-3.5.2 – Authentication [CUI Data] ===
=== IA.L2-3.5.2 – Authentication [CUI Data] ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_IA.L2-3.5.2_Details|'''IA.L2-3.5.2''']] Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
|-
| [a] the identity of each user is authenticated or verified as a prerequisite to system access. || Screen Share || If the user logs in with non-privileged account during other demoes and then a privileged account, then this should be satisfied.  If screen share is unavailable, request logs to show successful and unsuccessful login by privileged and non-privilged users.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. || Screen Share || Request a log that shows successful/unsuccessful service account trying to log on to company's asset.
: [a] the identity of each user is authenticated or verified as a prerequisite to system access;
: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
|-
|-
|[[Practice_IA.L2-3.5.2_Details|More Practice Details...]]
| [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. || Screen Share || Request a log that shows domain-joined workstation/server authenticating to AD (focus on the MAC/IP address/hostname).
|}
|}


=== IA.L2-3.5.3 – Multifactor Authentication ===
=== IA.L2-3.5.3 – Multifactor Authentication ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_IA.L2-3.5.3_Details|'''IA.L2-3.5.3''']] Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
|-
| [a] privileged accounts are identified. || Screen Share|| Based on what is defined in their documentation, request to see a sample of privileged users in AD OU group.  Overlaps with 3.1.5.  Screenshot/screen share to show implementation is enforced.
|-
| [b] multifactor authentication is implemented for local access to privileged accounts. || Document || SSP, AUP, Policy, SOP that defines that MFA is needed for privileged local access.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [c] multifactor authentication is implemented for network access to privileged accounts. || Screen Share || Within the MFA implementation mechanism, show that privileged users are forced to use MFA; Screenshot/Screen share to show implementation is enforced.
: [a] privileged accounts are identified;
: [b] multifactor authentication is implemented for local access to privileged accounts;
: [c] multifactor authentication is implemented for network access to privileged accounts; and
: [d] multifactor authentication is implemented for network access to non-privileged accounts.
|-
|-
|[[Practice_IA.L2-3.5.3_Details|More Practice Details...]]
| [d] multifactor authentication is implemented for network access to non-privileged accounts. || Screen Share || Within the MFA implementation mechanism, show that non-privileged users are forced to use MFA; Screenshot/Screen share to show implementation is enforced.
|}
|}


=== IA.L2-3.5.4 – Replay-Resistant Authentication ===
=== IA.L2-3.5.4 – Replay-Resistant Authentication ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.4_Details|'''IA.L2-3.5.4''']] Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
: [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
|-
|-
|[[Practice_IA.L2-3.5.4_Details|More Practice Details...]]
| [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. || Screen Share || Show the GPO setting that enforces Kerberos within AD. If MFA is used, show the implementation to enforce replay resistant techniques. For non-windows, show the technical solution to enforce replay resistant attacks.
|}
|}


=== IA.L2-3.5.5 – Identifier Reuse ===
=== IA.L2-3.5.5 – Identifier Reuse ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Prevent reuse of identifiers for a defined period.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_IA.L2-3.5.5_Details|'''IA.L2-3.5.5''']] Prevent reuse of identifiers for a defined period.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [a] a period within which identifiers cannot be reused is defined. || Document || SSP, policies, or SOP that defines identifier reuse.
: [a] a period within which identifiers cannot be reused is defined; and
: [b] reuse of identifiers is prevented within the defined period.
|-
|-
|[[Practice_IA.L2-3.5.5_Details|More Practice Details...]]
| [b] reuse of identifiers is prevented within the defined period. || Screen Share || Show the GPO setting/technical solution that enforces what is defined in policy/documentation (this can be automated or manual process; screen share/artifacts can be presented to satisfy this requirement.
|}
|}


=== IA.L2-3.5.6 – Identifier Handling ===
=== IA.L2-3.5.6 – Identifier Handling ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Disable identifiers after a defined period of inactivity.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.6_Details|'''IA.L2-3.5.6''']] Disable identifiers after a defined period of inactivity.
: [a] a period of inactivity after which an identifier is disabled is defined; and
: [b] identifiers are disabled after the defined period of inactivity.
|-
|-
|[[Practice_IA.L2-3.5.6_Details|More Practice Details...]]
| [a] a period of inactivity after which an identifier is disabled is defined. || Document || SSP, policy that defines the period of inactivity after which an identifier is disabled.
|-
| [b] identifiers are disabled after the defined period of inactivity. || Screen Share || Screen share AD or similar tool supporting directory-based identity-related services for disabled accounts (can be done by hand or script).
|}
|}


=== IA.L2-3.5.7 – Password Complexity ===
=== IA.L2-3.5.7 – Password Complexity ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Enforce a minimum password complexity and change of characters when new passwords are created.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.7_Details|'''IA.L2-3.5.7''']] Enforce a minimum password complexity and change of characters when new passwords are created.
: [a] password complexity requirements are defined;
: [b] password change of character requirements are defined;
: [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
: [d] minimum password change of character requirements as defined are enforced when new passwords are created.
|-
|-
|[[Practice_IA.L2-3.5.7_Details|More Practice Details...]]
| [a] password complexity requirements are defined. || Document || SSP, policy that defines password complexity requirements.
|-
| [b] password change of character requirements are defined. || Document || SSP, policy that defines change of character requirements are defined.
|-
| [c] minimum password complexity requirements as defined are enforced when new passwords are created. || Screen Share || Screen share of AD or similar directory-based identity-related service tool to show complexity requirements.
|-
| [d] minimum password change of character requirements as defined are enforced when new passwords are created. || Screen Share || Screen share of Group Policy configuration or similar tool providing centralized management and configuration of operating systems, applications, and users' settings to show that characters must be changed.
|}
|}


=== IA.L2-3.5.8 – Password Reuse ===
=== IA.L2-3.5.8 – Password Reuse ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Prohibit password reuse for a specified number of generations.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.8_Details|'''IA.L2-3.5.8''']] Prohibit password reuse for a specified number of generations.
: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
|-
|-
|[[Practice_IA.L2-3.5.8_Details|More Practice Details...]]
| [a] the number of generations during which a password cannot be reused is specified. || Document || SSP, policy that specifies the number of generations during which a password cannot be reused is specified.
|-
| [b] reuse of passwords is prohibited during the specified number of generations. || Screen Share || Screen share Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration to show reuse of passwords is prohibited.
|}
|}


=== IA.L2-3.5.9 – Temporary Passwords ===
=== IA.L2-3.5.9 – Temporary Passwords ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Allow temporary password use for system logons with an immediate change to a permanent password.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.9_Details|'''IA.L2-3.5.9''']] Allow temporary password use for system logons with an immediate change to a permanent password.
: [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
|-
|-
|[[Practice_IA.L2-3.5.9_Details|More Practice Details...]]
| [a] an immediate change to a permanent password is required when a temporary password is used for system logon. || Screen Share || Screen share of Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration to show "change password at first logon."
|}
|}


=== IA.L2-3.5.10 – Cryptographically-Protected Passwords ===
=== IA.L2-3.5.10 – Cryptographically-Protected Passwords ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Store and transmit only cryptographically-protected passwords.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.1_Details|'''IA.L2-3.5.1''']] Store and transmit only cryptographically-protected passwords.
: [a] passwords are cryptographically protected in storage; and
: [b] passwords are cryptographically protected in transit.
|-
|-
|[[Practice_IA.L2-3.5.10_Details|More Practice Details...]]
| [a] passwords are cryptographically protected in storage. || Screen Share || Screen share Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration that Kerberos, or a similar network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner, is enabled.
|-
| [b] passwords are cryptographically protected in transit. || Screen Share || Screen share Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration that Kerberos, or a similar network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner, is enabled.
|}
|}


=== IA.L2-3.5.11 – Obscure Feedback ===
=== IA.L2-3.5.11 – Obscure Feedback ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Obscure feedback of authentication information.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| colspan="3" | [[Practice_IA.L2-3.5.10_Details|'''IA.L2-3.5.10''']] Obscure feedback of authentication information.
: [a] authentication information is obscured during the authentication process.
|-
|-
|[[Practice_IA.L2-3.5.11_Details|More Practice Details...]]
| [a] authentication information is obscured during the authentication process. || Screen Share || Screen share of Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration to show that passwords are obscured.
|}
|}
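Review bot: the practice-id rows of the last two tables are mislinked: the IA.L2-3.5.10 table's colspan row links to Practice_IA.L2-3.5.1_Details and is labelled IA.L2-3.5.1, and the IA.L2-3.5.11 table's colspan row links to Practice_IA.L2-3.5.10_Details and is labelled IA.L2-3.5.10; each should carry its own section's id, as the "More Practice Details..." links in those same tables already do. In IA.L2-3.5.10 the [a] (storage) and [b] (transit) rows share one evidence example about Kerberos being enabled; a ticket-based network authentication protocol addresses protection in transit, so [a] needs its own example of how stored passwords are protected (the directory's password-storage settings rather than the authentication protocol). Smaller points: IA.L2-3.5.5 [b] opens a parenthesis "(this can be automated or manual process; ..." that is never closed; IA.L2-3.5.4 [a] says "enforce replay resistant attacks" where "prevent replay attacks" is meant; IA.L2-3.5.2 [a] has "demoes" and "non-privilged"; IA.L2-3.5.7 [b] and IA.L2-3.5.8 [a] end their examples with a duplicated "are defined" / "is specified".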


Line 736: Line 860:
=== IR.L2-3.6.1 – Incident Handling ===
=== IR.L2-3.6.1 – Incident Handling ===
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
! style="width: 35%"| '''Assessment Objectives'''
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_IR.L2-3.6.1_Details|'''IR.L2-3.6.1''']] Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
|-
| [a] an operational incident-handling capability is established. || Document || Incident Response SOP/Plan.
|-
| [b] the operational incident-handling capability includes preparation. || Document || Incident Response SOP/Plan, prior incident report, training, COOP plan.
|-
| [c] the operational incident-handling capability includes detection. || Document || Incident Response SOP/Plan; definition of tools used to detect; artifacts showing tools used; prior incident report.
|-
| [d] the operational incident-handling capability includes analysis. || Document || Incident Response SOP/Plan; Definition of tools used to analyze potential incidents; artifacts showing tools used for analysis; prior incident report.
|-
| [e] the operational incident-handling capability includes containment. || Document || Incident Response SOP/Plan; isolation/quarantine process; user training.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
| [f] the operational incident-handling capability includes recovery. || Document || Incident Response SOP/Plan; COOP Plan; prior incident reports, re-baselining impacted devices.
: [a] an operational incident-handling capability is established;
: [b] the operational incident-handling capability includes preparation;
: [c] the operational incident-handling capability includes detection;
: [d] the operational incident-handling capability includes analysis;
: [e] the operational incident-handling capability includes containment;
: [f] the operational incident-handling capability includes recovery; and
: [g] the operational incident-handling capability includes user response
|-
|-
|[[Practice_IR.L2-3.6.1_Details|More Practice Details...]]
| [g] the operational incident-handling capability includes user response. || Document || Incident Response SOP/Plan; user awareness training; Help Desk process.
 
|}
|}


=== IR.L2-3.6.2 – Incident Reporting ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_IR.L2-3.6.2_Details|'''IR.L2-3.6.2''']] Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
|-
| [a] incidents are tracked. || Artifact || Incident Response SOP/Plan; ITSM (ticketing) artifact; technical implementation of incident tracking.
|-
| [b] incidents are documented. || Artifact || Incident Response SOP/Plan; ITSM artifact; technical implementation of incident tracking.
|-
| [c] authorities to whom incidents are to be reported are identified. || Document || Incident Response SOP/Plan naming the external authorities (for DoD contractors, DFARS 252.204-7012 requires cyber incidents to be reported to DoD through DIBNET within 72 hours of discovery).
|-
| [d] organizational officials to whom incidents are to be reported are identified. || Document || Incident Response SOP/Plan naming the internal officials.
|-
| [e] identified authorities are notified of incidents. || Screen Share || Prior incident reports; demonstration of DIBNET login (reporting requires a DoD-approved medium assurance certificate, so confirm it is in place before an incident); prior email notifications.
|-
| [f] identified organizational officials are notified of incidents. || Artifact || Prior incident reports; prior email notifications; tabletop exercise records.
|}


=== IR.L2-3.6.3 – Incident Response Testing ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_IR.L2-3.6.3_Details|'''IR.L2-3.6.3''']] Test the organizational incident response capability.
|-
| [a] the incident response capability is tested. || Artifact || Records of an incident response tabletop exercise, a scheduled or unscheduled test, or a penetration test used to exercise the response process.
|}


=== MA.L2-3.7.1 – Perform Maintenance ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MA.L2-3.7.1_Details|'''MA.L2-3.7.1''']] Perform maintenance on organizational systems.
|-
| [a] system maintenance is performed. || Artifact || Establish the typical maintenance activities performed (HVAC, UPS, power distribution, generators, copier maintenance); maintenance agreements or contracts detailing these activities are acceptable; interview responses should be considered. This requirement should not be confused with 3.14.1 (identify, report, and correct system flaws in a timely manner, i.e., patch management).
|}


=== MA.L2-3.7.2 – System Maintenance Control ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MA.L2-3.7.2_Details|'''MA.L2-3.7.2''']] Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
|-
| [a] tools used to conduct system maintenance are controlled. || Artifact || Tools largely depend on the assessed environment; discussion examples include network diagnostic and monitoring tools (hardware and software); artifacts could show secured locations/areas for these tools (photos) or check-out sheets/rosters (documents) listing the responsible personnel and the dates/times of check-out.
|-
| [b] techniques used to conduct system maintenance are controlled. || Artifact || Processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system.
|-
| [c] mechanisms used to conduct system maintenance are controlled. || Artifact || Processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system.
|-
| [d] personnel used to conduct system maintenance are controlled. || Physical Review || Screenshot or list of who is authorized to conduct maintenance; maintenance personnel training program.
|}


=== MA.L2-3.7.3 – Equipment Sanitization ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MA.L2-3.7.3_Details|'''MA.L2-3.7.3''']] Ensure equipment removed for off-site maintenance is sanitized of any CUI.
|-
| [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. || Artifact || Document or artifact recording whether equipment was sanitized before removal; categories of sanitization/destruction defined (e.g., the NIST SP 800-88 clear/purge/destroy levels); sanitization procedure document.
|}


=== MA.L2-3.7.4 – Media Inspection ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MA.L2-3.7.4_Details|'''MA.L2-3.7.4''']] Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
|-
| [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. || Artifact || Screenshot of the anti-malware scan applied to diagnostic/test media before use (e.g., Symantec or McAfee on-access scans).
|}


=== MA.L2-3.7.5 – Nonlocal Maintenance ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MA.L2-3.7.5_Details|'''MA.L2-3.7.5''']] Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
|-
| [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. || Screen Share || Description of the MFA used when maintainers connect from an external network to organizational systems, and a screenshot of the MFA prompt (overlaps with IA.L2-3.5.3, where scoring is tied to MFA on privileged/administrator access).
|-
| [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. || Screen Share || Screenshot of VPN/remote-session timeout settings; session log showing the maintenance connection was terminated when the work was complete.
|}


=== MA.L2-3.7.6 – Maintenance Personnel ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MA.L2-3.7.6_Details|'''MA.L2-3.7.6''']] Supervise the maintenance activities of maintenance personnel without required access authorization.
|-
| [a] maintenance personnel without required access authorization are supervised during maintenance activities. || Document || System maintenance policy; list of authorized personnel; maintenance records or contracts/SLAs; observation or recording of a supervised session (e.g., WebEx) for remote maintenance.
|}


=== MP.L2-3.8.1 – Media Protection ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.1_Details|'''MP.L2-3.8.1''']] Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
|-
| [a] paper media containing CUI is physically controlled. || Document || Policy showing CUI paper media is controlled; artifact showing who has access; artifacts/records of inventories conducted; media check-out procedures (e.g., locked file cabinets).
|-
| [b] digital media containing CUI is physically controlled. || Document || Policy showing CUI digital media is controlled; artifact showing who has access; artifacts/records of inventories conducted; media check-out procedures (e.g., locked cabinets for external drives and USB devices; encryption; password protection).
|-
| [c] paper media containing CUI is securely stored. || Physical Review || Check-out/sign-out sheets; photo of the storage container or video walkthrough of the storage area; badge reader logs or access lists for keys to secured areas; interview responses considered (e.g., locked file cabinets).
|-
| [d] digital media containing CUI is securely stored. || Physical Review || Check-out/sign-out sheets; photo of the storage container or video walkthrough of the storage area; badge reader logs or access lists for keys to secured areas; interview responses considered (e.g., locked cabinets for external drives and USB devices; encryption; password protection).
|}


=== MP.L2-3.8.2 – Media Access ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.2_Details|'''MP.L2-3.8.2''']] Limit access to CUI on system media to authorized users.
|-
| [a] access to CUI on system media is limited to authorized users. || Artifact || Document describing how access to CUI on media is limited AND an artifact showing the principle of least privilege is implemented.
|}


=== MP.L2-3.8.3 – Media Disposal [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.3_Details|'''MP.L2-3.8.3''']] Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
|-
| [a] system media containing CUI is sanitized or destroyed before disposal. || Document || Policy or artifact such as media destruction logs; certificates of destruction; SLAs or contracts with the destruction vendor.
|-
| [b] system media containing CUI is sanitized before it is released for reuse. || Document || Policy or artifact describing the sanitization method (e.g., NIST SP 800-88 clear/purge) and the software or service used (e.g., Blancco, DBAN, GDisk, ShredIt; destruction vendors such as Iron Mountain).
|}


=== MP.L2-3.8.4 – Media Markings ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.4_Details|'''MP.L2-3.8.4''']] Mark media with necessary CUI markings and distribution limitations.
|-
| [a] media containing CUI is marked with applicable CUI markings. || Physical Review || Document or artifact showing CUI markings (e.g., labeling standards).
|-
| [b] media containing CUI is marked with distribution limitations. || Physical Review || Document or artifact showing distribution limitations (e.g., labeling standards).
|}


=== MP.L2-3.8.5 – Media Accountability ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.5_Details|'''MP.L2-3.8.5''']] Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
|-
| [a] access to media containing CUI is controlled. || Document || Policy; artifact of audit logs showing tracking; access control lists; records of transport activities (e.g., for USB drives, CDs) including chain of custody.
|-
| [b] accountability for media containing CUI is maintained during transport outside of controlled areas. || Artifact || Artifact of audit logs showing tracking; access control lists; records of transport activities (e.g., for USB drives, CDs) including chain-of-custody forms.
|}


=== MP.L2-3.8.6 – Portable Storage Encryption ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.6_Details|'''MP.L2-3.8.6''']] Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
|-
| [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. || Artifact || Artifact showing the cryptographic mechanism used (is it FIPS 140-validated? see SC.L2-3.13.11), e.g., BitLocker, McAfee drive encryption; artifact showing what alternative physical safeguards are in place where encryption is not used.
|}
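
The "is it FIPS-validated?" question in the row above is usually answered with a screenshot. The PowerShell script below, added here as an example and not part of the CMMC Toolkit page or any DIBCAC material, produces the same evidence as a timestamped CSV for every volume on the host and flags removable volumes that BitLocker is not protecting. It assumes a Windows 10/11 or Windows Server host with the BitLocker and Storage PowerShell modules, an elevated session, and the output location shown (an assumption).

```powershell
#Requires -RunAsAdministrator
# Added example: collect BitLocker and FIPS-mode evidence for MP.L2-3.8.6.
# Not part of the CMMC Toolkit page or any DIBCAC material. Assumes Windows with the
# BitLocker and Storage modules; the output path below is an assumption.

Import-Module BitLocker -ErrorAction Stop

function Get-FipsPolicyEnabled {
    # "System cryptography: Use FIPS compliant algorithms..." writes Enabled=1 here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($val -eq 1)
}

function Get-MediaEncryptionEvidence {
    $fips = Get-FipsPolicyEnabled

    # Map "C:" -> Fixed/Removable so BitLocker To Go volumes can be told apart.
    $driveTypes = @{}
    foreach ($v in Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Za-z]$' }) {
        $driveTypes["$($v.DriveLetter):"] = [string]$v.DriveType
    }

    foreach ($bv in Get-BitLockerVolume) {
        $type       = $driveTypes[$bv.MountPoint]
        $protection = [string]$bv.ProtectionStatus          # On / Off
        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            Collected            = (Get-Date).ToString('s')
            MountPoint           = $bv.MountPoint
            DriveType            = $type
            VolumeStatus         = [string]$bv.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus     = $protection
            EncryptionMethod     = [string]$bv.EncryptionMethod  # XtsAes256, Aes128, None, ...
            KeyProtectors        = (($bv.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';')
            FipsModeEnabled      = $fips
            # Removable volume with protection off: a candidate finding unless an
            # alternative physical safeguard is documented for that media.
            RemovableUnprotected = ($type -eq 'Removable' -and $protection -ne 'On')
        }
    }
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$outFile = Join-Path $env:TEMP "MP-3.8.6-$env:COMPUTERNAME-$stamp.csv"   # assumed location

$evidence = Get-MediaEncryptionEvidence
$evidence | Format-Table MountPoint, DriveType, VolumeStatus, ProtectionStatus,
                         EncryptionMethod, FipsModeEnabled, RemovableUnprotected -AutoSize
$evidence | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Evidence written to $outFile"
```

Run it during the screen share with the USB drive attached so the BitLocker To Go volume appears in the output. FipsModeEnabled only shows that the policy switch is on; the CMVP certificate for the cryptographic modules of that Windows build is still needed to answer the SC.L2-3.13.11 question.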


=== MP.L2-3.8.7 – Removable Media ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.7_Details|'''MP.L2-3.8.7''']] Control the use of removable media on system components.
|-
| [a] the use of removable media on system components is controlled. || Artifact || Policy stating whether removable media is allowed and whether writable removable media is restricted; tracking artifacts; tools used (e.g., Carbon Black, CrowdStrike, Group Policy, ManageEngine Desktop Central); procedure/process for lost media; mechanisms that control/restrict removable media (e.g., Active Directory groups and a Group Policy artifact showing the restriction).
|}


=== MP.L2-3.8.8 – Shared Media ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.8_Details|'''MP.L2-3.8.8''']] Prohibit the use of portable storage devices when such devices have no identifiable owner.
|-
| [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. || Artifact || Policy and/or artifact showing the company's stance on portable storage devices with no identifiable owner (are personal USB devices allowed, or only company-issued devices?); artifact showing alerts when an unknown device (e.g., an external HDD) is connected, from tools such as Carbon Black, CrowdStrike, Group Policy, ManageEngine Desktop Central.
|}
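
The "Group Policy artifact showing the restriction" for MP.L2-3.8.7 and the "tracking artifact" for MP.L2-3.8.8 can both be pulled from the endpoint registry. The script below is an added example (not from the CMMC Toolkit page or DIBCAC) that dumps the effective Removable Storage Access policy values and every USB mass-storage device the host has ever enumerated. It assumes a domain- or Intune-managed Windows endpoint, an elevated session, and output paths that are my own choice; the class GUID table is the set used by RemovableStorage.admx as I recall it and should be checked against your ADMX before relying on the class labels.

```powershell
#Requires -RunAsAdministrator
# Added example: collect removable-media evidence for MP.L2-3.8.7 and MP.L2-3.8.8.
# Not part of the CMMC Toolkit page or any DIBCAC material. Assumes a managed Windows
# endpoint. The class GUIDs are those used by the "Removable Storage Access" policy
# (RemovableStorage.admx) as restated here; verify them against your ADMX files.

$classNames = @{
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
    '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}' = 'Tape Drives'
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD Devices'
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'WPD Devices'
}

function Get-RemovableStoragePolicy {
    # Evidence for 3.8.7[a]: the Deny_* values Group Policy or Intune wrote to the registry.
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        if (-not (Test-Path $root)) {
            [pscustomobject]@{ Hive = $hive; Class = '(none)'; Setting = 'no policy present'; Value = $null }
            continue
        }
        $denyAll = (Get-ItemProperty -Path $root -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        [pscustomobject]@{ Hive = $hive; Class = 'All classes'; Setting = 'Deny_All'; Value = $denyAll }
        foreach ($sub in Get-ChildItem -Path $root) {
            $guid  = $sub.PSChildName
            $class = if ($classNames.ContainsKey($guid)) { $classNames[$guid] } else { $guid }
            $props = Get-ItemProperty -Path $sub.PSPath
            foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                if ($null -ne $props.$name) {
                    [pscustomobject]@{ Hive = $hive; Class = $class; Setting = $name; Value = $props.$name }
                }
            }
        }
    }
}

function Get-UsbStorageHistory {
    # Evidence for 3.8.7/3.8.8 tracking: every USB mass-storage device Windows has ever
    # enumerated leaves a key here, keyed by vendor/product and then by serial number.
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return }
    foreach ($dev in Get-ChildItem -Path $usbstor) {           # Disk&Ven_xxx&Prod_yyy&Rev_zzz
        foreach ($inst in Get-ChildItem -Path $dev.PSPath) {   # one subkey per serial number
            $p = Get-ItemProperty -Path $inst.PSPath
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Device       = $dev.PSChildName
                Serial       = $inst.PSChildName
                FriendlyName = $p.FriendlyName
            }
        }
    }
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$policy = Get-RemovableStoragePolicy
$usb    = Get-UsbStorageHistory

$policy | Format-Table -AutoSize
$usb    | Format-Table -AutoSize

# Output locations are an assumption; adjust to the assessment evidence folder.
$policy | Export-Csv -Path (Join-Path $env:TEMP "MP-3.8.7-policy-$env:COMPUTERNAME-$stamp.csv") -NoTypeInformation
if ($usb) {
    $usb | Export-Csv -Path (Join-Path $env:TEMP "MP-3.8.8-usbstor-$env:COMPUTERNAME-$stamp.csv") -NoTypeInformation
}
```

The registry shows what policy wrote, not that the policy is still being applied, so pair the CSV with a `gpresult /h` report from the same host. USBSTOR entries persist after a device is unplugged; they answer "has an unowned device ever been connected" rather than "is one connected now", which `Get-PnpDevice -Class DiskDrive -PresentOnly` answers. Controls enforced by third-party agents (Carbon Black, CrowdStrike) do not appear here and need an export from the vendor console.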


=== MP.L2-3.8.9 – Protect Backups ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_MP.L2-3.8.9_Details|'''MP.L2-3.8.9''']] Protect the confidentiality of backup CUI at storage locations.
|-
| [a] the confidentiality of backup CUI is protected at storage locations. || Artifact || Policy on system backups; artifact showing media labeling; artifact showing encryption (is it FIPS 140-validated? see SC.L2-3.13.11); access control list artifact (e.g., for backup tapes, Tivoli Storage Manager).
|}


=== PS.L2-3.9.1 – Screen Individuals ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PS.L2-3.9.1_Details|'''PS.L2-3.9.1''']] Screen individuals prior to authorizing access to organizational systems containing CUI.
|-
| [a] individuals are screened prior to authorizing access to organizational systems containing CUI. || Artifact || Screenshot of records of screened personnel/background checks.
|}


=== PS.L2-3.9.2 – Personnel Actions ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PS.L2-3.9.2_Details|'''PS.L2-3.9.2''']] Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
|-
| [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. || Document || Personnel security policy/procedures/instruction; access control policy/procedure/instruction.
|-
| [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer. || Artifact || Screenshot of records of personnel transfer and termination actions (e.g., account disable dates alongside the HR action dates).
|-
| [c] the system is protected during and after personnel transfer actions. || Artifact || Completed out-processing checklist.
|}


=== PE.L2-3.10.1 – Limit Physical Access [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PE.L2-3.10.1_Details|'''PE.L2-3.10.1''']] Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
|-
| [a] authorized individuals allowed physical access are identified. || Artifact || Authorized personnel (names) access list.
|-
| [b] physical access to organizational systems is limited to authorized individuals. || Physical Review || Badge reader logs, audit logs, and/or card swipe test.
|-
| [c] physical access to equipment is limited to authorized individuals. || Physical Review || Badge reader logs, audit logs, and/or card swipe test.
|-
| [d] physical access to operating environments is limited to authorized individuals. || Physical Review || Badge reader logs, audit logs, and/or card swipe test.
|}


=== PE.L2-3.10.2 – Monitor Facility ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PE.L2-3.10.2_Details|'''PE.L2-3.10.2''']] Protect and monitor the physical facility and support infrastructure for organizational systems.
|-
| [a] the physical facility where organizational systems reside is protected. || Physical Review || Physical security measures and barriers into the physical facility (cameras, locks, gates, guards, etc.).
|-
| [b] the support infrastructure for organizational systems is protected. || Physical Review || Physical barriers to entry into computer spaces, server rooms, etc.
|-
| [c] the physical facility where organizational systems reside is monitored. || Physical Review || Audit logs and a description of how the physical facility is monitored (cameras, access system, guards, etc.).
|-
| [d] the support infrastructure for organizational systems is monitored. || Physical Review || Audit logs and a description of how the support infrastructure is monitored (cameras, access system, guards, etc.).
|}


=== PE.L2-3.10.3 – Escort Visitors [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PE.L2-3.10.3_Details|'''PE.L2-3.10.3''']] Escort visitors and monitor visitor activity.
|-
| [a] visitors are escorted. || Physical Review || Policy/procedures/instruction on the methodology for handling non-authorized personnel (entry to exit).
|-
| [b] visitor activity is monitored. || Physical Review || Policy/procedures/instruction on the methodology for handling non-authorized personnel (entry to exit).
|}


=== PE.L2-3.10.4 – Physical Access Logs [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PE.L2-3.10.4_Details|'''PE.L2-3.10.4''']] Maintain audit logs of physical access.
|-
| [a] audit logs of physical access are maintained. || Artifact || Log or report from badging system.
|}


=== PE.L2-3.10.5 – Manage Physical Access [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PE.L2-3.10.5_Details|'''PE.L2-3.10.5''']] Control and manage physical access devices.
|-
| [a] physical access devices are identified. || Document || Description of physical access control systems, guard force contract/policy, key locks, logical system specifications, etc.
|-
| [b] physical access devices are controlled. || Physical Review || Inventory records of physical access control devices (e.g., keys, locks, card readers).
|-
| [c] physical access devices are managed. || Physical Review || List of security safeguards controlling access to the facility (e.g., cameras, monitoring by guards, isolation of IT system equipment and/or system components).
|}


=== PE.L2-3.10.6 – Alternative Work Sites ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_PE.L2-3.10.6_Details|'''PE.L2-3.10.6''']] Enforce safeguarding measures for CUI at alternate work sites.
|-
| [a] safeguarding measures for CUI are defined for alternate work sites. || Document || Telework agreement; acceptable use policy and SOP for alternate work locations; validation of user security training covering physical/logical/technical protection of systems at alternate work sites.
|-
| [b] safeguarding measures for CUI are enforced for alternate work sites. || Artifact || Monitoring/audit log of user activity; logical/physical/technical mechanisms in place to preclude unauthorized activity; signed telework agreement and acceptable use policy.
|}


=== RA.L2-3.11.1 – Risk Assessments ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_RA.L2-3.11.1_Details|'''RA.L2-3.11.1''']] Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
|-
| [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. || Document || Risk assessment policy.
|-
| [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. || Artifact || Copy of last risk assessment done within defined frequency.
|}


=== RA.L2-3.11.2 – Vulnerability Scan ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_RA.L2-3.11.2_Details|'''RA.L2-3.11.2''']] Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
|-
| [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined. || Document || Policy/procedures/instruction addressing vulnerability scanning records.
|-
| [b] vulnerability scans are performed on organizational systems with the defined frequency. || Screen Share || System configuration settings of vulnerability scanning scheduling and vulnerability scan results of systems within defined frequency.
|-
| [c] vulnerability scans are performed on applications with the defined frequency. || Screen Share || System configuration settings of vulnerability scanning scheduling and vulnerability scan results of applications within defined frequency.
|-
| [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified. || Screen Share || View signatures in scanning tool/ad hoc scan performed as a result.
|-
| [e] vulnerability scans are performed on applications when new vulnerabilities are identified. || Screen Share || View signatures in scanning tool/ad hoc scan performed as a result.
|}


=== RA.L2-3.11.3 – Vulnerability Remediation ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_RA.L2-3.11.3_Details|'''RA.L2-3.11.3''']] Remediate vulnerabilities in accordance with risk assessments.
|-
| [a] vulnerabilities are identified. || Artifact || Scan results showing vulnerabilities identified.
|-
| [b] vulnerabilities are remediated in accordance with risk assessments. || Artifact || Screenshot/document of scan results of remediated vulnerabilities in accordance with risk assessments.
|}


=== CA.L2-3.12.1 – Security Control Assessment ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CA.L2-3.12.1_Details|'''CA.L2-3.12.1''']] Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
|-
| [a] the frequency of security control assessments is defined. || Document || SSP.
|-
| [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application. || Artifact || Copy of last security control assessment done within defined frequency.
|}


=== CA.L2-3.12.2 – Operational Plan of Action ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CA.L2-3.12.2_Details|'''CA.L2-3.12.2''']] Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
|-
| [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified. || Artifact || Plan of Action (POA).
|-
| [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. || Artifact || Plan of Action (POA).
|-
| [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. || Artifact || Plan of Action (POA)/previously completed POAs.
|}


=== CA.L2-3.12.3 – Security Control Monitoring ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CA.L2-3.12.3_Details|'''CA.L2-3.12.3''']] Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
|-
| [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. || Artifact || Collection of risk assessment results, internal or third-party audits/security assessments and/or continuous monitoring reports/alerts (SIEM tool, etc.).
|}


=== CA.L2-3.12.4 – System Security Plan ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_CA.L2-3.12.4_Details|'''CA.L2-3.12.4''']] Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
|-
| [a] a system security plan is developed. || Document || SSP.
|-
| [b] the system boundary is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [c] the system environment of operation is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [d] the security requirements identified and approved by the designated authority as non-applicable are identified. || Document || SSP and required adjudication from DoD CIO.
|-
| [e] the method of security requirement implementation is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [f] the relationship with or connection to other systems is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [g] the frequency to update the system security plan is defined. || Document || SSP.
|-
| [h] system security plan is updated with the defined frequency. || Document || SSP/any previous versions.
|}


=== SC.L2-3.13.1 – Boundary Protection [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.1_Details|'''SC.L2-3.13.1''']] Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
|-
| [a] the external system boundary is defined. || Document || SSP, network diagrams, CUI flow, cloud provider FedRAMP Moderate.
|-
| [b] key internal system boundaries are defined. || Document || SSP, network diagrams, CUI flow.
|-
| [c] communications are monitored at the external system boundary. || Screen Share || SSP, logging server, boundary device configurations, monitoring policy.
|-
| [d] communications are monitored at key internal boundaries. || Screen Share || SSP, logging server, boundary device configurations, monitoring policy.
|-
| [e] communications are controlled at the external system boundary. || Screen Share || SSP, boundary device configurations, ACL, subnets, DMZ.
|-
| [f] communications are controlled at key internal boundaries. || Screen Share || SSP, boundary device configurations, ACL, subnets.
|-
| [g] communications are protected at the external system boundary. || Screen Share || Configurations for IPS/IDS, email gateway, VLAN, proxy, firewall, malware protection, DNS, TLS.
|-
| [h] communications are protected at key internal boundaries. || Screen Share || Configurations for IPS/IDS, VLAN, firewall, malware protection, SSL.
|}


=== SC.L2-3.13.2 – Security Engineering ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.2_Details|'''SC.L2-3.13.2''']] Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
|-
| [a] architectural designs that promote effective information security are identified. || Document || SSP, config management policy, network diagram, CCB minutes, enterprise architecture process.
|-
| [b] software development techniques that promote effective information security are identified. || Document || SSP, config management policy, SDLC, CCB minutes.
|-
| [c] systems engineering principles that promote effective information security are identified. || Document || SSP, config management policy, CCB minutes, security architecture engineering.
|-
| [d] identified architectural designs that promote effective information security are employed. || Artifact || CCB minutes, Network diagrams and configurations, Project Plans.
|-
| [e] identified software development techniques that promote effective information security are employed. || Artifact || CCB minutes, SDLC, code scanner results, code management tracking.
|-
| [f] identified systems engineering principles that promote effective information security are employed. || Artifact || CCB minutes, configuration management, ITSM, patch management, lifecycle replacement processes.
|}


=== SC.L2-3.13.3 – Role Separation ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.3_Details|'''SC.L2-3.13.3''']] Separate user functionality from system management functionality.
|-
| [a] user functionality is identified. || Document || SSP, AUP.
|-
| [b] system management functionality is identified. || Document || SSP, Privileged Account Agreement.
|-
| [c] user functionality is separated from system management functionality. || Screen Share || Active Directory, Jump Boxes, GPO, VM, RDP.
|}


=== SC.L2-3.13.4 – Shared Resource Control ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.4_Details|'''SC.L2-3.13.4''']] Prevent unauthorized and unintended information transfer via shared system resources.
|-
| [a] unauthorized and unintended information transfer via shared system resources is prevented. || Screen Share || SSP, OS configurations, Linux containers, system/media reuse policies, certificate management policies, media destruction policies, printer configs, VDI configuration.
|}


=== SC.L2-3.13.5 – Public-Access System Separation [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.5_Details|'''SC.L2-3.13.5''']] Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
|-
| [a] publicly accessible system components are identified. || Document || SSP, network diagram, DMZ inventory/roles.
|-
| [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. || Artifact || Network diagram, IPAM, VLAN, DHCP, DMZ.
|}


=== SC.L2-3.13.6 – Network Communication by Exception ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.6_Details|'''SC.L2-3.13.6''']] Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
|-
| [a] network communications traffic is denied by default. || Screen Share || Host and network firewall rules, SIEM logs, hit counts.
|-
| [b] network communications traffic is allowed by exception. || Screen Share || Host and network firewall rules, SIEM logs, hit counts.
|}


=== SC.L2-3.13.7 – Split Tunneling ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.7_Details|'''SC.L2-3.13.7''']] Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
|-
| [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). || Screen Share || VPN appliance/server configuration, endpoint VPN software configuration.
|}


=== SC.L2-3.13.8 – Data in Transit ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.8_Details|'''SC.L2-3.13.8''']] Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
|-
| [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. || Document || SSP, PKI policies, configuration processes, config management, email attachment encryption policy, removable media policy, data at rest policy.
|-
| [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. || Document || SSP, physical security policy.
|-
| [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. || Screen Share || TLS settings, SSL settings, VPN/Wireless Access Points/Mobile Devices cryptographic settings, ODBC connector settings, SAN configuration, IPSec/MPLS, backup configuration, physical security.
|}


=== SC.L2-3.13.9 – Connections Termination ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.9_Details|'''SC.L2-3.13.9''']] Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
|-
| [a] a period of inactivity to terminate network connections associated with communications sessions is defined. || Document || SSP, network communications policy.
|-
| [b] network connections associated with communications sessions are terminated at the end of the sessions. || Screen Share || VPN appliance/server logs, VPN configurations, web server configurations, firewall connection settings.
|-
| [c] network connections associated with communications sessions are terminated after the defined period of inactivity. || Screen Share || VPN appliance/server logs, VPN configurations, web server configurations, firewall connection settings.
|}


=== SC.L2-3.13.10 – Key Management ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.10_Details|'''SC.L2-3.13.10''']] Establish and manage cryptographic keys for cryptography employed in organizational systems.
|-
| [a] cryptographic keys are established whenever cryptography is employed. || Artifact || SSP, PKI/certificate management policy, configuration management.
|-
| [b] cryptographic keys are managed whenever cryptography is employed. || Artifact || SSP, PKI/certificate management policy, configuration management, access control policy.
|}


=== SC.L2-3.13.11 – CUI Encryption ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.11_Details|'''SC.L2-3.13.11''']] Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
|-
| [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI. || Screen Share || VPN, wireless, mobile devices, client certificates, server certificates, disk encryption, Outlook plugin, external mail, backup media, ePO server, removable storage, SAN, file compression; look for FIPS mode enabled on appliances.
|}


=== SC.L2-3.13.12 – Collaborative Device Control ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.12_Details|'''SC.L2-3.13.12''']] Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
|-
| [a] collaborative computing devices are identified. || Document || SSP, network diagrams.
|-
| [b] collaborative computing devices provide indication to users of devices in use. || Physical Review || Physical inspection of device.
|-
| [c] remote activation of collaborative computing devices is prohibited. || Screen Share || Collaboration device configuration/console.
|}


=== SC.L2-3.13.13 – Mobile Code ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.13_Details|'''SC.L2-3.13.13''']] Control and monitor the use of mobile code.
|-
| [a] use of mobile code is controlled. || Screen Share || GPO settings, malware protection, software agent configurations, software development policies, code scanners, MDM configuration, firewall/secure web gateway/proxy config.
|-
| [b] use of mobile code is monitored. || Screen Share || SIEM/console monitoring.
|}


=== SC.L2-3.13.14 – Voice over Internet Protocol ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.14_Details|'''SC.L2-3.13.14''']] Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
|-
| [a] use of Voice over Internet Protocol (VoIP) technologies is controlled. || Artifact || VLAN, ACL, firewall config, VoIP gateway/condenser configuration.
|-
| [b] use of Voice over Internet Protocol (VoIP) technologies is monitored. || Artifact || SIEM/VoIP console monitoring, session border controller.
|}


=== SC.L2-3.13.15 – Communications Authenticity ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.15_Details|'''SC.L2-3.13.15''']] Protect the authenticity of communications sessions.
|-
| [a] the authenticity of communications sessions is protected. || Screen Share || SSL, TLS, SMB3, SFTP, IPSec, SSH, Kerberos configs, MPLS, Network Access Control.
|}


=== SC.L2-3.13.16 – Data at Rest ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SC.L2-3.13.16_Details|'''SC.L2-3.13.16''']] Protect the confidentiality of CUI at rest.
|-
| [a] the confidentiality of CUI at rest is protected. || Artifact || Full disk encryption, removable media encryption, SAN encryption, digital backups, mobile device encryption, third party offsite backup storage, cloud virtualization encryption, physical media storage policies.
|}


=== SI.L2-3.14.1 – Flaw Remediation [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.1_Details|'''SI.L2-3.14.1''']] Identify, report, and correct information and information system flaws in a timely manner.
|-
| [a] the time within which to identify system flaws is specified. || Document || SSP, patch management policy.
|-
| [b] system flaws are identified within the specified time frame. || Screen Share || Vulnerability management scanner output and scan policy configuration.
|-
| [c] the time within which to report system flaws is specified. || Document || SSP, patch management policy.
|-
| [d] system flaws are reported within the specified time frame. || Screen Share || ITSM/trouble tickets, vulnerability management scanner output.
|-
| [e] the time within which to correct system flaws is specified. || Document || SSP, patch management policy.
|-
| [f] system flaws are corrected within the specified time frame. || Screen Share || Vulnerability management scanner output and scan policy configuration.
|}


=== SI.L2-3.14.2 – Malicious Code Protection [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.2_Details|'''SI.L2-3.14.2''']] Provide protection from malicious code at appropriate locations within organizational information systems.
|-
| [a] designated locations for malicious code protection are identified. || Document || SSP, system protection policy, network diagrams, security architecture documents.
|-
| [b] protection from malicious code at designated locations is provided. || Screen Share || Endpoint security settings, email/web proxy gateways, firewall, IPS sensor, MDM configuration, Network Access Control.
|}


=== SI.L2-3.14.3 – Security Alerts & Advisories ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.3_Details|'''SI.L2-3.14.3''']] Monitor system security alerts and advisories and take action in response.
|-
| [a] response actions to system security alerts and advisories are identified. || Document || SSP, vulnerability management policy, Incident Response Plan.
|-
| [b] system security alerts and advisories are monitored. || Artifact || Threat intelligence subscriptions, email advisories.
|-
| [c] actions in response to system security alerts and advisories are taken. || Artifact || ITSM/trouble tickets, user notifications, updates to firewall/IPS, etc.
|}


=== SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.4_Details|'''SI.L2-3.14.4''']] Update malicious code protection mechanisms when new releases are available.
|-
| [a] malicious code protection mechanisms are updated when new releases are available. || Screen Share || Antivirus console dashboard, firewall AV, email gateway signatures, proxy, IPS updates.
|}


=== SI.L2-3.14.5 – System & File Scanning [CUI Data] ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.5_Details|'''SI.L2-3.14.5''']] Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
|-
| [a] the frequency for malicious code scans is defined. || Document || SSP, vulnerability management policy.
|-
| [b] malicious code scans are performed with the defined frequency. || Screen Share || Consoles for AV (endpoints, servers, and file shares), firewall, email gateway, proxy, IPS, MDM configurations.
|-
| [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. || Screen Share || Consoles for AV (endpoints, servers, and file shares), firewall, email gateway, proxy, IPS, MDM configurations.
|}


=== SI.L2-3.14.6 – Monitor Communications for Attacks ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.6_Details|'''SI.L2-3.14.6''']] Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
|-
| [a] the system is monitored to detect attacks and indicators of potential attacks. || Screen Share || Firewall, IPS, endpoint protection, SIEM alerts and reports.
|-
| [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks. || Screen Share || Firewall, IPS, endpoint protection, SIEM alerts and reports.
|-
| [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks. || Screen Share || Firewall, IPS, endpoint protection, SIEM alerts and reports.
|}


=== SI.L2-3.14.7 – Identify Unauthorized Use ===
{|class="wikitable"
! style="width: 35%"| '''Assessment Objectives'''
! style="width: 15%"| '''Collection Approach'''
! style="width: 50%"| '''Evidence Examples'''
|-
| colspan="3" | [[Practice_SI.L2-3.14.7_Details|'''SI.L2-3.14.7''']] Identify unauthorized use of organizational systems.
|-
| [a] authorized use of the system is defined. || Document || AUP, SSP.
|-
| [b] unauthorized use of the system is identified. || Artifact || SIEM logs, endpoint protection console, IPS, Firewall.
|}

== Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 ==
''Certified CMMC Assessor (CCA)''

{|class="wikitable"
! style="width: 80%"| '''Assessment Objectives'''
! style="width: 20%"| '''Collection Approach'''
|-
| colspan="2" | '''AC.L1-3.1.1''' Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
|-
| [c] devices (and other systems) authorized to connect to the system are identified. || Document
|-
| [e] system access is limited to processes acting on behalf of authorized users. || Screen Share
|-
| [f] system access is limited to authorized devices (including other systems). || Screen Share
|-
| colspan="2" | '''AC.L1-3.1.2''' Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
|-
| [a] the types of transactions and functions that authorized users are permitted to execute are defined. || Document
|-
| [b] system access is limited to the defined types of transactions and functions for authorized users. || Screen Share
|-
| Additional: HR policy or procedure discussing account creation process. || Document
|-
| colspan="2" | '''AC.L2-3.1.3''' Control the flow of CUI in accordance with approved authorizations.
|-
| [a] information flow control policies are defined. || Document
|-
| [b] methods and enforcement mechanisms for controlling the flow of CUI are defined. || Document
|-
| [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. || Artifact
|-
| [d] authorizations for controlling the flow of CUI are defined. || Document
|-
| [e] approved authorizations for controlling the flow of CUI are enforced. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.4''' Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
|-
| [a] the duties of individuals requiring separation are defined. || Document
|-
| [b] responsibilities for duties that require separation are assigned to separate individuals. || Screen Share
|-
| [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.5''' Employ the principle of least privilege, including for specific security functions and privileged accounts.
|-
| [a] privileged accounts are identified. || Document
|-
| [b] access to privileged accounts is authorized in accordance with the principle of least privilege. || Artifact
|-
| [c] security functions are identified. || Document
|-
| [d] access to security functions is authorized in accordance with the principle of least privilege. || Artifact
|-
| Additional: Policy or procedure showing the separation of duties for general users and admin users. || Document
|-
| colspan="2" | '''AC.L2-3.1.6''' Use non-privileged accounts or roles when accessing nonsecurity functions.
|-
| [a] nonsecurity functions are identified. || Document
|-
| [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.7''' Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
|-
| [a] privileged functions are defined. || Document
|-
| [b] non-privileged users are defined. || Document
|-
| [c] non-privileged users are prevented from executing privileged functions. || Screen Share
|-
| [d] the execution of privileged functions is captured in audit logs. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.8''' Limit unsuccessful logon attempts.
|-
| [a] the means of limiting unsuccessful logon attempts are defined. || Document
|-
| [b] the defined means of limiting unsuccessful logon attempts is implemented. || Artifact
|-
| colspan="2" | '''AC.L2-3.1.9''' Provide privacy and security notices consistent with applicable CUI rules.
|-
| [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. || Document
|-
| [b] privacy and security notices are displayed. || Artifact
|-
| colspan="2" | '''AC.L2-3.1.10''' Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
|-
| [a] the period of inactivity after which the system initiates a session lock is defined. || Document
|-
| [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. || Artifact
|-
| [c] previously visible information is concealed via a pattern hiding display after the defined period of inactivity. || Document
|-
| colspan="2" | '''AC.L2-3.1.11''' Terminate (automatically) a user session after a defined condition.
|-
| [a] conditions requiring a user session to terminate are defined. || Document
|-
| [b] a user session is automatically terminated after any of the defined conditions occur. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.12''' Monitor and control remote access sessions.
|-
| [a] remote access sessions are permitted. || Document
|-
| [b] the types of permitted remote access are identified. || Document
|-
| [c] remote access sessions are controlled. || Screen Share
|-
| [d] remote access sessions are monitored. || Screen Share
|-
| Additional: Policy or procedure for setting up remote access. || Document
|-
| colspan="2" | '''AC.L2-3.1.13''' Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
|-
| [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. || Document
|-
| [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.14''' Route remote access via managed access control points.
|-
| [a] managed access control points are identified and implemented. || Screen Share
|-
| [b] remote access is routed through managed network access control points. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.15''' Authorize remote execution of privileged commands and remote access to security-relevant information.
|-
| [a] privileged commands authorized for remote execution are identified. || Document
|-
| [b] security-relevant information authorized to be accessed remotely is identified. || Document
|-
| [c] the execution of the identified privileged commands via remote access is authorized. || Artifact
|-
| [d] access to the identified security-relevant information via remote access is authorized. || Artifact
|-
| colspan="2" | '''AC.L2-3.1.16''' Authorize wireless access prior to allowing such connections.
|-
| [a] wireless access points are identified. || Document
|-
| [b] wireless access is authorized prior to allowing such connections. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.17''' Protect wireless access using authentication and encryption.
|-
| [a] wireless access to the system is protected using authentication. || Screen Share
|-
| [b] wireless access to the system is protected using encryption. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.18''' Control connection of mobile devices.
|-
| [a] mobile devices that process, store, or transmit CUI are identified. || Document
|-
| [b] mobile device connections are authorized. || Artifact
|-
| [c] mobile device connections are monitored and logged. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.19''' Encrypt CUI on mobile devices and mobile computing platforms.
|-
| [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. || Document
|-
| [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. || Screen Share
|-
| colspan="2" | '''AC.L1-3.1.20''' Verify and control/limit connections to and use of external information systems.
|-
| [a] connections to external systems are identified. || Document
|-
| [b] the use of external systems is identified. || Document
|-
| [c] connections to external systems are verified. || Artifact
|-
| [d] the use of external systems is verified. || Artifact
|-
| [e] connections to external systems are controlled/limited. || Screen Share
|-
| [f] the use of external systems is controlled/limited. || Screen Share
|-
| colspan="2" | '''AC.L2-3.1.21''' Limit use of portable storage devices on external systems.
|-
| [a] the use of portable storage devices containing CUI on external systems is identified and documented. || Document
|-
| [b] limits on the use of portable storage devices containing CUI on external systems are defined. || Document
|-
| [c] the use of portable storage devices containing CUI on external systems is limited as defined. || Document
|-
| colspan="2" | '''AC.L1-3.1.22''' Control information posted or processed on publicly accessible information systems.
|-
| [a] individuals authorized to post or process information on publicly accessible systems are identified. || Document
|-
| [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified. || Document
|-
| [c] a review process is in place prior to posting of any content to publicly accessible systems. || Artifact
|-
| [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI. || Artifact
|-
| [e] mechanisms are in place to remove and address improper posting of FCI. || Artifact
|-
| colspan="2" | '''AT.L2-3.2.1''' Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
|-
| [a] security risks associated with organizational activities involving CUI are identified. || Document
|-
| [b] policies, standards, and procedures related to the security of the system are identified. || Document
|-
| [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. || Artifact
|-
| [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. || Artifact
|-
| colspan="2" | '''AT.L2-3.2.2''' Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities.
|-
| [a] information security-related duties, roles, and responsibilities are defined. || Document
|-
| [b] information security-related duties, roles, and responsibilities are assigned to designated personnel. || Artifact
|-
| [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. || Artifact
|-
| colspan="2" | '''AT.L2-3.2.3''' Provide security awareness training on recognizing and reporting potential indicators of insider threat.
|-
| [a] potential indicators associated with insider threats are identified. || Document
|-
| [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. || Artifact
|-
| colspan="2" | '''AU.L2-3.3.1''' Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
|-
| [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. || Document
|-
| [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. || Document
|-
| [c] audit records are created (generated). || Screen Share
|-
| [d] audit records, once created, contain the defined content. || Screen Share
|-
| [e] retention requirements for audit records are defined. || Document
|-
| [f] audit records are retained as defined. || Screen Share
|-
| colspan="2" | '''AU.L2-3.3.2''' Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
|-
| [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. || Document
|-
| [b] audit records, once created, contain the defined content. || Screen Share
|-
| colspan="2" | '''AU.L2-3.3.3''' Review and update logged events.
|-
| [a] a process for determining when to review logged events is defined. || Document
|-
| [b] event types being logged are reviewed in accordance with the defined review process. || Artifact
|-
| [c] event types being logged are updated based on the review. || Artifact
|-
| colspan="2" | '''AU.L2-3.3.4''' Alert in the event of an audit logging process failure.
|-
| [a] personnel or roles to be alerted in the event of an audit logging process failure are identified. || Document
|-
| [b] types of audit logging process failures for which alert will be generated are defined. || Document
|-
| [c] identified personnel or roles are alerted in the event of an audit logging process failure. || Artifact
|-
| colspan="2" | '''AU.L2-3.3.5''' Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
|-
| [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. || Document
|-
| [b] defined audit record review, analysis, and reporting processes are correlated. || Artifact
|-
| colspan="2" | '''AU.L2-3.3.6''' Provide audit record reduction and report generation to support on-demand analysis and reporting.
|-
| [a] an audit record reduction capability that supports on-demand analysis is provided. || Screen Share
|-
| [b] a report generation capability that supports on-demand reporting is provided. || Screen Share
|-
| colspan="2" | '''AU.L2-3.3.7''' Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
|-
| [a] internal system clocks are used to generate time stamps for audit records. || Screen Share
|-
| [b] an authoritative source with which to compare and synchronize internal system clocks is specified. || Document
|-
| [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. || Screen Share
|-
| colspan="2" | '''AU.L2-3.3.8''' Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
|-
| [a] audit information is protected from unauthorized access. || Screen Share
|-
| [b] audit information is protected from unauthorized modification. || Screen Share
|-
| [c] audit information is protected from unauthorized deletion. || Screen Share
|-
| [d] audit logging tools are protected from unauthorized access. || Screen Share
|-
| [e] audit logging tools are protected from unauthorized modification. || Screen Share
|-
| [f] audit logging tools are protected from unauthorized deletion. || Screen Share
|-
| colspan="2" | '''AU.L2-3.3.9''' Limit management of audit logging functionality to a subset of privileged users.
|-
| [a] a subset of privileged users granted access to manage audit logging functionality is defined. || Document
|-
| [b] management of audit logging functionality is limited to the defined subset of privileged users. || Screen Share
|-
| colspan="2" | '''CM.L2-3.4.1''' Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
|-
| [a] a baseline configuration is established. || Document
|-
| [b] the baseline configuration includes hardware, software, firmware, and documentation. || Artifact
|-
| [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. || Artifact
|-
| [d] a system inventory is established. || Document
|-
| [e] the system inventory includes hardware, software, firmware, and documentation. || Artifact
|-
| [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle. || Artifact
|-
| colspan="2" | '''CM.L2-3.4.2''' Establish and enforce security configuration settings for information technology products employed in organizational systems.
|-
| [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. || Document
|-
| [b] security configuration settings for information technology products employed in the system are enforced. || Artifact
|-
| colspan="2" | '''CM.L2-3.4.3''' Track, review, approve or disapprove, and log changes to organizational systems.
|-
| [a] changes to the system are tracked. || Artifact
|-
| [b] changes to the system are reviewed. || Artifact
|-
| [c] changes to the system are approved or disapproved. || Artifact
|-
| [d] changes to the system are logged. || Artifact
|-
| colspan="2" | '''CM.L2-3.4.4''' Analyze the security impact of changes prior to implementation.
|-
| [a] the security impact of changes to the system is analyzed prior to implementation. || Artifact
|-
| colspan="2" | '''CM.L2-3.4.5''' Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
|-
| [a] physical access restrictions associated with changes to the system are defined. || Document
|-
| [b] physical access restrictions associated with changes to the system are documented. || Document
|-
| [c] physical access restrictions associated with changes to the system are approved. || Artifact
|-
| [d] physical access restrictions associated with changes to the system are enforced. || Physical Review
|-
| [e] logical access restrictions associated with changes to the system are defined. || Document
|-
| [f] logical access restrictions associated with changes to the system are documented. || Document
|-
| [g] logical access restrictions associated with changes to the system are approved. || Artifact
|-
| [h] logical access restrictions associated with changes to the system are enforced. || Artifact
|-
| colspan="2" | '''CM.L2-3.4.6''' Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
|-
| [a] essential system capabilities are defined based on the principle of least functionality. || Document
|-
| [b] the system is configured to provide only the defined essential capabilities. || Screen Share
|-
| colspan="2" | '''CM.L2-3.4.7''' Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
|-
| [a] essential programs are defined. || Document
|-
| [b] the use of nonessential programs is defined. || Document
|-
| [c] the use of nonessential programs is restricted, disabled, or prevented as defined. || Screen Share
|-
| [d] essential functions are defined. || Document
|-
| [e] the use of nonessential functions is defined. || Document
|-
| [f] the use of nonessential functions is restricted, disabled, or prevented as defined. || Screen Share
|-
| [g] essential ports are defined. || Document
|-
| [h] the use of nonessential ports is defined. || Document
|-
| [i] the use of nonessential ports is restricted, disabled, or prevented as defined. || Screen Share
|-
| [j] essential protocols are defined. || Document
|-
| [k] the use of nonessential protocols is defined. || Document
|-
| [l] the use of nonessential protocols is restricted, disabled, or prevented as defined. || Screen Share
|-
| [m] essential services are defined. || Document
|-
| [n] the use of nonessential services is defined. || Document
|-
| [o] the use of nonessential services is restricted, disabled, or prevented as defined. || Screen Share
|-
| colspan="2" | '''CM.L2-3.4.8''' Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
|-
| [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. || Document
|-
| [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. || Document
|-
| [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. || Screen Share
|-
| colspan="2" | '''CM.L2-3.4.9''' Control and monitor user-installed software.
|-
| [a] a policy for controlling the installation of software by users is established. || Document
|-
| [b] installation of software by users is controlled based on the established policy. || Screen Share
|-
| [c] installation of software by users is monitored. || Screen Share
|-
| colspan="2" | '''IA.L1-3.5.1''' Identify information system users, processes acting on behalf of users, or devices.
|-
| [a] system users are identified. || Document
|-
| [b] processes acting on behalf of users are identified. || Document
|-
| [c] devices accessing the system are identified. || Document
|-
| colspan="2" | '''IA.L1-3.5.2''' Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
|-
| [a] the identity of each user is authenticated or verified as a prerequisite to system access. || Screen Share
|-
| [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. || Screen Share
|-
| [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. || Screen Share
|-
| colspan="2" | '''IA.L2-3.5.3''' Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
|-
| [a] privileged accounts are identified. || Document
|-
| [b] multifactor authentication is implemented for local access to privileged accounts. || Screen Share
|-
| [c] multifactor authentication is implemented for network access to privileged accounts. || Screen Share
|-
| [d] multifactor authentication is implemented for network access to non-privileged accounts. || Screen Share
|-
| colspan="2" | '''IA.L2-3.5.4''' Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
|-
| [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. || Screen Share
|-
| colspan="2" | '''IA.L2-3.5.5''' Prevent reuse of identifiers for a defined period.
|-
| [a] a period within which identifiers cannot be reused is defined. || Document
|-
| [b] reuse of identifiers is prevented within the defined period. || Artifact
|-
| colspan="2" | '''IA.L2-3.5.6''' Disable identifiers after a defined period of inactivity.
|-
| [a] a period of inactivity after which an identifier is disabled is defined. || Document
|-
| [b] identifiers are disabled after the defined period of inactivity. || Artifact
|-
| colspan="2" | '''IA.L2-3.5.7''' Enforce a minimum password complexity and change of characters when new passwords are created.
|-
| [a] password complexity requirements are defined. || Document
|-
| [b] password change of character requirements are defined. || Document
|-
| [c] minimum password complexity requirements as defined are ||
|}

{|class="wikitable"
! style="width: 80%"| '''Assessment Objectives'''
! style="width: 20%"| '''Collection Approach'''
|-
| [a] passwords are cryptographically protected in storage. || Screen Share
|-
| [b] passwords are cryptographically protected in transit. || Screen Share
|}
Screen Share
enforced when new passwords are created.
[d] minimum password change of character requirements as defined
Screen Share
are enforced when new passwords are created.
IA.L2-3.5.8 Prohibit password reuse for a specified number of generations.
[a] the number of generations during which a password cannot be
Document
reused is specified.
[b] reuse of passwords is prohibited during the specified number of
Screen Share
generations.
IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a
permanent password.
[a] an immediate change to a permanent password is required when a
Screen Share
temporary password is used for system logon.
IA.L2-3.5.10 Store and transmit only cryptographically-protected passwords.
IA.L2-3.5.11 Obscure feedback of authentication information.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  | 
[a] an operational incident-handling capability is established. Document [b] the operational incident-handling capability includes preparation. Document [c] the operational incident-handling capability includes detection. Document [d] the operational incident-handling capability includes analysis. Document [e] the operational incident-handling capability includes containment. Document [f] the operational incident-handling capability includes recovery. Document
CertifiedCMMCAssessor(CCA)  | 
[a] incidents are tracked. Artifact
[a] authentication information is obscured during the authentication
Screen Share
[b] incidents are documented. Artifact
process.
[c] authorities to whom incidents are to be reported are identified. Document [e] identified authorities are notified of incidents. Screen Share
IR.L2-3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
[f] identified organizational officials are notified of incidents. Artifact [a] the incident response capability is tested. Artifact
[g] the operational incident-handling capability includes user response
Document
activities.
[a] system maintenance is performed. Artifact
IR.L2-3.6.2 Track, document, and report incidents to designated officials and/or authorities both
internal and external to the organization.
[a] tools used to conduct system maintenance are controlled. Artifact
[d] organizational officials to whom incidents are to be reported are
Document
identified.
IR.L2-3.6.3 Test the organizational incident response capability.
MA.L2-3.7.1 Perform maintenance on organizational systems.
MA.L2-3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  | 
[b] techniques used to conduct system maintenance are controlled. Artifact [c] mechanisms used to conduct system maintenance are controlled. Artifact
[d] personnel used to conduct system maintenance are controlled. Physical Review
  |  Certified CMMC Assessor (CCA)
MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. [a] equipment to be removed from organizational spaces for off-site
Artifact
maintenance is sanitized of any CUI.
MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the
media are used in organizational systems.
[a] media containing diagnostic and test programs are checked for
Artifact
malicious code before being used in organizational systems that
[a] paper media containing CUI is physically controlled. Document
process, store, or transmit CUI.
[b] digital media containing CUI is physically controlled. Document [c] paper media containing CUI is securely stored. Physical Review
MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via
[d] digital media containing CUI is securely stored. Physical Review
external network connections and terminate such connections when nonlocal maintenance is
complete.
[a] multifactor authentication is used to establish nonlocal
Screen Share
[a] access to CUI on system media is limited to authorized users. Artifact
maintenance sessions via external network connections.
[b] nonlocal maintenance sessions established via external network
Screen Share
connections are terminated when nonlocal maintenance is complete.
MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required
access authorization.
[a] maintenance personnel without required access authorization are
Document
supervised during maintenance activities.
MP.L2-3.8.1 Protect (i.e., physically control and securely store) system media containing CUI,
both paper and digital.
MP.L2-3.8.2 Limit access to CUI on system media to authorized users.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  | 
[a] media containing CUI is marked with applicable CUI markings. Physical Review
[b] media containing CUI is marked with distribution limitations. Physical Review
[a] access to media containing CUI is controlled. Document
CertifiedCMMCAssessor(CCA)  | 
MP.L1-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
[a] system media containing FCI is sanitized or destroyed before
Document
disposal.
[b] system media containing FCI is sanitized before it is released for
Document
reuse.
[a] the use of removable media on system components is controlled. Artifact
MP.L2-3.8.4 Mark media with necessary CUI markings and distribution limitations.
MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
[a] the confidentiality of backup CUI is protected at storage locations. Artifact
[b] accountability for media containing CUI is maintained during
Artifact
transport outside of controlled areas.
MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
[a] the confidentiality of CUI stored on digital media is protected
Artifact
during transport using cryptographic mechanisms or alternative
physical safeguards.
MP.L2-3.8.7 Control the use of removable media on system components.
MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
[a] the use of portable storage devices is prohibited when such devices
Artifact
have no identifiable owner.
MP.L2-3.8.9 Protect the confidentiality of backup CUI at storage locations.
PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  | 
[c] the system is protected during and after personnel transfer actions. Artifact [a] authorized individuals allowed physical access are identified. Artifact
  |  Certified CMMC Assessor (CCA)
[c] physical access to equipment is limited to authorized individuals. Physical Review
[a] individuals are screened prior to authorizing access to
Artifact
organizational systems containing CUI.
PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after
personnel actions such as terminations and transfers.
[a] a policy and/or process for terminating system access and any
Document
credentials coincident with personnel actions is established.
[b] the support infrastructure for organizational systems is protected. Physical Review
[b] system access and credentials are terminated consistent with
Artifact
personnel actions such as termination or transfer.
[d] the support infrastructure for organizational systems is monitored. Physical Review
PE.L1-3.10.1 Limit physical access to organizational information systems, equipment, and the
[a] visitors are escorted. Physical Review
respective operating environments to authorized individuals.
[b] visitor activity is monitored. Physical Review
[b] physical access to organizational systems is limited to authorized
Physical Review
individuals.
[a] audit logs of physical access are maintained. Artifact
[d] physical access to operating environments is limited to authorized
Physical Review
individuals.
PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for
organizational systems.
[a] the physical facility where organizational systems reside is
Physical Review
protected.
[c] the physical facility where organizational systems reside is
Physical Review
monitored.
PE.L1-3.10.3 Escort visitors and monitor visitor activity.
PE.L1-3.10.4 Maintain audit logs of physical access.
PE.L1-3.10.5 Control and manage physical access devices.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  | 
[a] physical access devices are identified. Document [b] physical access devices are controlled. Physical Review
[c] physical access devices are managed. Physical Review
[a] safeguarding measures for CUI are defined for alternate work sites. Document
CertifiedCMMCAssessor(CCA)  | 
PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.
[b] safeguarding measures for CUI are enforced for alternate work
Artifact
sites.
RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation
of organizational systems and the associated processing, storage, or transmission of CUI. [a] the frequency to assess risk to organizational operations,
Document
organizational assets, and individuals is defined.
[a] vulnerabilities are identified. Artifact
[b] risk to organizational operations, organizational assets, and
Artifact
[b] vulnerabilities are remediated in accordance with risk assessments. Artifact
individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
[a] the frequency to scan for vulnerabilities in organizational systems
Document
and applications is defined.
[b] vulnerability scans are performed on organizational systems with
Screen Share
the defined frequency.
[c] vulnerability scans are performed on applications with the defined
Screen Share
frequency.
[d] vulnerability scans are performed on organizational systems when
Screen Share
new vulnerabilities are identified.
[e] vulnerability scans are performed on applications when new
Screen Share
vulnerabilities are identified.
RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  | 
[a] the frequency of security control assessments is defined. Document
  |  Certified CMMC Assessor (CCA)
CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if thecontrols are effective in their application.
[b] security controls are assessed with the defined frequency to Artifact
[a] a system security plan is developed. Document
determine if the controls are effective in their application.
CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduceor eliminate vulnerabilities in organizational systems.
[a] deficiencies and vulnerabilities to be addressed by the plan of
Artifact
action are identified.
[b] a plan of action is developed to correct identified deficiencies and
Artifact
reduce or eliminate identified vulnerabilities.
[c] the plan of action is implemented to correct identified deficiencies
Artifact
and reduce or eliminate identified vulnerabilities.
[g] the frequency to update the system security plan is defined. Document
CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness[h] system security plan is updated with the defined frequency. Document
of the controls.
[a] security controls are monitored on an ongoing basis to ensure the
Artifact
continued effectiveness of those controls.
CA.L2-3.12.4 Develop, document, and periodically update system security plans that describe
system boundaries, system environments of operation, how security requirements are
implemented, and the relationships with or connections to other systems.
[b] the system boundary is described and documented in the systemsecurity plan.
Document
[c] the system environment of operation is described and documented
Document
in the system security plan.
[d] the security requirements identified and approved by the
Document
designated authority as non-applicable are identified.
[e] the method of security requirement implementation is described
Document
and documented in the system security plan.
[f] the relationship with or connection to other systems is described
Document
and documented in the system security plan.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  | 
[a] the external system boundary is defined. Document [b] key internal system boundaries are defined. Document [c] communications are monitored at the external system boundary. Screen Share [d] communications are monitored at key internal boundaries. Screen Share [e] communications are controlled at the external system boundary. Screen Share [f] communications are controlled at key internal boundaries. Screen Share [g] communications are protected at the external system boundary. Screen Share [h] communications are protected at key internal boundaries. Screen Share
CertifiedCMMCAssessor(CCA)  | 
SC.L1-3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
[a] user functionality is identified. Document [b] system management functionality is identified. Document
SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
[a] architectural designs that promote effective information security
Document
are identified.
[b] software development techniques that promote effective
Document
information security are identified.
[c] systems engineering principles that promote effective information
Document
security are identified.
[d] identified architectural designs that promote effective information
Artifact
security are employed.
[e] identified software development techniques that promote effective
Artifact
information security are employed.
[f] identified systems engineering principles that promote effective
Artifact
information security are employed.
SC.L2-3.13.3 Separate user functionality from system management functionality.
[c] user functionality is separated from system management
Screen Share
functionality.
SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system
resources.
[a] unauthorized and unintended information transfer via shared
Screen Share
system resources is prevented.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  | 
[a] publicly accessible system components are identified. Document [a] network communications traffic is denied by default. Screen Share
[b] network communications traffic is allowed by exception. Screen Share
  |  Certified CMMC Assessor (CCA)
SC.L1-3.13.5 Implement subnetworks for publicly accessible system components that are
physically or logically separated from internal networks.
[b] subnetworks for publicly accessible system components are
Artifact
physically or logically separated from internal networks.
SC.L2-3.13.6 Deny network communications traffic by default and allow network
communications traffic by exception (i.e., deny all, permit by exception).
SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections
with organizational systems and communicating via some other connection to resources in
external networks (i.e., split tunneling).
[a] remote devices are prevented from simultaneously establishing
Screen Share
non-remote connections with the system and communicating via
some other connection to resources in external networks (i.e., split
tunneling).
SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI
during transmission unless otherwise protected by alternative physical safeguards.
[a] cryptographic mechanisms intended to prevent unauthorized
Document
disclosure of CUI are identified.
[b] alternative physical safeguards intended to prevent unauthorized
Document
disclosure of CUI are identified.
[c] either cryptographic mechanisms or alternative physical safeguards
Artifact
are implemented to prevent unauthorized disclosure of CUI during transmission.
SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end
of the sessions or after a defined period of inactivity.
[a] a period of inactivity to terminate network connections associated
Document
with communications sessions is defined.
[b] network connections associated with communications sessions are
Screen Share
terminated at the end of the sessions.
[c] network connections associated with communications sessions are
Screen Share
terminated after the defined period of inactivity.
SC.L2-3.13.10 Establish and manage cryptographic keys for cryptography employed in
organizational systems.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  | 
[a] collaborative computing devices are identified. Document [c] remote activation of collaborative computing devices is prohibited. Artifact
CertifiedCMMCAssessor(CCA)  | 
[a] use of mobile code is controlled. Screen Share
[a] cryptographic keys are established whenever cryptography is
Artifact
[b] use of mobile code is monitored. Screen Share
employed.
[b] cryptographic keys are managed whenever cryptography is
Artifact
employed.
SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
[a] FIPS-validated cryptography is employed to protect the
Screen Share
confidentiality of CUI.
[a] the authenticity of communications sessions is protected. Screen Share
SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
[b] collaborative computing devices provide indication to users of
Physical Review
[a] the confidentiality of CUI at rest is protected. Artifact
devices in use
SC.L2-3.13.13 Control and monitor the use of mobile code.
[a] the time within which to identify system flaws is specified. Document
SC.L2-3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. [a] use of Voice over Internet Protocol (VoIP) technologies is
Artifact
controlled.
[b] use of Voice over Internet Protocol (VoIP) technologies is
Artifact
monitored.
SC.L2-3.13.15 Protect the authenticity of communications sessions.
SC.L2-3.13.16 Protect the confidentiality of CUI at rest.
SI.L1-3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  | 
[b] system flaws are identified within the specified time frame. Screen Share
[c] the time within which to report system flaws is specified. Document [d] system flaws are reported within the specified time frame. Screen Share
[e] the time within which to correct system flaws is specified. Document [f] system flaws are corrected within the specified time frame. Screen Share
[a] designated locations for malicious code protection are identified. Document [b] protection from malicious code at designated locations is provided. Screen Share
[b] system security alerts and advisories are monitored. Artifact
  |  Certified CMMC Assessor (CCA)
[a] the frequency for malicious code scans is defined. Document
SI.L1-3.14.2 Provide protection from malicious code at appropriate locations within
[b] malicious code scans are performed with the defined frequency. Screen Share
organizational information systems.
SI.L2-3.14.3 Monitor system security alerts and advisories and take action in response. [a] response actions to system security alerts and advisories are
Document
identified.
[c] actions in response to system security alerts and advisories are
Artifact
taken.
SI.L1-3.14.4 Update malicious code protection mechanisms when new releases are available.
[a] malicious code protection mechanisms are updated when newreleases are available.
Screen Share
SI.L1-3.14.5 Perform periodic scans of the information system and real-time scans of files from
external sources as files are downloaded, opened, or executed.
[c] real-time malicious code scans of files from external sources as files
Screen Share
are downloaded, opened, or executed are performed.
SI.L2-3.14.6 Monitor organizational systems, including inbound and outbound communications
traffic, to detect attacks and indicators of potential attacks.
[a] the system is monitored to detect attacks and indicators of
Screen Share
potential attacks.
[b] inbound communications traffic is monitored to detect attacks and
Screen Share
indicators of potential attacks.
[c] outbound communications traffic is monitored to detect attacks
Screen Share
and indicators of potential attacks.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  | 
[a] authorized use of the system is defined. Document
[b] unauthorized use of the system is identified. Artifact
CertifiedCMMCAssessor(CCA)  | 
SI.L2-3.14.7 Identify unauthorized use of organizational systems.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |

Latest revision as of 19:35, 30 March 2025

CMMC assessments and certification require substantial evidence and documentation. The following tables outline general guidelines for collecting evidence to assess control requirements and objectives. While these guidelines provide a structured approach, they are not the only means of conducting an accurate assessment. Assessors should exercise professional judgment and may employ alternative methods appropriate to the specific organizational context and circumstances.

Evidence collection approaches are defined as:

  • Documentation: Tangible materials containing information over which an organization has authority, including all types of written records and their copies.
  • Artifacts: Tangible, reviewable records directly resulting from a practice or process being performed by a system or by personnel executing their role within that practice, control, or process.
  • Physical Review: Direct on-site observation and examination of evidence.
  • Screen Share: Real-time remote observation of a user demonstrating a task or process via shared computer screen, sometimes called "over-the-shoulder" review.

DISCLAIMER: Evidence requirements vary significantly across assessment types. The examples provided are illustrative only and should be tailored to meet the specific adequacy and sufficiency standards of your particular assessment context.

Access Control (AC)

AC.L2-3.1.1 – Authorized Access Control [CUI Data]

Assessment Objectives Collection Approach Evidence Examples
AC.L2-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
[a] authorized users are identified. Document Document defining account request, approval, provisioning.
[b] processes acting on behalf of authorized users are identified. Document Document defining account request, approval, provisioning.
[c] devices (and other systems) authorized to connect to the system are identified. Document Document defining account request, approval, provisioning.
[d] system access is limited to authorized users. Screen Share Screen share showing login requirements are enforced. Example of an unauthorized user denied (unauthorized username entered at login).
[e] system access is limited to processes acting on behalf of authorized users. Screen Share Screenshot showing that service accounts are assigned to authorized users only; no rogue accounts without an authorized user are active.
[f] system access is limited to authorized devices (including other systems). Screen Share Screen share showing that all devices running are authorized; no rogue devices on the network.

AC.L2-3.1.2 – Transaction & Function Control [CUI Data]

Assessment Objectives Collection Approach Evidence Examples
AC.L2-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
[a] the types of transactions and functions that authorized users are permitted to execute are defined. Document SSP, AUP, or IAM document that defines what authorized users can execute.
[b] system access is limited to the defined types of transactions and functions for authorized users. Screen Share Screenshot of security roles in AD, IAM, or another directory-based identity service showing that transactions are as defined in the SSP or IAM document; privileged and non-privileged accounts need to be defined and identified in the artifact; screenshot of a non-privileged user attempting to execute a privileged function.

AC.L2-3.1.3 – Control CUI Flow

Assessment Objectives Collection Approach Evidence Examples
AC.L2-3.1.3 Control the flow of CUI in accordance with approved authorizations.
[a] information flow control policies are defined. Document SSP or other document describing the control of CUI on the network.
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined. Document Document that defines the networking devices on the CUI network and describes what measures are in place to control the flow. List of firewalls, border and internal layer 3 devices, IDS/IPS, and DLP that process CUI.
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. Artifact Network diagram, data flow diagram, external system connection diagrams, document describing the policies for CUI on the network; listing of VLANs and subnets where CUI is authorized; document must describe source and authorized destinations.
[d] authorizations for controlling the flow of CUI are defined. Document Document that defines how CUI is to be controlled, such as an InfoSec plan, and/or network management plan.
[e] approved authorizations for controlling the flow of CUI are enforced. Screen Share Screenshots of firewall rules, ACLs, etc.

AC.L2-3.1.4 – Separation of Duties

Assessment Objectives Collection Approach Evidence Examples
AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
[a] the duties of individuals requiring separation are defined. Document Document, SSP, account management policy, defining separation of duties by person or role.
[b] responsibilities for duties that require separation are assigned to separate individuals. Screen Share Screenshot showing that separation of duties is enforced by showing admin accounts are assigned to different people based on role.
[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. Screen Share Screenshot showing an example such as a security manager who cannot log into a network device and change ACLs, or network admins who cannot access security logs in the SIEM tool.

AC.L2-3.1.5 – Least Privilege

Assessment Objectives Collection Approach Evidence Examples
AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
[a] privileged accounts are identified. Document SSP or policy (documentation) that identifies what is considered a privileged account.
[b] access to privileged accounts is authorized in accordance with the principle of least privilege. Artifact An artifact showing that the least amount of permissions associated with each type of privileged account is approved.
[c] security functions are identified. Document SSP or policy (documentation) that identifies what is considered a security account.
[d] access to security functions is authorized in accordance with the principle of least privilege. Artifact Artifact(s) showing that the least amount of permissions associated with each type of security account is approved.

AC.L2-3.1.6 – Non-Privileged Account Use

Assessment Objectives Collection Approach Evidence Examples
AC.L2-3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
[a] nonsecurity functions are identified. Document SSP or account management document, AUP, that defines non-security functions.
[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions. Screen Share Screenshot showing that a privileged user tried to use their admin account to access a non-security function, such as a browser or email (whatever is defined in their policy) and was blocked.

==== AC.L2-3.1.7 – Privileged Functions ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
|-
| [a] privileged functions are defined. || Document || SSP or policy (documentation) that defines privileged functions.
|-
| [b] non-privileged users are defined. || Document || SSP or policy (documentation) that defines non-privileged users.
|-
| [c] non-privileged users are prevented from executing privileged functions. || Screen Share || Screen share that shows that a non-privileged user is not allowed to complete a privileged function (installing software).
|-
| [d] the execution of privileged functions is captured in audit logs. || Screen Share || Screen share that shows logs being captured of the execution of privileged functions.
|}

==== AC.L2-3.1.8 – Unsuccessful Logon Attempts ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.8 Limit unsuccessful logon attempts.
|-
| [a] the means of limiting unsuccessful logon attempts is defined. || Document || SSP or policy (documentation) showing the unsuccessful logon attempt settings and/or policy.
|-
| [b] the defined means of limiting unsuccessful logon attempts is implemented. || Artifact || Artifact showing the GPO / policy for limiting logon attempts.
|}

==== AC.L2-3.1.9 – Privacy & Security Notices ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
|-
| [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. || Document || SSP or policy (documentation) showing CUI-specified rules are identified, consistent, and associated with the specific CUI category.
|-
| [b] privacy and security notices are displayed. || Artifact || Artifact that shows a consent banner or screen that a user sees as they log in to the system.
|}

==== AC.L2-3.1.10 – Session Lock ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
|-
| [a] the period of inactivity after which the system initiates a session lock is defined. || Document || SSP or policy (documentation) that defines the period of inactivity after which a session lock is initiated.
|-
| [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. || Artifact || Artifact that shows the session lock setting (GPO, system policy, or a similar solution that centrally manages and configures operating system, application, and user settings for user accounts and computer accounts).
|-
| [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. || Artifact || Screenshot of the GPO setting and configuration settings, or of a similar solution that centrally manages and configures operating system, application, and user settings for user accounts and computer accounts.
|}
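The AC.L2-3.1.8 [b] and AC.L2-3.1.10 [b]–[c] rows above both ask for an artifact of a GPO-delivered setting. Rather than a screenshot, an OSC can capture the effective values from a host as a dated file. The following PowerShell script is an added example and is not from the CMMC Toolkit Wiki or DIBCAC. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, and the SSP-defined values at the top are placeholders to be replaced with the OSC's own documented numbers.

```powershell
# Added example (not from the CMMC Toolkit Wiki): capture the effective account-lockout
# and session-lock settings on a domain-joined Windows host as a dated JSON artifact,
# and compare them with the values the SSP defines (assumed placeholders below).
# Requires the RSAT ActiveDirectory module for Get-ADDefaultDomainPasswordPolicy.

# Assumed SSP-defined values (placeholders; take the real ones from the OSC's policy).
$SspLockoutThreshold  = 5     # failed attempts allowed before lockout
$SspLockoutMinutes    = 15    # minimum lockout duration in minutes
$SspInactivitySeconds = 900   # session lock after 15 minutes of inactivity

$evidence = [ordered]@{
    CollectedAt = (Get-Date).ToString('o')
    Host        = $env:COMPUTERNAME
    CollectedBy = "$env:USERDOMAIN\$env:USERNAME"
}

# --- AC.L2-3.1.8 [b]: default domain account lockout policy ---
Import-Module ActiveDirectory -ErrorAction Stop
$pol = Get-ADDefaultDomainPasswordPolicy
$evidence.LockoutThreshold                = $pol.LockoutThreshold
$evidence.LockoutDurationMinutes          = $pol.LockoutDuration.TotalMinutes
$evidence.LockoutObservationWindowMinutes = $pol.LockoutObservationWindow.TotalMinutes
# A threshold of 0 means "never lock out", so it must be rejected explicitly.
$evidence.LockoutMeetsSsp = ($pol.LockoutThreshold -gt 0 -and
                             $pol.LockoutThreshold -le $SspLockoutThreshold -and
                             $pol.LockoutDuration.TotalMinutes -ge $SspLockoutMinutes)

# --- AC.L2-3.1.10 [b],[c]: screen-saver lock delivered by GPO ---
# Values under the Policies hive are the ones Group Policy enforces; a user cannot
# override them, unlike the same names under HKCU:\Control Panel\Desktop.
$ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss = Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue
$evidence.ScreenSaverActive    = $ss.ScreenSaveActive     # '1' = enabled
$evidence.ScreenSaverTimeoutS  = $ss.ScreenSaveTimeOut    # seconds of inactivity
$evidence.ScreenSaverIsSecure  = $ss.ScreenSaverIsSecure  # '1' = password required on resume
$evidence.ScreenSaverProgram   = $ss.'SCRNSAVE.EXE'       # the pattern-hiding display in use
$evidence.SessionLockMeetsSsp  = ($ss.ScreenSaveActive -eq '1' -and
                                  $ss.ScreenSaverIsSecure -eq '1' -and
                                  [int]$ss.ScreenSaveTimeOut -gt 0 -and
                                  [int]$ss.ScreenSaveTimeOut -le $SspInactivitySeconds)

# Write the artifact with host name and timestamp in the file name for the evidence folder.
$outFile = Join-Path $PWD ("AC-3.1.8-3.1.10_{0}_{1:yyyyMMdd-HHmm}.json" -f $env:COMPUTERNAME, (Get-Date))
$evidence | ConvertTo-Json | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Evidence written to $outFile"
$evidence
```

Run it in a session that can reach a domain controller. Note that it reads the default domain policy only; if the OSC uses fine-grained password policies, capture the resultant policy for a sample privileged and non-privileged account with `Get-ADUserResultantPasswordPolicy` as well, since a PSO can loosen the lockout values for the accounts it applies to.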

==== AC.L2-3.1.11 – Session Termination ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.11 Terminate (automatically) a user session after a defined condition.
|-
| [a] conditions requiring a user session to terminate are defined. || Document || SSP or policy (documentation) that defines the conditions requiring a user session to be terminated.
|-
| [b] a user session is automatically terminated after any of the defined conditions. || Screen Share || Screen share showing GPO / VPN settings that show when a session would be terminated (idle time, maximum connection time).
|}

==== AC.L2-3.1.12 – Control Remote Access ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.12 Monitor and control remote access sessions.
|-
| [a] remote access sessions are permitted. || Document || SSP or policy (documentation) that defines remote access sessions.
|-
| [b] the types of permitted remote access are identified. || Document || SSP or policy (documentation) that defines which types of remote access are permitted.
|-
| [c] remote access sessions are controlled. || Screen Share || Screen share that shows how remote access is controlled (access sessions and/or groups).
|-
| [d] remote access sessions are monitored. || Screen Share || Screen share that shows how remote sessions are monitored (logs).
|}

==== AC.L2-3.1.13 – Remote Access Confidentiality ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
|-
| [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. || Document || SSP or policy (documentation) that discusses the CUI rules, consistent with and associated with the specific CUI category; FIPS certificate number of the appliance or application.
|-
| [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. || Screen Share || Screenshot of the VPN concentrator that shows encryption is on and enabled (point-to-point, etc.).
|}

==== AC.L2-3.1.14 – Remote Access Routing ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.14 Route remote access via managed access control points.
|-
| [a] managed access control points are identified and implemented. || Screen Share || Screen share that shows access control points (groups and/or users).
|-
| [b] remote access is routed through managed network access control points. || Screen Share || Screen share that shows access control points and how they are managed.
|}

==== AC.L2-3.1.15 – Privileged Remote Access ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
|-
| [a] privileged commands authorized for remote execution are identified. || Document || SSP or policy (documentation) that defines what is authorized to be executed remotely and how that is handled.
|-
| [b] security-relevant information authorized to be accessed remotely is identified. || Document || SSP or policy (documentation) that defines what can be accessed remotely and what procedures are implemented to allow this (RDP, jump box).
|-
| [c] the execution of the identified privileged commands via remote access is authorized. || Screen Share || Screen share that shows who has access to perform privileged commands remotely (access groups for privileged accounts).
|-
| [d] access to the identified security-relevant information via remote access is authorized. || Screen Share || Screen share that shows the routing of remote access, how it is monitored, and how many locations are involved (firewall, VPN concentrator).
|}

==== AC.L2-3.1.16 – Wireless Access Authorization ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.16 Authorize wireless access prior to allowing such connections.
|-
| [a] wireless access points are identified. || Document || SSP, network administration document.
|-
| [b] wireless access is authorized prior to allowing such connections. || Screen Share || Authorization profile(s) in the Wireless Access Controller or Identity Manager (e.g. Cisco ISE).
|}

==== AC.L2-3.1.17 – Wireless Access Protection ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.17 Protect wireless access using authentication and encryption.
|-
| [a] wireless access to the system is protected using authentication. || Screen Share || Security page (or similar) of a Wireless Access Controller.
|-
| [b] wireless access to the system is protected using encryption. || Screen Share || Security page (or similar) of a Wireless Access Controller.
|}

==== AC.L2-3.1.18 – Mobile Device Connection ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.18 Control connection of mobile devices.
|-
| [a] mobile devices that process, store, or transmit CUI are identified. || Document || SSP, Mobile Device Policy.
|-
| [b] mobile device connections are authorized. || Screen Share || Authorization profile(s) in the Wireless Access Controller or Identity Manager (e.g. Cisco ISE).
|-
| [c] mobile device connections are monitored and logged. || Screen Share || Mobile device logs within the MDM; log intake (sources) configuration within the SIEM showing the MDM is feeding logs to the SIEM.
|}

==== AC.L2-3.1.19 – Encrypt CUI on Mobile ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
|-
| [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. || Document || SSP, Mobile Device Policy.
|-
| [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. || Screen Share || Security policy page in the MDM showing how encryption is enforced on mobile devices. If there is no MDM, or the MDM does not enforce encryption, then verify that the devices used are on the list of devices with native FIPS-validated encryption.
|}

==== AC.L2-3.1.20 – External Connections [CUI Data] ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.20 Verify and control/limit connections to and use of external information systems.
|-
| [a] connections to external systems are identified. || Document || SSP, Systems Interconnection Agreements, SLA.
|-
| [b] the use of external systems is identified. || Document || SSP, Systems Interconnection Agreements, SLA.
|-
| [c] connections to external systems are verified. || Artifact || SLA for external systems, memorandum for interconnection, information to prove that any cloud solution is at FedRAMP impact level Moderate or higher (e.g. license information, screenshot of the AWS cloud dashboard, purchase order document).
|-
| [d] the use of external systems is verified. || Artifact || SLA for external systems, memorandum for interconnection, information to prove that any cloud solution is at FedRAMP impact level Moderate or higher (e.g. license information, screenshot of the AWS cloud dashboard, purchase order document).
|-
| [e] connections to external systems are controlled/limited. || Screen Share || Firewall ruleset for controlling access to the cloud service or external system.
|-
| [f] the use of external systems is controlled/limited. || Screen Share || Firewall ruleset for controlling access to the cloud service or external system.
|}

==== AC.L2-3.1.21 – Portable Storage Use ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.21 Limit use of portable storage devices on external systems.
|-
| [a] the use of portable storage devices containing CUI on external systems is identified and documented. || Document || SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|-
| [b] limits on the use of portable storage devices containing CUI on external systems are defined. || Document || SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|-
| [c] the use of portable storage devices containing CUI on external systems is limited as defined. || Document || SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|}

==== AC.L2-3.1.22 – Control Public Information [CUI Data] ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AC.L2-3.1.22 Control information posted or processed on publicly accessible information systems.
|-
| [a] individuals authorized to post or process information on publicly accessible systems are identified. || Document || SSP, Website Governance Plan, Information Release Document.
|-
| [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. || Document || SSP, Website Governance Plan, Information Release Document.
|-
| [c] a review process is in place prior to posting of any content to publicly accessible systems. || Artifact || Information release approval process, e.g. a chain of email communication from originator, approver, and final decision (may or may not include the individual authorized to post); SharePoint, electronic or paper form, or ticket system showing the information flow between requestor and approver (may or may not include the individual authorized to post).
|-
| [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI. || Artifact || Incident response process, web design/update/modification SOP, etc.
|-
| [e] mechanisms are in place to remove and address improper posting of CUI. || Artifact || Incident response process, web design/update/modification SOP, etc.
|}

=== Awareness and Training (AT) ===

==== AT.L2-3.2.1 – Role-Based Risk Awareness ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AT.L2-3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
|-
| [a] security risks associated with organizational activities involving CUI are identified. || Document || Policy of Security Awareness Training; Security Awareness Training Briefing.
|-
| [b] policies, standards, and procedures related to the security of the system are identified. || Document || Acceptable Use Policy, Policy/Procedures/Instruction related to the security of the system.
|-
| [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. || Artifact || Security Training Brief, training records.
|-
| [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. || Artifact || Policies, standards, and procedures for employees within training (completed training report).
|}

==== AT.L2-3.2.2 – Role-Based Training ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AT.L2-3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
|-
| [a] information security-related duties, roles, and responsibilities are defined. || Document || Policy/Procedures/Instruction, Job Role Matrix, Position Descriptions, User Roles.
|-
| [b] information security-related duties, roles, and responsibilities are assigned to designated personnel. || Artifact || Screenshot of the breakout of different roles/permissions assigned to individuals (e.g. Active Directory); Privileged Access Agreement.
|-
| [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. || Artifact || Screenshot of tool and/or training specifying security-specific roles, duties, and responsibilities; screenshot of required certifications (e.g. Sec+, CISSP).
|}

==== AT.L2-3.2.3 – Insider Threat Awareness ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
|-
| [a] potential indicators associated with insider threats are identified. || Document || Insider Threat Policy/Procedures/Instruction; Insider Threat Training/Briefing.
|-
| [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. || Artifact || Screenshot of training records showing completion of Insider Threat training, emails showing completion of Insider Threat training, screenshot of certificate showing completion with the individual's name.
|}

=== Audit and Accountability (AU) ===

==== AU.L2-3.3.1 – System Auditing ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
|-
| [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. || Document || SSP, policy, or auditing and logging process that defines the specific types of events to be logged.
|-
| [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. || Document || SSP, policy, or auditing and logging process that defines the specific content of audit records/files.
|-
| [c] audit records are created (generated). || Screen Share || Screen share of the tool that shows logs are generated for all systems.
|-
| [d] audit records, once created, contain the defined content. || Screen Share || Screen share of the tool that shows logs contain the content defined in the SSP, policy, or procedures.
|-
| [e] retention requirements for audit records are defined. || Document || SSP, policy, or auditing and logging process that describes how long records are kept.
|-
| [f] audit records are retained as defined. || Screen Share || Screen share of the tool that shows records and audit content are retained at a minimum as defined.
|}

==== AU.L2-3.3.2 – User Accountability ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
|-
| [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. || Document || SSP, policy, or process that defines actions traced back to individuals.
|-
| [b] audit records, once created, contain the defined content. || Screen Share || Screen share of the tool that shows audit records traced to specific users/roles.
|}

==== AU.L2-3.3.3 – Event Review ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.3 Review and update logged events.
|-
| [a] a process for determining when to review logged events is defined. || Document || SSP, policy, or documented process that shows the frequency at which types of logged events are reviewed.
|-
| [b] event types being logged are reviewed in accordance with the defined review process. || Artifact || Evidence through a documented method, such as meeting minutes, CAB minutes, etc., of log sources and log events being reviewed at the defined frequency.
|-
| [c] event types being logged are updated based on the review. || Artifact || Evidence of implementation based on the results of the review of logged events/sources, through a ticket, meeting minutes, or a screen share of the tool that shows the changes implemented (fine-tuning).
|}

==== AU.L2-3.3.4 – Audit Failure Alerting ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.4 Alert in the event of an audit logging process failure.
|-
| [a] personnel or roles to be alerted in the event of an audit logging process failure are identified. || Document || SSP, policy, or procedure that shows who needs to be notified in case of an audit failure.
|-
| [b] types of audit logging process failures for which alert will be generated are defined. || Document || SSP, policy, or procedure that shows what types of failure will generate notifications.
|-
| [c] identified personnel or roles are alerted in the event of an audit logging process failure. || Artifact || Artifact such as an email or ticket that shows the identified personnel were alerted of an audit/logging process failure as defined.
|}

==== AU.L2-3.3.5 – Audit Correlation ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
|-
| [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. || Document || SSP, policy, or procedure covering audit logging, monitoring, and reporting.
|-
| [b] defined audit record review, analysis, and reporting processes are correlated. || Artifact || Artifact showing an audit event and the resultant corrective action or actions taken for the event; this can be a help desk ticket, meeting notes, or change control board items showing the event and any corrective action taken.
|}

==== AU.L2-3.3.6 – Reduction & Reporting ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
|-
| [a] an audit record reduction capability that supports on-demand analysis is provided. || Screen Share || Screen share of the logging environment where an event can be selected and traced back to a specific device, or a dashboard showing real-time event analysis.
|-
| [b] a report generation capability that supports on-demand reporting is provided. || Screen Share || Screen share showing the generation of an on-demand report.
|}

==== AU.L2-3.3.7 – Authoritative Time Source ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
|-
| [a] internal system clocks are used to generate time stamps for audit records. || Screen Share || Screen share showing the NTP settings of a Windows, Unix, or Linux device; a screen share showing the NTP settings of network appliances.
|-
| [b] an authoritative source with which to compare and synchronize internal system clocks is specified. || Document || SSP or policy indicating that devices need to be synced to a local authoritative time device that is itself synced with an authoritative time service.
|-
| [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. || Screen Share || Screen share showing that the device or logging appliance time is pointed to the appropriate authoritative time server.
|}

==== AU.L2-3.3.8 – Audit Protection ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
|-
| [a] audit information is protected from unauthorized access. || Screen Share || Screen share showing operating system permissions on the audit folders being restricted to appropriate users.
|-
| [b] audit information is protected from unauthorized modification. || Screen Share || Screen share showing operating system permissions on the audit folders being restricted to appropriate users.
|-
| [c] audit information is protected from unauthorized deletion. || Screen Share || Screen share showing operating system permissions on the audit folders being restricted to appropriate users.
|-
| [d] audit logging tools are protected from unauthorized access. || Screen Share || Artifact showing access permissions in the SIEM tool.
|-
| [e] audit logging tools are protected from unauthorized modification. || Screen Share || Artifact showing update permissions in the SIEM tool.
|-
| [f] audit logging tools are protected from unauthorized deletion. || Screen Share || Artifact showing delete permissions in the SIEM tool.
|}
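For AU.L2-3.3.7 [a] and [c] and for AU.L2-3.3.8 [a]–[c], the evidence is a time-source setting and an operating-system ACL, both of which can be captured from the host as a dated artifact instead of a screen share. The following PowerShell script is an added example and is not from the CMMC Toolkit Wiki or DIBCAC. It assumes a Windows host whose audit records are written to a folder (path and approved principals are placeholders taken from the SSP) and that the SSP names the authoritative time server; it uses `w32tm`, `Get-Acl`, and `wevtutil`, all of which ship with Windows.

```powershell
# Added example (not from the CMMC Toolkit Wiki): capture the Windows time-source
# configuration and the ACL protecting an audit log folder as a dated JSON artifact,
# and flag any principal with write/delete rights that the SSP does not approve.

# Assumed SSP-defined values (placeholders; take the real ones from the OSC's SSP).
$SspTimeSource   = 'ntp.example.local'                           # authoritative time server
$AuditFolder     = 'C:\AuditLogs'                                # where audit records are kept
$SspAllowedWrite = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\LogAdmins') # may modify/delete records

$evidence = [ordered]@{
    CollectedAt = (Get-Date).ToString('o')
    Host        = $env:COMPUTERNAME
}

# --- AU.L2-3.3.7 [a],[c]: w32time source and synchronization status ---
# 'w32tm /query /source' prints the peer in use; "Local CMOS Clock" means no sync.
$evidence.TimeSource           = (& w32tm /query /source) -join ''
$evidence.TimeStatus           = (& w32tm /query /status) -join "`n"
$evidence.TimeSourceMatchesSsp = $evidence.TimeSource -like "*$SspTimeSource*"

# --- AU.L2-3.3.8 [a]-[c]: who can read, modify, or delete the audit records ---
$acl = Get-Acl -Path $AuditFolder
$evidence.AuditFolder = $AuditFolder
$evidence.Owner       = $acl.Owner
$evidence.Acl = @(foreach ($ace in $acl.Access) {
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights.ToString()
        Type      = $ace.AccessControlType.ToString()
        Inherited = $ace.IsInherited
    }
})

# Any Allow entry carrying write, modify, delete, or full control for a principal
# outside the approved list is the finding an assessor will ask about.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$evidence.UnapprovedWriteAccess = @(
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeMask) -ne 0 -and
            $SspAllowedWrite -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value }
)

# If the Windows Security event log is itself an audit source, its channel access
# SDDL (channelAccess line) is the equivalent protection evidence.
$evidence.SecurityLogChannel = (& wevtutil gl Security) -join "`n"

$outFile = Join-Path $PWD ("AU-3.3.7-3.3.8_{0}_{1:yyyyMMdd-HHmm}.json" -f $env:COMPUTERNAME, (Get-Date))
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Evidence written to $outFile"
$evidence
```

Run it elevated so `Get-Acl` can read the folder's security descriptor. An empty `UnapprovedWriteAccess` list together with a `TimeSource` that names the SSP's server is the result the rows above are looking for; a non-empty list means either the ACL or the SSP's approved-principals list needs to change, and either is a finding to record before the assessment.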

==== AU.L2-3.3.9 – Audit Management ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | AU.L2-3.3.9 Limit management of audit logging functionality to a subset of privileged users.
|-
| [a] a subset of privileged users granted access to manage audit logging functionality is defined. || Document || SSP or policy indicating which users or groups have access to audit logs.
|-
| [b] management of audit logging functionality is limited to the defined subset of privileged users. || Screen Share || Artifact showing SIEM or OS folder permissions (these should be limited to the assigned users or groups); artifact showing an ACL setting in the SIEM tool regarding logs.
|}

=== Configuration Management (CM) ===

==== CM.L2-3.4.1 – System Baselining ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
|-
| [a] a baseline configuration is established. || Document || Documentation showing or explaining the standard imaging process (how standard images are deployed and where they are stored).
|-
| [b] the baseline configuration includes hardware, software, firmware, and documentation. || Artifact || Screenshot of the repository where images are maintained and information relating to hardware, software, and firmware.
|-
| [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. || Artifact || Screenshot/evidence displaying management of baseline configurations (how often they are being managed, as stated).
|-
| [d] a system inventory is established. || Document || Screenshot/evidence displaying the inventory listing of approved products for use.
|-
| [e] the system inventory includes hardware, software, firmware, and documentation. || Artifact || Screenshot/evidence displaying the inventory listing of approved products and versions permitted for use.
|-
| [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle. || Artifact || Screenshot/evidence displaying management of baseline configurations (how often, and whether they are being managed as stated).
|}

==== CM.L2-3.4.2 – Security Configuration Enforcement ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
|-
| [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. || Document || Documentation explaining the methodology used by the organization to create secure baselines (STIGs, benchmarks).
|-
| [b] security configuration settings for information technology products employed in the system are enforced. || Artifact || Evidence of the tool(s) used to enforce security configurations, to ensure the images used are free from modification unless authorized.
|}

==== CM.L2-3.4.3 – System Change Management ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
|-
| [a] changes to the system are tracked. || Artifact || Evidence of the IT Service Management tool / process used to track system changes.
|-
| [b] changes to the system are reviewed. || Artifact || Evidence of the IT Service Management tool / process used to review system changes.
|-
| [c] changes to the system are approved or disapproved. || Artifact || Evidence of the IT Service Management tool / process used to approve/disapprove system changes.
|-
| [d] changes to the system are logged. || Artifact || Evidence of the IT Service Management tool / process used to log system changes.
|}

==== CM.L2-3.4.4 – Security Impact Analysis ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.4 Analyze the security impact of changes prior to implementation.
|-
| [a] the security impact of changes to the system is analyzed prior to implementation. || Artifact || Document explaining that a security impact analysis of proposed changes to a system is conducted prior to implementation.
|}

==== CM.L2-3.4.5 – Access Restrictions for Change ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
|-
| [a] physical access restrictions associated with changes to the system are defined. || Document || Document explaining the process of how physical access restrictions are defined for an individual's ability to make system changes.
|-
| [b] physical access restrictions associated with changes to the system are documented. || Document || Document showing that the process of how physical access restrictions are defined for an individual's ability to make system changes is documented; access request process.
|-
| [c] physical access restrictions associated with changes to the system are approved. || Artifact || Evidence of the process by which physical access to systems is granted (e.g. a physical access request sample).
|-
| [d] physical access restrictions associated with changes to the system are enforced. || Physical Review || Evidence of the process by which physical access to systems is enforced (physical access system).
|-
| [e] logical access restrictions associated with changes to the system are defined. || Document || Document explaining the process of how logical access restrictions are defined for an individual's ability to make system changes.
|-
| [f] logical access restrictions associated with changes to the system are documented. || Document || Document showing that the process of how logical access restrictions are defined for an individual's ability to make system changes is documented.
|-
| [g] logical access restrictions associated with changes to the system are approved. || Artifact || Evidence of the process by which logical access to systems is granted.
|-
| [h] logical access restrictions associated with changes to the system are enforced. || Artifact || Evidence of the process by which logical access to systems is enforced.
|}

==== CM.L2-3.4.6 – Least Functionality ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
|-
| [a] essential system capabilities are defined based on the principle of least functionality. || Document || Documentation explaining how systems are configured to apply the principle of least functionality for designated users.
|-
| [b] the system is configured to provide only the defined essential capabilities. || Screen Share || Evidence displaying how systems are configured to apply the principle of least functionality for designated users; disabled service settings, accepted hardening standards (CIS benchmarks, etc.).
|}

==== CM.L2-3.4.7 – Nonessential Functionality ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
|-
| [a] essential programs are defined. || Document || Documented essential programs are specified; build documents; software center; SSP.
|-
| [b] the use of nonessential programs is defined. || Document || Documented listing of nonessential programs (whatever is NOT specified in [a]); the AUP/User Agreement may identify nonessential use/programs.
|-
| [c] the use of nonessential programs is restricted, disabled, or prevented as defined. || Screen Share || The tool used to restrict nonessential programs displays restrictions as defined (McAfee ePO settings, Carbon Black rules, etc.).
|-
| [d] essential functions are defined. || Document || Documented essential functions are specified.
|-
| [e] the use of nonessential functions is defined. || Document || Documented nonessential functions are specified.
|-
| [f] the use of nonessential functions is restricted, disabled, or prevented as defined. || Screen Share || The tool used to restrict essential/nonessential functions displays restrictions as defined.
|-
| [g] essential ports are defined. || Document || Documented essential ports are specified.
|-
| [h] the use of nonessential ports is defined. || Document || Documented nonessential ports are specified.
|-
| [i] the use of nonessential ports is restricted, disabled, or prevented as defined. || Screen Share || The tool used to restrict essential/nonessential ports displays restrictions as defined (FW rules; McAfee; GPO, etc.).
|-
| [j] essential protocols are defined. || Document || Documented essential protocols are specified.
|-
| [k] the use of nonessential protocols is defined. || Document || Documented nonessential protocols are specified.
|-
| [l] the use of nonessential protocols is restricted, disabled, or prevented as defined. || Screen Share || The tool used to restrict essential/nonessential protocols displays restrictions as defined (FW rules; GPO, etc.).
|-
| [m] essential services are defined. || Document || Documented essential services are specified.
|-
| [n] the use of nonessential services is defined. || Document || Documented nonessential services are specified.
|-
| [o] the use of nonessential services is restricted, disabled, or prevented as defined. || Screen Share || The tool used to restrict essential/nonessential services displays restrictions as defined.
|}
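For CM.L2-3.4.7 the document rows ([g], [h], [m], [n]) and the screen-share rows ([i], [o]) are two halves of one check: what the build document says is essential, and what the host actually exposes. The following PowerShell script is an added example, not from the CMMC Toolkit Wiki or DIBCAC, that produces the delta between the two for listening TCP ports and running services. The essential lists at the top are placeholders that stand in for the OSC's documented lists; `Get-NetTCPConnection`, `Get-Process`, and `Get-Service` are standard Windows cmdlets.

```powershell
# Added example (not from the CMMC Toolkit Wiki): compare the listening TCP ports and
# running services observed on a host with the documented essential lists, and write
# the deltas (what is exposed but not documented as essential, and vice versa) as a
# dated JSON artifact for CM.L2-3.4.7.

# Assumed documented essential lists (placeholders; take the real ones from the build
# document / SSP). Service entries are Windows service names, not display names.
$EssentialTcpPorts = @(135, 139, 445, 3389)
$EssentialServices = @('EventLog', 'W32Time', 'Dnscache', 'Wecsvc')

# Observed listeners, excluding loopback-only sockets, one row per port with the
# owning process name so an unexpected port can be tied to the program behind it.
$listeners = @(
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            }
        } |
        Sort-Object Port, Address -Unique
)

# Observed running services by service name.
$running = @(Get-Service | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name)

$report = [ordered]@{
    CollectedAt = (Get-Date).ToString('o')
    Host        = $env:COMPUTERNAME
    Listeners   = $listeners
    # [i]: ports open on the host that the document does not call essential
    NonEssentialListeningPorts = @($listeners | Where-Object { $EssentialTcpPorts -notcontains $_.Port })
    # [o]: services running that the document does not call essential
    NonEssentialRunningServices = @($running | Where-Object { $EssentialServices -notcontains $_ })
    # Documented essential services that are not actually running (a documentation gap)
    EssentialServicesNotRunning = @($EssentialServices | Where-Object { $running -notcontains $_ })
}

$outFile = Join-Path $PWD ("CM-3.4.7_{0}_{1:yyyyMMdd-HHmm}.json" -f $env:COMPUTERNAME, (Get-Date))
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Evidence written to $outFile"
$report
```

On a real host the `NonEssentialRunningServices` list will be long the first time, because a complete essential-services list is rarely written before someone runs a check like this; the point of the delta is to drive the build document and the host toward agreement, after which the artifact shows an empty (or explained) list. Repeat per representative host type, since a server and a workstation image will have different essential lists.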

==== CM.L2-3.4.8 – Application Execution Policy ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
|-
| [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. || Document || Documentation explaining the whitelisting or blacklisting process.
|-
| [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. || Document || Documentation explaining the whitelisting or blacklisting process for software.
|-
| [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. || Screen Share || The tool used for whitelisting or blacklisting software shows the capability of restricting/authorizing software (Carbon Black dashboard, "SW Store", web proxies, DNS blackhole, etc.).
|}

==== CM.L2-3.4.9 – User-Installed Software ====

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CM.L2-3.4.9 Control and monitor user-installed software.
|-
| [a] a policy for controlling the installation of software by users is established. || Document || Documented software authorization process or methodology for approval.
|-
| [b] installation of software by users is controlled based on the established policy. || Screen Share || Evidence that approval/restriction of the installation of software by authorized personnel is implemented as specified (AUP, GPO, etc.).
|-
| [c] installation of software by users is monitored. || Screen Share || Evidence that the installation of software by authorized personnel is monitored (SCCM groups, SW Center, etc.).
|}

Identification and Authentication (IA)

IA.L2-3.5.1 – Identification [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.1 Identify information system users, processes acting on behalf of users, or devices.
|-
| [a] system users are identified. || Document || Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of non-privileged/privileged users in an AD OU group (overlaps with 3.1.1 and 3.1.5).
|-
| [b] processes acting on behalf of users are identified. || Screen Share || Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of service accounts in an AD OU group (overlaps with 3.1.1 and 3.1.5).
|-
| [c] devices accessing the system are identified. || Screen Share || Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of domain-joined workstations and servers in an AD OU group (overlaps with 3.1.1 and 3.1.5). For network devices, request a screen share/artifact showing how they are identified on the enterprise network.
|}

IA.L2-3.5.2 – Authentication [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
|-
| [a] the identity of each user is authenticated or verified as a prerequisite to system access. || Screen Share || If the user logs in with a non-privileged account during other demos and then with a privileged account, this should be satisfied. If screen share is unavailable, request logs showing successful and unsuccessful logins by privileged and non-privileged users.
|-
| [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. || Screen Share || Request a log that shows a service account's successful/unsuccessful attempts to log on to a company asset.
|-
| [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. || Screen Share || Request a log that shows a domain-joined workstation/server authenticating to AD (focus on the MAC/IP address/hostname).
|}

IA.L2-3.5.3 – Multifactor Authentication

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
|-
| [a] privileged accounts are identified. || Screen Share || Based on what is defined in their documentation, request to see a sample of privileged users in an AD OU group. Overlaps with 3.1.5. Screenshot/screen share to show implementation is enforced.
|-
| [b] multifactor authentication is implemented for local access to privileged accounts. || Document || SSP, AUP, Policy, SOP that defines that MFA is needed for privileged local access.
|-
| [c] multifactor authentication is implemented for network access to privileged accounts. || Screen Share || Within the MFA implementation mechanism, show that privileged users are forced to use MFA; screenshot/screen share to show implementation is enforced.
|-
| [d] multifactor authentication is implemented for network access to non-privileged accounts. || Screen Share || Within the MFA implementation mechanism, show that non-privileged users are forced to use MFA; screenshot/screen share to show implementation is enforced.
|}

IA.L2-3.5.4 – Replay-Resistant Authentication

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
|-
| [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. || Screen Share || Show the GPO setting that enforces Kerberos within AD. If MFA is used, show the implementation that enforces replay-resistant techniques. For non-Windows systems, show the technical solution that enforces replay resistance.
|}

IA.L2-3.5.5 – Identifier Reuse

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.5 Prevent reuse of identifiers for a defined period.
|-
| [a] a period within which identifiers cannot be reused is defined. || Document || SSP, policies, or SOP that defines identifier reuse.
|-
| [b] reuse of identifiers is prevented within the defined period. || Screen Share || Show the GPO setting/technical solution that enforces what is defined in policy/documentation (this can be an automated or manual process; screen share/artifacts can be presented to satisfy this requirement).
|}

IA.L2-3.5.6 – Identifier Handling

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.6 Disable identifiers after a defined period of inactivity.
|-
| [a] a period of inactivity after which an identifier is disabled is defined. || Document || SSP, policy that defines the period of inactivity after which an identifier is disabled.
|-
| [b] identifiers are disabled after the defined period of inactivity. || Screen Share || Screen share of AD or a similar tool supporting directory-based identity services, showing disabled accounts (can be done by hand or by script).
|}

IA.L2-3.5.7 – Password Complexity

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
|-
| [a] password complexity requirements are defined. || Document || SSP, policy that defines password complexity requirements.
|-
| [b] password change of character requirements are defined. || Document || SSP, policy that defines change-of-character requirements.
|-
| [c] minimum password complexity requirements as defined are enforced when new passwords are created. || Screen Share || Screen share of AD or a similar directory-based identity service tool to show complexity requirements.
|-
| [d] minimum password change of character requirements as defined are enforced when new passwords are created. || Screen Share || Screen share of Group Policy configuration or a similar tool providing centralized management and configuration of operating systems, applications, and users' settings to show that characters must be changed.
|}

IA.L2-3.5.8 – Password Reuse

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.8 Prohibit password reuse for a specified number of generations.
|-
| [a] the number of generations during which a password cannot be reused is specified. || Document || SSP, policy that specifies the number of generations during which a password cannot be reused.
|-
| [b] reuse of passwords is prohibited during the specified number of generations. || Screen Share || Screen share of Group Policy or a similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity service tool's configuration to show reuse of passwords is prohibited.
|}

IA.L2-3.5.9 – Temporary Passwords

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
|-
| [a] an immediate change to a permanent password is required when a temporary password is used for system logon. || Screen Share || Screen share of Group Policy or a similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity service tool's configuration to show "change password at first logon."
|}

IA.L2-3.5.10 – Cryptographically-Protected Passwords

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.10 Store and transmit only cryptographically-protected passwords.
|-
| [a] passwords are cryptographically protected in storage. || Screen Share || Screen share of Group Policy or a similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity service tool's configuration showing that Kerberos (or a similar ticket-based network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another securely) is enabled.
|-
| [b] passwords are cryptographically protected in transit. || Screen Share || Screen share of Group Policy or a similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity service tool's configuration showing that Kerberos (or a similar ticket-based network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another securely) is enabled.
|}

IA.L2-3.5.11 – Obscure Feedback

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IA.L2-3.5.11 Obscure feedback of authentication information.
|-
| [a] authentication information is obscured during the authentication process. || Screen Share || Screen share of Group Policy or a similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity service tool's configuration to show that passwords are obscured.
|}

Incident Response (IR)

IR.L2-3.6.1 – Incident Handling

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IR.L2-3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
|-
| [a] an operational incident-handling capability is established. || Document || Incident Response SOP/Plan.
|-
| [b] the operational incident-handling capability includes preparation. || Document || Incident Response SOP/Plan; prior incident report; training; COOP plan.
|-
| [c] the operational incident-handling capability includes detection. || Document || Incident Response SOP/Plan; definition of tools used to detect; artifacts showing tools used; prior incident report.
|-
| [d] the operational incident-handling capability includes analysis. || Document || Incident Response SOP/Plan; definition of tools used to analyze potential incidents; artifacts showing tools used for analysis; prior incident report.
|-
| [e] the operational incident-handling capability includes containment. || Document || Incident Response SOP/Plan; isolation/quarantine process; user training.
|-
| [f] the operational incident-handling capability includes recovery. || Document || Incident Response SOP/Plan; COOP Plan; prior incident reports; re-baselining of impacted devices.
|-
| [g] the operational incident-handling capability includes user response. || Document || Incident Response SOP/Plan; user awareness training; Help Desk process.
|}

IR.L2-3.6.2 – Incident Reporting

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IR.L2-3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
|-
| [a] incidents are tracked. || Artifact || Incident Response SOP/Plan; ITSM artifact; technical implementation for incident tracking.
|-
| [b] incidents are documented. || Artifact || Incident Response SOP/Plan; ITSM artifact; technical implementation for incident tracking.
|-
| [c] authorities to whom incidents are to be reported are identified. || Document || Incident Response SOP/Plan.
|-
| [d] organizational officials to whom incidents are to be reported are identified. || Document || Incident Response SOP/Plan.
|-
| [e] identified authorities are notified of incidents. || Screen Share || Prior incident report; DIBNET login; prior email notifications.
|-
| [f] identified organizational officials are notified of incidents. || Artifact || Prior incident report; prior email notifications; tabletop exercises.
|}

IR.L2-3.6.3 – Incident Response Testing

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | IR.L2-3.6.3 Test the organizational incident response capability.
|-
| [a] the incident response capability is tested. || Artifact || Incident response tabletop exercise, scheduled or unscheduled test, or penetration test.
|}

Maintenance (MA)

MA.L2-3.7.1 – Perform Maintenance

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MA.L2-3.7.1 Perform maintenance on organizational systems.
|-
| [a] system maintenance is performed. || Artifact || Establish the typical maintenance activities that are performed (HVAC, UPS, power distribution, generators, copier maintenance); maintenance agreements or contracts detailing these types of activities are acceptable; interview responses should be considered. This requirement should not be confused with 3.14.1, which covers reporting, remediating, and correcting system flaws in a timely manner (patch management).
|}

MA.L2-3.7.2 – System Maintenance Control

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MA.L2-3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
|-
| [a] tools used to conduct system maintenance are controlled. || Artifact || Tools may largely depend on the assessed environment; discussion examples include network diagnostic and monitoring tools (including hardware and software). Artifacts could demonstrate secured locations/areas for these tools (photos) or checkout sheets/rosters (documents) depicting responsible personnel and the dates/times of checkout.
|-
| [b] techniques used to conduct system maintenance are controlled. || Artifact || Processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system.
|-
| [c] mechanisms used to conduct system maintenance are controlled. || Artifact || Processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system.
|-
| [d] personnel used to conduct system maintenance are controlled. || Physical Review || Screenshot of who is authorized to conduct maintenance; maintenance personnel training program.
|}

MA.L2-3.7.3 – Equipment Sanitization

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
|-
| [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. || Artifact || Document or artifact; record of whether equipment was sanitized; categories of sanitization/destruction defined; sanitization procedural document.
|}

MA.L2-3.7.4 – Media Inspection

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
|-
| [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. || Artifact || Screenshot of the diagnostic/test program being used (such as Symantec and McAfee on-access scans…).
|}

MA.L2-3.7.5 – Nonlocal Maintenance

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
|-
| [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. || Screen Share || Describe the MFA used to connect remotely from an external service to organizational systems for maintenance, with a screenshot of the MFA (see 3.5.3; points associated with admin).
|-
| [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. || Screen Share || Screenshot of VPN session timeout.
|}

MA.L2-3.7.6 – Maintenance Personnel

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
|-
| [a] maintenance personnel without required access authorization are supervised during maintenance activities. || Document || System maintenance policy; list of authorized personnel; maintenance records or contracts/SLAs; WebEx.
|}

Media Protection (MP)

MP.L2-3.8.1 – Media Protection

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
|-
| [a] paper media containing CUI is physically controlled. || Document || Policy showing CUI paper media is controlled; artifact showing who has access; artifacts/records of inventories conducted; media check-out procedures (e.g. file cabinets, encryption, password protection).
|-
| [b] digital media containing CUI is physically controlled. || Document || Policy showing CUI digital media is controlled; artifact showing who has access; artifacts/records of inventories conducted; media check-out procedures (e.g. file cabinets, external drives, USBs, encryption, password protection).
|-
| [c] paper media containing CUI is securely stored. || Physical Review || Check-out/sign-out sheets; possible photo of storage container or video walk-through of storage area; badge reader logs or access lists for keys to secured areas; interview response considered (e.g. file cabinets, encryption, password protection).
|-
| [d] digital media containing CUI is securely stored. || Physical Review || Check-out/sign-out sheets; possible photo of storage container or video walk-through of storage area; badge reader logs or access lists for keys to secured areas; interview response considered (e.g. file cabinets, external drives, USBs, encryption, password protection).
|}

MP.L2-3.8.2 – Media Access

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.2 Limit access to CUI on system media to authorized users.
|-
| [a] access to CUI on system media is limited to authorized users. || Artifact || Document describing how access to CUI is limited AND an artifact showing that the principle of least access is implemented.
|}

MP.L2-3.8.3 – Media Disposal [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
|-
| [a] system media containing CUI is sanitized or destroyed before disposal. || Document || Policy or artifact of media destruction logs; certificates of destruction; SLAs or contracts.
|-
| [b] system media containing CUI is sanitized before it is released for reuse. || Document || Policy or artifact describing the sanitization method and software used (e.g. DoD Wipe, ShredIT and Iron Mountain, Blancco, GDisk, DBAN).
|}

MP.L2-3.8.4 – Media Markings

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.4 Mark media with necessary CUI markings and distribution limitations.
|-
| [a] media containing CUI is marked with applicable CUI markings. || Physical Review || Document or artifact showing CUI markings (e.g. labeling standards).
|-
| [b] media containing CUI is marked with distribution limitations. || Physical Review || Document or artifact showing distribution limitations (e.g. labeling standards).
|}

MP.L2-3.8.5 – Media Accountability

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
|-
| [a] access to media containing CUI is controlled. || Document || Policy; artifact of audit logs showing tracking; Access Control Lists; records of transport activities (e.g. USB drives, CDs; chain of custody).
|-
| [b] accountability for media containing CUI is maintained during transport outside of controlled areas. || Artifact || Artifact of audit logs showing tracking; Access Control Lists; records of transport activities (e.g. USB drives, CDs; chain of custody).
|}

MP.L2-3.8.6 – Portable Storage Encryption

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
|-
| [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. || Artifact || Artifact showing the cryptographic mechanisms used for protection (are they FIPS 140-2 validated? [13.11]); artifact showing what alternative physical safeguards are in place (e.g. encryption, BitLocker, McAfee).
|}

MP.L2-3.8.7 – Removable Media

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.7 Control the use of removable media on system components.
|-
| [a] the use of removable media on system components is controlled. || Artifact || Policy showing whether removable media is allowed; writable removable media is restricted; tracking artifacts; what tools are used (e.g. Carbon Black, Crowd Strike, GPO, Zoho Desktop Central); procedure/process describing what happens if media is lost; what mechanisms are in place to control/restrict removable media (e.g. Active Directory groups and a Group Policy artifact showing the restriction).
|}

MP.L2-3.8.8 – Shared Media

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
|-
| [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. || Artifact || Policy and/or artifact showing the company stance on portable storage devices with no identifiable owner (are personal USB devices allowed, or must they be company-issued?); artifact showing alerts when a device is connected to the network (e.g. external HDD, Carbon Black, Crowd Strike, GPO, Zoho Desktop Central).
|}

MP.L2-3.8.9 – Protect Backups

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | MP.L2-3.8.9 Protect the confidentiality of backup CUI at storage locations.
|-
| [a] the confidentiality of backup CUI is protected at storage locations. || Artifact || Policy on system backups; artifact showing media labeling; artifact showing encryption (is it FIPS 140-2 validated? [13.11]); Access Control List artifact (e.g. backup tapes, Tivoli Storage Manager).
|}

Personnel Security (PS)

PS.L2-3.9.1 – Screen Individuals

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
|-
| [a] individuals are screened prior to authorizing access to organizational systems containing CUI. || Artifact || Screenshot of records of screened personnel/background checks.
|}

PS.L2-3.9.2 – Personnel Actions

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
|-
| [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. || Document || Personnel security policy/procedures/instruction; access control policy/procedure/instruction.
|-
| [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer. || Artifact || Screenshot of records of personnel transfer and termination actions.
|-
| [c] the system is protected during and after personnel transfer actions. || Artifact || Completed out-processing checklist.
|}

Physical Protection (PE)

PE.L2-3.10.1 – Limit Physical Access [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PE.L2-3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
|-
| [a] authorized individuals allowed physical access are identified. || Artifact || Authorized personnel (names) access list.
|-
| [b] physical access to organizational systems is limited to authorized individuals. || Physical Review || Badge reader logs, audit logs, and/or card swipe test.
|-
| [c] physical access to equipment is limited to authorized individuals. || Physical Review || Badge reader logs, audit logs, and/or card swipe test.
|-
| [d] physical access to operating environments is limited to authorized individuals. || Physical Review || Badge reader logs, audit logs, and/or card swipe test.
|}

PE.L2-3.10.2 – Monitor Facility

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
|-
| [a] the physical facility where organizational systems reside is protected. || Physical Review || Physical security measures and barriers at entry points to the physical facility (cameras, locks, gates, guards, etc.).
|-
| [b] the support infrastructure for organizational systems is protected. || Physical Review || Physical barriers at entries to computer spaces, server rooms, etc.
|-
| [c] the physical facility where organizational systems reside is monitored. || Physical Review || Audit logs and how the physical facility is being monitored (cameras, access system, guards, etc.).
|-
| [d] the support infrastructure for organizational systems is monitored. || Physical Review || Audit logs and how the support infrastructure is being monitored (cameras, access system, guards, etc.).
|}

PE.L2-3.10.3 – Escort Visitors [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PE.L2-3.10.3 Escort visitors and monitor visitor activity.
|-
| [a] visitors are escorted. || Physical Review || Policy/procedures/instruction on the methodology for handling non-authorized personnel (entry to exit).
|-
| [b] visitor activity is monitored. || Physical Review || Policy/procedures/instruction on the methodology for handling non-authorized personnel (entry to exit).
|}

PE.L2-3.10.4 – Physical Access Logs [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PE.L2-3.10.4 Maintain audit logs of physical access.
|-
| [a] audit logs of physical access are maintained. || Artifact || Log or report from the badging system.
|}

PE.L2-3.10.5 – Manage Physical Access [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PE.L2-3.10.5 Control and manage physical access devices.
|-
| [a] physical access devices are identified. || Document || Physical access control systems description, guard force contract/policy, key locks, logical systems specifications, etc.
|-
| [b] physical access devices are controlled. || Physical Review || Inventory records of physical access control devices (e.g. keys, locks, card readers, etc.).
|-
| [c] physical access devices are managed. || Physical Review || List of security safeguards controlling access to the facility (e.g. cameras, monitoring by guards, isolation of IT systems equipment and/or system components).
|}

PE.L2-3.10.6 – Alternative Work Sites

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.
|-
| [a] safeguarding measures for CUI are defined for alternate work sites. || Document || Telework agreement, Acceptable Use Policy, and SOP for alternate work locations; user security training validation that includes physical/logical/technical protections of the system at alternate work sites.
|-
| [b] safeguarding measures for CUI are enforced for alternate work sites. || Artifact || Monitoring/audit log of user activity and the logical/physical/technical mechanisms in place to preclude unauthorized activity (telework agreement, AUP).
|}

Risk Assessment (RA)

RA.L2-3.11.1 – Risk Assessments

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
|-
| [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. || Document || Risk assessment policy.
|-
| [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. || Artifact || Copy of the last risk assessment, completed within the defined frequency.
|}

RA.L2-3.11.2 – Vulnerability Scan

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
|-
| [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined. || Document || Policy/procedures/instruction addressing vulnerability scanning records.
|-
| [b] vulnerability scans are performed on organizational systems with the defined frequency. || Screen Share || System configuration settings for vulnerability scan scheduling, and vulnerability scan results for systems within the defined frequency.
|-
| [c] vulnerability scans are performed on applications with the defined frequency. || Screen Share || System configuration settings for vulnerability scan scheduling, and vulnerability scan results for applications within the defined frequency.
|-
| [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified. || Screen Share || View signatures in the scanning tool and the ad hoc scan performed as a result.
|-
| [e] vulnerability scans are performed on applications when new vulnerabilities are identified. || Screen Share || View signatures in the scanning tool and the ad hoc scan performed as a result.
|}

RA.L2-3.11.3 – Vulnerability Remediation

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.
|-
| [a] vulnerabilities are identified. || Artifact || Scan results showing identified vulnerabilities.
|-
| [b] vulnerabilities are remediated in accordance with risk assessments. || Artifact || Screenshot/document of scan results showing vulnerabilities remediated in accordance with risk assessments.
|}

Security Assessment (CA)

CA.L2-3.12.1 – Security Control Assessment

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
|-
| [a] the frequency of security control assessments is defined. || Document || SSP.
|-
| [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application. || Artifact || Copy of the last security control assessment, completed within the defined frequency.
|}

CA.L2-3.12.2 – Operational Plan of Action

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
|-
| [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified. || Artifact || Plan of Action (POA).
|-
| [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. || Artifact || Plan of Action (POA).
|-
| [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. || Artifact || Plan of Action (POA) and previously completed POAs.
|}

CA.L2-3.12.3 – Security Control Monitoring

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
|-
| [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. || Artifact || Collection of risk assessment results, internal or third-party audits/security assessments, and/or continuous monitoring reports/alerts (SIEM tool, etc.).
|}

CA.L2-3.12.4 – System Security Plan

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | CA.L2-3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
|-
| [a] a system security plan is developed. || Document || SSP.
|-
| [b] the system boundary is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [c] the system environment of operation is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [d] the security requirements identified and approved by the designated authority as non-applicable are identified. || Document || SSP and the required adjudication from DoD CIO.
|-
| [e] the method of security requirement implementation is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [f] the relationship with or connection to other systems is described and documented in the system security plan. || Document || SSP and any supporting documentation.
|-
| [g] the frequency to update the system security plan is defined. || Document || SSP.
|-
| [h] system security plan is updated with the defined frequency. || Document || SSP and any previous versions.
|}

System and Communications Protection (SC)

SC.L2-3.13.1 – Boundary Protection [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
|-
| [a] the external system boundary is defined. || Document || SSP, network diagrams, CUI flow, cloud provider FedRAMP Moderate authorization.
|-
| [b] key internal system boundaries are defined. || Document || SSP, network diagrams, CUI flow.
|-
| [c] communications are monitored at the external system boundary. || Screen Share || SSP, logging server, boundary device configurations, monitoring policy.
|-
| [d] communications are monitored at key internal boundaries. || Screen Share || SSP, logging server, boundary device configurations, monitoring policy.
|-
| [e] communications are controlled at the external system boundary. || Screen Share || SSP, boundary device configurations, ACL, subnets, DMZ.
|-
| [f] communications are controlled at key internal boundaries. || Screen Share || SSP, boundary device configurations, ACL, subnets.
|-
| [g] communications are protected at the external system boundary. || Screen Share || Configurations for IPS/IDS, email gateway, VLAN, proxy, firewall, malware protection, DNS, TLS.
|-
| [h] communications are protected at key internal boundaries. || Screen Share || Configurations for IPS/IDS, VLAN, firewall, malware protection, TLS.
|}

SC.L2-3.13.2 – Security Engineering

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
|-
| [a] architectural designs that promote effective information security are identified. || Document || SSP, configuration management policy, network diagram, CCB minutes, enterprise architecture process.
|-
| [b] software development techniques that promote effective information security are identified. || Document || SSP, configuration management policy, SDLC, CCB minutes.
|-
| [c] systems engineering principles that promote effective information security are identified. || Document || SSP, configuration management policy, CCB minutes, security architecture engineering.
|-
| [d] identified architectural designs that promote effective information security are employed. || Artifact || CCB minutes, network diagrams and configurations, project plans.
|-
| [e] identified software development techniques that promote effective information security are employed. || Artifact || CCB minutes, SDLC, code scanner results, code management tracking.
|-
| [f] identified systems engineering principles that promote effective information security are employed. || Artifact || CCB minutes, configuration management, ITSM, patch management, lifecycle replacement processes.
|}

SC.L2-3.13.3 – Role Separation

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.3 Separate user functionality from system management functionality.
|-
| [a] user functionality is identified. || Document || SSP, AUP.
|-
| [b] system management functionality is identified. || Document || SSP, Privileged Account Agreement.
|-
| [c] user functionality is separated from system management functionality. || Screen Share || Active Directory, jump boxes, GPO, VM, RDP.
|}

SC.L2-3.13.4 – Shared Resource Control

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
|-
| [a] unauthorized and unintended information transfer via shared system resources is prevented. || Screen Share || SSP, OS configurations, Linux containers, system/media reuse policies, certificate management policies, media destruction policies, printer configurations, VDI configuration.
|}

SC.L2-3.13.5 – Public-Access System Separation [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
|-
| [a] publicly accessible system components are identified. || Document || SSP, network diagram, DMZ inventory/roles.
|-
| [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. || Artifact || Network diagram, IPAM, VLAN, DHCP, DMZ.
|}

SC.L2-3.13.6 – Network Communication by Exception

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
|-
| [a] network communications traffic is denied by default. || Screen Share || Host and network firewall rules, SIEM logs, rule hit counts.
|-
| [b] network communications traffic is allowed by exception. || Screen Share || Host and network firewall rules, SIEM logs, rule hit counts.
|}
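During a screen share for SC.L2-3.13.6 the assessor wants two things from a host firewall: that every built-in chain's default policy is a deny, and that each ACCEPT rule is a deliberate exception that actually carries traffic (a zero hit count is a rule nobody has justified). The script below is an added example, not code from the CMMC Toolkit Wiki or from any DIBCAC tool. It parses a CONSTRUCTED ruleset laid out like `iptables -L -v -n` output so it runs offline; on a real host the captured output of `sudo iptables -L -v -n` (and `ip6tables`) is fed in instead. The treatment of OUTPUT as a chain that should also be deny-by-default is the author's assumption; the SSP's scope statement governs.

```python
"""Audit an iptables ruleset for deny-by-default / allow-by-exception (SC.L2-3.13.6).

Added example, not code from the CMMC Toolkit Wiki or from any DIBCAC tool.
SAMPLE_IPTABLES is CONSTRUCTED text in the layout of `iptables -L -v -n`
(counters included) so the audit runs offline.
"""
import re
from dataclasses import dataclass, field

SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 1532 packets, 98304 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8842  612K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4211  301K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  120  7200 ACCEPT     tcp  --  *      *       10.10.5.0/24         0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9912 packets, 1200K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
USER_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
DENY_TARGETS = {"DROP", "REJECT"}


@dataclass
class Rule:
    pkts: int        # packets matched since the counters were last zeroed
    target: str      # ACCEPT, DROP, REJECT, LOG, a user chain, ...
    proto: str
    in_if: str       # ingress interface ("*" = any)
    src: str
    dst: str
    match: str       # trailing match text, e.g. "tcp dpt:22"


@dataclass
class Chain:
    name: str
    policy: str      # default action when no rule matched; None for user-defined chains
    policy_pkts: int
    rules: list = field(default_factory=list)


def parse_count(token: str) -> int:
    """iptables abbreviates large counters (612K, 1200K, 3M); expand them."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in mult:
        return int(float(token[:-1]) * mult[token[-1]])
    return int(token)


def parse_iptables(text: str) -> dict:
    chains, current = {}, None
    for line in text.splitlines():
        m = BUILTIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), parse_count(m.group(3)))
            chains[current.name] = current
            continue
        m = USER_RE.match(line)
        if m:                                   # user-defined chain: no default policy
            current = Chain(m.group(1), None, 0)
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        # columns: pkts bytes target prot opt in out source destination [match...]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        current.rules.append(Rule(parse_count(parts[0]), parts[2], parts[3], parts[5],
                                  parts[7], parts[8], parts[9] if len(parts) > 9 else ""))
    return chains


def audit(chains: dict) -> list:
    """Return human-readable findings; an empty list means the ruleset passed the screen."""
    findings = []
    for ch in chains.values():
        if ch.policy is not None and ch.policy not in DENY_TARGETS:
            findings.append(f"{ch.name}: default policy is {ch.policy}, not deny-by-default")
        for r in ch.rules:
            if r.target != "ACCEPT":
                continue
            desc = f"{r.proto} in={r.in_if} {r.src}->{r.dst} {r.match}".strip()
            if r.pkts == 0:
                findings.append(f"{ch.name}: exception '{desc}' has zero hits; confirm it is still needed")
            # a stateful return-traffic rule is fine; a new-connection allow from anywhere is not
            if r.src == "0.0.0.0/0" and r.in_if == "*" and "ESTABLISHED" not in r.match:
                findings.append(f"{ch.name}: exception '{desc}' accepts new traffic from any source")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_iptables(SAMPLE_IPTABLES)):
        print(finding)
```

On the constructed ruleset the audit reports FORWARD and OUTPUT as not deny-by-default and flags the port 8080 rule twice: it has never matched a packet, and it accepts new connections from any source. Those four lines, with the raw `iptables -L -v -n` capture they came from, are the kind of artifact that supports objectives [a] and [b] together.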

SC.L2-3.13.7 – Split Tunneling

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
|-
| [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). || Screen Share || VPN appliance/server configuration, endpoint VPN software configuration.
|}

SC.L2-3.13.8 – Data in Transit

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
|-
| [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. || Document || SSP, PKI policies, configuration processes, configuration management, email attachment encryption policy, removable media policy, data at rest policy.
|-
| [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. || Document || SSP, physical security policy.
|-
| [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. || Screen Share || TLS settings (including confirmation that legacy SSL versions are disabled), VPN/wireless access point/mobile device cryptographic settings, ODBC connector settings, SAN configuration, IPsec/MPLS, backup configuration, physical security.
|}

SC.L2-3.13.9 – Connections Termination

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
|-
| [a] a period of inactivity to terminate network connections associated with communications sessions is defined. || Document || SSP, network communications policy.
|-
| [b] network connections associated with communications sessions are terminated at the end of the sessions. || Screen Share || VPN appliance/server logs, VPN configurations, web server configurations, firewall connection settings.
|-
| [c] network connections associated with communications sessions are terminated after the defined period of inactivity. || Screen Share || VPN appliance/server logs, VPN configurations, web server configurations, firewall connection settings.
|}
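Configuration screenshots show the idle timeout that is configured; the logs show whether it is enforced. The check below is an added example for objectives [b] and [c], not code from the CMMC Toolkit Wiki or from any VPN vendor. It walks a CONSTRUCTED session log in a generic `key=value` layout (a real check parses the appliance's own syslog format) and reports every session that stayed open longer than the defined inactivity period after its last activity, whether it eventually disconnected or is still open at the time of review. The 15-minute limit is an ASSUMED value standing in for whatever the SSP defines.

```python
"""Verify sessions end at logout or within the defined idle period (SC.L2-3.13.9 [b]/[c]).

Added example, not code from the CMMC Toolkit Wiki or from any VPN vendor.
SAMPLE_LOG is CONSTRUCTED; IDLE_LIMIT is an ASSUMED stand-in for the SSP value.
"""
from datetime import datetime, timedelta, timezone

IDLE_LIMIT = timedelta(minutes=15)   # ASSUMED: the inactivity period the SSP defines

SAMPLE_LOG = """\
2024-05-01T08:00:00Z session=1001 user=alice event=connect
2024-05-01T08:05:00Z session=1001 user=alice event=activity
2024-05-01T08:20:00Z session=1001 user=alice event=disconnect reason=idle-timeout
2024-05-01T09:00:00Z session=1002 user=bob event=connect
2024-05-01T09:10:00Z session=1002 user=bob event=activity
2024-05-01T09:12:00Z session=1002 user=bob event=disconnect reason=user-logout
2024-05-01T10:00:00Z session=1003 user=carol event=connect
2024-05-01T10:02:00Z session=1003 user=carol event=activity
2024-05-01T11:30:00Z session=1003 user=carol event=disconnect reason=idle-timeout
2024-05-01T12:00:00Z session=1004 user=dave event=connect
2024-05-01T12:01:00Z session=1004 user=dave event=activity
"""


def parse_ts(text: str) -> datetime:
    """Parse the log's UTC timestamp ('2024-05-01T08:00:00Z') into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log_text: str) -> dict:
    """Group events per session id: user, last activity, disconnect time and reason."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        when = parse_ts(ts)
        s = sessions.setdefault(rec["session"], {"user": rec["user"], "last_activity": None,
                                                  "disconnect": None, "reason": None})
        if rec["event"] in ("connect", "activity"):
            if s["last_activity"] is None or when > s["last_activity"]:
                s["last_activity"] = when
        elif rec["event"] == "disconnect":
            s["disconnect"], s["reason"] = when, rec.get("reason")
    return sessions


def check_sessions(sessions: dict, as_of: datetime, idle_limit: timedelta = IDLE_LIMIT) -> dict:
    """Return {session_id: finding} for every session that outlived the idle limit.

    A session that disconnected at logout, or whose idle-timeout fired within the
    limit, produces no finding. A session with no disconnect is measured up to as_of.
    """
    findings = {}
    for sid, s in sessions.items():
        end = s["disconnect"] or as_of
        idle = end - s["last_activity"]
        if idle > idle_limit:
            state = "still open" if s["disconnect"] is None else f"terminated ({s['reason']})"
            findings[sid] = f"{s['user']}: {state}, {idle} since last activity exceeds {idle_limit}"
    return findings


if __name__ == "__main__":
    for sid, msg in check_sessions(parse_sessions(SAMPLE_LOG), parse_ts("2024-05-01T12:30:00Z")).items():
        print(sid, msg)
```

Reviewed at 12:30, the constructed log yields two findings: session 1003 was idle for 88 minutes before the appliance timed it out (the configured limit is not what is being enforced), and session 1004 has been idle for 29 minutes and is still open. Session 1001 timed out at exactly 15 minutes and session 1002 ended with a user logout, so neither is reported.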

SC.L2-3.13.10 – Key Management

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems.
|-
| [a] cryptographic keys are established whenever cryptography is employed. || Artifact || SSP, PKI/certificate management policy, configuration management.
|-
| [b] cryptographic keys are managed whenever cryptography is employed. || Artifact || SSP, PKI/certificate management policy, configuration management, access control policy.
|}

SC.L2-3.13.11 – CUI Encryption

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
|-
| [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI. || Screen Share || VPN, wireless, mobile devices, client certificates, server certificates, disk encryption, Outlook plugin, external mail, backup media, ePO server, removable storage, SAN, file compression; look for FIPS mode enabled on appliances.
|}
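"FIPS mode enabled" is a property of the cryptographic module, evidenced by its CMVP certificate and the module's own FIPS flag; no list of cipher suite names can establish it. What a cipher list can do, during the SC.L2-3.13.8 [c] and SC.L2-3.13.11 screen share, is expose suites that rely on algorithms the FIPS-approved set does not contain, which is a quick way to find a system that cannot be running in FIPS mode. The script below is an added example, not code from the CMMC Toolkit Wiki; it lists what this host's Python/OpenSSL build would actually offer, screens the names against an ASSUMED token list (ChaCha20, RC4, DES/3DES, Camellia, ARIA, SEED, IDEA, MD5, NULL, export and anonymous suites), and reads the Linux kernel FIPS flag where it exists.

```python
"""Screen enabled TLS cipher suites for non-FIPS-approved algorithms (SC.L2-3.13.8 [c], SC.L2-3.13.11).

Added example, not code from the CMMC Toolkit Wiki. Matching suite names is a
screening step only: FIPS validation belongs to the module, not to the names.
"""
import ssl
from pathlib import Path

# Name tokens that do not occur in FIPS-approved suites. This list is the
# author's ASSUMPTION for the screen, not an official table.
NON_APPROVED_TOKENS = ("CHACHA20", "RC4", "RC2", "DES", "IDEA", "SEED", "CAMELLIA",
                       "ARIA", "MD5", "NULL", "EXP", "ADH", "AECDH")


def screen_suites(names) -> dict:
    """Return {suite_name: offending_token} for every suite that should be disabled.

    Handles both OpenSSL-style names (ECDHE-RSA-DES-CBC3-SHA) and IANA-style
    TLS 1.3 names (TLS_CHACHA20_POLY1305_SHA256) by splitting on '-' and '_'.
    """
    flagged = {}
    for name in names:
        tokens = name.upper().replace("-", "_").split("_")
        for bad in NON_APPROVED_TOKENS:
            if any(t.startswith(bad) for t in tokens):
                flagged[name] = bad
                break
    return flagged


def enabled_suites(context: ssl.SSLContext = None) -> list:
    """Suite names this Python/OpenSSL build would offer for the given (or default) context."""
    ctx = context or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


def linux_fips_mode():
    """True/False from the kernel's FIPS flag; None where the file does not exist (non-Linux)."""
    flag = Path("/proc/sys/crypto/fips_enabled")
    return flag.read_text().strip() == "1" if flag.exists() else None


if __name__ == "__main__":
    print("kernel FIPS mode:", linux_fips_mode())
    for suite, token in screen_suites(enabled_suites()).items():
        print(f"disable {suite}: uses {token}")
```

Two caveats a practitioner will hit: `SSLContext.set_ciphers()` only governs TLS 1.2 and earlier, so `TLS_CHACHA20_POLY1305_SHA256` keeps appearing in `enabled_suites()` until the OpenSSL configuration or provider removes it; and an OpenSSL running with its FIPS provider refuses those algorithms at handshake time even if the names are still listed, which this screen cannot see. The screen output plus the module's FIPS flag and CMVP certificate number make the artifact; any one of them alone does not.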

SC.L2-3.13.12 – Collaborative Device Control

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
|-
| [a] collaborative computing devices are identified. || Document || SSP, network diagrams.
|-
| [b] collaborative computing devices provide indication to users of devices in use. || Physical Review || Physical inspection of the device.
|-
| [c] remote activation of collaborative computing devices is prohibited. || Screen Share || Collaboration device configuration/console.
|}

SC.L2-3.13.13 – Mobile Code

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.13 Control and monitor the use of mobile code.
|-
| [a] use of mobile code is controlled. || Screen Share || GPO settings, malware protection, software agent configurations, software development policies, code scanners, MDM configuration, firewall/secure web gateway/proxy configuration.
|-
| [b] use of mobile code is monitored. || Screen Share || SIEM/console monitoring.
|}

SC.L2-3.13.14 – Voice over Internet Protocol

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
|-
| [a] use of Voice over Internet Protocol (VoIP) technologies is controlled. || Artifact || VLAN, ACL, firewall configuration, VoIP gateway/condenser configuration.
|-
| [b] use of Voice over Internet Protocol (VoIP) technologies is monitored. || Artifact || SIEM/VoIP console monitoring, session border controller.
|}

SC.L2-3.13.15 – Communications Authenticity

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.15 Protect the authenticity of communications sessions.
|-
| [a] the authenticity of communications sessions is protected. || Screen Share || TLS (with legacy SSL versions disabled), SMB3, SFTP, IPsec, SSH, Kerberos configurations, MPLS, Network Access Control.
|}

SC.L2-3.13.16 – Data at Rest

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SC.L2-3.13.16 Protect the confidentiality of CUI at rest.
|-
| [a] the confidentiality of CUI at rest is protected. || Artifact || Full disk encryption, removable media encryption, SAN encryption, digital backups, mobile device encryption, third-party offsite backup storage, cloud virtualization encryption, physical media storage policies.
|}

System and Information Integrity (SI)

SI.L2-3.14.1 – Flaw Remediation [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
|-
| [a] the time within which to identify system flaws is specified. || Document || SSP, patch management policy.
|-
| [b] system flaws are identified within the specified time frame. || Screen Share || Vulnerability management scanner output and scan policy configuration.
|-
| [c] the time within which to report system flaws is specified. || Document || SSP, patch management policy.
|-
| [d] system flaws are reported within the specified time frame. || Screen Share || ITSM/trouble tickets, vulnerability management scanner output.
|-
| [e] the time within which to correct system flaws is specified. || Document || SSP, patch management policy.
|-
| [f] system flaws are corrected within the specified time frame. || Screen Share || Vulnerability management scanner output and scan policy configuration.
|}
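Scanner output alone shows which flaws exist; objective [f] needs the elapsed time from first detection to correction set against the deadline the policy defines for that severity. The script below is an added example, not code from the CMMC Toolkit Wiki or from any scanner vendor. It reads a CONSTRUCTED CSV in the generic shape most scanners can export (host, finding, severity, first-seen date, fixed date) and labels each finding as met, late, open, or overdue as of a review date; the per-severity deadlines in SLA_DAYS are ASSUMED values standing in for the organization's patch management policy.

```python
"""Measure remediation timeliness from a vulnerability-scanner export (SI.L2-3.14.1 [e]/[f]).

Added example, not code from the CMMC Toolkit Wiki or from any scanner vendor.
SAMPLE_EXPORT is CONSTRUCTED; SLA_DAYS are ASSUMED stand-ins for policy deadlines.
"""
import csv
import io
from datetime import date

# ASSUMED: days allowed from identification to correction, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

SAMPLE_EXPORT = """\
host,finding,severity,first_seen,fixed_on
web01,F-101,critical,2024-03-01,2024-03-05
web01,F-102,high,2024-03-01,2024-04-15
db01,F-103,medium,2024-02-10,
fs01,F-104,low,2023-09-01,2024-02-01
db01,F-105,critical,2024-03-20,
"""


def evaluate(export_text: str, as_of, sla_days: dict = SLA_DAYS) -> list:
    """Return one record per finding with days open and its SLA status.

    status: met     fixed within the deadline
            late    fixed, but after the deadline
            open    not fixed, deadline not yet reached as of as_of
            overdue not fixed and past the deadline as of as_of
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    results = []
    for row in csv.DictReader(io.StringIO(export_text)):
        sev = row["severity"].strip().lower()
        if sev not in sla_days:
            raise ValueError(f"{row['finding']}: no deadline defined for severity {sev!r}")
        first = date.fromisoformat(row["first_seen"])
        fixed = date.fromisoformat(row["fixed_on"]) if row["fixed_on"].strip() else None
        days_open = ((fixed or as_of) - first).days
        within = days_open <= sla_days[sev]
        status = ("met" if within else "late") if fixed else ("open" if within else "overdue")
        results.append({"host": row["host"], "finding": row["finding"], "severity": sev,
                        "days_open": days_open, "deadline_days": sla_days[sev], "status": status})
    return results


def summarize(results: list) -> dict:
    """Headline numbers for the assessment record: closed findings, SLA hit rate, overdue backlog."""
    closed = [r for r in results if r["status"] in ("met", "late")]
    met = sum(r["status"] == "met" for r in closed)
    return {"closed": len(closed), "met_sla": met,
            "overdue_open": sum(r["status"] == "overdue" for r in results),
            "sla_rate": round(met / len(closed), 3) if closed else None}


if __name__ == "__main__":
    rows = evaluate(SAMPLE_EXPORT, "2024-04-20")
    for r in rows:
        print(f"{r['finding']:6} {r['severity']:8} {r['days_open']:4}d / {r['deadline_days']}d  {r['status']}")
    print(summarize(rows))
```

As of 2024-04-20 the constructed export gives two findings fixed in time, one high fixed 15 days late, one medium still within its window, and one critical open 31 days against a 7-day deadline. The overdue critical is the line an assessor will ask about first; the scanner capture, the policy page that defines the deadlines, and this table together support objectives [e] and [f].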

SI.L2-3.14.2 – Malicious Code Protection [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
|-
| [a] designated locations for malicious code protection are identified. || Document || SSP, system protection policy, network diagrams, security architecture documents.
|-
| [b] protection from malicious code at designated locations is provided. || Screen Share || Endpoint security settings, email/web proxy gateways, firewall, IPS sensor, MDM configuration, Network Access Control.
|}

SI.L2-3.14.3 – Security Alerts & Advisories

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.3 Monitor system security alerts and advisories and take action in response.
|-
| [a] response actions to system security alerts and advisories are identified. || Document || SSP, vulnerability management policy, Incident Response Plan.
|-
| [b] system security alerts and advisories are monitored. || Artifact || Threat intelligence subscriptions, email advisories.
|-
| [c] actions in response to system security alerts and advisories are taken. || Artifact || ITSM/trouble tickets, user notifications, updates to firewall/IPS, etc.
|}

SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.4 Update malicious code protection mechanisms when new releases are available.
|-
| [a] malicious code protection mechanisms are updated when new releases are available. || Screen Share || Antivirus console dashboard, firewall AV, email gateway signatures, proxy, IPS updates.
|}

SI.L2-3.14.5 – System & File Scanning [CUI Data]

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
|-
| [a] the frequency for malicious code scans is defined. || Document || SSP, vulnerability management policy.
|-
| [b] malicious code scans are performed with the defined frequency. || Screen Share || Consoles for AV (endpoints, servers, and file shares), firewall, email gateway, proxy, IPS, MDM configurations.
|-
| [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. || Screen Share || Consoles for AV (endpoints, servers, and file shares), firewall, email gateway, proxy, IPS, MDM configurations.
|}

SI.L2-3.14.6 – Monitor Communications for Attacks

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
|-
| [a] the system is monitored to detect attacks and indicators of potential attacks. || Screen Share || Firewall, IPS, endpoint protection, SIEM alerts and reports.
|-
| [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks. || Screen Share || Firewall, IPS, endpoint protection, SIEM alerts and reports.
|-
| [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks. || Screen Share || Firewall, IPS, endpoint protection, SIEM alerts and reports.
|}

SI.L2-3.14.7 – Identify Unauthorized Use

{| class="wikitable"
! Assessment Objectives !! Collection Approach !! Evidence Examples
|-
| colspan="3" | SI.L2-3.14.7 Identify unauthorized use of organizational systems.
|-
| [a] authorized use of the system is defined. || Document || AUP, SSP.
|-
| [b] unauthorized use of the system is identified. || Artifact || SIEM logs, endpoint protection console, IPS, firewall.
|}