Evidence Collection Approach: Difference between revisions

Revision as of 03:07, 29 March 2025

CMMC assessments and certification require substantial evidence and documentation. The following tables outline general guidelines for collecting evidence to assess control requirements and objectives. While these guidelines provide a structured approach, they are not the only means of conducting an accurate assessment. Assessors should exercise professional judgment and may employ alternative methods appropriate to the specific organizational context and circumstances.

Evidence collection approaches are defined as:

Documentation: Tangible materials containing information over which an organization has authority, including all types of written records and their copies.
Artifacts: Tangible, reviewable records directly resulting from a practice or process being performed by a system or by personnel executing their role within that practice, control, or process.
Physical Review: Direct on-site observation and examination of evidence.
Screen Share: Real-time remote observation of a user demonstrating a task or process via shared computer screen, sometimes called "over-the-shoulder" review.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

AC.L2-3.1.1 – Authorized Access Control [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
[a] authorized users are identified.	Document	Example
[b] processes acting on behalf of authorized users are identified.	Document	Example
[c] devices (and other systems) authorized to connect to the system are identified.	Document	Example
[d] system access is limited to authorized users.	Screen Share	Example
[e] system access is limited to processes acting on behalf of authorized users.	Screen Share	Example
[f] system access is limited to authorized devices (including other systems).	Screen Share	Example

AC.L2-3.1.2 – Transaction & Function Control [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
[a] the types of transactions and functions that authorized users are permitted to execute are defined.	Document	Example
[b] system access is limited to the defined types of transactions and functions for authorized users.	Screen Share	Example

AC.L2-3.1.3 – Control CUI Flow

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control the flow of CUI in accordance with approved authorizations.
[a] information flow control policies are defined.	Document	Example
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined.	Document	Example
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified.	Document	Example
[d] authorizations for controlling the flow of CUI are defined.	Document	Example
[e] approved authorizations for controlling the flow of CUI are enforced

AC.L2-3.1.4 – Separation of Duties

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
[a] the duties of individuals requiring separation are defined.	Document	Example
[b] responsibilities for duties that require separation are assigned to separate individuals.	Document	Example
[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals

AC.L2-3.1.5 – Least Privilege

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Employ the principle of least privilege, including for specific security functions and privileged accounts.
[a] privileged accounts are identified.	Document	Example
[b] access to privileged accounts is authorized in accordance with the principle of least privilege.	Document	Example
[c] security functions are identified.	Document	Example
[d] access to security functions is authorized in accordance with the principle of least privilege.	Document	Example

AC.L2-3.1.6 – Non-Privileged Account Use

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Use non-privileged accounts or roles when accessing nonsecurity functions.
[a] nonsecurity functions are identified.	Document	Example
[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.	Document	Example

AC.L2-3.1.7 – Privileged Functions

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
[a] privileged functions are defined.	Document	Example
[b] non-privileged users are defined.	Document	Example
[c] non-privileged users are prevented from executing privileged functions.	Document	Example
[d] the execution of privileged functions is captured in audit logs.	Document	Example

AC.L2-3.1.8 – Unsuccessful Logon Attempts

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Limit unsuccessful logon attempts.
[a] the means of limiting unsuccessful logon attempts is defined.	Document	Example
[b] the defined means of limiting unsuccessful logon attempts is implemented.	Document	Example

AC.L2-3.1.9 – Privacy & Security Notices

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Provide privacy and security notices consistent with applicable CUI rules.
[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category.	Document	Example
[b] privacy and security notices are displayed.	Document	Example

AC.L2-3.1.10 – Session Lock

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
[a] the period of inactivity after which the system initiates a session lock is defined.	Document	Example
[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.	Document	Example
[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.	Document	Example

AC.L2-3.1.11 – Session Termination

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Terminate (automatically) a user session after a defined condition.
[a] conditions requiring a user session to terminate are defined.	Document	Example
[b] a user session is automatically terminated after any of the defined conditions.	Document	Example

AC.L2-3.1.12 – Control Remote Access

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Monitor and control remote access sessions.
[a] remote access sessions are permitted.	Document	Example
[b] the types of permitted remote access are identified.	Document	Example
[c] remote access sessions are controlled.	Document	Example
[d] remote access sessions are monitored.	Document	Example

AC.L2-3.1.13 – Remote Access Confidentiality

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.	Document	Example
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.	Document	Example

AC.L2-3.1.14 – Remote Access Routing

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Route remote access via managed access control points.
[a] managed access control points are identified and implemented.	Document	Example
[b] remote access is routed through managed network access control points.	Document	Example

AC.L2-3.1.15 – Privileged Remote Access

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Authorize remote execution of privileged commands and remote access to security-relevant information.
[a] privileged commands authorized for remote execution are identified.	Document	Example
[b] security-relevant information authorized to be accessed remotely is identified.	Document	Example
[c] the execution of the identified privileged commands via remote access is authorized.	Document	Example
[d] access to the identified security-relevant information via remote access is authorized.	Document	Example

AC.L2-3.1.16 – Wireless Access Authorization

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Authorize wireless access prior to allowing such connections.
[a] wireless access points are identified.	Document	Example
[b] wireless access is authorized prior to allowing such connections.	Document	Example

AC.L2-3.1.17 – Wireless Access Protection

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect wireless access using authentication and encryption.
[a] wireless access to the system is protected using authentication.	Document	Example
[b] wireless access to the system is protected using encryption.	Document	Example

AC.L2-3.1.18 – Mobile Device Connection

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control connection of mobile devices.
[a] mobile devices that process, store, or transmit CUI are identified.	Document	Example
[b] mobile device connections are authorized.	Document	Example
[c] mobile device connections are monitored and logged.	Document	Example

AC.L2-3.1.19 – Encrypt CUI on Mobile

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Encrypt CUI on mobile devices and mobile computing platforms.
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.	Document	Example
[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.	Document	Example

AC.L2-3.1.20 – External Connections [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Verify and control/limit connections to and use of external information systems.
[a] connections to external systems are identified.	Document	Example
[b] the use of external systems is identified.	Document	Example
[c] connections to external systems are verified.	Document	Example
[d] the use of external systems is verified.	Document	Example
[e] connections to external systems are controlled/limited.	Document	Example
[f] the use of external systems is controlled/limited.	Document	Example

AC.L2-3.1.21 – Portable Storage Use

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Limit use of portable storage devices on external systems.
[a] the use of portable storage devices containing CUI on external systems is identified and documented.	Document	Example
[b] limits on the use of portable storage devices containing CUI on external systems are defined.	Document	Example
[c] the use of portable storage devices containing CUI on external systems is limited as defined.	Document	Example

AC.L2-3.1.22 – Control Public Information [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control information posted or processed on publicly accessible information systems.
[a] individuals authorized to post or process information on publicly accessible systems are identified.	Document	Example
[b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified.	Document	Example
[c] a review process is in place prior to posting of any content to publicly accessible systems.	Document	Example
[d] content on publicly accessible systems is reviewed to ensure that it does not include CUI.	Document	Example
[e] mechanisms are in place to remove and address improper posting of CUI.	Document	Example

Awareness and Training (AT)

AT.L2-3.2.1 – Role-Based Risk Awareness

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
[a] security risks associated with organizational activities involving CUI are identified.	Document	Example
[b] policies, standards, and procedures related to the security of the system are identified.	Document	Example
[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.	Document	Example
[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.	Document	Example

AT.L2-3.2.2 – Role-Based Training

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.\|-
[a] information security-related duties, roles, and responsibilities are defined.	Document	Example
[b] information security-related duties, roles, and responsibilities are assigned to designated personnel.	Document	Example
[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.	Document	Example

AT.L2-3.2.3 – Insider Threat Awareness

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
[a] potential indicators associated with insider threats are identified.	Document	Example
[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.	Document	Example

Audit and Accountability (AU)

AU.L2-3.3.1 – System Auditing

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified.	Document	Example
[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.	Document	Example
[c] audit records are created (generated).	Document	Example
[d] audit records, once created, contain the defined content.	Document	Example
[e] retention requirements for audit records are defined.	Document	Example
[f] audit records are retained as defined.	Document	Example

AU.L2-3.3.2 – User Accountability

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
[a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined.	Document	Example
[b] audit records, once created, contain the defined content.	Document	Example

AU.L2-3.3.3 – Event Review

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Review and update logged events.
[a] a process for determining when to review logged events is defined.	Document	Example
[b] event types being logged are reviewed in accordance with the defined review process.	Document	Example
[c] event types being logged are updated based on the review.	Document	Example

AU.L2-3.3.4 – Audit Failure Alerting

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Alert in the event of an audit logging process failure.
[a] personnel or roles to be alerted in the event of an audit logging process failure are identified.	Document	Example
[b] types of audit logging process failures for which alert will be generated are defined.	Document	Example
[c] identified personnel or roles are alerted in the event of an audit logging process failure.	Document	Example

AU.L2-3.3.5 – Audit Correlation

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined.	Document	Example
[b] defined audit record review, analysis, and reporting processes are correlated.	Document	Example

AU.L2-3.3.6 – Reduction & Reporting

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Provide audit record reduction and report generation to support on-demand analysis and reporting.
[a] an audit record reduction capability that supports on-demand analysis is provided.	Document	Example
[b] a report generation capability that supports on-demand reporting is provided.	Document	Example

AU.L2-3.3.7 – Authoritative Time Source

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
[a] internal system clocks are used to generate time stamps for audit records.	Document	Example
[b] an authoritative source with which to compare and synchronize internal system clocks is specified.	Document	Example
[c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.	Document	Example

AU.L2-3.3.8 – Audit Protection

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
[a] audit information is protected from unauthorized access.	Document	Example
[b] audit information is protected from unauthorized modification.	Document	Example
[c] audit information is protected from unauthorized deletion.	Document	Example
[d] audit logging tools are protected from unauthorized access.	Document	Example
[e] audit logging tools are protected from unauthorized modification.	Document	Example
[f] audit logging tools are protected from unauthorized deletion.	Document	Example

AU.L2-3.3.9 – Audit Management

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Limit management of audit logging functionality to a subset of privileged users.
[a] a subset of privileged users granted access to manage audit logging functionality is defined.	Document	Example
[b] management of audit logging functionality is limited to the defined subset of privileged users.	Document	Example

Configuration Management (CM)

CM.L2-3.4.1 – System Baselining

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
[a] a baseline configuration is established.	Document	Example
[b] the baseline configuration includes hardware, software, firmware, and documentation.	Document	Example
[c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle.	Document	Example
[d] a system inventory is established.	Document	Example
[e] the system inventory includes hardware, software, firmware, and documentation.	Document	Example
[f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.	Document	Example

CM.L2-3.4.2 – Security Configuration Enforcement

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Establish and enforce security configuration settings for information technology products employed in organizational systems.
[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration.	Document	Example
[b] security configuration settings for information technology products employed in the system are enforced.	Document	Example

CM.L2-3.4.3 – System Change Management

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Track, review, approve or disapprove, and log changes to organizational systems.
[a] changes to the system are tracked.	Document	Example
[b] changes to the system are reviewed.	Document	Example
[c] changes to the system are approved or disapproved.	Document	Example
[d] changes to the system are logged.	Document	Example

CM.L2-3.4.4 – Security Impact Analysis

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Analyze the security impact of changes prior to implementation.
[a] the security impact of changes to the system is analyzed prior to implementation.	Document	Example

CM.L2-3.4.5 – Access Restrictions for Change

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
[a] physical access restrictions associated with changes to the system are defined.	Document	Example
[b] physical access restrictions associated with changes to the system are documented.	Document	Example
[c] physical access restrictions associated with changes to the system are approved.	Document	Example
[d] physical access restrictions associated with changes to the system are enforced.	Document	Example
[e] logical access restrictions associated with changes to the system are defined.	Document	Example
[f] logical access restrictions associated with changes to the system are documented.	Document	Example
[g] logical access restrictions associated with changes to the system are approved.	Document	Example
[h] logical access restrictions associated with changes to the system are enforced.	Document	Example

CM.L2-3.4.6 – Least Functionality

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
[a] essential system capabilities are defined based on the principle of least functionality.	Document	Example
[b] the system is configured to provide only the defined essential capabilities.	Document	Example

CM.L2-3.4.7 – Nonessential Functionality

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
[a] essential programs are defined.	Document	Example
[b] the use of nonessential programs is defined.	Document	Example
[c] the use of nonessential programs is restricted, disabled, or prevented as defined.	Document	Example
[d] essential functions are defined.	Document	Example
[e] the use of nonessential functions is defined.	Document	Example
[f] the use of nonessential functions is restricted, disabled, or prevented as defined.	Document	Example
[g] essential ports are defined.	Document	Example
[h] the use of nonessential ports is defined.	Document	Example
[i] the use of nonessential ports is restricted, disabled, or prevented as defined.	Document	Example
[j] essential protocols are defined.	Document	Example
[k] the use of nonessential protocols is defined.	Document	Example
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined.	Document	Example
[m] essential services are defined.	Document	Example
[n] the use of nonessential services is defined.	Document	Example
[o] the use of nonessential services is restricted, disabled, or prevented as defined.	Document	Example

CM.L2-3.4.8 – Application Execution Policy

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified.	Document	Example
[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified.	Document	Example
[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.	Document	Example

CM.L2-3.4.9 – User-Installed Software

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control and monitor user-installed software.
[a] a policy for controlling the installation of software by users is established.	Document	Example
[b] installation of software by users is controlled based on the established policy.	Document	Example
[c] installation of software by users is monitored.	Document	Example

Identification and Authentication (IA)

IA.L2-3.5.1 – Identification [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Identify information system users, processes acting on behalf of users, or devices.
[a] system users are identified.	Document	Example
[b] processes acting on behalf of users are identified.	Document	Example
[c] devices accessing the system are identified.	Document	Example

IA.L2-3.5.2 – Authentication [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
[a] the identity of each user is authenticated or verified as a prerequisite to system access.	Document	Example
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.	Document	Example
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.	Document	Example

IA.L2-3.5.3 – Multifactor Authentication

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
[a] privileged accounts are identified.	Document	Example
[b] multifactor authentication is implemented for local access to privileged accounts.	Document	Example
[c] multifactor authentication is implemented for network access to privileged accounts.	Document	Example
[d] multifactor authentication is implemented for network access to non-privileged accounts.	Document	Example

IA.L2-3.5.4 – Replay-Resistant Authentication

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
[a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.	Document	Example

IA.L2-3.5.5 – Identifier Reuse

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prevent reuse of identifiers for a defined period.
[a] a period within which identifiers cannot be reused is defined.	Document	Example
[b] reuse of identifiers is prevented within the defined period.	Document	Example

IA.L2-3.5.6 – Identifier Handling

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Disable identifiers after a defined period of inactivity.
[a] a period of inactivity after which an identifier is disabled is defined.	Document	Example
[b] identifiers are disabled after the defined period of inactivity.	Document	Example

IA.L2-3.5.7 – Password Complexity

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Enforce a minimum password complexity and change of characters when new passwords are created.
[a] password complexity requirements are defined.	Document	Example
[b] password change of character requirements are defined.	Document	Example
[c] minimum password complexity requirements as defined are enforced when new passwords are created.	Document	Example
[d] minimum password change of character requirements as defined are enforced when new passwords are created.	Document	Example

IA.L2-3.5.8 – Password Reuse

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prohibit password reuse for a specified number of generations.
[a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.	Document	Example

IA.L2-3.5.9 – Temporary Passwords

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Allow temporary password use for system logons with an immediate change to a permanent password.
[a] an immediate change to a permanent password is required when a temporary password is used for system logon.	Document	Example

IA.L2-3.5.10 – Cryptographically-Protected Passwords

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Store and transmit only cryptographically-protected passwords.
[a] passwords are cryptographically protected in storage.	Document	Example
[b] passwords are cryptographically protected in transit.	Document	Example

IA.L2-3.5.11 – Obscure Feedback

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Obscure feedback of authentication information.
[a] authentication information is obscured during the authentication process.	Document	Example

Incident Response (IR)

IR.L2-3.6.1 – Incident Handling

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
[a] an operational incident-handling capability is established.	Document	Example
[b] the operational incident-handling capability includes preparation.	Document	Example
[c] the operational incident-handling capability includes detection.	Document	Example
[d] the operational incident-handling capability includes analysis.	Document	Example
[e] the operational incident-handling capability includes containment.	Document	Example
[f] the operational incident-handling capability includes recovery.	Document	Example
[g] the operational incident-handling capability includes user response.	Document	Example

IR.L2-3.6.2 – Incident Reporting

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
[a] incidents are tracked.	Document	Example
[b] incidents are documented.	Document	Example
[c] authorities to whom incidents are to be reported are identified.	Document	Example
[d] organizational officials to whom incidents are to be reported are identified.	Document	Example
[e] identified authorities are notified of incidents.	Document	Example
[f] identified organizational officials are notified of incidents.	Document	Example

IR.L2-3.6.3 – Incident Response Testing

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Test the organizational incident response capability.
[a] the incident response capability is tested.	Document	Example

Maintenance (MA)

MA.L2-3.7.1 – Perform Maintenance

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Perform maintenance on organizational systems.
[a] system maintenance is performed.	Document	Example

MA.L2-3.7.2 – System Maintenance Control

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
[a] tools used to conduct system maintenance are controlled.	Document	Example
[b] techniques used to conduct system maintenance are controlled.	Document	Example
[c] mechanisms used to conduct system maintenance are controlled.	Document	Example
[d] personnel used to conduct system maintenance are controlled.	Document	Example

MA.L2-3.7.3 – Equipment Sanitization

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
[a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.	Document	Example

MA.L2-3.7.4 – Media Inspection

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
[a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.	Document	Example

MA.L2-3.7.5 – Nonlocal Maintenance

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections.	Document	Example
[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.	Document	Example

MA.L2-3.7.6 – Maintenance Personnel

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Supervise the maintenance activities of maintenance personnel without required access authorization.
[a] maintenance personnel without required access authorization are supervised during maintenance activities.	Document	Example

Media Protection (MP)

MP.L2-3.8.1 – Media Protection

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
[a] paper media containing CUI is physically controlled.	Document	Example
[b] digital media containing CUI is physically controlled.	Document	Example
[c] paper media containing CUI is securely stored.	Document	Example
[d] digital media containing CUI is securely stored.	Document	Example

MP.L2-3.8.2 – Media Access

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Limit access to CUI on system media to authorized users.
[a] access to CUI on system media is limited to authorized users.	Document	Example

MP.L2-3.8.3 – Media Disposal [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
[a] system media containing CUI is sanitized or destroyed before disposal.	Document	Example
[b] system media containing CUI is sanitized before it is released for reuse.	Document	Example

MP.L2-3.8.4 – Media Markings

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Mark media with necessary CUI markings and distribution limitations.
[a] media containing CUI is marked with applicable CUI markings.	Document	Example
[b] media containing CUI is marked with distribution limitations.	Document	Example

MP.L2-3.8.5 – Media Accountability

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
[a] access to media containing CUI is controlled.	Document	Example
[b] accountability for media containing CUI is maintained during transport outside of controlled areas.	Document	Example

MP.L2-3.8.6 – Portable Storage Encryption

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.	Document	Example

MP.L2-3.8.7 – Removable Media

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control the use of removable media on system components.
[a] the use of removable media on system components is controlled.	Document	Example

MP.L2-3.8.8 – Shared Media

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES
[a] the use of portable storage devices is prohibited when such devices have no identifiable owner.	Document	Example

MP.L2-3.8.9 – Protect Backups

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect the confidentiality of backup CUI at storage locations.
[a] the confidentiality of backup CUI is protected at storage locations.	Document	Example

Personnel Security (PS)

PS.L2-3.9.1 – Screen Individuals

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
[a] individuals are screened prior to authorizing access to organizational systems containing CUI.	Document	Example

PS.L2-3.9.2 – Personnel Actions

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established.	Document	Example
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer.	Document	Example
[c] the system is protected during and after personnel transfer actions.	Document	Example

Physical Protection (PE)

PE.L2-3.10.1 – Limit Physical Access [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
[a] authorized individuals allowed physical access are identified.	Document	Example
[b] physical access to organizational systems is limited to authorized individuals.	Document	Example
[c] physical access to equipment is limited to authorized individuals.	Document	Example
[d] physical access to operating environments is limited to authorized.	Document	Example

PE.L2-3.10.2 – Monitor Facility

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect and monitor the physical facility and support infrastructure for organizational systems.
[a] the physical facility where organizational systems reside is protected.	Document	Example
[b] the support infrastructure for organizational systems is protected.	Document	Example
[c] the physical facility where organizational systems reside is monitored.	Document	Example
[d] the support infrastructure for organizational systems is monitored.	Document	Example

PE.L2-3.10.3 – Escort Visitors [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Escort visitors and monitor visitor activity.
[a] visitors are escorted.	Document	Example
[b] visitor activity is monitored.	Document	Example

PE.L2-3.10.4 – Physical Access Logs [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Maintain audit logs of physical access.
[a] audit logs of physical access are maintained.	Document	Example

PE.L2-3.10.5 – Manage Physical Access [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control and manage physical access devices.
[a] physical access devices are identified.	Document	Example
[b] physical access devices are controlled.	Document	Example
[c] physical access devices are managed.	Document	Example

PE.L2-3.10.6 – Alternative Work Sites

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Enforce safeguarding measures for CUI at alternate work sites.
[a] safeguarding measures for CUI are defined for alternate work sites.	Document	Example
[b] safeguarding measures for CUI are enforced for alternate work sites.	Document	Example

Risk Assessment (RA)

RA.L2-3.11.1 – Risk Assessments

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined.	Document	Example
[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.	Document	Example

RA.L2-3.11.2 – Vulnerability Scan

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined.	Document	Example
[b] vulnerability scans are performed on organizational systems with the defined frequency.	Document	Example
[c] vulnerability scans are performed on applications with the defined frequency.	Document	Example
[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified.	Document	Example
[e] vulnerability scans are performed on applications when new vulnerabilities are identified. \|\| Document \|\| Example

RA.L2-3.11.3 – Vulnerability Remediation

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Remediate vulnerabilities in accordance with risk assessments.
[a] vulnerabilities are identified.	Document	Example
[b] vulnerabilities are remediated in accordance with risk assessments.	Document	Example

Security Assessment (CA)

CA.L2-3.12.1 – Security Control Assessment

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
[a] the frequency of security control assessments is defined.	Document	Example
[b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.	Document	Example

CA.L2-3.12.2 – Operational Plan of Action

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified.	Document	Example
[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities.	Document	Example
[c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.	Document	Example

CA.L2-3.12.3 – Security Control Monitoring

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
[a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.	Document	Example

CA.L2-3.12.4 – System Security Plan =

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
[a] a system security plan is developed.	Document	Example
[b] the system boundary is described and documented in the system security plan.	Document	Example
[c] the system environment of operation is described and documented in the system security plan.	Document	Example
[d] the security requirements identified and approved by the designated authority as non-applicable are identified.	Document	Example
[e] the method of security requirement implementation is described and documented in the system security plan.	Document	Example
[f] the relationship with or connection to other systems is described and documented in the system security plan.	Document	Example
[g] the frequency to update the system security plan is defined.	Document	Example
[h] system security plan is updated with the defined frequency.	Document	Example

System and Communications Protection (SC)

SC.L2-3.13.1 – Boundary Protection [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
[a] the external system boundary is defined.	Document	Example
[b] key internal system boundaries are defined.	Document	Example
[c] communications are monitored at the external system boundary.	Document	Example
[d] communications are monitored at key internal boundaries.	Document	Example
[e] communications are controlled at the external system boundary.	Document	Example
[f] communications are controlled at key internal boundaries.	Document	Example
[g] communications are protected at the external system boundary.	Document	Example
[h] communications are protected at key internal boundaries.	Document	Example

SC.L2-3.13.2 – Security Engineering

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
[a] architectural designs that promote effective information security are identified.	Document	Example
[b] software development techniques that promote effective information security are identified.	Document	Example
[c] systems engineering principles that promote effective information security are identified.	Document	Example
[d] identified architectural designs that promote effective information security are employed.	Document	Example
[e] identified software development techniques that promote effective information security are employed.	Document	Example
[f] identified systems engineering principles that promote effective information security are employed.	Document	Example

SC.L2-3.13.3 – Role Separation

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Separate user functionality from system management functionality.
[a] user functionality is identified.	Document	Example
[b] system management functionality is identified.	Document	Example
[c] user functionality is separated from system management functionality.	Document	Example

SC.L2-3.13.4 – Shared Resource Control

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prevent unauthorized and unintended information transfer via shared system resources.
[a] unauthorized and unintended information transfer via shared system resources is prevented.	Document	Example

SC.L2-3.13.5 – Public-Access System Separation [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
[a] publicly accessible system components are identified.	Document	Example
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.	Document	Example

SC.L2-3.13.6 – Network Communication by Exception

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
[a] network communications traffic is denied by default.	Document	Example
[b] network communications traffic is allowed by exception.	Document	Example

SC.L2-3.13.7 – Split Tunneling

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
[a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).	Document	Example

SC.L2-3.13.8 – Data in Transit

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified.	Document	Example
[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.	Document	Example
[c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.	Document	Example

SC.L2-3.13.9 – Connections Termination

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
[a] a period of inactivity to terminate network connections associated with communications sessions is defined.	Document	Example
[b] network connections associated with communications sessions are terminated at the end of the sessions.	Document	Example
[c] network connections associated with communications sessions are terminated after the defined period of inactivity.	Document	Example

SC.L2-3.13.10 – Key Management

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Establish and manage cryptographic keys for cryptography employed in organizational systems.
[a] cryptographic keys are established whenever cryptography is employed.	Document	Example
[b] cryptographic keys are managed whenever cryptography is employed.	Document	Example

SC.L2-3.13.11 – CUI Encryption

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.	Document	Example

SC.L2-3.13.12 – Collaborative Device Control

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
[a] collaborative computing devices are identified.	Document	Example
[b] collaborative computing devices provide indication to users of devices in use.	Document	Example
[c] remote activation of collaborative computing devices is prohibited.	Document	Example

SC.L2-3.13.13 – Mobile Code

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control and monitor the use of mobile code.
[a] use of mobile code is controlled.	Document	Example
[b] use of mobile code is monitored.	Document	Example

SC.L2-3.13.14 – Voice over Internet Protocol

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
[a] use of Voice over Internet Protocol (VoIP) technologies is controlled.	Document	Example
[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.	Document	Example

SC.L2-3.13.15 – Communications Authenticity

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect the authenticity of communications sessions.
[a] the authenticity of communications sessions is protected.	Document	Example

SC.L2-3.13.16 – Data at Rest

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Protect the confidentiality of CUI at rest.
[a] the confidentiality of CUI at rest is protected.	Document	Example

System and Information Integrity (SI)

SI.L2-3.14.1 – Flaw Remediation [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Identify, report, and correct information and information system flaws in a timely manner.
[a] the time within which to identify system flaws is specified.	Document	Example
[b] system flaws are identified within the specified time frame.	Document	Example
[c] the time within which to report system flaws is specified.	Document	Example
[d] system flaws are reported within the specified time frame.	Document	Example
[e] the time within which to correct system flaws is specified.	Document	Example
[f] system flaws are corrected within the specified time frame.	Document	Example

SI.L2-3.14.2 – Malicious Code ProTection [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Provide protection from malicious code at appropriate locations within organizational information systems.
[a] designated locations for malicious code protection are identified.	Document	Example
[b] protection from malicious code at designated locations is provided.	Document	Example

SI.L2-3.14.3 – Security Alerts & Advisories

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Monitor system security alerts and advisories and take action in response.
[a] response actions to system security alerts and advisories are identified.	Document	Example
[b] system security alerts and advisories are monitored.	Document	Example
[c] actions in response to system security alerts and advisories are taken.	Document	Example

SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Update malicious code protection mechanisms when new releases are available.
[a] malicious code protection mechanisms are updated when new releases are available.	Document	Example

SI.L2-3.14.5 – System & File Scanning [CUI Data]

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
[a] the frequency for malicious code scans is defined.	Document	Example
[b] malicious code scans are performed with the defined frequency.	Document	Example
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.	Document	Example

SI.L2-3.14.6 – Monitor Communications for Attacks

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
[a] the system is monitored to detect attacks and indicators of potential attacks.	Document	Example
[b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks.	Document	Example
[c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.	Document	Example

SI.L2-3.14.7 – Identify Unauthorized Use

Assessment Objectives	Collection Approach	Evidence Examples
AC.L2-3.x.1 Identify unauthorized use of organizational systems.
[a] authorized use of the system is defined.	Document	Example
[b] unauthorized use of the system is identified.	Document	Example

@@ Line 16: / Line 16: @@
 ! style="width: 50%"| '''Evidence Examples'''
 |-
-| colspan="3" | [[ Practice_AC.L2-3.1.1_Details | '''AC.L2-3.1.1''' ]] Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
+| colspan="3" | [[Practice_AC.L2-3.1.1_Details|'''AC.L2-3.1.1''']] Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
 |-
 | [a] authorized users are identified. || Document || Example
@@ Line 37: / Line 37: @@
 ! style="width: 50%"| '''Evidence Examples'''
 |-
-| colspan="3" | [[ Practice_AC.L2-3.1.2_Details | '''AC.L2-3.1.2''' ]] Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
+| colspan="3" | [[Practice_AC.L2-3.1.2_Details|'''AC.L2-3.1.2''']] Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
 |-
 | [a] the types of transactions and functions that authorized users are permitted to execute are defined. || Document || Example
@@ Line 46: / Line 46: @@
 === AC.L2-3.1.3 – Control CUI Flow ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control the flow of CUI in accordance with approved authorizations.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control the flow of CUI in accordance with approved authorizations.
-: [a] information flow control policies are defined;
-: [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
-: [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
-: [d] authorizations for controlling the flow of CUI are defined; and
-: [e] approved authorizations for controlling the flow of CUI are enforced.
 |-
-|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
+| [a] information flow control policies are defined. || Document || Example
+|-
+| [b] methods and enforcement mechanisms for controlling the flow of CUI are defined. || Document || Example
+|-
+| [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. || Document || Example
+|-
+| [d] authorizations for controlling the flow of CUI are defined. || Document || Example
+|-
+| [e] approved authorizations for controlling the flow of CUI are enforced
 |}
 === AC.L2-3.1.4 – Separation of Duties ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
-: [a] the duties of individuals requiring separation are defined;
-: [b] responsibilities for duties that require separation are assigned to separate individuals; and
-: [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
 |-
-|[[Practice_AC.L2-3.1.4_Details|More Practice Details...]]
+| [a] the duties of individuals requiring separation are defined. || Document || Example
+|-
+| [b] responsibilities for duties that require separation are assigned to separate individuals. || Document || Example
+|-
+| [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals
 |}
 === AC.L2-3.1.5 – Least Privilege ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Employ the principle of least privilege, including for specific security functions and privileged accounts.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Employ the principle of least privilege, including for specific security functions and privileged accounts.
+|-
+| [a] privileged accounts are identified. || Document || Example
+|-
+| [b] access to privileged accounts is authorized in accordance with the principle of least privilege. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [c] security functions are identified. || Document || Example
-: [a] privileged accounts are identified;
-: [b] access to privileged accounts is authorized in accordance with the principle of least privilege;
-: [c] security functions are identified; and
-: [d] access to security functions is authorized in accordance with the principle of least privilege.
 |-
-|[[Practice_AC.L2-3.1.5_Details|More Practice Details...]]
+| [d] access to security functions is authorized in accordance with the principle of least privilege. || Document || Example
 |}
 === AC.L2-3.1.6 – Non-Privileged Account Use ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Use non-privileged accounts or roles when accessing nonsecurity functions.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Use non-privileged accounts or roles when accessing nonsecurity functions.
-: [a] nonsecurity functions are identified; and
-: [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
 |-
-|[[Practice_AC.L2-3.1.6_Details|More Practice Details...]]
+| [a] nonsecurity functions are identified. || Document || Example
+|-
+| [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions. || Document || Example
 |}
 === AC.L2-3.1.7 – Privileged Functions ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
+|-
+| [a] privileged functions are defined. || Document || Example
+|-
+| [b] non-privileged users are defined. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [c] non-privileged users are prevented from executing privileged functions. || Document || Example
-: [a] privileged functions are defined;
-: [b] non-privileged users are defined;
-: [c] non-privileged users are prevented from executing privileged functions; and
-: [d] the execution of privileged functions is captured in audit logs.
 |-
-|[[Practice_AC.L2-3.1.7_Details|More Practice Details...]]
+| [d] the execution of privileged functions is captured in audit logs. || Document || Example
 |}
 === AC.L2-3.1.8 – Unsuccessful Logon Attempts ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Limit unsuccessful logon attempts.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Limit unsuccessful logon attempts.
-: [a] the means of limiting unsuccessful logon attempts is defined; and
-: [b] the defined means of limiting unsuccessful logon attempts is implemented.
 |-
-|[[Practice_AC.L2-3.1.8_Details|More Practice Details...]]
+| [a] the means of limiting unsuccessful logon attempts is defined. || Document || Example
+|-
+| [b] the defined means of limiting unsuccessful logon attempts is implemented. || Document || Example
 |}
 === AC.L2-3.1.9 – Privacy & Security Notices ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Provide privacy and security notices consistent with applicable CUI rules.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Provide privacy and security notices consistent with applicable CUI rules.
-: [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
-: [b] privacy and security notices are displayed.
 |-
-|[[Practice_AC.L2-3.1.9_Details|More Practice Details...]]
+| [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. || Document || Example
+|-
+| [b] privacy and security notices are displayed. || Document || Example
 |}
 === AC.L2-3.1.10 – Session Lock ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
-: [a] the period of inactivity after which the system initiates a session lock is defined;
-: [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
-: [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
 |-
-|[[Practice_AC.L2-3.1.10_Details|More Practice Details...]]
+| [a] the period of inactivity after which the system initiates a session lock is defined. || Document || Example
+|-
+| [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. || Document || Example
+|-
+| [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. || Document || Example
 |}
 === AC.L2-3.1.11 – Session Termination ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Terminate (automatically) a user session after a defined condition.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Terminate (automatically) a user session after a defined condition.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] conditions requiring a user session to terminate are defined. || Document || Example
-: [a] conditions requiring a user session to terminate are defined; and
-: [b] a user session is automatically terminated after any of the defined conditions
 |-
-|[[Practice_AC.L2-3.1.11_Details|More Practice Details...]]
+| [b] a user session is automatically terminated after any of the defined conditions. || Document || Example
 |}
 === AC.L2-3.1.12 – Control Remote Access ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Monitor and control remote access sessions.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Monitor and control remote access sessions.
-: [a] remote access sessions are permitted;
-: [b] the types of permitted remote access are identified;
-: [c] remote access sessions are controlled; and
-: [d] remote access sessions are monitored.
 |-
-|[[Practice_AC.L2-3.1.12_Details|More Practice Details...]]
+| [a] remote access sessions are permitted. || Document || Example
+|-
+| [b] the types of permitted remote access are identified. || Document || Example
+|-
+| [c] remote access sessions are controlled. || Document || Example
+|-
+| [d] remote access sessions are monitored. || Document || Example
 |}
 === AC.L2-3.1.13 – Remote Access Confidentiality ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
-: [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
-: [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
 |-
-|[[Practice_AC.L2-3.1.13_Details|More Practice Details...]]
+| [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. || Document || Example
+|-
+| [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. || Document || Example
 |}
 === AC.L2-3.1.14 – Remote Access Routing ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Route remote access via managed access control points.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Route remote access via managed access control points.
-: [a] managed access control points are identified and implemented; and
-: [b] remote access is routed through managed network access control points.
 |-
-|[[Practice_AC.L2-3.1.14_Details|More Practice Details...]]
+| [a] managed access control points are identified and implemented. || Document || Example
+|-
+| [b] remote access is routed through managed network access control points. || Document || Example
 |}
 === AC.L2-3.1.15 – Privileged Remote Access ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Authorize remote execution of privileged commands and remote access to security-relevant information.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Authorize remote execution of privileged commands and remote access to security-relevant information.
-: [a] privileged commands authorized for remote execution are identified;
-: [b] security-relevant information authorized to be accessed remotely is identified;
-: [c] the execution of the identified privileged commands via remote access is authorized; and
-: [d] access to the identified security-relevant information via remote access is authorized.
 |-
-|[[Practice_AC.L2-3.1.15_Details|More Practice Details...]]
+| [a] privileged commands authorized for remote execution are identified. || Document || Example
+|-
+| [b] security-relevant information authorized to be accessed remotely is identified. || Document || Example
+|-
+| [c] the execution of the identified privileged commands via remote access is authorized. || Document || Example
+|-
+| [d] access to the identified security-relevant information via remote access is authorized. || Document || Example
 |}
 === AC.L2-3.1.16 – Wireless Access Authorization ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Authorize wireless access prior to allowing such connections.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Authorize wireless access prior to allowing such connections.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] wireless access points are identified. || Document || Example
-: [a] wireless access points are identified; and
-: [b] wireless access is authorized prior to allowing such connections.
 |-
-|[[Practice_AC.L2-3.1.16_Details|More Practice Details...]]
+| [b] wireless access is authorized prior to allowing such connections. || Document || Example
 |}
 === AC.L2-3.1.17 – Wireless Access Protection ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect wireless access using authentication and encryption.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect wireless access using authentication and encryption.
-: [a] wireless access to the system is protected using authentication; and
-: [b] wireless access to the system is protected using encryption.
 |-
-|[[Practice_AC.L2-3.1.17_Details|More Practice Details...]]
+| [a] wireless access to the system is protected using authentication. || Document || Example
+|-
+| [b] wireless access to the system is protected using encryption. || Document || Example
 |}
 === AC.L2-3.1.18 – Mobile Device Connection ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control connection of mobile devices.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control connection of mobile devices.
-: [a] mobile devices that process, store, or transmit CUI are identified;
-: [b] mobile device connections are authorized; and
-: [c] mobile device connections are monitored and logged.
 |-
-|[[Practice_AC.L2-3.1.18_Details|More Practice Details...]]
+| [a] mobile devices that process, store, or transmit CUI are identified. || Document || Example
+|-
+| [b] mobile device connections are authorized. || Document || Example
+|-
+| [c] mobile device connections are monitored and logged. || Document || Example
 |}
 === AC.L2-3.1.19 – Encrypt CUI on Mobile ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Encrypt CUI on mobile devices and mobile computing platforms.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Encrypt CUI on mobile devices and mobile computing platforms.
-: [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
-: [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
 |-
-|[[Practice_AC.L2-3.1.19_Details|More Practice Details...]]
+| [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. || Document || Example
+|-
+| [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. || Document || Example
 |}
 === AC.L2-3.1.20 – External Connections [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Verify and control/limit connections to and use of external information systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Verify and control/limit connections to and use of external information systems.
+|-
+| [a] connections to external systems are identified. || Document || Example
+|-
+| [b] the use of external systems is identified. || Document || Example
+|-
+| [c] connections to external systems are verified. || Document || Example
+|-
+| [d] the use of external systems is verified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [e] connections to external systems are controlled/limited. || Document || Example
-: [a] connections to external systems are identified;
-: [b] the use of external systems is identified;
-: [c] connections to external systems are verified;
-: [d] the use of external systems is verified;
-: [e] connections to external systems are controlled/limited; and
-: [f] the use of external systems is controlled/limited.
 |-
-|[[Practice_AC.L2-3.1.20_Details|More Practice Details...]]
+| [f] the use of external systems is controlled/limited. || Document || Example
 |}
 === AC.L2-3.1.21 – Portable Storage Use ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Limit use of portable storage devices on external systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Limit use of portable storage devices on external systems.
-: [a] the use of portable storage devices containing CUI on external systems is identified and documented;
-: [b] limits on the use of portable storage devices containing CUI on external systems are defined; and
-: [c] the use of portable storage devices containing CUI on external systems is limited as defined.
 |-
-|[[Practice_AC.L2-3.1.21_Details|More Practice Details...]]
+| [a] the use of portable storage devices containing CUI on external systems is identified and documented. || Document || Example
+|-
+| [b] limits on the use of portable storage devices containing CUI on external systems are defined. || Document || Example
+|-
+| [c] the use of portable storage devices containing CUI on external systems is limited as defined. || Document || Example
 |}
 === AC.L2-3.1.22 – Control Public Information [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control information posted or processed on publicly accessible information systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control information posted or processed on publicly accessible information systems.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] individuals authorized to post or process information on publicly accessible systems are identified. || Document || Example
-: [a] individuals authorized to post or process information on publicly accessible systems are identified;
-: [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified;
-: [c] a review process is in place prior to posting of any content to publicly accessible systems;
-: [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI; and
-: [e] mechanisms are in place to remove and address improper posting of CUI.
 |-
-|[[Practice_AC.L2-3.1.22_Details|More Practice Details...]]
+| [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. || Document || Example
+|-
+| [c] a review process is in place prior to posting of any content to publicly accessible systems. || Document || Example
+|-
+| [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI. || Document || Example
+|-
+| [e] mechanisms are in place to remove and address improper posting of CUI. || Document || Example
 |}
@@ Line 309: / Line 351: @@
 === AT.L2-3.2.1 – Role-Based Risk Awareness ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] security risks associated with organizational activities involving CUI are identified. || Document || Example
-: [a] security risks associated with organizational activities involving CUI are identified;
-: [b] policies, standards, and procedures related to the security of the system are identified;
-: [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
-: [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
 |-
-|[[Practice_AT.L2-3.2.1_Details|More Practice Details...]]
+| [b] policies, standards, and procedures related to the security of the system are identified. || Document || Example
+|-
+| [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. || Document || Example
+|-
+| [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. || Document || Example
 |}
 === AT.L2-3.2.2 – Role-Based Training ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
-: [a] information security-related duties, roles, and responsibilities are defined;
-: [b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
-: [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
 |-
-|[[Practice_AT.L2-3.2.2_Details|More Practice Details...]]
+| [a] information security-related duties, roles, and responsibilities are defined. || Document || Example
+|-
+| [b] information security-related duties, roles, and responsibilities are assigned to designated personnel. || Document || Example
+|-
+| [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. || Document || Example
 |}
 === AT.L2-3.2.3 – Insider Threat Awareness ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Provide security awareness training on recognizing and reporting potential indicators of insider threat.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Provide security awareness training on recognizing and reporting potential indicators of insider threat.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] potential indicators associated with insider threats are identified. || Document || Example
-: [a] potential indicators associated with insider threats are identified; and
-: [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
 |-
-|[[Practice_AT.L2-3.2.3_Details|More Practice Details...]]
+| [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. || Document || Example
 |}
@@ Line 349: / Line 397: @@
 === AU.L2-3.3.1 – System Auditing ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
-: [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
-: [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
-: [c] audit records are created (generated);
-: [d] audit records, once created, contain the defined content;
-: [e] retention requirements for audit records are defined; and
-: [f] audit records are retained as defined.
 |-
-|[[Practice_AU.L2-3.3.1_Details|More Practice Details...]]
+| [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. || Document || Example
+|-
+| [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. || Document || Example
+|-
+| [c] audit records are created (generated). || Document || Example
+|-
+| [d] audit records, once created, contain the defined content. || Document || Example
+|-
+| [e] retention requirements for audit records are defined. || Document || Example
+|-
+| [f] audit records are retained as defined. || Document || Example
 |}
 === AU.L2-3.3.2 – User Accountability ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
-: [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
-: [b] audit records, once created, contain the defined content.
 |-
-|[[Practice_AU.L2-3.3.2_Details|More Practice Details...]]
+| [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. || Document || Example
+|-
+| [b] audit records, once created, contain the defined content. || Document || Example
 |}
 === AU.L2-3.3.3 – Event Review ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Review and update logged events.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Review and update logged events.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] a process for determining when to review logged events is defined. || Document || Example
-: [a] a process for determining when to review logged events is defined;
-: [b] event types being logged are reviewed in accordance with the defined review process; and
-: [c] event types being logged are updated based on the review.
 |-
-|[[Practice_AU.L2-3.3.3_Details|More Practice Details...]]
+| [b] event types being logged are reviewed in accordance with the defined review process. || Document || Example
+|-
+| [c] event types being logged are updated based on the review. || Document || Example
 |}
 === AU.L2-3.3.4 – Audit Failure Alerting ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Alert in the event of an audit logging process failure.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Alert in the event of an audit logging process failure.
+|-
+| [a] personnel or roles to be alerted in the event of an audit logging process failure are identified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] types of audit logging process failures for which alert will be generated are defined. || Document || Example
-: [a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
-: [b] types of audit logging process failures for which alert will be generated are defined; and
-: [c] identified personnel or roles are alerted in the event of an audit logging process failure.
 |-
-|[[Practice_AU.L2-3.3.4_Details|More Practice Details...]]
+| [c] identified personnel or roles are alerted in the event of an audit logging process failure. || Document || Example
 |}
 === AU.L2-3.3.5 – Audit Correlation ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. || Document || Example
-: [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
-: [b] defined audit record review, analysis, and reporting processes are correlated.
 |-
-|[[Practice_AU.L2-3.3.5_Details|More Practice Details...]]
+| [b] defined audit record review, analysis, and reporting processes are correlated. || Document || Example
 |}
 === AU.L2-3.3.6 – Reduction & Reporting ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Provide audit record reduction and report generation to support on-demand analysis and reporting.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Provide audit record reduction and report generation to support on-demand analysis and reporting.
-: [a] an audit record reduction capability that supports on-demand analysis is provided; and
-: [b] a report generation capability that supports on-demand reporting is provided.
 |-
-|[[Practice_AU.L2-3.3.6_Details|More Practice Details...]]
+| [a] an audit record reduction capability that supports on-demand analysis is provided. || Document || Example
+|-
+| [b] a report generation capability that supports on-demand reporting is provided. || Document || Example
 |}
 === AU.L2-3.3.7 – Authoritative Time Source ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
+|-
+| [a] internal system clocks are used to generate time stamps for audit records. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] an authoritative source with which to compare and synchronize internal system clocks is specified. || Document || Example
-: [a] internal system clocks are used to generate time stamps for audit records;
-: [b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
-: [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
 |-
-|[[Practice_AU.L2-3.3.7_Details|More Practice Details...]]
+| [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. || Document || Example
 |}
 === AU.L2-3.3.8 – Audit Protection ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
+|-
+| [a] audit information is protected from unauthorized access. || Document || Example
+|-
+| [b] audit information is protected from unauthorized modification. || Document || Example
+|-
+| [c] audit information is protected from unauthorized deletion. || Document || Example
+|-
+| [d] audit logging tools are protected from unauthorized access. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [e] audit logging tools are protected from unauthorized modification. || Document || Example
-: [a] audit information is protected from unauthorized access;
-: [b] audit information is protected from unauthorized modification;
-: [c] audit information is protected from unauthorized deletion;
-: [d] audit logging tools are protected from unauthorized access;
-: [e] audit logging tools are protected from unauthorized modification; and
-: [f] audit logging tools are protected from unauthorized deletion.
 |-
-|[[Practice_AU.L2-3.3.8_Details|More Practice Details...]]
+| [f] audit logging tools are protected from unauthorized deletion. || Document || Example
 |}
 === AU.L2-3.3.9 – Audit Management ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Limit management of audit logging functionality to a subset of privileged users.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Limit management of audit logging functionality to a subset of privileged users.
-: [a] a subset of privileged users granted access to manage audit logging functionality is defined; and
-: [b] management of audit logging functionality is limited to the defined subset of privileged users.
 |-
-|[[Practice_AU.L2-3.3.9_Details|More Practice Details...]]
+| [a] a subset of privileged users granted access to manage audit logging functionality is defined. || Document || Example
+|-
+| [b] management of audit logging functionality is limited to the defined subset of privileged users. || Document || Example
 |}
@@ Line 469: / Line 537: @@
 === CM.L2-3.4.1 – System Baselining ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
+|-
+| [a] a baseline configuration is established. || Document || Example
+|-
+| [b] the baseline configuration includes hardware, software, firmware, and documentation. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. || Document || Example
-: [a] a baseline configuration is established;
-: [b] the baseline configuration includes hardware, software, firmware, and documentation;
-: [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
-: [d] a system inventory is established;
-: [e] the system inventory includes hardware, software, firmware, and documentation; and
-: [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
 |-
-|[[Practice_CM.L2-3.4.1_Details|More Practice Details...]]
+| [d] a system inventory is established. || Document || Example
+|-
+| [e] the system inventory includes hardware, software, firmware, and documentation. || Document || Example
+|-
+| [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle. || Document || Example
 |}
 === CM.L2-3.4.2 – Security Configuration Enforcement ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Establish and enforce security configuration settings for information technology products employed in organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Establish and enforce security configuration settings for information technology products employed in organizational systems.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. || Document || Example
-: [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
-: [b] security configuration settings for information technology products employed in the system are enforced.
 |-
-|[[Practice_CM.L2-3.4.2_Details|More Practice Details...]]
+| [b] security configuration settings for information technology products employed in the system are enforced. || Document || Example
 |}
 === CM.L2-3.4.3 – System Change Management ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Track, review, approve or disapprove, and log changes to organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Track, review, approve or disapprove, and log changes to organizational systems.
-: [a] changes to the system are tracked;
-: [b] changes to the system are reviewed;
-: [c] changes to the system are approved or disapproved; and
-: [d] changes to the system are logged.
 |-
-|[[Practice_CM.L2-3.4.3_Details|More Practice Details...]]
+| [a] changes to the system are tracked. || Document || Example
+|-
+| [b] changes to the system are reviewed. || Document || Example
+|-
+| [c] changes to the system are approved or disapproved. || Document || Example
+|-
+| [d] changes to the system are logged. || Document || Example
 |}
 === CM.L2-3.4.4 – Security Impact Analysis ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Analyze the security impact of changes prior to implementation.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Analyze the security impact of changes prior to implementation.
-: [a] the security impact of changes to the system is analyzed prior to implementation.
 |-
-|[[Practice_CM.L2-3.4.4_Details|More Practice Details...]]
+| [a] the security impact of changes to the system is analyzed prior to implementation. || Document || Example
 |}
 === CM.L2-3.4.5 – Access Restrictions for Change ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
-: [a] physical access restrictions associated with changes to the system are defined;
-: [b] physical access restrictions associated with changes to the system are documented;
-: [c] physical access restrictions associated with changes to the system are approved;
-: [d] physical access restrictions associated with changes to the system are enforced;
-: [e] logical access restrictions associated with changes to the system are defined;
-: [f] logical access restrictions associated with changes to the system are documented;
-: [g] logical access restrictions associated with changes to the system are approved; and
-: [h] logical access restrictions associated with changes to the system are enforced.
 |-
-|[[Practice_CM.L2-3.4.5_Details|More Practice Details...]]
+| [a] physical access restrictions associated with changes to the system are defined. || Document || Example
+|-
+| [b] physical access restrictions associated with changes to the system are documented. || Document || Example
+|-
+| [c] physical access restrictions associated with changes to the system are approved. || Document || Example
+|-
+| [d] physical access restrictions associated with changes to the system are enforced. || Document || Example
+|-
+| [e] logical access restrictions associated with changes to the system are defined. || Document || Example
+|-
+| [f] logical access restrictions associated with changes to the system are documented. || Document || Example
+|-
+| [g] logical access restrictions associated with changes to the system are approved. || Document || Example
+|-
+| [h] logical access restrictions associated with changes to the system are enforced. || Document || Example
 |}
 === CM.L2-3.4.6 – Least Functionality ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
-: [a] essential system capabilities are defined based on the principle of least functionality; and
-: [b] the system is configured to provide only the defined essential capabilities.
 |-
-|[[Practice_CM.L2-3.4.6_Details|More Practice Details...]]
+| [a] essential system capabilities are defined based on the principle of least functionality. || Document || Example
+|-
+| [b] the system is configured to provide only the defined essential capabilities. || Document || Example
 |}
 === CM.L2-3.4.7 – Nonessential Functionality ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
+|-
+| [a] essential programs are defined. || Document || Example
+|-
+| [b] the use of nonessential programs is defined. || Document || Example
+|-
+| [c] the use of nonessential programs is restricted, disabled, or prevented as defined. || Document || Example
+|-
+| [d] essential functions are defined. || Document || Example
+|-
+| [e] the use of nonessential functions is defined. || Document || Example
+|-
+| [f] the use of nonessential functions is restricted, disabled, or prevented as defined. || Document || Example
+|-
+| [g] essential ports are defined. || Document || Example
+|-
+| [h] the use of nonessential ports is defined. || Document || Example
+|-
+| [i] the use of nonessential ports is restricted, disabled, or prevented as defined. || Document || Example
+|-
+| [j] essential protocols are defined. || Document || Example
+|-
+| [k] the use of nonessential protocols is defined. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [l] the use of nonessential protocols is restricted, disabled, or prevented as defined. || Document || Example
-: [a] essential programs are defined;
-: [b] the use of nonessential programs is defined;
-: [c] the use of nonessential programs is restricted, disabled, or prevented as defined;
-: [d] essential functions are defined;
-: [e] the use of nonessential functions is defined;
-: [f] the use of nonessential functions is restricted, disabled, or prevented as defined;
-: [g] essential ports are defined;
-: [h] the use of nonessential ports is defined;
-: [i] the use of nonessential ports is restricted, disabled, or prevented as defined;
-: [j] essential protocols are defined;
-: [k] the use of nonessential protocols is defined;
-: [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
-: [m] essential services are defined;
-: [n] the use of nonessential services is defined; and
-: [o] the use of nonessential services is restricted, disabled, or prevented as defined.
 |-
-|[[Practice_CM.L2-3.4.7_Details|More Practice Details...]]
+| [m] essential services are defined. || Document || Example
+|-
+| [n] the use of nonessential services is defined. || Document || Example
+|-
+| [o] the use of nonessential services is restricted, disabled, or prevented as defined. || Document || Example
 |}
 === CM.L2-3.4.8 – Application Execution Policy ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
+|-
+| [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. || Document || Example
-: [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
-: [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
-: [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
 |-
-|[[Practice_CM.L2-3.4.8_Details|More Practice Details...]]
+| [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. || Document || Example
 |}
 === CM.L2-3.4.9 – User-Installed Software ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control and monitor user-installed software.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control and monitor user-installed software.
-: [a] a policy for controlling the installation of software by users is established;
-: [b] installation of software by users is controlled based on the established policy; and
-: [c] installation of software by users is monitored.
 |-
-|[[Practice_CM.L2-3.4.9_Details|More Practice Details...]]
+| [a] a policy for controlling the installation of software by users is established. || Document || Example
+|-
+| [b] installation of software by users is controlled based on the established policy. || Document || Example
+|-
+| [c] installation of software by users is monitored. || Document || Example
 |}
@@ Line 604: / Line 707: @@
 === IA.L2-3.5.1 – Identification [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Identify information system users, processes acting on behalf of users, or devices.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Identify information system users, processes acting on behalf of users, or devices.
+|-
+| [a] system users are identified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] processes acting on behalf of users are identified. || Document || Example
-: [a] system users are identified;
-: [b] processes acting on behalf of users are identified; and
-: [c] devices accessing the system are identified.
 |-
-|[[Practice_IA.L2-3.5.1_Details|More Practice Details...]]
+| [c] devices accessing the system are identified. || Document || Example
 |}
 === IA.L2-3.5.2 – Authentication [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
-: [a] the identity of each user is authenticated or verified as a prerequisite to system access;
-: [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
-: [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
 |-
-|[[Practice_IA.L2-3.5.2_Details|More Practice Details...]]
+| [a] the identity of each user is authenticated or verified as a prerequisite to system access. || Document || Example
+|-
+| [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. || Document || Example
+|-
+| [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. || Document || Example
 |}
 === IA.L2-3.5.3 – Multifactor Authentication ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
+|-
+| [a] privileged accounts are identified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] multifactor authentication is implemented for local access to privileged accounts. || Document || Example
-: [a] privileged accounts are identified;
-: [b] multifactor authentication is implemented for local access to privileged accounts;
-: [c] multifactor authentication is implemented for network access to privileged accounts; and
-: [d] multifactor authentication is implemented for network access to non-privileged accounts.
 |-
-|[[Practice_IA.L2-3.5.3_Details|More Practice Details...]]
+| [c] multifactor authentication is implemented for network access to privileged accounts. || Document || Example
+|-
+| [d] multifactor authentication is implemented for network access to non-privileged accounts. || Document || Example
 |}
 === IA.L2-3.5.4 – Replay-Resistant Authentication ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
-: [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
 |-
-|[[Practice_IA.L2-3.5.4_Details|More Practice Details...]]
+| [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. || Document || Example
 |}
 === IA.L2-3.5.5 – Identifier Reuse ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prevent reuse of identifiers for a defined period.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prevent reuse of identifiers for a defined period.
-: [a] a period within which identifiers cannot be reused is defined; and
-: [b] reuse of identifiers is prevented within the defined period.
 |-
-|[[Practice_IA.L2-3.5.5_Details|More Practice Details...]]
+| [a] a period within which identifiers cannot be reused is defined. || Document || Example
+|-
+| [b] reuse of identifiers is prevented within the defined period. || Document || Example
 |}
 === IA.L2-3.5.6 – Identifier Handling ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Disable identifiers after a defined period of inactivity.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Disable identifiers after a defined period of inactivity.
-: [a] a period of inactivity after which an identifier is disabled is defined; and
-: [b] identifiers are disabled after the defined period of inactivity.
 |-
-|[[Practice_IA.L2-3.5.6_Details|More Practice Details...]]
+| [a] a period of inactivity after which an identifier is disabled is defined. || Document || Example
+|-
+| [b] identifiers are disabled after the defined period of inactivity. || Document || Example
 |}
 === IA.L2-3.5.7 – Password Complexity ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Enforce a minimum password complexity and change of characters when new passwords are created.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Enforce a minimum password complexity and change of characters when new passwords are created.
+|-
+| [a] password complexity requirements are defined. || Document || Example
+|-
+| [b] password change of character requirements are defined. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [c] minimum password complexity requirements as defined are enforced when new passwords are created. || Document || Example
-: [a] password complexity requirements are defined;
-: [b] password change of character requirements are defined;
-: [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
-: [d] minimum password change of character requirements as defined are enforced when new passwords are created.
 |-
-|[[Practice_IA.L2-3.5.7_Details|More Practice Details...]]
+| [d] minimum password change of character requirements as defined are enforced when new passwords are created. || Document || Example
 |}
 === IA.L2-3.5.8 – Password Reuse ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prohibit password reuse for a specified number of generations.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prohibit password reuse for a specified number of generations.
-: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
 |-
-|[[Practice_IA.L2-3.5.8_Details|More Practice Details...]]
+| [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations. || Document || Example
 |}
 === IA.L2-3.5.9 – Temporary Passwords ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Allow temporary password use for system logons with an immediate change to a permanent password.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Allow temporary password use for system logons with an immediate change to a permanent password.
-: [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
 |-
-|[[Practice_IA.L2-3.5.9_Details|More Practice Details...]]
+| [a] an immediate change to a permanent password is required when a temporary password is used for system logon. || Document || Example
 |}
 === IA.L2-3.5.10 – Cryptographically-Protected Passwords ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Store and transmit only cryptographically-protected passwords.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Store and transmit only cryptographically-protected passwords.
-: [a] passwords are cryptographically protected in storage; and
-: [b] passwords are cryptographically protected in transit.
 |-
-|[[Practice_IA.L2-3.5.10_Details|More Practice Details...]]
+| [a] passwords are cryptographically protected in storage. || Document || Example
+|-
+| [b] passwords are cryptographically protected in transit. || Document || Example
 |}
 === IA.L2-3.5.11 – Obscure Feedback ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Obscure feedback of authentication information.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Obscure feedback of authentication information.
-: [a] authentication information is obscured during the authentication process.
 |-
-|[[Practice_IA.L2-3.5.11_Details|More Practice Details...]]
+| [a] authentication information is obscured during the authentication process. || Document || Example
 |}
@@ Line 739: / Line 855: @@
 === IR.L2-3.6.1 – Incident Handling ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
-: [a] an operational incident-handling capability is established;
-: [b] the operational incident-handling capability includes preparation;
-: [c] the operational incident-handling capability includes detection;
-: [d] the operational incident-handling capability includes analysis;
-: [e] the operational incident-handling capability includes containment;
-: [f] the operational incident-handling capability includes recovery; and
-: [g] the operational incident-handling capability includes user response
 |-
-|[[Practice_IR.L2-3.6.1_Details|More Practice Details...]]
+| [a] an operational incident-handling capability is established. || Document || Example
+|-
+| [b] the operational incident-handling capability includes preparation. || Document || Example
+|-
+| [c] the operational incident-handling capability includes detection. || Document || Example
+|-
+| [d] the operational incident-handling capability includes analysis. || Document || Example
+|-
+| [e] the operational incident-handling capability includes containment. || Document || Example
+|-
+| [f] the operational incident-handling capability includes recovery. || Document || Example
+|-
+| [g] the operational incident-handling capability includes user response. || Document || Example
 |}
 === IR.L2-3.6.2 – Incident Reporting ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] incidents are tracked. || Document || Example
-: [a] incidents are tracked;
-: [b] incidents are documented;
-: [c] authorities to whom incidents are to be reported are identified;
-: [d] organizational officials to whom incidents are to be reported are identified;
-: [e] identified authorities are notified of incidents; and
-: [f] identified organizational officials are notified of incidents.
 |-
-|[[Practice_IR.L2-3.6.2_Details|More Practice Details...]]
+| [b] incidents are documented. || Document || Example
+|-
+| [c] authorities to whom incidents are to be reported are identified. || Document || Example
+|-
+| [d] organizational officials to whom incidents are to be reported are identified. || Document || Example
+|-
+| [e] identified authorities are notified of incidents. || Document || Example
+|-
+| [f] identified organizational officials are notified of incidents. || Document || Example
 |}
 === IR.L2-3.6.3 – Incident Response Testing ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Test the organizational incident response capability.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Test the organizational incident response capability.
-: [a] the incident response capability is tested.
 |-
-|[[Practice_IR.L2-3.6.3_Details|More Practice Details...]]
+| [a] the incident response capability is tested. || Document || Example
 |}
@@ Line 784: / Line 911: @@
 === MA.L2-3.7.1 – Perform Maintenance ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Perform maintenance on organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Perform maintenance on organizational systems.
-: [a] system maintenance is performed.
 |-
-|[[Practice_MA.L2-3.7.1_Details|More Practice Details...]]
+| [a] system maintenance is performed. || Document || Example
 |}
 === MA.L2-3.7.2 – System Maintenance Control ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
-: [a] tools used to conduct system maintenance are controlled;
-: [b] techniques used to conduct system maintenance are controlled;
-: [c] mechanisms used to conduct system maintenance are controlled; and
-: [d] personnel used to conduct system maintenance are controlled.
 |-
-|[[Practice_MA.L2-3.7.2_Details|More Practice Details...]]
+| [a] tools used to conduct system maintenance are controlled. || Document || Example
+|-
+| [b] techniques used to conduct system maintenance are controlled. || Document || Example
+|-
+| [c] mechanisms used to conduct system maintenance are controlled. || Document || Example
+|-
+| [d] personnel used to conduct system maintenance are controlled. || Document || Example
 |}
 === MA.L2-3.7.3 – Equipment Sanitization ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Ensure equipment removed for off-site maintenance is sanitized of any CUI.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Ensure equipment removed for off-site maintenance is sanitized of any CUI.
-: [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
 |-
-|[[Practice_MA.L2-3.7.3_Details|More Practice Details...]]
+| [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. || Document || Example
 |}
 === MA.L2-3.7.4 – Media Inspection ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
-: [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
 |-
-|[[Practice_MA.L2-3.7.4_Details|More Practice Details...]]
+| [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. || Document || Example
 |}
 === MA.L2-3.7.5 – Nonlocal Maintenance ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. || Document || Example
-: [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
-: [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
 |-
-|[[Practice_MA.L2-3.7.5_Details|More Practice Details...]]
+| [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. || Document || Example
 |}
 === MA.L2-3.7.6 – Maintenance Personnel ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Supervise the maintenance activities of maintenance personnel without required access authorization.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Supervise the maintenance activities of maintenance personnel without required access authorization.
-: [a] maintenance personnel without required access authorization are supervised during maintenance activities.
 |-
-|[[Practice_MA.L2-3.7.6_Details|More Practice Details...]]
+| [a] maintenance personnel without required access authorization are supervised during maintenance activities. || Document || Example
 |}
@@ Line 855: / Line 986: @@
 === MP.L2-3.8.1 – Media Protection ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
+|-
+| [a] paper media containing CUI is physically controlled. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] digital media containing CUI is physically controlled. || Document || Example
-: [a] paper media containing CUI is physically controlled;
-: [b] digital media containing CUI is physically controlled;
-: [c] paper media containing CUI is securely stored; and
-: [d] digital media containing CUI is securely stored.
 |-
-|[[Practice_MP.L2-3.8.1_Details|More Practice Details...]]
+| [c] paper media containing CUI is securely stored. || Document || Example
+|-
+| [d] digital media containing CUI is securely stored. || Document || Example
 |}
 === MP.L2-3.8.2 – Media Access ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Limit access to CUI on system media to authorized users.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Limit access to CUI on system media to authorized users.
-: [a] access to CUI on system media is limited to authorized users.
 |-
-|[[Practice_MP.L2-3.8.2_Details|More Practice Details...]]
+| [a] access to CUI on system media is limited to authorized users. || Document || Example
 |}
 === MP.L2-3.8.3 – Media Disposal [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] system media containing CUI is sanitized or destroyed before disposal. || Document || Example
-: [a] system media containing CUI is sanitized or destroyed before disposal; and
-: [b] system media containing CUI is sanitized before it is released for reuse.
 |-
-|[[Practice_MP.L2-3.8.3_Details|More Practice Details...]]
+| [b] system media containing CUI is sanitized before it is released for reuse. || Document || Example
 |}
 === MP.L2-3.8.4 – Media Markings ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Mark media with necessary CUI markings and distribution limitations.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Mark media with necessary CUI markings and distribution limitations.
-: [a] media containing CUI is marked with applicable CUI markings; and
-: [b] media containing CUI is marked with distribution limitations.
 |-
-|[[Practice_MP.L2-3.8.4_Details|More Practice Details...]]
+| [a] media containing CUI is marked with applicable CUI markings. || Document || Example
+|-
+| [b] media containing CUI is marked with distribution limitations. || Document || Example
 |}
 === MP.L2-3.8.5 – Media Accountability ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
-: [a] access to media containing CUI is controlled; and
-: [b] accountability for media containing CUI is maintained during transport outside of controlled areas.
 |-
-|[[Practice_MP.L2-3.8.5_Details|More Practice Details...]]
+| [a] access to media containing CUI is controlled. || Document || Example
+|-
+| [b] accountability for media containing CUI is maintained during transport outside of controlled areas. || Document || Example
 |}
 === MP.L2-3.8.6 – Portable Storage Encryption ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
-: [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
 |-
-|[[Practice_MP.L2-3.8.6_Details|More Practice Details...]]
+| [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. || Document || Example
 |}
 === MP.L2-3.8.7 – Removable Media ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control the use of removable media on system components.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control the use of removable media on system components.
-: [a] the use of removable media on system components is controlled.
 |-
-|[[Practice_MP.L2-3.8.7_Details|More Practice Details...]]
+| [a] the use of removable media on system components is controlled. || Document || Example
 |}
 === MP.L2-3.8.8 – Shared Media ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES'''
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES'''
-: [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
 |-
-|[[Practice_MP.L2-3.8.8_Details|More Practice Details...]]
+| [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. || Document || Example
 |}
 === MP.L2-3.8.9 – Protect Backups ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect the confidentiality of backup CUI at storage locations.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect the confidentiality of backup CUI at storage locations.
-: [a] the confidentiality of backup CUI is protected at storage locations.
 |-
-|[[Practice_MP.L2-3.8.9_Details|More Practice Details...]]
+| [a] the confidentiality of backup CUI is protected at storage locations. || Document || Example
 |}
@@ Line 961: / Line 1,098: @@
 === PS.L2-3.9.1 – Screen Individuals ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Screen individuals prior to authorizing access to organizational systems containing CUI.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Screen individuals prior to authorizing access to organizational systems containing CUI.
-: [a] individuals are screened prior to authorizing access to organizational systems containing CUI.
 |-
-|[[Practice_PS.L2-3.9.1_Details|More Practice Details...]]
+| [a] individuals are screened prior to authorizing access to organizational systems containing CUI. || Document || Example
 |}
 === PS.L2-3.9.2 – Personnel Actions ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
+|-
+| [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer. || Document || Example
-: [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
-: [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
-: [c] the system is protected during and after personnel transfer actions.
 |-
-|[[Practice_PS.L2-3.9.2_Details|More Practice Details...]]
+| [c] the system is protected during and after personnel transfer actions. || Document || Example
 |}
@@ Line 986: / Line 1,125: @@
 === PE.L2-3.10.1 – Limit Physical Access [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
-: [a] authorized individuals allowed physical access are identified;
-: [b] physical access to organizational systems is limited to authorized individuals;
-: [c] physical access to equipment is limited to authorized individuals; and
-: [d] physical access to operating environments is limited to authorized.
 |-
-|[[Practice_PE.L2-3.10.1_Details|More Practice Details...]]
+| [a] authorized individuals allowed physical access are identified. || Document || Example
+|-
+| [b] physical access to organizational systems is limited to authorized individuals. || Document || Example
+|-
+| [c] physical access to equipment is limited to authorized individuals. || Document || Example
+|-
+| [d] physical access to operating environments is limited to authorized. || Document || Example
 |}
 === PE.L2-3.10.2 – Monitor Facility ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect and monitor the physical facility and support infrastructure for organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect and monitor the physical facility and support infrastructure for organizational systems.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] the physical facility where organizational systems reside is protected. || Document || Example
-: [a] the physical facility where organizational systems reside is protected;
-: [b] the support infrastructure for organizational systems is protected;
-: [c] the physical facility where organizational systems reside is monitored; and
-: [d] the support infrastructure for organizational systems is monitored.
 |-
-|[[Practice_PE.L2-3.10.2_Details|More Practice Details...]]
+| [b] the support infrastructure for organizational systems is protected. || Document || Example
+|-
+| [c] the physical facility where organizational systems reside is monitored. || Document || Example
+|-
+| [d] the support infrastructure for organizational systems is monitored. || Document || Example
 |}
 === PE.L2-3.10.3 – Escort Visitors [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Escort visitors and monitor visitor activity.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Escort visitors and monitor visitor activity.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] visitors are escorted. || Document || Example
-: [a] visitors are escorted; and
-: [b] visitor activity is monitored.
 |-
-|[[Practice_PE.L2-3.10.3_Details|More Practice Details...]]
+| [b] visitor activity is monitored. || Document || Example
 |}
 === PE.L2-3.10.4 – Physical Access Logs [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Maintain audit logs of physical access.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Maintain audit logs of physical access.
-: [a] audit logs of physical access are maintained.
 |-
-|[[Practice_PE.L2-3.10.4_Details|More Practice Details...]]
+| [a] audit logs of physical access are maintained. || Document || Example
 |}
 === PE.L2-3.10.5 – Manage Physical Access [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control and manage physical access devices.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control and manage physical access devices.
-: [a] physical access devices are identified;
-: [b] physical access devices are controlled; and
-: [c] physical access devices are managed.
 |-
-|[[Practice_PE.L2-3.10.5_Details|More Practice Details...]]
+| [a] physical access devices are identified. || Document || Example
+|-
+| [b] physical access devices are controlled. || Document || Example
+|-
+| [c] physical access devices are managed. || Document || Example
 |}
 === PE.L2-3.10.6 – Alternative Work Sites ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Enforce safeguarding measures for CUI at alternate work sites.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Enforce safeguarding measures for CUI at alternate work sites.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] safeguarding measures for CUI are defined for alternate work sites. || Document || Example
-: [a] safeguarding measures for CUI are defined for alternate work sites; and
-: [b] safeguarding measures for CUI are enforced for alternate work sites.
 |-
-|[[Practice_PE.L2-3.10.6_Details|More Practice Details...]]
+| [b] safeguarding measures for CUI are enforced for alternate work sites. || Document || Example
 |}
@@ Line 1,063: / Line 1,212: @@
 === RA.L2-3.11.1 – Risk Assessments ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
-: [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
-: [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
 |-
-|[[Practice_RA.L2-3.11.1_Details|More Practice Details...]]
+| [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. || Document || Example
+|-
+| [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. || Document || Example
 |}
 === RA.L2-3.11.2 – Vulnerability Scan ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
-: [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
-: [b] vulnerability scans are performed on organizational systems with the defined frequency;
-: [c] vulnerability scans are performed on applications with the defined frequency;
-: [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
-: [e] vulnerability scans are performed on applications when new vulnerabilities are
-identified.
 |-
-|[[Practice_RA.L2-3.11.2_Details|More Practice Details...]]
+| [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined. || Document || Example
+|-
+| [b] vulnerability scans are performed on organizational systems with the defined frequency. || Document || Example
+|-
+| [c] vulnerability scans are performed on applications with the defined frequency. || Document || Example
+|-
+| [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified. || Document || Example
+|-
+| [e] vulnerability scans are performed on applications when new vulnerabilities are
+identified. || Document || Example
 |}
 === RA.L2-3.11.3 – Vulnerability Remediation ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Remediate vulnerabilities in accordance with risk assessments.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Remediate vulnerabilities in accordance with risk assessments.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] vulnerabilities are identified. || Document || Example
-: [a] vulnerabilities are identified; and
-: [b] vulnerabilities are remediated in accordance with risk assessments.
 |-
-|[[Practice_RA.L2-3.11.3_Details|More Practice Details...]]
+| [b] vulnerabilities are remediated in accordance with risk assessments. || Document || Example
 |}
@@ Line 1,104: / Line 1,259: @@
 === CA.L2-3.12.1 – Security Control Assessment ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
-: [a] the frequency of security control assessments is defined; and
-: [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
 |-
-|[[Practice_CA.L2-3.12.1_Details|More Practice Details...]]
+| [a] the frequency of security control assessments is defined. || Document || Example
+|-
+| [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application. || Document || Example
 |}
 === CA.L2-3.12.2 – Operational Plan of Action ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
-: [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
-: [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
-: [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
 |-
-|[[Practice_CA.L2-3.12.2_Details|More Practice Details...]]
+| [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified. || Document || Example
+|-
+| [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. || Document || Example
+|-
+| [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. || Document || Example
 |}
 === CA.L2-3.12.3 – Security Control Monitoring ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
-: [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
 |-
-|[[Practice_CA.L2-3.12.3_Details|More Practice Details...]]
+| [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. || Document || Example
 |}
 === CA.L2-3.12.4 – System Security Plan ====
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
-: [a] a system security plan is developed;
-: [b] the system boundary is described and documented in the system security plan;
-: [c] the system environment of operation is described and documented in the system security plan;
-: [d] the security requirements identified and approved by the designated authority as non-applicable are identified;
-: [e] the method of security requirement implementation is described and documented in the system security plan;
-: [f] the relationship with or connection to other systems is described and documented in the system security plan;
-: [g] the frequency to update the system security plan is defined; and
-: [h] system security plan is updated with the defined frequency.
 |-
-|[[Practice_CA.L2-3.12.4_Details|More Practice Details...]]
+| [a] a system security plan is developed. || Document || Example
+|-
+| [b] the system boundary is described and documented in the system security plan. || Document || Example
+|-
+| [c] the system environment of operation is described and documented in the system security plan. || Document || Example
+|-
+| [d] the security requirements identified and approved by the designated authority as non-applicable are identified. || Document || Example
+|-
+| [e] the method of security requirement implementation is described and documented in the system security plan. || Document || Example
+|-
+| [f] the relationship with or connection to other systems is described and documented in the system security plan. || Document || Example
+|-
+| [g] the frequency to update the system security plan is defined. || Document || Example
+|-
+| [h] system security plan is updated with the defined frequency. || Document || Example
 |}
@@ Line 1,159: / Line 1,324: @@
 === SC.L2-3.13.1 – Boundary Protection [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
+|-
+| [a] the external system boundary is defined. || Document || Example
+|-
+| [b] key internal system boundaries are defined. || Document || Example
+|-
+| [c] communications are monitored at the external system boundary. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [d] communications are monitored at key internal boundaries. || Document || Example
-: [a] the external system boundary is defined;
-: [b] key internal system boundaries are defined;
-: [c] communications are monitored at the external system boundary;
-: [d] communications are monitored at key internal boundaries;
-: [e] communications are controlled at the external system boundary;
-: [f] communications are controlled at key internal boundaries;
-: [g] communications are protected at the external system boundary; and
-: [h] communications are protected at key internal boundaries.
 |-
-|[[Practice_SC.L2-3.13.1_Details|More Practice Details...]]
+| [e] communications are controlled at the external system boundary. || Document || Example
+|-
+| [f] communications are controlled at key internal boundaries. || Document || Example
+|-
+| [g] communications are protected at the external system boundary. || Document || Example
+|-
+| [h] communications are protected at key internal boundaries. || Document || Example
 |}
 === SC.L2-3.13.2 – Security Engineering ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
+|-
+| [a] architectural designs that promote effective information security are identified. || Document || Example
+|-
+| [b] software development techniques that promote effective information security are identified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [c] systems engineering principles that promote effective information security are identified. || Document || Example
-: [a] architectural designs that promote effective information security are identified;
-: [b] software development techniques that promote effective information security are identified;
-: [c] systems engineering principles that promote effective information security are identified;
-: [d] identified architectural designs that promote effective information security are employed;
-: [e] identified software development techniques that promote effective information security are employed; and
-: [f] identified systems engineering principles that promote effective information security are employed.
 |-
-|[[Practice_SC.L2-3.13.2_Details|More Practice Details...]]
+| [d] identified architectural designs that promote effective information security are employed. || Document || Example
+|-
+| [e] identified software development techniques that promote effective information security are employed. || Document || Example
+|-
+| [f] identified systems engineering principles that promote effective information security are employed. || Document || Example
 |}
 === SC.L2-3.13.3 – Role Separation ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Separate user functionality from system management functionality.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Separate user functionality from system management functionality.
+|-
+| [a] user functionality is identified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] system management functionality is identified. || Document || Example
-: [a] user functionality is identified;
-: [b] system management functionality is identified; and
-: [c] user functionality is separated from system management functionality.
 |-
-|[[Practice_SC.L2-3.13.3_Details|More Practice Details...]]
+| [c] user functionality is separated from system management functionality. || Document || Example
 |}
 === SC.L2-3.13.4 – Shared Resource Control ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prevent unauthorized and unintended information transfer via shared system resources.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prevent unauthorized and unintended information transfer via shared system resources.
-: [a] unauthorized and unintended information transfer via shared system resources is
-prevented.
 |-
-|[[Practice_SC.L2-3.13.4_Details|More Practice Details...]]
+| [a] unauthorized and unintended information transfer via shared system resources is prevented. || Document || Example
 |}
 ===  SC.L2-3.13.5 – Public-Access System Separation [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
-: [a] publicly accessible system components are identified; and
-: [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
 |-
-|[[Practice_SC.L2-3.13.5_Details|More Practice Details...]]
+| [a] publicly accessible system components are identified. || Document || Example
+|-
+| [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. || Document || Example
 |}
 === SC.L2-3.13.6 – Network Communication by Exception ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] network communications traffic is denied by default. || Document || Example
-: [a] network communications traffic is denied by default; and
-: [b] network communications traffic is allowed by exception.
 |-
-|[[Practice_SC.L2-3.13.6_Details|More Practice Details...]]
+| [b] network communications traffic is allowed by exception. || Document || Example
 |}
 === SC.L2-3.13.7 – Split Tunneling ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
-: [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
 |-
-|[[Practice_SC.L2-3.13.7_Details|More Practice Details...]]
+| [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). || Document || Example
 |}
 === SC.L2-3.13.8 – Data in Transit ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. || Document || Example
-: [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
-: [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
-: [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
 |-
-|[[Practice_SC.L2-3.13.8_Details|More Practice Details...]]
+| [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. || Document || Example
+|-
+| [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. || Document || Example
 |}
 === SC.L2-3.13.9 – Connections Termination ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
-: [a] a period of inactivity to terminate network connections associated with communications sessions is defined;
-: [b] network connections associated with communications sessions are terminated at the end of the sessions; and
-: [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
 |-
-|[[Practice_SC.L2-3.13.9_Details|More Practice Details...]]
+| [a] a period of inactivity to terminate network connections associated with communications sessions is defined. || Document || Example
+|-
+| [b] network connections associated with communications sessions are terminated at the end of the sessions. || Document || Example
+|-
+| [c] network connections associated with communications sessions are terminated after the defined period of inactivity. || Document || Example
 |}
 === SC.L2-3.13.10 – Key Management ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Establish and manage cryptographic keys for cryptography employed in organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Establish and manage cryptographic keys for cryptography employed in organizational systems.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] cryptographic keys are established whenever cryptography is employed. || Document || Example
-: [a] cryptographic keys are established whenever cryptography is employed; and
-: [b] cryptographic keys are managed whenever cryptography is employed.
 |-
-|[[Practice_SC.L2-3.13.10_Details|More Practice Details...]]
+| [b] cryptographic keys are managed whenever cryptography is employed. || Document || Example
 |}
 === SC.L2-3.13.11 – CUI Encryption ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
-: [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
 |-
-|[[Practice_SC.L2-3.13.11_Details|More Practice Details...]]
+| [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI. || Document || Example
 |}
 === SC.L2-3.13.12 – Collaborative Device Control ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
+|-
+| [a] collaborative computing devices are identified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] collaborative computing devices provide indication to users of devices in use. || Document || Example
-: [a] collaborative computing devices are identified;
-: [b] collaborative computing devices provide indication to users of devices in use; and
-: [c] remote activation of collaborative computing devices is prohibited.
 |-
-|[[Practice_SC.L2-3.13.12_Details|More Practice Details...]]
+| [c] remote activation of collaborative computing devices is prohibited. || Document || Example
 |}
 === SC.L2-3.13.13 – Mobile Code ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control and monitor the use of mobile code.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control and monitor the use of mobile code.
-: [a] use of mobile code is controlled; and
-: [b] use of mobile code is monitored.
 |-
-|[[Practice_SC.L2-3.13.13_Details|More Practice Details...]]
+| [a] use of mobile code is controlled. || Document || Example
+|-
+| [b] use of mobile code is monitored. || Document || Example
 |}
 === SC.L2-3.13.14 – Voice over Internet Protocol ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] use of Voice over Internet Protocol (VoIP) technologies is controlled. || Document || Example
-: [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
-: [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
 |-
-|[[Practice_SC.L2-3.13.14_Details|More Practice Details...]]
+| [b] use of Voice over Internet Protocol (VoIP) technologies is monitored. || Document || Example
 |}
 === SC.L2-3.13.15 – Communications Authenticity ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect the authenticity of communications sessions.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect the authenticity of communications sessions.
-: [a] the authenticity of communications sessions is protected.
 |-
-|[[Practice_SC.L2-3.13.15_Details|More Practice Details...]]
+| [a] the authenticity of communications sessions is protected. || Document || Example
 |}
 === SC.L2-3.13.16 – Data at Rest ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Protect the confidentiality of CUI at rest.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Protect the confidentiality of CUI at rest.
-: [a] the confidentiality of CUI at rest is protected.
 |-
-|[[Practice_SC.L2-3.13.16_Details|More Practice Details...]]
+| [a] the confidentiality of CUI at rest is protected. || Document || Example
 |}
@@ Line 1,362: / Line 1,551: @@
 === SI.L2-3.14.1 – Flaw Remediation [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Identify, report, and correct information and information system flaws in a timely manner.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Identify, report, and correct information and information system flaws in a timely manner.
+|-
+| [a] the time within which to identify system flaws is specified. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] system flaws are identified within the specified time frame. || Document || Example
-: [a] the time within which to identify system flaws is specified;
-: [b] system flaws are identified within the specified time frame;
-: [c] the time within which to report system flaws is specified;
-: [d] system flaws are reported within the specified time frame;
-: [e] the time within which to correct system flaws is specified; and
-: [f] system flaws are corrected within the specified time frame.
 |-
-|[[Practice_SI.L2-3.14.1_Details|More Practice Details...]]
+| [c] the time within which to report system flaws is specified. || Document || Example
+|-
+| [d] system flaws are reported within the specified time frame. || Document || Example
+|-
+| [e] the time within which to correct system flaws is specified. || Document || Example
+|-
+| [f] system flaws are corrected within the specified time frame. || Document || Example
 |}
 === SI.L2-3.14.2 – Malicious Code ProTection [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Provide protection from malicious code at appropriate locations within organizational information systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Provide protection from malicious code at appropriate locations within organizational information systems.
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [a] designated locations for malicious code protection are identified. || Document || Example
-: [a] designated locations for malicious code protection are identified; and
-: [b] protection from malicious code at designated locations is provided.
 |-
-|[[Practice_SI.L2-3.14.2_Details|More Practice Details...]]
+| [b] protection from malicious code at designated locations is provided. || Document || Example
 |}
 === SI.L2-3.14.3 – Security Alerts & Advisories ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Monitor system security alerts and advisories and take action in response.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Monitor system security alerts and advisories and take action in response.
-: [a] response actions to system security alerts and advisories are identified;
-: [b] system security alerts and advisories are monitored; and
-: [c] actions in response to system security alerts and advisories are taken.
 |-
-|[[Practice_SI.L2-3.14.3_Details|More Practice Details...]]
+| [a] response actions to system security alerts and advisories are identified. || Document || Example
+|-
+| [b] system security alerts and advisories are monitored. || Document || Example
+|-
+| [c] actions in response to system security alerts and advisories are taken. || Document || Example
 |}
 === SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Update malicious code protection mechanisms when new releases are available.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Update malicious code protection mechanisms when new releases are available.
-: [a] malicious code protection mechanisms are updated when new releases are available.
 |-
-|[[Practice_SI.L2-3.14.4_Details|More Practice Details...]]
+| [a] malicious code protection mechanisms are updated when new releases are available. || Document || Example
 |}
 === SI.L2-3.14.5 – System & File Scanning [CUI Data] ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
-: [a] the frequency for malicious code scans is defined;
-: [b] malicious code scans are performed with the defined frequency; and
-: [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
 |-
-|[[Practice_SI.L2-3.14.5_Details|More Practice Details...]]
+| [a] the frequency for malicious code scans is defined. || Document || Example
+|-
+| [b] malicious code scans are performed with the defined frequency. || Document || Example
+|-
+| [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. || Document || Example
 |}
 === SI.L2-3.14.6 – Monitor Communications for Attacks ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
+|-
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
+|-
+| [a] the system is monitored to detect attacks and indicators of potential attacks. || Document || Example
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks. || Document || Example
-: [a] the system is monitored to detect attacks and indicators of potential attacks;
-: [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
-: [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
 |-
-|[[Practice_SI.L2-3.14.6_Details|More Practice Details...]]
+| [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks. || Document || Example
 |}
 === SI.L2-3.14.7 – Identify Unauthorized Use ===
 {|class="wikitable"
-|'''SECURITY REQUIREMENT'''
+! style="width: 35%"| '''Assessment Objectives'''
-Identify unauthorized use of organizational systems.
+! style="width: 15%"| '''Collection Approach'''
+! style="width: 50%"| '''Evidence Examples'''
 |-
-|'''ASSESSMENT OBJECTIVES'''
+| colspan="3" | [[Practice_AC.L2-3.x.1_Details|'''AC.L2-3.x.1''']] Identify unauthorized use of organizational systems.
-: [a] authorized use of the system is defined; and
-: [b] unauthorized use of the system is identified.
 |-
-|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
+| [a] authorized use of the system is defined. || Document || Example
+|-
+| [b] unauthorized use of the system is identified. || Document || Example
 |}
-AC.L1-3.1.1 Limit information system access to authorized users, processes acting on
-behalf of authorized users, or devices (including other information systems).
-[c] devices (and other systems) authorized to connect to the
-Document
-system are identified.
-[e] system access is limited to processes acting on behalf of
-Screen Share
-authorized users.
-[f] system access is limited to authorized devices (including other
-Screen Share
-systems).
-[a] information flow control policies are defined. Document
-  |  Certified CMMC Assessor (CCA)
-[d] authorizations for controlling the flow of CUI are defined. Document
-AC.L1-3.1.2 Limit information system access to the types of transactions and functions
-that authorized users are permitted to execute.
-[a] the types of transactions and functions that authorized users
-Document
-[a] the duties of individuals requiring separation are defined. Document
-are permitted to execute are defined.
-[b] system access is limited to the defined types of transactions
-Screen Share
-and functions for authorized users.
-Additional: HR policy or procedure discussing account creation
-Document
-process.
-AC.L3-3.1.3 Control the flow of CUI in accordance with approved authorizations. [a] privileged accounts are identified. Document
-[b] methods and enforcement mechanisms for controlling the
-Document
-flow of CUI are defined.
-[c] designated sources and destinations (e.g., networks,
-Artifact
-[c] security functions are identified. Document
-individuals, and devices) for CUI within the system and between interconnected systems are identified.
-[e] approved authorizations for controlling the flow of CUI are
-Screen Share
-enforced.
-AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity
-without collusion.
-[b] responsibilities for duties that require separation are assigned
-Screen Share
-to separate individuals.
-[c] access privileges that enable individuals to exercise the duties
-Screen Share
-that require separation are granted to separate individuals.
-AC.L2-3.1.5 Employ the principle of least privilege, including for specific security
-functions and privileged accounts.
-[b] access to privileged accounts is authorized in accordance
-Artifact
-with the principle of least privilege.
-[d] access to security functions is authorized in accordance with
-Artifact
-the principle of least privilege.
-Additional: Policy or procedure showing the separation of duties
-Document
-for general users and admin users.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] nonsecurity functions are identified. Document [a] privileged functions are defined. Document [b] non-privileged users are defined. Document
-CertifiedCMMCAssessor(CCA)  |
-AC.L2-3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
-[b] users are required to use non-privileged accounts or roles
-Screen Share
-when accessing nonsecurity functions.
-[b] privacy and security notices are displayed. Artifact
-AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
-[c] non-privileged users are prevented from executing privileged
-Screen Share
-functions.
-[d] the execution of privileged functions is captured in audit
-Screen Share
-logs.
-AC.L2-3.1.8 Limit unsuccessful logon attempts.
-[a] the means of limiting unsuccessful logon attempts are
-Document
-defined.
-[a] conditions requiring a user session to terminate are defined. Document
-[b] the defined means of limiting unsuccessful logon attempts is
-Artifact
-implemented.
-AC.L2-3.1.9 Provide privacy and security notices consistent with applicable CUI rules. [a] privacy and security notices required by CUI-specified rules
-Document
-are identified, consistent, and associated with the specific CUI
-category.
-AC.L2-3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
-[a] the period of inactivity after which the system initiates a
-Document
-session lock is defined.
-[b] access to the system and viewing of data is prevented by
-Artifact
-initiating a session lock after the defined period of inactivity.
-[c] previously visible information is concealed via a pattern
-Document
-hiding display after the defined period of inactivity.
-AC.L2-3.1.11 Terminate (automatically) a user session after a defined condition.
-[b] a user session is automatically terminated after any of the
-Screen Share
-defined conditions occur.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[a] remote access sessions are permitted. Document [b] the types of permitted remote access are identified. Document [c] remote access sessions are controlled. Screen Share
-[d] remote access sessions are monitored. Screen Share
-Additional: Policy or procedure for setting up remote access. Document
-  |  Certified CMMC Assessor (CCA)
-AC.L2-3.1.12 Monitor and control remote access sessions.
-AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote
-access sessions.
-[a] cryptographic mechanisms to protect the confidentiality of
-Document
-remote access sessions are identified.
-[b] cryptographic mechanisms to protect the confidentiality of
-Screen Share
-remote access sessions are implemented.
-[a] wireless access points are identified. Document
-AC.L2-3.1.14 Route remote access via managed access control points.
-[a] managed access control points are identified and
-Screen Share
-implemented.
-[b] remote access is routed through managed network access
-Screen Share
-control points.
-AC.L2-3.1.15 Authorize remote execution of privileged commands and remote access to
-security-relevant information.
-[a] privileged commands authorized for remote execution are
-Document
-identified.
-[b] security-relevant information authorized to be accessed
-Document
-remotely is identified.
-[c] the execution of the identified privileged commands via
-Artifact
-remote access is authorized.
-[d] access to the identified security-relevant information via
-Artifact
-remote access is authorized.
-AC.L2-3.1.16 Authorize wireless access prior to allowing such connections.
-[b] wireless access is authorized prior to allowing such
-Screen Share
-connections.
-AC.L2-3.1.17 Protect wireless access using authentication and encryption.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[b] wireless access to the system is protected using encryption. Screen Share [b] mobile device connections are authorized. Artifact
-[c] mobile device connections are monitored and logged. Screen Share
-CertifiedCMMCAssessor(CCA)  |
-[a] connections to external systems are identified. Document
-[a] wireless access to the system is protected using
-Screen Share
-[b] the use of external systems is identified. Document
-authentication.
-[c] connections to external systems are verified. Artifact
-[d] the use of external systems is verified. Artifact
-[e] connections to external systems are controlled/limited. Screen Share
-AC.L2-3.1.18 Control connection of mobile devices.
-[f] the use of external systems is controlled/limited. Screen Share
-[a] mobile devices that process, store, or transmit CUI are
-Document
-identified.
-AC.L2-3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
-[a] mobile devices and mobile computing platforms that process,
-Document
-store, or transmit CUI are identified.
-[b] encryption is employed to protect CUI on identified mobile
-Screen Share
-devices and mobile computing platforms.
-AC.L1-3.1.20 Verify and control/limit connections to and use of external information systems.
-AC.L2-3.1.21 Limit use of portable storage devices on external systems.
-[a] the use of portable storage devices containing CUI on
-Document
-external systems is identified and documented.
-[b] limits on the use of portable storage devices containing CUI
-Document
-on external systems are defined.
-[c] the use of portable storage devices containing CUI on
-Document
-external systems is limited as defined.
-AC.L1-3.1.22 Control information posted or processed on publicly accessible information systems.
-[a] individuals authorized to post or process information on
-Document
-publicly accessible systems are identified.
-[b] procedures to ensure FCI is not posted or processed on
-Document
-publicly accessible systems are identified.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-  |  Certified CMMC Assessor (CCA)
-[c] a review process is in place prior to posting of any content to
-Artifact
-publicly accessible systems.
-[d] content on publicly accessible systems is reviewed to ensure
-Artifact
-that it does not include FCI.
-[e] mechanisms are in place to remove and address improper
-Artifact
-posting of FCI.
-AT.L2-3.2.1 Ensure that managers, systems administrators, and users of organizational systems
-are made aware of the security risks associated with their activities and of the applicable policies,
-standards, and procedures related to the security of those systems.
-[a] security risks associated with organizational activities involving
-Document
-CUI are identified.
-[a] potential indicators associated with insider threats are identified. Document
-[b] policies, standards, and procedures related to the security of the
-Document
-system are identified.
-[c] managers, systems administrators, and users of the system are
-Artifact
-made aware of the security risks associated with their activities.
-[d] managers, systems administrators, and users of the system are
-Artifact
-made aware of the applicable policies, standards, and procedures
-related to the security of the system.
-AT.L2-3.2.2 Ensure that personnel are trained to carry out their assigned information security
-related duties and responsibilities.
-[a] information security-related duties, roles, and responsibilities are
-Document
-defined.
-[b] information security-related duties, roles, and responsibilities are
-Artifact
-assigned to designated personnel.
-[c] personnel are adequately trained to carry out their assigned
-Artifact
-information security-related duties, roles, and responsibilities.
-AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators
-of insider threat.
-[b] security awareness training on recognizing and reporting potential
-Artifact
-indicators of insider threat is provided to managers and employees.
-AU.L2-3.3.1 Create and retain system audit logs and records to the extent needed to enable the
-monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[c] audit records are created (generated). Screen Share [d] audit records, once created, contain the defined content. Screen Share [e] retention requirements for audit records are defined. Document [f] audit records are retained as defined. Screen Share [b] audit records, once created, contain the defined content. Screen Share
-CertifiedCMMCAssessor(CCA)  |
-[a] a process for determining when to review logged events is defined. Document
-[a] audit logs needed (i.e., event types to be logged) to enable the
-Document
-monitoring, analysis, investigation, and reporting of unlawful or
-unauthorized system activity are specified.
-[c] event types being logged are updated based on the review. Artifact
-[b] the content of audit records needed to support monitoring,
-Document
-analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.
-AU.L2-3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
-[a] the content of the audit records needed to support the ability to
-Document
-uniquely trace users to their actions is defined.
-AU.L2-3.3.3 Review and update logged events.
-[b] event types being logged are reviewed in accordance with the
-Artifact
-defined review process.
-AU.L2-3.3.4 Alert in the event of an audit logging process failure.
-[a] personnel or roles to be alerted in the event of an audit logging
-Document
-process failure are identified.
-[b] types of audit logging process failures for which alert will be
-Document
-generated are defined.
-[c] identified personnel or roles are alerted in the event of an audit
-Artifact
-logging process failure.
-AU.L2-3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and
-response to indications of unlawful, unauthorized, suspicious, or unusual activity.
-[a] audit record review, analysis, and reporting processes for
-Document
-investigation and response to indications of unlawful, unauthorized,
-suspicious, or unusual activity are defined.
-[b] defined audit record review, analysis, and reporting processes are
-Artifact
-correlated.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-  |  Certified CMMC Assessor (CCA)
-[a] audit information is protected from unauthorized access. Screen Share
-AU.L2-3.3.6 Provide audit record reduction and report generation to support on-demand analysis
-[b] audit information is protected from unauthorized modification. Screen Share
-and reporting.
-[c] audit information is protected from unauthorized deletion. Screen Share
-[a] an audit record reduction capability that supports on-demand
-Screen Share
-[d] audit logging tools are protected from unauthorized access. Screen Share
-analysis is provided.
-[e] audit logging tools are protected from unauthorized modification. Screen Share
-[b] a report generation capability that supports on-demand reporting is
-Screen Share
-provided.
-[f] audit logging tools are protected from unauthorized deletion. Screen Share
-AU.L2-3.3.7 Provide a system capability that compares and synchronizes internal system clocks
-with an authoritative source to generate time stamps for audit records.
-[a] internal system clocks are used to generate time stamps for audit
-Screen Share
-records.
-[b] an authoritative source with which to compare and synchronize
-Document
-internal system clocks is specified.
-[c] internal system clocks used to generate time stamps for audit
-Screen Share
-records are compared to and synchronized with the specified
-authoritative time source.
-AU.L2-3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
-[a] a baseline configuration is established. Document
-AU.L2-3.3.9 Limit management of audit logging functionality to a subset of privileged users.
-[a] a subset of privileged users granted access to manage audit logging
-Document
-functionality is defined.
-[b] management of audit logging functionality is limited to the defined
-Screen Share
-subset of privileged users.
-CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational
-systems (including hardware, software, firmware, and documentation) throughout the respective
-system development life cycles.
-[b] the baseline configuration includes hardware, software, firmware,
-Artifact
-and documentation.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[d] a system inventory is established. Document
-CertifiedCMMCAssessor(CCA)  |
-[a] changes to the system are tracked. Artifact [b] changes to the system are reviewed. Artifact [c] changes to the system are approved or disapproved. Artifact
-[c] the baseline configuration is maintained (reviewed and updated)
-Artifact
-throughout the system development life cycle.
-[d] changes to the system are logged. Artifact
-[e] the system inventory includes hardware, software, firmware, and
-Artifact
-documentation.
-[f] the inventory is maintained (reviewed and updated) throughout the
-Artifact
-system development life cycle.
-CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
-[a] security configuration settings for information technology products
-Document
-employed in the system are established and included in the baseline
-configuration.
-[b] security configuration settings for information technology
-Artifact
-products employed in the system are enforced.
-CM.L2-3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
-CM.L2-3.4.4 Analyze the security impact of changes prior to implementation.
-[a] the security impact of changes to the system is analyzed prior to
-Artifact
-implementation.
-CM.L2-3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
-[a] physical access restrictions associated with changes to the system
-Document
-are defined.
-[b] physical access restrictions associated with changes to the system
-Document
-are documented.
-[c] physical access restrictions associated with changes to the system
-Artifact
-are approved.
-[d] physical access restrictions associated with changes to the system
-Physical Review
-are enforced.
-[e] logical access restrictions associated with changes to the system are
-Document
-defined.
-[f] logical access restrictions associated with changes to the system are
-Document
-documented.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[a] essential programs are defined. Document [b] the use of nonessential programs is defined. Document
-  |  Certified CMMC Assessor (CCA)
-[d] essential functions are defined. Document [e] the use of nonessential functions is defined. Document
-[g] logical access restrictions associated with changes to the system are
-Artifact
-approved.
-[h] logical access restrictions associated with changes to the system are
-Artifact
-enforced.
-[g] essential ports are defined. Document [h] the use of nonessential ports is defined. Document
-CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to
-provide only essential capabilities.
-[a] essential system capabilities are defined based on the principle of
-Document
-[j] essential protocols are defined. Document
-least functionality.
-[k] the use of nonessential protocols is defined. Document
-[b] the system is configured to provide only the defined essential
-Screen Share
-capabilities.
-[m] essential services are defined. Document
-CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports,
-[n] the use of nonessential services is defined. Document
-protocols, and services.
-[c] the use of nonessential programs is restricted, disabled, or
-Screen Share
-prevented as defined.
-[f] the use of nonessential functions is restricted, disabled, or
-Screen Share
-prevented as defined.
-[i] the use of nonessential ports is restricted, disabled, or prevented as
-Screen Share
-defined.
-[l] the use of nonessential protocols is restricted, disabled, or
-Screen Share
-prevented as defined.
-[o] the use of nonessential services is restricted, disabled, or prevented
-Screen Share
-as defined.
-CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized
-software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized
-software.
-[a] a policy specifying whether whitelisting or blacklisting is to be
-Document
-implemented is specified.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[c] installation of software by users is monitored. Screen Share [a] system users are identified. Document
-CertifiedCMMCAssessor(CCA)  |
-[b] processes acting on behalf of users are identified. Document [c] devices accessing the system are identified. Document
-[b] the software allowed to execute under whitelisting or denied use
-Document
-under blacklisting is specified.
-[c] whitelisting to allow the execution of authorized software or
-Screen Share
-blacklisting to prevent the use of unauthorized software is
-implemented as specified.
-CM.L2-3.4.9 Control and monitor user-installed software.
-[a] a policy for controlling the installation of software by users is
-Document
-established.
-[b] installation of software by users is controlled based on the
-Screen Share
-established policy.
-[a] privileged accounts are identified. Document
-IA.L1-3.5.1 Identify information system users, processes acting on behalf of users, or devices.
-IA.L1-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
-[a] the identity of each user is authenticated or verified as a
-Screen Share
-prerequisite to system access.
-[b] the identity of each process acting on behalf of a user is
-Screen Share
-authenticated or verified as a prerequisite to system access.
-[c] the identity of each device accessing or connecting to the system is
-Screen Share
-authenticated or verified as a prerequisite to system access.
-IA.L2-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
-[b] multifactor authentication is implemented for local access to
-Screen Share
-privileged accounts.
-[c] multifactor authentication is implemented for network access to
-Screen Share
-privileged accounts.
-[d] multifactor authentication is implemented for network access to
-Screen Share
-non-privileged accounts.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[a] a period within which identifiers cannot be reused is defined. Document [b] reuse of identifiers is prevented within the defined period. Artifact [a] a period of inactivity after which an identifier is disabled is defined. Document [b] identifiers are disabled after the defined period of inactivity. Artifact [a] password complexity requirements are defined. Document
-  |  Certified CMMC Assessor (CCA)
-[b] password change of character requirements are defined. Document
-IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged
-and non-privileged accounts.
-[a] replay-resistant authentication mechanisms are implemented for
-Screen Share
-network account access to privileged and non-privileged accounts.
-IA.L2-3.5.5 Prevent reuse of identifiers for a defined period.
-IA.L2-3.5.6 Disable identifiers after a defined period of inactivity.
-IA.L2-3.5.7 Enforce a minimum password complexity and change of characters when new
-passwords are created.
-[a] passwords are cryptographically protected in storage. Screen Share
-[b] passwords are cryptographically protected in transit. Screen Share
-[c] minimum password complexity requirements as defined are
-Screen Share
-enforced when new passwords are created.
-[d] minimum password change of character requirements as defined
-Screen Share
-are enforced when new passwords are created.
-IA.L2-3.5.8 Prohibit password reuse for a specified number of generations.
-[a] the number of generations during which a password cannot be
-Document
-reused is specified.
-[b] reuse of passwords is prohibited during the specified number of
-Screen Share
-generations.
-IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a
-permanent password.
-[a] an immediate change to a permanent password is required when a
-Screen Share
-temporary password is used for system logon.
-IA.L2-3.5.10 Store and transmit only cryptographically-protected passwords.
-IA.L2-3.5.11 Obscure feedback of authentication information.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] an operational incident-handling capability is established. Document [b] the operational incident-handling capability includes preparation. Document [c] the operational incident-handling capability includes detection. Document [d] the operational incident-handling capability includes analysis. Document [e] the operational incident-handling capability includes containment. Document [f] the operational incident-handling capability includes recovery. Document
-CertifiedCMMCAssessor(CCA)  |
-[a] incidents are tracked. Artifact
-[a] authentication information is obscured during the authentication
-Screen Share
-[b] incidents are documented. Artifact
-process.
-[c] authorities to whom incidents are to be reported are identified. Document [e] identified authorities are notified of incidents. Screen Share
-IR.L2-3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
-[f] identified organizational officials are notified of incidents. Artifact [a] the incident response capability is tested. Artifact
-[g] the operational incident-handling capability includes user response
-Document
-activities.
-[a] system maintenance is performed. Artifact
-IR.L2-3.6.2 Track, document, and report incidents to designated officials and/or authorities both
-internal and external to the organization.
-[a] tools used to conduct system maintenance are controlled. Artifact
-[d] organizational officials to whom incidents are to be reported are
-Document
-identified.
-IR.L2-3.6.3 Test the organizational incident response capability.
-MA.L2-3.7.1 Perform maintenance on organizational systems.
-MA.L2-3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[b] techniques used to conduct system maintenance are controlled. Artifact [c] mechanisms used to conduct system maintenance are controlled. Artifact
-[d] personnel used to conduct system maintenance are controlled. Physical Review
-  |  Certified CMMC Assessor (CCA)
-MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. [a] equipment to be removed from organizational spaces for off-site
-Artifact
-maintenance is sanitized of any CUI.
-MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the
-media are used in organizational systems.
-[a] media containing diagnostic and test programs are checked for
-Artifact
-malicious code before being used in organizational systems that
-[a] paper media containing CUI is physically controlled. Document
-process, store, or transmit CUI.
-[b] digital media containing CUI is physically controlled. Document [c] paper media containing CUI is securely stored. Physical Review
-MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via
-[d] digital media containing CUI is securely stored. Physical Review
-external network connections and terminate such connections when nonlocal maintenance is
-complete.
-[a] multifactor authentication is used to establish nonlocal
-Screen Share
-[a] access to CUI on system media is limited to authorized users. Artifact
-maintenance sessions via external network connections.
-[b] nonlocal maintenance sessions established via external network
-Screen Share
-connections are terminated when nonlocal maintenance is complete.
-MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required
-access authorization.
-[a] maintenance personnel without required access authorization are
-Document
-supervised during maintenance activities.
-MP.L2-3.8.1 Protect (i.e., physically control and securely store) system media containing CUI,
-both paper and digital.
-MP.L2-3.8.2 Limit access to CUI on system media to authorized users.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] media containing CUI is marked with applicable CUI markings. Physical Review
-[b] media containing CUI is marked with distribution limitations. Physical Review
-[a] access to media containing CUI is controlled. Document
-CertifiedCMMCAssessor(CCA)  |
-MP.L1-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
-[a] system media containing FCI is sanitized or destroyed before
-Document
-disposal.
-[b] system media containing FCI is sanitized before it is released for
-Document
-reuse.
-[a] the use of removable media on system components is controlled. Artifact
-MP.L2-3.8.4 Mark media with necessary CUI markings and distribution limitations.
-MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
-[a] the confidentiality of backup CUI is protected at storage locations. Artifact
-[b] accountability for media containing CUI is maintained during
-Artifact
-transport outside of controlled areas.
-MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
-[a] the confidentiality of CUI stored on digital media is protected
-Artifact
-during transport using cryptographic mechanisms or alternative
-physical safeguards.
-MP.L2-3.8.7 Control the use of removable media on system components.
-MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
-[a] the use of portable storage devices is prohibited when such devices
-Artifact
-have no identifiable owner.
-MP.L2-3.8.9 Protect the confidentiality of backup CUI at storage locations.
-PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[c] the system is protected during and after personnel transfer actions. Artifact [a] authorized individuals allowed physical access are identified. Artifact
-  |  Certified CMMC Assessor (CCA)
-[c] physical access to equipment is limited to authorized individuals. Physical Review
-[a] individuals are screened prior to authorizing access to
-Artifact
-organizational systems containing CUI.
-PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after
-personnel actions such as terminations and transfers.
-[a] a policy and/or process for terminating system access and any
-Document
-credentials coincident with personnel actions is established.
-[b] the support infrastructure for organizational systems is protected. Physical Review
-[b] system access and credentials are terminated consistent with
-Artifact
-personnel actions such as termination or transfer.
-[d] the support infrastructure for organizational systems is monitored. Physical Review
-PE.L1-3.10.1 Limit physical access to organizational information systems, equipment, and the
-[a] visitors are escorted. Physical Review
-respective operating environments to authorized individuals.
-[b] visitor activity is monitored. Physical Review
-[b] physical access to organizational systems is limited to authorized
-Physical Review
-individuals.
-[a] audit logs of physical access are maintained. Artifact
-[d] physical access to operating environments is limited to authorized
-Physical Review
-individuals.
-PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for
-organizational systems.
-[a] the physical facility where organizational systems reside is
-Physical Review
-protected.
-[c] the physical facility where organizational systems reside is
-Physical Review
-monitored.
-PE.L1-3.10.3 Escort visitors and monitor visitor activity.
-PE.L1-3.10.4 Maintain audit logs of physical access.
-PE.L1-3.10.5 Control and manage physical access devices.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] physical access devices are identified. Document [b] physical access devices are controlled. Physical Review
-[c] physical access devices are managed. Physical Review
-[a] safeguarding measures for CUI are defined for alternate work sites. Document
-CertifiedCMMCAssessor(CCA)  |
-PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.
-[b] safeguarding measures for CUI are enforced for alternate work
-Artifact
-sites.
-RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation
-of organizational systems and the associated processing, storage, or transmission of CUI. [a] the frequency to assess risk to organizational operations,
-Document
-organizational assets, and individuals is defined.
-[a] vulnerabilities are identified. Artifact
-[b] risk to organizational operations, organizational assets, and
-Artifact
-[b] vulnerabilities are remediated in accordance with risk assessments. Artifact
-individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
-RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
-[a] the frequency to scan for vulnerabilities in organizational systems
-Document
-and applications is defined.
-[b] vulnerability scans are performed on organizational systems with
-Screen Share
-the defined frequency.
-[c] vulnerability scans are performed on applications with the defined
-Screen Share
-frequency.
-[d] vulnerability scans are performed on organizational systems when
-Screen Share
-new vulnerabilities are identified.
-[e] vulnerability scans are performed on applications when new
-Screen Share
-vulnerabilities are identified.
-RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[a] the frequency of security control assessments is defined. Document
-  |  Certified CMMC Assessor (CCA)
-CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if thecontrols are effective in their application.
-[b] security controls are assessed with the defined frequency to Artifact
-[a] a system security plan is developed. Document
-determine if the controls are effective in their application.
-CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduceor eliminate vulnerabilities in organizational systems.
-[a] deficiencies and vulnerabilities to be addressed by the plan of
-Artifact
-action are identified.
-[b] a plan of action is developed to correct identified deficiencies and
-Artifact
-reduce or eliminate identified vulnerabilities.
-[c] the plan of action is implemented to correct identified deficiencies
-Artifact
-and reduce or eliminate identified vulnerabilities.
-[g] the frequency to update the system security plan is defined. Document
-CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness[h] system security plan is updated with the defined frequency. Document
-of the controls.
-[a] security controls are monitored on an ongoing basis to ensure the
-Artifact
-continued effectiveness of those controls.
-CA.L2-3.12.4 Develop, document, and periodically update system security plans that describe
-system boundaries, system environments of operation, how security requirements are
-implemented, and the relationships with or connections to other systems.
-[b] the system boundary is described and documented in the systemsecurity plan.
-Document
-[c] the system environment of operation is described and documented
-Document
-in the system security plan.
-[d] the security requirements identified and approved by the
-Document
-designated authority as non-applicable are identified.
-[e] the method of security requirement implementation is described
-Document
-and documented in the system security plan.
-[f] the relationship with or connection to other systems is described
-Document
-and documented in the system security plan.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] the external system boundary is defined. Document [b] key internal system boundaries are defined. Document [c] communications are monitored at the external system boundary. Screen Share [d] communications are monitored at key internal boundaries. Screen Share [e] communications are controlled at the external system boundary. Screen Share [f] communications are controlled at key internal boundaries. Screen Share [g] communications are protected at the external system boundary. Screen Share [h] communications are protected at key internal boundaries. Screen Share
-CertifiedCMMCAssessor(CCA)  |
-SC.L1-3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
-[a] user functionality is identified. Document [b] system management functionality is identified. Document
-SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
-[a] architectural designs that promote effective information security
-Document
-are identified.
-[b] software development techniques that promote effective
-Document
-information security are identified.
-[c] systems engineering principles that promote effective information
-Document
-security are identified.
-[d] identified architectural designs that promote effective information
-Artifact
-security are employed.
-[e] identified software development techniques that promote effective
-Artifact
-information security are employed.
-[f] identified systems engineering principles that promote effective
-Artifact
-information security are employed.
-SC.L2-3.13.3 Separate user functionality from system management functionality.
-[c] user functionality is separated from system management
-Screen Share
-functionality.
-SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system
-resources.
-[a] unauthorized and unintended information transfer via shared
-Screen Share
-system resources is prevented.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[a] publicly accessible system components are identified. Document [a] network communications traffic is denied by default. Screen Share
-[b] network communications traffic is allowed by exception. Screen Share
-  |  Certified CMMC Assessor (CCA)
-SC.L1-3.13.5 Implement subnetworks for publicly accessible system components that are
-physically or logically separated from internal networks.
-[b] subnetworks for publicly accessible system components are
-Artifact
-physically or logically separated from internal networks.
-SC.L2-3.13.6 Deny network communications traffic by default and allow network
-communications traffic by exception (i.e., deny all, permit by exception).
-SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections
-with organizational systems and communicating via some other connection to resources in
-external networks (i.e., split tunneling).
-[a] remote devices are prevented from simultaneously establishing
-Screen Share
-non-remote connections with the system and communicating via
-some other connection to resources in external networks (i.e., split
-tunneling).
-SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI
-during transmission unless otherwise protected by alternative physical safeguards.
-[a] cryptographic mechanisms intended to prevent unauthorized
-Document
-disclosure of CUI are identified.
-[b] alternative physical safeguards intended to prevent unauthorized
-Document
-disclosure of CUI are identified.
-[c] either cryptographic mechanisms or alternative physical safeguards
-Artifact
-are implemented to prevent unauthorized disclosure of CUI during transmission.
-SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end
-of the sessions or after a defined period of inactivity.
-[a] a period of inactivity to terminate network connections associated
-Document
-with communications sessions is defined.
-[b] network connections associated with communications sessions are
-Screen Share
-terminated at the end of the sessions.
-[c] network connections associated with communications sessions are
-Screen Share
-terminated after the defined period of inactivity.
-SC.L2-3.13.10 Establish and manage cryptographic keys for cryptography employed in
-organizational systems.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] collaborative computing devices are identified. Document [c] remote activation of collaborative computing devices is prohibited. Artifact
-CertifiedCMMCAssessor(CCA)  |
-[a] use of mobile code is controlled. Screen Share
-[a] cryptographic keys are established whenever cryptography is
-Artifact
-[b] use of mobile code is monitored. Screen Share
-employed.
-[b] cryptographic keys are managed whenever cryptography is
-Artifact
-employed.
-SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
-[a] FIPS-validated cryptography is employed to protect the
-Screen Share
-confidentiality of CUI.
-[a] the authenticity of communications sessions is protected. Screen Share
-SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
-[b] collaborative computing devices provide indication to users of
-Physical Review
-[a] the confidentiality of CUI at rest is protected. Artifact
-devices in use
-SC.L2-3.13.13 Control and monitor the use of mobile code.
-[a] the time within which to identify system flaws is specified. Document
-SC.L2-3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. [a] use of Voice over Internet Protocol (VoIP) technologies is
-Artifact
-controlled.
-[b] use of Voice over Internet Protocol (VoIP) technologies is
-Artifact
-monitored.
-SC.L2-3.13.15 Protect the authenticity of communications sessions.
-SC.L2-3.13.16 Protect the confidentiality of CUI at rest.
-SI.L1-3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |
-[b] system flaws are identified within the specified time frame. Screen Share
-[c] the time within which to report system flaws is specified. Document [d] system flaws are reported within the specified time frame. Screen Share
-[e] the time within which to correct system flaws is specified. Document [f] system flaws are corrected within the specified time frame. Screen Share
-[a] designated locations for malicious code protection are identified. Document [b] protection from malicious code at designated locations is provided. Screen Share
-[b] system security alerts and advisories are monitored. Artifact
-  |  Certified CMMC Assessor (CCA)
-[a] the frequency for malicious code scans is defined. Document
-SI.L1-3.14.2 Provide protection from malicious code at appropriate locations within
-[b] malicious code scans are performed with the defined frequency. Screen Share
-organizational information systems.
-SI.L2-3.14.3 Monitor system security alerts and advisories and take action in response. [a] response actions to system security alerts and advisories are
-Document
-identified.
-[c] actions in response to system security alerts and advisories are
-Artifact
-taken.
-SI.L1-3.14.4 Update malicious code protection mechanisms when new releases are available.
-[a] malicious code protection mechanisms are updated when newreleases are available.
-Screen Share
-SI.L1-3.14.5 Perform periodic scans of the information system and real-time scans of files from
-external sources as files are downloaded, opened, or executed.
-[c] real-time malicious code scans of files from external sources as files
-Screen Share
-are downloaded, opened, or executed are performed.
-SI.L2-3.14.6 Monitor organizational systems, including inbound and outbound communications
-traffic, to detect attacks and indicators of potential attacks.
-[a] the system is monitored to detect attacks and indicators of
-Screen Share
-potential attacks.
-[b] inbound communications traffic is monitored to detect attacks and
-Screen Share
-indicators of potential attacks.
-[c] outbound communications traffic is monitored to detect attacks
-Screen Share
-and indicators of potential attacks.
-Appendix A : Evidence Collection Approach for CMMC Practices Levels 1 and 2  |
-[a] authorized use of the system is defined. Document
-[b] unauthorized use of the system is identified. Artifact
-CertifiedCMMCAssessor(CCA)  |
-SI.L2-3.14.7 Identify unauthorized use of organizational systems.
-Appendix A : Evidence Collection Approach for CMMCPracticesLevels1and2  |