Level 2 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
'''Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''
'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''
 
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.


== Access Control (AC) ==
== Access Control (AC) ==
Line 67: Line 69:


=== Level 2 AC Practices ===
=== Level 2 AC Practices ===
==== AC.L2-3.1.3 – Control CUI Flow ====
{|class="wikitable"
|-
|'''SECURITY REQUIREMENT'''
Control the flow of CUI in accordance with approved authorizations.
|'''ASSESSMENT OBJECTIVES'''
: [a] information flow control policies are defined;
: [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
: [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; 
: [d] authorizations for controlling the flow of CUI are defined; and
: [e] approved authorizations for controlling the flow of CUI are enforced.
|-
|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
|}


== Awareness and Training (AT) ==
== Awareness and Training (AT) ==

Revision as of 00:38, 21 February 2022

Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - Authorized Access Control

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
More Practice Details...

AC.L1-3.1.2 - Transaction & Function Control

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
More Practice Details...

AC.L1-3.1.20 - External Connections

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
More Practice Details...

AC.L1-3.1.22 - Control Public Information

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.
More Practice Details...

Level 2 AC Practices

AC.L2-3.1.3 – Control CUI Flow

SECURITY REQUIREMENT

Control the flow of CUI in accordance with approved authorizations.

ASSESSMENT OBJECTIVES
[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.
More Practice Details...

Awareness and Training (AT)

Level 2 AT Practices

Audit and Accountability (AU)

Level 2 AU Practices

Configuration Management (CM)

Level 2 CM Practices

Identification and Authentication (IA)

Level 1 IA Practices

Level 2 IA Practices

Incident Response (IR)

Level 2 IR Practices

Maintenance (MA)

Level 2 MA Practices

Media Protection (MP)

Level 1 MP Practices

Level 2 MP Practices

Personnel Security (PS)

Level 2 PS Practices

Physical Protection (PE)

Level 1 PE Practices

Level 2 PE Practices

Risk Assessment (RA)

Level 2 RA Practices

Security Assessment (CA)

Level 2 CA Practices

System and Communications Protection (SC)

Level 1 SC Practices

Level 2 SC Practices

System and Information Integrity (SI)

Level 1 SI Practices

Level 2 SI Practices

Retrieved from "https://cmmcwiki.org/index.php?title=Level_2_Assessment_Guide&oldid=47"