Level 2 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki

Revision as of 03:26, 20 February 2022

Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - Authorized Access Control

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

AC.L1-3.1.2 - Transaction & Function Control

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.

AC.L1-3.1.20 - External Connections

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

AC.L1-3.1.22 - Control Public Information

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.

Level 2 AC Practices

Awareness and Training (AT)

Level 2 AT Practices

Audit and Accountability (AU)

Level 2 AU Practices

Configuration Management (CM)

Level 2 CM Practices

Identification and Authentication (IA)

Level 1 IA Practices

Level 2 IA Practices

Incident Response (IR)

Level 2 IR Practices

Maintenance (MA)

Level 2 MA Practices

Media Protection (MP)

Level 1 MP Practices

Level 2 MP Practices

Personnel Security (PS)

Level 2 PS Practices

Physical Protection (PE)

Level 1 PE Practices

Level 2 PE Practices

Risk Assessment (RA)

Level 2 RA Practices

Security Assessment (CA)

Level 2 CA Practices

System and Communications Protection (SC)

Level 1 SC Practices

Level 2 SC Practices

System and Information Integrity (SI)

Level 1 SI Practices

Level 2 SI Practices