Level 2 Assessment Guide

From CMMC Toolkit Wiki

Revision as of 00:47, 21 February 2022

Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - Authorized Access Control

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

AC.L1-3.1.2 - Transaction & Function Control

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.

AC.L1-3.1.20 - External Connections

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

AC.L1-3.1.22 - Control Public Information

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.

Level 2 AC Practices

AC.L2-3.1.3 - Control CUI Flow

SECURITY REQUIREMENT

Control the flow of CUI in accordance with approved authorizations.

ASSESSMENT OBJECTIVES
[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.

Awareness and Training (AT)

Level 2 AT Practices

Audit and Accountability (AU)

Level 2 AU Practices

Configuration Management (CM)

Level 2 CM Practices

Identification and Authentication (IA)

Level 1 IA Practices

Level 2 IA Practices

Incident Response (IR)

Level 2 IR Practices

Maintenance (MA)

Level 2 MA Practices

Media Protection (MP)

Level 1 MP Practices

Level 2 MP Practices

Personnel Security (PS)

Level 2 PS Practices

Physical Protection (PE)

Level 1 PE Practices

Level 2 PE Practices

Risk Assessment (RA)

Level 2 RA Practices

Security Assessment (CA)

Level 2 CA Practices

System and Communications Protection (SC)

Level 1 SC Practices

Level 2 SC Practices

System and Information Integrity (SI)

Level 1 SI Practices

Level 2 SI Practices