Evidence Collection Approach: Difference between revisions
| Line 20: | Line 20: | ||
|colspan="2"|'''AC.L2-3.1.1''' Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | |colspan="2"|'''AC.L2-3.1.1''' Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | ||
|- | |- | ||
|[a] authorized users are identified. || Document | | [a] authorized users are identified. || Document | ||
|[b] processes acting on behalf of authorized users are identified. || Document | |- | ||
|[c] devices (and other systems) authorized to connect to the system are identified. || Document | | [b] processes acting on behalf of authorized users are identified. || Document | ||
|[d] system access is limited to authorized users. || Screen Share | |- | ||
|[e] system access is limited to processes acting on behalf of authorized users. || Screen Share | | [c] devices (and other systems) authorized to connect to the system are identified. || Document | ||
|[f] system access is limited to authorized devices (including other systems). || Screen Share | |- | ||
| [d] system access is limited to authorized users. || Screen Share | |||
|- | |||
| [e] system access is limited to processes acting on behalf of authorized users. || Screen Share | |||
|- | |||
| [f] system access is limited to authorized devices (including other systems). || Screen Share | |||
|- | |- | ||
|[[Practice_AC.L2-3.1.1_Details|More Practice Details...]] | |[[Practice_AC.L2-3.1.1_Details|More Practice Details...]] | ||
Revision as of 03:55, 28 March 2025
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Evidence Collection Approach for CMMC Practices Levels 1 and 2
The following table contains the DIBCAC Evidence collection approach for the CMMC Levels 1 and 2 practices and their Assessment Objectives.
The following tables provide a general approach between Assessment Objectives (AOs) and Assessment Methods that may be used. These are not to be construed as directive. The Assessor has the right to replace any Assessment Method with a different one based on what the OSC has provided in other requirements, previously gathered Evidence, or the lack therein.
The definition of the Evidence approaches are as follows:
- Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)
- Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)
- Physical Review: An on-premise observation of Evidence.
- Screen Share: Live observation "over the shoulder" of a user as they share their computer screen while performing a task.
Access Control (AC)
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
| Practice and Assessment Objectives | Evidence |
|---|---|
| AC.L2-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | |
| [a] authorized users are identified. | Document |
| [b] processes acting on behalf of authorized users are identified. | Document |
| [c] devices (and other systems) authorized to connect to the system are identified. | Document |
| [d] system access is limited to authorized users. | Screen Share |
| [e] system access is limited to processes acting on behalf of authorized users. | Screen Share |
| [f] system access is limited to authorized devices (including other systems). | Screen Share |
| More Practice Details... | |
AC.L2-3.1.2 – Transaction & Function Control [CUI Data]
| SECURITY REQUIREMENT
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.3 – Control CUI Flow
| SECURITY REQUIREMENT
Control the flow of CUI in accordance with approved authorizations. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.4 – Separation of Duties
| SECURITY REQUIREMENT
Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.5 – Least Privilege
| SECURITY REQUIREMENT
Employ the principle of least privilege, including for specific security functions and privileged accounts. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.6 – Non-Privileged Account Use
| SECURITY REQUIREMENT
Use non-privileged accounts or roles when accessing nonsecurity functions. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.7 – Privileged Functions
| SECURITY REQUIREMENT
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.8 – Unsuccessful Logon Attempts
| SECURITY REQUIREMENT
Limit unsuccessful logon attempts. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.9 – Privacy & Security Notices
| SECURITY REQUIREMENT
Provide privacy and security notices consistent with applicable CUI rules. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.10 – Session Lock
| SECURITY REQUIREMENT
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.11 – Session Termination
| SECURITY REQUIREMENT
Terminate (automatically) a user session after a defined condition. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.12 – Control Remote Access
| SECURITY REQUIREMENT
Monitor and control remote access sessions. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.13 – Remote Access Confidentiality
| SECURITY REQUIREMENT
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.14 – Remote Access Routing
| SECURITY REQUIREMENT
Route remote access via managed access control points. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.15 – Privileged Remote Access
| SECURITY REQUIREMENT
Authorize remote execution of privileged commands and remote access to security-relevant information. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.16 – Wireless Access Authorization
| SECURITY REQUIREMENT
Authorize wireless access prior to allowing such connections. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.17 – Wireless Access Protection
| SECURITY REQUIREMENT
Protect wireless access using authentication and encryption. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.18 – Mobile Device Connection
| SECURITY REQUIREMENT
Control connection of mobile devices. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.19 – Encrypt CUI on Mobile
| SECURITY REQUIREMENT
Encrypt CUI on mobile devices and mobile computing platforms. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.20 – External Connections [CUI Data]
| SECURITY REQUIREMENT
Verify and control/limit connections to and use of external information systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.21 – Portable Storage Use
| SECURITY REQUIREMENT
Limit use of portable storage devices on external systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L2-3.1.22 – Control Public Information [CUI Data]
| SECURITY REQUIREMENT
Control information posted or processed on publicly accessible information systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Awareness and Training (AT)
AT.L2-3.2.1 – Role-Based Risk Awareness
| SECURITY REQUIREMENT
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AT.L2-3.2.2 – Role-Based Training
| SECURITY REQUIREMENT
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|- |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AT.L2-3.2.3 – Insider Threat Awareness
| SECURITY REQUIREMENT
Provide security awareness training on recognizing and reporting potential indicators of insider threat. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Audit and Accountability (AU)
AU.L2-3.3.1 – System Auditing
| SECURITY REQUIREMENT
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.2 – User Accountability
| SECURITY REQUIREMENT
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.3 – Event Review
| SECURITY REQUIREMENT
Review and update logged events. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.4 – Audit Failure Alerting
| SECURITY REQUIREMENT
Alert in the event of an audit logging process failure. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.5 – Audit Correlation
| SECURITY REQUIREMENT
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.6 – Reduction & Reporting
| SECURITY REQUIREMENT
Provide audit record reduction and report generation to support on-demand analysis and reporting. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.7 – Authoritative Time Source
| SECURITY REQUIREMENT
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.8 – Audit Protection
| SECURITY REQUIREMENT
Protect audit information and audit logging tools from unauthorized access, modification, and deletion. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AU.L2-3.3.9 – Audit Management
| SECURITY REQUIREMENT
Limit management of audit logging functionality to a subset of privileged users. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Configuration Management (CM)
CM.L2-3.4.1 – System Baselining
| SECURITY REQUIREMENT
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.2 – Security Configuration Enforcement
| SECURITY REQUIREMENT
Establish and enforce security configuration settings for information technology products employed in organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.3 – System Change Management
| SECURITY REQUIREMENT
Track, review, approve or disapprove, and log changes to organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.4 – Security Impact Analysis
| SECURITY REQUIREMENT
Analyze the security impact of changes prior to implementation. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.5 – Access Restrictions for Change
| SECURITY REQUIREMENT
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.6 – Least Functionality
| SECURITY REQUIREMENT
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.7 – Nonessential Functionality
| SECURITY REQUIREMENT
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.8 – Application Execution Policy
| SECURITY REQUIREMENT
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CM.L2-3.4.9 – User-Installed Software
| SECURITY REQUIREMENT
Control and monitor user-installed software. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Identification and Authentication (IA)
IA.L2-3.5.1 – Identification [CUI Data]
| SECURITY REQUIREMENT
Identify information system users, processes acting on behalf of users, or devices. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.2 – Authentication [CUI Data]
| SECURITY REQUIREMENT
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.3 – Multifactor Authentication
| SECURITY REQUIREMENT
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.4 – Replay-Resistant Authentication
| SECURITY REQUIREMENT
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.5 – Identifier Reuse
| SECURITY REQUIREMENT
Prevent reuse of identifiers for a defined period. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.6 – Identifier Handling
| SECURITY REQUIREMENT
Disable identifiers after a defined period of inactivity. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.7 – Password Complexity
| SECURITY REQUIREMENT
Enforce a minimum password complexity and change of characters when new passwords are created. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.8 – Password Reuse
| SECURITY REQUIREMENT
Prohibit password reuse for a specified number of generations. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.9 – Temporary Passwords
| SECURITY REQUIREMENT
Allow temporary password use for system logons with an immediate change to a permanent password. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.10 – Cryptographically-Protected Passwords
| SECURITY REQUIREMENT
Store and transmit only cryptographically-protected passwords. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IA.L2-3.5.11 – Obscure Feedback
| SECURITY REQUIREMENT
Obscure feedback of authentication information. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Incident Response (IR)
IR.L2-3.6.1 – Incident Handling
| SECURITY REQUIREMENT
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IR.L2-3.6.2 – Incident Reporting
| SECURITY REQUIREMENT
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
IR.L2-3.6.3 – Incident Response Testing
| SECURITY REQUIREMENT
Test the organizational incident response capability. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Maintenance (MA)
MA.L2-3.7.1 – Perform Maintenance
| SECURITY REQUIREMENT
Perform maintenance on organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MA.L2-3.7.2 – System Maintenance Control
| SECURITY REQUIREMENT
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MA.L2-3.7.3 – Equipment Sanitization
| SECURITY REQUIREMENT
Ensure equipment removed for off-site maintenance is sanitized of any CUI. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MA.L2-3.7.4 – Media Inspection
| SECURITY REQUIREMENT
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MA.L2-3.7.5 – Nonlocal Maintenance
| SECURITY REQUIREMENT
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MA.L2-3.7.6 – Maintenance Personnel
| SECURITY REQUIREMENT
Supervise the maintenance activities of maintenance personnel without required access authorization. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Media Protection (MP)
MP.L2-3.8.1 – Media Protection
| SECURITY REQUIREMENT
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.2 – Media Access
| SECURITY REQUIREMENT
Limit access to CUI on system media to authorized users. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.3 – Media Disposal [CUI Data]
| SECURITY REQUIREMENT
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.4 – Media Markings
| SECURITY REQUIREMENT
Mark media with necessary CUI markings and distribution limitations. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.5 – Media Accountability
| SECURITY REQUIREMENT
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.6 – Portable Storage Encryption
| SECURITY REQUIREMENT
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.7 – Removable Media
| SECURITY REQUIREMENT
Control the use of removable media on system components. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
| SECURITY REQUIREMENT
Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
MP.L2-3.8.9 – Protect Backups
| SECURITY REQUIREMENT
Protect the confidentiality of backup CUI at storage locations. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Personnel Security (PS)
PS.L2-3.9.1 – Screen Individuals
| SECURITY REQUIREMENT
Screen individuals prior to authorizing access to organizational systems containing CUI. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
PS.L2-3.9.2 – Personnel Actions
| SECURITY REQUIREMENT
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Physical Protection (PE)
PE.L2-3.10.1 – Limit Physical Access [CUI Data]
| SECURITY REQUIREMENT
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
PE.L2-3.10.2 – Monitor Facility
| SECURITY REQUIREMENT
Protect and monitor the physical facility and support infrastructure for organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
PE.L2-3.10.3 – Escort Visitors [CUI Data]
| SECURITY REQUIREMENT
Escort visitors and monitor visitor activity. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
PE.L2-3.10.4 – Physical Access Logs [CUI Data]
| SECURITY REQUIREMENT
Maintain audit logs of physical access. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
PE.L2-3.10.5 – Manage Physical Access [CUI Data]
| SECURITY REQUIREMENT
Control and manage physical access devices. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
PE.L2-3.10.6 – Alternative Work Sites
| SECURITY REQUIREMENT
Enforce safeguarding measures for CUI at alternate work sites. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Risk Assessment (RA)
RA.L2-3.11.1 – Risk Assessments
| SECURITY REQUIREMENT
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
RA.L2-3.11.2 – Vulnerability Scan
| SECURITY REQUIREMENT
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
ASSESSMENT OBJECTIVES
identified. |
| More Practice Details... |
RA.L2-3.11.3 – Vulnerability Remediation
| SECURITY REQUIREMENT
Remediate vulnerabilities in accordance with risk assessments. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
Security Assessment (CA)
CA.L2-3.12.1 – Security Control Assessment
| SECURITY REQUIREMENT
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CA.L2-3.12.2 – Operational Plan of Action
| SECURITY REQUIREMENT
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CA.L2-3.12.3 – Security Control Monitoring
| SECURITY REQUIREMENT
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
CA.L2-3.12.4 – System Security Plan =
| SECURITY REQUIREMENT
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
System and Communications Protection (SC)
SC.L2-3.13.1 – Boundary Protection [CUI Data]
| SECURITY REQUIREMENT
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.2 – Security Engineering
| SECURITY REQUIREMENT
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.3 – Role Separation
| SECURITY REQUIREMENT
Separate user functionality from system management functionality. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
| SECURITY REQUIREMENT
Prevent unauthorized and unintended information transfer via shared system resources. |
ASSESSMENT OBJECTIVES
prevented. |
| More Practice Details... |
SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
| SECURITY REQUIREMENT
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.6 – Network Communication by Exception
| SECURITY REQUIREMENT
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.7 – Split Tunneling
| SECURITY REQUIREMENT
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.8 – Data in Transit
| SECURITY REQUIREMENT
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.9 – Connections Termination
| SECURITY REQUIREMENT
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.10 – Key Management
| SECURITY REQUIREMENT
Establish and manage cryptographic keys for cryptography employed in organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.11 – CUI Encryption
| SECURITY REQUIREMENT
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.12 – Collaborative Device Control
| SECURITY REQUIREMENT
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.13 – Mobile Code
| SECURITY REQUIREMENT
Control and monitor the use of mobile code. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.14 – Voice over Internet Protocol
| SECURITY REQUIREMENT
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.15 – Communications Authenticity
| SECURITY REQUIREMENT
Protect the authenticity of communications sessions. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SC.L2-3.13.16 – Data at Rest
| SECURITY REQUIREMENT
Protect the confidentiality of CUI at rest. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
System and Information Integrity (SI)
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
| SECURITY REQUIREMENT
Identify, report, and correct information and information system flaws in a timely manner. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SI.L2-3.14.2 – Malicious Code ProTection [CUI Data]
| SECURITY REQUIREMENT
Provide protection from malicious code at appropriate locations within organizational information systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SI.L2-3.14.3 – Security Alerts & Advisories
| SECURITY REQUIREMENT
Monitor system security alerts and advisories and take action in response. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
| SECURITY REQUIREMENT
Update malicious code protection mechanisms when new releases are available. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SI.L2-3.14.5 – System & File Scanning [CUI Data]
| SECURITY REQUIREMENT
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SI.L2-3.14.6 – Monitor Communications for Attacks
| SECURITY REQUIREMENT
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
SI.L2-3.14.7 – Identify Unauthorized Use
| SECURITY REQUIREMENT
Identify unauthorized use of organizational systems. |
ASSESSMENT OBJECTIVES
|
| More Practice Details... |
AC.L1-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). [c] devices (and other systems) authorized to connect to the Document system are identified. [e] system access is limited to processes acting on behalf of Screen Share authorized users. [f] system access is limited to authorized devices (including other Screen Share systems).
[a] information flow control policies are defined. Document
| Certified CMMC Assessor (CCA)
[d] authorizations for controlling the flow of CUI are defined. Document AC.L1-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. [a] the types of transactions and functions that authorized users Document [a] the duties of individuals requiring separation are defined. Document are permitted to execute are defined. [b] system access is limited to the defined types of transactions Screen Share and functions for authorized users. Additional: HR policy or procedure discussing account creation Document process. AC.L3-3.1.3 Control the flow of CUI in accordance with approved authorizations. [a] privileged accounts are identified. Document [b] methods and enforcement mechanisms for controlling the Document flow of CUI are defined. [c] designated sources and destinations (e.g., networks, Artifact [c] security functions are identified. Document individuals, and devices) for CUI within the system and between interconnected systems are identified. [e] approved authorizations for controlling the flow of CUI are Screen Share enforced. AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. [b] responsibilities for duties that require separation are assigned Screen Share to separate individuals. [c] access privileges that enable individuals to exercise the duties Screen Share that require separation are granted to separate individuals. AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. [b] access to privileged accounts is authorized in accordance Artifact with the principle of least privilege. [d] access to security functions is authorized in accordance with Artifact the principle of least privilege. Additional: Policy or procedure showing the separation of duties Document for general users and admin users.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [a] nonsecurity functions are identified. Document [a] privileged functions are defined. Document [b] non-privileged users are defined. Document CertifiedCMMCAssessor(CCA) | AC.L2-3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions. [b] users are required to use non-privileged accounts or roles Screen Share when accessing nonsecurity functions. [b] privacy and security notices are displayed. Artifact AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. [c] non-privileged users are prevented from executing privileged Screen Share functions. [d] the execution of privileged functions is captured in audit Screen Share logs. AC.L2-3.1.8 Limit unsuccessful logon attempts. [a] the means of limiting unsuccessful logon attempts are Document defined. [a] conditions requiring a user session to terminate are defined. Document [b] the defined means of limiting unsuccessful logon attempts is Artifact implemented. AC.L2-3.1.9 Provide privacy and security notices consistent with applicable CUI rules. [a] privacy and security notices required by CUI-specified rules Document are identified, consistent, and associated with the specific CUI category. AC.L2-3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. [a] the period of inactivity after which the system initiates a Document session lock is defined. [b] access to the system and viewing of data is prevented by Artifact initiating a session lock after the defined period of inactivity.
[c] previously visible information is concealed via a pattern Document
hiding display after the defined period of inactivity. AC.L2-3.1.11 Terminate (automatically) a user session after a defined condition. [b] a user session is automatically terminated after any of the Screen Share defined conditions occur.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 |
[a] remote access sessions are permitted. Document [b] the types of permitted remote access are identified. Document [c] remote access sessions are controlled. Screen Share [d] remote access sessions are monitored. Screen Share Additional: Policy or procedure for setting up remote access. Document
| Certified CMMC Assessor (CCA)
AC.L2-3.1.12 Monitor and control remote access sessions. AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. [a] cryptographic mechanisms to protect the confidentiality of Document remote access sessions are identified. [b] cryptographic mechanisms to protect the confidentiality of Screen Share remote access sessions are implemented. [a] wireless access points are identified. Document AC.L2-3.1.14 Route remote access via managed access control points. [a] managed access control points are identified and Screen Share implemented. [b] remote access is routed through managed network access Screen Share control points. AC.L2-3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information. [a] privileged commands authorized for remote execution are Document identified. [b] security-relevant information authorized to be accessed Document remotely is identified. [c] the execution of the identified privileged commands via Artifact remote access is authorized. [d] access to the identified security-relevant information via Artifact remote access is authorized. AC.L2-3.1.16 Authorize wireless access prior to allowing such connections. [b] wireless access is authorized prior to allowing such Screen Share connections. AC.L2-3.1.17 Protect wireless access using authentication and encryption. Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [b] wireless access to the system is protected using encryption. Screen Share [b] mobile device connections are authorized. Artifact [c] mobile device connections are monitored and logged. Screen Share CertifiedCMMCAssessor(CCA) | [a] connections to external systems are identified. Document [a] wireless access to the system is protected using Screen Share [b] the use of external systems is identified. Document authentication. [c] connections to external systems are verified. Artifact [d] the use of external systems is verified. Artifact [e] connections to external systems are controlled/limited. Screen Share AC.L2-3.1.18 Control connection of mobile devices. [f] the use of external systems is controlled/limited. Screen Share [a] mobile devices that process, store, or transmit CUI are Document identified. AC.L2-3.1.19 Encrypt CUI on mobile devices and mobile computing platforms. [a] mobile devices and mobile computing platforms that process, Document store, or transmit CUI are identified. [b] encryption is employed to protect CUI on identified mobile Screen Share devices and mobile computing platforms. AC.L1-3.1.20 Verify and control/limit connections to and use of external information systems. AC.L2-3.1.21 Limit use of portable storage devices on external systems. [a] the use of portable storage devices containing CUI on Document external systems is identified and documented. [b] limits on the use of portable storage devices containing CUI Document on external systems are defined. [c] the use of portable storage devices containing CUI on Document external systems is limited as defined. AC.L1-3.1.22 Control information posted or processed on publicly accessible information systems. [a] individuals authorized to post or process information on Document publicly accessible systems are identified. [b] procedures to ensure FCI is not posted or processed on Document publicly accessible systems are identified.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 |
| Certified CMMC Assessor (CCA)
[c] a review process is in place prior to posting of any content to Artifact publicly accessible systems. [d] content on publicly accessible systems is reviewed to ensure Artifact that it does not include FCI. [e] mechanisms are in place to remove and address improper Artifact posting of FCI. AT.L2-3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. [a] security risks associated with organizational activities involving Document CUI are identified. [a] potential indicators associated with insider threats are identified. Document [b] policies, standards, and procedures related to the security of the Document system are identified. [c] managers, systems administrators, and users of the system are Artifact made aware of the security risks associated with their activities. [d] managers, systems administrators, and users of the system are Artifact made aware of the applicable policies, standards, and procedures related to the security of the system. AT.L2-3.2.2 Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities. [a] information security-related duties, roles, and responsibilities are Document defined. [b] information security-related duties, roles, and responsibilities are Artifact assigned to designated personnel. [c] personnel are adequately trained to carry out their assigned Artifact information security-related duties, roles, and responsibilities. AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. [b] security awareness training on recognizing and reporting potential Artifact indicators of insider threat is provided to managers and employees. AU.L2-3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 |
[c] audit records are created (generated). Screen Share [d] audit records, once created, contain the defined content. Screen Share [e] retention requirements for audit records are defined. Document [f] audit records are retained as defined. Screen Share [b] audit records, once created, contain the defined content. Screen Share CertifiedCMMCAssessor(CCA) | [a] a process for determining when to review logged events is defined. Document [a] audit logs needed (i.e., event types to be logged) to enable the Document monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. [c] event types being logged are updated based on the review. Artifact [b] the content of audit records needed to support monitoring, Document analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. AU.L2-3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. [a] the content of the audit records needed to support the ability to Document uniquely trace users to their actions is defined. AU.L2-3.3.3 Review and update logged events. [b] event types being logged are reviewed in accordance with the Artifact defined review process. AU.L2-3.3.4 Alert in the event of an audit logging process failure. [a] personnel or roles to be alerted in the event of an audit logging Document process failure are identified. [b] types of audit logging process failures for which alert will be Document generated are defined. [c] identified personnel or roles are alerted in the event of an audit Artifact logging process failure. AU.L2-3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. [a] audit record review, analysis, and reporting processes for Document investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. [b] defined audit record review, analysis, and reporting processes are Artifact correlated.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 |
| Certified CMMC Assessor (CCA)
[a] audit information is protected from unauthorized access. Screen Share AU.L2-3.3.6 Provide audit record reduction and report generation to support on-demand analysis [b] audit information is protected from unauthorized modification. Screen Share and reporting. [c] audit information is protected from unauthorized deletion. Screen Share [a] an audit record reduction capability that supports on-demand Screen Share [d] audit logging tools are protected from unauthorized access. Screen Share analysis is provided. [e] audit logging tools are protected from unauthorized modification. Screen Share [b] a report generation capability that supports on-demand reporting is Screen Share provided. [f] audit logging tools are protected from unauthorized deletion. Screen Share AU.L2-3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. [a] internal system clocks are used to generate time stamps for audit Screen Share records. [b] an authoritative source with which to compare and synchronize Document internal system clocks is specified. [c] internal system clocks used to generate time stamps for audit Screen Share records are compared to and synchronized with the specified authoritative time source. AU.L2-3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. [a] a baseline configuration is established. Document AU.L2-3.3.9 Limit management of audit logging functionality to a subset of privileged users. [a] a subset of privileged users granted access to manage audit logging Document functionality is defined. [b] management of audit logging functionality is limited to the defined Screen Share subset of privileged users. CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. [b] the baseline configuration includes hardware, software, firmware, Artifact and documentation.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 |
[d] a system inventory is established. Document CertifiedCMMCAssessor(CCA) | [a] changes to the system are tracked. Artifact [b] changes to the system are reviewed. Artifact [c] changes to the system are approved or disapproved. Artifact [c] the baseline configuration is maintained (reviewed and updated) Artifact throughout the system development life cycle. [d] changes to the system are logged. Artifact [e] the system inventory includes hardware, software, firmware, and Artifact documentation. [f] the inventory is maintained (reviewed and updated) throughout the Artifact system development life cycle. CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. [a] security configuration settings for information technology products Document employed in the system are established and included in the baseline configuration. [b] security configuration settings for information technology Artifact products employed in the system are enforced. CM.L2-3.4.3 Track, review, approve or disapprove, and log changes to organizational systems. CM.L2-3.4.4 Analyze the security impact of changes prior to implementation. [a] the security impact of changes to the system is analyzed prior to Artifact implementation. CM.L2-3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. [a] physical access restrictions associated with changes to the system Document are defined. [b] physical access restrictions associated with changes to the system Document are documented. [c] physical access restrictions associated with changes to the system Artifact are approved. [d] physical access restrictions associated with changes to the system Physical Review are enforced. [e] logical access restrictions associated with changes to the system are Document defined. [f] logical access restrictions associated with changes to the system are Document documented.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [a] essential programs are defined. Document [b] the use of nonessential programs is defined. Document
| Certified CMMC Assessor (CCA)
[d] essential functions are defined. Document [e] the use of nonessential functions is defined. Document [g] logical access restrictions associated with changes to the system are Artifact approved. [h] logical access restrictions associated with changes to the system are Artifact enforced. [g] essential ports are defined. Document [h] the use of nonessential ports is defined. Document CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. [a] essential system capabilities are defined based on the principle of Document [j] essential protocols are defined. Document least functionality. [k] the use of nonessential protocols is defined. Document [b] the system is configured to provide only the defined essential Screen Share capabilities. [m] essential services are defined. Document CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, [n] the use of nonessential services is defined. Document protocols, and services. [c] the use of nonessential programs is restricted, disabled, or Screen Share prevented as defined. [f] the use of nonessential functions is restricted, disabled, or Screen Share prevented as defined. [i] the use of nonessential ports is restricted, disabled, or prevented as Screen Share defined. [l] the use of nonessential protocols is restricted, disabled, or Screen Share prevented as defined. [o] the use of nonessential services is restricted, disabled, or prevented Screen Share as defined. CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. [a] a policy specifying whether whitelisting or blacklisting is to be Document implemented is specified.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [c] installation of software by users is monitored. Screen Share [a] system users are identified. Document CertifiedCMMCAssessor(CCA) | [b] processes acting on behalf of users are identified. Document [c] devices accessing the system are identified. Document [b] the software allowed to execute under whitelisting or denied use Document under blacklisting is specified. [c] whitelisting to allow the execution of authorized software or Screen Share blacklisting to prevent the use of unauthorized software is implemented as specified. CM.L2-3.4.9 Control and monitor user-installed software. [a] a policy for controlling the installation of software by users is Document established. [b] installation of software by users is controlled based on the Screen Share established policy. [a] privileged accounts are identified. Document IA.L1-3.5.1 Identify information system users, processes acting on behalf of users, or devices. IA.L1-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. [a] the identity of each user is authenticated or verified as a Screen Share prerequisite to system access. [b] the identity of each process acting on behalf of a user is Screen Share authenticated or verified as a prerequisite to system access. [c] the identity of each device accessing or connecting to the system is Screen Share authenticated or verified as a prerequisite to system access. IA.L2-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. [b] multifactor authentication is implemented for local access to Screen Share privileged accounts. [c] multifactor authentication is implemented for network access to Screen Share privileged accounts. [d] multifactor authentication is implemented for network access to Screen Share non-privileged accounts.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [a] a period within which identifiers cannot be reused is defined. Document [b] reuse of identifiers is prevented within the defined period. Artifact [a] a period of inactivity after which an identifier is disabled is defined. Document [b] identifiers are disabled after the defined period of inactivity. Artifact [a] password complexity requirements are defined. Document
| Certified CMMC Assessor (CCA)
[b] password change of character requirements are defined. Document IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. [a] replay-resistant authentication mechanisms are implemented for Screen Share network account access to privileged and non-privileged accounts. IA.L2-3.5.5 Prevent reuse of identifiers for a defined period. IA.L2-3.5.6 Disable identifiers after a defined period of inactivity. IA.L2-3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. [a] passwords are cryptographically protected in storage. Screen Share [b] passwords are cryptographically protected in transit. Screen Share [c] minimum password complexity requirements as defined are Screen Share enforced when new passwords are created. [d] minimum password change of character requirements as defined Screen Share are enforced when new passwords are created. IA.L2-3.5.8 Prohibit password reuse for a specified number of generations. [a] the number of generations during which a password cannot be Document reused is specified. [b] reuse of passwords is prohibited during the specified number of Screen Share generations. IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. [a] an immediate change to a permanent password is required when a Screen Share temporary password is used for system logon. IA.L2-3.5.10 Store and transmit only cryptographically-protected passwords. IA.L2-3.5.11 Obscure feedback of authentication information.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [a] an operational incident-handling capability is established. Document [b] the operational incident-handling capability includes preparation. Document [c] the operational incident-handling capability includes detection. Document [d] the operational incident-handling capability includes analysis. Document [e] the operational incident-handling capability includes containment. Document [f] the operational incident-handling capability includes recovery. Document CertifiedCMMCAssessor(CCA) | [a] incidents are tracked. Artifact [a] authentication information is obscured during the authentication Screen Share [b] incidents are documented. Artifact process. [c] authorities to whom incidents are to be reported are identified. Document [e] identified authorities are notified of incidents. Screen Share IR.L2-3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. [f] identified organizational officials are notified of incidents. Artifact [a] the incident response capability is tested. Artifact [g] the operational incident-handling capability includes user response Document activities. [a] system maintenance is performed. Artifact IR.L2-3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. [a] tools used to conduct system maintenance are controlled. Artifact [d] organizational officials to whom incidents are to be reported are Document identified. IR.L2-3.6.3 Test the organizational incident response capability. MA.L2-3.7.1 Perform maintenance on organizational systems. MA.L2-3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [b] techniques used to conduct system maintenance are controlled. Artifact [c] mechanisms used to conduct system maintenance are controlled. Artifact [d] personnel used to conduct system maintenance are controlled. Physical Review
| Certified CMMC Assessor (CCA)
MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. [a] equipment to be removed from organizational spaces for off-site Artifact maintenance is sanitized of any CUI. MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. [a] media containing diagnostic and test programs are checked for Artifact malicious code before being used in organizational systems that [a] paper media containing CUI is physically controlled. Document process, store, or transmit CUI. [b] digital media containing CUI is physically controlled. Document [c] paper media containing CUI is securely stored. Physical Review MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via [d] digital media containing CUI is securely stored. Physical Review external network connections and terminate such connections when nonlocal maintenance is complete. [a] multifactor authentication is used to establish nonlocal Screen Share [a] access to CUI on system media is limited to authorized users. Artifact maintenance sessions via external network connections. [b] nonlocal maintenance sessions established via external network Screen Share connections are terminated when nonlocal maintenance is complete. MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. [a] maintenance personnel without required access authorization are Document supervised during maintenance activities. MP.L2-3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. MP.L2-3.8.2 Limit access to CUI on system media to authorized users.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [a] media containing CUI is marked with applicable CUI markings. Physical Review [b] media containing CUI is marked with distribution limitations. Physical Review [a] access to media containing CUI is controlled. Document CertifiedCMMCAssessor(CCA) | MP.L1-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. [a] system media containing FCI is sanitized or destroyed before Document disposal. [b] system media containing FCI is sanitized before it is released for Document reuse. [a] the use of removable media on system components is controlled. Artifact MP.L2-3.8.4 Mark media with necessary CUI markings and distribution limitations. MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. [a] the confidentiality of backup CUI is protected at storage locations. Artifact [b] accountability for media containing CUI is maintained during Artifact transport outside of controlled areas. MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. [a] the confidentiality of CUI stored on digital media is protected Artifact during transport using cryptographic mechanisms or alternative physical safeguards. MP.L2-3.8.7 Control the use of removable media on system components. MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. [a] the use of portable storage devices is prohibited when such devices Artifact have no identifiable owner. MP.L2-3.8.9 Protect the confidentiality of backup CUI at storage locations.
PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [c] the system is protected during and after personnel transfer actions. Artifact [a] authorized individuals allowed physical access are identified. Artifact
| Certified CMMC Assessor (CCA)
[c] physical access to equipment is limited to authorized individuals. Physical Review [a] individuals are screened prior to authorizing access to Artifact organizational systems containing CUI. PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. [a] a policy and/or process for terminating system access and any Document credentials coincident with personnel actions is established. [b] the support infrastructure for organizational systems is protected. Physical Review [b] system access and credentials are terminated consistent with Artifact personnel actions such as termination or transfer. [d] the support infrastructure for organizational systems is monitored. Physical Review PE.L1-3.10.1 Limit physical access to organizational information systems, equipment, and the [a] visitors are escorted. Physical Review respective operating environments to authorized individuals. [b] visitor activity is monitored. Physical Review [b] physical access to organizational systems is limited to authorized Physical Review individuals. [a] audit logs of physical access are maintained. Artifact [d] physical access to operating environments is limited to authorized Physical Review individuals. PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems. [a] the physical facility where organizational systems reside is Physical Review protected. [c] the physical facility where organizational systems reside is Physical Review monitored. PE.L1-3.10.3 Escort visitors and monitor visitor activity. PE.L1-3.10.4 Maintain audit logs of physical access. PE.L1-3.10.5 Control and manage physical access devices.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [a] physical access devices are identified. Document [b] physical access devices are controlled. Physical Review [c] physical access devices are managed. Physical Review [a] safeguarding measures for CUI are defined for alternate work sites. Document CertifiedCMMCAssessor(CCA) | PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites. [b] safeguarding measures for CUI are enforced for alternate work Artifact sites. RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. [a] the frequency to assess risk to organizational operations, Document organizational assets, and individuals is defined. [a] vulnerabilities are identified. Artifact [b] risk to organizational operations, organizational assets, and Artifact [b] vulnerabilities are remediated in accordance with risk assessments. Artifact individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. [a] the frequency to scan for vulnerabilities in organizational systems Document and applications is defined. [b] vulnerability scans are performed on organizational systems with Screen Share the defined frequency. [c] vulnerability scans are performed on applications with the defined Screen Share frequency. [d] vulnerability scans are performed on organizational systems when Screen Share new vulnerabilities are identified. [e] vulnerability scans are performed on applications when new Screen Share vulnerabilities are identified. RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [a] the frequency of security control assessments is defined. Document
| Certified CMMC Assessor (CCA)
CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if thecontrols are effective in their application. [b] security controls are assessed with the defined frequency to Artifact [a] a system security plan is developed. Document determine if the controls are effective in their application. CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduceor eliminate vulnerabilities in organizational systems. [a] deficiencies and vulnerabilities to be addressed by the plan of Artifact action are identified. [b] a plan of action is developed to correct identified deficiencies and Artifact reduce or eliminate identified vulnerabilities. [c] the plan of action is implemented to correct identified deficiencies Artifact and reduce or eliminate identified vulnerabilities. [g] the frequency to update the system security plan is defined. Document CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness[h] system security plan is updated with the defined frequency. Document of the controls. [a] security controls are monitored on an ongoing basis to ensure the Artifact continued effectiveness of those controls. CA.L2-3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
[b] the system boundary is described and documented in the systemsecurity plan. Document
[c] the system environment of operation is described and documented Document in the system security plan. [d] the security requirements identified and approved by the Document designated authority as non-applicable are identified. [e] the method of security requirement implementation is described Document and documented in the system security plan. [f] the relationship with or connection to other systems is described Document and documented in the system security plan.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 |
[a] the external system boundary is defined. Document [b] key internal system boundaries are defined. Document [c] communications are monitored at the external system boundary. Screen Share [d] communications are monitored at key internal boundaries. Screen Share [e] communications are controlled at the external system boundary. Screen Share [f] communications are controlled at key internal boundaries. Screen Share [g] communications are protected at the external system boundary. Screen Share [h] communications are protected at key internal boundaries. Screen Share CertifiedCMMCAssessor(CCA) | SC.L1-3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. [a] user functionality is identified. Document [b] system management functionality is identified. Document SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. [a] architectural designs that promote effective information security Document are identified. [b] software development techniques that promote effective Document information security are identified. [c] systems engineering principles that promote effective information Document security are identified. [d] identified architectural designs that promote effective information Artifact security are employed. [e] identified software development techniques that promote effective Artifact information security are employed. [f] identified systems engineering principles that promote effective Artifact information security are employed. SC.L2-3.13.3 Separate user functionality from system management functionality. [c] user functionality is separated from system management Screen Share functionality. SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. [a] unauthorized and unintended information transfer via shared Screen Share system resources is prevented.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [a] publicly accessible system components are identified. Document [a] network communications traffic is denied by default. Screen Share [b] network communications traffic is allowed by exception. Screen Share
| Certified CMMC Assessor (CCA)
SC.L1-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. [b] subnetworks for publicly accessible system components are Artifact physically or logically separated from internal networks. SC.L2-3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). [a] remote devices are prevented from simultaneously establishing Screen Share non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. [a] cryptographic mechanisms intended to prevent unauthorized Document disclosure of CUI are identified. [b] alternative physical safeguards intended to prevent unauthorized Document disclosure of CUI are identified. [c] either cryptographic mechanisms or alternative physical safeguards Artifact are implemented to prevent unauthorized disclosure of CUI during transmission. SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. [a] a period of inactivity to terminate network connections associated Document with communications sessions is defined. [b] network connections associated with communications sessions are Screen Share terminated at the end of the sessions. [c] network connections associated with communications sessions are Screen Share terminated after the defined period of inactivity. SC.L2-3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 | [a] collaborative computing devices are identified. Document [c] remote activation of collaborative computing devices is prohibited. Artifact CertifiedCMMCAssessor(CCA) | [a] use of mobile code is controlled. Screen Share [a] cryptographic keys are established whenever cryptography is Artifact [b] use of mobile code is monitored. Screen Share employed. [b] cryptographic keys are managed whenever cryptography is Artifact employed. SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. [a] FIPS-validated cryptography is employed to protect the Screen Share confidentiality of CUI. [a] the authenticity of communications sessions is protected. Screen Share SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. [b] collaborative computing devices provide indication to users of Physical Review [a] the confidentiality of CUI at rest is protected. Artifact devices in use SC.L2-3.13.13 Control and monitor the use of mobile code. [a] the time within which to identify system flaws is specified. Document SC.L2-3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. [a] use of Voice over Internet Protocol (VoIP) technologies is Artifact controlled. [b] use of Voice over Internet Protocol (VoIP) technologies is Artifact monitored. SC.L2-3.13.15 Protect the authenticity of communications sessions. SC.L2-3.13.16 Protect the confidentiality of CUI at rest. SI.L1-3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 | [b] system flaws are identified within the specified time frame. Screen Share [c] the time within which to report system flaws is specified. Document [d] system flaws are reported within the specified time frame. Screen Share [e] the time within which to correct system flaws is specified. Document [f] system flaws are corrected within the specified time frame. Screen Share [a] designated locations for malicious code protection are identified. Document [b] protection from malicious code at designated locations is provided. Screen Share [b] system security alerts and advisories are monitored. Artifact
| Certified CMMC Assessor (CCA)
[a] the frequency for malicious code scans is defined. Document SI.L1-3.14.2 Provide protection from malicious code at appropriate locations within [b] malicious code scans are performed with the defined frequency. Screen Share organizational information systems. SI.L2-3.14.3 Monitor system security alerts and advisories and take action in response. [a] response actions to system security alerts and advisories are Document identified. [c] actions in response to system security alerts and advisories are Artifact taken. SI.L1-3.14.4 Update malicious code protection mechanisms when new releases are available.
[a] malicious code protection mechanisms are updated when newreleases are available. Screen Share
SI.L1-3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. [c] real-time malicious code scans of files from external sources as files Screen Share are downloaded, opened, or executed are performed. SI.L2-3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. [a] the system is monitored to detect attacks and indicators of Screen Share potential attacks. [b] inbound communications traffic is monitored to detect attacks and Screen Share indicators of potential attacks. [c] outbound communications traffic is monitored to detect attacks Screen Share and indicators of potential attacks.
Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2 |
[a] authorized use of the system is defined. Document [b] unauthorized use of the system is identified. Artifact CertifiedCMMCAssessor(CCA) | SI.L2-3.14.7 Identify unauthorized use of organizational systems.
Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2 |