Model Overview: Difference between revisions

From CMMC Toolkit Wiki
No edit summary
No edit summary
Line 61: Line 61:
|
|
|-
|-
|
|'''AC.L2-3.1.7'''
|'''AC.L2-3.1.7'''
''Privileged Functions''
''Privileged Functions''
Line 68: Line 69:
|
|
|-
|-
|
|'''AC.L2-3.1.8'''
|'''AC.L2-3.1.8'''
''Unsuccessful Logon Attempts''
''Unsuccessful Logon Attempts''
Line 75: Line 77:
|
|
|-
|-
|
|'''AC.L2-3.1.9'''
|'''AC.L2-3.1.9'''
''Privacy & Security Notices''
''Privacy & Security Notices''
Line 82: Line 85:
|
|
|-
|-
|
|'''AC.L2-3.1.10'''
|'''AC.L2-3.1.10'''
''Session Lock''
''Session Lock''
Line 91: Line 95:
|
|
|-
|-
|
|'''AC.L2-3.1.11'''
|'''AC.L2-3.1.11'''
''Session Termination''
''Session Termination''
Line 98: Line 103:
|
|
|-
|-
|
|'''AC.L2-3.1.12'''
|'''AC.L2-3.1.12'''
''Control Remote Access''
''Control Remote Access''
Line 105: Line 111:
|
|
|-
|-
|
|'''AC.L2-3.1.13'''
|'''AC.L2-3.1.13'''
''Remote Access Confidentiality''
''Remote Access Confidentiality''
Line 112: Line 119:
|
|
|-
|-
|
|'''AC.L2-3.1.14'''
|'''AC.L2-3.1.14'''
''Remote Access Routing''
''Remote Access Routing''
Line 120: Line 128:
|
|
|-
|-
|
|'''AC.L2-3.1.15'''
|'''AC.L2-3.1.15'''
''Privileged Remote Access''
''Privileged Remote Access''
Line 127: Line 136:
|
|
|-
|-
|
|'''AC.L2-3.1.16'''
|'''AC.L2-3.1.16'''
''Wireless Access Authorization''
''Wireless Access Authorization''
Line 135: Line 145:
|
|
|-
|-
|
|'''AC.L2-3.1.17'''
|'''AC.L2-3.1.17'''
''Wireless Access Protection''
''Wireless Access Protection''
Line 142: Line 153:
|
|
|-
|-
|
|'''AC.L2-3.1.18'''
|'''AC.L2-3.1.18'''
''Mobile Device Connection''
''Mobile Device Connection''
Line 149: Line 161:
|
|
|-
|-
|
|'''AC.L2-3.1.19'''
|'''AC.L2-3.1.19'''
''Encrypt CUI on Mobile''
''Encrypt CUI on Mobile''
Line 156: Line 169:
|
|
|-
|-
|
|'''AC.L2-3.1.21'''
|'''AC.L2-3.1.21'''
''Portable Storage Use''
''Portable Storage Use''

Revision as of 22:01, 22 February 2022

Source of Reference: The official Model Overview from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 1 Level 2 Level 3 (TBD)
AC.L1-3.1.1

Authorized Access Control

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 Rev 2 3.1.1
AC.L2-3.1.3

Control CUI Flow

Control the flow of CUI in accordance with approved authorizations.

  • NIST SP 800-171 Rev 2 3.1.3
AC.L1-3.1.2

Transaction & Function Control

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

  • FAR Clause 52.204-21 b.1.ii
  • NIST SP 800-171 Rev 2 3.1.2
AC.L2-3.1.4

Separation of Duties

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

  • NIST SP 800-171 Rev 2 3.1.4
AC.L1-3.1.20

External Connections

Verify and control/limit connections to and use of external information systems.

  • FAR Clause 52.204-21 b.1.iii
  • NIST SP 800-171 Rev 2 3.1.20
AC.L2-3.1.5

Least Privilege

Employ the principle of least privilege, including for specific security functions and privileged accounts.

  • NIST SP 800-171 Rev 2 3.1.5
AC.L1-3.1.22

Control Public Information

Control information posted or processed on publicly accessible information systems.

  • FAR Clause 52.204-21 b.1.iv
  • NIST SP 800-171 Rev 2 3.1.22
AC.L2-3.1.6

Non-Privileged Account Use

Use non-privileged accounts or roles when accessing nonsecurity functions.

  • NIST SP 800-171 Rev 2 3.1.6
AC.L2-3.1.7

Privileged Functions

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

  • NIST SP 800-171 Rev 2 3.1.7
AC.L2-3.1.8

Unsuccessful Logon Attempts

Limit unsuccessful logon attempts.

  • NIST SP 800-171 Rev 2 3.1.8
AC.L2-3.1.9

Privacy & Security Notices

Provide privacy and security notices consistent with applicable CUI rules.

  • NIST SP 800-171 Rev 2 3.1.9
AC.L2-3.1.10

Session Lock

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

  • NIST SP 800-171 Rev 2 3.1.10
AC.L2-3.1.11

Session Termination

Terminate (automatically) a user session after a defined condition.

  • NIST SP 800-171 Rev 2 3.1.11
AC.L2-3.1.12

Control Remote Access

Monitor and control remote access sessions.

  • NIST SP 800-171 Rev 2 3.1.12
AC.L2-3.1.13

Remote Access Confidentiality

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • NIST SP 800-171 Rev 2 3.1.13
AC.L2-3.1.14

Remote Access Routing

Route remote access via managed access control points.

  • NIST SP 800-171 Rev 2 3.1.14
AC.L2-3.1.15

Privileged Remote Access

Authorize remote execution of privileged commands and remote access to security-relevant information.

  • NIST SP 800-171 Rev 2 3.1.15
AC.L2-3.1.16

Wireless Access Authorization

Authorize wireless access prior to allowing such connections.

  • NIST SP 800-171 Rev 2 3.1.16
AC.L2-3.1.17

Wireless Access Protection

Protect wireless access using authentication and encryption.

  • NIST SP 800-171 Rev 2 3.1.17
AC.L2-3.1.18

Mobile Device Connection

Control connection of mobile devices.

  • NIST SP 800-171 Rev 2 3.1.18
AC.L2-3.1.19

Encrypt CUI on Mobile

Encrypt CUI on mobile devices and mobile computing platforms.

  • NIST SP 800-171 Rev 2 3.1.19
AC.L2-3.1.21

Portable Storage Use

Limit use of portable storage devices on external systems.

  • NIST SP 800-171 Rev 2 3.1.21