Revision as of 03:53, 24 March 2025

Source of Reference: The official CMMC Level 3 Assessment Guide Version 2.13, September 2024 from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

NOTICES

The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing CMMC requirements under the law or departmental policies.

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

Introduction

This document provides guidance in the preparation for and conduct of a Level 3 certification assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in section 170.18 of title 32, Code of Federal Regulations (CFR). Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in CMMC Assessment Guide – Level 1. Guidance for conducting both a Level 2 self-assessment and Level 2 certification assessment, can be found in CMMC Assessment Guide – Level 2. More details on the model can be found in the CMMC Model Overview document.

An Assessment as defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system, or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18. A Level 3 certification assessment as defined in 32 CFR § 170.4 is the activity performed by the Department of Defense (DoD) to evaluate the CMMC level of an Organization Seeking Certification (OSC). For Level 3, assessments are conducted exclusively by the DCMA DIBCAC.

An OSC seeking a Level 3 certification assessment must have first achieved a CMMC Status of Final Level 2 (C3PAO), as set forth in 32 CFR § 170.18(a), for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR § 170.14(c)(4). This is followed by the Level 3 certification assessment conducted by the DCMA DIBCAC.

OSCs may also use this guide to perform Level 3 self-assessments (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a Level 3 certification assessment. Only the results from an assessment by DCMA DIBCAC are considered for award of the CMMC Statuses Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC). Level 3 reporting and affirmation requirements can be found in 32 CFR § 170.18 and 32 CFR § 170.22.

Level 3 Description

Level 3 consists of selected security requirements derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, with DoD-approved parameters where applicable. Level 3 only applies to systems that have already achieved a Final Level 2 (C3PAO) CMMC Status. Level 2 consists of the security requirements specified in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Like Level 2, Level 3 addresses the protection of Controlled Unclassified Information (CUI), as defined in 32 CFR § 2002.4(h):

Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Level 3 provides additional protections against advanced persistent threats (APTs), and increased assurance to the DoD that an OSC can adequately protect CUI at a level commensurate with the adversarial risk, to include protecting information flow with the government and with subcontractors in a multitier supply chain.

Purpose and Audience

This guide is intended for assessors, OSCs, cybersecurity professionals, and individuals and companies that support CMMC efforts. This document can be used as part of preparation for and conducting a Level 3 certification assessment.

Document Organization

This document is organized into the following sections:

Assessment and Certification: provides an overview of the Level 3 assessment processes set forth in 32 CFR § 170.18. It provides guidance regarding the scope requirements set forth in 32 CFR § 170.19(d).
CMMC-Custom Terms: incorporates definitions from 32 CFR § 170.4, definitions included by reference from 32 CFR § 170.2, and provides clarification of the intent and scope of specific terms as used in the context of CMMC.
Assessment Criteria and Methodology: provides guidance on the criteria and methodology (i.e., interview, examine, and test) to be employed during a Level 3 assessment, as well as on assessment findings.
Requirement Descriptions: Provides guidance specific to each Level 3 security requirement.

Assessment and Certification

The DCMA DIBCAC will use the assessment methods defined in NIST SP 800-172A^[1], Assessing Enhanced Security Requirements for Controlled Unclassified Information, along with the supplemental information in this guide to conduct Level 3 certification assessments. Assessors will review information and evidence to verify that an OSC meets the stated assessment objectives for all of the requirements.

An OSC can obtain a Level 3 certification assessment for an entire enterprise network or for specific enclave(s), depending on how the CMMC Assessment Scope is defined in accordance with 32 CFR § 170.19(d).

Assessment Scope

Prior to conducting a CMMC Level 3 certification assessment, the Level 3 CMMC Assessment Scope must be defined as addressed in 32 CFR § 170.19(d) and the CMMC Scoping Guide – Level 3 document^[2]. The CMMC Assessment Scope informs which assets within the OSC’s environment will be assessed and the details of the assessment. The OSC must have achieved a CMMC Status of Final Level 2 (C3PAO) of all systems included within the Level 3 CMMC Assessment Scope prior to requesting the Level 3 assessment, as set forth in 32 CFR § 170.18.

The Level 3 assessment scoping is based on the requirements defined in 32 CFR § 170.19(d) and supported by the CMMC Scoping Guide – Level 3 document. The CMMC Scoping Guide – Level 3 document is available on the official CMMC documentation site at https://dodcio.defense.gov/CMMC/Documentation/. If a Final Level 2 (C3PAO) CMMC Status has not already been achieved for the desired CMMC Assessment Scope, the OSC may not proceed with the Level 3 assessment.

CMMC-Custom Terms

The CMMC Program has custom terms that align with program requirements. Although some terms may have other definitions in open forums, it is important to understand these terms as they apply to the CMMC Program.

The custom terms associated with Level 3 are:

Assessment: As defined 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization defined in 32 CFR § 170.15 to 32 CFR § 170.18.
- Level 3 certification assessment is the term for the activity performed by the DCMA DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of Level 3 (DIBCAC).
- POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
Assessment Objective: Means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
Asset: Means an item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns. Understanding assets is critical to identifying the CMMC Assessment Scope; for more information see CMMC Scoping Guide – Level 3.
CMMC Assessment Scope: As defined in 32 CFR § 170.4 means the set of all assets in the OSC’s environment that will be assessed against CMMC security requirements.
CMMC Status: The result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally presented on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
- Conditional Level 3 (DIBCAC): Defined in 32 CFR § 170.18(a)(1)(ii). The OSC will achieve CMMC Status of Conditional Level 3 (DIBCAC) if a POA&M exists upon completion of the assessment and the POA&M meets all Level 3 POA&M requirements listed in 32 CFR § 170.21(a)(3).
- Final Level 3 (DIBCAC): Defined in 32 CFR § 170.18(a)(1)(iii). The OSC will achieve Final Level 3 (DIBCAC) CMMC Status for the information systems within the CMMC Assessment Scope upon implementation of all security requirements and, if applicable a POA&M closeout assessment within 180 days. Additional guidance can be found in 32 CFR §170.21.
Enduring Exception: As defined 32 CFR § 170.4 means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and Government Furnished Equipment (GFE) may be Enduring Exceptions.
Event: Any observable occurrence in a system^[3]. As described in NIST SP 800-171A^[4], the terms “information system” and “system” can be used interchangeably. Events sometimes provide indication that an incident is occurring.
Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.^[5]
Monitoring: The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an organization-defined frequency and rate.^[6]
Operational plan of action: As used in security requirement CA.L2-3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements and documents how and when they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action is not the same as a POA&M associated with an assessment.
Organization-defined: As determined by the OSC being assessed except as defined in the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of a OSC’s solution.
Organization-Defined Parameters (ODPs): Selected enhanced security requirements contain selection and assignment operations to give organizations^[7] flexibility in defining variable parts of those requirements, as defined in NIST SP 800-172A. ODPs are used in NIST SP 800-172 and NIST SP 800-172A to allow Federal agencies, in this case the DoD, to customize security requirements. Once specified, the values for the assignment and selection operations become part of the requirement and objectives, where applicable.

The assignments and selections chosen for Level 3 are underlined in the requirement statement and objectives. In some cases, further specificity of the assignment or selection will need to be made by the OSC. In those cases, the term and abbreviation ODPs is used in the assessment objectives to denote where additional definition is required.

Periodically: Means occurring at a regular interval as determined by the OSA that may not exceed one year. As used in many requirements within CMMC, the interval length is organization-defined to provide OSC flexibility, with an interval length of no more than one year.
Security Protection Data: As defined 32 CFR § 170.4 means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. Security Protection Data is security relevant information and includes, but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
System Security Plan (SSP): Means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.
Temporary deficiency: As defined 32 CFR § 170.4 means a condition where remediation of a discovered deficiency is feasible and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.

Assessment Criteria and Methodology

The CMMC Assessment Guide – Level 3 leverages the assessment procedure described in NIST SP 800-172A Section 2.1:

An assessment procedure consists of an assessment objective and a set of potential assessment methods and objects that can be used to conduct the assessment. Each assessment objective includes a set of determination statements related to the CUI enhanced security requirement that is the subject of the assessment. Organization-defined parameters (ODP) that are part of selected enhanced security requirements are included in the initial determination statements for the assessment procedure. ODPs are included since the specified parameter values are used in subsequent determination statements. ODPs are numbered sequentially and noted in bold italics.

Determination statements reflect the content of the enhanced security requirements to ensure traceability of the assessment results to the requirements. The application of an assessment procedure to an enhanced security requirement produces assessment findings. The findings are used to determine if the enhanced security requirement has been satisfied.

Assessment objects are associated with the specific items being assessed. These objects can include specifications, mechanisms, activities, and individuals.

* Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.

* Mechanisms are the specific hardware, software, or firmware safeguards employed within a system.

* Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).

* Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.

Assessment methods define the nature and the extent of the assessor’s actions. The methods include examine, interview, and test.

* The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities).

* The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.

* The test method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.

The purpose of the assessment methods is to facilitate understanding, achieve clarification, and obtain evidence. The results obtained from applying the methods are used for making the specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

Criteria

Assessment objectives are provided for each requirement and are based on existing criteria from NIST SP 800-172A. The criteria are authoritative and provide a basis for the assessor to conduct an assessment of a requirement.

Methodology

During the CMMC certification assessment, the assessor will verify and validate that the OSC has met the requirements. Because an OSC can meet the assessment objectives in different ways (e.g., through documentation, computer configuration, network configuration, or training), the assessor may use a variety of techniques, including one or more of the three assessment methods described above from NIST SP 800-172A, to determine if the OSC meets the intent of the requirements.

The assessor will follow the guidance in NIST SP 800-172A when determining which assessment methods to use:

Organizations [DoD] are not expected to use all of the assessment methods and objects contained within the assessment procedures identified in this publication. Rather, organizations have the flexibility to establish the level of effort needed and the assurance required for an assessment (e.g., which assessment methods and objects are deemed to be the most useful in obtaining the desired results). The decision on level of effort is made based on how the organization can accomplish the assessment objectives in the most cost-effective and efficient manner and with sufficient confidence to support the determination that the CUI enhanced security requirements have been satisfied.

The primary deliverable of an assessment is a compliance score and accompanying report that contains the findings associated with each requirement. For more detailed information on assessment methods, see Appendix C of NIST SP 800-172A.

Figure 1 illustrates an example of an assessment procedure for requirement AC.L3-3.1.3e.

Who Is Interviewed

The assessor has discussions with OSC staff to understand if a requirement has been addressed. Interviews with applicable staff (possibly at different organizational levels) determine if CMMC security requirements are implemented and if adequate resourcing, training, and planning have occurred for individuals to perform the requirements.

What Is Examined

Examination includes reviewing, inspecting, observing, studying, or analyzing assessment objects. The objects can be documents, mechanisms, or activities. The primary focus will be to examine through demonstrations during interviews.

For some requirements, the assessor reviews documentation to determine if assessment objectives are met. Interviews with OSC staff may identify the documents uses. Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible to be submitted as evidence because they are not yet official and are still subject to change.

Common types of documents that can be used as evidence include:

policy, process, and procedure documents;
training materials;
plans and planning documents; and
system-level, network, and data flow diagrams.

This list of documents is not exhaustive or prescriptive. An OSC may not have these specific documents, and other documents may be used to provide evidence of compliance.

In other cases, the requirement is best assessed by observing that safeguards are in place by viewing hardware or associated configuration information or observe staff exercising a process.

What Is Tested

Testing is an important part of the assessment process. Interviews tell the assessor what the OSC staff believe to be true, documentation provides evidence of intent, and testing demonstrates what has or has not been done and is the preferred assessment method when possible. For example, staff may talk about how users are identified and documentation may provide details on how users are identified, but seeing a demonstration of user identification provides evidence that the requirement is met. The assessor will determine which requirements or objectives within a requirement need demonstration or testing. Most objectives will require testing.

Assessment Findings

The assessment of a CMMC security requirement results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve CMMC Status of Final Level 3 (DIBCAC) as described in 32 CFR § 170.18, the OSC will need a finding of MET or NOT APPLICABLE on all Level 3 security requirements.

MET: All applicable assessment objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and a not draft. Unacceptable forms of evidence include working papers, drafts, and unofficial or unapproved policies. For each security requirement marked MET, it is best practice to record statements that indicate the response conforms to all objectives and document the appropriate evidence to support the response.
- Enduring Exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
- Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews, milestones, and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
NOT MET: One or more objectives for the security requirement is not satisfied. During a Level 3 certification assessment, for each requirement objective marked NOT MET, the assessor will document why the evidence provided by the OSC does not conform.
NOT APPLICABLE (N/A): A security requirement and/or objective does not apply at the time of the assessment. For example, SI.L3-3.14.3e might be N/A if there are no Internet of Things (IoT), Industrial Internet of Things (IIoT), Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, or test equipment included in the Level 3 CMMC Assessment Scope.

If an OSC previously received a favorable adjudication from the DoD CIO indicating that a requirement is not applicable or that an alternative security measure is equally effective, the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. Implemented security measures adjudicated by the DoD CIO as equally effective are assessed as MET if there have been no changes in the environment.

Each assessment objective in NIST SP 800-171A and NIST SP 800-172A must yield a finding of MET or NOT APPLICABLE in order for the overall security requirement to be scored as MET. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.

CMMC certification assessments are conducted and results are captured at the assessment objective level. One NOT MET assessment objective results in a failure of the entire security requirement.

A security requirement can be applicable even when assessment objectives included in the security requirements are scored as N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET.

Satisfaction of security requirements may be accomplished by other parts of the enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security requirement is considered MET if adequate evidence is provided that the enterprise or ESP, implements the requirement objectives. An ESP may be external people, technology, or facilities that the OSC uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers.

Requirement Descriptions

This section provides detailed information and guidance for assessing each Level 3 security requirement. The section is organized first by domain and then by individual security requirement. Each security requirement description contains the following elements as described in 32 CFR § 170.14(c):

Requirement Number, Name, and Statement: Headed by the requirement identification number in the format DD.L#-REQ (e.g., AC.L3-3.1.2e); followed by the requirement short name identifier, meant to be used for quick reference only; and finally followed by the complete CMMC security requirement statement. In the case where the original NIST SP 800-172 requirement requires an assignment and/or selection statement, the Level 3 assignment (and any necessary selection) text is emphasized using underlining. See Section 2.2 in NIST SP 800-172 for the discussion on assignments and selections.
Assessment Objectives [NIST SP 800-172A]: Identifies the specific list of objectives that must be met to receive MET for the requirement as defined in NIST SP 800-172A and includes the Level 3 assignment/selection text (as appropriate). In cases where a Level 3 assignment fully satisfies the definition(s) required in an organization-defined parameter (ODP) in NIST SP 800-172A, the ODP statement is not included as an objective, since that objective has been met by the assignment itself. However, when the assignment does not fully contain all required aspects of a NIST SP 800-172A ODP, the ODP is included as its own objective, using the original NIST SP 800-172A ODP number (e.g., “[ODP4]”). See the breakout box ORGANIZATION-DEFINED PARAMETERS in Section 2.1 of NIST SP 800-172A for additional details on an ODP. In all cases where an assignment is used within an objective, it also emphasized using underlining.
Potential Assessment Methods and Objects [NIST SP 800-172A]: Defines the nature and extent of the assessor’s actions. Potential assessment methods and objects are as defined in NIST SP 800-172A. The methods include examine, interview, and test. Assessment objects identify the items being assessed and can include specifications, mechanisms, activities, and individuals.
Discussion [NIST SP 800-172]: Contains discussion from the associated NIST SP 800-172 security requirement.
Further Discussion:
- Expands upon the NIST content to provide supplemental information on the requirement intent.
- Contains examples illustrating how the OSC might apply the requirement. These examples provide insight but are not intended to be prescriptive of how the requirement must be implemented, nor comprehensive of all assessment objectives necessary to achieve the requirement. The assessment objectives met within the example are referenced by letter in brackets (e.g., [a,d] for objectives “a” and “d”) within the text. Note that some of the examples contain company names; all company names used in this document are fictitious.
- Provides potential assessment considerations. These may include common considerations for assessing the requirement and potential questions the assessor may ask when assessing the objectives.
Key References: Lists the security requirement from NIST SP 800-172.

Access Control (AC)

AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS

Restrict access to systems and system components to only those information resources that

are owned, provisioned, or issued by the organization.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Information resources that are owned, provisioned, or issued by the organization are

identified; and

[b] Access to systems and system components is restricted to only those information

resources that are owned, provisioned, or issued by the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Access control policy; procedures addressing the use of external systems;

list of information resources owned, provisioned, or issued by the organization; security

plan; system design documentation; system configuration settings and associated

documentation; system connection or processing agreements; system audit records; account

management documents; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use

of non-organizationally owned systems, system components, or devices; system and

network administrators; organizational personnel responsible for system security].

Test
[SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally

owned systems, components, or devices].

DISCUSSION [NIST SP 800-172]

Information resources that are not owned, provisioned, or issued by the organization include

systems or system components owned by other organizations and personally owned

devices. Non-organizational information resources present significant risks to the

organization and complicate the ability to employ a “comply-to-connect” policy or

implement component or device attestation techniques to ensure the integrity of the

organizational system.

AC.L3-3.1.2e – Organizationally Controlled Assets

CMMC Assessment Guide – Level 3 | Version 2.13

16

FURTHER DISCUSSION

Implementing this requirement ensures that an organization has control over the systems

that can connect to organizational assets. This control will allow more effective and efficient

application of security policy. The terms “has control over” provides policy for systems that

are not owned outright by the organization. Control includes policies, regulations or

standards that are enforced on the resource accessing contractor systems. Control may also

be exercised through contracts or agreements with the external party. Provisioned includes

setting configuration, whether through direct technical means or by policy or agreement. For

purposes of this requirement, GFE can be considered provisioned by the OSA.

Example 1
You are the chief network architect for your company. Company policy states that all

company-owned assets must be separated from all non-company-owned (i.e., guest or

employee) assets. You decide the best way forward is to modify the corporate wired and

wireless networks to only allow company-owned devices to connect [b]. All other devices

are connected to a second (untrusted) network that non-corporate devices may use to access

the internet. The two environments are physically separated and are not allowed to be

connected. You also decide to limit the virtual private network (VPN) services of the

company to devices owned by the corporation by installing certificate keys and have the VPN

validate the configuration of connecting devices before they are allowed in [b].

Example 2
You are a small company that uses an External Service Provider (ESP) to provide your audit

logging. Access between the ESP and the organization is controlled by the agreement

between the organization and the ESP. That agreement will include the policies, standards,

and configuration for the required access. Technical controls should be documented and in

place which limit the ESP’s access to the minimum required to perform the logging service.

Potential Assessment Considerations
•

Can the organization demonstrate a non-company-owned device failing to access

information resources owned by the company [b]?

•

How is this requirement met for organizational devices that are specialized assets (GFE,

restricted information systems) [a,b]?

•

Does the company allow employees to charge personal cell phones on organizational

systems [b]?

KEY REFERENCES

•

NIST SP 800-172 3.1.2e

AC.L3-3.1.3e – Secured Information Transfer

CMMC Assessment Guide – Level 3 | Version 2.13

17

AC.L3-3.1.3E – SECURED INFORMATION TRANSFER

Employ secure information transfer solutions to control information flows between security

domains on connected systems.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP1] Secure information transfer solutions are defined;
[a] Information flows between security domains on connected systems are identified; and
[b] Secure information transfer solutions are employed to control information flows

between security domains on connected systems.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Access control policy; information flow control policies; procedures

addressing information flow enforcement; system design documentation; security plan;

system configuration settings and associated documentation; system audit records; system

baseline configuration; list of information flow authorizations; other relevant documents or

records].

Interview
[SELECT FROM: System and network administrators; organizational personnel responsible

for information security; system developers].

Test
[SELECT FROM: Mechanisms implementing information flow enforcement policy;

mechanisms implementing secure information transfer solutions].

DISCUSSION [NIST SP 800-172]

Organizations employ information flow control policies and enforcement mechanisms to

control the flow of information between designated sources and destinations within systems

and between connected systems. Flow control is based on the characteristics of the

information and/or the information path. Enforcement occurs, for example, in boundary

protection devices that employ rule sets or establish configuration settings that restrict

system services, provide a packet-filtering capability based on header information, or

provide a message-filtering capability based on message content. Organizations also

consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware,

firmware, and software components) that are critical to information flow enforcement.
Transferring information between systems in different security domains with different

security policies introduces the risk that the transfers violate one or more domain security

AC.L3-3.1.3e – Secured Information Transfer

CMMC Assessment Guide – Level 3 | Version 2.13

18

policies. In such situations, information owners or information stewards provide guidance

at designated policy enforcement points between connected systems. Organizations

mandate specific architectural solutions when required to enforce logical or physical

separation between systems in different security domains. Enforcement includes prohibiting

information transfers between connected systems, employing hardware mechanisms to

enforce one-way information flows, verifying write permissions before accepting

information from another security domain or connected system, and implementing

trustworthy regrading mechanisms to reassign security attributes and labels.
Secure information transfer solutions often include one or more of the following properties:

use of cross-domain solutions when traversing security domains, mutual authentication of

the sender and recipient (using hardware-based cryptography), encryption of data in transit

and at rest, isolation from other domains, and logging of information transfers (e.g., title of

file, file size, cryptographic hash of file, sender, recipient, transfer time and Internet Protocol

[IP] address, receipt time, and IP address).

FURTHER DISCUSSION

The organization implementing this requirement must decide on the secure information

transfer solutions they will use. The solutions must be configured to have strong protection

mechanisms for information flow between security domains. Secure information transfer

solutions control information flow between a Level 3 enclave and other CMMC or non-CMMC

enclaves. If CUI requiring Level 3 protection resides in one area of the environment or within

a given enclave outside of the normal working environment, protection to prevent

unauthorized personnel from accessing, disseminating, and sharing the protected

information is required. Physical and virtual methods can be employed to implement secure

information transfer solutions.

Example
You are the administrator for an enterprise that stores and processes CUI requiring Level 3

protection. The files containing CUI information are tagged by the company as CUI. To ensure

secure information transfer, you use an intermediary device to check the transfer of any CUI

files. The device sits at the boundary of the CUI enclave, is aware of all other CUI domains in

the enterprise, and has the ability to examine the metadata in the encrypted payload. The

tool checks all outbound communications paths. It first checks the metadata for all data being

transferred. If that data is identified as CUI, the device checks the destination to see if the

transfer is to another, sufficiently certified CUI domain. If the destination is not a sufficient

CUI domain, the tool blocks the communication path and does not allow the transfer to take

place. If the destination is a sufficient CUI domain, the transfer is allowed. The intermediary

device logs all blocks.

Potential Assessment Considerations
•

Has the organization defined the secure information transfer solutions it is using [b]?

•

Has the organization defined domains, boundaries, and flows between those domains

that need to be controlled [a]?

AC.L3-3.1.3e – Secured Information Transfer

CMMC Assessment Guide – Level 3 | Version 2.13

19

•

Has the organization defined attributes to be associated with the CUI, and both source

and destination objects [b]?

•

Has the organization defined metadata or some other tagging mechanism to be used as a

means of enforcing CUI flow control [b]?

•

Has the organization defined filters to be used as a basis for enforcing flow control

decisions [b]?

•

Has the organization identified CUI flows for which flow control decisions are to be

applied and enforced [a,b]?

KEY REFERENCES

•

NIST SP 800-172 3.1.3e

AT.L3-3.2.1e – Advanced Threat Awareness

CMMC Assessment Guide – Level 3 | Version 2.13

20

Awareness and Training (AT)
AT.L3-3.2.1E – ADVANCED THREAT AWARENESS

Provide awareness training upon initial hire, following a significant cyber event, and at least

annually, focused on recognizing and responding to threats from social engineering,

advanced persistent threat actors, breaches, and suspicious behaviors; update the training

at least annually or when there are significant changes to the threat.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Threats from social engineering, advanced persistent threat actors, breaches, and

suspicious behaviors are identified;

[b] Awareness training focused on recognizing and responding to threats from social

engineering, advanced persistent threat actors, breaches, and suspicious behaviors is

provided upon initial hire, following a significant cyber event, and at least annually;

[c] Significant changes to the threats from social engineering, advanced persistent threat

actors, breaches, and suspicious behaviors are identified; and

[d] Awareness training is updated at least annually or when there are significant changes to

the threat.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Awareness training policy; procedures addressing awareness training

implementation; appropriate codes of federal regulations; awareness training curriculum;

awareness training materials; security plan; training records; threat information on social

engineering, advanced persistent threat actors, suspicious behaviors, and breaches; other

relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for awareness training;

organizational personnel responsible for information security; organizational personnel

comprising the general system user community].

Test
[SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat

information].

AT.L3-3.2.1e – Advanced Threat Awareness

CMMC Assessment Guide – Level 3 | Version 2.13

21

DISCUSSION [NIST SP 800-172]

An effective method to detect APT activities and reduce the effectiveness of those activities

is to provide specific awareness training for individuals. A well-trained and security-aware

workforce provides another organizational safeguard that can be employed as part of a

defense-in-depth strategy to protect organizations against malicious code injections via

email or web applications. Threat awareness training includes educating individuals on the

various ways that APTs can infiltrate organizations, including through websites, emails,

advertisement pop-ups, articles, and social engineering. Training can include techniques for

recognizing suspicious emails, the use of removable systems in non-secure settings, and the

potential targeting of individuals by adversaries outside the workplace. Awareness training

is assessed and updated periodically to ensure that the training is relevant and effective,

particularly with respect to the threat since it is constantly, and often rapidly, evolving.
[NIST SP 800-50] provides guidance on security awareness and training programs.

FURTHER DISCUSSION

All organizations, regardless of size, should have a cyber training program that helps

employees understand threats they will face on a daily basis. This training must include

knowledge about APT actors, breaches, and suspicious behaviors.

Example
You are the cyber training coordinator for a small business with eight employees. You do not

have your own in-house cyber training program. Instead, you use a third-party company to

provide cyber training. New hires take the course when they start, and all current staff

members receive refresher training at least once a year [b]. When significant changes to the

threat landscape take place, the company contacts you and informs you that an update to the

training has been completed [c,d] and everyone will need to receive training [b]. You keep a

log of all employees who have gone through the cyber training program and the dates of

training.

Potential Assessment Considerations
•

Does the organization have evidence that employees participate in cyber awareness

training at initial hire and at least annually thereafter or when there have been significant

changes to the threat [b]?

KEY REFERENCES

•

NIST SP 800-172 3.2.1e

AT.L3-3.2.2e – Practical Training Exercises

CMMC Assessment Guide – Level 3 | Version 2.13

22

AT.L3-3.2.2E – PRACTICAL TRAINING EXERCISES

Include practical exercises in awareness training for all users, tailored by roles, to include

general users, users with specialized roles, and privileged users, that are aligned with

current threat scenarios and provide feedback to individuals involved in the training and

their supervisors.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Practical exercises are identified;
[b] Current threat scenarios are identified;
[c] Individuals involved in training and their supervisors are identified;
[d] Practical exercises that are aligned with current threat scenarios are included in

awareness training for all users, tailored by roles, to include general users, users with

specialized roles, and privileged users; and

[e] Feedback is provided to individuals involved in the training and their supervisors.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Awareness training policy; procedures addressing awareness training

implementation; appropriate codes of federal regulations; awareness training curriculum;

awareness training materials; security plan; training records; threat information on social

engineering, advanced persistent threat actors, suspicious behaviors, breaches, or other

relevant adversary tactics, techniques, or procedures; feedback on practical exercises and

awareness training; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for awareness training; organizational

personnel responsible for information security; organizational personnel with roles identified

for practical exercises; supervisors of personnel with roles identified for practical exercises].

Test
[SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat

information].

AT.L3-3.2.2e – Practical Training Exercises

CMMC Assessment Guide – Level 3 | Version 2.13

23

DISCUSSION [NIST SP 800-172]

Awareness training is most effective when it is complemented by practical exercises tailored

to the tactics, techniques, and procedures (TTP) of the threat. Examples of practical exercises

include unannounced social engineering attempts to gain unauthorized access, collect

information, or simulate the adverse impact of opening malicious email attachments or

invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to

reinforce desired user behavior. Training results, especially failures of personnel in critical

roles, can be indicative of a potentially serious problem. It is important that senior

management are made aware of such situations so that they can take appropriate

remediating actions.
[NIST SP 800-181] provides guidance on role-based security training, including a lexicon and

taxonomy that describes cybersecurity work via work roles.

FURTHER DISCUSSION

This requirement can be performed by the organization or by a third-party company.

Training exercises (including unannounced exercises, such as phishing training) should be

performed at various times throughout the year to encourage employee readiness. After

each exercise session has been completed, the results should be recorded (date, time, what

and who the training tested, and the percent of successful and unsuccessful responses). The

purpose of training is to help employees in all roles act appropriately for any given training

situation, which should reflect real-life scenarios. Collected results will help identify

shortcomings in the cyber training and/or whether additional instructional training may be

needed.
General exercises can be included for all users, but exercises tailored for specific roles are

important, too. Training tailored for specific roles helps make sure individuals are ready for

actions and events specific to their positions in a company. Privileged users receive training

that emphasizes what permissions their privileged account has in a given environment and

what extra care is required when using their privileged account.

Example
You are the cyber training coordinator for a medium-sized business. You and a coworker

have developed a specialized awareness training to increase cybersecurity awareness

around your organization. Your training includes social media campaigns, social engineering

phone calls, and phishing emails with disguised links to staff to train them beyond the

standard cybersecurity training [a,b].
To send simulated phishing emails to staff, you subscribe to a third-party service that

specializes in this area [a]. The service sets up fictitious websites with disguised links to help

train general staff against this TTP used by APTs [d]. The third-party company tracks the

individuals who were sent phishing emails and whether they click on any of the of the links

within the emails. After the training action is completed, you receive a report from the third-

party company. The results show that 20% of the staff clicked on one or more phishing email

links, demonstrating a significant risk to your company. As the cyber training coordinator,

AT.L3-3.2.2e – Practical Training Exercises

CMMC Assessment Guide – Level 3 | Version 2.13

24

you notify the individuals, informing them they failed the training and identifying the area(s)

of concern [e]. You send an email to the supervisors informing them who in their

organization has received training. You also send an email out to the entire company

explaining the training that just took place and the overall results [e].

Potential Assessment Considerations
•

Are the individuals being trained and the results recorded [e]?

•

Are the training exercises performed [c]?

•

Are the exercises set up for all users? Are there tailored exercises based on roles within

the organization (general users, users with specialized roles, and privileged users) [d]?

•

Does the organization have documentation recording the training exercises, who

participated, and feedback provided to those who participated in a training session [c,e]?

KEY REFERENCES

•

NIST SP 800-172 3.2.2e

CM.L3-3.4.1e – Authoritative Repository

CMMC Assessment Guide – Level 3 | Version 2.13

25

Configuration Management (CM)
CM.L3-3.4.1E – AUTHORITATIVE REPOSITORY

Establish and maintain an authoritative source and repository to provide a trusted source

and accountability for approved and implemented system components.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Approved system components are identified;
[b] Implemented system components are identified;
[c] An authoritative source and repository are established to provide a trusted source and

accountability for approved and implemented system components; and

[d] An authoritative source and repository are maintained to provide a trusted source and

accountability for approved and implemented system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Configuration management policy; procedures addressing the baseline

configuration of the system; configuration management plan; enterprise architecture

documentation; system design documentation; system architecture and configuration

documentation; system configuration settings and associated documentation; change

control records; system and system component inventory records; inventory reviews and

update records; security plan; system audit records; change control audit and review

reports; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for configuration management;

organizational personnel responsible for system component inventory; organizational

personnel responsible for configuration change control; organizational personnel

responsible for information security; system/network administrators; members of a change

control board or similar].

Test
[SELECT FROM: Mechanisms that implement configuration change control; mechanisms

supporting configuration control of the baseline configuration; mechanisms supporting

and/or implementing the system component inventory].

CM.L3-3.4.1e – Authoritative Repository

CMMC Assessment Guide – Level 3 | Version 2.13

26

DISCUSSION [NIST SP 800-172]

The establishment and maintenance of an authoritative source and repository includes a

system component inventory of approved hardware, software, and firmware; approved

system baseline configurations and configuration changes; and verified system software and

firmware, as well as images and/or scripts. The authoritative source implements integrity

controls to log changes or attempts to change software, configurations, or data in the

repository. Additionally, changes to the repository are subject to change management

procedures and require authentication of the user requesting the change. In certain

situations, organizations may also require dual authorization for such changes. Software

changes are routinely checked for integrity and authenticity to ensure that the changes are

legitimate when updating the repository and when refreshing a system from the known,

trusted source. The information in the repository is used to demonstrate adherence to or

identify deviation from the established configuration baselines and to restore system

components from a trusted source. From an automated assessment perspective, the system

description provided by the authoritative source is referred to as the desired state. The

desired state is compared to the actual state to check for compliance or deviations. [NIST SP

800-128] provides guidance on security configuration management, including security

configuration settings and configuration change control.
[NIST IR 8011-1] provides guidance on automation support to assess system and system

component configurations.

FURTHER DISCUSSION

Trusted software, whether securely developed in house or obtained from a trusted source,

should have baseline data integrity established when first created or obtained, such as by

using hash algorithms to obtain a hash value that would be used to validate the source prior

to use of the software in a given system. Hardware in the repository should be stored in boxes

or containers with tamper-evident seals. Hashes and seals should be checked on a regular

basis employing the principle of separation of duties.

Example
You are the primary system build technician at a medium-sized company. You have been put

in charge of creating, documenting, and implementing a baseline configuration for all user

systems [c]. You have identified a minimum set of software that is needed by all employees

to complete their work (e.g., office automation software). You acquire trusted versions of the

software and build one or more baselines of all system software, firmware, and applications

required by the organization. The gold version of each baseline is stored in a secure

configuration management system repository and updated as required to maintain integrity

and security. Access to the build repository for updates and use is carefully controlled using

access control mechanisms that limit access to you and your staff. All interactions with the

repository are logged. Using an automated build tool, your team builds each organizational

system using the standard baseline

CM.L3-3.4.1e – Authoritative Repository

CMMC Assessment Guide – Level 3 | Version 2.13

27

Potential Assessment Considerations
•

Does an authoritative source and repository exist to provide a trusted source and

accountability for approved and implemented system components [c,d]?

KEY REFERENCES

•

NIST SP 800-172 3.4.1e

CM.L3-3.4.2e – Automated Detection & Remediation

CMMC Assessment Guide – Level 3 | Version 2.13

28

CM.L3-3.4.2E – AUTOMATED DETECTION & REMEDIATION

Employ automated mechanisms to detect misconfigured or unauthorized system

components; after detection, remove the components or place the components in a

quarantine or remediation network to facilitate patching, re-configuration, or other

mitigations.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Automated mechanisms to detect misconfigured or unauthorized system components

are identified;

[b] Automated mechanisms are employed to detect misconfigured or unauthorized system

components;

[c] Misconfigured or unauthorized system components are detected; and
[d] After detection, system components are removed or placed in a quarantine or

remediation network to facilitate patching, re-configuration, or other mitigations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Configuration management policy; procedures addressing the baseline

configuration of the system; configuration management plan; authoritative source or

repository; enterprise architecture documentation; system design documentation; system

architecture and configuration documentation; system procedures addressing system

configuration change control; configuration settings and associated documentation; change

control records; change control audit and review reports; agenda/minutes from

configuration change control oversight meetings; alerts/notifications of unauthorized

baseline configuration changes; security plan; system audit records; other relevant

documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for configuration management;

organizational personnel responsible for information security; organizational personnel

responsible for configuration change control; system developers; system/network

administrators; members of a change control board or similar roles].

Test
[SELECT FROM: Automated mechanisms supporting configuration control of the baseline

configuration; automated mechanisms that implement security responses to changes to the

baseline configurations; automated mechanisms that implement configuration change

control; automated mechanisms that detect misconfigured or unauthorized system

components].

CM.L3-3.4.2e – Automated Detection & Remediation

CMMC Assessment Guide – Level 3 | Version 2.13

29

DISCUSSION [NIST SP 800-172]

System components used to process, store, transmit, or protect CUI are monitored and

checked against the authoritative source (i.e., hardware and software inventory and

associated baseline configurations). From an automated assessment perspective, the system

description provided by the authoritative source is referred to as the desired state. Using

automated tools, the desired state is compared to the actual state to check for compliance or

deviations. Security responses to system components that are unknown or that deviate from

approved configurations can include removing the components; halting system functions or

processing; placing the system components in a quarantine or remediation network that

facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or

notifications to personnel when there is an unauthorized modification of an organization-

defined configuration item. Responses can be automated, manual, or procedural.

Components that are removed from the system are rebuilt from the trusted configuration

baseline established by the authoritative source.
[NIST IR 8011-1] provides guidance on using automation support to assess system

configurations

FURTHER DISCUSSION

For this requirement, the organization is required to implement automated tools to help

identify misconfigured components. Once under an attacker’s control, the system may be

modified in some manner and the automated tool should detect this. Or, if a user performs a

manual configuration adjustment, the system will be viewed as misconfigured, and that

change should be detected. Another common example is if a component has been offline and

not updated, the tool should detect the incorrect configuration. If any of these scenarios

occurs, the automated configuration management system (ACMS) will notice a change and

can take the system offline, quarantine the system, or send an alert so the component(s) can

be manually removed. Quarantining a misconfigured component does not require it to be

removed from the network. Quarantining only requires that a temporary limitation be put

in place eliminating the component’s ability to process, store, or transmit CUI until it is

properly configured. If a component has the potential of disrupting business operations then

the OSC should take extra care to ensure configuration updates are properly tested and that

components are properly configured and tested before being added to the network. Once

one of these actions is accomplished, a system technician may need to manually inspect the

system or rebuild it using the baseline configuration. Another option is for an ACMS to make

adjustments while the system is running rather than performing an entire rebuild. These

adjustments can include replacing configuration files, executable files, scripts, or library files

on the fly.

Example 1
As the system administrator, you implement company policy stating that every system

connecting to the company network via VPN will be checked for specific configuration

settings and software versioning before it is allowed to connect to the network, after it passes

authentication [a,b]. If any deviations from the authoritative baseline are identified, the

CM.L3-3.4.2e – Automated Detection & Remediation

CMMC Assessment Guide – Level 3 | Version 2.13

30

system is placed in a VPN quarantine zone (remediation network) using a virtual local area

network (VLAN) [b,c,d]. This VLAN is set up for system analysis, configuration changes, and

rebuilding after forensic information is pulled from the system. Once the system updates are

complete, the system will be removed from the quarantine zone and placed on the network

through the VPN connection.

Example 2
As the system administrator, you have chosen to use a network access control (NAC) solution

to validate system configurations before they are allowed to connect to the corporate

network [a]. When a system plugs into or connects to a local network port or the VPN, the

NAC solution checks the hash of installed system software [b,c]. If the system does not pass

the configuration check, it is put in quarantine until an administrator can examine it or the

ACMS updates the system to pass the system checks [d].

Potential Assessment Considerations
•

Can the organization explain the automated process that identifies, quarantines, and

remediates a system when a misconfiguration or unauthorized system component is

identified [a,b,c,d]?

•

Does the organization have a patching and rebuild process for all assets that may be taken

offline [d]?

KEY REFERENCES

•

NIST SP 800-172 3.4.2e

CM.L3-3.4.3e – Automated Inventory

CMMC Assessment Guide – Level 3 | Version 2.13

31

CM.L3-3.4.3E – AUTOMATED INVENTORY

Employ automated discovery and management tools to maintain an up-to-date, complete,

accurate, and readily available inventory of system components.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Automated discovery and management tools for the inventory of system components are

identified;

[b] An up-to-date, complete, accurate, and readily available inventory of system components

exists; and

[c] Automated discovery and management tools are employed to maintain an up-to-date,

complete, accurate, and readily available inventory of system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Configuration management policy; configuration management plan;

procedures addressing system component inventory; procedures addressing the baseline

configuration of the system; configuration management plan; system design documentation;

system architecture and configuration documentation; security plan; system configuration

settings and associated documentation; configuration change control records; system

inventory records; change control records; system maintenance records; system audit

records; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

organizational personnel responsible for configuration management; organizational

personnel responsible for managing the automated mechanisms implementing the system

component inventory; system developers; system/network administrators].

Test
[SELECT FROM: Automated mechanisms implementing baseline configuration maintenance;

automated mechanisms implementing the system component inventory].

DISCUSSION [NIST SP 800-172]

The system component inventory includes system-specific information required for

component accountability and to provide support to identify, control, monitor, and verify

configuration items in accordance with the authoritative source. The information necessary

for effective accountability of system components includes the system name, hardware and

software component owners, hardware inventory specifications, software license

CM.L3-3.4.3e – Automated Inventory

CMMC Assessment Guide – Level 3 | Version 2.13

32

information, software version numbers, and— for networked components—the machine

names and network addresses. Inventory specifications include the manufacturer, supplier

information, component type, date of receipt, cost, model, serial number, and physical

location. Organizations also use automated mechanisms to implement and maintain

authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for

systems that include hardware and software inventory tools, configuration management

tools, and network management tools. Tools can be used to track version numbers on

operating systems, applications, types of software installed, and current patch levels.

FURTHER DISCUSSION

Organizations use an automated capability to discover components connected to the

network and system software installed. The automated capability must also be able to

identify attributes associated with those components. For systems that have already been

coupled to the environment, they should allow remote access for inspection of the system

software configuration and components. Another option is to place an agent on systems that

performs internal system checks to identify system software configuration and components.

Collection of switch and router data can also be used to identify systems on networks.

Example
Within your organization, you are in charge of implementing an authoritative inventory of

system components. You first create a list of the automated technologies you will use and

what each technology will be responsible for identifying [a]. This includes gathering

information from switches, routers, access points, primary domain controllers, and all

connected systems or devices, whether wired or wireless (printers, IoT, IIoT, OT, IT, etc.) [b].

To keep the data up-to-date, you set a very short search frequency for identifying new

components. To maximize availability of this data, all information will be placed in a central

inventory/configuration management system, and automated reporting is performed every

day [c]. A user dashboard is set up that allows you and other administrators to run reports

at any time.

Potential Assessment Considerations
•

Can the organization explain the process by which current inventory information is

acquired [a]?

•

Is the organization able to produce an inventory of components on the network [b,c]?

•

Has the organization implemented a valid frequency for the component discovery

solution [b,c]?

•

Can the organization demonstrate that the inventory is current and accurate [b]?

•

Has the organization developed a defined list of identifiable attributes for each

component type, and is that list adequate to support component accountability [a]?

•

Is the organization able to track, monitor, and verify configuration items in accordance

with the organization’s authoritative list of components [b,c]?

CM.L3-3.4.3e – Automated Inventory

CMMC Assessment Guide – Level 3 | Version 2.13

33

KEY REFERENCES

•

NIST SP 800-172 3.4.3e

IA.L3-3.5.1e – Bidirectional Authentication

CMMC Assessment Guide – Level 3 | Version 2.13

34

Identification and Authentication (IA)
IA.L3-3.5.1E – BIDIRECTIONAL AUTHENTICATION

Identify and authenticate systems and system components, where possible, before

establishing a network connection using bidirectional authentication that is

cryptographically based and replay resistant.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP1] Systems and system components to identify and authenticate are defined;
[a] Bidirectional authentication that is cryptographically-based is implemented;
[b] Bidirectional authentication that is replay-resistant is implemented; and
[c] Systems and system components, where possible, are identified and authenticated before

establishing a network connection using bidirectional authentication that is

cryptographically-based and replay-resistant.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing device

identification and authentication; network connection policy; security plan; system

configuration settings and associated documentation; system design documentation; list of

devices requiring unique identification and authentication; device connection reports;

system audit records; list of privileged system accounts; other relevant documents or

records].

Interview
[SELECT FROM: Organizational personnel responsible for system operations; organizational

personnel responsible for account management; organizational personnel responsible for

device identification and authentication; organizational personnel responsible for

information security; system/network administrators; system developers].

Test
[SELECT FROM: Cryptographically-based bidirectional authentication mechanisms;

mechanisms supporting and/or implementing network connection policy; mechanisms

supporting and/or implementing replay-resistant authentication mechanisms; mechanisms

supporting and/or implementing an identification and authentication capability;

mechanisms supporting and/or implementing a device identification and authentication

capability].

IA.L3-3.5.1e – Bidirectional Authentication

CMMC Assessment Guide – Level 3 | Version 2.13

35

DISCUSSION [NIST SP 800-172]

Cryptographically-based and replay-resistant authentication between systems, components,

and devices addresses the risk of unauthorized access from spoofing (i.e., claiming a false

identity). The requirement applies to client-server authentication, server-server

authentication, and device authentication (including mobile devices). The cryptographic key

for authentication transactions is stored in suitably secure storage available to the

authenticator application (e.g., keychain storage, Trusted Platform Module [TPM], Trusted

Execution Environment [TEE], or secure element). Mandating authentication requirements

at every connection point may not be practical, and therefore, such requirements may only

be applied periodically or at the initial point of network connection.
[NIST SP 800-63-3] provides guidance on identity and authenticator management.

FURTHER DISCUSSION

The intent of this practice is to prevent unauthorized devices from connecting to one

another. One example satisfying this requirement is a web server configured with transport

layer security (TLS) using mutual authentication. At a lower level in the OSI stack, IPsec

provides application-transparent mutual authentication. Another example would be

implementing 802.1X technology to enforce port-based NAC. This is done by enabling 802.1X

on switches, wireless access points, and VPN connections for a given network. 802.1X defines

authentication controls for devices trying to access a given network. NAC controls

authorization and policy management. For this to be implemented, bidirectional

authentication must be turned on via 802.1X. Once successfully authenticated, the device

may communicate on the network. A final example, at the application-server level, involves

the use of Kerberos to control 1) which files a client can access and 2) the transmission of

sensitive data from the client to the server.

Example 1
You are the network engineer in charge of implementing this requirement. You have been

instructed to implement a technology that will provide mutual authentication for client

server connections. You implement Kerberos.
On the server side, client authentication is implemented by having the client establish a local

security context. This is initially accomplished by having the client present credentials which

are confirmed by the Active Directory Domain Controller (DC). After that, the client may

establish context via a session of a logged-in user. The service does not accept connections

from any unauthenticated client.
On the client side, server authentication requires registration, using administrator

privileges, of unique Service Provider Names (SPNs) for each service instance offered. The

names are registered in the Active Directory Domain Controller. When a client requests a

connection to a service, it composes an SPN for a service instance, using known data or data

provided by the user. For authentication, the client presents its SPN to the Key Distribution

Center (KDC), and the KDC searches for computers with the registered SPN before allowing

a connection via an encrypted message passed to the client for forwarding to the server.

IA.L3-3.5.1e – Bidirectional Authentication

CMMC Assessment Guide – Level 3 | Version 2.13

36

Example 2
You are the network engineer in charge of implementing this requirement. You have been

instructed to implement a technology that will provide authentication for each system prior

to connecting to the environment. You implement the company-approved scheme that uses

cryptographic keys installed on each system for it to authenticate to the environment, as well

as user-based cryptographic keys that are used in combination with a user’s password for

user-level authentication [a,c]. Your authentication implementation is finalized on each

system using an ACM solution. When a system connects to the network, the system uses the

system-level certificate to authenticate itself to the switch before the switch will allow it to

access the corporate network [a,c]. This is accomplished using 802.1x technology on the

switch and by authenticating with a RADIUS server that authenticates itself with the system

via cryptographic keys. If either system fails to authenticate to the other, the trust is broken,

and the system will not be able to connect to or communicate on the network. You also set

up a similar implementation in your wireless access point.

Example 3
You are the network engineer in charge of implementing the VPN solution used by the

organization. To meet this requirement, you use a VPN gateway server and public key

infrastructure (PKI) certificates via a certification authority (CA) and a chain of trust. When

a client starts a VPN connection, the server presents its certificate to the client and if the

certificate is trusted, the client then presents its certificate to the server [a]. If the server

validates the client certificate, an established communications channel is opened for the

client to finish the authentication process and gain access to the network via the VPN

gateway server [c]. If the client fails final authentication, fails the certification validation, or

the VPN gateway fails the certificate check by the client, the communication channel will be

denied.

Potential Assessment Considerations
•

Are cryptographic keys stored securely [a]?

•

Has the requirement been implemented for any of the three use cases, where applicable:

client-server authentication, server-server authentication, and device authentication

[b,c]?

KEY REFERENCES

•

NIST SP 800-172 3.5.1e

IA.L3-3.5.3e – Block Untrusted Assets

CMMC Assessment Guide – Level 3 | Version 2.13

37

IA.L3-3.5.3E – BLOCK UNTRUSTED ASSETS

Employ automated or manual/procedural mechanisms to prohibit system components from

connecting to organizational systems unless the components are known, authenticated, in a

properly configured state, or in a trust profile.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] System components that are known, authenticated, in a properly configured state, or in

a trust profile are identified;

[b] Automated or manual/procedural mechanisms to prohibit system components from

connecting to organizational systems are identified; and

[c] Automated or manual/procedural mechanisms are employed to prohibit system

components from connecting to organizational systems unless the components are

known, authenticated, in a properly configured state, or in a trust profile.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Configuration management policy; identification and authentication policy;

system and information integrity policy; procedures addressing system component

inventory; procedures addressing device identification and authentication; procedures

addressing device configuration management; procedures addressing system monitoring

tools and techniques; configuration management plan; security plan; system design

documentation; system configuration settings and associated documentation; system

inventory records; configuration management records; system monitoring records;

alerts/notifications of unauthorized components within the system; change control records;

system audit records; system monitoring tools and techniques documentation; documented

authorization/approval of network services; notifications or alerts of unauthorized network

services; system monitoring logs or records; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for managing the mechanisms

implementing unauthorized system component detection; organizational personnel

responsible for device identification and authentication; organizational personnel

responsible for information security; organizational personnel responsible for installing,

configuring, and/or maintaining the system; system/network administrators;

organizational personnel responsible for monitoring the system; system developers].

IA.L3-3.5.3e – Block Untrusted Assets

CMMC Assessment Guide – Level 3 | Version 2.13

38

Test
[SELECT FROM: Mechanisms implementing the detection of unauthorized system

components; mechanisms supporting and/or implementing a device identification and

authentication capability; mechanisms for providing alerts; mechanisms supporting and/or

implementing configuration management; cryptographic mechanisms supporting device

attestation; mechanisms supporting and/or implementing a system monitoring capability;

mechanisms for auditing network services].

DISCUSSION [NIST SP 800-172]

Identification and authentication of system components and component configurations can

be determined, for example, via a cryptographic hash of the component. This is also known

as device attestation and known operating state or trust profile. A trust profile based on

factors such as the user, authentication method, device type, and physical location is used to

make dynamic decisions on authorizations to data of varying types. If device attestation is

the means of identification and authentication, then it is important that patches and updates

to the device are handled via a configuration management process such that the patches and

updates are done securely and do not disrupt the identification and authentication of other

devices.
[NIST IR 8011-1] provides guidance on using automation support to assess system

configurations.

FURTHER DISCUSSION

This requirement can be achieved in several ways, such as blocking based on posture

assessments, conditional access, or trust profiles. A posture assessment can be used to assess

a given system’s posture to validate that it meets the standards set by the organization before

allowing it to connect. Conditional access is the set of policies and configurations that control

devices receiving access to services and data sources. Conditional access helps an organization

build rules that manage security controls, perform blocking, and restrict components. A trust

profile is a set of factors that are checked to inform a device that a system can be trusted.

Example 1
In a Windows environment, you authorize devices to connect to systems by defining

configuration rules in one or more Group Policy Objects (GPO) that can be automatically

applied to all relevant devices in a domain [a]. This provides you with a mechanism to apply

rules for which devices are authorized to connect to any given system and prevent devices

that are not within the defined list from connecting [b,c]. For instance, universal serial bus

(USB) device rules for authorization can be defined by using a USB device’s serial number,

model number, and manufacturer information. This information can be used to build a trust

profile for a device and authorize it for use by a given system. You use security policies to

prevent unauthorized components from connecting to systems [c].

IA.L3-3.5.3e – Block Untrusted Assets

CMMC Assessment Guide – Level 3 | Version 2.13

39

Example 2
You have been assigned to build trust profiles for all devices allowed to connect to your

organization’s systems. You want to test the capability starting with printers. You talk to your

purchasing department, and they tell you that policy states every printer must be from a

specific manufacturer; they only purchase four different models. They also collect all serial

numbers from purchased printers. You gather this information and build trust profiles for

each device [a,b]. Because your organization shares printers, you push the trust profiles out

to organizational systems. Now, the systems are not allowed to connect to a network printer

unless they are within the trust profiles you have provided [b,c].

Example 3
Your organization has implemented a network access control solution (NAC) to help ensure

that only properly configured computers are allowed to connect to the corporate network

[a,b]. The solution first checks for the presence of a certificate to indicate that the device is

company-owned. It next reviews the patch state of the computer and forces the installation

of any patches that are required by the organization. Finally, it reviews the computer’s

configuration to ensure that the firewall is active and that the appropriate security policies

have been applied. Once the computer has passed all of these requirements, it is allowed

access to network resources and defined as a trusted asset for the length of its session [a].

Devices that do not meet all of the requirements are automatically blocked from connecting

to the network [c].

Potential Assessment Considerations
•

If the organization is using a manual method, is the method outlined in detail so any user

will be able to follow it without making an error [b,c]?

•

If the organization is using an automated method, can the organization explain how the

technology performs the task? Can they explain the steps needed to implement [a,b,c]?

•

Can the organization provide evidence showing they have trust profiles for specific

devices [a,b,c]?

•

Can the organization explain how their system components authenticate to a system if

they are not using trust profiles [b,c]?

KEY REFERENCES

•

NIST SP 800-172 3.5.3e

IR.L3-3.6.1e – Security Operations Center

CMMC Assessment Guide – Level 3 | Version 2.13

40

Incident Response (IR)
IR.L3-3.6.1E – SECURITY OPERATIONS CENTER

Establish and maintain a security operations center capability that operates 24/7, with

allowance for remote/on-call staff.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] A security operations center capability is established;
[b] The security operations center capability operates 24/7, with allowance for remote/on-

call staff; and

[c] The security operations center capability is maintained.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Incident response policy; contingency planning policy; procedures

addressing incident handling; procedures addressing the security operations center

operations; mechanisms supporting dynamic response capabilities; incident response plan;

contingency plan; security plan; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for incident handling; organizational

personnel responsible for contingency planning; security operations center personnel;

organizational personnel responsible for information security].

Test
[SELECT FROM: Mechanisms that support and/or implement the security operations center

capability; mechanisms that support and/or implement the incident handling process].

DISCUSSION [NIST SP 800-172]

A security operations center (SOC) is the focal point for security operations and computer

network defense for an organization. The purpose of the SOC is to defend and monitor an

organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC

is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a

timely manner. The SOC is staffed with skilled technical and operational personnel (e.g.,

security analysts, incident response personnel, systems security engineers); in some

instances operates 24 hours per day, seven days per week; and implements technical,

management, and operational controls (e.g., monitoring, scanning, and forensics tools) to

IR.L3-3.6.1e – Security Operations Center

CMMC Assessment Guide – Level 3 | Version 2.13

41

monitor, fuse, correlate, analyze, and respond to security-relevant event data from multiple

sources. Sources of event data include perimeter defenses, network devices (e.g., gateways,

routers, and switches), and endpoint agent data feeds. The SOC provides a holistic situational

awareness capability to help organizations determine the security posture of the system and

organization. An SOC capability can be obtained in many ways. Larger organizations may

implement a dedicated SOC while smaller organizations may employ third-party

organizations to provide such a capability.
[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP

800-101] provide guidance on integrating forensic techniques into incident response. [NIST

SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184]

provides guidance on cybersecurity event recovery.

FURTHER DISCUSSION

Security operations centers are created to monitor and respond to suspicious activities

across an organization’s IT applications and infrastructure. A SOC may be implemented in a

variety of physical, virtual, and geographic constructs. The organization may also opt to not

hire their own staff but to engage a third-party external service provider to serve as their

SOC.
The SOC is typically comprised of multiple levels of cybersecurity analysts. Each tier of

cybersecurity analysts works on increasingly complex aspects of Incident Response. The SOC

may also have dedicated cybersecurity engineers to support configuration and management

of defensive cyber tools. The SOC may work with staff in IT operations who provide support

to the SOC.
SOC capabilities run 24/7, and while staff may not always be performing tasks for the SOC,

the capability alerts staff members and directs them to go to a facility or perform SOC actions

from a remote location. Staff members should be scheduled or on call to ensure they are

available when needed.

Example
You are the Chief Information Security Officer (CISO) of a medium-sized organization. To

meet the goal of 24/7 SOC operation, you have decided to adjust the current SOC, which

operates five days a week for 12 hours a day, by minimizing active staff members and hiring

trusted expert consultants to have on call at all times (i.e., seven days a week, 24 hours a day)

[a,b]. You design your SOC to be remotely accessible so your experts can access your

environment when needed. You also decide to set up a very strong automated capability that

is good at identifying questionable activities and alerting the appropriate staff. You create a

policy stating that after an alert goes out, two members of the SOC team must remotely

connect to the environment within 15 minutes to address the problem. All staff members

also have regular working hours during which they perform other SOC activities, such as

updating information to help the automated tool perform its functions [c].

IR.L3-3.6.1e – Security Operations Center

CMMC Assessment Guide – Level 3 | Version 2.13

42

Potential Assessment Considerations
•

How does the organization enable 24/7 SOC capabilities? Does the organization have

people in seats 24/7 or on-call members? If on-call members are used, what are the

trigger and alerting mechanisms that allow for 24/7 coverage [a,b]?

•

Does the organization have sufficient trained full-time equivalent staff to enable 24/7

SOC services [a,b]?

KEY REFERENCES

•

NIST SP 800-172 3.6.1e

IR.L3-3.6.2e – Cyber Incident Response Team

CMMC Assessment Guide – Level 3 | Version 2.13

43

IR.L3-3.6.2E – CYBER INCIDENT RESPONSE TEAM

Establish and maintain a cyber incident response team that can be deployed by the

organization within 24 hours.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] A cyber incident response team is established;
[b] The cyber incident response team can be deployed by the organization within 24 hours;

and

[c] The cyber incident response team is maintained.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Incident response policy; procedures addressing incident response;

incident response plan; security plan; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for incident response; organizational

personnel from the incident response team; organizational personnel responsible for

information security].

Test
[SELECT FROM: Mechanisms supporting and/or implementing incident response].

DISCUSSION [NIST SP 800-172]

A cyber incident response team (CIRT) is a team of experts that assesses, documents, and

responds to cyber incidents so that organizational systems can recover quickly and

implement the necessary controls to avoid future incidents. CIRT personnel include, for

example, forensic analysts, malicious code analysts, systems security engineers, and real-

time operations personnel. The incident handling capability includes performing rapid

forensic preservation of evidence and analysis of and response to intrusions. The team

members may or may not be full-time but need to be available to respond in the time period

required. The size and specialties of the team are based on known and anticipated threats.

The team is typically pre-equipped with the software and hardware (e.g., forensic tools)

necessary for rapid identification, quarantine, mitigation, and recovery and is familiar with

how to preserve evidence and maintain chain of custody for law enforcement or

counterintelligence uses. For some organizations, the CIRT can be implemented as a cross

organizational entity or as part of the Security Operations Center (SOC).

IR.L3-3.6.2e – Cyber Incident Response Team

CMMC Assessment Guide – Level 3 | Version 2.13

44

[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP

800-101] provide guidance on integrating forensic techniques into incident response. [NIST

SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184]

provides guidance on cybersecurity event recovery.

FURTHER DISCUSSION

The CIRT’s primary function is to handle information security incident management and

response for the environments the SOC oversees. The primary goals of the CIRT are triage

and initial response to an incident. They also communicate with all the proper people to

ensure understanding of an incident and the response actions, including collection of

forensic evidence, have been conveyed.
If and when an incident is detected by the organization’s SOC, the IR team is responsible for

handling the incident and communicating what has happened to the appropriate people

within the organization, as well to the authorities (as needed).
The deployment of a team does not necessarily mean they are “physically deployed.”

Deployment may simply mean connecting to a remote system in a manner that is equivalent

to being on the system’s keyboard. Remote access can provide just as much capability as local

access in many cases.
Some situations require physical access. For instance, if the company has a physically

isolated environment located at a remote location, a team must be physically present at the

remote facility to perform the duties required.

Example
You are the lead for an IR team within your organization. Your manager is the SOC lead, and

she reports to the chief information officer (CIO). As the SOC is alerted and/or identifies

incidents within the organization’s environments, you lead and deploy teams to resolve the

issues, including incidents involving cloud-based systems. You use a custom dashboard that

was created for your team members to view and manage incidents, perform response

actions, and record actions and notes for each case. You also have your team create an after

action report for all incidents to which they respond; this information is used to determine

if a given incident requires additional action and reporting [a].
One day, you receive a message from the SOC that your website has become corrupted.

Within minutes, you have a team on the system inspecting logs, analyzing applications,

preserving key information, and looking for evidence of tampering/attack [b]. Your team

runs through a procedure set for this specific incident type based on a handbook the

organization has created and maintains [c]. It is found that a cyberattack caused the

corruption, but the corruption caused a crash, which prevented the attack from continuing.

Your team takes note of all actions they perform, and at the end of the incident analysis, you

send a message to the website lead to inform them of the issue, case number, and notes

created by the team. The website lead has their team rebuild the system and validate that

the attack no longer works. At the end of the incident, the CISO and CIO are informed of the

issue.

IR.L3-3.6.2e – Cyber Incident Response Team

CMMC Assessment Guide – Level 3 | Version 2.13

45

Potential Assessment Considerations
•

Does the organization have a response capability that has remote access to the

organization’s systems and system components within 24 hours in place of physical

access [a,b]?

KEY REFERENCES

•

NIST SP 800-172 3.6.2e

PS.L3-3.9.2e – Adverse Information

CMMC Assessment Guide – Level 3 | Version 2.13

46

Personnel Security (PS)
PS.L3-3.9.2E – ADVERSE INFORMATION

Ensure that organizational systems are protected if adverse information develops or is

obtained about individuals with access to CUI.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Individuals with access to CUI are identified;
[b] Adverse information about individuals with access to CUI is defined;
[c] Organizational systems to which individuals have access are identified; and
[d] Mechanisms are in place to protect organizational systems if adverse information

develops or is obtained about individuals with access to CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Personnel security policy; system and services acquisition policy;

procedures addressing personnel screening; records of screened personnel; enterprise

architecture documentation; system design documentation; system architecture and

configuration documentation; security plan; list of individuals who have been identified as

posing an increased level of risk; list of appropriate access authorizations required for

system personnel; personnel screening criteria and associated documentation; other

relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for personnel security; organizational

personnel responsible for information security; organizational personnel responsible for

system and services acquisition; organizational personnel responsible for personnel

screening].

Test
[SELECT FROM: Organizational processes for personnel screening; mechanisms supporting

personnel screening].

PS.L3-3.9.2e – Adverse Information

CMMC Assessment Guide – Level 3 | Version 2.13

47

DISCUSSION [NIST SP 800-172]

If adverse information develops or is obtained about an individual with access to CUI which

calls into question whether the individual should have continued access to systems

containing CUI, actions are taken (e.g., preclude or limit further access by the individual,

audit actions taken by the individual) to protect the CUI while the adverse information is

resolved.

FURTHER DISCUSSION

According to Defense Counterintelligence and Security Agency, or DCSA (Industrial Security

Letter ISL 2011-04, revised July 15, 2020), adverse information consists of any information

that negatively reflects the integrity or character of an individual. This pertains to an

individual’s ability to safeguard sensitive information, such as CUI. Adverse information may

simply be a report showing someone has sent sensitive information outside the organization

or used unapproved software, against company policy. An organization may receive adverse

information about an individual through police reports, reported violations of company

policies (including social media posts that directly violate company policies), and revocation

or suspension of DoD clearance.
When adverse information is identified about a given individual, the organization should

take action to validate that information resources accessible by the individual have been

identified and appropriate protection mechanisms are in place to safeguard information and

system configurations. Based on organizational policy, an individual’s access to resources

may be more closely monitored or restricted until further review. Logs should be examined

to identify any attempt to perform unauthorized actions.

Example
You learn that one of your employees has been convicted on shoplifting charges. Based on

organizational policy, you report this information to human resources (HR), which verifies

the information with a criminal background check [a,b,c]. Per policy, you increase the

monitoring of the employee’s access to ensure that the employee does not exhibit patterns

of behavior consistent with an insider threat [d]. You maintain contact with HR as they

investigate the adverse information so that you can take stronger actions if required, such as

removing access to organizational systems.

Potential Assessment Considerations
•

Does the organization define the protection mechanisms for organizational systems if

adverse information develops or is obtained about an individual with access to CUI [d]?

KEY REFERENCES

•

NIST SP 800-172 3.9.2e

RA.L3-3.11.1e – Threat-Informed Risk Assessment

CMMC Assessment Guide – Level 3 | Version 2.13

48

Risk Assessment (RA)
RA.L3-3.11.1E – THREAT-INFORMED RISK ASSESSMENT

Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-

provided sources, as part of a risk assessment to guide and inform the development of

organizational systems, security architectures, selection of security solutions, monitoring,

threat hunting, and response and recovery activities.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP1] Sources of threat intelligence are defined;
[a] A risk assessment methodology is identified;
[b] Threat intelligence, at a minimum from open or commercial sources, and any

DoD-provided sources, are employed as part of a risk assessment to guide and inform the

development of organizational systems and security architectures;

[c] Threat intelligence, at a minimum from open or commercial sources, and any

DoD-provided sources, are employed as part of a risk assessment to guide and inform the

selection of security solutions;

[d] Threat intelligence, at a minimum from open or commercial sources, and any

DoD-provided sources, are employed as part of a risk assessment to guide and inform

system monitoring activities;

[e] Threat intelligence, at a minimum from open or commercial sources, and any

DoD-provided sources, are employed as part of a risk assessment to guide and inform

threat hunting activities; and

[f] Threat intelligence, at a minimum from open or commercial sources, and any

DoD-provided sources, are employed as part of a risk assessment to guide and inform

response and recovery activities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Information security program plan; risk assessment policy; threat

awareness program documentation; procedures for the threat awareness program; security

planning policy and procedures; procedures addressing organizational assessments of risk;

threat hunting program documentation; procedures for the threat hunting program; risk

assessment results relevant to threat awareness; threat hunting results; list or other

documentation on the cross-organization, information-sharing capability; security plan; risk

assessment; risk assessment results; risk assessment reviews; risk assessment updates;

RA.L3-3.11.1e – Threat-Informed Risk Assessment

CMMC Assessment Guide – Level 3 | Version 2.13

49

contingency planning policy; contingency plan; incident response policy; incident response

plan; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security program

planning and plan implementation; organizational personnel responsible for the threat

awareness and threat hunting programs; organizational personnel responsible for risk

assessments; organizational personnel responsible for the cross-organization, information-

sharing capability; organizational personnel responsible for information security;

organizational personnel responsible for contingency planning; organizational personnel

responsible for incident response; personnel with whom threat awareness information is

shared by the organization].

Test
[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness

program; mechanisms supporting and/or implementing the cross-organization,

information-sharing capability; mechanisms supporting and/or implementing the threat

hunting program; mechanisms for conducting, documenting, reviewing, disseminating, and

updating risk assessments; mechanisms supporting and/or implementing contingency

plans; mechanisms supporting and/or implementing incident response plans].

DISCUSSION [NIST SP 800-172]

The constant evolution and increased sophistication of adversaries, especially the APT,

makes it more likely that adversaries can successfully compromise or breach organizational

systems. Accordingly, threat intelligence can be integrated into each step of the risk

management process throughout the system development life cycle. This risk management

process includes defining system security requirements, developing system and security

architectures, selecting security solutions, monitoring (including threat hunting), and

remediation efforts.
[NIST SP 800-30] provides guidance on risk assessments. [NIST SP 800-39] provides

guidance on the risk management process. [NIST SP 800-160-1] provides guidance on

security architectures and systems security engineering. [NIST SP 800-150] provides

guidance on cyber threat information sharing.

FURTHER DISCUSSION

An organization consumes threat intelligence and improves their security posture based on

the intelligence relevant to that organization and/or a system(s). The organization can

obtain threat intelligence from open or commercial sources but must also use any

DoD-provided sources. Threat information can be received in high volumes from various

providers and must be processed and analyzed by the organization. It is the responsibility of

the organization to process the threat information in a manner that is useful and actionable

to their needs. Processing, analyzing, and extracting the intelligence from the threat feeds

RA.L3-3.11.1e – Threat-Informed Risk Assessment

CMMC Assessment Guide – Level 3 | Version 2.13

50

and applying it to all organizational security engineering needs is the primary benefit of this

requirement. Note that more than one source is required to meet assessment objectives.

Example
Your organization receives a commercial threat intelligence feed from FIRST and

government threat intelligence feeds from both USCERT and DoD/DC3 to help learn about

recent threats and any additional information the threat feeds provide [b,c,d,e,f]. Your

organization uses the threat intelligence for multiple purposes:
•

To perform up-to-date risk assessments for the organization [a];

•

To add rules to the automated system put in place to identify threats (indicators of

compromise, or IOCs) on the organization’s network [e];

•

To guide the organization in making informed selections of security solutions [c];

•

To shape the way the organization performs system monitoring activities [d];

•

To manage the escalation process for identified incidents, handling specific events, and

performing recovery actions [f];

•

To provide additional information to the hunt team to identify threat activities [e];

•

To inform the development and design decisions for organizational systems and the

overall security architecture, as well as the network architecture [b,c];

•

To assist in decision-making regarding systems that are part of the primary network and

systems that are placed in special enclaves for additional protections [b]; and

•

To determine additional security measures based on current threat activities taking place

in similar industry networks [c,d,e,f].

Potential Assessment Considerations
•

Does the organization detail how threat feed information is to be ingested, analyzed, and

used [a]?

•

Can the organization’s SOC or hunt teams discuss how they use the threat feed

information after it is processed [e,f]?

KEY REFERENCES

•

NIST SP 800-172 3.11.1e

RA.L3-3.11.2e – Threat Hunting

CMMC Assessment Guide – Level 3 | Version 2.13

51

RA.L3-3.11.2E – THREAT HUNTING

Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications

warrant, to search for indicators of compromise in organizational systems and detect, track,

and disrupt threats that evade existing controls.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP4] Organizational systems to search for indicators of compromise are defined;
[a] Indicators of compromise are identified;
[b] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when

indications warrant, to search for indicators of compromise in organizational systems;

and

[c] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when

indications warrant, to detect, track, and disrupt threats that evade existing controls.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: System and information integrity policy; policy and procedures addressing

system monitoring; threat hunting program documentation; procedures for the threat

hunting program; threat hunting results; system design documentation; security plan;

system monitoring tools and techniques documentation; security planning policy and

procedures; system configuration settings and associated documentation; system

monitoring logs or records; system audit records; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for threat hunting program;

system/network administrators; organizational personnel responsible for information

security; system developers; organizational personnel installing, configuring, and/or

maintaining the system; organizational personnel responsible for monitoring the system

and/or network].

Test
[SELECT FROM: Mechanisms supporting and/or implementing a threat hunting program;

mechanisms supporting and/or implementing a system monitoring capability; mechanisms

supporting and/or supporting and/or implementing incident response plans].

DISCUSSION [NIST SP 800-172]

Threat hunting is an active means of defense that contrasts with traditional protection

measures, such as firewalls, intrusion detection and prevention systems, quarantining

RA.L3-3.11.2e – Threat Hunting

CMMC Assessment Guide – Level 3 | Version 2.13

52

malicious code in sandboxes, and Security Information and Event Management (SIEM)

technologies and systems. Cyber threat hunting involves proactively searching

organizational systems, networks, and infrastructure for advanced threats. The objective is

to track and disrupt cyber adversaries as early as possible in the attack sequence and to

measurably improve the speed and accuracy of organizational responses. Indicators of

compromise are forensic artifacts from intrusions that are identified on organizational

systems at the host or network level and can include unusual network traffic, unusual file

changes, and the presence of malicious code.
Threat hunting teams use existing threat intelligence and may create new threat information,

which may be shared with peer organizations, Information Sharing and Analysis

Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant

government departments and agencies. Threat indicators, signatures, tactics, techniques,

procedures, and other indicators of compromise may be available via government and non-

government cooperatives, including Forum of Incident Response and Security Teams, United

States Computer Emergency Response Team, Defense Industrial Base Cybersecurity

Information Sharing Program, and CERT Coordination Center.
[NIST SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk

modeling. [NIST SP 800-160-2] provides guidance on systems security engineering and

cyber resiliency. [NIST SP 800-150] provides guidance on cyber threat information sharing.

FURTHER DISCUSSION

For this requirement, threat hunting is conducted on an on-going aperiodic basis. On-going

aperiodic refers to activities that happen over and over but without an identifiable repeating

pattern over time. For threat hunting, on-going activities take place in an automated manner

(e.g., collecting logs, automated analysis, and alerts). Aperiodicity includes humans

performing the hunt activities, which take place on an as-needed or as-planned basis.
APTs can penetrate an environment by means that defeat or avoid conventional monitoring

methods and alert triggers—for example, by using zero-day attacks. Zero-day attacks

become known only after the attack has happened and alerts are sent via threat intelligence

feeds based on expert analysis. Because of the nature of zero-day attacks, automated alerts

do not generally trigger when the event occurs but the activity is captured in system logs and

forwarded for analysis and retention by the SIEM. Threat intelligence information is typically

used by hunt teams to search SIEM systems, system event and security logs, and other

components to identify activity that has already taken place on an environment. The hunt

team will identify systems related to the event(s) and pass the case to Incident Response

team for action on the event(s). The hunt team will also use indicators to identify smaller

components of an attack and search for that activity, which may help uncover a broader

attack on the environment.
Threat hunting can also look for anomalous behavior or activity based on an organization’s

normal pattern of activity. Understanding the roles and information flows within an

organization can help identify activity that might be indicative of adversary behavior before

the adversary completes their attack or mission.

RA.L3-3.11.2e – Threat Hunting

CMMC Assessment Guide – Level 3 | Version 2.13

53

Example
You are the lead for your organization’s cyber threat hunting team. You have local and

remote staff on the team to process threat intelligence. Your team is tied closely with the SOC

and IR teams. Through a DoD (DC3) intelligence feed, you receive knowledge of a recent

APT’s attacks on defense contractors. The intelligence feed provided the indicators of

compromise for a zero-day attack that most likely started within the past month. After

receiving the IOCs, you use a template for your organization to place the information in a

standard format your team understands. You then email the information to your team

members and place the information in your hunt team’s dashboard, which tracks all IOCs [a].
Your team starts by using the information to hunt for IOCs on the environment [b]. One of

your team members quickly responds, providing information from the SIEM that an HR

system’s logs show evidence that IOCs related to this threat occurred three days ago. The

team contacts the owner of the system as they take the system offline into a quarantined

environment. Your team pulls all logs from the system and clones the storage on the system.

Members go through the logs to look for other systems that may be part of the APT’s attack

[c]. While the team is cloning the storage system for evidence, you alert the IR team about

the issue. After full forensics of the system, your team has verified your company has been

hit by the APT, but nothing was taken and no additional attacks happened. You also alert DoD

(DC3) about the finding and discuss the matter with them. There is an after action report and

a briefing given to management to make them aware of the issue.

Potential Assessment Considerations
•

Does the organization have a methodology for performing cyber threat hunting actions

[b,c]?

•

Has the organization defined all organizational systems within scope of cyber threat

hunting, including valid and approved documentation for any organization systems that

are not within scope [b,c]?

•

Has the organization identified a specific set of individuals to perform cyber threat

hunting [b,c]?

•

Does the threat hunting team have qualified staff members using the threat feed

information [b,c]?

•

Does the threat hunting team use combinations of events to determine suspicious

behaviors [b,c]?

•

Does the organization have a documented list of trusted threat feeds that are used by

their cyber hunt teams as the latest indicators of compromise during their efforts [a]?

•

Does the organization have a clear methodology for processing threat feed information

and turning it into actionable information they can use for their threat hunting approach

[a]?

KEY REFERENCES

•

NIST SP 800-172 3.11.2e

RA.L3-3.11.3e – Advanced Risk Identification

CMMC Assessment Guide – Level 3 | Version 2.13

54

RA.L3-3.11.3E – ADVANCED RISK IDENTIFICATION

Employ advanced automation and analytics capabilities in support of analysts to predict and

identify risks to organizations, systems, and system components.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Advanced automation and analytics capabilities to predict and identify risks to

organizations, systems, and system components are identified;

[b] Analysts to predict and identify risks to organizations, systems, and system components

are identified; and

[c] Advanced automation and analytics capabilities are employed in support of analysts to

predict and identify risks to organizations, systems, and system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: System and information integrity policy; risk assessment policy; security

planning policy and procedures; procedures addressing organizational assessments of risk;

procedures addressing system monitoring; enterprise architecture documentation; system

design documentation; system architecture and configuration documentation; system

monitoring tools and techniques documentation; system configuration settings and

associated documentation; system monitoring logs or records; system audit records;

security plan; risk assessment artifacts; risk assessment results; risk assessment reviews;

risk assessment updates; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

organizational personnel responsible for risk assessments; risk analysts; system developers;

organizational personnel installing, configuring, and/or maintaining the system;

organizational personnel responsible for monitoring; system/network administrators].

Test
[SELECT FROM: Automated mechanisms supporting and/or implementing risk analytics

capabilities; automated mechanisms supporting and/or implementing system monitoring

capability; automated mechanisms supporting and/or implementing the discovery,

collection, distribution, and use of indicators of compromise; automated mechanisms for

conducting, documenting, reviewing, disseminating, and updating risk assessments].

RA.L3-3.11.3e – Advanced Risk Identification

CMMC Assessment Guide – Level 3 | Version 2.13

55

DISCUSSION [NIST SP 800-172]

A properly resourced Security Operations Center (SOC) or Computer Incident Response

Team (CIRT) may be overwhelmed by the volume of information generated by the

proliferation of security tools and appliances unless it employs advanced automation and

analytics to analyze the data. Advanced automation and predictive analytics capabilities are

typically supported by artificial intelligence concepts and machine learning. Examples

include Automated Workflow Operations, Automated Threat Discovery and Response

(which includes broad-based collection, context-based analysis, and adaptive response

capabilities), and machine-assisted decision tools.
[NIST SP 800-30] provides guidance on risk assessments and risk analyses.

FURTHER DISCUSSION

Advanced automation includes tools to correlate and reduce the cyber data overload created

by defensive tools, making the data understandable to the analyst. Automation also allows

the defensive mechanisms to respond rapidly when adversary events are identified.

Examples of such capabilities are SIEM; Security Orchestration, Automation, and Response

(SOAR); and Extended Detection and Response (XDR) tools. An example of an automated

rapid response action is a security alert being pushed to the SIEM while the organization’s

SOAR solution communicates to the network firewall to block communications to the remote

system identified in the security alert.
SIEM is primarily a log collection tool intended to support data storage and analysis. It

collects and sends alerts to security personnel for further investigation. SOAR is a software

stack that enables an organization to collect data about security threats and respond to

security events without human assistance in order to improve security operations.

Orchestration connects and integrates disparate internal and external tools. Automation, fed

by the data and alerts collected from security orchestration, ingests and analyzes data and

creates repeated, automated responses. SOAR incorporates these capabilities based on the

SIEM data and enables disparate security tools to coordinate with one another. SOAR can use

artificial intelligence to predict and respond to similar future threats, if such tools are

employed.
XDR streamlines security data ingestion, analysis, prevention, and remediation workflows

across an organization’s entire security stack, providing a single console to view and act on

threat data. However, the presence of these tools by themselves does not necessarily provide

an advanced capability. It is essential that the security team employ critical thinking in

support of the intrusion detection and threat hunting processes.

Example
You are responsible for information security in your organization. The organization holds

and processes CUI in an enterprise. To protect that data, you want to minimize phishing

attacks through the use of Security Orchestration and Automated Response (SOAR). Rather

than relying on analysts to manually inspect each inbound item, emails containing links

and/or attachments are processed by your automation playbook. Implementation of these

RA.L3-3.11.3e – Advanced Risk Identification

CMMC Assessment Guide – Level 3 | Version 2.13

56

processes involves sending all email links and attachments to detonation chambers or

sandboxes prior to delivery to the recipient. When the email is received, SOAR extracts all

URL links and attachments from the content and sends them for analysis and testing [a]. The

domains in the URLs and the full URLs are processed against bad domain and URL lists. Next,

a browser in a sandbox downloads the URLs for malware testing. Lastly, any attachments are

sent to detonation chambers to identify if they attempt malicious activities. The hash of the

attachments is sent to services to identify if it is known malware [b]. If any one of the items

triggers a malware warning from the sandbox, detonation chamber, domain/URL validation

service, attachment hash check services, or AV software, an alert about the original email is

sent to team members with the recommendation to quarantine it. The team is given the

opportunity to select a “take action” button, which would have the SOAR solution take

actions to block that email and similar emails from being received by the organization [c].

Potential Assessment Considerations
•

Has the organization implemented a security information and event management system

[a,c]?

•

Has the organization implemented security orchestration, automation, and response

tools [a,b,c]?

•

Does the organization use automated processing integrated with the SIEM system to

perform analytics [c]?

•

Can the organization demonstrate use of relevant threat data to inform detection

methods that in turn provide automated alerts/recommendations [c]?

•

Has the organization implemented an extended detection capability [c]?

•

Does the organization have the ability to merge traditional cyber data, such as network

packet captures (e.g., PCAP), or process logs with enrichment data, such as reputation or

categorization data [c]?

•

Can the organization provide examples of both basic and emerging analytics used to

analyze alert anomalies, e.g., both simple queries and unsupervised machine learning

algorithms that both improve their effectiveness and automatically filter, reduce, or

enrich alerting capabilities [c]?

KEY REFERENCES

•

NIST SP 800-172 3.11.3e

RA.L3-3.11.4e – Security Solution Rationale

CMMC Assessment Guide – Level 3 | Version 2.13

57

RA.L3-3.11.4E – SECURITY SOLUTION RATIONALE

Document or reference in the system security plan the security solution selected, the

rationale for the security solution, and the risk determination.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] The system security plan documents or references the security solution selected;
[b] The system security plan documents or references the rationale for the security solution;

and

[c] The system security plan documents or references the risk determination.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: system security plan; records of security plan reviews and updates; system

design documentation; security planning policy; procedures addressing security plan

development; procedures addressing security plan reviews and updates; enterprise

architecture documentation; enterprise security architecture documentation; system

interconnection security agreements and other information exchange agreements; other

relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

organizational personnel responsible for developing, implementing, or approving system

interconnection and information exchange agreements; personnel managing the systems to

which the Interconnection Security Agreement/Information Exchange Agreement applies;

system developers; organizational personnel responsible for security planning and plan

implementation; organizational personnel responsible for boundary protection; system

developers; system/network administrators].

Test
[SELECT FROM: Organizational processes for security plan development, review, update,

and approval].

DISCUSSION [NIST SP 800-172]

System security plans relate security requirements to a set of security controls and solutions.

The plans describe how the controls and solutions meet the security requirements. For the

enhanced security requirements selected when the APT is a concern, the security plan

provides traceability between threat and risk assessments and the risk-based selection of a

security solution, including discussion of relevant analyses of alternatives and rationale for

RA.L3-3.11.4e – Security Solution Rationale

CMMC Assessment Guide – Level 3 | Version 2.13

58

key security-relevant architectural and design decisions. This level of detail is important as

the threat changes, requiring reassessment of the risk and the basis for previous security

decisions.
When incorporating external service providers into the system security plan, organizations

state the type of service provided (e.g., software as a service, platform as a service), the point

and type of connections (including ports and protocols), the nature and type of the

information flows to and from the service provider, and the security controls implemented

by the service provider. For safety critical systems, organizations document situations for

which safety is the primary reason for not implementing a security solution (i.e., the solution

is appropriate to address the threat but causes a safety concern).
[NIST SP 800-18] provides guidance on the development of system security plans.

FURTHER DISCUSSION

The System Security Plan (SSP) is a fundamental component of an organization’s security

posture. When solutions for implementing a requirement have differing levels of capabilities

associated with their implementation, it is essential that the plan specifically document the

rationale for the selected solution and what was acquired for the implementation. This

information allows the organization to monitor the environment for threat changes and

identify which solutions may no longer be applicable. While not required, it may also be

useful to document alternative solutions reviewed and differing levels of risk associated with

each alternative, as that information may facilitate future analyses when the threat changes.

In addition to the implementations required for Level 2 certification, which may not be risk

based, at Level 3, the SSP must carefully document the link between the assessed threat and

the risk-based selection of a security solution for the enhanced security requirements (i.e.,

all CMMC L3 requirements derived from NIST SP 800-172).

Example
You are responsible for information security in your organization. Following CMMC

requirement RA.L3-3.11.1e – Threat Informed Risk Assessment, your team uses threat

intelligence to complete a risk assessment and make a risk determination for all elements of

your enterprise. Based on that view of risk, your team decides that requirement

RA.L3-3.11.2e – Threat Hunting is a requirement that is very important in protecting your

organization’s use of CUI, and you have determined the solution selected could potentially

add risk. You want to detect an adversary as soon as possible when they breach the network

before any CUI can be exfiltrated. However, there are multiple threat hunting solutions, and

each solution has a different set of features that will provide different success rates in

identifying IOCs.
As a result, some solutions increase the risk to the organization by being less capable in

detecting and tracking an adversary in your networks. To reduce risk, you evaluate five

threat hunting solutions and in each case determine the number of IOCs for which there is a

monitoring mechanism. You pick the solution that is cost effective, easy to operate, and

optimizes IOC detection for your enterprise; purchase, install, and train SOC personnel on its

use; and document the risk-based analysis of alternatives in the SSP. In creating that

RA.L3-3.11.4e – Security Solution Rationale

CMMC Assessment Guide – Level 3 | Version 2.13

59

documentation in the SSP, you follow the guidance found in NIST SP 800-18, Guide for

Developing Security Plans for Federal Information Systems [a,b,c].

Potential Assessment Considerations
•

Has the organization completed a risk assessment and made a risk determinations for

enterprise components that need to be protected [c]?

•

Can the organization identify what is being protected and explain why specific protection

solutions were selected [a,b]?

•

Have all the decisions been documented in the SSP [a,b,c]?

KEY REFERENCES

•

NIST SP 800-172 3.11.4e

RA.L3-3.11.5e – Security Solution Effectiveness

CMMC Assessment Guide – Level 3 | Version 2.13

60

RA.L3-3.11.5E – SECURITY SOLUTION EFFECTIVENESS

Assess the effectiveness of security solutions at least annually or upon receipt of relevant

cyber threat information, or in response to a relevant cyber incident, to address anticipated

risk to organizational systems and the organization based on current and accumulated threat

intelligence.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Security solutions are identified;
[b] Current and accumulated threat intelligence is identified;
[c] Anticipated risk to organizational systems and the organization based on current and

accumulated threat intelligence is identified; and

[d] The effectiveness of security solutions is assessed at least annually or upon receipt of

relevant cyber threat information, or in response to a relevant cyber incident, to address

anticipated risk to organizational systems and the organization based on current and

accumulated threat intelligence.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Risk assessment policy; security planning policy and procedures; security

assessment policy and procedures; security assessment plans; security assessment results;

procedures addressing organizational assessments of risk; security plan; risk assessment;

risk assessment results; risk assessment reviews; risk assessment updates; threat

intelligence information; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for security assessments;

organizational personnel responsible for risk assessments; organizational personnel

responsible for threat analysis; organizational personnel responsible for information

security].

Test
[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,

disseminating, and updating risk assessments; mechanisms supporting and/or

implementing security assessments].

RA.L3-3.11.5e – Security Solution Effectiveness

CMMC Assessment Guide – Level 3 | Version 2.13

61

DISCUSSION [NIST SP 800-172]

Threat awareness and risk assessment of the organization are dynamic, continuous, and

inform system operations, security requirements for the system, and the security solutions

employed to meet those requirements. Threat intelligence (i.e., threat information that has

been aggregated, transformed, analyzed, interpreted, or enriched to help provide the

necessary context for decision making) is infused into the risk assessment processes and

information security operations of the organization to identify any changes required to

address the dynamic threat environment.
[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk

analyses.

FURTHER DISCUSSION

This requirement requires the organization to analyze threat intelligence and consider the

effectiveness of currently deployed cybersecurity solutions against existing, new, and

emerging threats. The goal is to understand the risk to the systems and the organization

based on threat intelligence and to make adjustments to security solutions to reduce the risk

to an acceptable level. Analysis of solutions should include analysis of operational system

settings of the deployed systems and not be solely a conceptual capability analysis. This

analysis includes verifying configuration settings are configured as desired by the

organization and have not been changed over time.
Threat information can be thought of as raw data that may be limited in terms of evaluating

the effectiveness of controls across the enterprise. For example, knowledge of a threat that

has not been correlated with other threats may result in evaluation of an implementation

that only provides partial protection for one set of systems when, in fact, the emerging threat

is applicable to the entire enterprise. Large organizations may also have the resources to

aggregate, transform, analyze, correlate, interpret, and enrich information to support

decision-making about adequacy of existing security mechanisms and methods.

Example
You are responsible for information security in your organization, which holds and

processes CUI. The organization subscribes to multiple threat intelligence sources [b]. In

order to assess the effectiveness of current security solutions, the security team analyzes any

new incidents reported in the threat feed. They identify weaknesses that were leveraged by

malicious actors and subsequently look for similar weaknesses in their own security

architecture[a,c]. This analysis is passed to the architecture team for engineering change

recommendations, including system patching guidance, new sensors, and associated alerts

that should be generated, and to identify ways to mitigate, transfer, or accept the risk

necessary to respond to events if they occur within their own organization [d].

RA.L3-3.11.5e – Security Solution Effectiveness

CMMC Assessment Guide – Level 3 | Version 2.13

62

Potential Assessment Considerations
•

Does the organization make adjustments during an incident or operational

improvements after an incident has occurred [d]?

•

Has the organization implemented an analytical process to assess the effectiveness of

security solutions against new or compiled threat intelligence [b,c,d]?

•

Has the organization implemented a process to identify if an operational security

solution fails to contribute to the protections needed against specific adversarial actions

based on new threat intelligence [a,b,c,d]?

KEY REFERENCES

•

NIST SP 800-172 3.11.5e

RA.L3-3.11.6e – Supply Chain Risk Response

CMMC Assessment Guide – Level 3 | Version 2.13

63

RA.L3-3.11.6E – SUPPLY CHAIN RISK RESPONSE

Assess, respond to, and monitor supply chain risks associated with organizational systems

and system components.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Supply chain risks associated with organizational systems and system components are

identified;

[b] Supply chain risks associated with organizational systems and system components are

assessed;

[c] Supply chain risks associated with organizational systems and system components are

responded to; and

[d] Supply chain risks associated with organizational systems and system components are

monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Risk assessment policy; procedures addressing organizational assessments

of risk; security planning policy and procedures; supply chain risk management plan;

security plan; risk assessment; risk assessment results; risk assessment reviews; risk

assessment updates; threat intelligence information; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

organizational personnel responsible for risk assessments; organizational personnel

responsible for supply chain risk management].

Test
[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,

disseminating, and updating risk assessments].

DISCUSSION [NIST SP 800-172]

Supply chain events include disruption, use of defective components, insertion of

counterfeits, theft, malicious development practices, improper delivery practices, and

insertion of malicious code. These events can have a significant impact on a system and its

information and, therefore, can also adversely impact organizational operations (i.e.,

mission, functions, image, or reputation), organizational assets, individuals, other

organizations, and the Nation. The supply chain-related events may be unintentional or

malicious and can occur at any point during the system life cycle. An analysis of supply chain

RA.L3-3.11.6e – Supply Chain Risk Response

CMMC Assessment Guide – Level 3 | Version 2.13

64

risk can help an organization identify systems or components for which additional supply

chain risk mitigations are required.
[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk

analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.

FURTHER DISCUSSION

Organizations will have varying policies, definitions, and actions for this requirement. It is

important for a single organization to be consistent and to build a process that makes sense

for their organization, strategy, unique supply chain, and the technologies available to them.

Example
You are responsible for information security in your organization, which holds and

processes CUI. One of your responsibilities is to manage risk associated with your supply

chain that may provide an entry point for the adversary. First, you acquire threat information

by subscribing to reports that identify supply chain attacks in enough detail that you are able

to identify the risk points in your organization’s supply chain [a]. You create an organization-

defined prioritized list of risks the organization may encounter and determine the responses

to be implemented to mitigate those risks [b,c].
In addition to incident information, the intelligence provider also makes recommendations

for monitoring and auditing your supply chain. You assess, integrate, correlate, and analyze

this information so you can use it to acquire monitoring tools to help identify supply chain

events that could be an indicator of an incident. This monitoring tool provides visibility of

the entire attack surface, including your vendors’ security posture [d]. Second, you analyze

the incident information in the intelligence report to help identify defensive tools that will

help respond to each of those known supply chain attack techniques as soon as possible after

such an incident is detected, thus mitigating risk associated with known techniques.

Potential Assessment Considerations
•

Has the organization prioritized risks to the supply chain [a,b]?

•

Does the organization have viable service-level agreements that describe and enable

responses to supply chain incidents [c,d]?

KEY REFERENCES

•

NIST SP 800-172 3.11.6e

RA.L3-3.11.7e – Supply Chain Risk Plan

CMMC Assessment Guide – Level 3 | Version 2.13

65

RA.L3-3.11.7E – SUPPLY CHAIN RISK PLAN

Develop a plan for managing supply chain risks associated with organizational systems and

system components; update the plan at least annually, and upon receipt of relevant cyber

threat information, or in response to a relevant cyber incident.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Supply chain risks associated with organizational systems and system components are

identified;

[b] Organizational systems and system components to include in a supply chain risk

management plan are identified;

[c] A plan for managing supply chain risks associated with organizational systems and

system components is developed; and

[d] The plan for managing supply chain risks is updated at least annually, and upon receipt

of relevant cyber threat information, or in response to a relevant cyber incident.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Risk assessment policy; supply chain risk management plan; security

planning policy and procedures; procedures addressing organizational assessments of risk;

security plan; risk assessment; risk assessment results; risk assessment reviews; risk

assessment updates; threat intelligence information; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

organizational personnel responsible for risk assessments; organizational personnel

responsible for supply chain risk management].

Test
[SELECT FROM: Automated mechanisms supporting, conducting, documenting, reviewing,

disseminating, and updating risk assessments].

DISCUSSION [NIST SP 800-172]

The growing dependence on products, systems, and services from external providers, along

with the nature of the relationships with those providers, present an increasing level of risk

to an organization. Threat actions that may increase risk include the insertion or use of

counterfeits, unauthorized production, tampering, theft, insertion of malicious software and

hardware, and poor manufacturing and development practices in the supply chain. Supply

chain risks can be endemic or systemic within a system element or component, a system, an

RA.L3-3.11.7e – Supply Chain Risk Plan

CMMC Assessment Guide – Level 3 | Version 2.13

66

organization, a sector, or the Nation. Managing supply chain risk is a multifaceted

undertaking that requires a coordinated effort across an organization to build trust

relationships and communicate with both internal and external stakeholders. Supply chain

risk management (SCRM) activities involve identifying and assessing risks, determining

appropriate mitigating actions, developing SCRM plans to document selected mitigating

actions, and monitoring performance against plans. SCRM plans address requirements for

developing trustworthy, secure, and resilient systems and system components, including the

application of the security design principles implemented as part of life cycle-based systems

security engineering processes.
[NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.

FURTHER DISCUSSION

An organization is required to have a supply chain risk management plan that assesses and

responds to the identified risks from those organizations that provide IT products or

services, including any cloud or other third-party services with a role in the operation of the

system. The organization should be cognizant of services outside the scope of the system but

required for the operation of the system as part of their plan. Since the cyber environment

changes rapidly and continuously, it is equally important for the organization to update the

plan in response to supply chain cyber incidents or emerging information.

Example
You are responsible for information security in your organization, and you have created a

supply chain risk management plan [a,b,c]. One of the organization’s suppliers determines

that it has been the victim of a cyberattack. Your security team meets with the supplier to

determine the nature of the attack and to understand the adversary, the attack, the potential

for corruption of delivered goods or services, and current as well as future risks. The

understanding of the supply chain will help protect the local environment. Subsequently, you

update the risk management plan to include a description of the necessary configuration

changes or upgrades to monitoring tools to improve the ability to identify the new risks, and

when improved tools are available, you document the acquisition of defensive tools and

associated functionality to help mitigate any of the identified techniques [d].

Potential Assessment Considerations
•

Does the organization’s current supply chain risk management plan apply across the

enterprise, or does it only apply to a limited portion of the supply chain [b]?

KEY REFERENCES

•

NIST SP 800-172 3.11.7e

CA.L3-3.12.1e – Penetration Testing

CMMC Assessment Guide – Level 3 | Version 2.13

67

Security Assessment (CA)
CA.L3-3.12.1E – PENETRATION TESTING

Conduct penetration testing at least annually or when significant security changes are made

to the system, leveraging automated scanning tools and ad hoc tests using subject matter

experts.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Automated scanning tools are identified;
[b] Ad hoc tests using subject matter experts are identified; and
[c] Penetration testing is conducted at least annually or when significant security changes

are made to the system, leveraging automated scanning tools and ad hoc tests using

subject matter experts.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Security assessment policy; procedures addressing penetration testing;

security plan; security assessment plan; penetration test report; security assessment report;

security assessment evidence; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for security assessments; penetration

testing team; system/network administrators; organizational personnel responsible for

information security].

Test
[SELECT FROM: Automated mechanisms supporting security assessments; automated

mechanisms supporting penetration testing].

DISCUSSION [NIST SP 800-172]

Penetration testing is a specialized type of assessment conducted on systems or individual

system components to identify vulnerabilities that could be exploited by adversaries.

Penetration testing goes beyond automated vulnerability scanning. It is conducted by

penetration testing agents and teams with particular skills and experience that include

technical expertise in network, operating system, and application-level security. Penetration

testing can be used to validate vulnerabilities or determine a system’s penetration resistance

to adversaries within specified constraints. Such constraints include time, resources, and

CA.L3-3.12.1e – Penetration Testing

CMMC Assessment Guide – Level 3 | Version 2.13

68

skills. Organizations may also supplement penetration testing with red team exercises. Red

teams attempt to duplicate the actions of adversaries in carrying out attacks against

organizations and provide an in-depth analysis of security-related weaknesses or

deficiencies.
Organizations can use the results of vulnerability analyses to support penetration testing

activities. Penetration testing can be conducted internally or externally on the hardware,

software, or firmware components of a system and can exercise both physical and technical

controls. A standard method for penetration testing includes pretest analysis based on full

knowledge of the system, pretest identification of potential vulnerabilities based on the

pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All

parties agree to the specified rules of engagement before the commencement of penetration

testing. Organizations correlate the rules of engagement for penetration tests and red

teaming exercises (if used) with the tools, techniques, and procedures that they anticipate

adversaries may employ. The penetration testing or red team exercises may be organization-

based or external to the organization. In either case, it is important that the team possesses

the necessary skills and resources to do the job and is objective in its assessment.
[NIST SP 800-53A] provides guidance on conducting security assessments.

FURTHER DISCUSSION

It is important that the organization has a repeatable penetration testing capability,

regardless of who performs the penetration testing. This requirement entails performing

tests against components of the organization’s architecture to identify cyber weaknesses and

vulnerabilities. It does not mean everything in the architecture requires penetration testing.

This requirement provides findings and mitigation strategies that benefit the organization

and help create a stronger environment against adversary efforts. It may be beneficial for

the organization to define the scope of penetration testing. The organization’s approach may

involve hiring an expert penetration testing team to perform testing on behalf of the

organization. When an organization has penetration testing performed, either by an internal

team or external firm, they should establish rules of engagement and impose limits on what

can be performed by the penetration test team(s).
Ensuring the objectivity of the test team is important as well. Potential conflicts of interest,

such as having internal testers report directly or indirectly to network defenders or an

external test team contracted by network defense leadership, must be carefully managed by

organizational leadership.
Reports on the findings should be used by the organization to determine where to focus

funding, staffing, training, or technical improvements for future mitigation strategies.

CA.L3-3.12.1e – Penetration Testing

CMMC Assessment Guide – Level 3 | Version 2.13

69

Example
You are responsible for information security in your organization. Leveraging a contract

managed by the CIO, you hire an external expert penetration team annually to test the

security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same

firm annually or on an ad hoc basis when significant changes are made to the architecture or

components that affect security [b,c].

Potential Assessment Considerations
•

Does the organization have internal team members who possess the proper level of

expertise to perform a valued penetration testing effort [b]?

•

If the penetration testing is performed by an internal team, are the individuals

performing the testing objectively [b]?

•

Is a penetration testing final report provided to the internal team responsible for

organizational defense?

•

If previous penetration tests have been conducted, can the organization provide samples

of penetration test plans, findings reports, and mitigation guidance based on the findings

[a,b,c]?

KEY REFERENCES

•

NIST SP 800-172 3.12.1e

SC.L3-3.13.4e – isolation

CMMC Assessment Guide – Level 3 | Version 2.13

70

System and Communications Protection (SC)
SC.L3-3.13.4E – ISOLATION

Employ physical isolation techniques or logical isolation techniques or both in organizational

systems and system components.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP1] One or more of the following is/are selected: physical isolation techniques;

logical isolation techniques;
[ODP2] Physical isolation techniques are defined (if selected);
[ODP3] Logical isolation techniques are defined (if selected);
[a] Physical isolation techniques or logical isolation techniques or both are employed in

organizational systems and system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system design documentation; procedures addressing the use of thin

nodes; list of key internal boundaries of the system; security plan; boundary protection

hardware and software; system configuration settings and associated documentation;

enterprise architecture documentation; system architecture; security architecture

documentation; system audit records; system component inventory; list of security tools and

support components to be isolated from other system components; other relevant

documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

system/network administrators; system developers; organizational personnel responsible

for boundary protection].

Test
[SELECT FROM: Mechanisms implementing the boundary protection capability; mechanisms

implementing physical isolation techniques; mechanisms supporting and/or implementing

the isolation of information security tools, mechanisms, and support components;

mechanisms supporting and/or implementing the capability to separate system components

supporting organizational missions and business functions; mechanisms implementing

SC.L3-3.13.4e – isolation

CMMC Assessment Guide – Level 3 | Version 2.13

71

logical isolation techniques; mechanisms supporting or implementing separate network

addresses/different subnets; mechanisms supporting and/or implementing thin nodes].

DISCUSSION [NIST SP 800-172]

A mix of physical and logical isolation techniques (described below) implemented as part of

the system architecture can limit the unauthorized flow of CUI, reduce the system attack

surface, constrain the number of system components that must be secure, and impede the

movement of an adversary. When implemented with a set of managed interfaces, physical

and logical isolation techniques for organizational systems and components can isolate CUI

into separate security domains where additional protections can be implemented. Any

communications across the managed interfaces (i.e., across security domains), including for

management or administrative purposes, constitutes remote access even if the

communications remain within the organization. Separating system components with

boundary protection mechanisms allows for the increased protection of individual

components and more effective control of information flows between those components.

This enhanced protection limits the potential harm from and susceptibility to hostile cyber-

attacks and errors. The degree of isolation can vary depending on the boundary protection

mechanisms selected. Boundary protection mechanisms include routers, gateways, and

firewalls separating system components into physically separate networks or subnetworks;

virtualization and micro-virtualization techniques; encrypting information flows among

system components using distinct encryption keys; cross-domain devices separating

subnetworks; and complete physical separation (i.e., air gaps).
System architectures include logical isolation, partial physical and logical isolation, or

complete physical isolation between subsystems and at system boundaries between

resources that store, process, transmit, or protect CUI and other resources. Examples

include:
•

Logical isolation: Data tagging, digital rights management (DRM), and data loss

prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines or

containers that separate CUI and other information on hosts; and virtual local area

networks (VLAN) that keep CUI and other information separate on networks.

•

Partial physical and logical isolation: Physically or cryptographically isolated networks,

dedicated hardware in data centers, and secure clients that (a) may not directly access

resources outside of the domain (i.e., all applications with cross-enclave connectivity

execute as remote virtual applications hosted in a demilitarized zone [DMZ] or internal

and protected enclave), (b) access via remote virtualized applications or virtual desktop

with no file transfer capability other than with dual authorization, or (c) employ

dedicated client hardware (e.g., a zero or thin client) or hardware approved for multi-

level secure (MLS) usage.

•

Complete physical isolation: Dedicated (not shared) client and server hardware;

physically isolated, stand-alone enclaves for clients and servers; and (a) logically

separate network traffic (e.g., using a VLAN) with end-to-end encryption using Public Key

Infrastructure (PKI)-based cryptography or (b) physical isolation from other networks.

SC.L3-3.13.4e – isolation

CMMC Assessment Guide – Level 3 | Version 2.13

72

Isolation techniques are selected based on a risk management perspective that balances the

threat, the information being protected, and the cost of the options for protection.

Architectural and design decisions are guided and informed by the security requirements

and selected solutions. Organizations consider the trustworthiness of the isolation

techniques employed (e.g., the logical isolation relies on information technology that could

be considered a high value target because of the function being performed), introducing its

own set of vulnerabilities.
[NIST SP 800-160-1] provides guidance on developing trustworthy, secure, and cyber

resilient systems using systems security engineering practices and security design concepts.

FURTHER DISCUSSION

For this requirement, organizations must identify the systems or enclaves that need to be

isolated, then design and implement the isolation. The resulting isolation solutions are

documented or referenced in the SSP. Documentation will be dependent on the design

selected and may include a high-level diagram, but specific details that may change on some

frequency would be omitted. During an assessment, providing details such as subnet and

VLAN implementation identifiers, internal boundary protection hardware and software,

interface device functionality, and system configuration and Access Control List (ACL)

settings will be useful.

Example
You are responsible for information security in your organization, which holds and

processes CUI. You have decided to isolate the systems processing CUI by limiting all

communications in and out that enclave with cross-domain interface devices that implement

access control [a]. Your security team has identified all the systems containing such CUI,

documented network design details, developed network diagrams showing access control

points, documented the logic for the access control enforcement decisions, described the

interface and protocol to the identification and authentication mechanisms, and documented

all details associated with the ACLs, including review, updates, and credential revocation

procedures.

Potential Assessment Considerations
•

Has the organization clearly identified where they use physical, logical, or both isolation

techniques [a]?

•

Can the organization describe the isolation techniques they have employed [a]?

•

Has the organization deployed subnetting, internal firewalls, and VLANs to control

packet flow between internal segments [a]?

•

Does the organization employ metadata to inform isolation techniques [a]?

KEY REFERENCES

•

NIST SP 800-172 3.13.4e

SI.L3-3.14.1e – Integrity Verification

CMMC Assessment Guide – Level 3 | Version 2.13

73

System and Information Integrity (SI)
SI.L3-3.14.1E – INTEGRITY VERIFICATION

Verify the integrity of security critical and essential software using root of trust mechanisms

or cryptographic signatures.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP1] Security critical or essential software is defined;
[a] Root of trust mechanisms or cryptographic signatures are identified; and
[b] The integrity of security critical and essential software is verified using root of trust

mechanisms or cryptographic signatures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: System and information integrity policy; procedures addressing software,

firmware, and information integrity; system design documentation; security plan; system

configuration settings and associated documentation; system component inventory;

integrity verification tools and associated documentation; records of integrity verification

scans; system audit records; cryptographic mechanisms and associated documentation;

records of detected unauthorized changes to software, firmware, and information; other

relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security;

organizational personnel responsible for software, firmware, and/or information integrity;

system developers; system/network administrators].

Test
[SELECT FROM: Software, firmware, and information integrity verification tools;

mechanisms supporting and/or implementing integrity verification of the boot process;

mechanisms supporting and/or implementing protection of the integrity of boot firmware;

cryptographic mechanisms implementing software, firmware, and information integrity;

safeguards implementing protection of the integrity of boot firmware].

SI.L3-3.14.1e – Integrity Verification

CMMC Assessment Guide – Level 3 | Version 2.13

74

DISCUSSION [NIST SP 800-172]

Verifying the integrity of the organization’s security-critical or essential software is an

important capability since corrupted software is the primary attack vector used by

adversaries to undermine or disrupt the proper functioning of organizational systems. There

are many ways to verify software integrity throughout the system development life cycle.

Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible

Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes.

This capability helps system components protect the integrity of boot firmware in

organizational systems by verifying the integrity and authenticity of updates to the firmware

prior to applying changes to the system component and preventing unauthorized processes

from modifying the boot firmware. The employment of cryptographic signatures ensures the

integrity and authenticity of critical and essential software that stores, processes, or

transmits, CUI. Cryptographic signatures include digital signatures and the computation and

application of signed hashes using asymmetric cryptography, protecting the confidentiality

of the key used to generate the hash, and using the public key to verify the hash information.

Hardware roots of trust are considered to be more secure. This requirement supports 3.4.1e

and 3.4.3.e.
[FIPS 140-3] provides security requirements for cryptographic modules. [FIPS 180-4] and

[FIPS 202] provide secure hash standards. [FIPS 186-4] provides a digital signature

standard. [NIST SP 800-147] provides BIOS protection guidance. [NIST TRUST] provides

guidance on the roots of trust project.

FURTHER DISCUSSION

Organizations verify the integrity of security critical and essential software every time that

software is executed. Secure boot mechanisms for firmware and a cryptographically

protected boot chain ensure the integrity of the operating system (OS) and security critical

software, and cryptographic techniques ensure the essential software has not been

tampered with after development prior to execution. If software is itself considered to be

CUI or if it uses CUI, this requirement ensures it has not been compromised.
Software and information integrity verification tools can help check the integrity during the

development process for those organizations developing software. As critical software is

updated, the integrity of any configuration data and the software must result in updated

signatures and an ongoing verification process.
Operating systems include mechanisms to validate digital signatures for installed software.

Most software packages use signatures to prove the integrity of the provided software, and

the organization should leverage these capabilities. Similarly, most hardware appliance

vendors have secure boot checks in place for their devices and built-in features that check

the digital signature of an upgrade/update package before they allow an upgrade to take

place. For locally developed software, the organization should sign the software to ensure its

integrity.

SI.L3-3.14.1e – Integrity Verification

CMMC Assessment Guide – Level 3 | Version 2.13

75

Example 1
You are responsible for information security in your organization. Your security team has

identified the software used to process CUI, and the organization has decided it is mission-

critical software that must be protected. You take three actions. First, you ensure all of the

platform’s configuration information used at boot is hashed and stored in a TPM [a]. Second,

you ensure that the platforms used to execute the software are started with a digitally signed

software chain to a secure boot process using the TPM. Finally, you ensure the essential

applications are cryptographically protected with a digital signature when stored and the

signature is verified prior to execution [b].

Example 2
Your organization has a software security team, and they are required to validate unsigned

essential software provided to systems that do not have TPM modules. The organization has

a policy stating no software can be executed on a system unless its hash value matches that

of a hash stored in the approved software library kept by the software security team [a]. This

action is performed by implementing software restriction policies on systems. The team

tests the software on a sandbox system, and once it is proven safe, they run a hashing

function on the software to create a hash value. This hash value is placed in a software library

so the system will know it can execute the software [b]. Any changes to the software without

the software security team’s approval will result in the software failing the security tests,

and it will be prevented from executing.

Potential Assessment Considerations
•

Does the organization use cryptographic signatures to ensure the integrity and

authenticity of critical and essential software and data [b]?

•

Has the organization identified those devices that require integrity verification of the

boot process [a]?

•

Does the organization use a TPM to store hashes of pre-run time configuration

parameters for those systems [b]?

•

Does the organization leverage the TPM configuration hash to verify the hardware and

software configuration is unchanged in order to determine that a system is trustworthy

before running mission-essential applications [b,c]?

•

Does the organization use the TPM for remote attestation to determine to which extent

information can be trusted from another system [b,c]?

•

Has the organization identified devices requiring organization-defined security

safeguards that must be implemented to protect the integrity of boot firmware [a]?

•

Has the organization defined security safeguards that will be implemented to protect the

integrity of boot firmware in mission-essential devices [a]?

•

Has the organization implemented organization-defined security safeguards to protect

the integrity of boot firmware in organization-defined essential devices [b]?

SI.L3-3.14.1e – Integrity Verification

CMMC Assessment Guide – Level 3 | Version 2.13

76

KEY REFERENCES

•

NIST SP 800-172 3.14.1e

SI.L3-3.14.3e – Specialized Asset Security

CMMC Assessment Guide – Level 3 | Version 2.13

77

SI.L3-3.14.3E – SPECIALIZED ASSET SECURITY

Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems

and test equipment are included in the scope of the specified enhanced security

requirements or are segregated in purpose-specific networks.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[a] Specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test

equipment are included in the scope of the specified enhanced security requirements;

and

[b] Systems and system components that are not included in specialized assets including IoT,

IIoT, OT, GFE, Restricted Information Systems and test equipment are segregated in

purpose-specific networks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: Access control policy; information flow control policies; system and services

acquisition policy; system and communications protection policy; procedures addressing

security function isolation; procedures addressing application partitioning; procedures

addressing security engineering principles used in the specification, design, development,

implementation, and modification of the system; procedures addressing information flow

enforcement; procedures addressing access enforcement; system architecture; system

design documentation; security plan; system component inventory; system configuration

settings and associated documentation; system baseline configuration; list of security

functions to be isolated from non-security functions; system audit records; security

requirements and specifications for the system; list of approved authorizations (user

privileges); list of information flow authorizations; other relevant documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for access enforcement;

system/network administrators; organizational personnel responsible for information

security; system developers; system integrators; organizational personnel responsible for

acquisition/contracting; organizational personnel responsible for determining system

security requirements; system security architects; enterprise architects; organizational

personnel responsible for system specification, design, development, implementation, and

modification].

Test
[SELECT FROM: Mechanisms implementing the access control policy; mechanisms

implementing the information flow enforcement policy; mechanisms supporting the

SI.L3-3.14.3e – Specialized Asset Security

CMMC Assessment Guide – Level 3 | Version 2.13

78

application of security engineering principles in system specification, design, development,

implementation, and modification].

DISCUSSION [NIST SP 800-172]

Organizations may have a variety of systems and system components in their inventory,

including Information Technology (IT), Internet of Things (IoT), Operational Technology

(OT), and Industrial Internet of Things (IIoT). The convergence of IT, OT, IoT, and IIoT

significantly increases the attack surface of organizations and provides attack vectors that

are challenging to address. Compromised IoT, OT, and IIoT system components can serve as

launching points for attacks on organizational IT systems that handle CUI. Some IoT, OT, and

IIoT system components can store, transmit, or process CUI (e.g., specifications or

parameters for objects manufactured in support of critical programs). Most of the current

generation of IoT, OT, and IIoT system components are not designed with security as a

foundational property and may not be able to be configured to support security functionality.

Connections to and from such system components are generally not encrypted, do not

provide the necessary authentication, are not monitored, and are not logged. Therefore,

these components pose a significant cyber threat. Gaps in IoT, OT, and IIoT security

capabilities may be addressed by employing intermediary system components that can

provide encryption, authentication, security scanning, and logging capabilities—thus,

preventing the components from being accessible from the Internet. However, such

mitigation options are not always available or practicable. The situation is further

complicated because some of the IoT, OT, and IIoT devices may be needed for essential

missions and business functions. In those instances, it is necessary for such devices to be

isolated from the Internet to reduce the susceptibility to cyber-attacks.
[NIST SP 800-160-1] provides guidance on security engineering practices and security

design concepts.

FURTHER DISCUSSION

Specialized Assets are addressed in the scoping guidance, which should be overlaid on this

requirement. The OSC must document Specialized Assets in the asset inventory; develop,

document, and periodically update system security plans; and include Specialized Assets in

the network diagram. The Specialized Asset section of the SSP should describe associated

system boundaries, system environments of operation, how security requirements are

implemented, and the relationships with or connections to other systems.
Specialized Assets within the Level 3 CMMC assessment scope must be either assessed

against all CMMC security requirements or separated into purpose-specific networks.

Specialized Assets may have limitations on the application of certain security requirements.

To accommodate such issues, the SSP should describe any mitigations.
Intermediary devices are permitted to mitigate an inability for the asset itself to implement

one or more CMMC requirements. An example of an intermediary device used in conjunction

with a specialized asset is a boundary device or a proxy.
The high-level list of Specialized Assets includes:

SI.L3-3.14.3e – Specialized Asset Security

CMMC Assessment Guide – Level 3 | Version 2.13

79

•

Government Furnished Equipment;

•

IoT and IIoT devices (physical or virtual) with sensing/actuation capability and

programmability features;

•

OT used in manufacturing systems, industrial control systems (ICS), or supervisory

control and data acquisition (SCADA) systems;

•

Restricted Information Systems, which can include systems and IT components that are

configured based on government requirements; and

•

Test equipment.

Example
You are responsible for information security in your organization, which processes CUI on

the network, and this same network includes GFE for which the configuration is mandated

by the government. The GFE is needed to process CUI information [a]. Because the company

cannot manage the configuration of the GFE, it has been augmented by placing a bastion host

between it and the network. The bastion host meets the requirements that the GFE cannot,

and is used to send CUI files to and from the GFE for processing. You and your security team

document in the SSP all of the GFE to include GFE connectivity diagrams, a description of the

isolation mechanism, and a description of how your organization manages risk associated

with that GFE [a].

Potential Assessment Considerations
•

Has the organization documented all specialized assets in asset inventory [a]?

•

Has the organization documented all specialized assets in the SSP to show how risk is

managed [b]?

•

Has the organization provided a network diagram for specialized assets [a,b]?

KEY REFERENCES

•

NIST SP 800-172 3.14.3e

SI.L3-3.14.6e – Threat-Guided Intrusion Detection

CMMC Assessment Guide – Level 3 | Version 2.13

80

SI.L3-3.14.6E – THREAT-GUIDED INTRUSION DETECTION

Use threat indicator information and effective mitigations obtained from, at a minimum,

open or commercial sources, and any DoD-provided sources, to guide and inform intrusion

detection and threat hunting.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:
[ODP1] External organizations from which to obtain threat indicator information and

effective mitigations are defined;
[a] Threat indicator information is identified;
[b] Effective mitigations are identified;
[c] Intrusion detection approaches are identified;
[d] Threat hunting activities are identified; and
[e] Threat indicator information and effective mitigations obtained from, at a minimum,

open or commercial sources and any DoD-provided sources, are used to guide and inform

intrusion detection and threat hunting.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine
[SELECT FROM: System and information integrity policy; information security program plan;

procedures addressing security alerts, advisories, and directives; threat awareness program

documentation; procedures addressing system monitoring; procedures for the threat

awareness program; risk assessment results relevant to threat awareness; records of

security alerts and advisories; system design documentation; security plan; system

monitoring tools and techniques documentation; system configuration settings and

associated documentation; system monitoring logs or records; system audit records;

documentation on the cross-organization information-sharing capability; other relevant

documents or records].

Interview
[SELECT FROM: Organizational personnel responsible for information security program

planning and plan implementation; system/network administrators; organizational

personnel responsible for the threat awareness program; organizational personnel

responsible for the cross-organization information-sharing capability; organizational

personnel responsible for information security; organizational personnel responsible for

installing, configuring, and/or maintaining the system; organizational personnel security

alerts and advisories; organizational personnel responsible for implementing, operating,

maintaining, and using the system; organizational personnel, organizational elements,

and/or external organizations to whom alerts, advisories, and directives are to be

SI.L3-3.14.6e – Threat-Guided Intrusion Detection

CMMC Assessment Guide – Level 3 | Version 2.13

81

disseminated; personnel with whom threat awareness information is shared by the

organization; system developers].

Test
[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness

program; mechanisms supporting and/or implementing the cross-organization information-

sharing capability; mechanisms supporting and/or implementing the system monitoring

capability; mechanisms supporting and/or implementing the definition, receipt, generation,

and dissemination of security alerts, advisories, and directives; mechanisms supporting

and/or implementing security directives; mechanisms supporting and/or implementing

threat hunting; mechanisms supporting and/or implementing intrusion detection;

mechanisms supporting and/or implementing the discovery, collection, distribution, and use

of indicators of compromise].

DISCUSSION [NIST SP 800-172]

Threat information related to specific threat events (e.g., TTPs, targets) that organizations

have experienced, threat mitigations that organizations have found to be effective against

certain types of threats, and threat intelligence (i.e., indications and warnings about threats

that can occur) are sourced from and shared with trusted organizations. This threat

information can be used by organizational Security Operations Centers (SOC) and

incorporated into monitoring capabilities. Threat information sharing includes threat

indicators, signatures, and adversary TTPs from organizations participating in threat-

sharing consortia, government-commercial cooperatives, and government-government

cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified

indicators, based on classified information but which can be readily incorporated into

organizational intrusion detection systems, are available to qualified nonfederal

organizations from government sources.

FURTHER DISCUSSION

One way to effectively leverage threat indicator information is to access human- or machine-

readable threat intelligence feeds. Effectiveness may also require the organization to create

TTPs in support of operational requirements, which will typically include defensive cyber

tools supporting incident detection, alerts, incident response, and threat hunting. It is

possible that this requirement will be implemented by a third-party managed service

provider, and in that case, it will be necessary to carefully define the boundary and

responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also

important that the OSC validate threat indicator integration into the defensive cyber toolset

by being able to (1) implement mitigations for sample industry relevant indicators of

compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across

sample endpoints, and (3) identify sample indicators of compromise using analytical

processes on a system data repository.

SI.L3-3.14.6e – Threat-Guided Intrusion Detection

CMMC Assessment Guide – Level 3 | Version 2.13

82

Example
You are responsible for information security in your organization. You have maintained an

effective intrusion detection capability for some time, but now you decide to introduce a

threat hunting capability informed by internal and external threat intelligence [a,c,d,e]. You

install a SIEM system that leverages threat information to provide functionality to:
•

analyze logs, data sources, and alerts;

•

query data to identify anomalies;

•

identify variations from baseline threat levels;

•

provide machine learning capabilities associated with the correlation of anomalous data

characteristics across the enterprise; and

•

categorize data sets based on expected data values.

Your team also manages an internal mitigation plan (playbook) for all known threats for your

environment. This playbook is used to implement effective mitigation strategies across the

environment [b]. Some of the mitigation strategies are developed by team members, and

others are obtained by threat feed services.

Potential Assessment Considerations
•

Which external sources has the organization identified as threat information sources [a]?

•

Does the organization understand the TTPs of key attackers [c,d]?

•

Does the organization deploy threat indicators to EDR systems, network intrusion

detection systems, or both [c,d,e]?

•

What actions does the organization implement when a threat alert/indicator is signaled

[c,d,e]?

•

Does the organization use internal threat capabilities within their existing security tools

[e]?

•

How does the organization respond to a third-party notification of a threat indicator [e]?

KEY REFERENCES

•

NIST SP 800-172 3.14.6e

Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 3 | Version 2.13

83

Appendix A – Acronyms and Abbreviations

AC

Access Control

ACL

Access Control List

ACM

Automated Configuration Management

ACMS

Automated Configuration Management System

APT

Advanced Persistent Threat

AT

Awareness and Training

C3PAO

CMMC Third-Party Assessment Organization

CA

Certification Authority

CA

Security Assessment

CERT

Computer Emergency Response Team

CFR

Code of Federal Regulations

CIO

Chief Information Officer

CIRT

Computer Incident Response Team; Cyber Incident Response Team

CISO

Chief Information Security Officer

CM

Configuration Management

CMMC

Cybersecurity Maturity Model Certification

CUI

Controlled Unclassified Information

DCSA

Defense Counterintelligence and Security Agency

DFARS

Defense Federal Acquisition Regulation Supplement

DIB

Defense Industrial Base

DLP

Data Loss Prevention

DMZ

Demilitarized Zone

DoD

Department of Defense

DRM

Digital Rights Management

ESP

External Service Provider

FIPS

Federal Information Processing Standard

GFE

Government Furnished Equipment

GPO

Group Policy Object

HR

Human Resources

IA

Identification and Authentication

ICS

Industrial Control System

IIoT

Industrial Internet of Things

IOC

Indicators of Compromise

IoT

Internet of Things

IP

Internet Protocol

IR

Incident Response

ISAC

Information Sharing and Analysis Center

Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 3 | Version 2.13

84

ISAO

Information Sharing and Analysis Organization

IT

Information Technology

MLS

Multi-Level Secure

N/A

Not Applicable

NAC

Network Access Control

NIST

National Institute of Standards and Technology

ODP

Organization-Defined Parameters

OS

Operating System

OT

Operational Technology

PKI

Public Key Infrastructure

PS

Personnel Security

RA

Risk Assessment

SC

System and Communications Protection

SCADA

Supervisory Control and Data Acquisition

SCRM

Supply Chain Risk Management

SI

System and Information Integrity

SIEM

Security Information and Event Management

SOAR

Security Orchestration, Automation, and Response

SOC

Security Operations Center

SP

Special Publication

SSP

System Security Plan

TEE

Trusted Execution Environment

TLS

Transport Layer Security

TPM

Trusted Platform Module

TTP

Tactics, Techniques, and Procedures

UEFI

Unified Extensible Firmware Interface

USB

Universal Serial Bus

VLAN

Virtual Local Area Network

VPN

Virtual Private Network

XDR

Extended Detection and Response

Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 3 | Version 2.13

85

This page intentionally left blank.

Document Outline

Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL3v2.pdf

↑ NIST SP800-172A, March 2022
↑ Note that an OSC ought to be mindful of their full Level 3 scoping in their request for a Level 2 assessment.
↑ NIST SP 800-53 Rev. 5, p. 402
↑ NIST SP 800-171A, June 2018, p. v
↑ NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)
↑ NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55
↑ The organization defining the parameters is the DoD.

[1] NIST SP800-172A, March 2022

[2] Note that an OSC ought to be mindful of their full Level 3 scoping in their request for a Level 2 assessment.

[3] NIST SP 800-53 Rev. 5, p. 402

[4] NIST SP 800-171A, June 2018, p. v

[5] NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)

[6] NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55

[7] The organization defining the parameters is the DoD.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Level 3 Assessment Guide: Difference between revisions

Revision as of 03:53, 24 March 2025

Contents

NOTICES

Introduction

Level 3 Description

Purpose and Audience

Document Organization

Assessment and Certification

Assessment Scope

CMMC-Custom Terms

Assessment Criteria and Methodology

Criteria

Methodology

Who Is Interviewed

What Is Examined

What Is Tested

Assessment Findings

Requirement Descriptions

Access Control (AC)

Document Outline

Navigation menu

@@ Line 1: / Line 1: @@
-'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Resources-Documentation/ CMMC Level 3 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''
+'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Resources-Documentation/ CMMC Level 3 Assessment Guide Version 2.13, September 2024] from the Department of Defense Chief Information Officer (DoD CIO).'''
 For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
@@ Line 9: / Line 9: @@
 == Introduction ==
-This document provides guidance in the preparation for and conduct of a Level 3 certification assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in section 170.18 of title 32, Code of Federal Regulations (CFR). Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in ''CMMC Assessment Guide  –  Level 1''. Guidance for conducting both a Level 2 self-assessment and Level 2 certification assessment, can be found in ''CMMC Assessment Guide – Level 2''. More details on the model can be found in the ''CMMC Model Overview'' document.
+This document provides guidance in the preparation for and conduct of a Level 3 certification assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in section 170.18 of title 32, Code of Federal Regulations (CFR). Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in ''CMMC Assessment Guide – Level 1''. Guidance for conducting both a Level 2 self-assessment and Level 2 certification assessment, can be found in ''CMMC Assessment Guide – Level 2''. More details on the model can be found in the ''CMMC Model Overview'' document.
-An ''Assessment'' as defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system, or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18''. A ''Level 3  certification  assessment'' as defined in 32 CFR § 170.4  is ''the activity performed by the Department of Defense (DoD) to evaluate the CMMC level of an Organization Seeking Certification (OSC)''. For Level 3, assessments are conducted exclusively by the DCMA DIBCAC.
+An ''Assessment'' as defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system, or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18''. A ''Level 3 certification assessment'' as defined in 32 CFR § 170.4 is ''the activity performed by the Department of Defense (DoD) to evaluate the CMMC level of an Organization Seeking Certification (OSC)''. For Level 3, assessments are conducted exclusively by the DCMA DIBCAC.
 An OSC seeking a Level 3 certification assessment must have first achieved a CMMC Status of Final Level 2 (C3PAO), as set forth in 32 CFR § 170.18(a), for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR § 170.14(c)(4). This is followed by the Level 3 certification assessment conducted by the DCMA DIBCAC.
-OSCs  may also use this guide to perform Level  3  self-assessments  (for example, in
+OSCs may also use this guide to perform Level 3 self-assessments (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a Level 3 certification assessment. Only the results from an assessment by DCMA DIBCAC are considered for award of the CMMC Statuses Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC). Level 3 reporting and affirmation requirements can be found in 32 CFR § 170.18 and 32 CFR § 170.22.
-preparation for an annual affirmation); however, they are not eligible to submit results from
+=== Level 3 Description ===
+Level 3 consists of selected security requirements derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172, ''Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171'', with DoD-approved parameters where applicable. Level 3 only applies to systems that have already achieved a Final Level 2 (C3PAO) CMMC Status. Level 2 consists of the security requirements specified in NIST SP 800-171, ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''.
-a self-assessment in support of a Level 3 certification assessment. Only the results from an
+Like Level 2, Level 3 addresses the protection of Controlled Unclassified Information (CUI), as defined in 32 CFR § 2002.4(h):
-assessment by DCMA DIBCAC are considered for award of the CMMC Statuses Conditional
+: ''Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.''
-Level 3 (DIBCAC) or Final Level 3 (DIBCAC). Level 3 reporting and affirmation requirements
+Level 3 provides additional protections against advanced persistent threats (APTs), and increased assurance to the DoD that an OSC can adequately protect CUI at a level commensurate with the adversarial risk, to include protecting information flow with the government and with subcontractors in a multitier supply chain.
-can be found in 32 CFR § 170.18 and 32 CFR § 170.22.
+=== Purpose and Audience ===
+This guide is intended for assessors, OSCs, cybersecurity professionals, and individuals and companies that support CMMC efforts. This document can be used as part of preparation for and conducting a Level 3 certification assessment.
-Level 3 Description
+=== Document Organization ===
+This document is organized into the following sections:
+* '''Assessment and Certification:''' provides an overview of the Level 3 assessment processes set forth in 32 CFR § 170.18. It provides guidance regarding the scope requirements set forth in 32 CFR § 170.19(d).
+* '''CMMC-Custom Terms:''' incorporates definitions from 32 CFR § 170.4, definitions included by reference from 32 CFR § 170.2, and provides clarification of the intent and scope of specific terms as used in the context of CMMC.
+* '''Assessment Criteria and Methodology:''' provides guidance on the criteria and methodology (i.e., ''interview'', ''examine'', and ''test'') to be employed during a Level 3 assessment, as well as on assessment findings.
+* '''Requirement Descriptions:''' Provides guidance specific to each Level 3 security requirement.
-Level  3  consists of selected  security requirements derived from  National Institute of
+== Assessment and Certification ==
+The DCMA DIBCAC will use the assessment methods defined in NIST SP 800-172A<ref>NIST SP800-172A, March 2022</ref>, ''Assessing Enhanced Security Requirements for Controlled Unclassified Information'', along with the supplemental information in this guide to conduct Level 3 certification assessments. Assessors will review information and evidence to verify that an OSC meets the stated assessment objectives for all of the requirements.
-Standards and Technology (NIST) Special Publication (SP) 800-172,  ''Enhanced Security ''
+An OSC can obtain a Level 3 certification assessment for an entire enterprise network or for specific enclave(s), depending on how the CMMC Assessment Scope is defined in accordance with 32 CFR § 170.19(d).
-''Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST ''
+=== Assessment Scope ===
+Prior to conducting a CMMC Level 3 certification assessment, the Level 3 CMMC Assessment Scope must be defined as addressed in 32 CFR § 170.19(d) and the ''CMMC Scoping Guide – Level 3'' document<ref>Note that an OSC ought to be mindful of their full Level 3 scoping in their request for a Level 2 assessment.</ref>. The CMMC Assessment Scope informs which assets within the OSC’s environment will be assessed and the details of the assessment. The OSC must have achieved a CMMC Status of Final Level 2 (C3PAO) of all systems included within the Level 3 CMMC Assessment Scope prior to requesting the Level 3 assessment, as set forth in 32 CFR § 170.18.
-''Special Publication 800-171'', with DoD-approved parameters where applicable. Level 3 only
+The Level 3 assessment scoping is based on the requirements defined in 32 CFR § 170.19(d) and supported by the ''CMMC Scoping Guide – Level 3 ''document. The ''CMMC Scoping Guide – Level 3'' document is available on the official CMMC documentation site at https://dodcio.defense.gov/CMMC/Documentation/. If a Final Level 2 (C3PAO) CMMC Status has not already been achieved for the desired CMMC Assessment Scope, the OSC may not proceed with the Level 3 assessment.
-applies to systems that have already achieved a Final Level 2 (C3PAO) CMMC Status. Level 2
+== CMMC-Custom Terms ==
+The CMMC Program has custom terms that align with program requirements. Although some terms may have other definitions in open forums, it is important to understand these terms as they apply to the CMMC Program.
-consists of the security requirements specified in NIST SP 800-171, ''Protecting Controlled ''
+The custom terms associated with Level 3 are:
+* '''Assessment:''' As defined 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization defined in 32 CFR § 170.15 to 32 CFR § 170.18.
+** Level 3 certification assessment is the term for the activity performed by the DCMA DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of Level 3 (DIBCAC).
+** POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&amp;M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
+* '''Assessment Objective:''' Means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
+* '''Asset:''' Means an item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns. Understanding ''assets'' is critical to identifying the ''CMMC Assessment Scope''; for more information see ''CMMC Scoping Guide – Level 3''.
+* '''CMMC Assessment Scope:''' As defined in 32 CFR § 170.4 means the set of all ''assets'' in the OSC’s environment that will be assessed against CMMC security requirements.
+* '''CMMC Status:''' The result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally presented on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
+** '''Conditional Level 3 (DIBCAC):''' Defined in 32 CFR § 170.18(a)(1)(ii). The OSC will achieve CMMC Status of Conditional Level 3 (DIBCAC) if a POA&amp;M exists upon completion of the assessment and the POA&amp;M meets all Level 3 POA&amp;M requirements listed in 32 CFR § 170.21(a)(3).
+** '''Final Level 3 (DIBCAC):''' Defined in 32 CFR § 170.18(a)(1)(iii). The OSC will achieve Final Level 3 (DIBCAC) CMMC Status for the information systems within the CMMC Assessment Scope upon implementation of all security requirements and, if applicable a POA&amp;M closeout assessment within 180 days. Additional guidance can be found in 32 CFR §170.21.
+* '''Enduring Exception:''' As defined 32 CFR § 170.4 means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and Government Furnished Equipment (GFE) may be Enduring Exceptions.
+* '''Event:''' Any observable occurrence in a system<ref>NIST SP 800-53 Rev. 5, p. 402</ref>. As described in NIST SP 800-171A<ref>NIST SP 800-171A, June 2018, p. v</ref>, the terms “information system” and “system” can be used interchangeably. ''Events'' sometimes provide indication that an ''incident'' is occurring.
+* '''Incident:''' An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.<ref>NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)</ref>
+* '''Monitoring:''' The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an ''organization-defined'' frequency and rate.<ref>NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55</ref>
+* '''Operational plan of action:''' As used in security requirement CA.L2-3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements and documents how and when they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action is not the same as a POA&amp;M associated with an assessment.
+* '''Organization-defined:''' As determined by the OSC being assessed except as defined in the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of a OSC’s solution.
+* '''Organization-Defined Parameters (ODPs):''' Selected enhanced security requirements contain selection and assignment operations to give organizations<ref>The organization defining the parameters is the DoD.</ref> flexibility in defining variable parts of those requirements, as defined in NIST SP 800-172A. ODPs are used in NIST SP 800-172 and NIST SP 800-172A to allow Federal agencies, in this case the DoD, to customize security requirements. Once specified, the values for the assignment and selection operations become part of the requirement and objectives, where applicable.
+: The assignments and selections chosen for Level 3 are underlined in the requirement statement and objectives. In some cases, further specificity of the assignment or selection will need to be made by the OSC. In those cases, the term and abbreviation ODPs is used in the assessment objectives to denote where additional definition is required.
+* '''Periodically:''' Means occurring at a regular interval as determined by the OSA that may not exceed one year. As used in many requirements within CMMC, the interval length is ''organization-defined'' to provide OSC flexibility, with an interval length of no more than one year.
+* '''Security Protection Data:''' As defined 32 CFR § 170.4 means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. Security Protection Data is security relevant information and includes, but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
+* '''System Security Plan (SSP):''' Means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.
+* '''Temporary deficiency:''' As defined 32 CFR § 170.4 means a condition where remediation of a discovered deficiency is feasible and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency.
-''Unclassified Information in Nonfederal Systems and Organizations''.
+== Assessment Criteria and Methodology ==
+The ''CMMC Assessment Guide – Level 3'' leverages the assessment procedure described in NIST SP 800-172A Section 2.1:
+: ''An assessment procedure consists of an assessment objective and a set of potential assessment methods and objects that can be used to conduct the assessment. Each assessment objective includes a set of determination statements related to the CUI enhanced security requirement that is the subject of the assessment. Organization-defined parameters (ODP) that are part of selected enhanced security requirements are included in the initial determination statements for the assessment procedure. ODPs are included since the specified parameter values are used in subsequent determination statements. ODPs are numbered sequentially and noted in bold italics.
+: Determination statements reflect the content of the enhanced security requirements to ensure traceability of the assessment results to the requirements. The application of an assessment procedure to an enhanced security requirement produces assessment findings. The findings are used to determine if the enhanced security requirement has been satisfied.
+: Assessment objects are associated with the specific items being assessed. These objects can include specifications, mechanisms, activities, and individuals.''
+: * ''Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.''
+: * ''Mechanisms are the specific hardware, software, or firmware safeguards employed within a system.''
+: * ''Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).''
+: * ''Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.''
+: ''Assessment methods define the nature and the extent of the assessor’s actions. The methods include examine, interview, and test.''
+: * ''The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities).''
+: * ''The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.''
+: * ''The test method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.''
+: ''The purpose of the assessment methods is to facilitate understanding, achieve clarification, and obtain evidence. The results obtained from applying the methods are used for making the specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.''
+=== Criteria ===
+Assessment objectives are provided for each requirement and are based on existing criteria from NIST SP 800-172A. The criteria are authoritative and provide a basis for the assessor to conduct an assessment of a requirement.
+=== Methodology ===
+During the CMMC certification assessment, the assessor will verify and validate that the OSC has met the requirements. Because an OSC can meet the assessment objectives in different ways (e.g., through documentation, computer configuration, network configuration, or training), the assessor may use a variety of techniques, including one or more of the three assessment methods described above from NIST SP 800-172A, to determine if the OSC meets the intent of the requirements.
+The assessor will follow the guidance in NIST SP 800-172A when determining which assessment methods to use:
+: ''Organizations [DoD] are not expected to use all of the assessment methods and objects contained within the assessment procedures identified in this publication. Rather, organizations have the flexibility to establish the level of effort needed and the assurance required for an assessment (e.g., which assessment methods and objects are deemed to be the most useful in obtaining the desired results). The decision on level of effort is made based on how the organization can accomplish the assessment objectives in the most cost-effective and efficient manner and with sufficient confidence to support the determination that the CUI enhanced security requirements have been satisfied.''
+The primary deliverable of an assessment is a compliance score and accompanying report that contains the findings associated with each requirement. For more detailed information on assessment methods, see Appendix C of NIST SP 800-172A.
+Figure 1 illustrates an example of an assessment procedure for requirement AC.L3-3.1.3e.
-Introduction
+=== Who Is Interviewed ===
+The assessor has discussions with OSC staff to understand if a requirement has been addressed. Interviews with applicable staff (possibly at different organizational levels) determine if CMMC security requirements are implemented and if adequate resourcing, training, and planning have occurred for individuals to perform the requirements.
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+=== What Is Examined ===
+Examination includes reviewing, inspecting, observing, studying, or analyzing assessment objects. The objects can be documents, mechanisms, or activities. The primary focus will be to examine through demonstrations during interviews.
+For some requirements, the assessor reviews documentation to determine if assessment objectives are met. Interviews with OSC staff may identify the documents uses. Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible to be submitted as evidence because they are not yet official and are still subject to change.
-''' '''
+Common types of documents that can be used as evidence include: <br />
+* policy, process, and procedure documents;
+* training materials;
+* plans and planning documents; and
+* system-level, network, and data flow diagrams.
-Like Level 2, Level 3 addresses the protection of Controlled Unclassified Information (CUI), as
+This list of documents is not exhaustive or prescriptive. An OSC may not have these specific documents, and other documents may be used to provide evidence of compliance.
-defined in 32 CFR § 2002.4(h):
+In other cases, the requirement is best assessed by observing that safeguards are in place by viewing hardware or associated configuration information or observe staff exercising a process.
-''Information the Government creates or possesses, or that an entity creates or ''
+=== What Is Tested ===
+Testing is an important part of the assessment process. Interviews tell the assessor what the OSC staff believe to be true, documentation provides evidence of intent, and testing demonstrates what has or has not been done and is the preferred assessment method when possible. For example, staff may talk about how users are identified and documentation may provide details on how users are identified, but seeing a demonstration of user identification provides evidence that the requirement is met. The assessor will determine which requirements or objectives within a requirement need demonstration or testing. Most objectives will require testing.
-''possesses for or on behalf of the Government, that a law, regulation, or ''
+=== Assessment Findings ===
+The assessment of a CMMC security requirement results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve CMMC Status of Final Level 3 (DIBCAC) as described in 32 CFR § 170.18, the OSC will need a finding of MET or NOT APPLICABLE on all Level 3 security requirements.
-''Government-wide policy requires or permits an agency to handle using ''
+* '''MET:''' All applicable assessment objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and a not draft. Unacceptable forms of evidence include working papers, drafts, and unofficial or unapproved policies. For each security requirement marked MET, it is best practice to record statements that indicate the response conforms to all objectives and document the appropriate evidence to support the response.
+** Enduring Exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
+** Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews, milestones, and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
+* '''NOT MET:''' One or more objectives for the security requirement is not satisfied. During a Level 3 certification assessment, for each requirement objective marked NOT MET, the assessor will document why the evidence provided by the OSC does not conform.
+* '''NOT APPLICABLE (N/A):''' A security requirement and/or objective does not apply at the time of the assessment. For example, SI.L3-3.14.3e might be N/A if there are no Internet of Things (IoT), Industrial Internet of Things (IIoT), Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, or test equipment included in the Level 3 CMMC Assessment Scope.
-''safeguarding or dissemination controls. However, CUI does not include classified ''
+If an OSC previously received a favorable adjudication from the DoD CIO indicating that a requirement is not applicable or that an alternative security measure is equally effective, the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. Implemented security measures adjudicated by the DoD CIO as equally effective are assessed as MET if there have been no changes in the environment.
-''information (see paragraph (e) of this section) or information a non-executive ''
+Each assessment objective in NIST SP 800-171A and NIST SP 800-172A must yield a finding of MET or NOT APPLICABLE in order for the overall security requirement to be scored as MET. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.
-''branch entity possesses and maintains in its own systems that did not come from, ''
+CMMC certification assessments are conducted and results are captured at the assessment objective level. One NOT MET assessment objective results in a failure of the entire security requirement.
-''or was not created or possessed by or for, an executive branch agency or an entity ''
+A security requirement can be applicable even when assessment objectives included in the security requirements are scored as N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET.
-''acting for an agency. Law, regulation, or Government-wide policy may require ''
+Satisfaction of security requirements may be accomplished by other parts of the enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security requirement is considered MET if adequate evidence is provided that the enterprise or ESP, implements the requirement objectives. An ESP may be external people, technology, or facilities that the OSC uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers.
-''or permit safeguarding or dissemination controls in three ways: Requiring or ''
+== Requirement Descriptions ==
+This section provides detailed information and guidance for assessing each Level 3 security requirement. The section is organized first by domain and then by individual security requirement. Each security requirement description contains the following elements as described in 32 CFR § 170.14(c):
+* '''Requirement Number, Name, and Statement:''' Headed by the requirement identification number in the format DD.L#-REQ (e.g., AC.L3-3.1.2e); followed by the requirement short name identifier, meant to be used for quick reference only; and finally followed by the complete CMMC security requirement statement. In the case where the original NIST SP 800-172 requirement requires an assignment and/or selection statement, the Level 3 assignment (and any necessary selection) text is emphasized using underlining. See Section 2.2 in NIST SP 800-172 for the discussion on assignments and selections.
+* '''Assessment Objectives [NIST SP 800-172A]:''' Identifies the specific list of objectives that must be met to receive MET for the requirement as defined in NIST SP 800-172A and includes the Level 3 assignment/selection text (as appropriate). In cases where a Level 3 assignment fully satisfies the definition(s) required in an organization-defined parameter (ODP) in NIST SP 800-172A, the ODP statement is not included as an objective, since that objective has been met by the assignment itself. However, when the assignment does not fully contain all required aspects of a NIST SP 800-172A ODP, the ODP is included as its own objective, using the original NIST SP 800-172A ODP number (e.g., “[ODP4]”). See the breakout box ''ORGANIZATION-DEFINED PARAMETERS'' in Section 2.1 of NIST SP 800-172A for additional details on an ODP. In all cases where an assignment is used within an objective, it also emphasized using underlining.
+* '''Potential Assessment Methods and Objects [NIST SP 800-172A]:''' Defines the nature and extent of the assessor’s actions. Potential assessment methods and objects are as defined in NIST SP 800-172A. The methods include ''examine'', ''interview'', and ''test''. Assessment objects identify the items being assessed and can include specifications, mechanisms, activities, and individuals.
+* '''Discussion [NIST SP 800-172]:''' Contains discussion from the associated NIST SP 800-172 security requirement.
+* '''Further Discussion:'''
+** Expands upon the NIST content to provide supplemental information on the requirement intent.
+** Contains examples illustrating how the OSC might apply the requirement. These examples provide insight but are not intended to be prescriptive of how the requirement must be implemented, nor comprehensive of all assessment objectives necessary to achieve the requirement. The assessment objectives met within the example are referenced by letter in brackets (e.g., [a,d] for objectives “a” and “d”) within the text. Note that some of the examples contain company names; all company names used in this document are fictitious.
+** Provides potential assessment considerations. These may include common considerations for assessing the requirement and potential questions the assessor may ask when assessing the objectives.
+* '''Key References:''' Lists the security requirement from NIST SP 800-172.
-''permitting agencies to control or protect the information but providing no ''
+== Access Control (AC) ==
-''specific controls, which makes the information CUI Basic; requiring or ''
+'''AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS '''
-''permitting agencies to control or protect the information and providing specific ''
+Restrict access to systems and system components to only those information resources that
-''controls for doing so, which makes the information CUI Specified; or requiring or ''
+are owned, provisioned, or issued by the organization.
-''permitting agencies to control the information and specifying only some of those ''
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-''controls, which makes the information CUI Specified, but with CUI Basic controls ''
+Determine if: <br />
+[a] Information resources that are owned, provisioned, or issued by the organization are
-''where the authority does not specify. ''
+identified; and
-Level  3  provides  additional protections against advanced persistent threats  (APTs),  and
+[b] Access to systems and system components is restricted to only those information
-increased  assurance  to the DoD that an  OSC  can adequately protect CUI at a level
+resources that are owned, provisioned, or issued by the organization.
-commensurate with the adversarial risk, to include protecting information flow with the
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-government and with subcontractors in a multitier supply chain.
+'''Examine <br />
+'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
-Purpose and Audience
+list of information resources owned, provisioned, or issued by the organization; security
-This guide is intended for assessors, OSCs, cybersecurity professionals, and individuals and
+plan; system design documentation; system configuration settings and associated
-companies that support CMMC efforts. This document can be used as part of preparation for
+documentation; system connection or processing agreements; system audit records; account
-and conducting a Level 3 certification assessment.
+management documents; other relevant documents or records].
-Document Organization
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use
-This document is organized into the following sections: <br />
+of non-organizationally owned systems, system components, or devices; system and
-•
-  '''Assessment and Certification:''  '''''provides an overview of the Level 3  assessment
+network administrators; organizational personnel responsible for system security].
-processes  set forth in 32 CFR § 170.18.  It provides guidance regarding  the scope
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally
-requirements set forth in 32 CFR § 170.19(d).
+owned systems, components, or devices].
-•
+'''DISCUSSION [NIST SP 800-172] '''
-  '''CMMC-Custom Terms:'''  incorporates definitions from 32 CFR  §  170.4, definitions
+Information resources that are not owned, provisioned, or issued by the organization include
-included by reference from 32 CFR § 170.2, and provides clarification of the intent and
+systems or system components owned by other organizations and personally owned
-scope of specific terms as used in the context of CMMC.
+devices. Non-organizational information resources present significant risks to the
-•
+organization and complicate the ability to employ a “comply-to-connect” policy or
-  '''Assessment Criteria and Methodology:  '''provides guidance on the criteria and
+implement component or device attestation techniques to ensure the integrity of the
-methodology (i.e., ''interview'',  ''examine'', and ''test'')  to be employed  during a Level 3
+organizational system.
-assessment, as well as on assessment findings.
@@ Line 148: / Line 222: @@
-Introduction
+AC.L3-3.1.2e – Organizationally Controlled Assets
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-•
+'''FURTHER DISCUSSION '''
-  '''Requirement Descriptions: '''Provides  guidance  specific to  each  Level  3  security
+Implementing this requirement ensures that an organization has control over the systems
-requirement.
+that can connect to organizational assets. This control will allow more effective and efficient
+application of security policy. The terms “has control over” provides policy for systems that
+are not owned outright by the organization. Control includes policies, regulations or
+standards that are enforced on the resource accessing contractor systems. Control may also
+be exercised through contracts or agreements with the external party. Provisioned includes
+setting configuration, whether through direct technical means or by policy or agreement. For
+purposes of this requirement, GFE can be considered provisioned by the OSA.
+'''Example 1 <br />
+'''You are the chief network architect for your company. Company policy states that all
+company-owned assets must be separated from all non-company-owned (i.e., guest or
-Assessment and Certification
+employee) assets. You decide the best way forward is to modify the corporate wired and
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+wireless networks to only allow company-owned devices to connect [b]. All other devices
+are connected to a second (untrusted) network that non-corporate devices may use to access
-''' '''
+the internet. The two environments are physically separated and are not allowed to be
-Assessment and Certification <br />
+connected. You also decide to limit the virtual private network (VPN) services of the
-The DCMA DIBCAC will use the assessment methods defined in NIST SP 800-172A[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#8|1, ]]''Assessing ''
-''Enhanced Security Requirements for Controlled Unclassified Information'',  along with the
+company to devices owned by the corporation by installing certificate keys and have the VPN
-supplemental information in this guide to conduct Level 3  certification  assessments.
+validate the configuration of connecting devices before they are allowed in [b].
-Assessors  will review information and evidence to  verify that an  OSC  meets  the stated
+'''Example 2 <br />
+'''You are a small company that uses an External Service Provider (ESP) to provide your audit
-assessment objectives for all of the requirements. <br />
+logging. Access between the ESP and the organization is controlled by the agreement
-An OSC can obtain a Level 3 certification assessment for an entire enterprise network or for
-specific enclave(s), depending on how the CMMC Assessment Scope is defined in accordance
+between the organization and the ESP. That agreement will include the policies, standards,
-with 32 CFR § 170.19(d).
+and configuration for the required access. Technical controls should be documented and in
-Assessment Scope
+place which limit the ESP’s access to the minimum required to perform the logging service.
-Prior to conducting a CMMC Level 3 certification assessment, the Level 3 CMMC Assessment
+'''Potential Assessment Considerations <br />
+'''•
-Scope must be defined as addressed in 32 CFR § 170.19(d) and the ''CMMC Scoping Guide – ''
+ Can the organization demonstrate a non-company-owned device failing to access
-''Level  3  ''document[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#8|2]]. The CMMC Assessment Scope informs which assets within the OSC’s
+information resources owned by the company [b]?
-environment will be assessed and the details of the assessment. The OSC must have achieved
+•
-a CMMC Status of Final Level 2 (C3PAO) of all systems included within the Level 3 CMMC
+ How is this requirement met for organizational devices that are specialized assets (GFE,
-Assessment Scope prior to requesting the Level 3 assessment, as set forth in 32 CFR § 170.18.
+restricted information systems) [a,b]?
-The Level 3 assessment scoping is based on the requirements defined in 32 CFR § 170.19(d)
+•
-and supported by the ''CMMC Scoping Guide – Level 3 ''document. The ''CMMC Scoping Guide – ''
+ Does the company allow employees to charge personal cell phones on organizational
-''Level  3  ''document is available on the official CMMC documentation site at
+systems [b]?
-https://dodcio.defense.gov/CMMC/Documentation/.  If a Final  Level 2  (C3PAO) CMMC
+'''KEY REFERENCES '''
-Status has not already been achieved for the desired CMMC Assessment Scope, the OSC may
+•
-not proceed with the Level 3 assessment.
+ NIST SP 800-172 3.1.2e
-  NIST SP800-172A, March 2022
- Note that an OSC ought to be mindful of their full Level 3 scoping in their request for a Level 2 assessment.
@@ Line 240: / Line 316: @@
-CMMC-Custom Terms
+AC.L3-3.1.3e – Secured Information Transfer
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-CMMC-Custom Terms <br />
+'''AC.L3-3.1.3E – SECURED INFORMATION TRANSFER '''
-The CMMC Program has custom terms that align with program requirements. Although some
-terms may have other definitions in open forums, it is important to understand these terms
+Employ secure information transfer solutions to control information flows between security
-as they apply to the CMMC Program. <br />
+domains on connected systems.
-The custom terms associated with Level 3 are: <br />
-•
-  '''Assessment:  '''As defined 32  CFR'''  '''§ 170.4  means  the testing or evaluation of security
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-controls to determine the extent to which the controls are implemented correctly,
+Determine if: <br />
+[ODP1] Secure information transfer solutions are defined; <br />
+[a] Information flows between security domains on connected systems are identified; and <br />
+[b] Secure information transfer solutions are employed to control information flows
-operating as intended, and producing the desired outcome with respect to meeting the
+between security domains on connected systems.
-security requirements for an information system or organization defined in 32 CFR §
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-.15 to 32 CFR § 170.18.''' <br />
+'''Examine <br />
-'''o  Level 3 certification assessment is the term for the activity performed by the DCMA
+'''[SELECT FROM: Access control policy; information flow control policies; procedures
-DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of
+addressing information flow enforcement; system design documentation; security plan;
-Level 3 (DIBCAC).
+system configuration settings and associated documentation; system audit records; system
-o  POA&amp;M closeout certification assessment is the term for the activity performed by a
+baseline configuration; list of information flow authorizations; other relevant documents or
-C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were
+records].
-identified with POA&amp;M during the initial assessment, when seeking a CMMC Status of
+'''Interview <br />
+'''[SELECT FROM: System and network administrators; organizational personnel responsible
-Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
+for information security; system developers].
-•
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing information flow enforcement policy;
-  '''Assessment Objective:''' Means a set of determination statements that, taken together,
+mechanisms implementing secure information transfer solutions].
-expresses the desired outcome for the assessment of a security requirement. Successful
+'''DISCUSSION [NIST SP 800-172] '''
-implementation of the corresponding CMMC security requirement requires meeting all
+Organizations employ information flow control policies and enforcement mechanisms to
-applicable assessment objectives defined in NIST SP 800–171A or NIST SP 800-172A.
+control the flow of information between designated sources and destinations within systems
-•
+and between connected systems. Flow control is based on the characteristics of the
-  '''Asset:''' Means an item of value to stakeholders. An asset may be tangible (e.g., a physical
+information and/or the information path. Enforcement occurs, for example, in boundary
-item such as hardware, firmware, computing platform, network device, or other
+protection devices that employ rule sets or establish configuration settings that restrict
-technology component) or intangible (e.g., humans, data, information, software,
+system services, provide a packet-filtering capability based on header information, or
-capability, function, service, trademark, copyright, patent, intellectual property, image,
+provide a message-filtering capability based on message content. Organizations also
-or reputation). The value of an asset is determined by stakeholders in consideration of
+consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware,
-loss concerns across the entire system life cycle. Such concerns include but are not
+firmware, and software components) that are critical to information flow enforcement. <br />
+Transferring information between systems in different security domains with different
-limited to business or mission concerns. Understanding ''assets'' is critical to identifying the
+security policies introduces the risk that the transfers violate one or more domain security
-''CMMC Assessment Scope''; for more information see ''CMMC Scoping Guide – Level 3''.''' '''
-•
-  '''CMMC Assessment Scope: '''As defined in 32 CFR''' '''§ 170.4 means the set of all ''assets'' in the
-OSC’s environment that will be assessed against CMMC security requirements.
-•
-  '''CMMC Status:''' The result of meeting or exceeding the minimum required score for the
-corresponding assessment. The CMMC Status of an OSA information system is officially
-stored in SPRS and additionally presented on a Certificate of CMMC Status, if the
-assessment was conducted by a C3PAO or DCMA DIBCAC. <br />
+AC.L3-3.1.3e – Secured Information Transfer
-o  '''Conditional Level 3 (DIBCAC):''''' ''Defined in 32 CFR § 170.18(a)(1)(ii). The OSC will
-achieve  CMMC Status of  Conditional Level 3 (DIBCAC)  if a  POA&amp;M exists upon
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-completion of the assessment and the POA&amp;M meets all Level 3 POA&amp;M requirements
-listed in 32 CFR § 170.21(a)(3).
+''' '''
+policies. In such situations, information owners or information stewards provide guidance
+at designated policy enforcement points between connected systems. Organizations
+mandate specific architectural solutions when required to enforce logical or physical
+separation between systems in different security domains. Enforcement includes prohibiting
+information transfers between connected systems, employing hardware mechanisms to
+enforce one-way information flows, verifying write permissions before accepting
+information from another security domain or connected system, and implementing
+trustworthy regrading mechanisms to reassign security attributes and labels. <br />
+Secure information transfer solutions often include one or more of the following properties:
-CMMC-Custom Terms
+use of cross-domain solutions when traversing security domains, mutual authentication of
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+the sender and recipient (using hardware-based cryptography), encryption of data in transit
+and at rest, isolation from other domains, and logging of information transfers (e.g., title of
-''' '''
+file, file size, cryptographic hash of file, sender, recipient, transfer time and Internet Protocol
-•
+[IP] address, receipt time, and IP address).
-  '''Final Level 3 (DIBCAC): '''Defined in''' '''32''' '''CFR § 170.18(a)(1)(iii).'' ''The OSC will achieve
+'''FURTHER DISCUSSION '''
-Final Level 3 (DIBCAC) CMMC Status for the information systems within the CMMC
+The organization implementing this requirement must decide on the secure information
-Assessment Scope upon implementation of all security requirements and, if
+transfer solutions they will use. The solutions must be configured to have strong protection
-applicable a POA&amp;M closeout assessment within 180 days. Additional guidance can
+mechanisms for information flow between security domains. Secure information transfer
-be found in 32 CFR §170.21.
+solutions control information flow between a Level 3 enclave and other CMMC or non-CMMC
-•
+enclaves. If CUI requiring Level 3 protection resides in one area of the environment or within
-  '''Enduring Exception:''' As defined 32 CFR § 170.4 means a special circumstance or
+a given enclave outside of the normal working environment, protection to prevent
-system where remediation and full compliance with CMMC ''s''ecurity ''r''equirements is not
+unauthorized personnel from accessing, disseminating, and sharing the protected
-feasible. Examples include systems required to replicate the configuration of ‘fielded’
+information is required. Physical and virtual methods can be employed to implement secure
-systems, medical devices, test equipment, OT, and IoT. No operational plan of action is
+information transfer solutions.
-required but the circumstance must be documented within a system security plan.
+'''Example <br />
+'''You are the administrator for an enterprise that stores and processes CUI requiring Level 3
-Specialized Assets and Government Furnished Equipment (GFE) may be Enduring
+protection. The files containing CUI information are tagged by the company as CUI. To ensure
-Exceptions.
+secure information transfer, you use an intermediary device to check the transfer of any CUI
-•
+files. The device sits at the boundary of the CUI enclave, is aware of all other CUI domains in
-  '''Event: '''Any observable occurrence in a system[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#10|3]]. As described in NIST SP 800-171A[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#10|4]], the
+the enterprise, and has the ability to examine the metadata in the encrypted payload. The
-terms “information system” and “system” can be used interchangeably. ''Events'' sometimes
+tool checks all outbound communications paths. It first checks the metadata for all data being
-provide indication that an ''incident'' is occurring.''' '''
+transferred. If that data is identified as CUI, the device checks the destination to see if the
-•
+transfer is to another, sufficiently certified CUI domain. If the destination is not a sufficient
+CUI domain, the tool blocks the communication path and does not allow the transfer to take
-  '''Incident:  '''An  occurrence that actually or potentially jeopardizes the confidentiality,
+place. If the destination is a sufficient CUI domain, the transfer is allowed. The intermediary
-integrity, or availability of a system or the information the system processes, stores, or
+device logs all blocks.
-transmits or that constitutes a violation or imminent threat of violation of security
+'''Potential Assessment Considerations <br />
+'''•
-policies, security procedures, or acceptable use policies.[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#10|5 ]]
+ Has the organization defined the secure information transfer solutions it is using [b]?
 •
-  '''Monitoring:  '''The act of continually checking, supervising, critically observing, or
+  Has the organization defined domains, boundaries, and flows between those domains
-determining the status in order to identify change from the performance level required
+that need to be controlled [a]?
-or expected at an ''organization-defined'' frequency and rate.[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#10|6''' ''']]
-•
-  '''Operational plan of action: '''As used in security requirement CA.L2-3.12.2, means the
-formal artifact which identifies temporary vulnerabilities and temporary deficiencies in
-implementation of requirements and documents how and when they will be mitigated,
-corrected, or eliminated.  The OSA defines the format (e.g., document, spreadsheet,
-database) and specific content of its operational plan of action. An operational plan of
-action is not the same as a POA&amp;M associated with an assessment.''' '''
-•
+AC.L3-3.1.3e – Secured Information Transfer
-  '''Organization-defined: '''As determined by the OSC being assessed except as defined in
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or
-rate at which something occurs within a given time period, or it could be associated with
+''' '''
-describing the configuration of a OSC’s solution.
 •
-  '''Organization-Defined Parameters (ODPs): '''Selected enhanced security requirements
+ Has the organization defined attributes to be associated with the CUI, and both source
-contain selection and assignment operations to give organizations[[6198c0a322e23aa1e1020689fc487ef0dcad6945.html#10|7 ]]flexibility in defining
+and destination objects [b]?
-variable parts of those requirements, as defined in NIST SP 800-172A. ODPs are used in
+•
-NIST SP 800-172 and NIST SP 800-172A to allow Federal agencies, in this case the DoD,
+ Has the organization defined metadata or some other tagging mechanism to be used as a
-to customize security requirements. Once specified, the values for the assignment and
+means of enforcing CUI flow control [b]?
-selection operations become part of the requirement and objectives, where applicable.
+•
+  Has the organization defined filters to be used as a basis for enforcing flow control
+decisions [b]?
- NIST SP 800-53 Rev. 5, p. 402
+•
+ Has the organization identified CUI flows for which flow control decisions are to be
- NIST SP 800-171A, June 2018, p. v
+applied and enforced [a,b]?
+'''KEY REFERENCES '''
- NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)
+•
+ NIST SP 800-172 3.1.3e
-  NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55
- The organization defining the parameters is the DoD.
@@ Line 471: / Line 541: @@
-CMMC-Custom Terms
+AT.L3-3.2.1e – Advanced Threat Awareness
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-The assignments and selections chosen for Level 3 are underlined in the requirement
+Awareness and Training (AT) <br />
+'''AT.L3-3.2.1E – ADVANCED THREAT AWARENESS '''
-statement and objectives. In some cases, further specificity of the assignment or selection
+Provide awareness training upon initial hire, following a significant cyber event, and at least
-will need to be made by the OSC. In those cases, the term and abbreviation ODPs is used
+annually, focused on recognizing and responding to threats from social engineering,
-in the assessment objectives to denote where additional definition is required.
+advanced persistent threat actors, breaches, and suspicious behaviors; update the training
-•
+at least annually or when there are significant changes to the threat.
-  '''Periodically: '''Means occurring at a regular interval as determined by the OSA that may
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-not exceed one year. As used in many requirements within CMMC, the interval length is
+Determine if: <br />
+[a] Threats from social engineering, advanced persistent threat actors, breaches, and
-''organization-defined'' to provide OSC flexibility, with an interval length of no more than
+suspicious behaviors are identified;
-one year.''' '''
+[b] Awareness training focused on recognizing and responding to threats from social
-•
+engineering, advanced persistent threat actors, breaches, and suspicious behaviors is
-  '''Security Protection Data: '''As defined 32 CFR § 170.4''' '''means data stored or processed by
+provided upon initial hire, following a significant cyber event, and at least annually;
-Security Protection Assets (SPA) that are used to protect an OSC's assessed environment.
+[c] Significant changes to the threats from social engineering, advanced persistent threat
-Security Protection Data is security relevant information and includes, but is not limited
+actors, breaches, and suspicious behaviors are identified; and
-to: configuration data required to operate an SPA, log files generated by or ingested by
+[d] Awareness training is updated at least annually or when there are significant changes to
-an SPA, data related to the configuration or vulnerability status of in-scope assets, and
+the threat.
-passwords that grant access to the in-scope environment.
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-•
+'''Examine <br />
+'''[SELECT FROM: Awareness training policy; procedures addressing awareness training
-  '''System Security Plan (SSP):''' Means the formal document that provides an overview of
+implementation; appropriate codes of federal regulations; awareness training curriculum;
-the security requirements for an information system or an information security program
+awareness training materials; security plan; training records; threat information on social
-and describes the security controls in place or planned for meeting those requirements.
+engineering, advanced persistent threat actors, suspicious behaviors, and breaches; other
-The system security plan describes the system components that are included within the
+relevant documents or records].
-system, the environment in which the system operates, how the security requirements
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for awareness training;
-are implemented, and the relationships with or connections to other systems.
+organizational personnel responsible for information security; organizational personnel
-•
+comprising the general system user community].
-  '''Temporary deficiency: '''As defined 32 CFR''' '''§ 170.4 means a condition where
+'''Test <br />
+'''[SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat
-remediation of a discovered deficiency is feasible and a known fix is available or is in
+information].
-process. The deficiency must be documented in an operational plan of action. A
-temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC
-security requirement but arises after implementation. A temporary deficiency may
-apply during the initial implementation of a security requirement if, during roll-out,
-specific issues with a very limited subset of equipment is discovered that must be
-separately addressed. There is no standard duration for which a temporary deficiency
-may be active. For example, FIPS-validated cryptography that requires a patch and the
-patched version is no longer the validated version may be a temporary deficiency.
+AT.L3-3.2.1e – Advanced Threat Awareness
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+'''DISCUSSION [NIST SP 800-172] '''
+An effective method to detect APT activities and reduce the effectiveness of those activities
+is to provide specific awareness training for individuals. A well-trained and security-aware
+workforce provides another organizational safeguard that can be employed as part of a
-Assessment Criteria and Methodology
+defense-in-depth strategy to protect organizations against malicious code injections via
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+email or web applications. Threat awareness training includes educating individuals on the
+various ways that APTs can infiltrate organizations, including through websites, emails,
-''' '''
+advertisement pop-ups, articles, and social engineering. Training can include techniques for
-Assessment Criteria and Methodology <br />
+recognizing suspicious emails, the use of removable systems in non-secure settings, and the
-The  ''CMMC Assessment Guide  –  Level  3''  leverages the assessment procedure described in
-NIST SP 800-172A Section 2.1:
+potential targeting of individuals by adversaries outside the workplace. Awareness training
-''An assessment procedure consists of an assessment objective and a set of ''
+is assessed and updated periodically to ensure that the training is relevant and effective,
-''potential assessment methods and objects that can be used to conduct the ''
+particularly with respect to the threat since it is constantly, and often rapidly, evolving. <br />
+[NIST SP 800-50] provides guidance on security awareness and training programs.
-''assessment. Each assessment objective includes a set of determination ''
+'''FURTHER DISCUSSION '''
-''statements related to the CUI enhanced security requirement that is the subject ''
+All organizations, regardless of size, should have a cyber training program that helps
-''of the assessment. Organization-defined parameters (ODP) that are part of ''
+employees understand threats they will face on a daily basis. This training must include
-''selected enhanced security requirements are included in the initial ''
+knowledge about APT actors, breaches, and suspicious behaviors.
-''determination statements for the assessment procedure. ODPs are included since ''
+'''Example <br />
+'''You are the cyber training coordinator for a small business with eight employees. You do not
-''the specified parameter values are used in subsequent determination ''
+have your own in-house cyber training program. Instead, you use a third-party company to
-''statements. ODPs are numbered sequentially and noted in bold italics. <br />
+provide cyber training. New hires take the course when they start, and all current staff
-Determination statements reflect the content of the enhanced security ''
-''requirements to ensure traceability of the assessment results to the ''
+members receive refresher training at least once a year [b]. When significant changes to the
-''requirements. The application of an assessment procedure to an enhanced ''
+threat landscape take place, the company contacts you and informs you that an update to the
-''security requirement produces assessment findings. The findings are used to ''
+training has been completed [c,d] and everyone will need to receive training [b]. You keep a
-''determine if the enhanced security requirement has been satisfied. <br />
+log of all employees who have gone through the cyber training program and the dates of
-Assessment objects are associated with the specific items being assessed. These ''
-''objects can include specifications, mechanisms, activities, and individuals. <br />
+training.
-''•
-  ''Specifications are the document-based artifacts (e.g., policies, procedures, ''
+'''Potential Assessment Considerations <br />
+'''•
-''security plans, security requirements, functional specifications, architectural ''
+ Does the organization have evidence that employees participate in cyber awareness
-''designs) associated with a system. ''
+training at initial hire and at least annually thereafter or when there have been significant
-•
+changes to the threat [b]?
-  ''Mechanisms are the specific hardware, software, or firmware safeguards ''
+'''KEY REFERENCES '''
-''employed within a system. ''
 •
-  ''Activities are the protection-related actions supporting a system that involve ''
+ NIST SP 800-172 3.2.1e
-''people (e.g., conducting system backup operations, exercising a contingency ''
-''plan, and monitoring network traffic). ''
+''' '''
-•
-  ''Individuals, or groups of individuals, are people applying the specifications, ''
-''mechanisms, or activities described above. ''
-''Assessment methods define the nature and the extent of the assessor’s actions. ''
-''The methods include examine, interview, and test. <br />
-''•
-  ''The  examine  method is the process of reviewing, inspecting, observing, ''
-''studying, or analyzing assessment objects (i.e., specifications, mechanisms, ''
-''activities). ''
-•
+AT.L3-3.2.2e – Practical Training Exercises
-  ''The interview method is the process of holding discussions with individuals ''
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''or groups of individuals to facilitate understanding, achieve clarification, or ''
-''obtain evidence. ''
+''' '''
+'''AT.L3-3.2.2E – PRACTICAL TRAINING EXERCISES '''
+Include practical exercises in awareness training for all users, tailored by roles, to include
+general users, users with specialized roles, and privileged users, that are aligned with
+current threat scenarios and provide feedback to individuals involved in the training and
+their supervisors.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+Determine if: <br />
+[a] Practical exercises are identified; <br />
+[b] Current threat scenarios are identified; <br />
+[c] Individuals involved in training and their supervisors are identified; <br />
+[d] Practical exercises that are aligned with current threat scenarios are included in
+awareness training for all users, tailored by roles, to include general users, users with
-Assessment Criteria and Methodology
+specialized roles, and privileged users; and
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+[e] Feedback is provided to individuals involved in the training and their supervisors.
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-''' '''
+'''Examine <br />
+'''[SELECT FROM: Awareness training policy; procedures addressing awareness training
-•
+implementation; appropriate codes of federal regulations; awareness training curriculum;
-  ''The test method is the process of exercising assessment objects (i.e., activities, ''
+awareness training materials; security plan; training records; threat information on social
-''mechanisms) under specified conditions to compare actual with expected ''
+engineering, advanced persistent threat actors, suspicious behaviors, breaches, or other
-''behavior. ''
+relevant adversary tactics, techniques, or procedures; feedback on practical exercises and
-''The purpose of the assessment methods is to facilitate understanding, achieve ''
+awareness training; other relevant documents or records].
-''clarification, and obtain evidence. The results obtained from applying the ''
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for awareness training; organizational
-''methods are used for making the specific determinations called for in the ''
+personnel responsible for information security; organizational personnel with roles identified
-''determination statements and thereby achieving the objectives for the ''
+for practical exercises; supervisors of personnel with roles identified for practical exercises].
-''assessment procedure. ''
+'''Test <br />
+'''[SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat
-Criteria
+information].
-Assessment objectives are provided for each requirement and are based on existing criteria
-from NIST SP 800-172A. The criteria are authoritative and provide a basis for the assessor
-to conduct an assessment of a requirement.
-Methodology
-During the CMMC certification assessment, the assessor will verify and validate that the OSC
-has met the requirements. Because an OSC can meet the assessment objectives in different
-ways (e.g., through documentation, computer configuration, network configuration, or
-training), the assessor may use a variety of techniques, including one or more of the three
-assessment methods described above from NIST SP 800-172A, to determine if the OSC meets
+AT.L3-3.2.2e – Practical Training Exercises
-the intent of the requirements. <br />
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-The assessor  will follow the guidance in NIST  SP  800-172A when determining which
-assessment methods to use:
-''Organizations [DoD] are not expected to use all of the assessment methods and ''
+''' '''
-''objects contained within the assessment procedures identified in this ''
+'''DISCUSSION [NIST SP 800-172] '''
-''publication. Rather, organizations have the flexibility to establish the level of ''
+Awareness training is most effective when it is complemented by practical exercises tailored
-''effort needed and the assurance required for an assessment (e.g., which ''
+to the tactics, techniques, and procedures (TTP) of the threat. Examples of practical exercises
-''assessment methods and objects are deemed to be the most useful in obtaining ''
+include unannounced social engineering attempts to gain unauthorized access, collect
-''the desired results). The decision on level of effort is made based on how the ''
+information, or simulate the adverse impact of opening malicious email attachments or
-''organization can accomplish the assessment objectives in the most cost-effective ''
+invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to
-''and efficient manner and with sufficient confidence to support the determination ''
+reinforce desired user behavior. Training results, especially failures of personnel in critical
-''that the CUI enhanced security requirements have been satisfied. ''
+roles, can be indicative of a potentially serious problem. It is important that senior
-The primary deliverable of an assessment is a compliance score and accompanying report
+management are made aware of such situations so that they can take appropriate
-that contains the findings associated with each requirement. For more detailed information
+remediating actions. <br />
+[NIST SP 800-181] provides guidance on role-based security training, including a lexicon and
-on assessment methods, see Appendix C of NIST SP 800-172A. <br />
+taxonomy that describes cybersecurity work via work roles.
-Figure 1 illustrates an example of an assessment procedure for requirement AC.L3-3.1.3e.
+'''FURTHER DISCUSSION '''
+This requirement can be performed by the organization or by a third-party company.
+Training exercises (including unannounced exercises, such as phishing training) should be
+performed at various times throughout the year to encourage employee readiness. After
+each exercise session has been completed, the results should be recorded (date, time, what
+and who the training tested, and the percent of successful and unsuccessful responses). The
+purpose of training is to help employees in all roles act appropriately for any given training
+situation, which should reflect real-life scenarios. Collected results will help identify
-Assessment Criteria and Methodology
+shortcomings in the cyber training and/or whether additional instructional training may be
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+needed. <br />
+General exercises can be included for all users, but exercises tailored for specific roles are
+important, too. Training tailored for specific roles helps make sure individuals are ready for
-''' '''
+actions and events specific to their positions in a company. Privileged users receive training
+that emphasizes what permissions their privileged account has in a given environment and
-Who Is Interviewed
+what extra care is required when using their privileged account.
-The assessor  has discussions with OSC  staff to understand if a requirement has been
+'''Example <br />
+'''You are the cyber training coordinator for a medium-sized business. You and a coworker
-addressed. Interviews with  applicable staff (possibly at different organizational levels)
+have developed a specialized awareness training to increase cybersecurity awareness
-determine if CMMC security  requirements are implemented and  if adequate resourcing,
+around your organization. Your training includes social media campaigns, social engineering
-training, and planning have occurred for individuals to perform the requirements.
+phone calls, and phishing emails with disguised links to staff to train them beyond the
-What Is Examined
+standard cybersecurity training [a,b]. <br />
+To send simulated phishing emails to staff, you subscribe to a third-party service that
-Examination includes reviewing, inspecting, observing, studying, or analyzing assessment
+specializes in this area [a]. The service sets up fictitious websites with disguised links to help
-objects. The objects can be documents, mechanisms, or activities. The primary focus will be
+train general staff against this TTP used by APTs [d]. The third-party company tracks the
-to examine through demonstrations during interviews. <br />
+individuals who were sent phishing emails and whether they click on any of the of the links
-For some requirements, the assessor reviews documentation to determine if assessment
-objectives are met. Interviews with OSC staff may identify the documents uses. Documents
+within the emails. After the training action is completed, you receive a report from the third-
-need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible
+party company. The results show that 20% of the staff clicked on one or more phishing email
-to be submitted as evidence because they are not yet official and are still subject to change.
+links, demonstrating a significant risk to your company. As the cyber training coordinator,
-Common types of documents that can be used as evidence include: <br />
-•
-  policy, process, and procedure documents;
-•
-  training materials;
-•
-  plans and planning documents; and
-•
-  system-level, network, and data flow diagrams.
+AT.L3-3.2.2e – Practical Training Exercises
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+you notify the individuals, informing them they failed the training and identifying the area(s)
+of concern [e]. You send an email to the supervisors informing them who in their
+organization has received training. You also send an email out to the entire company
+explaining the training that just took place and the overall results [e].
-Assessment Criteria and Methodology
+'''Potential Assessment Considerations <br />
+'''•
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+ Are the individuals being trained and the results recorded [e]?
+•
-''' '''
+ Are the training exercises performed [c]?
-This list of documents is not exhaustive or prescriptive. An OSC may not have these specific
+•
-documents, and other documents may be used to provide evidence of compliance. <br />
+ Are the exercises set up for all users? Are there tailored exercises based on roles within
-In other cases, the requirement is best assessed by observing that safeguards are in place by
-viewing  hardware or associated configuration information or observe  staff  exercising  a
+the organization (general users, users with specialized roles, and privileged users) [d]?
-process.
+•
-What Is Tested
+ Does the organization have documentation recording the training exercises, who
-Testing is an important part of the assessment process. Interviews tell the assessor what the
+participated, and feedback provided to those who participated in a training session [c,e]?
-OSC staff believe to be true, documentation provides evidence of intent, and testing
+'''KEY REFERENCES '''
-demonstrates what has or has not been done and is the preferred assessment method when
+•
-possible. For example, staff may talk about how users are identified and documentation may
+ NIST SP 800-172 3.2.2e
-provide details on how users are identified, but seeing a demonstration of user identification
-provides evidence that the requirement is met. The assessor will determine which
-requirements or objectives within a requirement need demonstration or testing. Most
-objectives will require testing.
-Assessment Findings
-The assessment of a CMMC security requirement results in one of three possible findings:
-MET, NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve CMMC Status
-of Final Level 3 (DIBCAC) as described in 32 CFR § 170.18, the OSC will need a finding of MET
-or NOT APPLICABLE on all Level 3 security requirements.  <br />
+CM.L3-3.4.1e – Authoritative Repository
-•
-  '''MET:'''  All applicable  assessment  objectives  for the security requirement are  satisfied
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-based on evidence. All evidence must be in final form and a not draft. Unacceptable forms
-of evidence include working papers, drafts, and unofficial or unapproved policies. For
+''' '''
-each security requirement marked MET, it is best practice to record statements that
+Configuration Management (CM) <br />
+'''CM.L3-3.4.1E – AUTHORITATIVE REPOSITORY '''
-indicate the response conforms to all objectives and document the appropriate evidence
+Establish and maintain an authoritative source and repository to provide a trusted source
-to support the response.
+and accountability for approved and implemented system components.
-•
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-  Enduring Exceptions when described, along with any mitigations, in the system
+Determine if: <br />
+[a] Approved system components are identified; <br />
+[b] Implemented system components are identified; <br />
+[c] An authoritative source and repository are established to provide a trusted source and
-security plan shall be assessed as MET.
+accountability for approved and implemented system components; and
-•
+[d] An authoritative source and repository are maintained to provide a trusted source and
-  Temporary deficiencies that are appropriately addressed in operational plans of
+accountability for approved and implemented system components.
-action (i.e., include deficiency reviews, milestones, and show progress towards
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-the implementation of corrections to reduce or eliminate identified
+'''Examine <br />
+'''[SELECT FROM: Configuration management policy; procedures addressing the baseline
-vulnerabilities) shall be assessed as MET.
+configuration of the system; configuration management plan; enterprise architecture
-•
+documentation; system design documentation; system architecture and configuration
-  '''NOT MET: '''One or more objectives for the security requirement is not satisfied. During a
+documentation; system configuration settings and associated documentation; change
-Level 3 certification assessment, for each requirement objective marked NOT MET, the
+control records; system and system component inventory records; inventory reviews and
-assessor will document why the evidence provided by the OSC does not conform.
+update records; security plan; system audit records; change control audit and review
-•
+reports; other relevant documents or records].
-  '''NOT APPLICABLE (N/A): '''A security requirement and/or objective does not apply at the
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for configuration management;
-time of the assessment. For example, SI.L3-3.14.3e might be N/A if there are no Internet of
+organizational personnel responsible for system component inventory; organizational
-Things (IoT),  Industrial Internet of Things (IIoT),  Operational Technology (OT),
+personnel responsible for configuration change control; organizational personnel
+responsible for information security; system/network administrators; members of a change
+control board or similar].
+'''Test <br />
+'''[SELECT FROM: Mechanisms that implement configuration change control; mechanisms
+supporting configuration control of the baseline configuration; mechanisms supporting
+and/or implementing the system component inventory].
-Assessment Criteria and Methodology
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-Government Furnished Equipment (GFE), Restricted Information Systems, or  test
-equipment included in the Level 3 CMMC Assessment Scope. <br />
+CM.L3-3.4.1e – Authoritative Repository
-If an OSC previously received a favorable adjudication from the DoD CIO indicating that
-a requirement is not applicable or that an alternative security measure is equally
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-effective, the DoD CIO  adjudication must be included in the system security plan to
-receive consideration during an assessment. Implemented security measures
+''' '''
-adjudicated by the DoD CIO as equally effective are assessed as MET if there have been
+'''DISCUSSION [NIST SP 800-172] '''
-no changes in the environment. <br />
+The establishment and maintenance of an authoritative source and repository includes a
-Each assessment  objective in NIST SP 800-171A  and NIST SP 800-172A  must yield a
-finding of MET or NOT APPLICABLE in order for the overall security requirement to be
+system component inventory of approved hardware, software, and firmware; approved
-scored as MET. Assessors exercise judgment in determining when sufficient and
+system baseline configurations and configuration changes; and verified system software and
-adequate evidence has been presented to make an assessment finding. <br />
+firmware, as well as images and/or scripts. The authoritative source implements integrity
-CMMC  certification  assessments are conducted and results are captured at the
-assessment objective level. One NOT MET assessment objective results in a failure of the
+controls to log changes or attempts to change software, configurations, or data in the
-entire security requirement. <br />
+repository. Additionally, changes to the repository are subject to change management
-A security requirement can be applicable even when assessment objectives included in
-the security requirements are scored as N/A. The security requirement is NOT MET when
+procedures and require authentication of the user requesting the change. In certain
-one or more applicable assessment objectives is NOT MET. <br />
+situations, organizations may also require dual authorization for such changes. Software
-Satisfaction of security requirements may be accomplished by other parts of the enterprise
-or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security requirement
+changes are routinely checked for integrity and authenticity to ensure that the changes are
-is considered MET if adequate evidence is provided that the enterprise or ESP, implements
+legitimate when updating the repository and when refreshing a system from the known,
-the requirement objectives. An ESP may be external people, technology, or facilities that
+trusted source. The information in the repository is used to demonstrate adherence to or
-the  OSC  uses, including cloud service providers, managed service providers, managed
+identify deviation from the established configuration baselines and to restore system
-security service providers, or cybersecurity-as-a-service providers.
+components from a trusted source. From an automated assessment perspective, the system
+description provided by the authoritative source is referred to as the desired state. The
+desired state is compared to the actual state to check for compliance or deviations. [NIST SP
+-128] provides guidance on security configuration management, including security
+configuration settings and configuration change control. <br />
+[NIST IR 8011-1] provides guidance on automation support to assess system and system
+component configurations.
+'''FURTHER DISCUSSION '''
+Trusted software, whether securely developed in house or obtained from a trusted source,
+should have baseline data integrity established when first created or obtained, such as by
-Requirement Descriptions
+using hash algorithms to obtain a hash value that would be used to validate the source prior
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+to use of the software in a given system. Hardware in the repository should be stored in boxes
+or containers with tamper-evident seals. Hashes and seals should be checked on a regular
-''' '''
+basis employing the principle of separation of duties.
-Requirement Descriptions <br />
+'''Example <br />
-This section provides detailed information and guidance for assessing each Level 3 security
+'''You are the primary system build technician at a medium-sized company. You have been put
-requirement. The section is organized first  by domain and  then  by individual security
+in charge of creating, documenting, and implementing a baseline configuration for all user
-requirement. Each security  requirement description contains the following elements  as
+systems [c]. You have identified a minimum set of software that is needed by all employees
-described in 32 CFR § 170.14(c): <br />
+to complete their work (e.g., office automation software). You acquire trusted versions of the
-•
-  '''Requirement Number, Name, and Statement:''' Headed by the requirement identification
+software and build one or more baselines of all system software, firmware, and applications
-number in the format DD.L#-REQ (e.g., AC.L3-3.1.2e); followed by the requirement short
+required by the organization. The gold version of each baseline is stored in a secure
-name identifier, meant to be used for quick reference only; and finally followed by the
+configuration management system repository and updated as required to maintain integrity
-complete CMMC security requirement statement. In the case where the original NIST SP
+and security. Access to the build repository for updates and use is carefully controlled using
--172 requirement requires  an assignment and/or selection statement, the Level 3
+access control mechanisms that limit access to you and your staff. All interactions with the
-assignment (and any necessary selection)  text  is  emphasized  using  underlining.  See
+repository are logged. Using an automated build tool, your team builds each organizational
-Section 2.2 in NIST SP 800-172 for the discussion on assignments and selections.
+system using the standard baseline
-•
-  '''Assessment Objectives [NIST SP 800-172A]: '''Identifies the specific list of objectives
-that must be met to receive MET for the requirement as defined in NIST SP 800-172A and
-includes the Level 3 assignment/selection text (as appropriate). In cases where a Level 3
-assignment  fully satisfies the definition(s)  required in an  organization-defined
-parameter (ODP) in NIST SP 800-172A, the ODP statement is not included as an objective,
-since that objective has been met by the assignment itself.  However, when the
-assignment does not fully contain all required aspects of a NIST SP 800-172A ODP, the
-ODP is included as its own objective, using the original NIST SP 800-172A ODP number
+CM.L3-3.4.1e – Authoritative Repository
-(e.g., “[ODP4]”). See the breakout box ''ORGANIZATION-DEFINED PARAMETERS'' in Section
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-.1 of NIST  SP  800-172A for additional details on an  ODP.  In all cases where an
-assignment is used within an objective, it also emphasized using underlining.
+''' '''
-•
+'''Potential Assessment Considerations <br />
+'''•
-  '''Potential Assessment Methods and Objects [NIST SP 800-172A]: '''Defines the nature
+ Does an authoritative source and repository exist to provide a trusted source and
-and extent of the assessor’s actions. Potential assessment methods and objects are as
+accountability for approved and implemented system components [c,d]?
-defined in NIST  SP  800-172A. The methods include ''examine'',  ''interview'', and ''test''.
+'''KEY REFERENCES '''
-Assessment objects identify the items being assessed and can include specifications,
-mechanisms, activities, and individuals.
 •
-  '''Discussion [NIST SP 800-172]: '''Contains discussion from the associated NIST SP 800-172
+ NIST SP 800-172 3.4.1e
-security requirement.
-•
+''' '''
-  '''Further Discussion: '''
-•
-  Expands upon the NIST content to provide supplemental information on the
-requirement intent.
-•
-  Contains examples illustrating how the OSC might apply the requirement. These
-examples provide insight but are not intended to be prescriptive of how the
-requirement must be implemented, nor comprehensive of all assessment
-objectives necessary to achieve the requirement. The assessment objectives met
+CM.L3-3.4.2e – Automated Detection &amp; Remediation
-within the example are referenced by letter in brackets (e.g., [a,d] for objectives
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-“a” and “d”) within the text. Note that some of the examples contain company
-names; all company names used in this document are fictitious.
+''' '''
+'''CM.L3-3.4.2E – AUTOMATED DETECTION &amp; REMEDIATION '''
+Employ automated mechanisms to detect misconfigured or unauthorized system
+components; after detection, remove the components or place the components in a
+quarantine or remediation network to facilitate patching, re-configuration, or other
+mitigations.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+Determine if: <br />
+[a] Automated mechanisms to detect misconfigured or unauthorized system components
+are identified;
-Requirement Descriptions
+[b] Automated mechanisms are employed to detect misconfigured or unauthorized system
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+components;
+[c] Misconfigured or unauthorized system components are detected; and <br />
+[d] After detection, system components are removed or placed in a quarantine or
-''' '''
+remediation network to facilitate patching, re-configuration, or other mitigations.
-•
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-  Provides potential assessment considerations. These may include common
+'''Examine <br />
+'''[SELECT FROM: Configuration management policy; procedures addressing the baseline
-considerations for assessing the requirement and potential questions the assessor
+configuration of the system; configuration management plan; authoritative source or
-may ask when assessing the objectives.
+repository; enterprise architecture documentation; system design documentation; system
-•
+architecture and configuration documentation; system procedures addressing system
-  '''Key References: '''Lists the security requirement from NIST SP 800-172.
+configuration change control; configuration settings and associated documentation; change
+control records; change control audit and review reports; agenda/minutes from
+configuration change control oversight meetings; alerts/notifications of unauthorized
+baseline configuration changes; security plan; system audit records; other relevant
+documents or records].
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for configuration management;
+organizational personnel responsible for information security; organizational personnel
+responsible for configuration change control; system developers; system/network
+administrators; members of a change control board or similar roles].
-AC.L3-3.1.2e – Organizationally Controlled Assets
+'''Test <br />
+'''[SELECT FROM: Automated mechanisms supporting configuration control of the baseline
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+configuration; automated mechanisms that implement security responses to changes to the
+baseline configurations; automated mechanisms that implement configuration change
-''' '''
+control; automated mechanisms that detect misconfigured or unauthorized system
-Access Control (AC) <br />
+components].
-'''AC.L3-3.1.2E – ORGANIZATIONALLY CONTROLLED ASSETS '''
-Restrict access to systems and system components to only those information resources that
-are owned, provisioned, or issued by the organization.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[a] Information resources that are owned, provisioned, or issued by the organization are
-identified; and
-[b] Access to systems and system components is restricted to only those information
-resources that are owned, provisioned, or issued by the organization.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
+CM.L3-3.4.2e – Automated Detection &amp; Remediation
-'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
-list of information resources owned, provisioned, or issued by the organization; security
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-plan; system design documentation; system configuration settings and associated
-documentation; system connection or processing agreements; system audit records; account
+''' '''
-management documents; other relevant documents or records].
+'''DISCUSSION [NIST SP 800-172] '''
-'''Interview <br />
+System components used to process, store, transmit, or protect CUI are monitored and
-'''[SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use
-of non-organizationally owned systems, system components, or devices; system and
+checked against the authoritative source (i.e., hardware and software inventory and
-network administrators; organizational personnel responsible for system security].
+associated baseline configurations). From an automated assessment perspective, the system
-'''Test <br />
+description provided by the authoritative source is referred to as the desired state. Using
-'''[SELECT FROM: Mechanisms implementing restrictions on the use of non-organizationally
-owned systems, components, or devices].
+automated tools, the desired state is compared to the actual state to check for compliance or
-'''DISCUSSION [NIST SP 800-172] '''
+deviations. Security responses to system components that are unknown or that deviate from
-Information resources that are not owned, provisioned, or issued by the organization include
+approved configurations can include removing the components; halting system functions or
-systems or system components owned by other organizations and personally owned
+processing; placing the system components in a quarantine or remediation network that
-devices. Non-organizational information resources present significant risks to the
+facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or
-organization and complicate the ability to employ a “comply-to-connect” policy or
+notifications to personnel when there is an unauthorized modification of an organization-
-implement component or device attestation techniques to ensure the integrity of the
+defined configuration item. Responses can be automated, manual, or procedural.
-organizational system.
+Components that are removed from the system are rebuilt from the trusted configuration
+baseline established by the authoritative source. <br />
+[NIST IR 8011-1] provides guidance on using automation support to assess system
+configurations
+'''FURTHER DISCUSSION '''
+For this requirement, the organization is required to implement automated tools to help
+identify misconfigured components. Once under an attacker’s control, the system may be
+modified in some manner and the automated tool should detect this. Or, if a user performs a
+manual configuration adjustment, the system will be viewed as misconfigured, and that
+change should be detected. Another common example is if a component has been offline and
+not updated, the tool should detect the incorrect configuration. If any of these scenarios
-AC.L3-3.1.2e – Organizationally Controlled Assets
+occurs, the automated configuration management system (ACMS) will notice a change and
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+can take the system offline, quarantine the system, or send an alert so the component(s) can
+be manually removed. Quarantining a misconfigured component does not require it to be
-''' '''
+removed from the network. Quarantining only requires that a temporary limitation be put
-'''FURTHER DISCUSSION '''
+in place eliminating the component’s ability to process, store, or transmit CUI until it is
-Implementing this requirement ensures that an organization has control over the systems
+properly configured. If a component has the potential of disrupting business operations then
-that can connect to organizational assets. This control will allow more effective and efficient
+the OSC should take extra care to ensure configuration updates are properly tested and that
-application of security policy. The terms “has control over” provides policy for systems that
+components are properly configured and tested before being added to the network. Once
-are not owned outright by the organization.  Control includes policies, regulations or
+one of these actions is accomplished, a system technician may need to manually inspect the
-standards that are enforced on the resource accessing contractor systems. Control may also
+system or rebuild it using the baseline configuration. Another option is for an ACMS to make
-be exercised through contracts or agreements with the external party. Provisioned includes
+adjustments while the system is running rather than performing an entire rebuild. These
-setting configuration, whether through direct technical means or by policy or agreement. For
+adjustments can include replacing configuration files, executable files, scripts, or library files
-purposes of this requirement, GFE can be considered provisioned by the OSA.
+on the fly.
 '''Example 1 <br />
-'''You are the chief network architect for your company.  Company policy states  that all
+'''As the system administrator, you implement company policy stating that every system
-company-owned assets  must  be separated from all non-company-owned  (i.e.,  guest or
+connecting to the company network via VPN will be checked for specific configuration
-employee) assets. You decide the best way forward is to modify the corporate wired and
+settings and software versioning before it is allowed to connect to the network, after it passes
-wireless networks to only allow company-owned devices to connect [b]. All other devices
+authentication [a,b]. If any deviations from the authoritative baseline are identified, the
-are connected to a second (untrusted) network that non-corporate devices may use to access
-the internet.  The two environments are physically separated and are not allowed to be
-connected.  You also decide to limit the virtual private network (VPN)  services of the
-company to devices owned by the corporation by installing certificate keys and have the VPN
-validate the configuration of connecting devices before they are allowed in [b].
-'''Example 2 <br />
-'''You are a small company that uses an External Service Provider (ESP) to provide your audit
-logging.  Access between the ESP and the organization is controlled by the agreement
-between the organization and the ESP. That agreement will include the policies, standards,
+CM.L3-3.4.2e – Automated Detection &amp; Remediation
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+system is placed in a VPN quarantine zone (remediation network) using a virtual local area
+network (VLAN) [b,c,d]. This VLAN is set up for system analysis, configuration changes, and
+rebuilding after forensic information is pulled from the system. Once the system updates are
+complete, the system will be removed from the quarantine zone and placed on the network
+through the VPN connection.
+'''Example 2 <br />
+'''As the system administrator, you have chosen to use a network access control (NAC) solution
+to validate system configurations before they are allowed to connect to the corporate
+network [a]. When a system plugs into or connects to a local network port or the VPN, the
+NAC solution checks the hash of installed system software [b,c]. If the system does not pass
-and configuration for the required access. Technical controls should be documented and in
+the configuration check, it is put in quarantine until an administrator can examine it or the
-place which limit the ESP’s access to the minimum required to perform the logging service.
+ACMS updates the system to pass the system checks [d].
 '''Potential Assessment Considerations <br />
 '''•
-  Can the organization demonstrate a non-company-owned device failing to access
+ Can the organization explain the automated process that identifies, quarantines, and
-information resources owned by the company [b]?
+remediates a system when a misconfiguration or unauthorized system component is
-•
+identified [a,b,c,d]?
-  How is this requirement met for organizational devices that are specialized assets (GFE,
-restricted information systems) [a,b]?
 •
-  Does the company allow employees to charge personal cell phones on organizational
+ Does the organization have a patching and rebuild process for all assets that may be taken
-systems [b]?
+offline [d]?
 '''KEY REFERENCES '''
@@ Line 1,252: / Line 1,344: @@
 •
-  NIST SP 800-172 3.1.2e
+ NIST SP 800-172 3.4.2e
+''' '''
@@ Line 1,267: / Line 1,359: @@
-AC.L3-3.1.3e – Secured Information Transfer
+CM.L3-3.4.3e – Automated Inventory
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''AC.L3-3.1.3E – SECURED INFORMATION TRANSFER '''
+'''CM.L3-3.4.3E – AUTOMATED INVENTORY '''
-Employ secure information transfer solutions to control information flows between security
+Employ automated discovery and management tools to maintain an up-to-date, complete,
-domains on connected systems.
+accurate, and readily available inventory of system components.
 '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
 Determine if: <br />
-[ODP1] Secure information transfer solutions are defined; <br />
+[a] Automated discovery and management tools for the inventory of system components are
-[a] Information flows between security domains on connected systems are identified; and <br />
-[b] Secure information transfer solutions  are employed to control information flows
+identified;
+[b] An up-to-date, complete, accurate, and readily available inventory of system components
+exists; and
+[c] Automated discovery and management tools are employed to maintain an up-to-date,
-between security domains on connected systems.
+complete, accurate, and readily available inventory of system components.
 '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
 '''Examine <br />
-'''[SELECT FROM: Access control policy; information flow control policies; procedures
+'''[SELECT FROM: Configuration management policy; configuration management plan;
+procedures addressing system component inventory; procedures addressing the baseline
-addressing information flow enforcement; system design documentation; security plan;
+configuration of the system; configuration management plan; system design documentation;
-system configuration settings and associated documentation; system audit records; system
+system architecture and configuration documentation; security plan; system configuration
+settings and associated documentation; configuration change control records; system
-baseline configuration; list of information flow authorizations; other relevant documents or
+inventory records; change control records; system maintenance records; system audit
-records].
+records; other relevant documents or records].
 '''Interview <br />
-'''[SELECT FROM: System and network administrators; organizational personnel responsible
+'''[SELECT FROM: Organizational personnel responsible for information security;
+organizational personnel responsible for configuration management; organizational
+personnel responsible for managing the automated mechanisms implementing the system
-for information security; system developers].
+component inventory; system developers; system/network administrators].
 '''Test <br />
-'''[SELECT FROM: Mechanisms implementing information flow enforcement policy;
+'''[SELECT FROM: Automated mechanisms implementing baseline configuration maintenance;
-mechanisms implementing secure information transfer solutions].
+automated mechanisms implementing the system component inventory].
 '''DISCUSSION [NIST SP 800-172] '''
-Organizations employ information flow control policies and enforcement mechanisms to
+The system component inventory includes system-specific information required for
-control the flow of information between designated sources and destinations within systems
+component accountability and to provide support to identify, control, monitor, and verify
-and between connected systems. Flow control is based on the characteristics of the
+configuration items in accordance with the authoritative source. The information necessary
-information and/or the information path. Enforcement occurs, for example, in boundary
+for effective accountability of system components includes the system name, hardware and
-protection devices that employ rule sets or establish configuration settings that restrict
+software component owners, hardware inventory specifications, software license
-system services, provide a packet-filtering capability  based on header information, or
-provide a message-filtering capability based on message content. Organizations also
-consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware,
-firmware, and software components) that are critical to information flow enforcement. <br />
-Transferring information between systems in different security domains with different
-security policies introduces the risk that the transfers violate one or more domain security
+CM.L3-3.4.3e – Automated Inventory
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+information, software version numbers, and— for networked components—the machine
-AC.L3-3.1.3e – Secured Information Transfer
+names and network addresses. Inventory specifications include the manufacturer, supplier
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+information, component type, date of receipt, cost, model, serial number, and physical
+location. Organizations also use automated mechanisms to implement and maintain
-''' '''
+authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for
-policies. In such situations, information owners or information stewards provide guidance
+systems that include hardware and software inventory tools, configuration management
-at designated policy enforcement points between connected systems. Organizations
+tools, and network management tools. Tools can be used to track version numbers on
-mandate specific architectural solutions when required to enforce logical or physical
+operating systems, applications, types of software installed, and current patch levels.
-separation between systems in different security domains. Enforcement includes prohibiting
+'''FURTHER DISCUSSION '''
-information transfers between connected systems, employing hardware mechanisms to
+Organizations use an automated capability to discover components connected to the
-enforce one-way information flows, verifying write permissions before accepting
+network and system software installed. The automated capability must also be able to
-information from another security domain or connected system, and implementing
+identify attributes associated with those components. For systems that have already been
-trustworthy regrading mechanisms to reassign security attributes and labels. <br />
+coupled to the environment, they should allow remote access for inspection of the system
-Secure information transfer solutions often include one or more of the following properties:
-use of cross-domain solutions when traversing security domains, mutual authentication of
+software configuration and components. Another option is to place an agent on systems that
-the sender and recipient (using hardware-based cryptography), encryption of data in transit
+performs internal system checks to identify system software configuration and components.
-and at rest, isolation from other domains, and logging of information transfers (e.g., title of
+Collection of switch and router data can also be used to identify systems on networks.
-file, file size, cryptographic hash of file, sender, recipient, transfer time and Internet Protocol
+'''Example <br />
+'''Within your organization, you are in charge of implementing an authoritative inventory of
-[IP] address, receipt time, and IP address).
+system components. You first create a list of the automated technologies you will use and
-'''FURTHER DISCUSSION '''
+what each technology will be responsible for identifying [a]. This includes gathering
-The organization implementing this requirement must decide on the secure information
+information from switches, routers, access points, primary domain controllers, and all
-transfer solutions they will use. The solutions must be configured to have strong protection
+connected systems or devices, whether wired or wireless (printers, IoT, IIoT, OT, IT, etc.) [b].
-mechanisms for information flow between security domains. Secure information transfer
+To keep the data up-to-date, you set a very short search frequency for identifying new
-solutions control information flow between a Level 3 enclave and other CMMC or non-CMMC
+components. To maximize availability of this data, all information will be placed in a central
-enclaves. If CUI requiring Level 3 protection resides in one area of the environment or within
+inventory/configuration management system, and automated reporting is performed every
-a given enclave outside of the normal working environment, protection to prevent
+day [c]. A user dashboard is set up that allows you and other administrators to run reports
-unauthorized personnel from accessing, disseminating,  and sharing the protected
+at any time.
-information is required. Physical and virtual methods can be employed to implement secure
+'''Potential Assessment Considerations <br />
+'''•
-information transfer solutions.
+ Can the organization explain the process by which current inventory information is
-'''Example <br />
+acquired [a]?
-'''You are the administrator for an enterprise that stores and processes CUI requiring Level 3
-protection. The files containing CUI information are tagged by the company as CUI. To ensure
+•
-secure information transfer, you use an intermediary device to check the transfer of any CUI
+ Is the organization able to produce an inventory of components on the network [b,c]?
-files. The device sits at the boundary of the CUI enclave, is aware of all other CUI domains in
+•
-the enterprise, and has the ability to examine the metadata in the encrypted payload. The
+ Has the organization implemented a valid frequency for the component discovery
-tool checks all outbound communications paths. It first checks the metadata for all data being
+solution [b,c]?
-transferred. If that data is identified as CUI, the device checks the destination to see if the
+•
-transfer is to another, sufficiently certified CUI domain. If the destination is not a sufficient
+ Can the organization demonstrate that the inventory is current and accurate [b]?
-CUI domain, the tool blocks the communication path and does not allow the transfer to take
+•
-place. If the destination is a sufficient CUI domain, the transfer is allowed. The intermediary
+ Has the organization developed a defined list of identifiable attributes for each
-device logs all blocks.
+component type, and is that list adequate to support component accountability [a]?
-'''Potential Assessment Considerations <br />
-'''•
-  Has the organization defined the secure information transfer solutions it is using [b]?
 •
-  Has the organization defined domains, boundaries, and flows between those domains
+ Is the organization able to track, monitor, and verify configuration items in accordance
-that need to be controlled [a]?
+with the organization’s authoritative list of components [b,c]?
@@ Line 1,443: / Line 1,543: @@
-AC.L3-3.1.3e – Secured Information Transfer
+CM.L3-3.4.3e – Automated Inventory
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-•
+'''KEY REFERENCES '''
-  Has the organization defined attributes to be associated with the CUI, and both source
-and destination objects [b]?
 •
-  Has the organization defined metadata or some other tagging mechanism to be used as a
+ NIST SP 800-172 3.4.3e
-means of enforcing CUI flow control [b]?
+''' '''
-•
-  Has the organization defined filters to be used as a basis for enforcing flow control
-decisions [b]?
-•
-  Has the organization identified  CUI  flows for which flow control decisions are to be
-applied and enforced [a,b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.1.3e
+IA.L3-3.5.1e – Bidirectional Authentication
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+Identification and Authentication (IA) <br />
+'''IA.L3-3.5.1E – BIDIRECTIONAL AUTHENTICATION '''
+Identify and authenticate systems and system components, where possible, before
+establishing a network connection using bidirectional authentication that is
+cryptographically based and replay resistant.
-AT.L3-3.2.1e – Advanced Threat Awareness
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+Determine if: <br />
+[ODP1] Systems and system components to identify and authenticate are defined; <br />
+[a] Bidirectional authentication that is cryptographically-based is implemented; <br />
+[b] Bidirectional authentication that is replay-resistant is implemented; and <br />
+[c] Systems and system components, where possible, are identified and authenticated before
+establishing a network connection using bidirectional authentication that is
-''' '''
+cryptographically-based and replay-resistant.
-Awareness and Training (AT) <br />
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''AT.L3-3.2.1E – ADVANCED THREAT AWARENESS '''
-Provide awareness training upon initial hire, following a significant cyber event, and at least
+'''Examine <br />
+'''[SELECT FROM: Identification and authentication policy; procedures addressing device
-annually, focused on recognizing and responding to threats from social engineering,
+identification and authentication; network connection policy; security plan; system
-advanced persistent threat actors, breaches, and suspicious behaviors; update the training
+configuration settings and associated documentation; system design documentation; list of
-at least annually or when there are significant changes to the threat.
+devices requiring unique identification and authentication; device connection reports;
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+system audit records; list of privileged system accounts; other relevant documents or
-Determine if: <br />
+records].
-[a] Threats from social engineering, advanced persistent threat actors, breaches, and
-suspicious behaviors are identified;
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for system operations; organizational
-[b] Awareness training focused on recognizing and responding to threats from social
+personnel responsible for account management; organizational personnel responsible for
-engineering, advanced persistent threat actors, breaches, and suspicious behaviors is
+device identification and authentication; organizational personnel responsible for
-provided upon initial hire, following a significant cyber event, and at least annually;
+information security; system/network administrators; system developers].
-[c] Significant changes to the threats from social engineering, advanced persistent threat
+'''Test <br />
+'''[SELECT FROM: Cryptographically-based bidirectional authentication mechanisms;
-actors, breaches, and suspicious behaviors are identified; and
+mechanisms supporting and/or implementing network connection policy; mechanisms
-[d] Awareness training is updated at least annually or when there are significant changes to
+supporting and/or implementing replay-resistant authentication mechanisms; mechanisms
-the threat.
+supporting and/or implementing an identification and authentication capability;
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+mechanisms supporting and/or implementing a device identification and authentication
-'''Examine <br />
+capability].
-'''[SELECT FROM: Awareness training policy; procedures addressing awareness training
-implementation; appropriate codes of federal regulations; awareness training curriculum;
-awareness training materials; security plan; training records; threat information on social
-engineering, advanced persistent threat actors, suspicious behaviors, and breaches; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Organizational personnel responsible for awareness training;
-organizational personnel responsible for information security; organizational personnel
-comprising the general system user community].
-'''Test <br />
-'''[SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat
-information].
+IA.L3-3.5.1e – Bidirectional Authentication
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+'''DISCUSSION [NIST SP 800-172] '''
+Cryptographically-based and replay-resistant authentication between systems, components,
+and devices addresses the risk of unauthorized access from spoofing (i.e., claiming a false
+identity). The requirement applies to client-server authentication, server-server
+authentication, and device authentication (including mobile devices). The cryptographic key
-AT.L3-3.2.1e – Advanced Threat Awareness
+for authentication transactions is stored in suitably secure storage available to the
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+authenticator application (e.g., keychain storage, Trusted Platform Module [TPM], Trusted
+Execution Environment [TEE], or secure element). Mandating authentication requirements
-''' '''
+at every connection point may not be practical, and therefore, such requirements may only
-'''DISCUSSION [NIST SP 800-172] '''
+be applied periodically or at the initial point of network connection. <br />
+[NIST SP 800-63-3] provides guidance on identity and authenticator management.
-An effective method to detect APT activities and reduce the effectiveness of those activities
+'''FURTHER DISCUSSION '''
-is to provide specific awareness training for individuals. A well-trained and security-aware
+The intent of this practice is to prevent unauthorized devices from connecting to one
-workforce provides another organizational safeguard that can be employed as part of a
+another. One example satisfying this requirement is a web server configured with transport
-defense-in-depth strategy to protect organizations against malicious code injections via
+layer security (TLS) using mutual authentication. At a lower level in the OSI stack, IPsec
-email or web applications. Threat awareness training includes educating individuals on the
+provides application-transparent mutual authentication. Another example would be
-various ways that APTs can infiltrate organizations, including through websites, emails,
+implementing 802.1X technology to enforce port-based NAC. This is done by enabling 802.1X
-advertisement pop-ups, articles, and social engineering. Training can include techniques for
+on switches, wireless access points, and VPN connections for a given network. 802.1X defines
-recognizing suspicious emails, the use of removable systems in non-secure settings, and the
+authentication controls for devices trying to access a given network. NAC controls
-potential targeting of individuals by adversaries outside the workplace. Awareness training
+authorization and policy management. For this to be implemented, bidirectional
-is assessed and updated periodically to ensure that the training is relevant and effective,
+authentication must be turned on via 802.1X. Once successfully authenticated, the device
-particularly with respect to the threat since it is constantly, and often rapidly, evolving. <br />
+may communicate on the network. A final example, at the application-server level, involves
-[NIST SP 800-50] provides guidance on security awareness and training programs.
-'''FURTHER DISCUSSION '''
+the use of Kerberos to control 1) which files a client can access and 2) the transmission of
-All organizations, regardless of size,  should have a cyber training program that helps
+sensitive data from the client to the server.
-employees understand threats they will face on a daily basis. This training must include
+'''Example 1 <br />
+'''You are the network engineer in charge of implementing this requirement. You have been
-knowledge about APT actors, breaches, and suspicious behaviors.
+instructed to implement a technology that will provide mutual authentication for client
-'''Example <br />
+server connections. You implement Kerberos. <br />
-'''You are the cyber training coordinator for a small business with eight employees. You do not
+On the server side, client authentication is implemented by having the client establish a local
-have your own in-house cyber training program. Instead, you use a third-party company to
+security context. This is initially accomplished by having the client present credentials which
-provide cyber training.  New hires take the course when they start,  and all current staff
+are confirmed by the Active Directory Domain Controller (DC). After that, the client may
-members receive refresher training at least once a year [b]. When significant changes to the
+establish context via a session of a logged-in user. The service does not accept connections
-threat landscape take place, the company contacts you and informs you that an update to the
+from any unauthenticated client. <br />
+On the client side, server authentication requires registration, using administrator
-training has been completed [c,d] and everyone will need to receive training [b]. You keep a
+privileges, of unique Service Provider Names (SPNs) for each service instance offered. The
-log of all employees who have gone through the cyber training program and the dates of
+names are registered in the Active Directory Domain Controller. When a client requests a
-training.
+connection to a service, it composes an SPN for a service instance, using known data or data
-'''Potential Assessment Considerations <br />
+provided by the user. For authentication, the client presents its SPN to the Key Distribution
-'''•
-  Does the organization have evidence that employees participate in cyber awareness
+Center (KDC), and the KDC searches for computers with the registered SPN before allowing
-training at initial hire and at least annually thereafter or when there have been significant
-changes to the threat [b]?
+a connection via an encrypted message passed to the client for forwarding to the server.
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.2.1e
-''' '''
@@ Line 1,652: / Line 1,736: @@
-AT.L3-3.2.2e – Practical Training Exercises
+IA.L3-3.5.1e – Bidirectional Authentication
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''AT.L3-3.2.2E – PRACTICAL TRAINING EXERCISES '''
+'''Example 2 <br />
+'''You are the network engineer in charge of implementing this requirement. You have been
-Include practical exercises in awareness training for all users, tailored by roles, to include
+instructed to implement a technology that will provide authentication for each system prior
-general users, users with specialized roles, and privileged users,  that are aligned with
+to connecting to the environment. You implement the company-approved scheme that uses
-current threat scenarios and provide feedback to individuals involved in the training and
+cryptographic keys installed on each system for it to authenticate to the environment, as well
-their supervisors.
+as user-based cryptographic keys that are used in combination with a user’s password for
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+user-level authentication [a,c]. Your authentication implementation is finalized on each
-Determine if: <br />
+system using an ACM solution. When a system connects to the network, the system uses the
-[a] Practical exercises are identified; <br />
-[b] Current threat scenarios are identified; <br />
-[c] Individuals involved in training and their supervisors are identified; <br />
-[d] Practical exercises that are aligned with current threat scenarios are included in
-awareness training for all users, tailored by roles, to include general users, users with
+system-level certificate to authenticate itself to the switch before the switch will allow it to
-specialized roles, and privileged users; and
+access the corporate network [a,c]. This is accomplished using 802.1x technology on the
-[e] Feedback is provided to individuals involved in the training and their supervisors.
+switch and by authenticating with a RADIUS server that authenticates itself with the system
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+via cryptographic keys. If either system fails to authenticate to the other, the trust is broken,
-'''Examine <br />
+and the system will not be able to connect to or communicate on the network. You also set
-'''[SELECT FROM: Awareness training policy; procedures addressing awareness training
-implementation; appropriate codes of federal regulations; awareness training curriculum;
+up a similar implementation in your wireless access point.
-awareness training materials; security plan; training records; threat information on social
+'''Example 3 <br />
+'''You are the network engineer in charge of implementing the VPN solution used by the
-engineering, advanced persistent threat actors, suspicious behaviors, breaches, or other
+organization. To meet this requirement, you use a VPN gateway server and public key
-relevant adversary tactics, techniques, or procedures; feedback on practical exercises and
+infrastructure (PKI) certificates via a certification authority (CA) and a chain of trust. When
-awareness training; other relevant documents or records].
+a client starts a VPN connection, the server presents its certificate to the client and if the
-'''Interview <br />
+certificate is trusted, the client then presents its certificate to the server [a]. If the server
-'''[SELECT FROM: Organizational personnel responsible for awareness training; organizational
-personnel responsible for information security; organizational personnel with roles identified
+validates the client certificate, an established communications channel is opened for the
-for practical exercises; supervisors of personnel with roles identified for practical exercises].
+client to finish the authentication process and gain access to the network via the VPN
-'''Test <br />
+gateway server [c]. If the client fails final authentication, fails the certification validation, or
-'''[SELECT FROM: Mechanisms managing awareness training; mechanisms managing threat
-information].
+the VPN gateway fails the certificate check by the client, the communication channel will be
+denied.
+'''Potential Assessment Considerations <br />
+'''•
+ Are cryptographic keys stored securely [a]?
+•
+ Has the requirement been implemented for any of the three use cases, where applicable:
+client-server authentication, server-server authentication, and device authentication
+[b,c]?
+'''KEY REFERENCES '''
-AT.L3-3.2.2e – Practical Training Exercises
+•
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+ NIST SP 800-172 3.5.1e
-''' '''
-'''DISCUSSION [NIST SP 800-172] '''
-Awareness training is most effective when it is complemented by practical exercises tailored
-to the tactics, techniques, and procedures (TTP) of the threat. Examples of practical exercises
-include unannounced social engineering attempts to gain unauthorized access, collect
-information, or simulate the adverse impact of opening malicious email attachments or
-invoking, via spear phishing attacks, malicious web links. Rapid feedback is essential to
-reinforce desired user behavior. Training results, especially failures of personnel in critical
+IA.L3-3.5.3e – Block Untrusted Assets
-roles, can be indicative of a potentially serious problem. It is important that senior
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-management are made aware of such situations so that they can take appropriate
-remediating actions.  <br />
+''' '''
-[NIST SP 800-181] provides guidance on role-based security training, including a lexicon and
-taxonomy that describes cybersecurity work via work roles.
+'''IA.L3-3.5.3E – BLOCK UNTRUSTED ASSETS '''
-'''FURTHER DISCUSSION '''
+Employ automated or manual/procedural mechanisms to prohibit system components from
-This  requirement  can be performed by the organization or by a  third-party company.
+connecting to organizational systems unless the components are known, authenticated, in a
-Training exercises (including unannounced exercises, such as phishing training) should be
+properly configured state, or in a trust profile.
-performed at various times throughout the year to encourage employee readiness. After
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-each exercise session has been completed, the results should be recorded (date, time, what
+Determine if: <br />
+[a] System components that are known, authenticated, in a properly configured state, or in
-and who the training tested, and the percent of successful and unsuccessful responses). The
+a trust profile are identified;
-purpose of training is to help employees in all roles act appropriately for any given training
+[b] Automated or manual/procedural mechanisms to prohibit system components from
-situation, which should reflect real-life scenarios.  Collected results will help identify
+connecting to organizational systems are identified; and
-shortcomings in the cyber training and/or whether additional instructional training may be
+[c] Automated or manual/procedural mechanisms are employed to prohibit system
-needed. <br />
+components from connecting to organizational systems unless the components are
-General exercises can be included for all users, but exercises tailored for specific roles are
-important, too. Training tailored for specific roles helps make sure individuals are ready for
+known, authenticated, in a properly configured state, or in a trust profile.
-actions and events specific to their positions in a company. Privileged users receive training
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-that emphasizes what permissions their privileged account has in a given environment and
+'''Examine <br />
+'''[SELECT FROM: Configuration management policy; identification and authentication policy;
-what extra care is required when using their privileged account.
+system and information integrity policy; procedures addressing system component
-'''Example <br />
+inventory; procedures addressing device identification and authentication; procedures
-'''You are the cyber training coordinator for a medium-sized business. You and a coworker
+addressing device configuration management; procedures addressing system monitoring
+tools and techniques; configuration management plan; security plan; system design
+documentation; system configuration settings and associated documentation; system
-have developed a  specialized awareness training to increase  cybersecurity awareness
+inventory records; configuration management records; system monitoring records;
-around your organization. Your training includes social media campaigns, social engineering
+alerts/notifications of unauthorized components within the system; change control records;
-phone calls, and phishing emails with  disguised  links to staff to train them beyond the
+system audit records; system monitoring tools and techniques documentation; documented
-standard cybersecurity training [a,b]. <br />
+authorization/approval of network services; notifications or alerts of unauthorized network
-To send simulated  phishing emails to staff, you subscribe to  a  third-party  service  that
+services; system monitoring logs or records; other relevant documents or records].
-specializes in this area [a]. The service sets up fictitious websites with disguised links to help
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for managing the mechanisms
-train general staff against this TTP used by APTs [d]. The third-party company tracks the
+implementing unauthorized system component detection; organizational personnel
-individuals who were sent phishing emails and whether they click on any of the of the links
+responsible for device identification and authentication; organizational personnel
-within the emails. After the training action is completed, you receive a report from the third-
+responsible for information security; organizational personnel responsible for installing,
-party company. The results show that 20% of the staff clicked on one or more phishing email
+configuring, and/or maintaining the system; system/network administrators;
-links, demonstrating a significant risk to your company. As the cyber training coordinator,
+organizational personnel responsible for monitoring the system; system developers].
@@ Line 1,813: / Line 1,900: @@
-AT.L3-3.2.2e – Practical Training Exercises
+IA.L3-3.5.3e – Block Untrusted Assets
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-you notify the individuals, informing them they failed the training and identifying the area(s)
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing the detection of unauthorized system
-of concern  [e].  You send an email to the  supervisors informing them who in their
+components; mechanisms supporting and/or implementing a device identification and
-organization  has received training. You also send an email out to the entire company
+authentication capability; mechanisms for providing alerts; mechanisms supporting and/or
-explaining the training that just took place and the overall results [e].
+implementing configuration management; cryptographic mechanisms supporting device
-'''Potential Assessment Considerations <br />
+attestation; mechanisms supporting and/or implementing a system monitoring capability;
-'''•
-  Are the individuals being trained and the results recorded [e]?
+mechanisms for auditing network services].
-•
+'''DISCUSSION [NIST SP 800-172] '''
-  Are the training exercises performed [c]?
+Identification and authentication of system components and component configurations can
-•
+be determined, for example, via a cryptographic hash of the component. This is also known
-  Are the exercises set up for all users? Are there tailored exercises based on roles within
+as device attestation and known operating state or trust profile. A trust profile based on
-the organization (general users, users with specialized roles, and privileged users) [d]?
+factors such as the user, authentication method, device type, and physical location is used to
-•
+make dynamic decisions on authorizations to data of varying types. If device attestation is
-  Does the organization have documentation recording the training exercises, who
+the means of identification and authentication, then it is important that patches and updates
-participated, and feedback provided to those who participated in a training session [c,e]?
+to the device are handled via a configuration management process such that the patches and
-'''KEY REFERENCES '''
+updates are done securely and do not disrupt the identification and authentication of other
-•
+devices. <br />
+[NIST IR 8011-1] provides guidance on using automation support to assess system
-  NIST SP 800-172 3.2.2e
+configurations.
+'''FURTHER DISCUSSION '''
+This requirement can be achieved in several ways, such as blocking based on posture
+assessments, conditional access, or trust profiles. A posture assessment can be used to assess
+a given system’s posture to validate that it meets the standards set by the organization before
+allowing it to connect. Conditional access is the set of policies and configurations that control
+devices receiving access to services and data sources. Conditional access helps an organization
+build rules that manage security controls, perform blocking, and restrict components. A trust
+profile is a set of factors that are checked to inform a device that a system can be trusted.
-CM.L3-3.4.1e – Authoritative Repository
+'''Example 1 <br />
+'''In a Windows environment, you authorize devices to connect to systems by defining
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+configuration rules in one or more Group Policy Objects (GPO) that can be automatically
+applied to all relevant devices in a domain [a]. This provides you with a mechanism to apply
-''' '''
+rules for which devices are authorized to connect to any given system and prevent devices
-Configuration Management (CM) <br />
+that are not within the defined list from connecting [b,c]. For instance, universal serial bus
-'''CM.L3-3.4.1E – AUTHORITATIVE REPOSITORY '''
-Establish and maintain an authoritative source and repository to provide a trusted source
+(USB) device rules for authorization can be defined by using a USB device’s serial number,
-and accountability for approved and implemented system components.
+model number, and manufacturer information. This information can be used to build a trust
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+profile for a device and authorize it for use by a given system. You use security policies to
-Determine if: <br />
+prevent unauthorized components from connecting to systems [c].
-[a] Approved system components are identified; <br />
-[b] Implemented system components are identified; <br />
-[c] An authoritative source and repository are established to provide a trusted source and
-accountability for approved and implemented system components; and
-[d] An authoritative source and repository are maintained to provide a trusted source and
-accountability for approved and implemented system components.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; procedures addressing the baseline
-configuration of the system; configuration management plan; enterprise architecture
-documentation; system design documentation; system architecture and configuration
-documentation; system configuration settings and associated documentation; change
-control records; system and system component inventory records; inventory reviews and
+IA.L3-3.5.3e – Block Untrusted Assets
-update records; security plan; system audit records; change control audit and review
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-reports; other relevant documents or records].
-'''Interview <br />
+''' '''
-'''[SELECT FROM: Organizational personnel responsible for configuration management;
-organizational personnel responsible for system component inventory; organizational
+'''Example 2 <br />
+'''You have been assigned to build trust profiles for all devices allowed to connect to your
-personnel responsible for configuration change control; organizational personnel
+organization’s systems. You want to test the capability starting with printers. You talk to your
-responsible for information security; system/network administrators; members of a change
+purchasing department, and they tell you that policy states every printer must be from a
-control board or similar].
+specific manufacturer; they only purchase four different models. They also collect all serial
-'''Test <br />
+numbers from purchased printers. You gather this information and build trust profiles for
-'''[SELECT FROM: Mechanisms that implement configuration change control; mechanisms
-supporting configuration control of the baseline configuration; mechanisms supporting
+each device [a,b]. Because your organization shares printers, you push the trust profiles out
-and/or implementing the system component inventory].
+to organizational systems. Now, the systems are not allowed to connect to a network printer
+unless they are within the trust profiles you have provided [b,c].
+'''Example 3 <br />
+'''Your organization has implemented a network access control solution (NAC) to help ensure
+that only properly configured computers are allowed to connect to the corporate network
+[a,b]. The solution first checks for the presence of a certificate to indicate that the device is
+company-owned. It next reviews the patch state of the computer and forces the installation
+of any patches that are required by the organization. Finally, it reviews the computer’s
+configuration to ensure that the firewall is active and that the appropriate security policies
+have been applied. Once the computer has passed all of these requirements, it is allowed
-CM.L3-3.4.1e – Authoritative Repository
+access to network resources and defined as a trusted asset for the length of its session [a].
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+Devices that do not meet all of the requirements are automatically blocked from connecting
+to the network [c].
-''' '''
+'''Potential Assessment Considerations <br />
+'''•
-'''DISCUSSION [NIST SP 800-172] '''
+ If the organization is using a manual method, is the method outlined in detail so any user
-The establishment and maintenance of an authoritative source and repository includes a
+will be able to follow it without making an error [b,c]?
-system component inventory of approved hardware, software, and firmware; approved
+•
-system baseline configurations and configuration changes; and verified system software and
+ If the organization is using an automated method, can the organization explain how the
-firmware, as well as images and/or scripts. The authoritative source implements integrity
+technology performs the task? Can they explain the steps needed to implement [a,b,c]?
-controls to log changes or attempts to change software, configurations, or data in the
+•
-repository. Additionally, changes to the repository are subject to change management
+ Can the organization provide evidence showing they have trust profiles for specific
-procedures and require authentication of the user requesting the change. In certain
+devices [a,b,c]?
-situations, organizations may also require dual authorization for such changes. Software
+•
-changes are routinely checked for integrity and authenticity to ensure that the changes are
+ Can the organization explain how their system components authenticate to a system if
-legitimate when updating the repository and when refreshing a system from the known,
+they are not using trust profiles [b,c]?
-trusted source. The information in the repository is used to demonstrate adherence to or
+'''KEY REFERENCES '''
-identify deviation from the established configuration baselines and to restore system
+•
-components from a trusted source. From an automated assessment perspective, the system
+ NIST SP 800-172 3.5.3e
-description provided by the authoritative source is referred to as the desired state. The
-desired state is compared to the actual state to check for compliance or deviations. [NIST SP
--128] provides guidance on security configuration management, including security
-configuration settings and configuration change control. <br />
-[NIST IR 8011-1] provides guidance on automation support to assess system and system
-component configurations.
-'''FURTHER DISCUSSION '''
-Trusted software, whether securely developed in house or obtained from a trusted source,
-should have baseline data integrity established when first created or obtained, such as by
-using hash algorithms to obtain a hash value that would be used to validate the source prior
+IR.L3-3.6.1e – Security Operations Center
-to use of the software in a given system. Hardware in the repository should be stored in boxes
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-or containers with tamper-evident seals. Hashes and seals should be checked on a regular
-basis employing the principle of separation of duties.
+''' '''
-'''Example <br />
+Incident Response (IR) <br />
-'''You are the primary system build technician at a medium-sized company. You have been put
+'''IR.L3-3.6.1E – SECURITY OPERATIONS CENTER '''
-in charge of creating, documenting, and implementing a baseline configuration for all user
+Establish and maintain a security operations center capability that operates 24/7, with
-systems [c]. You have identified a minimum set of software that is needed by all employees
+allowance for remote/on-call staff.
-to complete their work (e.g., office automation software). You acquire trusted versions of the
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-software and build one or more baselines of all system software, firmware, and applications
+Determine if: <br />
+[a] A security operations center capability is established; <br />
+[b] The security operations center capability operates 24/7, with allowance for remote/on-
-required by the organization. The gold version of each baseline is stored in a secure
+call staff; and
-configuration management system repository and updated as required to maintain integrity
+[c] The security operations center capability is maintained.
-and security. Access to the build repository for updates and use is carefully controlled using
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-access control mechanisms that limit access to you and your staff. All interactions with the
+'''Examine <br />
+'''[SELECT FROM: Incident response policy; contingency planning policy; procedures
-repository are logged. Using an automated build tool, your team builds each organizational
+addressing incident handling; procedures addressing the security operations center
-system using the standard baseline
+operations; mechanisms supporting dynamic response capabilities; incident response plan;
+contingency plan; security plan; other relevant documents or records].
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for incident handling; organizational
+personnel responsible for contingency planning; security operations center personnel;
+organizational personnel responsible for information security].
+'''Test <br />
+'''[SELECT FROM: Mechanisms that support and/or implement the security operations center
+capability; mechanisms that support and/or implement the incident handling process].
+'''DISCUSSION [NIST SP 800-172] '''
+A security operations center (SOC) is the focal point for security operations and computer
-CM.L3-3.4.1e – Authoritative Repository
+network defense for an organization. The purpose of the SOC is to defend and monitor an
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC
+is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a
-''' '''
+timely manner. The SOC is staffed with skilled technical and operational personnel (e.g.,
-'''Potential Assessment Considerations <br />
-'''•
-  Does an  authoritative  source  and repository exist  to provide a trusted source and
+security analysts, incident response personnel, systems security engineers); in some
-accountability for approved and implemented system components [c,d]?
+instances operates 24 hours per day, seven days per week; and implements technical,
-'''KEY REFERENCES '''
+management, and operational controls (e.g., monitoring, scanning, and forensics tools) to
-•
-  NIST SP 800-172 3.4.1e
-''' '''
@@ Line 2,064: / Line 2,149: @@
-CM.L3-3.4.2e – Automated Detection &amp; Remediation
+IR.L3-3.6.1e – Security Operations Center
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''CM.L3-3.4.2E – AUTOMATED DETECTION &amp; REMEDIATION '''
+monitor, fuse, correlate, analyze, and respond to security-relevant event data from multiple
-Employ automated mechanisms to detect misconfigured or unauthorized system
+sources. Sources of event data include perimeter defenses, network devices (e.g., gateways,
-components; after detection, remove the components or place the components in a
+routers, and switches), and endpoint agent data feeds. The SOC provides a holistic situational
-quarantine or remediation network  to facilitate patching, re-configuration, or other
+awareness capability to help organizations determine the security posture of the system and
-mitigations.
+organization. An SOC capability can be obtained in many ways. Larger organizations may
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+implement a dedicated SOC while smaller organizations may employ third-party
-Determine if: <br />
+organizations to provide such a capability. <br />
-[a] Automated mechanisms to detect misconfigured or unauthorized system components
+[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP
-are identified;
+-101] provide guidance on integrating forensic techniques into incident response. [NIST
-[b] Automated mechanisms are employed to detect misconfigured or unauthorized system
+SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184]
-components;
+provides guidance on cybersecurity event recovery.
-[c] Misconfigured or unauthorized system components are detected; and <br />
+'''FURTHER DISCUSSION '''
-[d] After detection, system components are removed  or placed  in a quarantine or
-remediation network to facilitate patching, re-configuration, or other mitigations.
+Security operations centers are created to monitor and respond to suspicious activities
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+across an organization’s IT applications and infrastructure. A SOC may be implemented in a
-'''Examine <br />
+variety of physical, virtual, and geographic constructs. The organization may also opt to not
-'''[SELECT FROM: Configuration management policy; procedures addressing the baseline
-configuration of the system; configuration management plan; authoritative source or
+hire their own staff but to engage a third-party external service provider to serve as their
-repository; enterprise architecture documentation; system design documentation; system
+SOC. <br />
+The SOC is typically comprised of multiple levels of cybersecurity analysts. Each tier of
-architecture and configuration documentation; system procedures addressing system
+cybersecurity analysts works on increasingly complex aspects of Incident Response. The SOC
-configuration change control; configuration settings and associated documentation; change
+may also have dedicated cybersecurity engineers to support configuration and management
-control records; change control audit and review reports; agenda/minutes from
+of defensive cyber tools. The SOC may work with staff in IT operations who provide support
-configuration change control oversight meetings; alerts/notifications of unauthorized
+to the SOC. <br />
+SOC capabilities run 24/7, and while staff may not always be performing tasks for the SOC,
-baseline configuration changes; security plan; system audit records; other relevant
+the capability alerts staff members and directs them to go to a facility or perform SOC actions
-documents or records].
+from a remote location. Staff members should be scheduled or on call to ensure they are
-'''Interview <br />
+available when needed.
-'''[SELECT FROM: Organizational personnel responsible for configuration management;
-organizational personnel responsible for information security; organizational personnel
+'''Example <br />
+'''You are the Chief Information Security Officer (CISO) of a medium-sized organization. To
-responsible for configuration change control; system developers; system/network
+meet the goal of 24/7 SOC operation, you have decided to adjust the current SOC, which
-administrators; members of a change control board or similar roles].
+operates five days a week for 12 hours a day, by minimizing active staff members and hiring
-'''Test <br />
+trusted expert consultants to have on call at all times (i.e., seven days a week, 24 hours a day)
-'''[SELECT FROM: Automated mechanisms supporting configuration control of the baseline
-configuration; automated mechanisms that implement security responses to changes to the
+[a,b]. You design your SOC to be remotely accessible so your experts can access your
-baseline configurations; automated mechanisms that implement configuration change
+environment when needed. You also decide to set up a very strong automated capability that
-control; automated mechanisms that detect misconfigured or unauthorized system
+is good at identifying questionable activities and alerting the appropriate staff. You create a
+policy stating that after an alert goes out, two members of the SOC team must remotely
+connect to the environment within 15 minutes to address the problem. All staff members
+also have regular working hours during which they perform other SOC activities, such as
-components].
+updating information to help the automated tool perform its functions [c].
@@ Line 2,148: / Line 2,238: @@
-CM.L3-3.4.2e – Automated Detection &amp; Remediation
+IR.L3-3.6.1e – Security Operations Center
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''DISCUSSION [NIST SP 800-172] '''
+'''Potential Assessment Considerations <br />
+'''•
-System components used to process, store, transmit, or protect CUI are monitored and
+ How does the organization enable 24/7 SOC capabilities? Does the organization have
-checked against the authoritative source (i.e., hardware and software inventory and
+people in seats 24/7 or on-call members? If on-call members are used, what are the
-associated baseline configurations). From an automated assessment perspective, the system
+trigger and alerting mechanisms that allow for 24/7 coverage [a,b]?
-description provided by the authoritative source is referred to as the desired state. Using
+•
-automated tools, the desired state is compared to the actual state to check for compliance or
+ Does the organization have sufficient trained full-time equivalent staff to enable 24/7
-deviations. Security responses to system components that are unknown or that deviate from
+SOC services [a,b]?
-approved configurations can include removing the components; halting system functions or
+'''KEY REFERENCES '''
-processing; placing the system components in a quarantine or remediation network that
+•
-facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or
+ NIST SP 800-172 3.6.1e
-notifications to personnel when there is an unauthorized modification of an organization-
-defined configuration item. Responses can be automated, manual, or procedural.
-Components that are removed from the system are rebuilt from the trusted configuration
-baseline established by the authoritative source. <br />
-[NIST  IR 8011-1] provides guidance on using automation support to assess system
-configurations
-'''FURTHER DISCUSSION '''
-For this requirement, the organization is required to implement automated tools to help
-identify misconfigured components. Once under an attacker’s control, the system may be
-modified in some manner and the automated tool should detect this. Or, if a user performs a
-manual configuration adjustment, the system will be viewed as misconfigured, and that
-change should be detected. Another common example is if a component has been offline and
+IR.L3-3.6.2e – Cyber Incident Response Team
-not updated, the tool should detect the incorrect configuration. If any of these scenarios
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-occurs, the automated configuration management system (ACMS) will notice a change and
-can take the system offline, quarantine the system, or send an alert so the component(s) can
+''' '''
-be manually removed. Quarantining a misconfigured component does not require it to be
+'''IR.L3-3.6.2E – CYBER INCIDENT RESPONSE TEAM '''
-removed from the network. Quarantining only requires that a temporary limitation be put
+Establish and maintain a cyber incident response team that can be deployed by the
-in place eliminating the component’s  ability to process, store, or transmit CUI until it is
+organization within 24 hours.
-properly configured. If a component has the potential of disrupting business operations then
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-the OSC should take extra care to ensure configuration updates are properly tested and that
+Determine if: <br />
+[a] A cyber incident response team is established; <br />
+[b] The cyber incident response team can be deployed by the organization within 24 hours;
-components are properly configured and tested before being added to the network. Once
+and
-one of these actions is accomplished, a system technician may need to manually inspect the
+[c] The cyber incident response team is maintained.
-system or rebuild it using the baseline configuration. Another option is for an ACMS to make
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-adjustments while the system is running rather than performing an entire rebuild. These
+'''Examine <br />
+'''[SELECT FROM: Incident response policy; procedures addressing incident response;
-adjustments can include replacing configuration files, executable files, scripts, or library files
+incident response plan; security plan; other relevant documents or records].
-on the fly.
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for incident response; organizational
-'''Example 1 <br />
+personnel from the incident response team; organizational personnel responsible for
-'''As the system administrator,  you implement company policy stating that every system
-connecting to the company network via VPN will be checked for specific configuration
+information security].
-settings and software versioning before it is allowed to connect to the network, after it passes
+'''Test <br />
+'''[SELECT FROM: Mechanisms supporting and/or implementing incident response].
-authentication  [a,b].  If any deviations from the authoritative baseline  are  identified, the
+'''DISCUSSION [NIST SP 800-172] '''
+A cyber incident response team (CIRT) is a team of experts that assesses, documents, and
+responds to cyber incidents so that organizational systems can recover quickly and
+implement the necessary controls to avoid future incidents. CIRT personnel include, for
+example, forensic analysts, malicious code analysts, systems security engineers, and real-
+time operations personnel. The incident handling capability includes performing rapid
+forensic preservation of evidence and analysis of and response to intrusions. The team
+members may or may not be full-time but need to be available to respond in the time period
+required. The size and specialties of the team are based on known and anticipated threats.
-CM.L3-3.4.2e – Automated Detection &amp; Remediation
+The team is typically pre-equipped with the software and hardware (e.g., forensic tools)
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+necessary for rapid identification, quarantine, mitigation, and recovery and is familiar with
+how to preserve evidence and maintain chain of custody for law enforcement or
-''' '''
+counterintelligence uses. For some organizations, the CIRT can be implemented as a cross
-system is placed in a VPN quarantine zone (remediation network) using a virtual local area
+organizational entity or as part of the Security Operations Center (SOC).
-network (VLAN) [b,c,d]. This VLAN is set up for system analysis, configuration changes, and
-rebuilding after forensic information is pulled from the system. Once the system updates are
-complete, the system will be removed from the quarantine zone and placed on the network
-through the VPN connection.
-'''Example 2 <br />
-'''As the system administrator, you have chosen to use a network access control (NAC) solution
-to validate system configurations before they are allowed to connect to the corporate
-network [a]. When a system plugs into or connects to a local network port or the VPN, the
-NAC solution checks the hash of installed system software [b,c]. If the system does not pass
-the configuration check, it is put in quarantine until an administrator can examine it or the
+IR.L3-3.6.2e – Cyber Incident Response Team
-ACMS updates the system to pass the system checks [d].
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-'''Potential Assessment Considerations <br />
-'''•
-  Can the organization explain  the automated process  that  identifies, quarantines, and
+''' '''
-remediates a system when a misconfiguration or unauthorized system component is
+[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP
-identified [a,b,c,d]?
+-101] provide guidance on integrating forensic techniques into incident response. [NIST
-•
+SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184]
-  Does the organization have a patching and rebuild process for all assets that may be taken
+provides guidance on cybersecurity event recovery.
-offline [d]?
+'''FURTHER DISCUSSION '''
-'''KEY REFERENCES '''
+The CIRT’s primary function is to handle information security incident management and
-•
+response for the environments the SOC oversees. The primary goals of the CIRT are triage
-  NIST SP 800-172 3.4.2e
+and initial response to an incident. They also communicate with all the proper people to
+ensure understanding of an incident and the response actions, including collection of
-''' '''
+forensic evidence, have been conveyed. <br />
+If and when an incident is detected by the organization’s SOC, the IR team is responsible for
+handling the incident and communicating what has happened to the appropriate people
+within the organization, as well to the authorities (as needed). <br />
+The deployment of a team does not necessarily mean they are “physically deployed.”
+Deployment may simply mean connecting to a remote system in a manner that is equivalent
+to being on the system’s keyboard. Remote access can provide just as much capability as local
+access in many cases. <br />
+Some situations require physical access. For instance, if the company has a physically
+isolated environment located at a remote location, a team must be physically present at the
+remote facility to perform the duties required.
+'''Example <br />
+'''You are the lead for an IR team within your organization. Your manager is the SOC lead, and
-CM.L3-3.4.3e – Automated Inventory
+she reports to the chief information officer (CIO). As the SOC is alerted and/or identifies
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+incidents within the organization’s environments, you lead and deploy teams to resolve the
+issues, including incidents involving cloud-based systems. You use a custom dashboard that
-''' '''
+was created for your team members to view and manage incidents, perform response
-'''CM.L3-3.4.3E – AUTOMATED INVENTORY '''
+actions, and record actions and notes for each case. You also have your team create an after
+action report for all incidents to which they respond; this information is used to determine
+if a given incident requires additional action and reporting [a]. <br />
+One day, you receive a message from the SOC that your website has become corrupted.
-Employ automated discovery and management tools to maintain an up-to-date, complete,
+Within minutes, you have a team on the system inspecting logs, analyzing applications,
-accurate, and readily available inventory of system components.
+preserving key information, and looking for evidence of tampering/attack [b]. Your team
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+runs through a procedure set for this specific incident type based on a handbook the
-Determine if: <br />
+organization has created and maintains [c]. It is found that a cyberattack caused the
-[a] Automated discovery and management tools for the inventory of system components are
-identified;
+corruption, but the corruption caused a crash, which prevented the attack from continuing.
-[b] An up-to-date, complete, accurate, and readily available inventory of system components
+Your team takes note of all actions they perform, and at the end of the incident analysis, you
-exists; and
+send a message to the website lead to inform them of the issue, case number, and notes
-[c] Automated discovery and management tools are employed to maintain an up-to-date,
+created by the team. The website lead has their team rebuild the system and validate that
-complete, accurate, and readily available inventory of system components.
+the attack no longer works. At the end of the incident, the CISO and CIO are informed of the
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+issue.
-'''Examine <br />
-'''[SELECT FROM: Configuration management policy; configuration management plan;
-procedures addressing system component inventory; procedures addressing the baseline
-configuration of the system; configuration management plan; system design documentation;
-system architecture and configuration documentation; security plan; system configuration
-settings and associated documentation; configuration change control records; system
-inventory records; change control records; system maintenance records; system audit
-records; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Organizational personnel responsible for information security;
-organizational personnel responsible for configuration management; organizational
+IR.L3-3.6.2e – Cyber Incident Response Team
-personnel responsible for managing the automated mechanisms implementing the system
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-component inventory; system developers; system/network administrators].
-'''Test <br />
+''' '''
-'''[SELECT FROM: Automated mechanisms implementing baseline configuration maintenance;
-automated mechanisms implementing the system component inventory].
+'''Potential Assessment Considerations <br />
+'''•
-'''DISCUSSION [NIST SP 800-172] '''
+ Does the organization have a response capability that has remote access to the
-The system component inventory includes system-specific information required for
+organization’s systems and system components within 24 hours in place of physical
-component accountability and to provide support to identify, control, monitor, and verify
+access [a,b]?
-configuration items in accordance with the authoritative source. The information necessary
+'''KEY REFERENCES '''
-for effective accountability of system components includes the system name, hardware and
+•
-software component owners, hardware inventory specifications, software license
+ NIST SP 800-172 3.6.2e
@@ Line 2,391: / Line 2,482: @@
-CM.L3-3.4.3e – Automated Inventory
+PS.L3-3.9.2e – Adverse Information
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-information, software version numbers, and—  for networked components—the machine
+Personnel Security (PS) <br />
+'''PS.L3-3.9.2E – ADVERSE INFORMATION '''
-names and network addresses. Inventory specifications include the manufacturer, supplier
+Ensure that organizational systems are protected if adverse information develops or is
-information, component type, date of receipt, cost, model, serial number, and physical
+obtained about individuals with access to CUI.
-location. Organizations also use automated mechanisms to implement and maintain
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for
+Determine if: <br />
+[a] Individuals with access to CUI are identified; <br />
+[b] Adverse information about individuals with access to CUI is defined; <br />
+[c] Organizational systems to which individuals have access are identified; and <br />
+[d] Mechanisms are in place to protect organizational systems if adverse information
-systems that include hardware and software inventory tools, configuration management
+develops or is obtained about individuals with access to CUI.
-tools, and network management tools. Tools can be used to track version numbers on
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-operating systems, applications, types of software installed, and current patch levels.
+'''Examine <br />
+'''[SELECT FROM: Personnel security policy; system and services acquisition policy;
-'''FURTHER DISCUSSION '''
+procedures addressing personnel screening; records of screened personnel; enterprise
-Organizations  use  an  automated  capability to discover components connected to the
+architecture documentation; system design documentation; system architecture and
-network  and  system software  installed.  The  automated capability  must also be able to
+configuration documentation; security plan; list of individuals who have been identified as
-identify attributes associated with those components. For systems that have already been
+posing an increased level of risk; list of appropriate access authorizations required for
-coupled to the environment, they should allow remote access for inspection of the system
+system personnel; personnel screening criteria and associated documentation; other
-software configuration and components. Another option is to place an agent on systems that
+relevant documents or records].
-performs internal system checks to identify system software configuration and components.
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for personnel security; organizational
-Collection of switch and router data can also be used to identify systems on networks.
+personnel responsible for information security; organizational personnel responsible for
-'''Example <br />
+system and services acquisition; organizational personnel responsible for personnel
-'''Within your organization, you are in charge of implementing an authoritative inventory of
-system components. You first create a list of the automated technologies you will use and
+screening].
-what each technology will be responsible for identifying  [a].  This includes  gathering
+'''Test <br />
+'''[SELECT FROM: Organizational processes for personnel screening; mechanisms supporting
-information from switches, routers, access points, primary domain controllers, and all
+personnel screening].
-connected systems or devices, whether wired or wireless (printers, IoT, IIoT, OT, IT, etc.) [b].
-To keep the data up-to-date,  you set a very short search  frequency for identifying new
-components. To maximize availability of this data, all information will be placed in a central
-inventory/configuration management system, and automated reporting is performed every
-day [c]. A user dashboard is set up that allows you and other administrators to run reports
-at any time.
-'''Potential Assessment Considerations <br />
-'''•
-  Can the organization explain the process by which current  inventory  information is
-acquired [a]?
+PS.L3-3.9.2e – Adverse Information
-•
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-  Is the organization able to produce an inventory of components on the network [b,c]?
-•
+''' '''
-  Has the organization implemented  a valid  frequency  for  the component discovery
+'''DISCUSSION [NIST SP 800-172] '''
-solution [b,c]?
+If adverse information develops or is obtained about an individual with access to CUI which
-•
+calls into question whether the individual should have continued access to systems
-  Can the organization demonstrate that the inventory is current and accurate [b]?
+containing CUI, actions are taken (e.g., preclude or limit further access by the individual,
-•
+audit actions taken by the individual) to protect the CUI while the adverse information is
-  Has the organization developed a defined list of identifiable attributes for each
+resolved.
-component type, and is that list adequate to support component accountability [a]?
+'''FURTHER DISCUSSION '''
-•
+According to Defense Counterintelligence and Security Agency, or DCSA (Industrial Security
-  Is the organization able to track, monitor, and verify configuration items in accordance
+Letter ISL 2011-04, revised July 15, 2020), adverse information consists of any information
-with the organization’s authoritative list of components [b,c]?
+that negatively reflects the integrity or character of an individual. This pertains to an
+individual’s ability to safeguard sensitive information, such as CUI. Adverse information may
+simply be a report showing someone has sent sensitive information outside the organization
+or used unapproved software, against company policy. An organization may receive adverse
+information about an individual through police reports, reported violations of company
+policies (including social media posts that directly violate company policies), and revocation
+or suspension of DoD clearance. <br />
+When adverse information is identified about a given individual, the organization should
+take action to validate that information resources accessible by the individual have been
+identified and appropriate protection mechanisms are in place to safeguard information and
-CM.L3-3.4.3e – Automated Inventory
+system configurations. Based on organizational policy, an individual’s access to resources
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+may be more closely monitored or restricted until further review. Logs should be examined
+to identify any attempt to perform unauthorized actions.
-''' '''
+'''Example <br />
+'''You learn that one of your employees has been convicted on shoplifting charges. Based on
-'''KEY REFERENCES '''
+organizational policy, you report this information to human resources (HR), which verifies
-•
+the information with a criminal background check [a,b,c]. Per policy, you increase the
-  NIST SP 800-172 3.4.3e
+monitoring of the employee’s access to ensure that the employee does not exhibit patterns
-''' '''
+of behavior consistent with an insider threat [d]. You maintain contact with HR as they
+investigate the adverse information so that you can take stronger actions if required, such as
+removing access to organizational systems.
+'''Potential Assessment Considerations <br />
+'''•
+ Does the organization define the protection mechanisms for organizational systems if
+adverse information develops or is obtained about an individual with access to CUI [d]?
+'''KEY REFERENCES '''
+•
+ NIST SP 800-172 3.9.2e
@@ Line 2,519: / Line 2,635: @@
-IA.L3-3.5.1e – Bidirectional Authentication
+RA.L3-3.11.1e – Threat-Informed Risk Assessment
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-Identification and Authentication (IA) <br />
+Risk Assessment (RA) <br />
-'''IA.L3-3.5.1E – BIDIRECTIONAL AUTHENTICATION '''
+'''RA.L3-3.11.1E – THREAT-INFORMED RISK ASSESSMENT '''
+Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-
-Identify and authenticate systems and system components, where possible,  before
+provided sources, as part of a risk assessment to guide and inform the development of
-establishing a network connection using bidirectional authentication that is
+organizational systems, security architectures, selection of security solutions, monitoring,
-cryptographically based and replay resistant.
+threat hunting, and response and recovery activities.
 '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
 Determine if: <br />
-[ODP1] Systems and system components to identify and authenticate are defined; <br />
+[ODP1] Sources of threat intelligence are defined;'' <br />
-[a] Bidirectional authentication that is cryptographically-based is implemented; <br />
+''[a] A risk assessment methodology is identified; <br />
-[b] Bidirectional authentication that is replay-resistant is implemented; and <br />
+[b] Threat intelligence, at a minimum from open or commercial sources, and any
-[c] Systems and system components, where possible, are identified and authenticated before
-establishing a network connection using bidirectional authentication that is
+DoD-provided sources, are employed as part of a risk assessment to guide and inform the
-cryptographically-based and replay-resistant.
+development of organizational systems and security architectures;
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+[c] Threat intelligence, at a minimum from open or commercial sources, and any
-'''Examine <br />
+DoD-provided sources, are employed as part of a risk assessment to guide and inform the
-'''[SELECT FROM: Identification and authentication policy; procedures addressing device
-identification and authentication; network connection policy; security plan; system
+selection of security solutions;
-configuration settings and associated documentation; system design documentation; list of
+[d] Threat intelligence, at a minimum from open or commercial sources, and any
-devices requiring unique identification and authentication; device connection reports;
+DoD-provided sources, are employed as part of a risk assessment to guide and inform
-system audit records; list of privileged system accounts; other relevant documents or
+system monitoring activities;
-records].
+[e] Threat intelligence, at a minimum from open or commercial sources, and any
-'''Interview <br />
+DoD-provided sources, are employed as part of a risk assessment to guide and inform
-'''[SELECT FROM: Organizational personnel responsible for system operations; organizational
-personnel responsible for account management; organizational personnel responsible for
+threat hunting activities; and
+[f] Threat intelligence, at a minimum from open or commercial sources, and any
+DoD-provided sources, are employed as part of a risk assessment to guide and inform
+response and recovery activities.
-device identification and authentication; organizational personnel responsible for
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-information security; system/network administrators; system developers].
+'''Examine <br />
+'''[SELECT FROM: Information security program plan; risk assessment policy; threat
-'''Test <br />
+awareness program documentation; procedures for the threat awareness program; security
-'''[SELECT FROM: Cryptographically-based bidirectional authentication mechanisms;
-mechanisms supporting and/or implementing network connection policy; mechanisms
+planning policy and procedures; procedures addressing organizational assessments of risk;
-supporting and/or implementing replay-resistant authentication mechanisms; mechanisms
+threat hunting program documentation; procedures for the threat hunting program; risk
-supporting and/or implementing an identification and authentication capability;
+assessment results relevant to threat awareness; threat hunting results; list or other
-mechanisms supporting and/or implementing a device identification and authentication
+documentation on the cross-organization, information-sharing capability; security plan; risk
-capability].
+assessment; risk assessment results; risk assessment reviews; risk assessment updates;
@@ Line 2,594: / Line 2,715: @@
-IA.L3-3.5.1e – Bidirectional Authentication
+RA.L3-3.11.1e – Threat-Informed Risk Assessment
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''DISCUSSION [NIST SP 800-172] '''
+contingency planning policy; contingency plan; incident response policy; incident response
-Cryptographically-based and replay-resistant authentication between systems, components,
+plan; other relevant documents or records].
-and devices addresses the risk of unauthorized access from spoofing (i.e., claiming a false
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for information security program
-identity). The requirement applies to client-server authentication, server-server
+planning and plan implementation; organizational personnel responsible for the threat
-authentication, and device authentication (including mobile devices). The cryptographic key
+awareness and threat hunting programs; organizational personnel responsible for risk
-for authentication transactions is stored in suitably secure storage available to the
+assessments; organizational personnel responsible for the cross-organization, information-
-authenticator application (e.g., keychain storage, Trusted Platform Module [TPM], Trusted
+sharing capability; organizational personnel responsible for information security;
-Execution Environment [TEE], or secure element). Mandating authentication requirements
+organizational personnel responsible for contingency planning; organizational personnel
-at every connection point may not be practical, and therefore, such requirements may only
+responsible for incident response; personnel with whom threat awareness information is
-be applied periodically or at the initial point of network connection. <br />
+shared by the organization].
-[NIST SP 800-63-3] provides guidance on identity and authenticator management.
-'''FURTHER DISCUSSION '''
+'''Test <br />
+'''[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness
-The intent of this practice is to prevent unauthorized devices from connecting to one
+program; mechanisms supporting and/or implementing the cross-organization,
-another. One example satisfying this requirement is a web server configured with transport
+information-sharing capability; mechanisms supporting and/or implementing the threat
-layer security (TLS) using mutual authentication. At a lower level in the OSI stack, IPsec
+hunting program; mechanisms for conducting, documenting, reviewing, disseminating, and
-provides application-transparent mutual authentication. Another example would be
+updating risk assessments; mechanisms supporting and/or implementing contingency
-implementing 802.1X technology to enforce port-based NAC. This is done by enabling 802.1X
+plans; mechanisms supporting and/or implementing incident response plans].
-on switches, wireless access points, and VPN connections for a given network. 802.1X defines
+'''DISCUSSION [NIST SP 800-172] '''
-authentication controls for devices trying to access a given network. NAC controls
+The constant evolution and increased sophistication of adversaries, especially the APT,
-authorization and policy management. For this to be implemented, bidirectional
+makes it more likely that adversaries can successfully compromise or breach organizational
-authentication must be turned on via 802.1X. Once successfully authenticated, the device
+systems. Accordingly, threat intelligence can be integrated into each step of the risk
-may communicate on the network. A final example, at the application-server level, involves
+management process throughout the system development life cycle. This risk management
-the use of Kerberos to control 1) which files a client can access and 2) the transmission of
+process includes defining system security requirements, developing system and security
-sensitive data from the client to the server.
+architectures, selecting security solutions, monitoring (including threat hunting), and
-'''Example 1 <br />
+remediation efforts. <br />
-'''You are the network engineer in charge of implementing this requirement. You have been
+[NIST SP 800-30] provides guidance on risk assessments. [NIST SP 800-39] provides
-instructed to  implement a technology that will provide mutual authentication for client
+guidance on the risk management process. [NIST SP 800-160-1] provides guidance on
-server connections. You implement Kerberos. <br />
-On the server side, client authentication is implemented by having the client establish a local
-security context. This is initially accomplished by having the client present credentials which
+security architectures and systems security engineering. [NIST SP 800-150] provides
-are confirmed by the Active Directory Domain Controller (DC). After that, the client may
+guidance on cyber threat information sharing.
-establish context via a session of a logged-in user. The service does not accept connections
+'''FURTHER DISCUSSION '''
-from any unauthenticated client. <br />
+An organization consumes threat intelligence and improves their security posture based on
-On the client side, server authentication requires registration, using administrator
-privileges, of unique Service Provider Names (SPNs) for each service instance offered. The
+the intelligence relevant to that organization and/or a system(s). The organization can
-names are registered in the Active Directory Domain Controller. When a client requests a
+obtain threat intelligence from open or commercial sources but must also use any
-connection to a service, it composes an SPN for a service instance, using known data or data
+DoD-provided sources. Threat information can be received in high volumes from various
-provided by the user. For authentication, the client presents its SPN to the Key Distribution
+providers and must be processed and analyzed by the organization. It is the responsibility of
-Center (KDC), and the KDC searches for computers with the registered SPN before allowing
+the organization to process the threat information in a manner that is useful and actionable
-a connection via an encrypted message passed to the client for forwarding to the server.
+to their needs. Processing, analyzing, and extracting the intelligence from the threat feeds
@@ Line 2,687: / Line 2,805: @@
-IA.L3-3.5.1e – Bidirectional Authentication
+RA.L3-3.11.1e – Threat-Informed Risk Assessment
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''Example 2 <br />
+and applying it to all organizational security engineering needs is the primary benefit of this
-'''You are the network engineer in charge of implementing this requirement. You have been
-instructed to implement a technology that will provide authentication for each system prior
+requirement. Note that more than one source is required to meet assessment objectives.
+'''Example <br />
+'''Your organization receives a commercial threat intelligence feed from FIRST and
+government threat intelligence feeds from both USCERT and DoD/DC3 to help learn about
+recent threats and any additional information the threat feeds provide [b,c,d,e,f]. Your
+organization uses the threat intelligence for multiple purposes: <br />
+•
+ To perform up-to-date risk assessments for the organization [a];
-to connecting to the environment. You implement the company-approved scheme that uses
+•
-cryptographic keys installed on each system for it to authenticate to the environment, as well
+ To add rules to the automated system put in place to identify threats (indicators of
-as user-based cryptographic keys that are used in combination with a user’s password for
+compromise, or IOCs) on the organization’s network [e];
-user-level authentication [a,c].  Your authentication implementation is finalized on each
+•
-system using an ACM solution. When a system connects to the network, the system uses the
+ To guide the organization in making informed selections of security solutions [c];
-system-level certificate to authenticate itself to the switch before the switch will allow it to
+•
-access the corporate network [a,c]. This is accomplished using 802.1x technology on the
+ To shape the way the organization performs system monitoring activities [d];
-switch and by authenticating with a RADIUS server that authenticates itself with the system
+•
-via cryptographic keys. If either system fails to authenticate to the other, the trust is broken,
+ To manage the escalation process for identified incidents, handling specific events, and
-and the system will not be able to connect to or communicate on the network. You also set
+performing recovery actions [f];
-up a similar implementation in your wireless access point.
+•
-'''Example 3 <br />
+ To provide additional information to the hunt team to identify threat activities [e];
-'''You are the network engineer in charge of implementing the VPN solution used by the
-organization.  To meet this requirement,  you  use  a VPN gateway server and public key
+•
-infrastructure (PKI) certificates via a certification authority (CA) and a chain of trust. When
+ To inform the development and design decisions for organizational systems and the
-a client starts a VPN connection, the server presents its certificate to the client and if the
+overall security architecture, as well as the network architecture [b,c];
-certificate is trusted, the client then presents its certificate to the server [a]. If the server
+•
-validates the client certificate,  an established communications channel is opened for the
+  To assist in decision-making regarding systems that are part of the primary network and
-client to finish the authentication process and gain access to the network via the VPN
+systems that are placed in special enclaves for additional protections [b]; and
-gateway server [c]. If the client fails final authentication, fails the certification validation, or
+•
-the VPN gateway fails the certificate check by the client, the communication channel will be
+ To determine additional security measures based on current threat activities taking place
-denied.
+in similar industry networks [c,d,e,f].
 '''Potential Assessment Considerations <br />
 '''•
-  Are cryptographic keys stored securely [a]?
+ Does the organization detail how threat feed information is to be ingested, analyzed, and
+used [a]?
 •
-  Has the requirement been implemented for any of the three use cases, where applicable:
+ Can the organization’s SOC or hunt teams discuss how they use the threat feed
-client-server authentication, server-server authentication, and device authentication
+information after it is processed [e,f]?
-[b,c]?
 '''KEY REFERENCES '''
@@ Line 2,760: / Line 2,888: @@
 •
-  NIST SP 800-172 3.5.1e
+ NIST SP 800-172 3.11.1e
@@ Line 2,771: / Line 2,903: @@
-IA.L3-3.5.3e – Block Untrusted Assets
+RA.L3-3.11.2e – Threat Hunting
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''IA.L3-3.5.3E – BLOCK UNTRUSTED ASSETS '''
+'''RA.L3-3.11.2E – THREAT HUNTING '''
-Employ automated or manual/procedural mechanisms to prohibit system components from
+Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications
-connecting to organizational systems unless the components are known, authenticated, in a
+warrant, to search for indicators of compromise in organizational systems and detect, track,
-properly configured state, or in a trust profile.
+and disrupt threats that evade existing controls.
 '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
 Determine if: <br />
-[a] System components that are known, authenticated, in a properly configured state, or in
+[ODP4] Organizational systems to search for indicators of compromise are defined;'' <br />
+''[a] Indicators of compromise are identified; <br />
+[b] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when
-a trust profile are identified;
+indications warrant, to search for indicators of compromise in organizational systems;
-[b] Automated or manual/procedural mechanisms to prohibit system components from
+and
-connecting to organizational systems are identified; and
+[c] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when
-[c] Automated or manual/procedural mechanisms are employed to prohibit system
+indications warrant, to detect, track, and disrupt threats that evade existing controls.
-components from connecting to organizational systems unless the components are
-known, authenticated, in a properly configured state, or in a trust profile.
 '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
 '''Examine <br />
-'''[SELECT FROM: Configuration management policy; identification and authentication policy;
+'''[SELECT FROM: System and information integrity policy; policy and procedures addressing
-system and information integrity policy; procedures addressing system component
+system monitoring; threat hunting program documentation; procedures for the threat
-inventory; procedures addressing device identification and authentication; procedures
+hunting program; threat hunting results; system design documentation; security plan;
-addressing device configuration management; procedures addressing system monitoring
+system monitoring tools and techniques documentation; security planning policy and
-tools and techniques; configuration management plan; security plan; system design
+procedures; system configuration settings and associated documentation; system
-documentation; system configuration settings and associated documentation; system
+monitoring logs or records; system audit records; other relevant documents or records].
-inventory records; configuration management records; system monitoring records;
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for threat hunting program;
-alerts/notifications of unauthorized components within the system; change control records;
+system/network administrators; organizational personnel responsible for information
-system audit records; system monitoring tools and techniques documentation; documented
+security; system developers; organizational personnel installing, configuring, and/or
-authorization/approval of network services; notifications or alerts of unauthorized network
+maintaining the system; organizational personnel responsible for monitoring the system
-services; system monitoring logs or records; other relevant documents or records].
+and/or network].
-'''Interview <br />
+'''Test <br />
-'''[SELECT FROM: Organizational personnel responsible for managing the mechanisms
+'''[SELECT FROM: Mechanisms supporting and/or implementing a threat hunting program;
-implementing unauthorized system component detection; organizational personnel
+mechanisms supporting and/or implementing a system monitoring capability; mechanisms
-responsible for device identification and authentication; organizational personnel
+supporting and/or supporting and/or implementing incident response plans].
-responsible for information security; organizational personnel responsible for installing,
+'''DISCUSSION [NIST SP 800-172] '''
-configuring, and/or maintaining the system; system/network administrators;
+Threat hunting is an active means of defense that contrasts with traditional protection
-organizational personnel responsible for monitoring the system; system developers].
+measures, such as firewalls, intrusion detection and prevention systems, quarantining
@@ Line 2,851: / Line 2,982: @@
-IA.L3-3.5.3e – Block Untrusted Assets
+RA.L3-3.11.2e – Threat Hunting
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''Test <br />
+malicious code in sandboxes, and Security Information and Event Management (SIEM)
-'''[SELECT FROM: Mechanisms implementing the detection of unauthorized system
-components; mechanisms supporting and/or implementing a device identification and
+technologies and systems. Cyber threat hunting involves proactively searching
-authentication capability; mechanisms for providing alerts; mechanisms supporting and/or
+organizational systems, networks, and infrastructure for advanced threats. The objective is
-implementing configuration management; cryptographic mechanisms supporting device
+to track and disrupt cyber adversaries as early as possible in the attack sequence and to
-attestation; mechanisms supporting and/or implementing a system monitoring capability;
+measurably improve the speed and accuracy of organizational responses. Indicators of
-mechanisms for auditing network services].
+compromise are forensic artifacts from intrusions that are identified on organizational
-'''DISCUSSION [NIST SP 800-172] '''
+systems at the host or network level and can include unusual network traffic, unusual file
-Identification and authentication of system components and component configurations can
+changes, and the presence of malicious code. <br />
+Threat hunting teams use existing threat intelligence and may create new threat information,
-be determined, for example, via a cryptographic hash of the component. This is also known
+which may be shared with peer organizations, Information Sharing and Analysis
-as device attestation and known operating state or trust profile. A trust profile based on
+Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant
-factors such as the user, authentication method, device type, and physical location is used to
+government departments and agencies. Threat indicators, signatures, tactics, techniques,
-make dynamic decisions on authorizations to data of varying types. If device attestation is
+procedures, and other indicators of compromise may be available via government and non-
-the means of identification and authentication, then it is important that patches and updates
+government cooperatives, including Forum of Incident Response and Security Teams, United
-to the device are handled via a configuration management process such that the patches and
+States Computer Emergency Response Team, Defense Industrial Base Cybersecurity
-updates are done securely and do not disrupt the identification and authentication of other
+Information Sharing Program, and CERT Coordination Center. <br />
+[NIST SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk
-devices. <br />
+modeling. [NIST SP 800-160-2] provides guidance on systems security engineering and
-[NIST  IR 8011-1] provides guidance on using automation support to assess system
-configurations.
+cyber resiliency. [NIST SP 800-150] provides guidance on cyber threat information sharing.
 '''FURTHER DISCUSSION '''
-This  requirement  can be achieved  in  several  ways, such as blocking based on posture
+For this requirement, threat hunting is conducted on an on-going aperiodic basis. On-going
-assessments, conditional access, or trust profiles. A posture assessment can be used to assess
+aperiodic refers to activities that happen over and over but without an identifiable repeating
-a given system’s posture to validate that it meets the standards set by the organization before
+pattern over time. For threat hunting, on-going activities take place in an automated manner
-allowing it to connect. Conditional access is the set of policies and configurations that control
+(e.g., collecting logs, automated analysis, and alerts). Aperiodicity includes humans
-devices receiving access to services and data sources. Conditional access helps an organization
+performing the hunt activities, which take place on an as-needed or as-planned basis. <br />
+APTs can penetrate an environment by means that defeat or avoid conventional monitoring
-build rules that manage security controls, perform blocking, and restrict components. A trust
+methods and alert triggers—for example, by using zero-day attacks. Zero-day attacks
-profile is a set of factors that are checked to inform a device that a system can be trusted.
+become known only after the attack has happened and alerts are sent via threat intelligence
+feeds based on expert analysis. Because of the nature of zero-day attacks, automated alerts
+do not generally trigger when the event occurs but the activity is captured in system logs and
+forwarded for analysis and retention by the SIEM. Threat intelligence information is typically
-'''Example 1 <br />
+used by hunt teams to search SIEM systems, system event and security logs, and other
-'''In a Windows environment,  you authorize devices to connect to systems by defining
-configuration rules in one or more Group Policy Objects (GPO) that can be automatically
+components to identify activity that has already taken place on an environment. The hunt
-applied to all relevant devices in a domain [a]. This provides you with a mechanism to apply
+team will identify systems related to the event(s) and pass the case to Incident Response
-rules for which devices are authorized to connect to any given system and prevent devices
+team for action on the event(s). The hunt team will also use indicators to identify smaller
-that are not within the defined list from connecting [b,c]. For instance, universal serial bus
+components of an attack and search for that activity, which may help uncover a broader
-(USB) device rules for authorization can be defined by using a USB device’s serial number,
+attack on the environment. <br />
+Threat hunting can also look for anomalous behavior or activity based on an organization’s
-model number, and manufacturer information. This information can be used to build a trust
+normal pattern of activity. Understanding the roles and information flows within an
-profile for a device and authorize it for use by a given system. You use security policies to
+organization can help identify activity that might be indicative of adversary behavior before
-prevent unauthorized components from connecting to systems [c].
+the adversary completes their attack or mission.
@@ Line 2,939: / Line 3,077: @@
-IA.L3-3.5.3e – Block Untrusted Assets
+RA.L3-3.11.2e – Threat Hunting
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''Example 2 <br />
+'''Example <br />
-'''You have been assigned to build trust profiles for all devices allowed to connect to your
+'''You are the lead for your organization’s cyber threat hunting team. You have local and
-organization’s systems. You want to test the capability starting with printers. You talk to your
+remote staff on the team to process threat intelligence. Your team is tied closely with the SOC
-purchasing department, and they tell you that policy states every printer must be from a
+and IR teams. Through a DoD (DC3) intelligence feed, you receive knowledge of a recent
-specific manufacturer; they only purchase four different models. They also collect all serial
+APT’s attacks on defense contractors. The intelligence feed provided the indicators of
-numbers from purchased printers. You gather this information and build trust profiles for
+compromise for a zero-day attack that most likely started within the past month. After
-each device [a,b]. Because your organization shares printers, you push the trust profiles out
+receiving the IOCs, you use a template for your organization to place the information in a
-to organizational systems. Now, the systems are not allowed to connect to a network printer
+standard format your team understands. You then email the information to your team
-unless they are within the trust profiles you have provided [b,c].
+members and place the information in your hunt team’s dashboard, which tracks all IOCs [a]. <br />
+Your team starts by using the information to hunt for IOCs on the environment [b]. One of
-'''Example 3 <br />
+your team members quickly responds, providing information from the SIEM that an HR
-'''Your organization has implemented a network access control solution (NAC) to help ensure
-that only properly configured computers are allowed to connect to the corporate network
+system’s logs show evidence that IOCs related to this threat occurred three days ago. The
-[a,b]. The solution first checks for the presence of a certificate to indicate that the device is
+team contacts the owner of the system as they take the system offline into a quarantined
-company-owned. It next reviews the patch state of the computer and forces the installation
+environment. Your team pulls all logs from the system and clones the storage on the system.
-of any patches that are required by the organization. Finally, it reviews the computer’s
+Members go through the logs to look for other systems that may be part of the APT’s attack
-configuration to ensure that the firewall is active and that the appropriate security policies
+[c]. While the team is cloning the storage system for evidence, you alert the IR team about
-have been applied. Once the computer has passed all of these requirements, it is allowed
+the issue. After full forensics of the system, your team has verified your company has been
-access to network resources and defined as a trusted asset for the length of its session [a].
+hit by the APT, but nothing was taken and no additional attacks happened. You also alert DoD
-Devices that do not meet all of the requirements are automatically blocked from connecting
+(DC3) about the finding and discuss the matter with them. There is an after action report and
-to the network [c].
+a briefing given to management to make them aware of the issue.
 '''Potential Assessment Considerations <br />
 '''•
-  If the organization is using a manual method, is the method outlined in detail so any user
+ Does the organization have a methodology for performing cyber threat hunting actions
-will be able to follow it without making an error [b,c]?
+[b,c]?
 •
-  If the organization is using an automated method, can the organization explain how the
+ Has the organization defined all organizational systems within scope of cyber threat
-technology performs the task? Can they explain the steps needed to implement [a,b,c]?
+hunting, including valid and approved documentation for any organization systems that
+are not within scope [b,c]?
 •
-  Can  the organization provide evidence showing they have trust profiles for specific
+  Has the organization identified a specific set of individuals to perform cyber threat
-devices [a,b,c]?
+hunting [b,c]?
 •
-  Can the organization explain how their system components authenticate to a system if
+ Does the threat hunting team have qualified staff members using the threat feed
-they are not using trust profiles [b,c]?
+information [b,c]?
-'''KEY REFERENCES '''
 •
-  NIST SP 800-172 3.5.3e
+ Does the threat hunting team use combinations of events to determine suspicious
+behaviors [b,c]?
+•
+ Does the organization have a documented list of trusted threat feeds that are used by
+their cyber hunt teams as the latest indicators of compromise during their efforts [a]?
+•
+ Does the organization have a clear methodology for processing threat feed information
+and turning it into actionable information they can use for their threat hunting approach
+[a]?
-IR.L3-3.6.1e – Security Operations Center
+'''KEY REFERENCES '''
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+•
+ NIST SP 800-172 3.11.2e
-''' '''
-Incident Response (IR) <br />
-'''IR.L3-3.6.1E – SECURITY OPERATIONS CENTER '''
-Establish and maintain a security operations center capability that operates 24/7, with
-allowance for remote/on-call staff.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[a] A security operations center capability is established; <br />
-[b] The security operations center capability operates 24/7, with allowance for remote/on-
-call staff; and
-[c] The security operations center capability is maintained.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
+RA.L3-3.11.3e – Advanced Risk Identification
-'''[SELECT FROM: Incident response policy; contingency planning policy; procedures
-addressing incident handling; procedures addressing the security operations center
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-operations; mechanisms supporting dynamic response capabilities; incident response plan;
-contingency plan; security plan; other relevant documents or records].
+''' '''
-'''Interview <br />
+'''RA.L3-3.11.3E – ADVANCED RISK IDENTIFICATION '''
-'''[SELECT FROM: Organizational personnel responsible for incident handling; organizational
-personnel responsible for contingency planning; security operations center personnel;
+Employ advanced automation and analytics capabilities in support of analysts to predict and
-organizational personnel responsible for information security].
+identify risks to organizations, systems, and system components.
-'''Test <br />
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-'''[SELECT FROM: Mechanisms that support and/or implement the security operations center
-capability; mechanisms that support and/or implement the incident handling process].
+Determine if: <br />
+[a] Advanced automation and analytics capabilities to predict and identify risks to
-'''DISCUSSION [NIST SP 800-172] '''
+organizations, systems, and system components are identified;
-A security operations center (SOC) is the focal point for security operations and computer
+[b] Analysts to predict and identify risks to organizations, systems, and system components
-network defense for an organization. The purpose of the SOC is to defend and monitor an
+are identified; and
-organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC
+[c] Advanced automation and analytics capabilities are employed in support of analysts to
-is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a
+predict and identify risks to organizations, systems, and system components.
-timely manner. The SOC is staffed with skilled technical and operational personnel (e.g.,
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-security analysts, incident response personnel, systems security engineers);  in some
+'''Examine <br />
+'''[SELECT FROM: System and information integrity policy; risk assessment policy; security
-instances operates 24 hours per day, seven days per week; and implements technical,
+planning policy and procedures; procedures addressing organizational assessments of risk;
-management, and operational controls (e.g., monitoring, scanning, and forensics tools) to
+procedures addressing system monitoring; enterprise architecture documentation; system
+design documentation; system architecture and configuration documentation; system
+monitoring tools and techniques documentation; system configuration settings and
+associated documentation; system monitoring logs or records; system audit records;
+security plan; risk assessment artifacts; risk assessment results; risk assessment reviews;
+risk assessment updates; other relevant documents or records].
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for information security;
+organizational personnel responsible for risk assessments; risk analysts; system developers;
+organizational personnel installing, configuring, and/or maintaining the system;
-IR.L3-3.6.1e – Security Operations Center
+organizational personnel responsible for monitoring; system/network administrators].
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+'''Test <br />
+'''[SELECT FROM: Automated mechanisms supporting and/or implementing risk analytics
+capabilities; automated mechanisms supporting and/or implementing system monitoring
-''' '''
+capability; automated mechanisms supporting and/or implementing the discovery,
-monitor, fuse, correlate, analyze, and respond to security-relevant event data from multiple
+collection, distribution, and use of indicators of compromise; automated mechanisms for
-sources. Sources of event data include perimeter defenses, network devices (e.g., gateways,
+conducting, documenting, reviewing, disseminating, and updating risk assessments].
-routers, and switches), and endpoint agent data feeds. The SOC provides a holistic situational
-awareness capability to help organizations determine the security posture of the system and
-organization. An SOC capability can be obtained in many ways. Larger organizations may
-implement a dedicated SOC while smaller organizations may employ third-party
-organizations to provide such a capability. <br />
-[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP
--101] provide guidance on integrating forensic techniques into incident response. [NIST
-SP  800-150] provides guidance on cyber threat information sharing. [NIST SP  800-184]
-provides guidance on cybersecurity event recovery.
-'''FURTHER DISCUSSION '''
+RA.L3-3.11.3e – Advanced Risk Identification
-Security operations  centers are created to monitor and respond to suspicious activities
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-across an organization’s IT applications and infrastructure. A SOC may be implemented in a
-variety of physical, virtual, and geographic constructs. The organization may also opt to not
+''' '''
-hire their own staff but to engage a third-party external service provider to serve as their
+'''DISCUSSION [NIST SP 800-172] '''
-SOC. <br />
+A properly resourced Security Operations Center (SOC) or Computer Incident Response
-The SOC is typically comprised of multiple levels of cybersecurity analysts.  Each tier of
-cybersecurity analysts works on increasingly complex aspects of Incident Response. The SOC
+Team (CIRT) may be overwhelmed by the volume of information generated by the
-may also have dedicated cybersecurity engineers to support configuration and management
+proliferation of security tools and appliances unless it employs advanced automation and
-of defensive cyber tools. The SOC may work with staff in IT operations who provide support
+analytics to analyze the data. Advanced automation and predictive analytics capabilities are
-to the SOC. <br />
+typically supported by artificial intelligence concepts and machine learning. Examples
-SOC capabilities run 24/7, and while staff may not always be performing tasks for the SOC,
-the capability alerts staff members and directs them to go to a facility or perform SOC actions
+include Automated Workflow Operations, Automated Threat Discovery and Response
-from a remote location. Staff members should be scheduled or on call to ensure they are
+(which includes broad-based collection, context-based analysis, and adaptive response
-available when needed.
+capabilities), and machine-assisted decision tools. <br />
+[NIST SP 800-30] provides guidance on risk assessments and risk analyses.
-'''Example <br />
+'''FURTHER DISCUSSION '''
-'''You are the Chief Information Security Officer (CISO) of a medium-sized organization. To
-meet the goal of 24/7 SOC operation, you have decided to adjust the current SOC, which
+Advanced automation includes tools to correlate and reduce the cyber data overload created
-operates five days a week for 12 hours a day, by minimizing active staff members and hiring
+by defensive tools, making the data understandable to the analyst. Automation also allows
-trusted expert consultants to have on call at all times (i.e., seven days a week, 24 hours a day)
+the defensive mechanisms to respond rapidly when adversary events are identified.
-[a,b].  You  design  your SOC to be remotely accessible so your experts can access your
+Examples of such capabilities are SIEM; Security Orchestration, Automation, and Response
-environment when needed. You also decide to set up a very strong automated capability that
+(SOAR); and Extended Detection and Response (XDR) tools. An example of an automated
-is good at identifying questionable activities and alerting the appropriate staff. You create a
+rapid response action is a security alert being pushed to the SIEM while the organization’s
-policy stating that after an alert goes out, two members of the SOC team must  remotely
+SOAR solution communicates to the network firewall to block communications to the remote
-connect to the environment within 15 minutes to address the problem. All staff members
+system identified in the security alert. <br />
+SIEM is primarily a log collection tool intended to support data storage and analysis. It
-also have regular working hours during which they perform other SOC activities, such as
+collects and sends alerts to security personnel for further investigation. SOAR is a software
-updating information to help the automated tool perform its functions [c].
+stack that enables an organization to collect data about security threats and respond to
+security events without human assistance in order to improve security operations.
+Orchestration connects and integrates disparate internal and external tools. Automation, fed
+by the data and alerts collected from security orchestration, ingests and analyzes data and
+creates repeated, automated responses. SOAR incorporates these capabilities based on the
+SIEM data and enables disparate security tools to coordinate with one another. SOAR can use
+artificial intelligence to predict and respond to similar future threats, if such tools are
+employed. <br />
+XDR streamlines security data ingestion, analysis, prevention, and remediation workflows
+across an organization’s entire security stack, providing a single console to view and act on
-IR.L3-3.6.1e – Security Operations Center
+threat data. However, the presence of these tools by themselves does not necessarily provide
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+an advanced capability. It is essential that the security team employ critical thinking in
+support of the intrusion detection and threat hunting processes.
-''' '''
+'''Example <br />
+'''You are responsible for information security in your organization. The organization holds
-'''Potential Assessment Considerations <br />
+and processes CUI in an enterprise. To protect that data, you want to minimize phishing
-'''•
-  How does the organization enable 24/7 SOC capabilities? Does the organization have
+attacks through the use of Security Orchestration and Automated Response (SOAR). Rather
-people in seats 24/7 or on-call members?  If on-call members are used, what are the
+than relying on analysts to manually inspect each inbound item, emails containing links
-trigger and alerting mechanisms that allow for 24/7 coverage [a,b]?
+and/or attachments are processed by your automation playbook. Implementation of these
-•
-  Does the organization have sufficient trained full-time equivalent staff to enable 24/7
-SOC services [a,b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.6.1e
+RA.L3-3.11.3e – Advanced Risk Identification
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+processes involves sending all email links and attachments to detonation chambers or
+sandboxes prior to delivery to the recipient. When the email is received, SOAR extracts all
+URL links and attachments from the content and sends them for analysis and testing [a]. The
+domains in the URLs and the full URLs are processed against bad domain and URL lists. Next,
-IR.L3-3.6.2e – Cyber Incident Response Team
+a browser in a sandbox downloads the URLs for malware testing. Lastly, any attachments are
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+sent to detonation chambers to identify if they attempt malicious activities. The hash of the
+attachments is sent to services to identify if it is known malware [b]. If any one of the items
-''' '''
+triggers a malware warning from the sandbox, detonation chamber, domain/URL validation
-'''IR.L3-3.6.2E – CYBER INCIDENT RESPONSE TEAM '''
+service, attachment hash check services, or AV software, an alert about the original email is
-Establish and maintain a cyber incident response team that can be deployed by the
+sent to team members with the recommendation to quarantine it. The team is given the
-organization within 24 hours.
+opportunity to select a “take action” button, which would have the SOAR solution take
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+actions to block that email and similar emails from being received by the organization [c].
-Determine if: <br />
+'''Potential Assessment Considerations <br />
-[a] A cyber incident response team is established; <br />
+'''•
-[b] The cyber incident response team can be deployed by the organization within 24 hours;
-and
+ Has the organization implemented a security information and event management system
-[c] The cyber incident response team is maintained.
+[a,c]?
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+•
-'''Examine <br />
+ Has the organization implemented security orchestration, automation, and response
-'''[SELECT FROM: Incident response policy; procedures addressing incident response;
-incident response plan; security plan; other relevant documents or records].
+tools [a,b,c]?
-'''Interview <br />
+•
-'''[SELECT FROM: Organizational personnel responsible for incident response; organizational
-personnel from the incident response team; organizational personnel responsible for
+ Does the organization use automated processing integrated with the SIEM system to
-information security].
+perform analytics [c]?
-'''Test <br />
+•
-'''[SELECT FROM: Mechanisms supporting and/or implementing incident response].
-'''DISCUSSION [NIST SP 800-172] '''
+ Can the organization demonstrate use of relevant threat data to inform detection
-A cyber incident response team (CIRT) is a team of experts that assesses, documents, and
+methods that in turn provide automated alerts/recommendations [c]?
-responds to cyber incidents so that organizational systems can recover quickly and
+•
-implement the necessary controls to avoid future incidents. CIRT personnel include, for
+ Has the organization implemented an extended detection capability [c]?
-example, forensic analysts, malicious code analysts, systems security engineers, and real-
+•
-time operations personnel. The incident handling capability includes performing rapid
+ Does the organization have the ability to merge traditional cyber data, such as network
-forensic preservation of evidence and analysis of and response to intrusions. The team
+packet captures (e.g., PCAP), or process logs with enrichment data, such as reputation or
-members may or may not be full-time but need to be available to respond in the time period
+categorization data [c]?
-required. The size and specialties of the team are based on known and anticipated threats.
+•
-The team is typically pre-equipped with the software and hardware (e.g., forensic tools)
+ Can the organization provide examples of both basic and emerging analytics used to
-necessary for rapid identification, quarantine, mitigation, and recovery and is familiar with
+analyze alert anomalies, e.g., both simple queries and unsupervised machine learning
-how to preserve evidence and maintain chain of custody for law enforcement or
+algorithms that both improve their effectiveness and automatically filter, reduce, or
-counterintelligence uses. For some organizations, the CIRT can be implemented as a cross
+enrich alerting capabilities [c]?
-organizational entity or as part of the Security Operations Center (SOC).
+'''KEY REFERENCES '''
+•
+ NIST SP 800-172 3.11.3e
+''' '''
@@ Line 3,309: / Line 3,455: @@
-IR.L3-3.6.2e – Cyber Incident Response Team
+RA.L3-3.11.4e – Security Solution Rationale
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP
+'''RA.L3-3.11.4E – SECURITY SOLUTION RATIONALE '''
--101] provide guidance on integrating forensic techniques into incident response. [NIST
+Document or reference in the system security plan the security solution selected, the
-SP  800-150] provides guidance on cyber threat information sharing. [NIST SP  800-184]
+rationale for the security solution, and the risk determination.
-provides guidance on cybersecurity event recovery.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-'''FURTHER DISCUSSION '''
+Determine if: <br />
+[a] The system security plan documents or references the security solution selected; <br />
+[b] The system security plan documents or references the rationale for the security solution;
-The CIRT’s primary function is to handle information security incident management and
+and
-response for the environments the SOC oversees. The primary goals of the CIRT are triage
+[c] The system security plan documents or references the risk determination.
-and initial response to an incident. They also communicate with all the proper people to
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-ensure understanding of an incident and the response actions, including  collection of
+'''Examine <br />
+'''[SELECT FROM: system security plan; records of security plan reviews and updates; system
-forensic evidence, have been conveyed. <br />
+design documentation; security planning policy; procedures addressing security plan
-If and when an incident is detected by the organization’s SOC, the IR team is responsible for
-handling the incident and communicating  what has happened to the appropriate people
+development; procedures addressing security plan reviews and updates; enterprise
-within the organization, as well to the authorities (as needed). <br />
+architecture documentation; enterprise security architecture documentation; system
-The deployment of a team does not necessarily mean they are “physically deployed.”
-Deployment may simply mean connecting to a remote system in a manner that is equivalent
+interconnection security agreements and other information exchange agreements; other
-to being on the system’s keyboard. Remote access can provide just as much capability as local
+relevant documents or records].
-access in many cases. <br />
+'''Interview <br />
-Some situations require physical access.  For instance, if the company has a physically
+'''[SELECT FROM: Organizational personnel responsible for information security;
-isolated environment located at a remote location, a team must be physically present at the
+organizational personnel responsible for developing, implementing, or approving system
-remote facility to perform the duties required.
+interconnection and information exchange agreements; personnel managing the systems to
-'''Example <br />
+which the Interconnection Security Agreement/Information Exchange Agreement applies;
-'''You are the lead for an IR team within your organization. Your manager is the SOC lead, and
-she reports to the chief information officer (CIO). As the SOC is alerted and/or identifies
+system developers; organizational personnel responsible for security planning and plan
-incidents within the organization’s environments, you lead and deploy teams to resolve the
+implementation; organizational personnel responsible for boundary protection; system
-issues, including incidents involving cloud-based systems. You use a custom dashboard that
+developers; system/network administrators].
-was created for your team members  to  view and manage  incidents, perform response
+'''Test <br />
+'''[SELECT FROM: Organizational processes for security plan development, review, update,
-actions, and record actions and notes for each case. You also have your team create an after
+and approval].
-action report for all incidents to which they respond; this information is used to determine
+'''DISCUSSION [NIST SP 800-172] '''
-if a given incident requires additional action and reporting [a]. <br />
+System security plans relate security requirements to a set of security controls and solutions.
-One  day,  you receive a message from the SOC that your website has become corrupted.
-Within  minutes,  you have a team on the system inspecting logs, analyzing applications,
+The plans describe how the controls and solutions meet the security requirements. For the
-preserving key information, and looking for evidence of tampering/attack [b]. Your team
+enhanced security requirements selected when the APT is a concern, the security plan
-runs through a procedure  set for this specific incident type  based on a handbook the
+provides traceability between threat and risk assessments and the risk-based selection of a
-organization has created  and maintains [c].  It is found that a cyberattack caused the
+security solution, including discussion of relevant analyses of alternatives and rationale for
-corruption, but the corruption caused a crash, which prevented the attack from continuing.
-Your team takes note of all actions they perform, and at the end of the incident analysis, you
-send a message to the website lead to inform them of the issue, case number, and notes
-created by the team. The website lead has their team rebuild the system and validate that
-the attack no longer works. At the end of the incident, the CISO and CIO are informed of the
-issue.
@@ Line 3,401: / Line 3,535: @@
-IR.L3-3.6.2e – Cyber Incident Response Team
+RA.L3-3.11.4e – Security Solution Rationale
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''Potential Assessment Considerations <br />
+key security-relevant architectural and design decisions. This level of detail is important as
-'''•
-  Does the organization have a response capability that has remote  access to the
+the threat changes, requiring reassessment of the risk and the basis for previous security
-organization’s systems and system components within 24 hours in place of physical
+decisions. <br />
+When incorporating external service providers into the system security plan, organizations
-access [a,b]?
+state the type of service provided (e.g., software as a service, platform as a service), the point
-'''KEY REFERENCES '''
+and type of connections (including ports and protocols), the nature and type of the
-•
+information flows to and from the service provider, and the security controls implemented
-  NIST SP 800-172 3.6.2e
+by the service provider. For safety critical systems, organizations document situations for
+which safety is the primary reason for not implementing a security solution (i.e., the solution
+is appropriate to address the threat but causes a safety concern). <br />
+[NIST SP 800-18] provides guidance on the development of system security plans.
+'''FURTHER DISCUSSION '''
+The System Security Plan (SSP) is a fundamental component of an organization’s security
+posture. When solutions for implementing a requirement have differing levels of capabilities
+associated with their implementation, it is essential that the plan specifically document the
+rationale for the selected solution and what was acquired for the implementation. This
+information allows the organization to monitor the environment for threat changes and
-PS.L3-3.9.2e – Adverse Information
+identify which solutions may no longer be applicable. While not required, it may also be
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+useful to document alternative solutions reviewed and differing levels of risk associated with
+each alternative, as that information may facilitate future analyses when the threat changes.
-''' '''
+In addition to the implementations required for Level 2 certification, which may not be risk
-Personnel Security (PS) <br />
+based, at Level 3, the SSP must carefully document the link between the assessed threat and
-'''PS.L3-3.9.2E – ADVERSE INFORMATION '''
-Ensure that organizational systems are protected if adverse information develops or is
+the risk-based selection of a security solution for the enhanced security requirements (i.e.,
-obtained about individuals with access to CUI.
+all CMMC L3 requirements derived from NIST SP 800-172).
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+'''Example <br />
+'''You are responsible for information security in your organization. Following CMMC
-Determine if: <br />
+requirement RA.L3-3.11.1e – ''Threat Informed Risk Assessment'', your team uses threat
-[a] Individuals with access to CUI are identified; <br />
-[b] Adverse information about individuals with access to CUI is defined; <br />
-[c] Organizational systems to which individuals have access are identified; and <br />
-[d] Mechanisms are in place to protect organizational systems if adverse information
-develops or is obtained about individuals with access to CUI.
+intelligence to complete a risk assessment and make a risk determination for all elements of
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+your enterprise. Based on that view of risk, your team decides that requirement
-'''Examine <br />
+RA.L3-3.11.2e – ''Threat Hunting'' is a requirement that is very important in protecting your
-'''[SELECT FROM: Personnel security policy; system and services acquisition policy;
-procedures addressing personnel screening; records of screened personnel; enterprise
+organization’s use of CUI, and you have determined the solution selected could potentially
-architecture documentation; system design documentation; system architecture and
+add risk. You want to detect an adversary as soon as possible when they breach the network
-configuration documentation; security plan; list of individuals who have been identified as
+before any CUI can be exfiltrated. However, there are multiple threat hunting solutions, and
-posing an increased level of risk; list of appropriate access authorizations required for
+each solution has a different set of features that will provide different success rates in
-system personnel; personnel screening criteria and associated documentation; other
+identifying IOCs. <br />
+As a result, some solutions increase the risk to the organization by being less capable in
-relevant documents or records].
+detecting and tracking an adversary in your networks. To reduce risk, you evaluate five
-'''Interview <br />
+threat hunting solutions and in each case determine the number of IOCs for which there is a
-'''[SELECT FROM: Organizational personnel responsible for personnel security; organizational
-personnel responsible for information security; organizational personnel responsible for
+monitoring mechanism. You pick the solution that is cost effective, easy to operate, and
-system and services acquisition; organizational personnel responsible for personnel
+optimizes IOC detection for your enterprise; purchase, install, and train SOC personnel on its
-screening].
+use; and document the risk-based analysis of alternatives in the SSP. In creating that
-'''Test <br />
-'''[SELECT FROM: Organizational processes for personnel screening; mechanisms supporting
-personnel screening].
@@ Line 3,494: / Line 3,628: @@
+RA.L3-3.11.4e – Security Solution Rationale
-PS.L3-3.9.2e – Adverse Information
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''DISCUSSION [NIST SP 800-172] '''
+documentation in the SSP, you follow the guidance found in NIST SP 800-18, ''Guide for ''
-If adverse information develops or is obtained about an individual with access to CUI which
+''Developing Security Plans for Federal Information Systems'' [a,b,c].
-calls into question whether the individual should have continued access to systems
+'''Potential Assessment Considerations <br />
+'''•
-containing CUI, actions are taken (e.g., preclude or limit further access by the individual,
+ Has the organization completed a risk assessment and made a risk determinations for
-audit actions taken by the individual) to protect the CUI while the adverse information is
+enterprise components that need to be protected [c]?
-resolved.
+•
-'''FURTHER DISCUSSION '''
+ Can the organization identify what is being protected and explain why specific protection
-According to Defense Counterintelligence and Security Agency, or DCSA (Industrial Security
+solutions were selected [a,b]?
-Letter ISL 2011-04, revised July 15, 2020), adverse information consists of any information
+•
-that negatively reflects the integrity or character of an  individual.  This pertains to an
+ Have all the decisions been documented in the SSP [a,b,c]?
-individual’s ability to safeguard sensitive information, such as CUI. Adverse information may
+'''KEY REFERENCES '''
-simply be a report showing someone has sent sensitive information outside the organization
+•
-or used unapproved software, against company policy. An organization may receive adverse
+ NIST SP 800-172 3.11.4e
-information about an individual  through  police reports, reported  violations  of company
-policies (including social media posts that directly violate company policies), and revocation
+''' '''
-or suspension of DoD clearance. <br />
-When adverse information is identified about a given individual, the organization should
-take action to validate that information resources accessible by the individual have been
-identified and appropriate protection mechanisms are in place to safeguard information and
-system configurations. Based on organizational policy, an individual’s access to resources
-may be more closely monitored or restricted until further review. Logs should be examined
-to identify any attempt to perform unauthorized actions.
-'''Example <br />
-'''You learn that one of your employees has been convicted on shoplifting charges. Based on
-organizational policy, you report this information to human resources (HR), which verifies
-the information with a criminal background check [a,b,c].  Per policy, you increase the
+RA.L3-3.11.5e – Security Solution Effectiveness
-monitoring of the employee’s access to ensure that the employee does not exhibit patterns
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-of behavior consistent with an insider threat [d]. You maintain contact with HR as they
-investigate the adverse information so that you can take stronger actions if required, such as
+''' '''
-removing access to organizational systems.
+'''RA.L3-3.11.5E – SECURITY SOLUTION EFFECTIVENESS '''
-'''Potential Assessment Considerations <br />
+Assess the effectiveness of security solutions at least annually or upon receipt of relevant
-'''•
-  Does the organization define the protection mechanisms for organizational systems if
+cyber threat information, or in response to a relevant cyber incident, to address anticipated
-adverse information develops or is obtained about an individual with access to CUI [d]?
+risk to organizational systems and the organization based on current and accumulated threat
-'''KEY REFERENCES '''
+intelligence.
-•
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-  NIST SP 800-172 3.9.2e
+Determine if: <br />
+[a] Security solutions are identified; <br />
+[b] Current and accumulated threat intelligence is identified; <br />
+[c] Anticipated risk to organizational systems and the organization based on current and
+accumulated threat intelligence is identified; and
+[d] The effectiveness of security solutions is assessed at least annually or upon receipt of
+relevant cyber threat information, or in response to a relevant cyber incident, to address
+anticipated risk to organizational systems and the organization based on current and
+accumulated threat intelligence.
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+'''Examine <br />
+'''[SELECT FROM: Risk assessment policy; security planning policy and procedures; security
+assessment policy and procedures; security assessment plans; security assessment results;
-RA.L3-3.11.1e – Threat-Informed Risk Assessment
+procedures addressing organizational assessments of risk; security plan; risk assessment;
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+risk assessment results; risk assessment reviews; risk assessment updates; threat
+intelligence information; other relevant documents or records].
-''' '''
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for security assessments;
-Risk Assessment (RA) <br />
+organizational personnel responsible for risk assessments; organizational personnel
-'''RA.L3-3.11.1E – THREAT-INFORMED RISK ASSESSMENT '''
-Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-
+responsible for threat analysis; organizational personnel responsible for information
-provided sources,  as part of a risk assessment to guide and inform the development of
+security].
-organizational systems, security architectures, selection of security solutions, monitoring,
+'''Test <br />
+'''[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,
-threat hunting, and response and recovery activities.
+disseminating, and updating risk assessments; mechanisms supporting and/or
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+implementing security assessments].
-Determine if: <br />
-[ODP1] Sources of threat intelligence are defined;'' <br />
-''[a] A risk assessment methodology is identified; <br />
-[b] Threat intelligence, at a minimum from open or commercial sources, and any
-DoD-provided sources, are employed as part of a risk assessment to guide and inform the
-development of organizational systems and security architectures;
-[c] Threat intelligence, at a minimum from open or commercial sources, and any
-DoD-provided sources, are employed as part of a risk assessment to guide and inform the
-selection of security solutions;
-[d] Threat intelligence, at a minimum from open or commercial sources, and any
-DoD-provided sources, are employed as part of a risk assessment to guide and inform
-system monitoring activities;
+RA.L3-3.11.5e – Security Solution Effectiveness
-[e] Threat intelligence, at a minimum from open or commercial sources, and any
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-DoD-provided sources, are employed as part of a risk assessment to guide and inform
-threat hunting activities; and
+''' '''
-[f]  Threat intelligence, at a minimum from open or commercial sources, and any
+'''DISCUSSION [NIST SP 800-172] '''
-DoD-provided sources, are employed as part of a risk assessment to guide and inform
+Threat awareness and risk assessment of the organization are dynamic, continuous, and
-response and recovery activities.
+inform system operations, security requirements for the system, and the security solutions
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+employed to meet those requirements. Threat intelligence (i.e., threat information that has
-'''Examine <br />
+been aggregated, transformed, analyzed, interpreted, or enriched to help provide the
-'''[SELECT FROM: Information security program  plan; risk assessment policy; threat
-awareness program documentation; procedures for the threat awareness program; security
+necessary context for decision making) is infused into the risk assessment processes and
-planning policy and procedures; procedures addressing organizational assessments of risk;
+information security operations of the organization to identify any changes required to
-threat hunting program documentation; procedures for the threat hunting program; risk
+address the dynamic threat environment. <br />
+[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk
-assessment results relevant to threat awareness; threat hunting results; list or other
+analyses.
-documentation on the cross-organization, information-sharing capability; security plan; risk
+'''FURTHER DISCUSSION '''
-assessment; risk assessment results; risk assessment reviews; risk assessment updates;
+This requirement requires the organization to analyze threat intelligence and consider the
+effectiveness of currently deployed cybersecurity solutions against existing, new, and
+emerging threats. The goal is to understand the risk to the systems and the organization
+based on threat intelligence and to make adjustments to security solutions to reduce the risk
+to an acceptable level. Analysis of solutions should include analysis of operational system
+settings of the deployed systems and not be solely a conceptual capability analysis. This
+analysis includes verifying configuration settings are configured as desired by the
+organization and have not been changed over time. <br />
+Threat information can be thought of as raw data that may be limited in terms of evaluating
+the effectiveness of controls across the enterprise. For example, knowledge of a threat that
-RA.L3-3.11.1e – Threat-Informed Risk Assessment
+has not been correlated with other threats may result in evaluation of an implementation
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+that only provides partial protection for one set of systems when, in fact, the emerging threat
+is applicable to the entire enterprise. Large organizations may also have the resources to
-''' '''
+aggregate, transform, analyze, correlate, interpret, and enrich information to support
-contingency planning policy; contingency plan; incident response policy; incident response
+decision-making about adequacy of existing security mechanisms and methods.
-plan; other relevant documents or records].
+'''Example <br />
+'''You are responsible for information security in your organization, which holds and
-'''Interview <br />
+processes CUI. The organization subscribes to multiple threat intelligence sources [b]. In
-'''[SELECT FROM: Organizational personnel responsible for information security program
-planning and plan implementation; organizational personnel responsible for the threat
+order to assess the effectiveness of current security solutions, the security team analyzes any
-awareness and threat hunting programs; organizational personnel responsible for risk
+new incidents reported in the threat feed. They identify weaknesses that were leveraged by
-assessments; organizational personnel responsible for the cross-organization, information-
+malicious actors and subsequently look for similar weaknesses in their own security
-sharing capability; organizational personnel responsible for information security;
+architecture[a,c]. This analysis is passed to the architecture team for engineering change
-organizational personnel responsible for contingency planning; organizational personnel
+recommendations, including system patching guidance, new sensors, and associated alerts
-responsible for incident response; personnel with whom threat awareness information is
+that should be generated, and to identify ways to mitigate, transfer, or accept the risk
-shared by the organization].
+necessary to respond to events if they occur within their own organization [d].
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting and/or implementing the threat awareness
-program; mechanisms supporting and/or implementing the cross-organization,
-information-sharing capability; mechanisms supporting and/or implementing the threat
-hunting program; mechanisms for conducting, documenting, reviewing, disseminating, and
-updating risk assessments; mechanisms supporting and/or implementing contingency
-plans; mechanisms supporting and/or implementing incident response plans].
-'''DISCUSSION [NIST SP 800-172] '''
-The constant evolution and increased sophistication of adversaries, especially the APT,
-makes it more likely that adversaries can successfully compromise or breach organizational
+RA.L3-3.11.5e – Security Solution Effectiveness
-systems. Accordingly, threat intelligence can be integrated into each step of the risk
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-management process throughout the system development life cycle. This risk management
-process includes defining system security requirements, developing system and security
+''' '''
-architectures, selecting security solutions, monitoring (including threat hunting), and
+'''Potential Assessment Considerations <br />
+'''•
-remediation efforts. <br />
+  Does the organization make adjustments during an incident or operational
-[NIST SP  800-30] provides guidance on risk assessments. [NIST SP  800-39] provides
-guidance on the risk management process. [NIST SP  800-160-1] provides guidance on
+improvements after an incident has occurred [d]?
-security architectures and systems security engineering. [NIST SP  800-150] provides
+•
-guidance on cyber threat information sharing.
+ Has the organization implemented an analytical process to assess the effectiveness of
-'''FURTHER DISCUSSION '''
+security solutions against new or compiled threat intelligence [b,c,d]?
-An organization consumes threat intelligence and improves their security posture based on
+•
-the intelligence relevant to that  organization and/or a  system(s).  The organization can
+ Has the organization implemented a process to identify if an operational security
-obtain threat intelligence from open or commercial sources  but must also use  any
+solution fails to contribute to the protections needed against specific adversarial actions
-DoD-provided sources. Threat information can be received in high volumes from various
+based on new threat intelligence [a,b,c,d]?
-providers and must be processed and analyzed by the organization. It is the responsibility of
+'''KEY REFERENCES '''
+•
+ NIST SP 800-172 3.11.5e
-the organization to process the threat information in a manner that is useful and actionable
-to their needs. Processing, analyzing, and extracting the intelligence from the threat feeds
+''' '''
@@ Line 3,756: / Line 3,885: @@
-RA.L3-3.11.1e – Threat-Informed Risk Assessment
+RA.L3-3.11.6e – Supply Chain Risk Response
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-and applying it to all organizational security engineering needs is the primary benefit of this
+'''RA.L3-3.11.6E – SUPPLY CHAIN RISK RESPONSE '''
-requirement. Note that more than one source is required to meet assessment objectives.
+Assess, respond to, and monitor supply chain risks associated with organizational systems
-'''Example <br />
+and system components.
-'''Your organization receives a commercial threat  intelligence feed from  FIRST and
-government threat intelligence feeds from both USCERT and DoD/DC3 to help learn about
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-recent threats and any additional information the threat feeds provide  [b,c,d,e,f].  Your
+Determine if: <br />
+[a] Supply chain risks associated with organizational systems and system components are
-organization uses the threat intelligence for multiple purposes: <br />
+identified;
-•
-  To perform up-to-date risk assessments for the organization [a];
+[b] Supply chain risks associated with organizational systems and system components are
-•
+assessed;
-  To add rules to the automated system put in place to identify threats (indicators of
+[c] Supply chain risks associated with organizational systems and system components are
-compromise, or IOCs) on the organization’s network [e];
+responded to; and
-•
+[d] Supply chain risks associated with organizational systems and system components are
-  To guide the organization in making informed selections of security solutions [c];
+monitored.
-•
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-  To shape the way the organization performs system monitoring activities [d];
+'''Examine <br />
+'''[SELECT FROM: Risk assessment policy; procedures addressing organizational assessments
-•
+of risk; security planning policy and procedures; supply chain risk management plan;
-  To manage the escalation process for identified incidents, handling specific events, and
+security plan; risk assessment; risk assessment results; risk assessment reviews; risk
-performing recovery actions [f];
+assessment updates; threat intelligence information; other relevant documents or records].
-•
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for information security;
-  To provide additional information to the hunt team to identify threat activities [e];
+organizational personnel responsible for risk assessments; organizational personnel
-•
+responsible for supply chain risk management].
-  To inform  the development and design decisions for organizational systems and the
+'''Test <br />
+'''[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,
-overall security architecture, as well as the network architecture [b,c];
+disseminating, and updating risk assessments].
-•
+'''DISCUSSION [NIST SP 800-172] '''
-  To assist in decision-making regarding systems that are part of the primary network and
+Supply chain events include disruption, use of defective components, insertion of
-systems that are placed in special enclaves for additional protections [b]; and
+counterfeits, theft, malicious development practices, improper delivery practices, and
-•
+insertion of malicious code. These events can have a significant impact on a system and its
-  To determine additional security measures based on current threat activities taking place
+information and, therefore, can also adversely impact organizational operations (i.e.,
-in similar industry networks [c,d,e,f].
+mission, functions, image, or reputation), organizational assets, individuals, other
-'''Potential Assessment Considerations <br />
+organizations, and the Nation. The supply chain-related events may be unintentional or
-'''•
-  Does the organization detail how threat feed information is to be ingested, analyzed, and
+malicious and can occur at any point during the system life cycle. An analysis of supply chain
-used [a]?
-•
-  Can the organization’s SOC or hunt teams discuss how they use the threat feed
-information after it is processed [e,f]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.11.1e
+RA.L3-3.11.6e – Supply Chain Risk Response
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+risk can help an organization identify systems or components for which additional supply
+chain risk mitigations are required. <br />
+[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk
+analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
+'''FURTHER DISCUSSION '''
+Organizations will have varying policies, definitions, and actions for this requirement. It is
-RA.L3-3.11.2e – Threat Hunting
+important for a single organization to be consistent and to build a process that makes sense
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+for their organization, strategy, unique supply chain, and the technologies available to them.
+'''Example ''' <br />
+You are responsible for information security in your organization, which holds and
-''' '''
+processes CUI. One of your responsibilities is to manage risk associated with your supply
-'''RA.L3-3.11.2E – THREAT HUNTING '''
+chain that may provide an entry point for the adversary. First, you acquire threat information
-Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications
+by subscribing to reports that identify supply chain attacks in enough detail that you are able
-warrant, to search for indicators of compromise in organizational systems and detect, track,
+to identify the risk points in your organization’s supply chain [a]. You create an organization-
-and disrupt threats that evade existing controls.
+defined prioritized list of risks the organization may encounter and determine the responses
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+to be implemented to mitigate those risks [b,c]. <br />
+In addition to incident information, the intelligence provider also makes recommendations
-Determine if: <br />
+for monitoring and auditing your supply chain. You assess, integrate, correlate, and analyze
-[ODP4] Organizational systems to search for indicators of compromise are defined;'' <br />
-''[a] Indicators of compromise are identified; <br />
-[b] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when
-indications warrant, to search for indicators of compromise in organizational systems;
+this information so you can use it to acquire monitoring tools to help identify supply chain
-and
+events that could be an indicator of an incident. This monitoring tool provides visibility of
-[c] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when
+the entire attack surface, including your vendors’ security posture [d]. Second, you analyze
-indications warrant, to detect, track, and disrupt threats that evade existing controls.
+the incident information in the intelligence report to help identify defensive tools that will
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+help respond to each of those known supply chain attack techniques as soon as possible after
-'''Examine <br />
+such an incident is detected, thus mitigating risk associated with known techniques.
-'''[SELECT FROM: System and information integrity policy; policy and procedures addressing
-system monitoring; threat hunting program documentation; procedures for the threat
+'''Potential Assessment Considerations <br />
+'''•
-hunting program; threat hunting results; system design documentation; security plan;
+ Has the organization prioritized risks to the supply chain [a,b]?
-system monitoring tools and techniques documentation; security planning policy and
+•
-procedures; system configuration settings and associated documentation; system
+ Does the organization have viable service-level agreements that describe and enable
-monitoring logs or records; system audit records; other relevant documents or records].
+responses to supply chain incidents [c,d]?
-'''Interview <br />
+'''KEY REFERENCES '''
-'''[SELECT FROM: Organizational personnel responsible for threat hunting program;
-system/network administrators; organizational personnel responsible for information
+•
-security; system developers; organizational personnel installing, configuring, and/or
+ NIST SP 800-172 3.11.6e
-maintaining the system; organizational personnel responsible for monitoring the system
-and/or network].
+''' '''
-'''Test <br />
-'''[SELECT FROM: Mechanisms supporting and/or implementing a threat hunting program;
-mechanisms supporting and/or implementing a system monitoring capability; mechanisms
-supporting and/or supporting and/or implementing incident response plans].
-'''DISCUSSION [NIST SP 800-172] '''
-Threat hunting is an active means of defense that contrasts with traditional protection
-measures, such as firewalls, intrusion detection and prevention systems, quarantining
+RA.L3-3.11.7e – Supply Chain Risk Plan
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+'''RA.L3-3.11.7E – SUPPLY CHAIN RISK PLAN '''
+Develop a plan for managing supply chain risks associated with organizational systems and
-RA.L3-3.11.2e – Threat Hunting
+system components; update the plan at least annually, and upon receipt of relevant cyber
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+threat information, or in response to a relevant cyber incident.
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-''' '''
+Determine if: <br />
+[a] Supply chain risks associated with organizational systems and system components are
-malicious code in sandboxes, and Security Information and Event Management (SIEM)
+identified;
-technologies and systems. Cyber threat hunting involves proactively searching
+[b] Organizational systems and system components to include in a supply chain risk
-organizational systems, networks, and infrastructure for advanced threats. The objective is
+management plan are identified;
-to track and disrupt cyber adversaries as early as possible in the attack sequence and to
+[c] A plan for managing supply chain risks associated with organizational systems and
-measurably improve the speed and accuracy of organizational responses. Indicators of
+system components is developed; and
-compromise are forensic artifacts from intrusions that are identified on organizational
+[d] The plan for managing supply chain risks is updated at least annually, and upon receipt
-systems at the host or network level and can include unusual network traffic, unusual file
+of relevant cyber threat information, or in response to a relevant cyber incident.
-changes, and the presence of malicious code. <br />
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-Threat hunting teams use existing threat intelligence and may create new threat information,
-which may be shared with peer organizations, Information Sharing and Analysis
+'''Examine <br />
+'''[SELECT FROM: Risk assessment policy; supply chain risk management plan; security
-Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant
+planning policy and procedures; procedures addressing organizational assessments of risk;
-government departments  and agencies. Threat indicators, signatures, tactics, techniques,
+security plan; risk assessment; risk assessment results; risk assessment reviews; risk
-procedures, and other indicators of compromise may be available via government and non-
+assessment updates; threat intelligence information; other relevant documents or records].
-government cooperatives, including Forum of Incident Response and Security Teams, United
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for information security;
-States Computer Emergency Response Team, Defense Industrial Base Cybersecurity
+organizational personnel responsible for risk assessments; organizational personnel
-Information Sharing Program, and CERT Coordination Center. <br />
+responsible for supply chain risk management].
-[NIST SP 800-30] provides guidance on threat and risk assessments, risk analyses, and risk
-modeling.  [NIST SP  800-160-2] provides guidance on systems security engineering and
+'''Test <br />
+'''[SELECT FROM: Automated mechanisms supporting, conducting, documenting, reviewing,
-cyber resiliency. [NIST SP 800-150] provides guidance on cyber threat information sharing.
+disseminating, and updating risk assessments].
-'''FURTHER DISCUSSION '''
+'''DISCUSSION [NIST SP 800-172] '''
-For this requirement, threat hunting is conducted on an on-going aperiodic basis. On-going
+The growing dependence on products, systems, and services from external providers, along
-aperiodic refers to activities that happen over and over but without an identifiable repeating
+with the nature of the relationships with those providers, present an increasing level of risk
-pattern over time. For threat hunting, on-going activities take place in an automated manner
+to an organization. Threat actions that may increase risk include the insertion or use of
-(e.g.,  collecting logs, automated analysis,  and  alerts).  Aperiodicity  includes humans
+counterfeits, unauthorized production, tampering, theft, insertion of malicious software and
-performing the hunt activities, which take place on an as-needed or as-planned basis. <br />
+hardware, and poor manufacturing and development practices in the supply chain. Supply
-APTs can penetrate an environment by means that defeat or avoid conventional monitoring
-methods  and  alert triggers—for example,  by using zero-day attacks.  Zero-day attacks
+chain risks can be endemic or systemic within a system element or component, a system, an
-become known only after the attack has happened and alerts are sent via threat intelligence
-feeds based on expert analysis. Because of the nature of zero-day attacks, automated alerts
-do not generally trigger when the event occurs but the activity is captured in system logs and
-forwarded for analysis and retention by the SIEM. Threat intelligence information is typically
-used by hunt teams to search SIEM systems, system event  and security logs, and other
-components to identify activity that has already taken place on an environment. The hunt
-team will identify systems related to the event(s) and pass the case to Incident Response
-team for action on the event(s). The hunt team will also use indicators to identify smaller
-components of an attack and search for that activity, which may help uncover a broader
+RA.L3-3.11.7e – Supply Chain Risk Plan
-attack on the environment. <br />
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-Threat hunting can also look for anomalous behavior or activity based on an organization’s
-normal pattern of activity.  Understanding  the roles and information flows within an
-organization can help identify activity that might be indicative of adversary behavior before
+''' '''
-the adversary completes their attack or mission.
+organization, a sector, or the Nation. Managing supply chain risk is a multifaceted
+undertaking that requires a coordinated effort across an organization to build trust
+relationships and communicate with both internal and external stakeholders. Supply chain
+risk management (SCRM) activities involve identifying and assessing risks, determining
+appropriate mitigating actions, developing SCRM plans to document selected mitigating
+actions, and monitoring performance against plans. SCRM plans address requirements for
+developing trustworthy, secure, and resilient systems and system components, including the
+application of the security design principles implemented as part of life cycle-based systems
+security engineering processes. <br />
+[NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
-RA.L3-3.11.2e – Threat Hunting
+'''FURTHER DISCUSSION '''
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+An organization is required to have a supply chain risk management plan that assesses and
+responds to the identified risks from those organizations that provide IT products or
-''' '''
+services, including any cloud or other third-party services with a role in the operation of the
-'''Example <br />
+system. The organization should be cognizant of services outside the scope of the system but
-'''You are the lead for your organization’s cyber threat hunting team.  You have local and
-remote staff on the team to process threat intelligence. Your team is tied closely with the SOC
+required for the operation of the system as part of their plan. Since the cyber environment
-and IR teams. Through a DoD (DC3) intelligence feed, you receive knowledge of a recent
+changes rapidly and continuously, it is equally important for the organization to update the
-APT’s attacks  on  defense  contractors.  The intelligence feed provided the indicators of
+plan in response to supply chain cyber incidents or emerging information.
-compromise for a zero-day attack that most likely started within the past month.  After
+'''Example <br />
+'''You are responsible for information security in your organization, and you have created a
-receiving the IOCs, you use a template for your organization to place the information in a
+supply chain risk management plan [a,b,c]. One of the organization’s suppliers determines
-standard format your team understands.  You  then  email the information to your team
+that it has been the victim of a cyberattack. Your security team meets with the supplier to
-members and place the information in your hunt team’s dashboard, which tracks all IOCs [a]. <br />
+determine the nature of the attack and to understand the adversary, the attack, the potential
-Your team starts by using the information to hunt for IOCs on the environment [b]. One of
-your team members quickly responds,  providing information  from the SIEM that an HR
+for corruption of delivered goods or services, and current as well as future risks. The
-system’s logs show evidence that IOCs related to this threat occurred three days ago. The
+understanding of the supply chain will help protect the local environment. Subsequently, you
-team contacts the owner of the system as they take the system offline into a quarantined
+update the risk management plan to include a description of the necessary configuration
-environment. Your team pulls all logs from the system and clones the storage on the system.
+changes or upgrades to monitoring tools to improve the ability to identify the new risks, and
-Members go through the logs to look for other systems that may be part of the APT’s attack
+when improved tools are available, you document the acquisition of defensive tools and
-[c]. While the team is cloning the storage system for evidence, you alert the IR team about
+associated functionality to help mitigate any of the identified techniques [d].
-the issue. After full forensics of the system, your team has verified your company has been
-hit by the APT, but nothing was taken and no additional attacks happened. You also alert DoD
-(DC3) about the finding and discuss the matter with them. There is an after action report and
-a briefing given to management to make them aware of the issue.
 '''Potential Assessment Considerations <br />
 '''•
-  Does the organization have a methodology for performing cyber threat hunting actions
+ Does the organization’s current supply chain risk management plan apply across the
+enterprise, or does it only apply to a limited portion of the supply chain [b]?
-[b,c]?
+'''KEY REFERENCES '''
 •
-  Has the organization defined all organizational  systems within scope of cyber threat
+  NIST SP 800-172 3.11.7e
-hunting, including valid and approved documentation for any organization systems that
-are not within scope [b,c]?
-•
-  Has  the organization identified a specific set of  individuals  to perform cyber threat
-hunting [b,c]?
-•
-  Does the threat hunting team have qualified staff members using the threat feed
-information [b,c]?
-•
+CA.L3-3.12.1e – Penetration Testing
-  Does the threat hunting team use  combinations of events to determine suspicious
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-behaviors [b,c]?
-•
+''' '''
-  Does the organization have a documented list of trusted threat feeds that are used by
+Security Assessment (CA) <br />
+'''CA.L3-3.12.1E – PENETRATION TESTING '''
-their cyber hunt teams as the latest indicators of compromise during their efforts [a]?
+Conduct penetration testing at least annually or when significant security changes are made
-•
+to the system, leveraging automated scanning tools and ad hoc tests using subject matter
-  Does the organization have a clear methodology for processing threat feed information
+experts.
-and turning it into actionable information they can use for their threat hunting approach
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-[a]?
+Determine if: <br />
+[a] Automated scanning tools are identified; <br />
+[b] Ad hoc tests using subject matter experts are identified; and <br />
+[c] Penetration testing is conducted at least annually or when significant security changes
-'''KEY REFERENCES '''
+are made to the system, leveraging automated scanning tools and ad hoc tests using
-•
+subject matter experts.
-  NIST SP 800-172 3.11.2e
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+'''Examine <br />
+'''[SELECT FROM: Security assessment policy; procedures addressing penetration testing;
+security plan; security assessment plan; penetration test report; security assessment report;
+security assessment evidence; other relevant documents or records].
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for security assessments; penetration
+testing team; system/network administrators; organizational personnel responsible for
+information security].
+'''Test <br />
+'''[SELECT FROM: Automated mechanisms supporting security assessments; automated
+mechanisms supporting penetration testing].
+'''DISCUSSION [NIST SP 800-172] '''
-RA.L3-3.11.3e – Advanced Risk Identification
+Penetration testing is a specialized type of assessment conducted on systems or individual
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+system components to identify vulnerabilities that could be exploited by adversaries.
+Penetration testing goes beyond automated vulnerability scanning. It is conducted by
-''' '''
+penetration testing agents and teams with particular skills and experience that include
-'''RA.L3-3.11.3E – ADVANCED RISK IDENTIFICATION '''
+technical expertise in network, operating system, and application-level security. Penetration
-Employ advanced automation and analytics capabilities in support of analysts to predict and
+testing can be used to validate vulnerabilities or determine a system’s penetration resistance
-identify risks to organizations, systems, and system components.
+to adversaries within specified constraints. Such constraints include time, resources, and
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[a] Advanced automation and analytics capabilities to predict and identify risks to
-organizations, systems, and system components are identified;
-[b] Analysts to predict and identify risks to organizations, systems, and system components
-are identified; and
-[c] Advanced automation and analytics capabilities are employed in support of analysts to
-predict and identify risks to organizations, systems, and system components.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
+CA.L3-3.12.1e – Penetration Testing
-'''[SELECT FROM: System and information integrity policy; risk assessment policy; security
-planning policy and procedures; procedures addressing organizational assessments of risk;
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-procedures addressing system monitoring; enterprise architecture documentation; system
-design documentation; system architecture and configuration documentation; system
+''' '''
-monitoring tools and techniques documentation; system configuration settings and
+skills. Organizations may also supplement penetration testing with red team exercises. Red
-associated documentation; system monitoring logs or records; system audit records;
+teams attempt to duplicate the actions of adversaries in carrying out attacks against
-security plan; risk assessment artifacts; risk assessment results; risk assessment reviews;
+organizations and provide an in-depth analysis of security-related weaknesses or
-risk assessment updates; other relevant documents or records].
+deficiencies. <br />
+Organizations can use the results of vulnerability analyses to support penetration testing
-'''Interview <br />
+activities. Penetration testing can be conducted internally or externally on the hardware,
-'''[SELECT FROM: Organizational personnel responsible for information security;
-organizational personnel responsible for risk assessments; risk analysts; system developers;
+software, or firmware components of a system and can exercise both physical and technical
-organizational personnel installing, configuring, and/or maintaining the system;
+controls. A standard method for penetration testing includes pretest analysis based on full
-organizational personnel responsible for monitoring; system/network administrators].
+knowledge of the system, pretest identification of potential vulnerabilities based on the
-'''Test <br />
+pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All
-'''[SELECT FROM: Automated mechanisms supporting and/or implementing risk analytics
-capabilities; automated mechanisms supporting and/or implementing system monitoring
+parties agree to the specified rules of engagement before the commencement of penetration
-capability; automated mechanisms supporting and/or implementing the discovery,
+testing. Organizations correlate the rules of engagement for penetration tests and red
-collection, distribution, and use of indicators of compromise; automated mechanisms for
+teaming exercises (if used) with the tools, techniques, and procedures that they anticipate
-conducting, documenting, reviewing, disseminating, and updating risk assessments].
+adversaries may employ. The penetration testing or red team exercises may be organization-
+based or external to the organization. In either case, it is important that the team possesses
+the necessary skills and resources to do the job and is objective in its assessment. <br />
+[NIST SP 800-53A] provides guidance on conducting security assessments.
+'''FURTHER DISCUSSION '''
+It is important that the organization has a repeatable penetration testing capability,
+regardless of who performs the penetration testing. This requirement entails performing
+tests against components of the organization’s architecture to identify cyber weaknesses and
+vulnerabilities. It does not mean everything in the architecture requires penetration testing.
+This requirement provides findings and mitigation strategies that benefit the organization
-RA.L3-3.11.3e – Advanced Risk Identification
+and help create a stronger environment against adversary efforts. It may be beneficial for
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+the organization to define the scope of penetration testing. The organization’s approach may
+involve hiring an expert penetration testing team to perform testing on behalf of the
-''' '''
+organization. When an organization has penetration testing performed, either by an internal
-'''DISCUSSION [NIST SP 800-172] '''
+team or external firm, they should establish rules of engagement and impose limits on what
-A properly resourced Security Operations Center (SOC) or Computer Incident Response
+can be performed by the penetration test team(s). <br />
+Ensuring the objectivity of the test team is important as well. Potential conflicts of interest,
-Team (CIRT) may be overwhelmed by the volume of information generated by the
+such as having internal testers report directly or indirectly to network defenders or an
-proliferation of security tools and appliances unless it employs advanced automation and
+external test team contracted by network defense leadership, must be carefully managed by
-analytics to analyze the data. Advanced automation and predictive analytics capabilities are
+organizational leadership. <br />
+Reports on the findings should be used by the organization to determine where to focus
-typically supported by artificial intelligence concepts and machine learning. Examples
+funding, staffing, training, or technical improvements for future mitigation strategies.
-include Automated Workflow Operations, Automated Threat Discovery and Response
-(which includes broad-based collection, context-based analysis, and adaptive response
-capabilities), and machine-assisted decision tools. <br />
-[NIST SP 800-30] provides guidance on risk assessments and risk analyses.
-'''FURTHER DISCUSSION '''
-Advanced automation includes tools to correlate and reduce the cyber data overload created
-by defensive tools, making the data understandable to the analyst. Automation also allows
-the defensive mechanisms to respond rapidly when adversary events are identified.
-Examples of such capabilities are SIEM; Security Orchestration, Automation, and Response
-(SOAR); and Extended Detection and Response (XDR) tools. An example of an automated
+CA.L3-3.12.1e – Penetration Testing
-rapid response action is a security alert being pushed to the SIEM while the organization’s
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+''' '''
+'''Example <br />
+'''You are responsible for information security in your organization. Leveraging a contract
-SOAR solution communicates to the network firewall to block communications to the remote
+managed by the CIO, you hire an external expert penetration team annually to test the
-system identified in the security alert. <br />
+security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same
-SIEM is  primarily a log collection tool intended to support data storage and analysis. It
-collects and sends alerts to security personnel for further investigation. SOAR is a software
+firm annually or on an ad hoc basis when significant changes are made to the architecture or
-stack that enables an organization to collect data about security threats and respond to
+components that affect security [b,c].
-security events without human assistance in order to improve security operations.
+'''Potential Assessment Considerations <br />
+'''•
-Orchestration connects and integrates disparate internal and external tools. Automation, fed
+ Does the organization have internal team members who possess the proper level of
-by the data and alerts collected from security orchestration, ingests and analyzes data and
+expertise to perform a valued penetration testing effort [b]?
-creates repeated, automated responses. SOAR incorporates these capabilities based on the
+•
-SIEM data and enables disparate security tools to coordinate with one another. SOAR can use
+ If the penetration testing is performed by an internal team, are the individuals
-artificial intelligence to predict and respond to similar future threats,  if such tools are
+performing the testing objectively [b]?
-employed. <br />
+•
-XDR streamlines security data ingestion, analysis, prevention, and remediation workflows
-across an organization’s entire security stack, providing a single console to view and act on
+ Is a penetration testing final report provided to the internal team responsible for
-threat data. However, the presence of these tools by themselves does not necessarily provide
+organizational defense?
-an advanced capability.  It is essential that the security team employ  critical thinking in
+•
-support of the intrusion detection and threat hunting processes.
+ If previous penetration tests have been conducted, can the organization provide samples
-'''Example <br />
+of penetration test plans, findings reports, and mitigation guidance based on the findings
-'''You are responsible for information security in your organization. The organization holds
-and processes CUI in an enterprise. To protect that data, you want to minimize phishing
+[a,b,c]?
-attacks through the use of Security Orchestration and Automated Response (SOAR). Rather
+'''KEY REFERENCES '''
-than relying on analysts to manually inspect each inbound item, emails containing links
+•
-and/or attachments are processed by your automation playbook. Implementation of these
+ NIST SP 800-172 3.12.1e
@@ Line 4,308: / Line 4,434: @@
-RA.L3-3.11.3e – Advanced Risk Identification
+SC.L3-3.13.4e – isolation
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-processes involves sending all email links and attachments to detonation chambers or
+System and Communications Protection (SC) <br />
+'''SC.L3-3.13.4E – ISOLATION '''
-sandboxes prior to delivery to the recipient. When the email is received, SOAR extracts all
+Employ physical isolation techniques or logical isolation techniques or both in organizational
-URL links and attachments from the content and sends them for analysis and testing [a]. The
+systems and system components.
-domains in the URLs and the full URLs are processed against bad domain and URL lists. Next,
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-a browser in a sandbox downloads the URLs for malware testing. Lastly, any attachments are
+Determine if: <br />
+[ODP1] One or more of the following is/are selected: physical isolation techniques;
-sent to detonation chambers to identify if they attempt malicious activities. The hash of the
+logical isolation techniques; <br />
+[ODP2] Physical isolation techniques are defined (if selected); <br />
+[ODP3] Logical isolation techniques are defined (if selected); <br />
+[a] Physical isolation techniques or logical isolation techniques or both are employed in
-attachments is sent to services to identify if it is known malware [b]. If any one of the items
+organizational systems and system components.
-triggers a malware warning from the sandbox, detonation chamber, domain/URL validation
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-service, attachment hash check services, or AV software, an alert about the original email is
+'''Examine <br />
+'''[SELECT FROM: System and communications protection policy; procedures addressing
-sent to team members with the recommendation to quarantine it. The team is given the
+boundary protection; system design documentation; procedures addressing the use of thin
-opportunity to select a  “take action” button,  which would have the SOAR solution take
+nodes; list of key internal boundaries of the system; security plan; boundary protection
-actions to block that email and similar emails from being received by the organization [c].
+hardware and software; system configuration settings and associated documentation;
-'''Potential Assessment Considerations <br />
+enterprise architecture documentation; system architecture; security architecture
-'''•
-  Has the organization implemented a security information and event management system
+documentation; system audit records; system component inventory; list of security tools and
-[a,c]?
+support components to be isolated from other system components; other relevant
-•
+documents or records].
-  Has the organization implemented security orchestration, automation,  and response
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for information security;
-tools [a,b,c]?
+system/network administrators; system developers; organizational personnel responsible
-•
+for boundary protection].
-  Does the organization use automated  processing  integrated with the  SIEM system  to
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing the boundary protection capability; mechanisms
-perform analytics [c]?
+implementing physical isolation techniques; mechanisms supporting and/or implementing
-•
+the isolation of information security tools, mechanisms, and support components;
-  Can the organization demonstrate use  of relevant threat data to inform detection
+mechanisms supporting and/or implementing the capability to separate system components
-methods that in turn provide automated alerts/recommendations [c]?
+supporting organizational missions and business functions; mechanisms implementing
-•
-  Has the organization implemented an extended detection capability [c]?
-•
-  Does the organization have the ability to merge traditional cyber data, such as network
-packet captures (e.g., PCAP), or process logs with enrichment data, such as reputation or
-categorization data [c]?
-•
-  Can the organization provide examples of both basic and emerging  analytics used to
-analyze alert anomalies, e.g., both simple queries and unsupervised machine learning
+SC.L3-3.13.4e – isolation
-algorithms  that  both improve their effectiveness and automatically filter, reduce, or
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-enrich alerting capabilities [c]?
-'''KEY REFERENCES '''
+''' '''
-•
+logical isolation techniques; mechanisms supporting or implementing separate network
-  NIST SP 800-172 3.11.3e
+addresses/different subnets; mechanisms supporting and/or implementing thin nodes].
+'''DISCUSSION [NIST SP 800-172] '''
-''' '''
+A mix of physical and logical isolation techniques (described below) implemented as part of
+the system architecture can limit the unauthorized flow of CUI, reduce the system attack
+surface, constrain the number of system components that must be secure, and impede the
+movement of an adversary. When implemented with a set of managed interfaces, physical
+and logical isolation techniques for organizational systems and components can isolate CUI
+into separate security domains where additional protections can be implemented. Any
+communications across the managed interfaces (i.e., across security domains), including for
+management or administrative purposes, constitutes remote access even if the
+communications remain within the organization. Separating system components with
-RA.L3-3.11.4e – Security Solution Rationale
+boundary protection mechanisms allows for the increased protection of individual
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+components and more effective control of information flows between those components.
+This enhanced protection limits the potential harm from and susceptibility to hostile cyber-
-''' '''
+attacks and errors. The degree of isolation can vary depending on the boundary protection
-'''RA.L3-3.11.4E – SECURITY SOLUTION RATIONALE '''
+mechanisms selected. Boundary protection mechanisms include routers, gateways, and
-Document or reference in the system security plan the security solution selected, the
+firewalls separating system components into physically separate networks or subnetworks;
-rationale for the security solution, and the risk determination.
+virtualization and micro-virtualization techniques; encrypting information flows among
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
+system components using distinct encryption keys; cross-domain devices separating
-Determine if: <br />
+subnetworks; and complete physical separation (i.e., air gaps). <br />
-[a] The system security plan documents or references the security solution selected; <br />
+System architectures include logical isolation, partial physical and logical isolation, or
-[b] The system security plan documents or references the rationale for the security solution;
-and
+complete physical isolation between subsystems and at system boundaries between
-[c] The system security plan documents or references the risk determination.
+resources that store, process, transmit, or protect CUI and other resources. Examples
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+include: <br />
+•
-'''Examine <br />
+ Logical isolation: Data tagging, digital rights management (DRM), and data loss
-'''[SELECT FROM: system security plan; records of security plan reviews and updates; system
-design documentation; security planning policy; procedures addressing security plan
+prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines or
-development; procedures addressing security plan reviews and updates; enterprise
+containers that separate CUI and other information on hosts; and virtual local area
-architecture documentation; enterprise  security architecture documentation; system
+networks (VLAN) that keep CUI and other information separate on networks.
-interconnection security agreements and other information exchange agreements; other
+•
-relevant documents or records].
+ Partial physical and logical isolation: Physically or cryptographically isolated networks,
-'''Interview <br />
+dedicated hardware in data centers, and secure clients that (a) may not directly access
-'''[SELECT FROM: Organizational personnel responsible for information security;
-organizational personnel responsible for developing, implementing, or approving system
+resources outside of the domain (i.e., all applications with cross-enclave connectivity
-interconnection and information exchange agreements; personnel managing the systems to
+execute as remote virtual applications hosted in a demilitarized zone [DMZ] or internal
-which the Interconnection Security Agreement/Information Exchange Agreement applies;
+and protected enclave), (b) access via remote virtualized applications or virtual desktop
-system developers; organizational personnel responsible for security planning and plan
+with no file transfer capability other than with dual authorization, or (c) employ
-implementation; organizational personnel responsible for boundary protection; system
+dedicated client hardware (e.g., a zero or thin client) or hardware approved for multi-
-developers; system/network administrators].
+level secure (MLS) usage.
-'''Test <br />
+•
-'''[SELECT FROM: Organizational processes for security plan development, review, update,
-and approval].
+ Complete physical isolation: Dedicated (not shared) client and server hardware;
-'''DISCUSSION [NIST SP 800-172] '''
+physically isolated, stand-alone enclaves for clients and servers; and (a) logically
-System security plans relate security requirements to a set of security controls and solutions.
+separate network traffic (e.g., using a VLAN) with end-to-end encryption using Public Key
-The plans describe how the controls and solutions meet the security requirements. For the
-enhanced security requirements selected when the APT is a concern,  the security plan
-provides traceability between threat and risk assessments and the risk-based selection of a
-security solution, including discussion of relevant analyses of alternatives and rationale for
+Infrastructure (PKI)-based cryptography or (b) physical isolation from other networks.
@@ Line 4,486: / Line 4,610: @@
-RA.L3-3.11.4e – Security Solution Rationale
+SC.L3-3.13.4e – isolation
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-key security-relevant architectural and design decisions. This level of detail is important as
+Isolation techniques are selected based on a risk management perspective that balances the
-the threat changes, requiring reassessment of the risk and the basis for previous security
+threat, the information being protected, and the cost of the options for protection.
-decisions. <br />
+Architectural and design decisions are guided and informed by the security requirements
-When incorporating external service providers into the system security plan, organizations
-state the type of service provided (e.g., software as a service, platform as a service), the point
+and selected solutions. Organizations consider the trustworthiness of the isolation
-and type of connections  (including ports and protocols), the nature and type of the
+techniques employed (e.g., the logical isolation relies on information technology that could
-information flows to and from the service provider, and the security controls implemented
+be considered a high value target because of the function being performed), introducing its
-by the service provider. For safety critical systems, organizations document situations for
+own set of vulnerabilities. <br />
+[NIST SP 800-160-1] provides guidance on developing trustworthy, secure, and cyber
-which safety is the primary reason for not implementing a security solution (i.e., the solution
+resilient systems using systems security engineering practices and security design concepts.
-is appropriate to address the threat but causes a safety concern). <br />
+'''FURTHER DISCUSSION '''
-[NIST SP 800-18] provides guidance on the development of system security plans.
-'''FURTHER DISCUSSION '''
+For this requirement, organizations must identify the systems or enclaves that need to be
-The System Security Plan (SSP) is a fundamental component of an organization’s security
+isolated, then design and implement the isolation. The resulting isolation solutions are
-posture. When solutions for implementing a requirement have differing levels of capabilities
+documented or referenced in the SSP. Documentation will be dependent on the design
-associated with their implementation, it is essential that the plan specifically document the
+selected and may include a high-level diagram, but specific details that may change on some
-rationale for the selected solution and what was acquired for the implementation.  This
+frequency would be omitted. During an assessment, providing details such as subnet and
-information allows the organization to monitor the environment for threat changes and
+VLAN implementation identifiers, internal boundary protection hardware and software,
-identify which solutions may no longer be applicable. While not required, it may also be
+interface device functionality, and system configuration and Access Control List (ACL)
-useful to document alternative solutions reviewed and differing levels of risk associated with
+settings will be useful.
-each alternative, as that information may facilitate future analyses when the threat changes.
+'''Example <br />
+'''You are responsible for information security in your organization, which holds and
-In addition to the implementations required for Level 2 certification, which may not be risk
+processes CUI. You have decided to isolate the systems processing CUI by limiting all
-based, at Level 3, the SSP must carefully document the link between the assessed threat and
+communications in and out that enclave with cross-domain interface devices that implement
-the risk-based selection of a security solution for the enhanced security requirements (i.e.,
+access control [a]. Your security team has identified all the systems containing such CUI,
-all CMMC L3 requirements derived from NIST SP 800-172).
+documented network design details, developed network diagrams showing access control
-'''Example <br />
+points, documented the logic for the access control enforcement decisions, described the
-'''You are responsible for information security in your organization. Following CMMC
-requirement  RA.L3-3.11.1e  –  ''Threat Informed Risk Assessment'',  your team uses threat
+interface and protocol to the identification and authentication mechanisms, and documented
-intelligence to complete a risk assessment and make a risk determination for all elements of
+all details associated with the ACLs, including review, updates, and credential revocation
-your enterprise.  Based on that view of risk, your team decides that requirement
+procedures.
-RA.L3-3.11.2e – ''Threat Hunting'' is a requirement that is very important in protecting your
+'''Potential Assessment Considerations <br />
+'''•
-organization’s use of CUI, and you have determined the solution selected could potentially
+ Has the organization clearly identified where they use physical, logical, or both isolation
-add risk. You want to detect an adversary as soon as possible when they breach the network
+techniques [a]?
-before any CUI can be exfiltrated. However, there are multiple threat hunting solutions, and
+•
-each solution has a different set of features that will provide different success rates in
+ Can the organization describe the isolation techniques they have employed [a]?
-identifying IOCs. <br />
+•
-As a result, some solutions increase the risk to the organization by being less capable in
-detecting and tracking an adversary in your networks. To reduce risk, you evaluate five
+ Has the organization deployed subnetting, internal firewalls, and VLANs to control
-threat hunting solutions and in each case determine the number of IOCs for which there is a
+packet flow between internal segments [a]?
-monitoring mechanism. You pick the solution that is cost effective, easy to operate, and
+•
-optimizes IOC detection for your enterprise; purchase, install, and train SOC personnel on its
+ Does the organization employ metadata to inform isolation techniques [a]?
-use; and document the risk-based analysis  of  alternatives in the SSP. In creating that
+'''KEY REFERENCES '''
+•
+ NIST SP 800-172 3.13.4e
@@ Line 4,581: / Line 4,708: @@
-RA.L3-3.11.4e – Security Solution Rationale
+SI.L3-3.14.1e – Integrity Verification
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-documentation in the SSP, you follow the guidance found in NIST  SP 800-18,  ''Guide for ''
+System and Information Integrity (SI) <br />
+'''SI.L3-3.14.1E – INTEGRITY VERIFICATION '''
-''Developing Security Plans for Federal Information Systems'' [a,b,c].
+Verify the integrity of security critical and essential software using root of trust mechanisms
-'''Potential Assessment Considerations <br />
+or cryptographic signatures.
-'''•
-  Has the organization completed a risk assessment and made a risk determinations for
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-enterprise components that need to be protected [c]?
+Determine if: <br />
+[ODP1] Security critical or essential software is defined; <br />
+[a] Root of trust mechanisms or cryptographic signatures are identified; and <br />
+[b] The integrity of security critical and essential software is verified using root of trust
-•
+mechanisms or cryptographic signatures.
-  Can the organization identify what is being protected and explain why specific protection
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-solutions were selected [a,b]?
+'''Examine <br />
+'''[SELECT FROM: System and information integrity policy; procedures addressing software,
-•
+firmware, and information integrity; system design documentation; security plan; system
-  Have all the decisions been documented in the SSP [a,b,c]?
+configuration settings and associated documentation; system component inventory;
-'''KEY REFERENCES '''
+integrity verification tools and associated documentation; records of integrity verification
-•
+scans; system audit records; cryptographic mechanisms and associated documentation;
-  NIST SP 800-172 3.11.4e
+records of detected unauthorized changes to software, firmware, and information; other
+relevant documents or records].
-''' '''
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for information security;
+organizational personnel responsible for software, firmware, and/or information integrity;
+system developers; system/network administrators].
+'''Test <br />
+'''[SELECT FROM: Software, firmware, and information integrity verification tools;
+mechanisms supporting and/or implementing integrity verification of the boot process;
+mechanisms supporting and/or implementing protection of the integrity of boot firmware;
+cryptographic mechanisms implementing software, firmware, and information integrity;
+safeguards implementing protection of the integrity of boot firmware].
-RA.L3-3.11.5e – Security Solution Effectiveness
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-'''RA.L3-3.11.5E – SECURITY SOLUTION EFFECTIVENESS '''
-Assess the effectiveness of security solutions at least annually or upon receipt of relevant
-cyber threat information, or in response to a relevant cyber incident, to address anticipated
-risk to organizational systems and the organization based on current and accumulated threat
+SI.L3-3.14.1e – Integrity Verification
-intelligence.
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
+''' '''
-[a] Security solutions are identified; <br />
-[b] Current and accumulated threat intelligence is identified; <br />
-[c] Anticipated risk to organizational systems and the organization based on current and
-accumulated threat intelligence is identified; and
+'''DISCUSSION [NIST SP 800-172] '''
-[d] The effectiveness of security solutions is assessed at least annually or upon receipt of
+Verifying the integrity of the organization’s security-critical or essential software is an
-relevant cyber threat information, or in response to a relevant cyber incident, to address
+important capability since corrupted software is the primary attack vector used by
-anticipated risk to organizational systems and the organization based on current and
+adversaries to undermine or disrupt the proper functioning of organizational systems. There
-accumulated threat intelligence.
+are many ways to verify software integrity throughout the system development life cycle.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
+Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible
-'''Examine <br />
+Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes.
-'''[SELECT FROM: Risk assessment policy; security planning policy and procedures; security
-assessment policy and procedures; security assessment plans; security assessment results;
+This capability helps system components protect the integrity of boot firmware in
-procedures addressing organizational assessments of risk; security plan; risk assessment;
+organizational systems by verifying the integrity and authenticity of updates to the firmware
-risk assessment results; risk assessment reviews; risk assessment updates; threat
+prior to applying changes to the system component and preventing unauthorized processes
-intelligence information; other relevant documents or records].
+from modifying the boot firmware. The employment of cryptographic signatures ensures the
-'''Interview <br />
+integrity and authenticity of critical and essential software that stores, processes, or
-'''[SELECT FROM: Organizational personnel responsible for security assessments;
-organizational personnel responsible for risk assessments; organizational personnel
+transmits, CUI. Cryptographic signatures include digital signatures and the computation and
-responsible for threat analysis; organizational personnel responsible for information
+application of signed hashes using asymmetric cryptography, protecting the confidentiality
-security].
+of the key used to generate the hash, and using the public key to verify the hash information.
-'''Test <br />
+Hardware roots of trust are considered to be more secure. This requirement supports 3.4.1e
-'''[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,
-disseminating, and updating risk assessments; mechanisms supporting and/or
+and 3.4.3.e. <br />
+[FIPS 140-3] provides security requirements for cryptographic modules. [FIPS 180-4] and
-implementing security assessments].
+[FIPS 202] provide secure hash standards. [FIPS 186-4] provides a digital signature
+standard. [NIST SP 800-147] provides BIOS protection guidance. [NIST TRUST] provides
+guidance on the roots of trust project.
+'''FURTHER DISCUSSION '''
+Organizations verify the integrity of security critical and essential software every time that
+software is executed. Secure boot mechanisms for firmware and a cryptographically
+protected boot chain ensure the integrity of the operating system (OS) and security critical
+software, and cryptographic techniques ensure the essential software has not been
+tampered with after development prior to execution. If software is itself considered to be
-RA.L3-3.11.5e – Security Solution Effectiveness
+CUI or if it uses CUI, this requirement ensures it has not been compromised. <br />
+Software and information integrity verification tools can help check the integrity during the
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+development process for those organizations developing software. As critical software is
+updated, the integrity of any configuration data and the software must result in updated
-''' '''
+signatures and an ongoing verification process. <br />
+Operating systems include mechanisms to validate digital signatures for installed software.
-'''DISCUSSION [NIST SP 800-172] '''
+Most software packages use signatures to prove the integrity of the provided software, and
-Threat awareness and risk assessment of the organization are dynamic, continuous, and
+the organization should leverage these capabilities. Similarly, most hardware appliance
-inform system operations, security requirements for the system, and the security solutions
+vendors have secure boot checks in place for their devices and built-in features that check
-employed to meet those requirements. Threat intelligence (i.e., threat information that has
+the digital signature of an upgrade/update package before they allow an upgrade to take
-been aggregated, transformed, analyzed, interpreted, or enriched to help provide the
+place. For locally developed software, the organization should sign the software to ensure its
-necessary context for decision making) is infused into the risk assessment processes and
+integrity.
-information security operations of the organization to identify any changes required to
-address the dynamic threat environment. <br />
-[NIST SP  800-30] provides guidance on risk assessments, threat assessments, and risk
-analyses.
-'''FURTHER DISCUSSION '''
-This requirement requires the organization to analyze threat intelligence and consider the
-effectiveness of currently deployed cybersecurity solutions against existing, new, and
-emerging threats. The goal is to understand the risk to the systems and the organization
-based on threat intelligence and to make adjustments to security solutions to reduce the risk
-to an acceptable level. Analysis of solutions should include analysis of operational system
+SI.L3-3.14.1e – Integrity Verification
-settings of the deployed systems and not be solely a conceptual capability analysis. This
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-analysis includes verifying configuration settings are configured as desired by the
-organization and have not been changed over time. <br />
+''' '''
-Threat information can be thought of as raw data that may be limited in terms of evaluating
-the effectiveness of controls across the enterprise. For example, knowledge of a threat that
+'''Example 1 <br />
+'''You are responsible for information security in your organization. Your security team has
-has not been correlated with other threats may result in evaluation of an implementation
+identified the software used to process CUI, and the organization has decided it is mission-
-that only provides partial protection for one set of systems when, in fact, the emerging threat
+critical software that must be protected. You take three actions. First, you ensure all of the
-is applicable to the entire enterprise. Large organizations may also have the resources to
+platform’s configuration information used at boot is hashed and stored in a TPM [a]. Second,
-aggregate, transform, analyze, correlate, interpret, and enrich information to support
+you ensure that the platforms used to execute the software are started with a digitally signed
-decision-making about adequacy of existing security mechanisms and methods.
+software chain to a secure boot process using the TPM. Finally, you ensure the essential
-'''Example <br />
+applications are cryptographically protected with a digital signature when stored and the
-'''You are responsible for information security in your organization, which holds and
-processes CUI. The organization subscribes to multiple threat intelligence sources [b]. In
+signature is verified prior to execution [b].
-order to assess the effectiveness of current security solutions, the security team analyzes any
+'''Example 2 <br />
+'''Your organization has a software security team, and they are required to validate unsigned
-new incidents reported in the threat feed. They identify weaknesses that were leveraged by
+essential software provided to systems that do not have TPM modules. The organization has
-malicious actors and subsequently look for similar weaknesses in their own security
+a policy stating no software can be executed on a system unless its hash value matches that
-architecture[a,c]. This analysis is passed to the architecture team for engineering change
+of a hash stored in the approved software library kept by the software security team [a]. This
-recommendations, including system patching guidance, new sensors, and associated alerts
+action is performed by implementing software restriction policies on systems. The team
-that should be generated, and to identify ways to mitigate, transfer, or accept the risk
+tests the software on a sandbox system, and once it is proven safe, they run a hashing
-necessary to respond to events if they occur within their own organization [d].
+function on the software to create a hash value. This hash value is placed in a software library
+so the system will know it can execute the software [b]. Any changes to the software without
+the software security team’s approval will result in the software failing the security tests,
+and it will be prevented from executing.
+'''Potential Assessment Considerations <br />
+'''•
+ Does the organization use cryptographic signatures to ensure the integrity and
+authenticity of critical and essential software and data [b]?
+•
+ Has the organization identified those devices that require integrity verification of the
+boot process [a]?
-RA.L3-3.11.5e – Security Solution Effectiveness
+•
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+ Does the organization use a TPM to store hashes of pre-run time configuration
+parameters for those systems [b]?
-''' '''
+•
-'''Potential Assessment Considerations <br />
+ Does the organization leverage the TPM configuration hash to verify the hardware and
-'''•
-  Does the organization make adjustments during an incident or operational
+software configuration is unchanged in order to determine that a system is trustworthy
-improvements after an incident has occurred [d]?
+before running mission-essential applications [b,c]?
 •
-  Has the organization implemented an analytical process to assess the effectiveness of
+ Does the organization use the TPM for remote attestation to determine to which extent
-security solutions against new or compiled threat intelligence [b,c,d]?
+information can be trusted from another system [b,c]?
 •
-  Has the organization implemented  a process to identify if an operational security
+ Has the organization identified devices requiring organization-defined security
-solution fails to contribute to the protections needed against specific adversarial actions
+safeguards that must be implemented to protect the integrity of boot firmware [a]?
+•
-based on new threat intelligence [a,b,c,d]?
+ Has the organization defined security safeguards that will be implemented to protect the
-'''KEY REFERENCES '''
+integrity of boot firmware in mission-essential devices [a]?
 •
-  NIST SP 800-172 3.11.5e
+ Has the organization implemented organization-defined security safeguards to protect
+the integrity of boot firmware in organization-defined essential devices [b]?
-''' '''
@@ Line 4,836: / Line 4,974: @@
-RA.L3-3.11.6e – Supply Chain Risk Response
+SI.L3-3.14.1e – Integrity Verification
 '''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
 ''' '''
-'''RA.L3-3.11.6E – SUPPLY CHAIN RISK RESPONSE '''
+'''KEY REFERENCES '''
-Assess, respond to, and monitor supply chain risks associated with organizational systems
+•
-and system components.
+ NIST SP 800-172 3.14.1e
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
+''' '''
-[a] Supply chain risks associated with organizational systems and system components are
-identified;
-[b] Supply chain risks associated with organizational systems and system components are
-assessed;
-[c] Supply chain risks associated with organizational systems and system components are
-responded to; and
-[d] Supply chain risks associated with organizational systems and system components are
-monitored.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
+SI.L3-3.14.3e – Specialized Asset Security
-'''[SELECT FROM: Risk assessment policy; procedures addressing organizational assessments
-of risk; security planning policy and procedures; supply chain risk management plan;
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-security plan; risk assessment; risk assessment results; risk assessment reviews; risk
-assessment updates; threat intelligence information; other relevant documents or records].
+''' '''
-'''Interview <br />
+'''SI.L3-3.14.3E – SPECIALIZED ASSET SECURITY '''
-'''[SELECT FROM: Organizational personnel responsible for information security;
-organizational personnel responsible for risk assessments; organizational personnel
+Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems
-responsible for supply chain risk management].
+and test equipment are included in the scope of the specified enhanced security
-'''Test <br />
+requirements or are segregated in purpose-specific networks.
-'''[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing,
-disseminating, and updating risk assessments].
+'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-'''DISCUSSION [NIST SP 800-172] '''
+Determine if: <br />
+[a] Specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test
-Supply chain events include disruption, use of defective components, insertion of
+equipment are included in the scope of the specified enhanced security requirements;
-counterfeits, theft, malicious development practices, improper delivery practices, and
+and
-insertion of malicious code. These events can have a significant impact on a system and its
+[b] Systems and system components that are not included in specialized assets including IoT,
-information and, therefore, can also adversely impact organizational operations (i.e.,
+IIoT, OT, GFE, Restricted Information Systems and test equipment are segregated in
-mission, functions, image, or reputation), organizational assets, individuals, other
+purpose-specific networks.
-organizations, and the Nation. The supply chain-related events may be unintentional or
+'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-malicious and can occur at any point during the system life cycle. An analysis of supply chain
+'''Examine <br />
+'''[SELECT FROM: Access control policy; information flow control policies; system and services
+acquisition policy; system and communications protection policy; procedures addressing
+security function isolation; procedures addressing application partitioning; procedures
+addressing security engineering principles used in the specification, design, development,
+implementation, and modification of the system; procedures addressing information flow
+enforcement; procedures addressing access enforcement; system architecture; system
+design documentation; security plan; system component inventory; system configuration
+settings and associated documentation; system baseline configuration; list of security
+functions to be isolated from non-security functions; system audit records; security
-RA.L3-3.11.6e – Supply Chain Risk Response
+requirements and specifications for the system; list of approved authorizations (user
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+privileges); list of information flow authorizations; other relevant documents or records].
+'''Interview <br />
+'''[SELECT FROM: Organizational personnel responsible for access enforcement;
-''' '''
+system/network administrators; organizational personnel responsible for information
-risk can help an organization identify systems or components for which additional supply
+security; system developers; system integrators; organizational personnel responsible for
-chain risk mitigations are required. <br />
+acquisition/contracting; organizational personnel responsible for determining system
-[NIST SP  800-30] provides guidance on risk assessments, threat assessments, and risk
-analyses. [NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
+security requirements; system security architects; enterprise architects; organizational
-'''FURTHER DISCUSSION '''
+personnel responsible for system specification, design, development, implementation, and
-Organizations will have varying policies, definitions, and actions for this requirement. It is
+modification].
-important for a single organization to be consistent and to build a process that makes sense
+'''Test <br />
+'''[SELECT FROM: Mechanisms implementing the access control policy; mechanisms
-for their organization, strategy, unique supply chain, and the technologies available to them.
+implementing the information flow enforcement policy; mechanisms supporting the
-'''Example ''' <br />
-You are responsible for information security in your organization,  which holds and
-processes CUI. One of your responsibilities is to manage risk associated with your supply
-chain that may provide an entry point for the adversary. First, you acquire threat information
-by subscribing to reports that identify supply chain attacks in enough detail that you are able
-to identify the risk points in your organization’s supply chain [a]. You create an organization-
-defined prioritized list of risks the organization may encounter and determine the responses
-to be implemented to mitigate those risks [b,c]. <br />
-In addition to incident information, the intelligence provider also makes recommendations
-for monitoring and auditing your supply chain. You assess, integrate, correlate, and analyze
-this information so you can use it to acquire monitoring tools to help identify supply chain
+SI.L3-3.14.3e – Specialized Asset Security
-events that could be an indicator of an incident. This monitoring tool provides visibility of
+'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-the entire attack surface, including your vendors’ security posture [d]. Second, you analyze
-the incident information in the intelligence report to help identify defensive tools that will
+''' '''
-help respond to each of those known supply chain attack techniques as soon as possible after
+application of security engineering principles in system specification, design, development,
-such an incident is detected, thus mitigating risk associated with known techniques.
+implementation, and modification].
-'''Potential Assessment Considerations <br />
+'''DISCUSSION [NIST SP 800-172] '''
-'''•
-  Has the organization prioritized risks to the supply chain [a,b]?
+Organizations may have a variety of systems and system components in their inventory,
-•
+including Information Technology (IT), Internet of Things (IoT), Operational Technology
-  Does the organization have viable service-level agreements that describe and enable
+(OT), and Industrial Internet of Things (IIoT). The convergence of IT, OT, IoT, and IIoT
-responses to supply chain incidents [c,d]?
+significantly increases the attack surface of organizations and provides attack vectors that
-'''KEY REFERENCES '''
+are challenging to address. Compromised IoT, OT, and IIoT system components can serve as
-•
+launching points for attacks on organizational IT systems that handle CUI. Some IoT, OT, and
-  NIST SP 800-172 3.11.6e
+IIoT system components can store, transmit, or process CUI (e.g., specifications or
+parameters for objects manufactured in support of critical programs). Most of the current
-''' '''
+generation of IoT, OT, and IIoT system components are not designed with security as a
+foundational property and may not be able to be configured to support security functionality.
+Connections to and from such system components are generally not encrypted, do not
+provide the necessary authentication, are not monitored, and are not logged. Therefore,
+these components pose a significant cyber threat. Gaps in IoT, OT, and IIoT security
+capabilities may be addressed by employing intermediary system components that can
+provide encryption, authentication, security scanning, and logging capabilities—thus,
+preventing the components from being accessible from the Internet. However, such
+mitigation options are not always available or practicable. The situation is further
-RA.L3-3.11.7e – Supply Chain Risk Plan
+complicated because some of the IoT, OT, and IIoT devices may be needed for essential
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
+missions and business functions. In those instances, it is necessary for such devices to be
+isolated from the Internet to reduce the susceptibility to cyber-attacks. <br />
+[NIST SP 800-160-1] provides guidance on security engineering practices and security
-''' '''
+design concepts.
-'''RA.L3-3.11.7E – SUPPLY CHAIN RISK PLAN '''
+'''FURTHER DISCUSSION '''
-Develop a plan for managing supply chain risks associated with organizational systems and
-system components; update the plan at least annually, and upon receipt of relevant cyber
-threat information, or in response to a relevant cyber incident.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[a] Supply chain risks associated with organizational systems and system components are
-identified;
-[b] Organizational systems and system components to include in a supply chain risk
-management plan are identified;
-[c] A plan for managing supply chain risks associated with organizational systems and
-system components is developed; and
-[d] The plan for managing supply chain risks is updated at least annually, and upon receipt
-of relevant cyber threat information, or in response to a relevant cyber incident.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
-'''[SELECT FROM: Risk assessment policy; supply chain risk management plan; security
-planning policy and procedures; procedures addressing organizational assessments of risk;
-security plan; risk assessment; risk assessment results; risk assessment reviews; risk
-assessment updates; threat intelligence information; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Organizational personnel responsible for information security;
-organizational personnel responsible for risk assessments; organizational personnel
-responsible for supply chain risk management].
-'''Test <br />
-'''[SELECT FROM: Automated mechanisms supporting, conducting, documenting, reviewing,
-disseminating, and updating risk assessments].
-'''DISCUSSION [NIST SP 800-172] '''
-The growing dependence on products, systems, and services from external providers, along
-with the nature of the relationships with those providers, present an increasing level of risk
-to an organization. Threat actions that  may increase risk include the insertion or use of
-counterfeits, unauthorized production, tampering, theft, insertion of malicious software and
-hardware, and poor manufacturing and development practices in the supply chain. Supply
-chain risks can be endemic or systemic within a system element or component, a system, an
-RA.L3-3.11.7e – Supply Chain Risk Plan
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-organization, a sector, or the Nation. Managing supply chain risk is a multifaceted
-undertaking that requires a coordinated effort across an organization to build trust
-relationships and communicate with both internal and external stakeholders. Supply chain
-risk management (SCRM) activities involve identifying and assessing risks, determining
-appropriate mitigating actions, developing SCRM plans to document selected mitigating
-actions, and monitoring performance against plans. SCRM plans address requirements for
-developing trustworthy, secure, and resilient systems and system components, including the
-application of the security design principles implemented as part of life cycle-based systems
-security engineering processes. <br />
-[NIST SP 800-161 Rev. 1] provides guidance on supply chain risk management.
-'''FURTHER DISCUSSION '''
-An organization is required to have a supply chain risk management plan that assesses and
-responds to the identified risks from those organizations that provide IT products or
-services, including any cloud or other third-party services with a role in the operation of the
-system. The organization should be cognizant of services outside the scope of the system but
-required for the operation of the system as part of their plan. Since the cyber environment
-changes rapidly and continuously, it is equally important for the organization to update the
-plan in response to supply chain cyber incidents or emerging information.
-'''Example <br />
-'''You are responsible for information security in your organization, and you have created a
-supply chain risk management plan [a,b,c]. One of the organization’s suppliers determines
-that it has been the victim of a cyberattack. Your security team meets with the supplier to
-determine the nature of the attack and to understand the adversary, the attack, the potential
-for corruption of delivered goods or services, and  current as well as future risks.  The
-understanding of the supply chain will help protect the local environment. Subsequently, you
-update the risk management plan to include a description of the necessary configuration
-changes or upgrades to monitoring tools to improve the ability to identify the new risks, and
-when  improved tools are available, you document the acquisition of defensive tools  and
-associated functionality to help mitigate any of the identified techniques [d].
-'''Potential Assessment Considerations <br />
-'''•
-  Does the organization’s current supply chain risk management plan apply across the
-enterprise, or does it only apply to a limited portion of the supply chain [b]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.11.7e
-CA.L3-3.12.1e – Penetration Testing
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-Security Assessment (CA) <br />
-'''CA.L3-3.12.1E – PENETRATION TESTING '''
-Conduct penetration testing at least annually or when significant security changes are made
-to the system, leveraging automated scanning tools and ad hoc tests using subject matter
-experts.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[a] Automated scanning tools are identified; <br />
-[b] Ad hoc tests using subject matter experts are identified; and <br />
-[c] Penetration testing is conducted at least annually or when significant security changes
-are made to the system,  leveraging automated scanning tools and ad hoc tests using
-subject matter experts.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
-'''[SELECT FROM: Security assessment policy; procedures addressing penetration testing;
-security plan; security assessment plan; penetration test report; security assessment report;
-security assessment evidence; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Organizational personnel responsible for security assessments; penetration
-testing team; system/network administrators; organizational personnel responsible for
-information security].
-'''Test <br />
-'''[SELECT FROM: Automated mechanisms supporting security assessments; automated
-mechanisms supporting penetration testing].
-'''DISCUSSION [NIST SP 800-172] '''
-Penetration testing is a specialized type of assessment conducted on systems or individual
-system components to identify vulnerabilities that could be exploited by adversaries.
-Penetration testing goes beyond automated vulnerability scanning. It is conducted by
-penetration testing agents and teams with particular skills and experience that include
-technical expertise in network, operating system, and application-level security. Penetration
-testing can be used to validate vulnerabilities or determine a system’s penetration resistance
-to adversaries within specified constraints. Such constraints include time, resources, and
-CA.L3-3.12.1e – Penetration Testing
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-skills. Organizations may also supplement penetration testing with red team exercises. Red
-teams attempt to duplicate the actions of adversaries in carrying out attacks against
-organizations and provide an in-depth analysis of security-related weaknesses or
-deficiencies. <br />
-Organizations can use the results of vulnerability analyses to support penetration testing
-activities. Penetration testing can be conducted internally or externally on the hardware,
-software, or firmware components of a system and can exercise both physical and technical
-controls. A standard method for penetration testing includes pretest analysis based on full
-knowledge of the system, pretest identification of potential vulnerabilities based on the
-pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All
-parties agree to the specified rules of engagement before the commencement of penetration
-testing. Organizations correlate the rules of engagement for penetration tests and red
-teaming exercises (if used) with the tools, techniques, and procedures that they anticipate
-adversaries may employ. The penetration testing or red team exercises may be organization-
-based or external to the organization. In either case, it is important that the team possesses
-the necessary skills and resources to do the job and is objective in its assessment. <br />
-[NIST SP 800-53A] provides guidance on conducting security assessments.
-'''FURTHER DISCUSSION '''
-It is important  that the organization has a repeatable penetration testing capability,
-regardless of who performs the penetration testing. This requirement entails performing
-tests against components of the organization’s architecture to identify cyber weaknesses and
-vulnerabilities. It does not mean everything in the architecture requires penetration testing.
-This requirement provides findings and mitigation strategies that benefit the organization
-and help create a stronger environment against adversary efforts. It may be beneficial for
-the organization to define the scope of penetration testing. The organization’s approach may
-involve  hiring an expert penetration testing team to perform testing on behalf of the
-organization. When an organization has penetration testing performed, either by an internal
-team or external firm, they should establish rules of engagement and impose limits on what
-can be performed by the penetration test team(s). <br />
-Ensuring the objectivity of the test team is important as well. Potential conflicts of interest,
-such as having internal testers report directly or indirectly to network defenders or an
-external test team contracted by network defense leadership, must be carefully managed by
-organizational leadership. <br />
-Reports on the findings should be used by the organization to determine where to focus
-funding, staffing, training, or technical improvements for future mitigation strategies.
-CA.L3-3.12.1e – Penetration Testing
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-'''Example <br />
-'''You are responsible for information security in your organization. Leveraging  a contract
-managed by the CIO,  you hire  an external expert penetration team  annually  to test the
-security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same
-firm annually or on an ad hoc basis when significant changes are made to the architecture or
-components that affect security [b,c].
-'''Potential Assessment Considerations <br />
-'''•
-  Does the organization have internal team members who  possess the proper level of
-expertise to perform a valued penetration testing effort [b]?
-•
-  If the penetration  testing  is  performed  by an internal team, are the individuals
-performing the testing objectively [b]?
-•
-  Is  a  penetration  testing final report  provided  to the internal  team  responsible for
-organizational defense?
-•
-  If previous penetration tests have been conducted, can the organization provide samples
-of penetration test plans, findings reports, and mitigation guidance based on the findings
-[a,b,c]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.12.1e
-SC.L3-3.13.4e – isolation
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-System and Communications Protection (SC) <br />
-'''SC.L3-3.13.4E – ISOLATION '''
-Employ physical isolation techniques or logical isolation techniques or both in organizational
-systems and system components.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[ODP1] One or more of the following is/are selected: physical isolation techniques;
-logical isolation techniques; <br />
-[ODP2] Physical isolation techniques are defined (if selected); <br />
-[ODP3] Logical isolation techniques are defined (if selected); <br />
-[a] Physical isolation techniques or logical isolation techniques or both  are employed in
-organizational systems and system components.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
-'''[SELECT FROM: System and communications protection policy; procedures addressing
-boundary protection; system design documentation; procedures addressing the use of thin
-nodes; list of key internal boundaries of the system; security plan; boundary protection
-hardware and software; system configuration settings and associated documentation;
-enterprise architecture documentation; system architecture; security architecture
-documentation; system audit records; system component inventory; list of security tools and
-support components to be isolated from other system components; other relevant
-documents or records].
-'''Interview <br />
-'''[SELECT FROM: Organizational personnel responsible for information security;
-system/network administrators; system developers; organizational personnel responsible
-for boundary protection].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing the boundary protection capability; mechanisms
-implementing physical isolation techniques; mechanisms supporting and/or implementing
-the isolation of information security tools, mechanisms, and support components;
-mechanisms supporting and/or implementing the capability to separate system components
-supporting organizational missions and business functions; mechanisms implementing
-SC.L3-3.13.4e – isolation
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-logical isolation techniques; mechanisms supporting or implementing separate network
-addresses/different subnets; mechanisms supporting and/or implementing thin nodes].
-'''DISCUSSION [NIST SP 800-172] '''
-A mix of physical and logical isolation techniques (described below) implemented as part of
-the system architecture can limit the unauthorized flow of CUI, reduce the system attack
-surface, constrain the number of system components that must be secure, and impede the
-movement of an adversary. When implemented with a set of managed interfaces, physical
-and logical isolation techniques for organizational systems and components can isolate CUI
-into separate security domains where additional protections can be implemented. Any
-communications across the managed interfaces (i.e., across security domains), including for
-management or administrative purposes, constitutes remote access even if the
-communications remain within the organization. Separating system components with
-boundary protection mechanisms allows for the increased protection of individual
-components and more effective control of information flows between those components.
-This enhanced protection limits the potential harm from and susceptibility to hostile cyber-
-attacks and errors. The degree of isolation can vary depending on the boundary protection
-mechanisms selected. Boundary protection mechanisms include routers, gateways, and
-firewalls separating system components into physically separate networks or subnetworks;
-virtualization and micro-virtualization techniques; encrypting information flows among
-system components using distinct encryption keys; cross-domain devices separating
-subnetworks; and complete physical separation (i.e., air gaps). <br />
-System architectures include logical isolation, partial physical and logical isolation, or
-complete physical isolation between subsystems and at system boundaries between
-resources that store, process, transmit, or protect CUI and other resources. Examples
-include: <br />
-•
-  Logical isolation: Data tagging, digital rights  management (DRM), and data loss
-prevention (DLP) that tags, monitors, and restricts the flow of CUI; virtual machines or
-containers that separate CUI and other information on hosts; and virtual local area
-networks (VLAN) that keep CUI and other information separate on networks.
-•
-  Partial physical and logical isolation: Physically or cryptographically isolated networks,
-dedicated hardware in data centers, and secure clients that (a) may not directly access
-resources outside of the domain (i.e., all applications with cross-enclave connectivity
-execute as remote virtual applications hosted in a demilitarized zone [DMZ] or internal
-and protected enclave), (b) access via remote virtualized applications or virtual desktop
-with no file transfer capability other than  with dual authorization, or (c) employ
-dedicated client hardware (e.g., a zero or thin client) or hardware approved for multi-
-level secure (MLS) usage.
-•
-  Complete physical isolation: Dedicated (not shared) client and server hardware;
-physically isolated, stand-alone enclaves for clients and servers; and (a) logically
-separate network traffic (e.g., using a VLAN) with end-to-end encryption using Public Key
-Infrastructure (PKI)-based cryptography or (b) physical isolation from other networks.
-SC.L3-3.13.4e – isolation
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-Isolation techniques are selected based on a risk management perspective that balances the
-threat, the information being protected, and the cost of the options for protection.
-Architectural and design decisions are guided and informed by the security requirements
-and selected solutions. Organizations consider the trustworthiness of the isolation
-techniques employed (e.g., the logical isolation relies on information technology that could
-be considered a high value target because of the function being performed), introducing its
-own set of vulnerabilities. <br />
-[NIST SP  800-160-1] provides guidance on developing trustworthy, secure, and cyber
-resilient systems using systems security engineering practices and security design concepts.
-'''FURTHER DISCUSSION '''
-For this requirement, organizations must identify the systems or enclaves that need to be
-isolated,  then design and implement the isolation.  The resulting isolation solutions are
-documented  or referenced in the SSP.  Documentation will be dependent on the design
-selected and may include a high-level diagram, but specific details that may change on some
-frequency would be omitted. During an assessment, providing details such as subnet and
-VLAN implementation identifiers, internal boundary protection hardware and software,
-interface device functionality, and system configuration and  Access Control List (ACL)
-settings will be useful.
-'''Example <br />
-'''You are responsible for information security in your organization,  which holds and
-processes CUI. You have decided  to isolate the  systems processing  CUI  by limiting all
-communications in and out that enclave with cross-domain interface devices that implement
-access control [a]. Your security team has identified all the systems containing such CUI,
-documented network design details, developed network diagrams showing access control
-points, documented the logic for the access control enforcement decisions, described the
-interface and protocol to the identification and authentication mechanisms, and documented
-all details associated with the ACLs, including review, updates, and credential revocation
-procedures.
-'''Potential Assessment Considerations <br />
-'''•
-  Has the organization clearly identified where they use physical, logical, or both isolation
-techniques [a]?
-•
-  Can the organization describe the isolation techniques they have employed [a]?
-•
-  Has the organization deployed subnetting, internal firewalls, and VLANs  to control
-packet flow between internal segments [a]?
-•
-  Does the organization employ metadata to inform isolation techniques [a]?
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.13.4e
-SI.L3-3.14.1e – Integrity Verification
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-System and Information Integrity (SI) <br />
-'''SI.L3-3.14.1E – INTEGRITY VERIFICATION '''
-Verify the integrity of security critical and essential software using root of trust mechanisms
-or cryptographic signatures.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[ODP1] Security critical or essential software is defined; <br />
-[a] Root of trust mechanisms or cryptographic signatures are identified; and <br />
-[b] The integrity of security critical and essential software  is verified using root of trust
-mechanisms or cryptographic signatures.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
-'''[SELECT FROM: System and information integrity policy; procedures addressing software,
-firmware, and information integrity; system design documentation; security plan; system
-configuration settings and associated documentation; system component inventory;
-integrity verification tools and associated documentation; records of integrity verification
-scans; system audit records; cryptographic mechanisms and associated documentation;
-records of detected unauthorized changes to software, firmware, and information; other
-relevant documents or records].
-'''Interview <br />
-'''[SELECT  FROM:  Organizational personnel responsible for information security;
-organizational personnel responsible for software, firmware, and/or information integrity;
-system developers; system/network administrators].
-'''Test <br />
-'''[SELECT FROM: Software, firmware, and information integrity verification tools;
-mechanisms supporting and/or implementing integrity verification of the boot process;
-mechanisms supporting and/or implementing protection of the integrity of boot firmware;
-cryptographic mechanisms implementing software, firmware, and information integrity;
-safeguards implementing protection of the integrity of boot firmware].
-SI.L3-3.14.1e – Integrity Verification
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-'''DISCUSSION [NIST SP 800-172] '''
-Verifying the integrity of the organization’s security-critical or essential software is an
-important capability since corrupted software is the primary attack vector used by
-adversaries to undermine or disrupt the proper functioning of organizational systems. There
-are many ways to verify software integrity throughout the system development life cycle.
-Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible
-Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes.
-This capability helps system components protect the integrity of boot firmware in
-organizational systems by verifying the integrity and authenticity of updates to the firmware
-prior to applying changes to the system component and preventing unauthorized processes
-from modifying the boot firmware. The employment of cryptographic signatures ensures the
-integrity and authenticity of critical and essential software that stores, processes, or
-transmits, CUI. Cryptographic signatures include digital signatures and the computation and
-application of signed hashes using asymmetric cryptography, protecting the confidentiality
-of the key used to generate the hash, and using the public key to verify the hash information.
-Hardware roots of trust are considered to be more secure. This requirement supports 3.4.1e
-and 3.4.3.e. <br />
-[FIPS 140-3] provides security requirements for cryptographic modules. [FIPS 180-4] and
-[FIPS 202] provide secure hash standards. [FIPS 186-4] provides a digital signature
-standard.  [NIST SP  800-147] provides BIOS protection guidance. [NIST TRUST] provides
-guidance on the roots of trust project.
-'''FURTHER DISCUSSION '''
-Organizations verify the integrity of security critical and essential software every time that
-software  is executed.  Secure boot mechanisms for firmware and a cryptographically
-protected boot chain ensure the integrity of the operating system (OS) and security critical
-software, and cryptographic techniques ensure  the  essential  software has not been
-tampered with after development prior to execution. If software is itself considered to be
-CUI or if it uses CUI, this requirement ensures it has not been compromised. <br />
-Software and information integrity verification tools can help check the integrity during the
-development process for those organizations developing software. As critical software is
-updated, the integrity of any configuration data and the software must result in updated
-signatures and an ongoing verification process. <br />
-Operating systems include mechanisms to validate digital signatures for installed software.
-Most software packages use signatures to prove the integrity of the provided software, and
-the organization should leverage these capabilities.  Similarly, most hardware appliance
-vendors have secure boot checks in place for their devices and built-in features that check
-the digital signature of an upgrade/update package before they allow an upgrade to take
-place. For locally developed software, the organization should sign the software to ensure its
-integrity.
-SI.L3-3.14.1e – Integrity Verification
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-'''Example 1 <br />
-'''You are responsible for information security in your organization. Your security team has
-identified the software used to process CUI, and the organization has decided it is mission-
-critical software that must be protected. You take three actions. First, you ensure all of the
-platform’s configuration information used at boot is hashed and stored in a TPM [a]. Second,
-you ensure that the platforms used to execute the software are started with a digitally signed
-software chain to a secure boot process using the TPM. Finally, you ensure the essential
-applications are cryptographically protected with a digital signature when stored and the
-signature is verified prior to execution [b].
-'''Example 2 <br />
-'''Your organization has a software security team, and they are required to validate unsigned
-essential software provided to systems that do not have TPM modules. The organization has
-a policy stating no software can be executed on a system unless its hash value matches that
-of a hash stored in the approved software library kept by the software security team [a]. This
-action is performed by implementing software restriction policies on systems.  The team
-tests the software on a sandbox system,  and once it is proven safe, they run a hashing
-function on the software to create a hash value. This hash value is placed in a software library
-so the system will know it can execute the software [b]. Any changes to the software without
-the software security team’s approval will result in the software failing the security tests,
-and it will be prevented from executing.
-'''Potential Assessment Considerations <br />
-'''•
-  Does the organization use cryptographic signatures to ensure the integrity and
-authenticity of critical and essential software and data [b]?
-•
-  Has the organization identified those devices that require integrity verification of the
-boot process [a]?
-•
-  Does the organization use a TPM to store  hashes  of  pre-run time configuration
-parameters for those systems [b]?
-•
-  Does the organization leverage the TPM configuration hash to verify the hardware and
-software configuration is unchanged in order to determine that a system is trustworthy
-before running mission-essential applications [b,c]?
-•
-  Does the organization use the TPM for remote attestation to determine to which extent
-information can be trusted from another system [b,c]?
-•
-  Has the organization identified devices requiring organization-defined security
-safeguards that must be implemented to protect the integrity of boot firmware [a]?
-•
-  Has the organization defined security safeguards that will be implemented to protect the
-integrity of boot firmware in mission-essential devices [a]?
-•
-  Has the organization implemented organization-defined security safeguards to protect
-the integrity of boot firmware in organization-defined essential devices [b]?
-SI.L3-3.14.1e – Integrity Verification
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-'''KEY REFERENCES '''
-•
-  NIST SP 800-172 3.14.1e
-''' '''
-SI.L3-3.14.3e – Specialized Asset Security
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-'''SI.L3-3.14.3E – SPECIALIZED ASSET SECURITY '''
-Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems
-and test equipment  are included in the scope of the specified enhanced security
-requirements or are segregated in purpose-specific networks.
-'''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
-Determine if: <br />
-[a] Specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test
-equipment are included in the scope of the specified enhanced security requirements;
-and
-[b] Systems and system components that are not included in specialized assets including IoT,
-IIoT, OT, GFE, Restricted Information Systems and test equipment  are segregated in
-purpose-specific networks.
-'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
-'''Examine <br />
-'''[SELECT FROM: Access control policy; information flow control policies; system and services
-acquisition policy; system and communications protection policy; procedures addressing
-security function isolation; procedures addressing application partitioning; procedures
-addressing security engineering principles used in the specification, design, development,
-implementation, and modification of the system; procedures addressing information flow
-enforcement; procedures addressing access enforcement; system architecture; system
-design documentation; security plan; system component inventory; system configuration
-settings and associated documentation; system baseline configuration; list of security
-functions to be isolated from non-security functions; system audit records; security
-requirements and specifications for the system; list of approved authorizations (user
-privileges); list of information flow authorizations; other relevant documents or records].
-'''Interview <br />
-'''[SELECT FROM: Organizational personnel responsible for access enforcement;
-system/network administrators; organizational personnel responsible for information
-security; system developers; system integrators; organizational personnel responsible for
-acquisition/contracting; organizational personnel responsible for determining system
-security requirements; system security architects; enterprise architects; organizational
-personnel responsible for system specification, design, development, implementation, and
-modification].
-'''Test <br />
-'''[SELECT FROM: Mechanisms implementing the access control policy; mechanisms
-implementing the information flow enforcement policy; mechanisms supporting the
-SI.L3-3.14.3e – Specialized Asset Security
-'''CMMC Assessment Guide – Level 3 '''|''' Version 2.13 '''
-''' '''
-application of security engineering principles in system specification, design, development,
-implementation, and modification].
-'''DISCUSSION [NIST SP 800-172] '''
-Organizations may have a variety of systems and system components in their inventory,
-including Information Technology (IT), Internet of Things (IoT), Operational Technology
-(OT), and Industrial Internet of Things (IIoT). The convergence of IT, OT, IoT, and IIoT
-significantly increases the attack surface of organizations and provides attack vectors that
-are challenging to address. Compromised IoT, OT, and IIoT system components can serve as
-launching points for attacks on organizational IT systems that handle CUI. Some IoT, OT, and
-IIoT system components can store, transmit, or process CUI (e.g., specifications or
-parameters for objects manufactured in support of critical programs). Most of the current
-generation of IoT, OT, and IIoT system components are not designed with security as a
-foundational property and may not be able to be configured to support security functionality.
-Connections to and from such system components are generally not encrypted, do not
-provide the necessary authentication, are not monitored, and are not logged. Therefore,
-these components pose a significant cyber threat. Gaps in IoT, OT, and IIoT security
-capabilities may be addressed by employing intermediary system components that can
-provide encryption, authentication, security scanning, and logging capabilities—thus,
-preventing the components from being accessible from the Internet. However, such
-mitigation options are not always available or practicable. The situation is further
-complicated because some of the IoT, OT, and IIoT devices may be needed for essential
-missions and business functions. In those instances, it is necessary for such devices to be
-isolated from the Internet to reduce the susceptibility to cyber-attacks.  <br />
-[NIST SP  800-160-1] provides guidance on security engineering practices and security
-design concepts.
-'''FURTHER DISCUSSION  '''
 Specialized Assets are addressed in the scoping guidance, which should be overlaid on this
@@ Line 6,107: / Line 5,156: @@
 implemented, and the relationships with or connections to other systems. <br />
-Specialized Assets within the Level  3  CMMC  assessment  scope  must  be  either  assessed
+Specialized Assets within the Level 3 CMMC assessment scope must be either assessed
-against all CMMC security  requirements  or  separated  into purpose-specific networks.
+against all CMMC security requirements or separated into purpose-specific networks.
 Specialized Assets may have limitations on the application of certain security requirements.
 To accommodate such issues, the SSP should describe any mitigations. <br />
@@ Line 6,119: / Line 5,168: @@
 with a specialized asset is a boundary device or a proxy. <br />
 The high-level list of Specialized Assets includes:
@@ Line 6,140: / Line 5,189: @@
 •
-  Government Furnished Equipment;
+ Government Furnished Equipment;
 •
-  IoT and IIoT devices (physical or virtual) with sensing/actuation capability and
+ IoT and IIoT devices (physical or virtual) with sensing/actuation capability and
 programmability features;
 •
-  OT  used  in manufacturing systems, industrial control systems (ICS), or supervisory
+ OT used in manufacturing systems, industrial control systems (ICS), or supervisory
 control and data acquisition (SCADA) systems;
 •
-  Restricted Information Systems, which can include systems and IT components that are
+ Restricted Information Systems, which can include systems and IT components that are
 configured based on government requirements; and
@@ Line 6,162: / Line 5,211: @@
 •
-  Test equipment.
+ Test equipment.
 '''Example <br />
@@ Line 6,181: / Line 5,230: @@
 isolation mechanism, and a description of how your organization manages risk associated
 with that GFE [a].
 '''Potential Assessment Considerations <br />
 '''•
-  Has the organization documented all specialized assets in asset inventory [a]?
+ Has the organization documented all specialized assets in asset inventory [a]?
 •
-  Has the organization documented all specialized assets in the SSP to show how risk is
+ Has the organization documented all specialized assets in the SSP to show how risk is
 managed [b]?
@@ Line 6,196: / Line 5,245: @@
 •
-  Has the organization provided a network diagram for specialized assets [a,b]?
+ Has the organization provided a network diagram for specialized assets [a,b]?
 '''KEY REFERENCES '''
@@ Line 6,202: / Line 5,251: @@
 •
-  NIST SP 800-172 3.14.3e
+ NIST SP 800-172 3.14.3e
@@ Line 6,227: / Line 5,276: @@
 '''SI.L3-3.14.6E – THREAT-GUIDED INTRUSION DETECTION '''
-Use threat indicator information and effective mitigations obtained from,  at a minimum,
+Use threat indicator information and effective mitigations obtained from, at a minimum,
 open or commercial sources, and any DoD-provided sources, to guide and inform intrusion
 detection and threat hunting.
 '''ASSESSMENT OBJECTIVES [NIST SP 800-172A] '''
@@ Line 6,243: / Line 5,292: @@
 [c] Intrusion detection approaches are identified; <br />
 [d] Threat hunting activities are identified; and <br />
-[e] Threat indicator information and effective mitigations obtained from,  at a minimum,
+[e] Threat indicator information and effective mitigations obtained from, at a minimum,
 open or commercial sources and any DoD-provided sources, are used to guide and inform
 intrusion detection and threat hunting.
 '''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A] '''
 '''Examine <br />
 '''[SELECT FROM: System and information integrity policy; information security program plan;
 procedures addressing security alerts, advisories, and directives; threat awareness program
@@ Line 6,264: / Line 5,313: @@
 monitoring tools and techniques documentation; system configuration settings and
 associated documentation; system monitoring logs or records; system audit records;
 documentation on the cross-organization information-sharing capability; other relevant
 documents or records].
 '''Interview <br />
@@ Line 6,281: / Line 5,330: @@
 personnel responsible for information security; organizational personnel responsible for
-installing, configuring, and/or maintaining the system; organizational personnel  security
+installing, configuring, and/or maintaining the system; organizational personnel security
-alerts and advisories; organizational personnel responsible for  implementing, operating,
+alerts and advisories; organizational personnel responsible for implementing, operating,
 maintaining, and using the system; organizational personnel, organizational elements,
@@ Line 6,308: / Line 5,357: @@
 disseminated; personnel with whom threat awareness information is shared by the
 organization; system developers].
 '''Test <br />
@@ Line 6,321: / Line 5,370: @@
 and dissemination of security alerts, advisories, and directives; mechanisms supporting
-and/or implementing security  directives; mechanisms supporting and/or implementing
+and/or implementing security directives; mechanisms supporting and/or implementing
 threat hunting; mechanisms supporting and/or implementing intrusion detection;
 mechanisms supporting and/or implementing the discovery, collection, distribution, and use
 of indicators of compromise].
 '''DISCUSSION [NIST SP 800-172] '''
@@ Line 6,347: / Line 5,396: @@
 sharing consortia, government-commercial cooperatives, and government-government
-cooperatives (e.g., CERTCC, CISA/US-CERT,  FIRST, ISAO, DIB CS Program). Unclassified
+cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified
 indicators, based on classified information but which can be readily incorporated into
@@ Line 6,353: / Line 5,402: @@
 organizational intrusion detection systems, are available to qualified nonfederal
 organizations from government sources.
 '''FURTHER DISCUSSION '''
@@ Line 6,363: / Line 5,412: @@
 TTPs in support of operational requirements, which will typically include defensive cyber
-tools supporting incident detection,  alerts, incident response, and threat hunting.  It is
+tools supporting incident detection, alerts, incident response, and threat hunting. It is
-possible that this requirement  will be implemented by a  third-party managed service
+possible that this requirement will be implemented by a third-party managed service
-provider, and in that  case,  it  will  be necessary to carefully define the boundary and
+provider, and in that case, it will be necessary to carefully define the boundary and
 responsibilities between the OSC and the ESP to guarantee a robust implementation. It is also
@@ Line 6,373: / Line 5,422: @@
 important that the OSC validate threat indicator integration into the defensive cyber toolset
-by  being able to (1)  implement  mitigations for sample industry relevant indicators  of
+by being able to (1) implement mitigations for sample industry relevant indicators of
 compromise (e.g., IP address, file hash), (2) identify sample indicators of compromise across
-sample endpoints, and  (3) identify sample indicators  of compromise using analytical
+sample endpoints, and (3) identify sample indicators of compromise using analytical
 processes on a system data repository.
@@ Line 6,408: / Line 5,457: @@
 •
-  analyze logs, data sources, and alerts;
+ analyze logs, data sources, and alerts;
 •
-  query data to identify anomalies;
+ query data to identify anomalies;
 •
-  identify variations from baseline threat levels;
+ identify variations from baseline threat levels;
 •
-  provide machine learning capabilities associated with the correlation of anomalous data
+ provide machine learning capabilities associated with the correlation of anomalous data
 characteristics across the enterprise; and
@@ Line 6,426: / Line 5,475: @@
 •
-  categorize data sets based on expected data values.
+ categorize data sets based on expected data values.
 Your team also manages an internal mitigation plan (playbook) for all known threats for your
@@ Line 6,434: / Line 5,483: @@
 environment [b]. Some of the mitigation strategies are developed by team members, and
 others are obtained by threat feed services.
 '''Potential Assessment Considerations <br />
 '''•
-  Which external sources has the organization identified as threat information sources [a]?
+ Which external sources has the organization identified as threat information sources [a]?
 •
-  Does the organization understand the TTPs of key attackers [c,d]?
+ Does the organization understand the TTPs of key attackers [c,d]?
 •
-  Does the organization deploy threat indicators to EDR systems, network  intrusion
+ Does the organization deploy threat indicators to EDR systems, network intrusion
 detection systems, or both [c,d,e]?
@@ Line 6,453: / Line 5,502: @@
 •
-  What actions does the organization implement when a threat alert/indicator is signaled
+ What actions does the organization implement when a threat alert/indicator is signaled
 [c,d,e]?
@@ Line 6,459: / Line 5,508: @@
 •
-  Does the organization use internal threat capabilities within their existing security tools
+ Does the organization use internal threat capabilities within their existing security tools
 [e]?
@@ Line 6,465: / Line 5,514: @@
 •
-  How does the organization respond to a third-party notification of a threat indicator [e]?
+ How does the organization respond to a third-party notification of a threat indicator [e]?
 '''KEY REFERENCES '''
@@ Line 6,471: / Line 5,520: @@
 •
-  NIST SP 800-172 3.14.6e
+ NIST SP 800-172 3.14.6e

Level 3 Assessment Guide: Difference between revisions

Revision as of 03:53, 24 March 2025

NOTICES

Introduction

Level 3 Description

Purpose and Audience

Document Organization

Assessment and Certification

Assessment Scope

CMMC-Custom Terms

Assessment Criteria and Methodology

Criteria

Methodology

Who Is Interviewed

What Is Examined

What Is Tested

Assessment Findings

Requirement Descriptions

Access Control (AC)

Document Outline

Navigation menu

Search