Level 2 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki
Jump to navigation Jump to search
← Older editNewer edit →
Visual
No edit summary
Importing content from PDF File: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf
Line 1,408: Line 1,408:
|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
|}
|}
Version 2.13 | September 2024
DoD-CIO-00003 (ZRIN 0790-ZA19)
CMMC Assessment Guide
Level 2
24-T-0461
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
ii
NOTICES
The contents of this document do not have the force and effect of law and are not meant to
bind the public in any way. This document is intended only to provide clarity to the public
regarding existing requirements under the law or departmental policies.
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.
''' '''
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
iii
''' '''
TABLE OF CONTENTS
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#9|'''Introduction ............................................................................................................................ 1''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#9|Level 2 Description ..................................................................................................................... 1 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#10|Purpose and Audience ............................................................................................................... 2 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|'''Assessment and Certification .................................................................................................. 3''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|Assessment Scope ...................................................................................................................... 3 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#12|'''CMMC-Custom Terms .............................................................................................................. 4''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#15|'''Assessment Criteria and Methodology .................................................................................... 7''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|Criteria ....................................................................................................................................... 8 <br />
Methodology ............................................................................................................................. 8 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|Assessment Findings .................................................................................................................. 9 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|'''Requirement Descriptions ..................................................................................................... 12''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|Introduction ............................................................................................................................. 12 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|'''Access Control (AC)................................................................................................................ 14''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|AC.L2-3.1.1 – Authorized Access Control [CUI Data] ........................................................................... 14 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|AC.L2-3.1.2 – Transaction &amp; Function Control .................................................................................... 17 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|AC.L2-3.1.3 – Control CUI Flow ............................................................................................................ 19 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|AC.L2-3.1.4 – Separation of Duties ...................................................................................................... 22 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#32|AC.L2-3.1.5 – Least Privilege ................................................................................................................ 24 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|AC.L2-3.1.6 – Non-Privileged Account Use .......................................................................................... 27 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|AC.L2-3.1.7 – Privileged Functions ...................................................................................................... 29 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|AC.L2-3.1.8 – Unsuccessful Logon Attempts ....................................................................................... 32 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|AC.L2-3.1.9 – Privacy &amp; Security Notices ............................................................................................. 34 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|AC.L2-3.1.10 – Session Lock ................................................................................................................. 36 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|AC.L2-3.1.11 – Session Termination .................................................................................................... 38 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|AC.L2-3.1.12 – Control Remote Access ............................................................................................... 40 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|AC.L2-3.1.13 – Remote Access Confidentiality .................................................................................... 43 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|AC.L2-3.1.14 – Remote Access Routing ............................................................................................... 45 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|AC.L2-3.1.15 – Privileged Remote Access ............................................................................................ 47 ]]
''' '''
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
iv
''' '''
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|AC.L2-3.1.16 – Wireless Access Authorization .................................................................................... 50 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|AC.L2-3.1.17 – Wireless Access Protection ......................................................................................... 52 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|AC.L2-3.1.18 – Mobile Device Connection .......................................................................................... 54 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|AC.L2-3.1.19 – Encrypt CUI on Mobile ................................................................................................. 56 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|AC.L2-3.1.20 – External Connections [CUI Data] ................................................................................. 58 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|AC.L2-3.1.21 – Portable Storage Use ................................................................................................... 61 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|AC.L2-3.1.22 – Control Public Information [CUI Data] ........................................................................ 63 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|'''Awareness and Training (AT) ................................................................................................. 65''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|AT.L2-3.2.1 – Role-Based Risk Awareness ........................................................................................... 65 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|AT.L2-3.2.2 – Role-Based Training ....................................................................................................... 68 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|AT.L2-3.2.3 – Insider Threat Awareness .............................................................................................. 70 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|'''Audit and Accountability (AU) ............................................................................................... 72''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|AU.L2-3.3.1 – System Auditing ............................................................................................................ 72 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|AU.L2-3.3.2 – User Accountability ....................................................................................................... 75 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|AU.L2-3.3.3 – Event Review ................................................................................................................. 77 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|AU.L2-3.3.4 – Audit Failure Alerting .................................................................................................... 79 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|AU.L2-3.3.5 – Audit Correlation ........................................................................................................... 81 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|AU.L2-3.3.6 – Reduction &amp; Reporting .................................................................................................. 83 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|AU.L2-3.3.7 – Authoritative Time Source ............................................................................................ 85 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|AU.L2-3.3.8 – Audit Protection ............................................................................................................ 87 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|AU.L2-3.3.9 – Audit Management ....................................................................................................... 89 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|'''Configuration Management (CM) .......................................................................................... 91''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|CM.L2-3.4.1 – System Baselining ......................................................................................................... 91 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|CM.L2-3.4.2 – Security Configuration Enforcement ............................................................................ 94 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|CM.L2-3.4.3 – System Change Management ...................................................................................... 96 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|CM.L2-3.4.4 – Security Impact Analysis ............................................................................................... 98 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#108|CM.L2-3.4.5 – Access Restrictions for Change .................................................................................. 100 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|CM.L2-3.4.6 – Least Functionality ..................................................................................................... 103 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#113|CM.L2-3.4.7 – Nonessential Functionality ......................................................................................... 105 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|CM.L2-3.4.8 – Application Execution Policy ...................................................................................... 108 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|CM.L2-3.4.9 – User-Installed Software .............................................................................................. 110 ]]
''' '''
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
v
''' '''
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|'''Identification and Authentication (IA) .................................................................................. 112''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|IA.L2-3.5.1 – Identification [CUI Data] ............................................................................................... 112 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|IA.L2-3.5.2 – Authentication [CUI Data] ............................................................................................ 114 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|IA.L2-3.5.3 – Multifactor Authentication ........................................................................................... 117 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|IA.L2-3.5.4 – Replay-Resistant Authentication .................................................................................. 120 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|IA.L2-3.5.5 – Identifier Reuse ............................................................................................................ 122 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|IA.L2-3.5.6 – Identifier Handling ........................................................................................................ 124 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|IA.L2-3.5.7 – Password Complexity ................................................................................................... 126 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|IA.L2-3.5.8 – Password Reuse ............................................................................................................ 128 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|IA.L2-3.5.9 – Temporary Passwords .................................................................................................. 130 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|IA.L2-3.5.10 – Cryptographically-Protected Passwords .................................................................... 132 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|IA.L2-3.5.11 – Obscure Feedback ...................................................................................................... 134 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|'''Incident Response (IR) .......................................................................................................... 136''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|IR.L2-3.6.1 – Incident Handling .......................................................................................................... 136 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|IR.L2-3.6.2 – Incident Reporting ........................................................................................................ 139 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|IR.L2-3.6.3 – Incident Response Testing ............................................................................................ 142 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|'''Maintenance (MA) ............................................................................................................... 144''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|MA.L2-3.7.1 – Perform Maintenance ................................................................................................ 144 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|MA.L2-3.7.2 – System Maintenance Control ..................................................................................... 146 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|MA.L2-3.7.3 – Equipment Sanitization .............................................................................................. 148 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|MA.L2-3.7.4 – Media Inspection ........................................................................................................ 150 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|MA.L2-3.7.5 – Nonlocal Maintenance ............................................................................................... 152 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|MA.L2-3.7.6 – Maintenance Personnel ............................................................................................. 155 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|'''Media Protection (MP) ......................................................................................................... 157''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|MP.L2-3.8.1 – Media Protection ........................................................................................................ 157 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|MP.L2-3.8.2 – Media Access .............................................................................................................. 159 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|MP.L2-3.8.3 – Media Disposal [CUI Data] .......................................................................................... 161 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|MP.L2-3.8.4 – Media Markings .......................................................................................................... 163 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|MP.L2-3.8.5 – Media Accountability ................................................................................................. 165 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|MP.L2-3.8.6 – Portable Storage Encryption ...................................................................................... 167 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|MP.L2-3.8.7 – Removeable Media ..................................................................................................... 169 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|MP.L2-3.8.8 – Shared Media ............................................................................................................. 171 ]]
''' '''
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
vi
''' '''
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|MP.L2-3.8.9 – Protect Backups .......................................................................................................... 173 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|'''Personnel Security (PS) ......................................................................................................... 175''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|PS.L2-3.9.1 – Screen Individuals ........................................................................................................ 175 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|PS.L2-3.9.2 – Personnel Actions ........................................................................................................ 177 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|'''Physical Protection (PE) ........................................................................................................ 180''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|PE.L2-3.10.1 – Limit Physical Access [CUI Data] ................................................................................ 180 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#190|PE.L2-3.10.2 – Monitor Facility .......................................................................................................... 182 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|PE.L2-3.10.3 – Escort Visitors [CUI Data] ........................................................................................... 184 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|PE.L2-3.10.4 – Physical Access Logs [CUI Data] ................................................................................. 186 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|PE.L2-3.10.5 – Manage Physical Access [CUI Data] ........................................................................... 188 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|PE.L2-3.10.6 – Alternative Work Sites ............................................................................................... 190 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|'''Risk Assessment (RA)............................................................................................................ 192''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|RA.L2-3.11.1 – RIsk Assessments ....................................................................................................... 192 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#203|RA.L2-3.11.2 – Vulnerability Scan ...................................................................................................... 195 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|RA.L2-3.11.3 – Vulnerability Remediation ......................................................................................... 198 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|'''Security Assessment (CA) ..................................................................................................... 200''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|CA.L2-3.12.1 – Security Control Assessment ..................................................................................... 200 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|CA.L2-3.12.2 – operational Plan of Action ......................................................................................... 203 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|CA.L2-3.12.3 – Security Control Monitoring ...................................................................................... 206 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#216|CA.L2-3.12.4 – System Security Plan ................................................................................................. 208 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|'''System and Communications Protection (SC) ....................................................................... 211''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|SC.L2-3.13.1 – Boundary Protection [CUI Data] ................................................................................ 211 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#222|SC.L2-3.13.2 – Security Engineering .................................................................................................. 214 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|SC.L2-3.13.3 – Role Separation .......................................................................................................... 217 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|SC.L2-3.13.4 – Shared Resource Control ........................................................................................... 219 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#229|SC.L2-3.13.5 – Public-Access System Separation [CUI Data] ............................................................. 221 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|SC.L2-3.13.6 – Network Communication by Exception ..................................................................... 223 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|SC.L2-3.13.7 – Split Tunneling ........................................................................................................... 225 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|SC.L2-3.13.8 – Data in Transit ............................................................................................................ 227 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|SC.L2-3.13.9 – Connections Termination ........................................................................................... 229 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|SC.L2-3.13.10 – Key Management ..................................................................................................... 231 ]]
''' '''
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
vii
''' '''
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|SC.L2-3.13.11 – CUI Encryption ......................................................................................................... 234 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|SC.L2-3.13.12 – Collaborative Device Control ................................................................................... 236 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|SC.L2-3.13.13 – Mobile Code ............................................................................................................. 238 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|SC.L2-3.13.14 – Voice over Internet Protocol.................................................................................... 240 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|SC.L2-3.13.15 – Communications Authenticity ................................................................................. 242 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|SC.L2-3.13.16 – Data at Rest .............................................................................................................. 244 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|'''System and Information Integrity (SI) ................................................................................... 246''' ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|SI.L2-3.14.1 – Flaw Remediation [CUI Data] ...................................................................................... 246 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|SI.L2-3.14.2 – Malicious Code Protection [CUI Data] ........................................................................ 249 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|SI.L2-3.14.3 – Security Alerts &amp; Advisories ........................................................................................ 252 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data] ........................................................... 254 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|SI.L2-3.14.5 – System &amp; File Scanning [CUI Data] .............................................................................. 256 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#266|SI.L2-3.14.6 – Monitor Communications for Attacks......................................................................... 258 <br />
]][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|SI.L2-3.14.7 – Identify Unauthorized Use .......................................................................................... 261 ]]
[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#272|'''Appendix A – Acronyms and Abbreviations .......................................................................... 264''' ]]
''' '''
'''CMMC Assessment Guide – Level 2 '''|''' Version 2.13 '''
viii
''' '''
''This page intentionally left blank. ''
''' '''
Introduction
CMMC Assessment Guide – Level 2 | Version 2.13
1
Introduction <br />
This document provides guidance in the preparation for and conduct  of a Level  2  self-
assessment or Level 2 certification  assessment  under the Cybersecurity Maturity Model
Certification (CMMC) Program as set forth in  section  170.16  of title  32,  Code of Federal
Regulations (CFR) and 32 CFR § 170.17 respectively. Certification at each CMMC level occurs
independently. Guidance for conducting a Level 1 self-assessment can be found in ''CMMC ''
''Assessment Guide – Level 1''. Guidance for conducting a Level 3 certification assessment can
be found in ''CMMC'' ''Assessment Guide – Level 3''. More details on the model can be found in the
''CMMC Model Overview'' document. <br />
An  ''Assessment''  as defined in 32 CFR  § 170.4  means  ''the testing or evaluation of security ''
''controls to determine the extent to which the controls are implemented correctly, operating as ''
''intended, and producing the desired outcome with respect to meeting the security requirements ''
''for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18''.
For Level 2 there are two types of assessments:
  A s''elf-assessment'' is the term for the activity performed by an entity to evaluate its own
CMMC Level, as applied to Level 1 and some Level 2.
  A ''Level 2 certification assessment ''is the term for the activity performed by a Certified
Third-Party Assessment Organization (C3PAO)to evaluate the CMMC level of an OSC.
32 CFR § 170.16(b) describes contract or subcontract eligibility for any contract with a Level
2 self-assessment requirement, and 32 CFR § 170.17(b) describes contract or subcontract
eligibility for any contract with a Level 2 certification  assessment  requirement. Level 2
certification assessment requires the Organization Seeking Assessment (OSA) achieve the
CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO), as described
in 32 § CFR 170.4, obtained through an assessment by an accredited C3PAO.
Level 2 Description
Level 2 incorporates the security requirements specified in National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171 Revision 2, ''Protecting Controlled ''
''Unclassified Information in Nonfederal Systems and Organizations''. <br />
Level 2 addresses the protection of Controlled Unclassified Information (CUI), as defined in
32 CFR § 2002.4(h):
''Information the Government creates or possesses, or that an entity creates or ''
''possesses for or on behalf of the Government, that a law, regulation, or ''
''Government-wide policy requires or permits an agency to handle using ''
''safeguarding or dissemination controls. However, CUI does not include classified ''
''information (see paragraph (e) of this section) or information a non-executive ''
''branch entity possesses and maintains in its own systems that did not come from, ''
''or was not created or possessed by or for, an executive branch agency or an entity ''
''acting for an agency. Law, regulation, or Government-wide policy may require ''
''or permit safeguarding or dissemination controls in three ways: Requiring or ''
''' '''
Introduction
CMMC Assessment Guide – Level 2 | Version 2.13
2
''permitting agencies to control or protect the information but providing no ''
''specific controls, which makes the information CUI Basic; requiring or ''
''permitting agencies to control or protect the information and providing specific ''
''controls for doing so, which makes the information CUI Specified; or requiring or ''
''permitting agencies to control the information and specifying only some of those ''
''controls, which makes the information CUI Specified, but with CUI Basic controls ''
''where the authority does not specify.''
Level 2 certification assessments provides increased assurance to the DoD that an OSA can
adequately protect CUI at a level commensurate with the adversarial  risk,  including
protecting information flow with subcontractors in a multi-tier supply chain.
Purpose and Audience
This guide is intended for assessors, OSAs, cybersecurity professionals, and individuals and
companies that support CMMC efforts. This document can be used as part of preparation for
and conducting a Level 2 self-assessment or a Level 2 certification assessment. The term
Level 2 assessment encompasses both Level 2 self-assessment  and  Level 2 certification
assessment. <br />
Document Organization <br />
This document is organized into the following sections: <br />
  '''Assessment and Certification:''  '''''provides an overview of the Level 2  self-assessment
processes set forth in 32 CFR §170.16 as well as the Level 2 certification assessment
processes set forth in 32 CFR  § 170.17.  It  provides  guidance regarding the scope
requirements set forth in 32 CFR § 170.19(c).
  '''CMMC-Custom Terms:''' incorporates definitions from 32 CFR § 170.4 and definitions
included by reference from 32 CFR § 170.2, and provides clarification of the intent and
scope of custom terms as used in the context of CMMC.
  '''Assessment Criteria and Methodology:'''  provides guidance on the criteria and
methodology (i.e., ''interview'',  ''examine'', and ''test'')  to be employed  during a Level 2
assessment, as well as on assessment findings.
  '''Requirement  Descriptions:  '''provides  guidance specific to  each  Level  2  security
requirement.
''' '''
Assessment and Certification
CMMC Assessment Guide – Level 2 | Version 2.13
3
Assessment and Certification <br />
Certified Assessors as described in 32 CFR § 170.11 will use the assessment methods defined
in NIST  SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|1]],  ''Assessing Security Requirements for Controlled Unclassified ''
''Information'',  along with the supplemental information in this guide, to conduct Level  2
certification assessments. Certified Assessors will review information and evidence to verify
that an OSC meets the stated assessment objectives for all of the requirements. <br />
An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for
a specific  enclave(s), depending upon how the CMMC  Assessment  Scope  is  defined  in
accordance with 32 CFR § 170.19(c). <br />
OSAs  conducting self-assessments  in accordance with 32  CFR  § 170.16  are expected to
evaluate their compliance with CMMC requirements using the same criteria established in
NIST SP 800-171A and this assessment guide and used for third-party assessments.
Assessment Scope
The CMMC Assessment Scope must be specified prior to assessment in accordance with the
requirements of 32 CFR § 170.19. The CMMC Assessment Scope is the set of all assets in the
OSA’s environment that will be assessed against CMMC security requirements. <br />
Because the scoping of a Level 2 certification assessment is not the same as the scoping of a
Level  3  certification  assessment,  before determining the CMMC Assessment Scope it is
important to first consider whether the goal is a Level 2 or Level 3 CMMC Status. If the intent
is not to achieve a CMMC Status of Final Level 3 (DIBCAC) as defined in 32 CFR § 170.18,
refer to the guidance provided in the  ''CMMC Scoping Guide  –  Level  2''  document  which
summarizes 32 CFR § 170.19(c). If the intent is to achieve a CMMC Status of Final Level 3
(DIBCAC), refer to the guidance provided in the ''CMMC Scoping Guide – Level 3'' document
which summarizes 32 CFR § 170.19(d). Both documents are available on the official CMMC
documentation site at https://dodcio.defense.gov/CMMC/Documentation/.
1
NIST SP 800-171A, June 2018
''' '''
CMMC-Custom Terms
CMMC Assessment Guide – Level 2 | Version 2.13
4
CMMC-Custom Terms <br />
The CMMC Program has custom terms that align with program requirements. Although some
terms may have other definitions in open forums, it is important to understand these terms
as they apply to the CMMC Program. <br />
The specific terms as associated with Level 2 are: <br />
  '''Assessment: '''As defined in 32 CFR § 170.4 means the testing or evaluation of security
controls to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to meeting the
security requirements for an information system or organization, as defined in 32 CFR §
170.15 to 32 CFR § 170.18.
o  ''Level 2 self-assessment'' is the term for the activity performed by an OSA to evaluate
its own information system when seeking a CMMC Status of Level 2 (Self).
o  ''Level 2 certification assessment'' is the term for the activity performed by a C3PAO
to evaluate the information system of an OSC when seeking a CMMC Status of
Level 2 (C3PAO).
o  ''POA&amp;M closeout self-assessment'' is the term for the activity performed by an OSA
to evaluate only the NOT MET requirements that were identified with POA&amp;M
during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).
o  ''POA&amp;M closeout certification assessment'' is the term for the activity performed by
a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were
identified with POA&amp;M during the initial assessment, when seeking a CMMC
Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
  '''Assessment Objective: '''As defined in 32 CFR § 170.4 means a set of determination
statements that, taken together, expresses the desired outcome for the assessment of a
security requirement. Successful implementation of the corresponding CMMC security
requirement requires meeting all applicable assessment objectives defined in NIST SP
800–171A or NIST SP 800-172A.
  '''Asset:''' An item of value to stakeholders. An asset may be tangible (e.g., a physical item
such as hardware, firmware, computing platform, network device, or other technology
component) or intangible (e.g., humans, data, information, software, capability, function,
service, trademark, copyright, patent, intellectual property, image, or reputation). The
value of an asset is determined by stakeholders in consideration of loss concerns across
the entire system life cycle. Such concerns include but are not limited to business or
mission concerns, as defined in NIST SP 800-160 Rev 1.
  '''CMMC Assessment Scope: '''As defined in 32 CFR § 170.4 means the set of all assets in the
OSA’s environment that will be assessed against CMMC security requirements.
  '''CMMC Status: '''As defined in 32 CFR § 170.4 is the result of meeting or exceeding the
minimum required score for the corresponding assessment. The CMMC Status of an OSA
information system is officially stored in SPRS and additionally issued on a Certificate of
CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
''' '''
CMMC-Custom Terms
CMMC Assessment Guide – Level 2 | Version 2.13
5
o  ''Conditional Level 2 (Self) ''is defined in § 170.16(a)(1)(ii). The OSA has conducted
a Level 2 self-assessment, submitted compliance results in the Supplier
Performance Risk System (SPRS), and created a CMMC POA&amp;M that meets all
CMMC POA&amp;M requirements listed in 32 CFR §170.16(a)(1)(ii).
o  ''Final Level 2 (Self) ''is defined in § 170.16(a)(1)(iii). The OSA will achieve a CMMC
Status  of  Final Level 2 (Self)  for the information system(s) within the CMMC
Assessment Scope upon implementation of all security requirements and close
out of the POA&amp;M, as applicable.
o  ''Conditional Level 2 (C3PAO) ''is defined in § 170.17(a)(1)(ii). The OSC will achieve
a CMMC Status of Conditional Level 2 (C3PAO) if a POA&amp;M exists upon completion
of the assessment and the POA&amp;M meets all Level 2 POA&amp;M requirements listed
in 32 CFR § 170.21(a)(2).
o  ''Final Level 2 (C3PAO) ''is defined in § 170.17(a)(1)(iii). The OSC will achieve a
CMMC Status of Final  Level 2 (C3PAO) for the information systems within the
CMMC Assessment Scope upon implementation of all security requirements and
as applicable, a POA&amp;M closeout assessment conducted by the C3PAO within 180
days. Additional guidance can be found in 32 CFR § 170.21.
  '''Component:  '''A discrete identifiable information technology ''asset''  that represents a
building block of a system and may include hardware, software, and firmware[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|2]]. A
''component'' is one type of ''asset''.
  '''Enduring Exception:''' As defined in 32 CFR § 170.4 means a special circumstance or
system where remediation and full compliance with CMMC security requirements is not
feasible. Examples include systems required to replicate the configuration of ‘fielded’
systems, medical devices, test equipment, OT, and IoT. No operational plan of action is
required but the circumstance must be documented within a system security plan.
Specialized Assets and GFE may be Enduring Exceptions.
  '''Event: '''Any observable occurrence in a system[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|3]]. As described in NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|4]], the
terms “information system” and “system” can be used interchangeably. ''Events'' sometimes
provide indication that an ''incident'' is occurring.''' '''
  '''Incident:  '''An occurrence that actually or potentially jeopardizes the confidentiality,
integrity, or availability of a system or the information the system processes, stores, or
transmits or that constitutes a violation or imminent threat of violation of security
policies, security procedures, or acceptable use policies.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#13|5''' ''']]
  '''Information System  (IS):  '''As  defined  in  32  CFR  §  170.4  means a  discrete set of
information resources organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of information. An ''IS'' is one type of ''asset''.''' '''
2
NIST SP 800-171 Rev 2, p 59 under system component
3
NIST SP 800-53 Rev. 5, p. 402
4
NIST SP 800-171A, p. v
5
NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)
''' '''
CMMC-Custom Terms
CMMC Assessment Guide – Level 2 | Version 2.13
6
  '''Monitoring:  '''The act of continually  checking, supervising, critically observing, or
determining the status in order to identify change from the performance level required
or expected at an ''organization-defined'' frequency and rate.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#14|6''' ''']]
  '''Operational plan of action: '''As used in security requirement CA.L2-3.12.2, means the
formal artifact which identifies temporary vulnerabilities and temporary deficiencies in
implementation of requirements and documents how and when they will be mitigated,
corrected, or eliminated.  The OSA defines the format (e.g., document, spreadsheet,
database) and specific content of its operational plan of action. An operational plan of
action is not the same as a POA&amp;M associated with an assessment.
  '''Organization-defined: '''As determined by the OSA being assessed except as defined in
the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or
rate at which something occurs within a given time period, or it could be associated with
describing the configuration of an OSA’s solution.
  '''Periodically: '''Occurring at a regular interval as determined by the OSA that may not
exceed one year.  As used in many requirements  within CMMC, the interval length is
''organization-defined'' to provide OSA flexibility, with an interval length of no more than
one year.''' '''
  '''Security Protection Data (SPD): '''As defined in 32 CFR § 170.4 means data stored or
processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed
environment. SPD is security relevant information and includes, but is not limited to:
configuration data required to operate an SPA, log files generated by or ingested by an
SPA, data related to the configuration or vulnerability status of in-scope assets, and
passwords that grant access to the in-scope environment.
  '''System Security Plan (SSP): '''As defined in 32 CFR § 170.4 means the formal document
that provides an overview of the security requirements for an information system or an
information security program and describes the security controls in place or planned for
meeting those requirements. The system security plan describes the system components
that are included within the system, the environment in which the system operates, how
the security requirements are implemented, and the relationships with or connections to
other systems, as defined in NIST SP 800-53 Rev 5.
  '''Temporary deficiency:''' As defined in 32 CFR § 170.4 means a condition where
remediation of a discovered deficiency is feasible and a known fix is available or is in
process. The deficiency must be documented in an operational plan of action. A
temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC
security requirement but arises after implementation. A temporary deficiency may
apply during the initial implementation of a security requirement if, during roll-out,
specific issues with a very limited subset of equipment is discovered that must be
separately addressed. There is no standard duration for which a temporary deficiency
may be active. For example, FIPS-validated cryptography that requires a patch and the
patched version is no longer the validated version may be a temporary deficiency.
6
NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55
''' '''
Assessment Criteria and Methodology
CMMC Assessment Guide – Level 2 | Version 2.13
7
Assessment Criteria and Methodology <br />
The ''CMMC Assessment Guide – Level 2'' leverages the assessment procedure described in NIST
SP 800-171A Section 2.1[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#15|7]]:
''An assessment procedure consists of an assessment objective and a set of ''
''potential assessment methods and assessment objects that can be used to ''
''conduct the assessment.  Each assessment objective includes a determination ''
''statement related to the requirement that is the subject of the assessment. The ''
''determination statements are linked to the content of the requirement to ensure ''
''traceability of the assessment results to the requirements. The application of an ''
''assessment procedure to a  requirement  produces assessment findings.  These ''
''findings reflect, or are subsequently used, to help determine if the requirement ''
''has been satisfied. <br />
Assessment objects identify the specific items being assessed and can include ''
''specifications, mechanisms, activities, and individuals. <br />
''•
  ''Specifications are the document-based artifacts (e.g., policies, procedures, ''
''security plans, security requirements, functional specifications, architectural ''
''designs) associated with a system. ''
  ''Mechanisms are the specific hardware, software, or firmware safeguards ''
''employed within a system. ''
  ''Activities are the protection-related actions supporting a system that involve ''
''people (e.g., conducting system backup operations, exercising a contingency ''
''plan, and monitoring network traffic). ''
  ''Individuals, or groups of individuals, are people applying the specifications, ''
''mechanisms, or activities described above. ''
''The assessment methods define the nature and the extent of the assessor’s ''
''actions. The methods include ''examine'', ''interview'', and ''test''. <br />
''•
  ''The  ''examine''  method is the process of reviewing, inspecting, observing, ''
''studying, or analyzing assessment objects (i.e., specifications, mechanisms, ''
''activities). The purpose of the ''examine'' method is to facilitate understanding, ''
''achieve clarification, or obtain evidence. ''
  ''The ''interview'' method is the process of holding discussions with individuals ''
''or groups of individuals to facilitate understanding, achieve clarification, or ''
''obtain evidence. ''
  ''And finally, the ''test'' method is the process of exercising assessment objects ''
''(i.e., activities, mechanisms) under specified conditions to compare actual ''
''with expected behavior. ''
7
NIST SP 800-171A, ''Assessing Security Requirements for Controlled Unclassified Information'', June 2018, pp. 4-
5 .
''' '''
Assessment Criteria and Methodology
CMMC Assessment Guide – Level 2 | Version 2.13
8
''In all three assessment methods, the results are used in making specific ''
''determinations called for in the determination statements and thereby achieving ''
''the objectives for the assessment procedure. ''
Criteria
Assessment objectives are provided for each requirement and are based on existing criteria
from NIST SP 800-171A. The criteria are authoritative and provide a basis for the assessment
of a requirement.
Methodology
To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist
demonstrating that the OSA has fulfilled the objectives of the Level 2 requirements. Because
different assessment objectives can be met in different ways (e.g., through documentation,
computer configuration, network configuration, or training), a variety of techniques may be
used to determine if the OSA meets the Level 2 requirements, including any of the three
assessment methods from NIST SP 800-171A. <br />
The  assessor  will follow the guidance in NIST SP  800-171A when determining which
assessment methods to use:
''Organizations [Certified Assessors] are not expected to employ ''all'' assessment methods ''
''and objects contained within the assessment procedures identified in this publication. ''
''Rather, organizations [Certified Assessors] have the flexibility to determine the level of ''
''effort needed and the assurance required for an assessment (e.g., which assessment ''
''methods and assessment objects are deemed to be the most useful in obtaining the ''
''desired results). This determination is made based on how the organization ''
''[contractor] can accomplish the assessment objectives in the most cost-effective ''
''manner and with sufficient confidence to support the determination that the CUI ''
''requirements have been satisfied.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|8 ]]''
The primary deliverable of an assessment is a compliance score and accompanying report
that contains the findings associated with each requirement. For more detailed information
on assessment methods, see Appendix D of NIST SP 800-171A, incorporated by reference
per 32 CFR § 170.2.
8
NIST SP 800-171A, p. 5.
''' '''
Assessment Criteria and Methodology
CMMC Assessment Guide – Level 2 | Version 2.13
9
Who Is Interviewed
Interviews of applicable staff (possibly at different organizational levels)  may provide
information to help an assessor determine if security requirements have been implemented,
as well as if adequate resourcing, training, and planning have occurred for individuals to
perform the requirements.
What Is Examined
Examination includes reviewing, inspecting, observing, studying, or analyzing assessment
objects. The objects can be documents, mechanisms, or activities. <br />
For some security  requirements, review of  documentation  may assist assessors  in
determining if the assessment objectives have been met. Interviews with staff may help
identify relevant documents. Documents need to be in their final forms; drafts of policies or
documentation are not eligible to be used as evidence because they are not yet official and
still subject to change. Common types of documents that may be used as evidence include: <br />
  policy, process, and procedure documents;
  training materials;
  plans and planning documents; and
  system, network, and data flow diagrams.
This list of documents is not exhaustive or prescriptive. An OSA may not have these specific
documents, and other documents may be reviewed. <br />
In other cases, the security requirement is best self-assessed by observing that safeguards
are in place by viewing hardware, associated configuration information, or observing staff
following a process.
What Is Tested
Testing is an important part of the self-assessment process. Interviews provide information
about  what the OSA  staff believe to be true, documentation provides evidence of
implementing policies and procedures, and testing demonstrates what has or has not been
done. For example, OSA staff may talk about how users are identified, documentation may
provide details on how users are identified, but seeing a demonstration of identifying users
provides evidence that the requirement  is met.  The assessor  will determine which
requirements or objectives within a requirement need demonstration or testing. Most
objectives will require testing.
Assessment Findings
The assessment of a CMMC requirement results in one of three possible findings: MET, NOT
MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve a Final Level 2 (Self) or
''' '''
Assessment Criteria and Methodology
CMMC Assessment Guide – Level 2 | Version 2.13
10
Final Level 2 (C3PAO) CMMC Status, the OSA will need a finding of MET or NOT APPLICABLE
on all Level 2 security requirements. <br />
  '''MET''':  All applicable assessment  objectives for the security requirement are satisfied
based on evidence. All evidence must be in final form and not draft. Unacceptable forms
of evidence include working papers, drafts, and unofficial or unapproved policies. For
each security requirement marked MET, it is best practice to record statements that
indicate the response conforms to all objectives and document the appropriate evidence
to support the response.''' '''
o  Enduring Exceptions when described, along with any mitigations, in the system
security plan shall be assessed as MET.''' '''
o  Temporary deficiencies that are appropriately addressed in operational plans of
action (i.e., include deficiency reviews, milestones, and show progress towards
the implementation of corrections to reduce or eliminate identified
vulnerabilities) shall be assessed as MET.''' '''
  '''NOT MET''': One or more objectives for the security requirement is not satisfied. For each
security requirement  marked NOT MET, it is best practice to record statements that
explain why and document the appropriate evidence showing that the OSA does not
conform fully to all of the objectives. During Level 2 certification assessments, for each
requirement objective marked NOT MET, the assessor will document why the evidence
does not conform.
  '''NOT APPLICABLE (N/A)''': A security requirement and/or objective does not apply at the
time of the assessment. For each security requirement marked N/A, it is best practice to
record a statement that explains why the requirement does not apply to the OSA. For
example, Public-Access System Separation (SC.L2-3.13.5) might be N/A if there are no
publicly accessible systems within the CMMC Assessment Scope. During an assessment,
an assessment objective assessed as N/A is equivalent to the same assessment objective
being assessed as MET. <br />
If an OSC previously received a favorable adjudication from the DoD CIO indicating that
a requirement is not applicable or that an alternative security measure is equally
effective, the DoD CIO adjudication must be included in the system security plan to
receive consideration during an assessment. Implemented security measures
adjudicated by the DoD CIO as equally effective are assessed as MET if there have been
no changes in the environment. <br />
Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT
APPLICABLE in order for the overall security requirement to be scored as MET. Assessors
exercise judgment in determining when sufficient and adequate evidence has been
presented to make an assessment finding. <br />
CMMC assessments are conducted and results are captured at the assessment objective
level. One NOT MET assessment  objective  results in a failure of the entire security
requirement.
''' '''
Assessment Criteria and Methodology
CMMC Assessment Guide – Level 2 | Version 2.13
11
A security requirement can be applicable even when assessment objectives included in
the security requirement are scored as N/A. The security requirement is NOT MET when
one or more applicable assessment objectives is NOT MET. <br />
Satisfaction of security requirements may be accomplished by other parts of the
enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security
requirement is considered MET if adequate evidence is provided that the enterprise or
External Service Provider (ESP), implements the requirement objectives. An ESP may be
external people, technology, or facilities that the OSA uses, including cloud service
providers, managed service providers, managed security service providers, or
cybersecurity-as-a-service providers.
''' '''
Requirement Descriptions
CMMC Assessment Guide – Level 2 | Version 2.13
12
Requirement Descriptions <br />
Introduction <br />
This section provides detailed information and guidance for assessing each Level 2 security
requirement. The section is organized first  by domain and then by individual security
requirement. Each requirement description contains the following elements as described in
32 CFR § 170.14(c): <br />
  '''Requirement Number, Name, and Statement: '''Headed by the requirement identification
number in the format, DD.L#-REQ (e.g., AC.L2-3.1.1); followed by the requirement short
name identifier, meant to be used for quick reference only; and finally followed by the
complete CMMC security requirement statement.
  '''Assessment Objectives [NIST SP 800-171A]: '''Identifies the specific set of objectives that
must be met to receive MET for the requirement as defined in NIST SP 800-171A.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|9]]
  '''Potential Assessment Methods and Objects [NIST SP 800-171A]: '''Describes the nature
and the extent of the assessment actions as set forth in NIST SP 800-171A. The methods
include ''examine'', ''interview'', and ''test''. Assessment objects identify the items being assessed
and can include specifications, mechanisms, activities, and individuals.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|10 ]]
  '''Discussion [NIST SP 800-171 Rev. 2]: '''Contains discussion from the associated NIST SP
800-171 security requirement.
  '''Further Discussion: '''
o  Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional
guidance.
o  Contains examples illustrating application of the requirements. These examples are
intended to provide insight but are not prescriptive of how the requirement must
be implemented, nor are they comprehensive of all assessment objectives
necessary to achieve the requirement. The assessment objectives met within the
example are referenced by letter in a bracket (e.g., [a, d] for objectives “a” and “d”)
within the text.
o  Examples are written from the perspective of an organization or an employee of an
organization implementing solutions or researching approaches to satisfy CMMC
requirements. The objective is to put the reader into the role of implementing or
maintaining  alternatives to satisfy security requirements.  Examples are not all-
inclusive or prescriptive  and do not imply any personal responsibility for
complying with CMMC requirements.
o  Provides potential assessment considerations. These may include common
considerations for assessing the requirement and potential questions that may be
asked when assessing the objectives.
9
NIST SP 800-171A, p. 4.
10
NIST SP 800-171A, pp. 4-5.
''' '''
Requirement Descriptions
CMMC Assessment Guide – Level 2 | Version 2.13
13
  '''Key References: '''Lists the basic safeguarding requirement from NIST SP 800-171 Rev. 2.
''' '''
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
14
Access Control (AC) <br />
'''AC.L2-3.1.1 – AUTHORIZED ACCESS CONTROL [CUI DATA] '''
Limit system access to authorized users, processes acting on behalf of authorized users, and
devices (including other systems).
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|11 ]]'''
Determine if: <br />
[a] authorized users are identified; <br />
[b] processes acting on behalf of authorized users are identified; <br />
[c]  devices (and other systems) authorized to connect to the system are identified; <br />
[d] system access is limited to authorized users; <br />
[e] system access is limited to processes acting on behalf of authorized users; and <br />
[f]  system access is limited to authorized devices (including other systems).
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|] 11 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing account management; system
security plan; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; notifications or records of recently transferred, separated, or terminated
employees; list of conditions for group and role membership; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring
records; system audit logs and records; list of devices and systems authorized to connect to
organizational systems; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for managing system accounts; mechanisms for
implementing account management].
11
NIST SP 800-171A, p. 9.
''' '''
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
15
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#23|12]] <br />
'''Access control policies (e.g., identity-  or role-based policies, control matrices, and
cryptography) control access between active entities or subjects (i.e., users or processes
acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and
domains) in systems. Access enforcement mechanisms can be employed at the application
and service level to provide increased information security. Other systems include systems
internal and external to the organization. This requirement focuses on account management
for systems and applications. The definition of and enforcement of access authorizations,
other than those determined by account type (e.g., privileged verses ''[sic]'' non-privileged) are
addressed in requirement 3.1.2 (AC.L2-3.1.2).
'''FURTHER DISCUSSION <br />
'''Identify users, processes, and devices that are allowed to use company computers and can
log on to the company network. Automated updates and other automatic processes should
be associated with the user who initiated (authorized) the process. Limit the devices (e.g.,
printers)  that can be accessed by company computers.  Set up your system so that only
authorized users, processes, and devices can access the company network. <br />
This  requirement, AC.L2-3.1.1, controls system access based on user, process, or device
identity. AC.L2-3.1.1 leverages IA.L2-3.5.1 which provides a vetted and trusted identity for
access control.
'''Example 1 <br />
'''Your company maintains a list of all personnel authorized to use company information
systems, including those that store, process, and transmit CUI [a]. This list is used to support
identification and authentication activities conducted by IT when authorizing access to
systems [a,d].
'''Example 2 <br />
'''A coworker wants to buy a new multi-function printer/scanner/fax device and make it
available on the company network within the CUI enclave. You explain that the company
controls system and device access to the network and will prevent network access by
unauthorized systems and devices [c]. You help the coworker submit a ticket that asks for
the printer to be granted access to the network, and appropriate leadership approves the
device [f].
'''Potential Assessment Considerations <br />
'''•
  Is a list of authorized users maintained that defines their identities and roles [a]?
  Are account requests authorized before system access is granted [d,e,f]?
12
NIST SP 800-171 Rev. 2, p. 10.
''' '''
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
16
'''KEY REFERENCES <br />
'''•
  NIST SP 800-171 Rev. 2 3.1.1
  FAR Clause 52.204-21 b.1.i
''' '''
AC.L2-3.1.2 – Transaction &amp; Function Control
CMMC Assessment Guide – Level 2 | Version 2.13
17
'''AC.L2-3.1.2 – TRANSACTION &amp; FUNCTION CONTROL '''
Limit system access to the types of transactions and functions that authorized users are
permitted to execute.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|13 ]]'''
Determine if: <br />
[a] the types of transactions and functions that authorized users are permitted to execute
are defined; and
[b] system access is limited to the defined types of transactions and functions for
authorized users.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|]13  ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing access enforcement; system
security plan; system design documentation; list of approved authorizations including
remote access authorizations; system audit logs and records; system configuration settings
and associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with access enforcement responsibilities; system or network
administrators; personnel with information security responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing access control policy].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#25|14]] '''
Organizations may choose to define access privileges or other attributes by account, by type
of account, or a combination of both. System account types include individual, shared, group,
system,  anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.
Other attributes required for authorizing access include restrictions on time-of-day, day-of-
week, and point-of-origin.  In defining other account attributes, organizations consider
system-related requirements (e.g., system upgrades scheduled maintenance,) and mission
or business requirements, (e.g., time zone differences, customer requirements, remote
access to support travel requirements).
13
NIST SP 800-171A, p. 9.
14
NIST SP 800-171 Rev. 2, pp. 10-11.
''' '''
AC.L2-3.1.2 – Transaction &amp; Function Control
CMMC Assessment Guide – Level 2 | Version 2.13
18
'''FURTHER DISCUSSION '''
Limit users to only the information systems, roles, or applications they are permitted to use
and are needed for their roles and responsibilities. Limit access to applications and data
based on the authorized users’ roles and responsibilities. Common types of functions a user
can be assigned are create, read, update, and delete.
'''Example <br />
'''Your team manages DoD contracts for your company. Members of your team need to access
the contract information to perform their work properly. Because some of that data contains
CUI, you work with IT to set up your group’s systems so that users can be assigned access
based on their specific roles [a]. Each role limits whether an employee has read-access or
create/read/delete/update -access [b]. Implementing this access control restricts access to
CUI information unless specifically authorized.
'''Potential Assessment Considerations <br />
'''•
  Are access control lists used to limit access to applications and data based on role and/or
identity [a]?
  Is access for authorized users restricted to those parts of the system they are explicitly
permitted to use (e.g., a person who only performs word-processing  cannot access
developer tools) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.2
  FAR Clause 52.204-21 b.1.ii
<br />
<br />
''' '''
AC.L2-3.1.3 – Control CUI Flow
CMMC Assessment Guide – Level 2 | Version 2.13
19
'''AC.L2-3.1.3 – CONTROL CUI FLOW '''
Control the flow of CUI in accordance with approved authorizations.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|15 ]]'''
Determine if: <br />
[a] information flow control policies are defined; <br />
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined; <br />
[c]  designated sources and destinations (e.g., networks, individuals, and devices) for CUI
within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and <br />
[e] approved authorizations for controlling the flow of CUI are enforced.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|A]15 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; information flow control policies; procedures
addressing information flow enforcement; system security plan; system design
documentation; system configuration settings and associated documentation; list of
information flow authorizations; system baseline configuration; system audit logs and
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing information flow enforcement policy].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#27|16]] '''
Information flow control regulates where information can travel within a system and
between systems (versus who can access the information) and without explicit regard to
subsequent accesses to that information. Flow control restrictions include the following:
keeping export-controlled information from being transmitted in the clear to the internet;
blocking outside traffic that claims to be from within the organization; restricting requests
to the internet that are not from the internal web proxy server; and limiting information
transfers between organizations based on data structures and content.
15
NIST SP 800-171A, p. 10.
16
NIST SP 800-171 Rev. 2, p. 11.
''' '''
AC.L2-3.1.3 – Control CUI Flow
CMMC Assessment Guide – Level 2 | Version 2.13
20
Organizations commonly use information flow control policies and enforcement
mechanisms to control the flow of information between designated sources and destinations
(e.g., networks, individuals, and devices) within systems and between interconnected
systems. Flow control is based on characteristics of the information or the information path.
Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards,
encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that
restrict system services, provide a packet-filtering capability based on header information,
or message-filtering capability based on message content (e.g., implementing key word
searches or using document characteristics). Organizations also consider the
trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement. <br />
Transferring information between systems representing different security domains with
different security policies introduces risk that such transfers violate one or more domain
security policies. <br />
Organizations consider the shared nature of commercial telecommunications services in the
implementation of security requirements associated with the use of such services.
Commercial telecommunications services are commonly based on network components and
consolidated management systems shared by all attached commercial customers and may
also include third party-provided access lines and other service elements. Such transmission
services may represent sources of increased risk despite contract security provisions. NIST
SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
guidance on security for virtualization technologies. <br />
In such situations, information owners or stewards provide guidance at designated policy
enforcement points between interconnected systems. Organizations consider mandating
specific architectural solutions when required to enforce specific security policies.
Enforcement includes: prohibiting information transfers between interconnected systems
(i.e., allowing access only); employing hardware mechanisms to enforce one-way
information flows; and implementing trustworthy regrading mechanisms to reassign
security attributes and security labels.
'''FURTHER DISCUSSION '''
Typically, companies will have a firewall between the internal network and the internet.
Often multiple firewalls or routing switches are used inside a network to create zones to
separate sensitive data, business units, or user groups. Proxy servers can be used to break
the connection between multiple networks. All traffic entering or leaving a network is
intercepted by the proxy, preventing direct access between networks. Companies should
also ensure by policy and enforcement mechanisms that all CUI allowed to flow across the
internet is encrypted.
'''Example 1 <br />
'''You  configure a proxy device on your company’s network. CUI is stored within this
environment. Your goal is to better mask and protect the devices inside the network while
enforcing information flow policies. After the device is configured, information does not flow
''' '''
AC.L2-3.1.3 – Control CUI Flow
CMMC Assessment Guide – Level 2 | Version 2.13
21
directly from the internal network to the internet. The proxy device intercepts the traffic and
analyzes it to determine if the  traffic conforms to organization information flow control
policies. If it does, the device allows the information to pass to its destination [b]. The proxy
blocks traffic that does not meet policy requirements [e].
'''Example 2''' <br />
As a subcontractor on a DoD contract, your organization sometimes needs to transmit CUI to
the prime contractor. You create a policy document that specifies who is allowed to transmit
CUI and that such transmission requires manager approval [a,c,d]. The policy instructs users
to encrypt any CUI transmitted via email or to use a designated secure file sharing utility
[b,d]. The policy states that users who do not follow appropriate procedures may be subject
to disciplinary action [e].
'''Potential Assessment Considerations <br />
'''•
  Are designated sources of regulated data identified within the system (e.g., internal
network and IP address) and between interconnected systems (e.g., external networks,
IP addresses, ports, and protocols) [c]?
  Are designated destinations of regulated data identified within the system (e.g., internal
network and IP address) and between interconnected systems (external networks and
IP addresses) [c]?
  Are authorizations defined for each source and destination within the system and
between interconnected systems (e.g., allow or deny rules for each combination of source
and destination) [d]?
  Are approved authorizations for controlling the flow of regulated data enforced within
the system and between interconnected systems (e.g., traffic between authorized sources
and destinations is allowed and traffic between unauthorized sources and destinations
is denied) [e]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.3
<br />
''' '''
AC.L2-3.1.4 – Separation of Duties
CMMC Assessment Guide – Level 2 | Version 2.13
22
'''AC.L2-3.1.4 – SEPARATION OF DUTIES '''
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|17 ]]'''
Determine if: <br />
[a] the duties of individuals requiring separation are defined; <br />
[b] responsibilities for duties that require separation are assigned to separate individuals;
and
[c]  access privileges that enable individuals to exercise the duties that require separation
are granted to separate individuals.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|A]17 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing divisions of responsibility and
separation of duties; system security plan; system configuration settings and associated
documentation; list of divisions of responsibility and separation of duties; system access
authorizations; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for defining divisions of responsibility and
separation of duties; personnel with information security responsibilities; system or
network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing separation of duties policy].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#30|18]] '''
Separation of duties addresses the potential for abuse of authorized privileges and helps to
reduce the risk of malevolent activity without collusion.  Separation of duties includes
dividing mission functions and system support functions among different individuals or
roles; conducting system support functions with different individuals (e.g., configuration
management, quality assurance and testing, system management, programming, and
network security); and ensuring that security personnel administering access  control
functions do not also administer audit functions. Because separation of duty violations can
span systems and application domains, organizations consider the entirety of organizational
systems and system components when developing policy on separation of duties.
17
NIST SP 800-171A, p. 10.
18
NIST SP 800-171 Rev. 2, p. 11.
''' '''
AC.L2-3.1.4 – Separation of Duties
CMMC Assessment Guide – Level 2 | Version 2.13
23
'''FURTHER DISCUSSION '''
No one person should be in charge of an entire critical task from beginning to end.
Documenting and dividing elements of  important duties and tasks between employees
reduces intentional or unintentional execution of malicious activities.
'''Example 1 <br />
'''You are responsible for the management of several key systems within your organization
including some that process CUI. You assign the task of reviewing the system logs to two
different people. This way, no one person is solely responsible for the execution of this
critical security function [c]. <br />
'''Example 2 <br />
'''You are a system administrator. Human Resources notifies you of a new hire, and you create
an account with general privileges, but you are not allowed to grant access to systems that
contain CUI [a,b]. The program manager contacts the team in your organization that has
system administration authority over the CUI systems and informs them which CUI the new
hire will need to access.  Subsequently,  a  second system administrator grants access
privileges to the new hire [c].
'''Potential Assessment Considerations <br />
'''•
  Does system documentation identify the system functions or processes that require
separation of duties (e.g., function combinations that represent a conflict of interest or
an over-allocation of security privilege for one individual) [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.4
''' '''
AC.L2-3.1.5 – Least Privilege
CMMC Assessment Guide – Level 2 | Version 2.13
24
'''AC.L2-3.1.5 – LEAST PRIVILEGE '''
Employ the principle of least privilege, including for specific security functions and
privileged accounts.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#32|19 ]]'''
Determine if: <br />
[a] privileged accounts are identified; <br />
[b] access to privileged accounts is authorized in accordance with the principle of least
privilege;
[c]  security functions are identified; and <br />
[d] access to security functions is authorized in accordance with the principle of least
privilege.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#32|A]19 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing account management; system
security plan; system design documentation; system configuration settings and associated
documentation; list of active system accounts and the name of the individual associated with
each account; list of conditions for group and role membership; notifications or records of
recently transferred, separated, or terminated employees; list of recently disabled system
accounts along with the name of the individual associated with each account; access
authorization records; account management compliance reviews; system monitoring/audit
records; procedures addressing least privilege; list of security functions (deployed in
hardware, software, and firmware) and security-relevant information for which access is to
be explicitly authorized; list of system-generated privileged accounts; list of system
administration personnel; other relevant documents or records].''' '''
'''Interview <br />
'''[SELECT FROM: Personnel with account management responsibilities; system or network
administrators; personnel with information security responsibilities; personnel with
responsibilities for defining least privileges necessary to accomplish specified tasks].
'''Test <br />
'''[SELECT FROM: Organizational processes for managing system accounts; mechanisms for
implementing account management; mechanisms implementing least privilege functions;
mechanisms prohibiting privileged access to the system].
19
NIST SP 800-171A, p. 11.
''' '''
AC.L2-3.1.5 – Least Privilege
CMMC Assessment Guide – Level 2 | Version 2.13
25
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#33|20]] <br />
'''Organizations employ the principle of least privilege for specific duties and authorized
accesses for users and processes. The principle of least privilege is applied with the goal of
authorized privileges no higher than necessary to accomplish required organizational
missions or business functions. Organizations consider the creation of additional processes,
roles, and system accounts as necessary, to achieve least privilege. Organizations also apply
least privilege to the development, implementation, and operation of organizational systems.
Security functions include establishing system accounts, setting events to be logged, setting
intrusion detection parameters, and configuring access authorizations (i.e., permissions,
privileges). <br />
Privileged accounts, including super user accounts, are typically described as system
administrator for various types of commercial off-the-shelf operating systems. Restricting
privileged accounts to specific personnel or roles prevents day-to-day users from having
access to privileged information or functions. Organizations may differentiate in the
application of this requirement between allowed privileges for local accounts and for domain
accounts provided organizations retain the ability to control system configurations for key
security parameters and as otherwise necessary to sufficiently mitigate risk. <br />
'''FURTHER DISCUSSION <br />
'''The principle of least privilege applies to all users and processes on all systems, but it is
critical to systems containing or accessing CUI. Least privilege: <br />
  restricts user access to only the machines and information needed to fulfill job
responsibilities; and
  limits what system configuration settings users can change, only allowing individuals
with a business need to change them.
'''Example <br />
'''You create accounts for an organization that processes CUI. By default, everyone is assigned
a basic user role, which prevents a user from modifying system configurations. Privileged
access is only assigned to users and processes that require it to carry out job functions, such
as IT staff, and is very selectively granted [b,d].
'''Potential Assessment Considerations <br />
'''•
  Are privileged accounts documented and is when they may be used defined [a]?
  Are users assigned privileged accounts to perform their job functions only when it is
necessary [b]?
  Are necessary security functions identified (e.g., access control configuration, system
configuration settings, or privileged account lists) that must be managed through the use
of privileged accounts [c]?
20
NIST SP 800-171 Rev. 2, p. 12.
''' '''
AC.L2-3.1.5 – Least Privilege
CMMC Assessment Guide – Level 2 | Version 2.13
26
  Is access to privileged functions and security information restricted to authorized
employees [d]?
'''KEY REFERENCES <br />
'''•
  NIST SP 800-171 Rev. 2 3.1.5
''' '''
AC.L2-3.1.6 – Non-Privileged Account Use
CMMC Assessment Guide – Level 2 | Version 2.13
27
'''AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE '''
Use non-privileged accounts or roles when accessing nonsecurity functions.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|21 ]]'''
Determine if: <br />
[a] nonsecurity functions are identified; and <br />
[b] users are required to use non-privileged accounts or roles when accessing nonsecurity
functions.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|A]21 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing least privilege; system
security plan; list of system-generated security functions assigned to system accounts or
roles; system configuration settings and associated documentation; system audit logs and
records; other relevant documents or records].''' '''
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for defining least privileges necessary to
accomplish specified organizational tasks; personnel with information security
responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing least privilege functions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#35|22]] '''
This requirement limits exposure when operating from within privileged accounts or roles.
The inclusion of roles addresses situations where organizations implement access control
policies such as role-based access control and where a change of role provides the same
degree of assurance in the change of access authorizations for the user and all processes
acting on behalf of the user as would be provided by a change between a privileged and non-
privileged account.
'''FURTHER DISCUSSION '''
A user with a privileged account can perform more tasks and access more information than
a person with a non-privileged account. Tasks (including unauthorized tasks orchestrated
by attackers) performed when using the privileged account can have a greater impact on the
21
NIST SP 800-171A, p. 11.
22
NIST SP 800-171 Rev. 2, p. 12.
''' '''
AC.L2-3.1.6 – Non-Privileged Account Use
CMMC Assessment Guide – Level 2 | Version 2.13
28
system. System administrators and users with privileged accounts must be trained not to use
their privileged accounts for everyday tasks, such as browsing the internet or connecting
unnecessarily to other systems or services.
'''Example <br />
'''You are logged in using your privileged account and you need to look up how to reset a non-
functioning application which processes CUI. You should log on to another computer with
your non-privileged account before you connect to the web and start searching for the reset
information [b]. That way, if your account is compromised during the search, it will be your
regular user account rather than an account with elevated privileges.
'''Potential Assessment Considerations <br />
'''•
  Are nonsecurity functions and non-privileged roles defined [a,b]?
  Is it required that nonsecurity functions only be accessed with the use of non-privileged
accounts? How is this verified [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.6
''' '''
AC.L2-3.1.7 – Privileged Functions
CMMC Assessment Guide – Level 2 | Version 2.13
29
'''AC.L2-3.1.7 – PRIVILEGED FUNCTIONS '''
Prevent non-privileged users from executing privileged functions and capture the execution
of such functions in audit logs.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|23 ]]'''
Determine if: <br />
[a] privileged functions are defined; <br />
[b] non-privileged users are defined; <br />
[c]  non-privileged users are prevented from executing privileged functions; and <br />
[d] the execution of privileged functions is captured in audit logs.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|A]23 ]]'''
'''Examine <br />
'''[SELECT FROM: Privacy and  security policies, procedures addressing system use
notification; documented approval of system use notification messages or banners; system
audit logs and records; system design documentation; user acknowledgements of
notification message or banner; system security plan; system use notification messages;
system configuration settings and associated documentation; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for defining least privileges necessary to
accomplish specified tasks; personnel with information security responsibilities; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing least privilege functions for non-privileged
users; mechanisms auditing the execution of privileged functions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#37|24]] '''
Privileged functions include establishing system accounts, performing system integrity
checks, conducting patching operations, or administering cryptographic key management
activities.  Non-privileged users are individuals that do not possess appropriate
authorizations. Circumventing intrusion detection and prevention mechanisms or malicious
code protection mechanisms are examples of privileged functions that require protection
23
NIST SP 800-171A, p. 12.
24
NIST SP 800-171 Rev. 2, p. 12.
''' '''
AC.L2-3.1.7 – Privileged Functions
CMMC Assessment Guide – Level 2 | Version 2.13
30
from non-privileged users. Note that this requirement represents a condition to be achieved
by the definition of authorized privileges in 3.1.2 (AC.L2-3.1.2). <br />
Misuse of privileged functions, either intentionally or unintentionally by authorized users,
or by unauthorized external entities that have compromised system accounts, is a serious
and ongoing concern and can have significant adverse impacts on organizations. Logging the
use of privileged functions is one way to detect such misuse, and in doing so, help mitigate
the risk from insider threats and the advanced persistent threat.
'''FURTHER DISCUSSION '''
Non-privileged users should receive only those permissions required to perform their basic
job functions. Privileged users are granted additional permissions because their jobs require
them. Privileged functions typically involve the control, monitoring, or administration of the
system and its security measures. When these special privileged functions are performed,
the activity must be captured in an audit log,  which can be used to identify abuse. Non-
privileged employees must not be granted permission to perform any of the functions of a
privileged user. <br />
This  requirement,  AC.L2-3.1.7, manages non-privileged users by logging any attempts to
execute privileged functions. AC.L2-3.1.7 leverages AU.L2-3.3.2, which ensures logging and
traceability of user actions. AC.L2-3.1.7  also extends AC.L2-3.1.2, which defines  a
requirement to limit types of transactions and functions to those that authorized users are
permitted to execute.
'''Example <br />
'''Your organization  handles CUI and has  put security controls in place that prevent non-
privileged users from performing privileged activities [a,b,c]. However, a standard user was
accidentally given elevated system administrator privileges.  The organization has
implemented an endpoint detection and response solution that provides visibility into the
use of privileged activities. The monitoring system logs a security misconfiguration because
the use of administrative privileges was performed by a user who was not known to have
that ability. This allows you to correct the error [d].
'''Potential Assessment Considerations <br />
'''•
  Is it possible to identify who enabled privileges at any particular time [d]?
  Are the privileged system functions documented (e.g., functions that involve the control,
monitoring or administration of the system, including security functions and log
management) [a]?
  Do documented procedures describe the configuration of the system to ensure system
roles do not grant non-privileged users the ability to execute privileged functions [c]?
  Do procedures describe the configuration of system settings to capture the execution of
all privileged functions in audit logs [d]?
''' '''
AC.L2-3.1.7 – Privileged Functions
CMMC Assessment Guide – Level 2 | Version 2.13
31
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.7
''' '''
AC.L2-3.1.8 – Unsuccessful Logon Attempts
CMMC Assessment Guide – Level 2 | Version 2.13
32
'''AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS '''
Limit unsuccessful logon attempts.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|25 ]]'''
Determine if: <br />
[a] the means of limiting unsuccessful logon attempts is defined; and <br />
[b] the defined means of limiting unsuccessful logon attempts is implemented.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|A]25 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts;
system security plan; system design documentation; system configuration settings and
associated documentation; system audit logs and records; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: Personnel with information security responsibilities; system developers;
system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon
attempts].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#40|26]] '''
This  requirement applies regardless of whether the logon occurs via a local or network
connection. Due to the potential for denial of service, automatic lockouts initiated by systems
are, in most cases, temporary and automatically release after a predetermined period
established by the organization (i.e., a delay algorithm). If a delay algorithm is selected,
organizations may employ different algorithms for different system components based on
the capabilities of the respective components. Responses to unsuccessful logon attempts
may be implemented at the operating system and application levels.
'''FURTHER DISCUSSION '''
Consecutive unsuccessful logon attempts may indicate malicious activity. OSAs can mitigate
these attacks by limiting the number of unsuccessful logon attempts, typically by locking the
account. A defined number of consecutive unsuccessful logon attempts is a common
25
NIST SP 800-171A, p. 12.
26
NIST SP 800-171 Rev. 2, pp. 12-13.
''' '''
AC.L2-3.1.8 – Unsuccessful Logon Attempts
CMMC Assessment Guide – Level 2 | Version 2.13
33
configuration setting. OSAs  are expected to set this number at a level that fits their risk
profile with the knowledge that fewer unsuccessful attempts provide higher security. <br />
After an unsuccessful login attempt threshold is exceeded and the system locks an account,
the account may either remain locked until an administrator takes action to unlock it, or it
may be locked for a predefined time after which it unlocks automatically.
'''Example <br />
'''You attempt to log on to your work computer, which stores CUI. You mistype your password
three times in a row, and an error message is generated telling you the account is locked [b].
You call your IT help desk  or system administrator to request assistance.  The system
administrator explains that the account is locked as a result of three unsuccessful logon
attempts [a]. The administrator offers to unlock the account and notes that you can wait 30
minutes for the account to unlock automatically.
'''Potential Assessment Considerations <br />
'''•
  Is there a defined threshold for the number of unsuccessful logon attempts for which the
system takes action to prevent additional attempts [a]?
  Is a mechanism for limiting the number of unsuccessful logon attempts implemented and
does it use the defined threshold [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.8
''' '''
AC.L2-3.1.9 – Privacy &amp; Security Notices
CMMC Assessment Guide – Level 2 | Version 2.13
34
'''AC.L2-3.1.9 – PRIVACY &amp; SECURITY NOTICES '''
Provide privacy and security notices consistent with applicable CUI rules.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|27 ]]'''
Determine if: <br />
[a] privacy and security notices required by CUI-specified rules are identified, consistent,
and associated with the specific CUI category; and
[b] privacy and security notices are displayed.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|A]27 ]]'''
'''Examine <br />
'''[SELECT FROM: Privacy and security policies, procedures addressing system use
notification; documented approval of system use notification messages or banners; system
audit logs and records; system design documentation; user acknowledgements of
notification message or banner; system security plan; system use notification messages;
system configuration settings and associated documentation; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel with responsibility for providing legal advice; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing system use notification].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#42|28]] '''
System use notifications can be implemented using messages or warning banners displayed
before individuals log in to organizational systems. System use notifications are used only
for access via logon interfaces with human users and are not required when such human
interfaces do not exist.  Based on a risk assessment, organizations consider whether a
secondary system use notification is needed to access applications or other system resources
after the initial network logon. Where necessary, posters or other printed materials may be
used in lieu of an automated system banner. Organizations consult with the Office of General
Counsel for legal review and approval of warning banner content.
27
NIST SP 800-171A, pp. 12-13.
28
NIST SP 800-171 Rev. 2, p. 13.
''' '''
AC.L2-3.1.9 – Privacy &amp; Security Notices
CMMC Assessment Guide – Level 2 | Version 2.13
35
'''FURTHER DISCUSSION '''
Every system containing or providing access to CUI has legal requirements concerning user
privacy and security  notices.  One method of addressing this requirement is the use of a
system-use notification banner that displays the legal requirements of using the system.
Users may be required to click to agree to the displayed requirements of using the system
each time they log on to the machine. This agreement can be used in the civil and/or criminal
prosecution of an attacker that violates the terms. <br />
The legal notification should meet all applicable requirements. At a minimum, the notice
should inform the user that: <br />
  information system usage may be monitored or recorded, and is subject to audit;
  unauthorized use of the information systems is prohibited;
  unauthorized use is subject to criminal and civil penalties; 
  use of the information system affirms consent to monitoring and recording;
  the information system contains CUI with specific requirements imposed  by the
Department of Defense; and
  use of the information system may be subject to other specified requirements associated
with certain types of CUI such as Export Controlled information.
'''Example <br />
'''You are setting up IT equipment including a database server that will contain CUI. You have
worked with legal counsel to draft a notification. It contains both general and specific CUI
security and privacy requirements [a]. The system displays the required security and privacy
information before anyone logs on to your organization’s computers that contain or provide
access to CUI [b].
'''Potential Assessment Considerations <br />
'''•
  Are objectives identified for privacy and security notices, and does the implementation
satisfy the required objectives  [a,b]? Discrepancies may indicate a deficient process
and/or an incomplete objective for the overall requirement.
  Are there any special requirements associated with the specific CUI category [a]?
  Are appropriate notices displayed in areas where paper-based CUI is stored and
processed [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.9
''' '''
AC.L2-3.1.10 – Session Lock
CMMC Assessment Guide – Level 2 | Version 2.13
36
'''AC.L2-3.1.10 – SESSION LOCK '''
Use session lock with pattern-hiding displays to prevent access and viewing of data after a
period of inactivity.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|29 ]]'''
Determine if: <br />
[a] the period of inactivity after which the system initiates a session lock is defined; <br />
[b] access to the system and viewing of data is prevented by initiating a session lock after
the defined period of inactivity; and
[c]  previously visible information is concealed via a pattern-hiding display after the
defined period of inactivity.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|A]29 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing session lock; procedures
addressing identification and authentication; system design documentation; system
configuration settings and associated documentation; system security plan; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing access control policy for session lock].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#44|30]] '''
Session locks are temporary actions taken when users stop work and move away from the
immediate vicinity of the system but do not want to log out because of the temporary nature
of their absences. Session locks are implemented where session activities can be determined,
typically at the operating system level (but can also be at the application level). Session locks
are not an acceptable substitute for logging out of the system, for example, if organizations
require users to log out at the end of the workday. <br />
Pattern-hiding displays can include static or dynamic images, for example, patterns used
with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank
29
NIST SP 800-171A, p. 13.
30
NIST SP 800-171 Rev. 2, p. 13.
''' '''
AC.L2-3.1.10 – Session Lock
CMMC Assessment Guide – Level 2 | Version 2.13
37
screen, with the additional caveat that none of the images convey controlled unclassified
information.
'''FURTHER DISCUSSION '''
Session locks can be initiated by the user or, more fundamentally, enabled automatically
when the system has been idle for a period of time, for example, five minutes. Session locks
are a quick way to prevent unauthorized use of the systems without having a user log off.
Minimum configuration requirements are left up to the organization to define. <br />
A locked session shows pattern-hiding information on the screen to mask the data on the
display.
'''Example <br />
'''You  manage systems for an organization that stores, processes, and transmits CUI. You
notice that employees leave their offices without locking their computers. Sometimes their
screens display sensitive company information. You configure all machines to lock after five
minutes of inactivity [a,b]. You also remind your coworkers to lock their systems when they
walk away [a].
'''Potential Assessment Considerations <br />
'''•
  Does the session lock hide previously visible information (e.g., replacing what was visible
with a lock screen or screensaver that does not include sensitive information) [c]?
  If session locks are not managed centrally, how are all computer users made aware of the
requirements and how to configure them [a,b,c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.10
''' '''
AC.L2-3.1.11 – Session Termination
CMMC Assessment Guide – Level 2 | Version 2.13
38
'''AC.L2-3.1.11 – SESSION TERMINATION '''
Terminate (automatically) a user session after a defined condition.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|31 ]]'''
Determine if: <br />
[a] conditions requiring a user session to terminate are defined; and <br />
[b] a user session is automatically terminated after any of the defined conditions occur.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|A]31 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing session termination; system
design documentation; system security plan; system configuration settings and associated
documentation; list of conditions or trigger events requiring session disconnect; system
audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing user session termination].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#46|32]] '''
This requirement addresses the termination of user-initiated logical sessions in contrast to
the termination of network connections that are associated with communications sessions
(i.e., disconnecting from the network).  A logical session (for local, network, and remote
access) is initiated whenever a user (or process acting on behalf of a user) accesses an
organizational system.  Such user sessions can be terminated (and thus terminate user
access) without terminating network sessions. Session termination terminates all processes
associated with a user’s logical session except those processes that are specifically created
by the user (i.e., session owner) to continue after the session is terminated. Conditions or
trigger events requiring automatic session termination can include organization-defined
periods of user inactivity, targeted responses to certain types of incidents, and time-of-day
restrictions on system use.
31
NIST SP 800-171A, pp. 13-14.
32
NIST SP 800-171 Rev. 2, p. 13.
''' '''
AC.L2-3.1.11 – Session Termination
CMMC Assessment Guide – Level 2 | Version 2.13
39
'''FURTHER DISCUSSION '''
Configure the system to terminate user sessions based on the organization’s policy. Session
termination policies can be simple or sophisticated. Examples are inactivity (end the session
after a specified duration (e.g., one hour[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#47|33]]) of inactivity), day/time (all sessions are
terminated at the end of the established workday), misbehavior (end the session due to an
attempted policy violation), and maintenance (terminate sessions to prevent issues with an
upgrade or service outage). If there is no automatic control of user sessions, an attacker can
take advantage of an unattended session.
'''Example 1 <br />
'''You  manage systems containing CUI  for your organization and configure the system to
terminate all user sessions after 1 hour of inactivity [a]. As the session timeout approaches,
the system prompts users with a warning banner asking if they want to continue the session.
When the session timeout does occur, the login page pops up, and the users must log in to
start a new session [b].
'''Example 2 <br />
'''A user is logged into a corporate database containing CUI but is not authorized to view CUI.
The user has submitted a series of queries that unintentionally violate policy, as they attempt
to extract CUI that the user is not authorized to view [a]. The session terminates with a
warning  as a result of a violation of corporate policy [b]. The user  must reestablish the
session before being able to submit additional legitimate queries.
'''Potential Assessment Considerations <br />
'''•
  Are the conditions in which a user session must be terminated described (e.g., after a
period of inactivity or after a defined time limit) [a]?
  Are procedures documented that describe how to configure the system to enable
automatic termination of user sessions after any of the defined conditions occur [b]?''' '''
  Are user sessions terminated based on organization-defined conditions [a,b]?''' '''
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.11
33
Review DoD Cybersecurity FAQ Q53.2 for information on minimum values.
''' '''
AC.L2-3.1.12 – Control Remote Access
CMMC Assessment Guide – Level 2 | Version 2.13
40
'''AC.L2-3.1.12 – CONTROL REMOTE ACCESS '''
Monitor and control remote access sessions.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|34 ]]'''
Determine if: <br />
[a] remote access sessions are permitted; <br />
[b] the types of permitted remote access are identified; <br />
[c]  remote access sessions are controlled; and <br />
[d] remote access sessions are monitored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|A]34 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing remote access
implementation and usage (including restrictions); configuration management plan; system
security plan; system design documentation; system configuration settings and associated
documentation; remote access authorizations; system audit logs and records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for managing remote access connections;
system or network administrators; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Remote access management capability for the system].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#48|35]] '''
Remote access is access to organizational systems by users (or processes acting on behalf of
users) communicating through external networks (e.g., the internet). Remote access
methods include dial-up, broadband, and wireless. Organizations often employ encrypted
virtual private networks (VPNs) to enhance confidentiality over remote connections. The use
of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when
adequately provisioned with appropriate control (e.g., employing encryption techniques for
confidentiality protection), may provide sufficient assurance to the organization that it can
effectively treat such connections as internal networks. VPNs with encrypted tunnels can
affect the capability to adequately monitor network communications traffic for malicious
code.
34
NIST SP 800-171A, p. 14.
35
NIST SP 800-171 Rev. 2, pp. 13-14.
''' '''
AC.L2-3.1.12 – Control Remote Access
CMMC Assessment Guide – Level 2 | Version 2.13
41
Automated monitoring and control of remote access sessions allows organizations to detect
cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing
connection activities of remote users on a variety of system components (e.g., servers,
workstations, notebook computers, smart phones, and tablets). <br />
NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and
virtual private networks.
'''FURTHER DISCUSSION '''
Remote access connections pass through untrusted networks and therefore require proper
security controls such as encryption to ensure data confidentiality. Initialization of all remote
sessions should ensure that only authorized users and devices are connecting. After the
remote session is established, the connection is monitored to track who is accessing the
network remotely and what files are being accessed during the session. <br />
Remote access sessions can encompass more than just remote connections back to a
headquarters network. Access to cloud-based email providers or server infrastructures also
are relevant to this requirement if those environments contain CUI. <br />
This  requirement,  AC.L2-3.1.12,  requires the control of remote access sessions  and
complements five other requirements dealing with remote access (AC.L2-3.1.14,  AC.L2-
3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): <br />
  AC.L2-3.1.14 limits remote access to specific access control points.
  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
sessions.
  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
session.
  IA.L2-3.5.3  requires multifactor authentication for network access to non-privileged
accounts.
  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
maintenance sessions.
'''Example <br />
'''You often need to work from remote locations, such as your home or client sites, and you are
permitted to access your organization’s internal networks (including a network containing
CUI) from those remote locations [a]. A system administrator issues you a company laptop
with VPN software installed, which is required to connect to the networks remotely [b]. After
the laptop connects to the VPN server, you must accept a privacy notice that states that the
company’s security department may monitor the connection. This monitoring is achieved
through the analysis of data from sensors on the network notifying IT if issues arise. The
security department may also review audit logs to see who is connecting remotely, when,
and what information they are accessing [d].  During session establishment, the message
“Verifying Compliance” means software like a Device Health Check (DHC) application is
checking the remote device to ensure it meets the established requirements to connect [c].
''' '''
AC.L2-3.1.12 – Control Remote Access
CMMC Assessment Guide – Level 2 | Version 2.13
42
'''Potential Assessment Considerations <br />
'''•
  Do policies identify when remote access is permitted and what methods must be used
[a,b]?
  Are systems configured to permit only approved remote access sessions (e.g., disallow
remote access sessions by default) [c]?
  Are automated or manual mechanisms employed for monitoring remote connections? If
the monitoring is manual, does it occur at a frequency commensurate with the level of
risk [d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.12
''' '''
AC.L2-3.1.13 – Remote Access Confidentiality
CMMC Assessment Guide – Level 2 | Version 2.13
43
'''AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY '''
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|36 ]]'''
Determine if: <br />
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are
identified; and
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are
implemented.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|A]36 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing remote access to the system;
system security plan; system design documentation; system configuration settings and
associated documentation; cryptographic mechanisms and associated configuration
documentation; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Cryptographic mechanisms protecting remote access sessions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#51|37]] '''
Cryptographic standards include FIPS-validated cryptography and NSA-approved
cryptography.
'''FURTHER DISCUSSION '''
A remote access session involves logging into the organization’s systems such as its internal
network or a cloud service provider from a remote location such as home or an alternate
work site.  Because the use of  cryptography  in this requirement  is to protect the
confidentiality of CUI, the cryptography used must meet the criteria specified in requirement
SC.L2-3.13.11.  Although not explicitly required to meet AC.L2-3.1.13  requirements, this
remote access session must be secured using FIPS-validated cryptography to provide
confidentiality and prevent anyone from deciphering session information exchanges.
36
NIST SP 800-171A, p. 14.
37
NIST SP 800-171 Rev. 2, p. 14.
''' '''
AC.L2-3.1.13 – Remote Access Confidentiality
CMMC Assessment Guide – Level 2 | Version 2.13
44
This  requirement,  AC.L2-3.1.13,  requires the use of cryptographic mechanisms when
enabling remote sessions and complements five other requirements dealing with remote
access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): <br />
  AC.L2-3.1.12 requires the control of remote access sessions.
  AC.L2-3.1.14 limits remote access to specific access control points.
  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
session.
  IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged
accounts.
  Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote
maintenance sessions.
'''Example <br />
'''You are responsible for implementing a remote network access capability for users who
access CUI remotely. In order to provide session confidentiality, you decide to implement a
VPN mechanism and select a product that has completed FIPS 140 validation [a,b].
'''Potential Assessment Considerations <br />
'''•
  Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer
Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption
algorithms)  defined and implemented  [a,b]?  Note that simply using an approved
algorithm is not sufficient – the module (software and/or hardware) used to implement
the algorithm must be separately validated under FIPS 140.
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.13
''' '''
AC.L2-3.1.14 – Remote Access Routing
CMMC Assessment Guide – Level 2 | Version 2.13
45
'''AC.L2-3.1.14 – REMOTE ACCESS ROUTING '''
Route remote access via managed access control points.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|38 ]]'''
Determine if: <br />
[a] managed access control points are identified and implemented; and <br />
[b] remote access is routed through managed network access control points.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|A]38 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing remote access to the system;
system security plan; system design documentation; list of all managed network access
control points; system configuration settings and associated documentation; system audit
logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms routing all remote accesses through managed network access
control points].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#53|39]] '''
Routing remote access through managed access control points enhances explicit,
organizational control over such connections, reducing the susceptibility to unauthorized
access to organizational systems resulting in the unauthorized disclosure of CUI.
'''FURTHER DISCUSSION '''
The OSA can route all remote access through a limited number of remote access control
points to reduce the attack surface and simplify network management. This allows for better
monitoring and control of the remote connections. <br />
This requirement, AC.L2-3.1.14, limits remote access to specific access control points and
complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-
3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
38
NIST SP 800-171A, p. 15.
39
NIST SP 800-171 Rev. 2, p. 14.
''' '''
AC.L2-3.1.14 – Remote Access Routing
CMMC Assessment Guide – Level 2 | Version 2.13
46
  AC.L2-3.1.12 requires the control of remote access sessions.
  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
sessions.
  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
session.
  IA.L2-3.5.3  requires multifactor  authentication for network access to non-privileged
accounts.
  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
maintenance sessions.
'''Example <br />
'''You manage systems for a company that processes CUI at multiple locations, and several
employees at different locations need to connect to the organization’s networks while
working remotely. Because each company location has a direct connection to headquarters,
you decide to route all remote access through the headquarters location [a]. All remote traffic
is routed through a single location to simplify monitoring [b]. 
'''Potential Assessment Considerations <br />
'''•
  How many managed access control points are implemented [a]?
  Is all remote access routed through the managed access control points [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.14
''' '''
AC.L2-3.1.15 – Privileged Remote Access
CMMC Assessment Guide – Level 2 | Version 2.13
47
'''AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS '''
Authorize remote execution of privileged commands and remote access to security-relevant
information.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|40 ]]'''
Determine if: <br />
[a] privileged commands authorized for remote execution are identified; <br />
[b] security-relevant information authorized to be accessed remotely is identified; <br />
[c]  the execution of the identified privileged commands via remote access is authorized;
and
[d] access to the identified security-relevant information via remote access is authorized.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|A]40 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing remote access to the system;
system configuration settings and associated documentation; system security plan; system
audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities].''' '''
'''Test <br />
'''[SELECT FROM: Mechanisms implementing remote access management].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#55|41]] '''
A privileged  command is a human-initiated (interactively or via a process operating on
behalf of the human) command executed on a system involving the control, monitoring, or
administration of the system including security functions and associated security-relevant
information. Security-relevant information is any information within the system that can
potentially impact the operation of security functions or the provision of security services in
a manner that could result in failure to enforce the system security policy or maintain
isolation of code and data.  Privileged commands give individuals the ability to execute
sensitive, security-critical, or security-relevant system functions.  Controlling such access
from remote locations helps to ensure that unauthorized individuals are not able to execute
such commands freely with the potential to do serious or catastrophic damage to
40
NIST SP 800-171A, p. 15.
41
NIST SP 800-171 Rev. 2, p. 14.
''' '''
AC.L2-3.1.15 – Privileged Remote Access
CMMC Assessment Guide – Level 2 | Version 2.13
48
organizational systems. Note that the ability to affect the integrity of the system is considered
security-relevant as that could enable the means to by-pass security functions although not
directly impacting the function itself.
'''FURTHER DISCUSSION '''
Privileged users are not necessarily allowed to perform their job functions from a remote
location. Likewise, not all privileged commands may be executed remotely. Allowing remote
execution of privileged commands or remote access to security-relevant information should
be avoided if possible. If absolutely necessary, the privileged  commands  authorized for
remote execution should be identified and documented. Document which user roles have
permissions to remotely execute privileged commands to make changes and to access
security relevant information. Documentation must be used to establish security
mechanisms that enforce the policy. <br />
This requirement, AC.L2-3.1.15, requires authorization for privileged commands executed
during a remote  session  and complements five other requirements dealing with remote
access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, IA.L2-3.5.3, and MA.L2-3.7.5): <br />
  AC.L2-3.1.12 requires the control of remote access sessions.
  AC.L2-3.1.14 limits remote access to specific access control points.
  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
sessions.
  IA.L2-3.5.3  requires multifactor authentication for network access to non-privileged
accounts.
  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
maintenance sessions.
This  requirement,  AC.L2-3.1.15, also extends AC.L2-3.1.2,  which limits the types of
transactions and functions that authorized users are permitted to execute.
'''Example <br />
'''Your company’s  Access Control Policy permits certain work roles to  remotely perform a
limited set of privileged commands from company-owned computers [a]. You implement
controls to enforce who can remotely execute a privileged command,  which privileged
commands they can execute, and who is allowed access to security relevant information such
as audit log configuration settings [a,c,d].
'''Potential Assessment Considerations <br />
'''•
  Does system documentation identify system administration or security functions that
can be executed remotely [a]?
  Is execution of the identified privileged commands via remote access only authorized for
documented operational needs [c]?
''' '''
AC.L2-3.1.15 – Privileged Remote Access
CMMC Assessment Guide – Level 2 | Version 2.13
49
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.15
''' '''
AC.L2-3.1.16 – Wireless Access Authorization
CMMC Assessment Guide – Level 2 | Version 2.13
50
'''AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION '''
Authorize wireless access prior to allowing such connections.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|42 ]]'''
Determine if: <br />
[a] wireless access points are identified; and <br />
[b] wireless access is authorized prior to allowing such connections.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|A]42 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; configuration management plan; procedures
addressing wireless access implementation and usage (including restrictions); system
security plan; system design documentation; system configuration settings and associated
documentation; wireless access authorizations; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for managing wireless access connections;
personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Wireless access management capability for the system].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#58|43]] '''
Establishing usage restrictions and configuration/connection requirements for wireless
access to the system provides criteria for organizations to support wireless access
authorization decisions. Such restrictions and requirements reduce the susceptibility to
unauthorized access to the system through wireless technologies. Wireless networks use
authentication protocols that provide credential protection and mutual authentication.
'''FURTHER DISCUSSION '''
Guidelines from management form the basis for the requirements that must be met prior to
authorizing a wireless connection. These guidelines may include the following: <br />
  types of devices, such as corporate or privately owned equipment;
  configuration requirements of the devices; and
42
NIST SP 800-171A, pp. 15-16.
43
NIST SP 800-171 Rev. 2, p. 14.
''' '''
AC.L2-3.1.16 – Wireless Access Authorization
CMMC Assessment Guide – Level 2 | Version 2.13
51
  authorization requirements before granting such connections.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they
all establish control for the connection of mobile devices and wireless devices through the
use of authentication, authorization, and encryption mechanisms.
'''Example <br />
'''Your  company  is implementing a wireless network at its  headquarters.  CUI may be
transmitted on this network. You work with management to draft a policy about the use of
the wireless network. The policy states that only company-approved devices that contain
verified security configuration settings are allowed to connect. The  policy also includes
usage restrictions that must be followed for anyone who wants to use the wireless network.
Authorization is required before devices are allowed to connect to the wireless network [b].
'''Potential Assessment Considerations <br />
'''•
  Is an updated list of approved network devices providing wireless access to the system
maintained [a]?
  Are network devices providing wireless access configured to require users or devices be
authorized prior to permitting a wireless connection [b]?
  Is wireless access to the system authorized and managed [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.16
<br />
''' '''
AC.L2-3.1.17 – Wireless Access Protection
CMMC Assessment Guide – Level 2 | Version 2.13
52
'''AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION '''
Protect wireless access using authentication and encryption.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|44 ]]'''
Determine if: <br />
[a] wireless access to the system is protected using authentication; and <br />
[b] wireless access to the system is protected using encryption.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|A]44 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; system design documentation; procedures addressing
wireless implementation and usage (including restrictions); system security plan; system
configuration settings and associated documentation; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing wireless access protections to the system].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#60|45]] '''
Organizations authenticate individuals and devices to help protect wireless access to the
system. Special attention is given to the wide variety of devices that are part of the Internet
of Things with potential wireless access to organizational systems.
'''FURTHER DISCUSSION '''
Use  a  combination of authentication and encryption methods to protect the access to
wireless networks.  Authenticating users to a  wireless access point can be achieved  in
multiple ways. The most common authentication and encryption methods used include: <br />
  WPA2-PSK (WiFi Protected Access-Pre-shared Key) – This method uses a password or
passphrase known by the wireless access point and the client (user device). It is common
in small companies that have little turnover because the key must be changed each time
an employee leaves in order to prevent the terminated employee from connecting to the
44
NIST SP 800-171A, p. 16.
45
NIST SP 800-171 Rev. 2, pp. 14-15.
''' '''
AC.L2-3.1.17 – Wireless Access Protection
CMMC Assessment Guide – Level 2 | Version 2.13
53
network without authorization. WPA2 is typically configured to use Advanced
Encryption Standard (AES) encryption.
  WPA2 Enterprise –  This method may be better for larger companies  and enterprise
networks because authentication is based on the identity of the individual user or device
rather than a shared password or passphrase. It typically requires a Remote
Authentication Dial-in User Service (RADIUS) server for authentication and can provide
higher security than WPA2-PSK.
Open authentication must not be used because it authenticates any user and lacks security
capabilities. <br />
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they
all establish control for the connection of mobile devices and wireless devices through the
use of authentication, authorization, and encryption mechanisms.
'''Example 1 <br />
'''You  manage the wireless network at a small company and are installing a new wireless
solution that may transmit CUI. You start by selecting a product that employs encryption
validated against the FIPS 140 standard. You configure the wireless solution to use WPA2,
requiring users to enter a pre-shared key to connect to the wireless network [a,b].
'''Example 2 <br />
'''You  manage the wireless network at a large company and are installing a new wireless
solution that may transmit CUI. You start by selecting a product that employs encryption that
is validated against the FIPS 140 standard. Because of the size of your workforce, you
configure the wireless system to authenticate users with a RADIUS server. Users must
provide the wireless system with their domain usernames and passwords to be able to
connect, and the RADIUS server verifies those credentials. Users unable to authenticate are
denied access [a,b].
'''Potential Assessment Considerations <br />
'''•
  Is wireless access limited only to authenticated and authorized users (e.g., required to
supply a username and password) [a]?
  If the organization is securing its wireless network with a pre-shared key, is access to
that key restricted to only authorized users [a]?
  Is wireless access encrypted using FIPS-validated cryptography? Note that simply using
an approved algorithm is not sufficient; the module (software and/or hardware) used to
implement the algorithm must be separately validated under FIPS 140 [b].
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.17
''' '''
AC.L2-3.1.18 – Mobile Device Connection
CMMC Assessment Guide – Level 2 | Version 2.13
54
'''AC.L2-3.1.18 – MOBILE DEVICE CONNECTION '''
Control connection of mobile devices.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|46 ]]'''
Determine if: <br />
[a] mobile devices that process, store, or transmit CUI are identified; <br />
[b] mobile device connections are authorized; and <br />
[c]  mobile device connections are monitored and logged.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|A]46 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; authorizations for mobile device connections to
organizational systems; procedures addressing access control for mobile device usage
(including restrictions); system design documentation; configuration management plan;
system security plan; system audit logs and records; system configuration settings and
associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel using mobile devices to access organizational systems; system or
network administrators; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Access control capability authorizing mobile device connections to
organizational systems].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#62|47]] '''
A mobile device is a computing device that has a small form factor such that it can easily be
carried by a single individual; is designed to operate without a physical connection (e.g.,
wirelessly transmit or receive information); possesses local, non-removable or removable
data storage; and includes a self-contained power source. Mobile devices may also include
voice communication capabilities, on-board sensors that allow the device to capture
information, or built-in features for synchronizing local data with remote locations.
Examples of mobile devices include smart phones, e-readers, and tablets. <br />
Due to the large variety of mobile devices with different technical characteristics and
capabilities, organizational restrictions may vary for the different types of devices. Usage
restrictions and implementation guidance for mobile devices include: device identification
46
NIST SP 800-171A, p. 16.
47
NIST SP 800-171 Rev. 2, p. 15.
''' '''
AC.L2-3.1.18 – Mobile Device Connection
CMMC Assessment Guide – Level 2 | Version 2.13
55
and authentication; configuration management; implementation of mandatory protective
software (e.g., malicious code detection, firewall); scanning devices for malicious code;
updating virus protection software; scanning for critical software updates and patches;
conducting primary operating system (and possibly other resident software) integrity
checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide
adequate security for mobile devices goes beyond this requirement.  Many controls for
mobile devices are reflected in other CUI security requirements. NIST SP 800-124 provides
guidance on mobile device security.
'''FURTHER DISCUSSION '''
Establish guidelines and acceptable requirements  for proper configuration, use, and
management of mobile devices. Devices that process, store, or transmit CUI must be
identified with a device-specific identifier. There are many different types of identifiers, and
it is important to select one that can accommodate all devices and be used in a consistent
manner. These identifiers are important for facilitating the required monitoring and logging
function. <br />
In addition to smartphones, consider the security of other portable devices such as e-readers
and tablets. <br />
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they
all establish control for the connection of mobile devices and wireless devices through the
use of authentication, authorization, and encryption mechanisms.
'''Example <br />
'''Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile
phones, and Personal Digital Assistants (PDAs), must be approved and registered with the
IT department before connecting to the network that contains CUI. The IT department uses
a Mobile Device Management solution to monitor mobile devices and enforce policies across
the enterprise [b,c].
'''Potential Assessment Considerations <br />
'''•
  Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained
[a,b]?
  Is the system configured to only permit connections from identified, authorized mobile
devices [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.18
''' '''
AC.L2-3.1.19 – Encrypt CUI on Mobile
CMMC Assessment Guide – Level 2 | Version 2.13
56
'''AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE '''
Encrypt CUI on mobile devices and mobile computing platforms.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|48 ]]'''
Determine if: <br />
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are
identified; and
[b] encryption is employed to protect CUI on identified mobile devices and mobile
computing platforms.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|A]48 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing access control for  mobile
devices; system design documentation; system configuration settings and associated
documentation; encryption mechanisms and associated configuration documentation;
system security plan; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with access control responsibilities for mobile devices; system or
network administrators; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile
devices].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#64|49]] '''
Organizations can employ full-device encryption or container-based encryption to protect
the confidentiality of CUI on mobile devices and computing platforms.  Container-based
encryption provides a more fine-grained approach to the encryption of data and information
including encrypting selected data structures such as files, records, or fields.
'''FURTHER DISCUSSION '''
Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process,
store, or transmit CUI including smartphones, tablets, and e-readers.
48
NIST SP 800-171A, p. 17.
49
NIST SP 800-171 Rev. 2, p. 15.
''' '''
AC.L2-3.1.19 – Encrypt CUI on Mobile
CMMC Assessment Guide – Level 2 | Version 2.13
57
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
This  requirement,  AC.L2-3.1.19,  specifies  that CUI be encrypted on mobile devices and
extends three other CUI protection requirements  (MP.L2-3.8.1,  MP.L2-3.8.2,  and SC.L2-
3.13.16): <br />
  MP.L2-3.8.1 requires that media containing CUI be protected.
  MP.L2-3.8.2 limits access to CUI to authorized users.
  Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.
This  requirement,  AC.L2-3.1.19, also leverages SC.L2-3.13.11,  which specifies that the
algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies
that any cryptographic keys in use must be protected.
'''Example  <br />
'''You are in charge of mobile device security for a company that processes CUI. You configure
all laptops to use the full-disk encryption technology built into the operating system. This
approach is FIPS-validated and encrypts all files, folders, and volumes. <br />
Phones and tablets pose a greater technical challenge with their wide range of manufacturers
and operating systems. You select a proprietary mobile device management (MDM) solution
to enforce FIPS-validated encryption on those devices [a,b].
'''Potential Assessment Considerations <br />
'''•
  Is a list maintained of mobile devices and mobile computing platforms that are permitted
to process, store, or transmit CUI [a]?
  Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?
'''KEY REFERENCE '''
  NIST SP 800-171 Rev. 2 3.1.19
''' '''
AC.L2-3.1.20 – External Connections [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
58
'''AC.L2-3.1.20 – EXTERNAL CONNECTIONS [CUI DATA] '''
Verify and control/limit connections to and use of external systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|50 ]]'''
Determine if: <br />
[a] connections to external systems are identified; <br />
[b] the use of external systems is identified; <br />
[c]  connections to external systems are verified; <br />
[d] the use of external systems is verified; <br />
[e] connections to external systems are controlled/limited; and <br />
[f]  the use of external systems is controlled/limited.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|A]50 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
terms and conditions for external systems; system security plan; list of applications
accessible from external systems; system configuration settings and associated
documentation; system connection or processing agreements; account management
documents; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of
external systems to access organizational systems; system or network administrators;
personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing terms and conditions on use of external
systems].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#66|51]] '''
External systems are systems or components of systems for which organizations typically
have no direct supervision and authority over the application of security requirements and
controls or the determination of the effectiveness of implemented controls on those systems.
External systems include personally owned systems, components, or devices and privately-
owned computing and communications devices resident in commercial or public facilities.
50
NIST SP 800-171A, p. 17.
51
NIST SP 800-171 Rev. 2, pp. 15-16.
''' '''
AC.L2-3.1.20 – External Connections [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
59
This requirement also addresses the use of external systems for the processing, storage, or
transmission of CUI, including accessing cloud services (e.g., infrastructure as a service,
platform as a service, or software as a service) from organizational systems. <br />
Organizations establish terms and conditions for the use of external systems in accordance
with organizational security policies and procedures. Terms and conditions address as a
minimum, the types of applications that can be accessed on organizational systems from
external systems. If terms and conditions with the owners of external systems cannot be
established, organizations may impose restrictions on organizational personnel using those
external systems. <br />
This requirement recognizes that there are circumstances where individuals using external
systems (e.g., contractors, coalition partners) need to access organizational systems. In those
situations, organizations need confidence that the external systems contain the necessary
controls so as not to compromise, damage, or otherwise harm organizational systems.
Verification that the required controls have been effectively implemented can be achieved
by third-party, independent assessments, attestations, or other means, depending on the
assurance or confidence level required by organizations. <br />
Note that while “external” typically refers to outside of the organization’s direct supervision
and authority, that is not always the case. Regarding the protection of CUI across an
organization, the organization may have systems that process CUI and others that do not.
And among the systems that process CUI there are likely access restrictions for CUI that
apply between systems. Therefore, from the perspective of a given system, other systems
within the organization may be considered “external&quot; to that system.
'''FURTHER DISCUSSION '''
Control and manage connections between your company network and outside networks.
Outside networks could include the public internet, one of your own company’s networks
that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that
does not belong to your company. Tools to accomplish include firewalls and connection
allow/deny lists. External systems not controlled by your  company could be running
applications that are prohibited or blocked. Control and limit access to corporate networks
from personally owned devices such as laptops, tablets, and phones. You may choose to limit
how and when your network is connected  to outside systems or only allow  certain
employees to connect to outside systems from network resources.
'''Example <br />
'''Your company has a project that contains CUI. You remind your coworkers of the policy
requirement to use their company laptops, not personal laptops or tablets, when working
remotely on the project [b,f]. You also remind everyone to work from the cloud environment
that is approved for processing and storing CUI rather than the other collaborative tools that
may be used for other projects [b,f].
'''Potential Assessment Considerations <br />
'''•
  Are all connections to external systems outside of the assessment scope identified [a]?
''' '''
AC.L2-3.1.20 – External Connections [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
60
  Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal
devices) that are permitted to connect to or make use of organizational systems
identified [b]?
  Are methods employed to ensure that only authorized connections are being made to
external systems (e.g., requiring log-ins or certificates, access from a specific IP address,
or access via Virtual Private Network (VPN)) [c,e]?
  Are methods employed to confirm that only authorized external systems are connecting
(e.g., if employees are receiving company email on personal cell phones, is the OSA
checking to verify that only known/expected devices are connecting) [d]?
  Is the use of external systems limited, including by policy or physical control [f]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.20
  FAR Clause 52.204-21 b.1.iii
''' '''
''' '''
AC.L2-3.1.21 – Portable Storage Use
CMMC Assessment Guide – Level 2 | Version 2.13
61
'''AC.L2-3.1.21 – PORTABLE STORAGE USE '''
Limit use of portable storage devices on external systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|52 ]]'''
Determine if: <br />
[a] the use of portable storage devices containing CUI on external systems is identified and
documented;
[b] limits on the use of portable storage devices containing CUI on external systems are
defined; and
[c]  the use of portable storage devices containing CUI on external systems is limited as
defined.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|A]52 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing the use of external systems;
system security plan; system configuration settings and associated documentation; system
connection or processing agreements; account management documents; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for restricting or prohibiting use of
organization-controlled storage devices on external systems; system or network
administrators; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing restrictions on use of portable storage devices].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#69|53]] '''
Limits on the use of organization-controlled portable storage devices in external systems
include complete prohibition of the use of such devices or restrictions on how the devices
may be used and under what conditions the devices may be used. Note that while “external”
typically refers to outside of the organization’s direct supervision and authority that is not
always the case. Regarding the protection of CUI across an organization, the organization
may have systems that process CUI and others that do not. Among the systems that process
CUI there are likely access restrictions for CUI that apply between systems. Therefore, from
52
NIST SP 800-171A, p. 18.
53
NIST SP 800-171 Rev. 2, p. 16.
''' '''
AC.L2-3.1.21 – Portable Storage Use
CMMC Assessment Guide – Level 2 | Version 2.13
62
the perspective of a given system, other systems within the organization may be considered
“external&quot; to that system.
'''FURTHER DISCUSSION '''
A portable storage device is a system component that can be inserted or attached and easily
removed from a system. It is used to store data or information. Examples of portable storage
devices include: <br />
  compact/digital video disks (CDs/DVDs);
  Universal Serial Bus (USB) drives;
  external hard disk drives;
  flash memory cards/drives; and
  floppy disks.
This requirement can be implemented in two ways: <br />
  identifying the portable storage device usage restrictions, identifying portable storage
devices that may be used on external systems, identifying associated external systems on
which a portable storage device may be used, and administratively (through the use of a
written policy) limiting the usage of the devices to those systems; or
  configuring devices to work only when connected  to a system to which the portable
storage device can authenticate, limiting the devices’ use on external systems to those
that the OSA has the ability to manage.
'''Example <br />
'''Your organization, which stores and processes CUI,  has a  written  portable  device  usage
restriction policy. It states that users can only use external storage devices such as thumb
dives or external hard disks that belong to the company. When needed for a specific business
function, a user checks the device out from IT and returns it to IT when no longer needed
[a,b].
'''Potential Assessment Considerations <br />
'''•
  Are the portable storage devices authorized for external use identified and documented
[a]?
  Are the circumstances defined in which portable storage devices containing CUI may be
used on external systems (e.g., with management approval) [b]?
  Are limitations stipulated for the use of portable storage devices containing CUI on
external systems (e.g., authorized personnel only, encrypted drives required) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.21
''' '''
AC.L2-3.1.22 – Control Public Information [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
63
'''AC.L2-3.1.22 – CONTROL PUBLIC INFORMATION [CUI DATA] '''
Control CUI posted or processed on publicly accessible systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|54 ]]'''
Determine if: <br />
[a] individuals authorized to post or process information on publicly accessible systems
are identified;
[b] procedures to ensure CUI is not posted or processed on publicly accessible systems are
identified;
[c]  a review process is in place prior to posting of any content to publicly accessible
systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include
CUI; and
[e] mechanisms are in place to remove and address improper posting of CUI.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|A]54 ]]'''
'''Examine <br />
'''[SELECT FROM: Access control policy; procedures addressing publicly accessible content;
system security plan; list of users authorized to post publicly accessible content on
organizational systems; training materials and/or records; records of publicly accessible
information reviews; records of response to nonpublic information on public websites;
system audit logs and records; security awareness training records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for managing publicly accessible
information posted on organizational systems; personnel with information security
responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing management of publicly accessible content].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#71|55]] '''
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the
public is not authorized access to nonpublic information (e.g., information protected under
the Privacy Act, CUI, and proprietary information). This requirement addresses systems that
54
NIST SP 800-171A, p. 18.
55
NIST SP 800-171 Rev. 2, p. 16.
''' '''
AC.L2-3.1.22 – Control Public Information [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
64
are controlled by the organization and accessible to the public, typically without
identification or authentication. Individuals authorized to post CUI onto publicly accessible
systems are designated.  The content of information is reviewed prior to posting onto
publicly accessible systems to ensure that nonpublic information is not included.
'''FURTHER DISCUSSION '''
Only government officials can be authorized to release CUI to the public. Do not allow CUI to
become public – always safeguard the confidentiality of CUI by controlling the posting of CUI
on company-controlled websites or public forums, and the exposure of CUI in public
presentations or on public displays. It is important to know which users  are allowed to
publish information on  publicly accessible systems, like your company website, and
implement a review process before posting such information. If CUI  is discovered on a
publicly accessible system, procedures should be in place to remove that information and
alert the appropriate parties.
'''Example <br />
'''Your company decides to start issuing press releases about its projects in an effort to reach
more potential customers. Your company receives CUI from the government as part of its
DoD contract. Because you recognize the need to manage controlled information, including
CUI, you meet with the employees who write the releases and post information to establish
a review process [c]. It is decided that you will review press releases for CUI before posting
it on the company website [a,d]. Only certain employees will be authorized to post to the
website [a].
'''Potential Assessment Considerations <br />
'''•
  Does information on externally facing systems (i.e., publicly accessible) have a
documented approval chain for public release [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.1.22
  FAR Clause 52.204-21 b.1.iv
''' '''
AT.L2-3.2.1 – Role-Based Risk Awareness
CMMC Assessment Guide – Level 2 | Version 2.13
65
Awareness and Training (AT) <br />
'''AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS '''
Ensure that managers, systems  administrators, and users of organizational systems are
made aware of the security risks associated with their activities and of the applicable
policies, standards, and procedures related to the security of those systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|56 ]]'''
Determine if: <br />
[a] security risks associated with organizational activities involving CUI are identified; <br />
[b] policies, standards, and procedures related to the security of the system are identified; <br />
[c]  managers, systems administrators, and users of the system are made aware of the
security risks associated with their activities; and
[d] managers, systems administrators, and users of the system are made aware of the
applicable policies, standards, and procedures related to the security of the system.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|A]56 ]]'''
'''Examine <br />
'''[SELECT FROM: Security awareness and training policy; procedures addressing security
awareness training implementation; relevant codes of federal regulations; security
awareness training curriculum; security awareness training materials; system security plan;
training records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for security awareness training; personnel
with information security responsibilities; personnel composing the general system user
community; personnel with responsibilities for role-based awareness training].
'''Test <br />
'''[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing
role-based security training].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|57]] <br />
'''Organizations determine the content and frequency of security awareness training and
security awareness techniques based on the specific organizational requirements and the
systems to which personnel have authorized access. The content includes a basic
56
NIST SP 800-171A, p. 19.
57
NIST SP 800-171 Rev. 2, pp. 16-17.
''' '''
AT.L2-3.2.1 – Role-Based Risk Awareness
CMMC Assessment Guide – Level 2 | Version 2.13
66
understanding of the need for information security and user actions to maintain security and
to respond to suspected security incidents. The content also addresses awareness of the
need for operations security. Security awareness techniques include: formal training;
offering supplies inscribed with security reminders; generating email advisories or notices
from organizational officials; displaying logon screen messages; displaying security
awareness posters; and conducting information security awareness events. <br />
NIST SP 800-50 provides guidance on security awareness and training programs.
'''FURTHER DISCUSSION <br />
'''Awareness training focuses user attention on security. Several techniques can be used, such
as: <br />
  synchronous or asynchronous training;
  simulations (e.g., simulated phishing emails);
  security awareness campaigns (posters, reminders, group discussions); and
  communicating regular email advisories and notices to employees.
Awareness training and role-based training are different. This requirement, AT.L2-3.2.1,
covers awareness training, which provides general security training to influence user
behavior. This training can apply broadly or be tailored to a specific role. Role-based training
focuses on the knowledge, skills, and abilities needed to complete a specific job and is
covered by AT.L2-3.2.2.
'''Example <br />
'''Your organization holds a DoD contract which requires the use of CUI. You want to provide
information to employees so they can identify phishing emails. To do this, you prepare a
presentation that highlights basic traits, including: <br />
  suspicious-looking email address or domain name;
  a message that contains an attachment or URL; and
  a message that is poorly written and often contains obvious misspelled words.
You encourage everyone to not click on attachments or links in a suspicious email [c]. You
tell employees to forward such a message immediately to IT security [d]. You download free
security awareness posters to hang in the office [c,d]. You send regular emails and tips to all
employees to ensure your message is not forgotten over time [c,d].
'''Potential Assessment Considerations <br />
'''•
  Do all users, managers, and system administrators receive initial and refresher training
commensurate with their roles and responsibilities [c,d]?
  Do training materials identify the organization-defined security requirements that must
be met by users while interacting with the system as described in written  policies,
standards, and procedures [d]?
''' '''
AT.L2-3.2.1 – Role-Based Risk Awareness
CMMC Assessment Guide – Level 2 | Version 2.13
67
'''KEY REFERENCES <br />
'''•
  NIST SP 800-171 Rev. 2 3.2.1
''' '''
AT.L2-3.2.2 – Role-Based Training
CMMC Assessment Guide – Level 2 | Version 2.13
68
'''AT.L2-3.2.2 – ROLE-BASED TRAINING '''
Ensure that personnel are trained to carry out their assigned information security-related
duties and responsibilities.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|58 ]]'''
Determine if: <br />
[a] information security-related duties, roles, and responsibilities are defined; <br />
[b] information security-related duties, roles, and responsibilities are assigned to
designated personnel; and
[c]  personnel are adequately trained to carry out their assigned information security-
related duties, roles, and responsibilities.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|A]58 ]]'''
'''Examine <br />
'''[SELECT FROM: Security awareness and training policy; procedures addressing security
training implementation; codes of federal regulations; security training curriculum; security
training materials; system security plan; training records; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for role-based security training; personnel
with assigned system security roles and responsibilities; personnel with responsibilities for
security awareness training; personnel with information security responsibilities; personnel
representing the general system user community].
'''Test <br />
'''[SELECT FROM: Mechanisms managing role-based security training; mechanisms managing
security awareness training].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#76|59]] '''
Organizations determine the content and frequency of security training based on the
assigned duties, roles, and responsibilities of individuals and the security requirements of
organizations and the systems to which personnel have authorized access. In addition,
organizations provide system developers, enterprise architects, security architects,
acquisition/procurement officials, software developers, system developers, systems
integrators, system/network administrators, personnel conducting configuration
management and auditing activities, personnel performing independent verification and
58
NIST SP 800-171A, pp. 19-20.
59
NIST SP 800-171 Rev. 2, p. 17.
''' '''
AT.L2-3.2.2 – Role-Based Training
CMMC Assessment Guide – Level 2 | Version 2.13
69
validation, security assessors, and other personnel having access to system-level software,
security-related technical training specifically tailored for their assigned duties. <br />
Comprehensive role-based training addresses management, operational, and technical roles
and responsibilities covering physical, personnel, and technical controls. Such training can
include policies, procedures, tools, and artifacts for the security roles defined. Organizations
also provide the training necessary for individuals to carry out their responsibilities related
to operations and supply chain security within the context of organizational information
security programs. <br />
NIST SP 800-181 provides guidance on role-based information security training in the
workplace. SP 800-161 provides guidance on supply chain risk management.
'''FURTHER DISCUSSION '''
Training imparts skills and knowledge to enable staff to perform a specific job function.
Training should be available to all employees for all organizational roles to accommodate
role changes without being constrained by the training schedule. Awareness training and
role-based training are different. Awareness training provides general security training to
influence user behavior and is covered by AT.L2-3.2.1. This requirement, AT.L2-3.2.2, covers
role-based training that focuses on the knowledge, skills, and abilities needed to complete a
specific job. Role-based training may include awareness topics specific to individual roles
such as ensuring systems administrators understand the risk associated with using an
administrative account.
'''Example <br />
'''Your company upgraded the firewall to a newer, more advanced system to protect the CUI it
stores. You have been identified as an employee who needs training on the new device [a,b,c].
This will enable you to use the firewall effectively and efficiently. Your company considered
training resources when it planned for the upgrade and ensured that training funds were
available as part of the upgrade project [c].
'''Potential Assessment Considerations <br />
'''•
  Are the duties, roles,  and responsibilities that impact, directly or indirectly, the
information security of the company or its systems defined and documented [a]?
  Do information security-related tasks have accountable owners, and is a strictly limited
group of individuals assigned to perform them [b]?
  Are personnel who  are assigned information security-related duties, roles,  and
responsibilities trained on those responsibilities, including the security requirements
unique or inherent to their roles or responsibilities [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.2.2
''' '''
AT.L2-3.2.3 – Insider Threat Awareness
CMMC Assessment Guide – Level 2 | Version 2.13
70
'''AT.L2-3.2.3 – INSIDER THREAT AWARENESS '''
Provide security awareness training on recognizing and reporting potential indicators of
insider threat.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|60 ]]'''
Determine if: <br />
[a] potential indicators associated with insider threats are identified; and <br />
[b] security awareness training on recognizing and reporting potential indicators of insider
threat is provided to managers and employees.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|A]60 ]]'''
'''Examine <br />
'''[SELECT FROM: Security awareness and training policy; procedures addressing security
awareness training implementation; security awareness training curriculum; security
awareness training materials; insider threat policy and procedures; system security plan;
other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel that participate in security awareness training; personnel with
responsibilities for basic security awareness training; personnel with information security
responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms managing insider threat training].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#78|61]] '''
Potential indicators and possible precursors  of insider threat include behaviors such as:
inordinate, long-term job dissatisfaction; attempts to gain access to information that is not
required for job performance; unexplained access to financial resources; bullying or sexual
harassment of fellow employees; workplace violence; and other serious violations of the
policies, procedures, directives, rules, or practices of organizations.  Security awareness
training includes how to communicate employee and management concerns regarding
potential indicators of insider threat through appropriate organizational channels in
accordance with established organizational policies and procedures.  Organizations may
consider tailoring insider threat awareness topics to the role (e.g., training for managers may
be focused on specific changes in behavior of team members, while training for employees
may be focused on more general observations).
60
NIST SP 800-171A, p. 20.
61
NIST SP 800-171 Rev. 2, p. 17.
''' '''
AT.L2-3.2.3 – Insider Threat Awareness
CMMC Assessment Guide – Level 2 | Version 2.13
71
'''FURTHER DISCUSSION '''
An insider threat is the threat that an insider will use their authorized access, wittingly or
unwittingly, to do harm. Insider threat security awareness training focuses on recognizing
employee behaviors and characteristics that might be indicators of an insider threat and the
guidelines and procedures to handle and report it. Training for managers will provide
guidance on observing team members to identify all potential threat indicators, while
training for general employees will provide guidance for focusing on a smaller number of
indicators. Employee behaviors will vary depending on roles, team membership, and
associated information needs.  The person responsible for specifying insider threat
indicators must be cognizant of these factors. Because of this, organizations may choose to
tailor the training for specific roles. This requirement does not require separate training
regarding insider threat. Organizations may choose to integrate these topics into their
standard security awareness training programs.
'''Example <br />
'''You are responsible for training all employees on the awareness of high-risk behaviors that
can indicate a potential insider threat [b]. You educate yourself on the latest research on
insider threat indicators by reviewing a number of law enforcement bulletins [a]. You then
add the following example to the training package: A baseline of normal behavior for work
schedules has been created. One employee’s normal work schedule is 8:00 AM–5:00 PM, but
another employee noticed that the employee has been working until 9:00 PM every day even
though no projects requiring additional hours have been assigned [b].  The observing
employee reports the abnormal work schedule using the established reporting guidelines.
'''Potential Assessment Considerations <br />
'''•
  Do training materials include potential indicators associated with insider threats (e.g.,
repeated security violations, unusual work hours, unexpected significant transfers of
data, suspicious contacts, concerning behaviors outside the workplace) [a,b]?
  Do training materials include methods of reporting potential indicators of insider threats
to management or responsible security personnel [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.2.3
''' '''
AU.L2-3.3.1 – System Auditing
CMMC Assessment Guide – Level 2 | Version 2.13
72
Audit and Accountability (AU) <br />
'''AU.L2-3.3.1 – SYSTEM AUDITING '''
Create and retain system audit logs and records to the extent needed to enable the
monitoring, analysis, investigation, and reporting of unlawful or unauthorized system
activity.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|62 ]]'''
Determine if: <br />
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis,
investigation, and reporting of unlawful or unauthorized system activity are specified;
[b] the content of audit records needed to support monitoring, analysis, investigation, and
reporting of unlawful or unauthorized system activity is defined;
[c]  audit records are created (generated); <br />
[d] audit records, once created, contain the defined content; <br />
[e] retention requirements for audit records are defined; and <br />
[f]  audit records are retained as defined.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|A]62 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; procedures addressing auditable events;
system security plan; system design documentation; system configuration settings  and
associated documentation; procedures addressing control of audit records; procedures
addressing audit record generation; system audit logs and records; system auditable events;
system incident reports; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
information security responsibilities; personnel with audit review, analysis and reporting
responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing system audit logging].
62
NIST SP 800-171A, p. 21.
''' '''
AU.L2-3.3.1 – System Auditing
CMMC Assessment Guide – Level 2 | Version 2.13
73
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#81|63]] '''
An event is any observable occurrence in a system, which includes unlawful or unauthorized
system activity. Organizations identify event types for which a logging functionality is
needed as those events which are significant and relevant to the security of systems and the
environments in which those systems operate to meet specific and ongoing auditing needs.
Event types can include password changes, failed logons or failed  accesses related to
systems, administrative privilege usage, or third-party credential usage. In determining
event types that require logging, organizations consider the monitoring and auditing
appropriate for each of the CUI security requirements. Monitoring and auditing
requirements can be balanced with other system needs. For example, organizations may
determine that systems must have the capability to log every file access both successful and
unsuccessful, but not activate that capability except for specific circumstances due to the
potential burden on system performance. <br />
Audit records can be generated at various levels of abstraction, including at the packet level
as information traverses the network. Selecting the appropriate level of abstraction is a
critical aspect of an audit logging capability and can facilitate the identification of root causes
to problems. Organizations consider in the definition of event types, the logging necessary to
cover related events such as the steps in distributed, transaction-based processes (e.g.,
processes that are distributed across multiple organizations) and actions that occur in
service-oriented or cloud-based architectures. <br />
Audit record content that may be necessary to satisfy this requirement includes time stamps,
source and destination addresses, user or process identifiers, event descriptions, success or
failure indications, filenames involved, and access control or flow control rules invoked.
Event outcomes can include indicators of event success or failure and event-specific results
(e.g., the security state of the system after the event occurred). <br />
Detailed information that organizations may consider in audit records includes full text
recording of privileged commands or the individual identities of group account users.
Organizations consider limiting the additional audit log information to only that information
explicitly needed for specific audit requirements. This facilitates the use of audit trails and
audit logs by not including information that could potentially be misleading or could make it
more difficult to locate information of interest. Audit logs are reviewed and analyzed as often
as needed to provide important information to organizations to facilitate risk-based decision
making. NIST SP 800-92 provides guidance on security log management.
'''FURTHER DISCUSSION '''
OSAs  must ensure that all applicable systems create and retain audit logs that contain
enough information to identify and investigate potentially unlawful or unauthorized system
activity. OSAs must define the audit logs it needs to collect as well as the specific events to
capture within the selected logs. Captured audit records are checked to verify that they
contain the required events.
63
NIST SP 800-171 Rev. 2, pp. 17-18.
''' '''
AU.L2-3.3.1 – System Auditing
CMMC Assessment Guide – Level 2 | Version 2.13
74
In defining the audit log retention period, OSAs must ensure that logs are retained for a
sufficiently long period to allow for the investigation of a security event. The retention period
must take into account the delay of weeks or months that can occur between an initial
compromise and the discovery of attacker activity.
'''Example <br />
'''You set up audit logging capability for your company. You determine that all systems that
contain CUI must have extra detail in the audit logs. Because of this, you configure these
systems to log the following information for all user actions [b,c]: <br />
  time stamps;
  source and destination addresses;
  user or process identifiers;
  event descriptions;
  success or fail indications;''' '''and''' '''
  filenames.''' '''
'''Potential Assessment Considerations <br />
'''•
  Are audit log retention requirements appropriate to the system and its associated level
of risk [e]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.1
''' '''
AU.L2-3.3.2 – User Accountability
CMMC Assessment Guide – Level 2 | Version 2.13
75
'''AU.L2-3.3.2 – USER ACCOUNTABILITY '''
Ensure that the actions of individual system users can be uniquely traced to those users so
they can be held accountable for their actions.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|64 ]]'''
Determine if: <br />
[a] the content of the audit records needed to support the ability to uniquely trace users to
their actions is defined; and
[b] audit records, once created, contain the defined content.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|A]64 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; procedures addressing audit records and
event types; system security plan; system design documentation; system configuration
settings and associated documentation; procedures addressing audit record generation;
procedures addressing audit review, analysis, and reporting; reports of audit findings;
system audit logs and records; system events; system incident reports; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing system audit logging].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#83|65]] '''
This requirement ensures that the contents of the audit record include the information
needed to link the audit event to the actions of an individual to the extent feasible.
Organizations consider logging for traceability including results from monitoring of account
usage, remote access, wireless connectivity, mobile device connection, communications at
system boundaries, configuration settings, physical access, nonlocal maintenance, use of
maintenance tools, temperature and humidity, equipment delivery and removal, system
component inventory, use of mobile code, and use of VoIP.
64
NIST SP 800-171A, pp. 21-22.
65
NIST SP 800-171 Rev. 2, p. 18.
''' '''
AU.L2-3.3.2 – User Accountability
CMMC Assessment Guide – Level 2 | Version 2.13
76
'''FURTHER DISCUSSION '''
Capturing the necessary information in audit logs ensures that you can trace actions to a
specific user. This may include capturing user IDs, source and destination addresses, and
time stamps. Logging from networks, servers, clients, and applications should be considered
in ensuring accountability. <br />
This  requirement,  AU.L2-3.3.2, which ensures logging and traceability of user actions,
supports the control of non-privileged users required by AC.L2-3.1.7 as well as many other
auditing, configuration management, incident response, and situation awareness
requirements.
'''Example <br />
'''You manage systems for a company that stores, processes, and transmits CUI. You want to
ensure that you can trace all remote access sessions to a specific user. You configure the VPN
device to capture the following information for all remote access connections: source and
destination IP address, user ID, machine name, time stamp, and  user actions during the
remote session [b].
'''Potential Assessment Considerations <br />
'''•
  Are users uniquely traced and held responsible for unauthorized actions [a]?
  Does the system protect against an individual denying having performed an action (non-
repudiation) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.2
<br />
''' '''
AU.L2-3.3.3 – Event Review
CMMC Assessment Guide – Level 2 | Version 2.13
77
'''AU.L2-3.3.3 – EVENT REVIEW '''
Review and update logged events.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|66 ]]'''
Determine if: <br />
[a] a process for determining when to review logged events is defined; <br />
[b] event types being logged are reviewed in accordance with the defined review process;
and
[c]  event types being logged are updated based on the review.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|A]66 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; procedures addressing audit records and
event types; system security plan; list of organization-defined event types to be logged;
reviewed and updated records of logged event types; system audit logs and records; system
incident reports; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting review and update of logged event types].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#85|67]] '''
The intent of this requirement is to periodically re-evaluate which logged events will
continue to be included in the list of events to be logged. The event types that are logged by
organizations may change over time. Reviewing and updating the set of logged event types
periodically is necessary to ensure that the current set remains necessary and sufficient.
'''FURTHER DISCUSSION '''
This requirement is focused on the configuration of the auditing system, not the review of
the audit records produced by the selected events. The review of the audit logs is covered
under AU.L2-3.3.5 and AU.L2-3.3.6.
66
NIST SP 800-171A, p. 22.
67
NIST SP 800-171 Rev. 2, pp. 18-19.
''' '''
AU.L2-3.3.3 – Event Review
CMMC Assessment Guide – Level 2 | Version 2.13
78
'''Example <br />
'''You are in charge of IT operations for a company that processes CUI and are responsible for
identifying and documenting which events are relevant to the security of your company’s
systems. Your company has decided that this list of events should be updated annually or
when new security threats or events have been identified, which may require additional
events to be logged and reviewed [a]. The list of events you are capturing in your logs started
as the list of recommended events given by the manufacturers of your operating systems and
devices, but it has grown from experience. <br />
Your company experiences a security incident, and a forensics review shows the logs appear
to have been deleted by a remote user. You notice that remote sessions are not currently
being logged [b]. You update the list of events to include logging all VPN sessions [c].
'''Potential Assessment Considerations <br />
'''•
  Do documented processes include methods for determining when to review logged event
types (i.e., regular frequency, after incidents, after major system changes) [a]?
  Do documented processes include methods for reviewing event types being logged (i.e.,
based on specific threat, use case, retention capacity, current utilization, and/or newly
added system component or functionality) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.3
<br />
''' '''
AU.L2-3.3.4 – Audit Failure Alerting
CMMC Assessment Guide – Level 2 | Version 2.13
79
'''AU.L2-3.3.4 – AUDIT FAILURE ALERTING '''
Alert in the event of an audit logging process failure.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|68 ]]'''
Determine if: <br />
[a] personnel or roles to be alerted in the event of an audit logging process failure are
identified;
[b] types of audit logging process failures for which alert will be generated are defined; and <br />
[c]  identified personnel or roles are alerted in the event of an audit logging process failure.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|A]68 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; procedures addressing response to audit
logging  processing failures; system design documentation; system security plan; system
configuration settings and associated documentation; list of personnel to be notified in case
of an audit logging processing failure; system incident reports; system audit logs and
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
information security responsibilities; system or network administrators; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing system response to audit logging process
failures].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#87|69]] '''
Audit logging process failures include software and hardware errors, failures in the audit
record capturing mechanisms, and audit record storage capacity being reached or exceeded.
This requirement applies to each audit record data storage repository (i.e., distinct system
component where audit records are stored), the total audit record storage capacity of
organizations (i.e., all audit record data storage repositories combined), or both.
68
NIST SP 800-171A, p. 22.
69
NIST SP 800-171 Rev. 2, p. 19.
''' '''
AU.L2-3.3.4 – Audit Failure Alerting
CMMC Assessment Guide – Level 2 | Version 2.13
80
'''FURTHER DISCUSSION '''
Audit logging keeps track of activities occurring on the network, servers, user workstations,
and other components of the overall system.  These logs must always be available and
functional.  The  company’s  designated security personnel (e.g.,  system administrator and
security officer) need to be aware when the audit log process fails or becomes unavailable
[a]. Notifications  (e.g., email, Short Message Service  (SMS))  should  to be sent to the
company’s designated security personnel to immediately take appropriate action. If security
personnel are unaware of the audit logging process failure, then they will be unaware of any
suspicious activity occurring at that time. Response to an audit logging process failure should
account for the extent of the failure (e.g., a single component’s audit logging versus failure of
the centralized logging solution), the risks involved in this loss of audit logging, and other
factors (e.g., the possibility that an adversary could have caused the audit logging process
failure).
'''Example <br />
'''You are in charge of IT operations for a  company  that processes CUI, and your
responsibilities include managing the audit logging process. You configure your systems to
send you an email in the event of an audit log failure. One day, you receive one of these alerts.
You connect to the system, restart logging, and determine why the logging stopped [a,b,c].
'''Potential Assessment Considerations <br />
'''•
  Will the system alert personnel with security responsibilities in the event of an audit
processing failure?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.4
<br />
''' '''
AU.L2-3.3.5 – Audit Correlation
CMMC Assessment Guide – Level 2 | Version 2.13
81
'''AU.L2-3.3.5 – AUDIT CORRELATION '''
Correlate audit record review, analysis, and reporting processes for investigation and
response to indications of unlawful, unauthorized, suspicious, or unusual activity.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|70 ]]'''
Determine if: <br />
[a] audit record review, analysis, and reporting processes for investigation and response to
indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
[b] defined audit record review, analysis, and reporting processes are correlated.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|A]70 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; procedures addressing audit record review,
analysis, and reporting; system security plan; system design documentation; system
configuration settings and associated documentation; procedures addressing investigation
of and response to suspicious activities; system audit logs and records across different
repositories; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit record review, analysis, and reporting responsibilities;
personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting analysis and correlation of audit records;
mechanisms integrating audit review, analysis and reporting].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#89|71]] '''
Correlating audit record review, analysis, and reporting processes helps to ensure that they
do not operate independently, but rather collectively. Regarding the assessment of a given
organizational system, the requirement is agnostic as to whether this correlation is applied
at the system level or at the organization level across all systems.
'''FURTHER DISCUSSION '''
Companies must review, analyze, and report audit records to help detect and respond to
security incidents in a timely manner for the purpose of investigation and corrective actions.
Collection of audit logs into one or more central repositories may facilitate correlated review.
70
NIST SP 800-171A, p. 23.
71
NIST SP 800-171 Rev. 2, p. 19.
''' '''
AU.L2-3.3.5 – Audit Correlation
CMMC Assessment Guide – Level 2 | Version 2.13
82
Small companies may be able to accomplish this manually with well-defined and -managed
procedures. Larger companies will use an automated system for analysis that correlates log
data from across the entire enterprise. Some companies may want to orchestrate the analysis
process  to  include the use of Application Programming Interfaces (APIs)  for collection,
correlation, and the automation of responses based on programed rulesets.
'''Example <br />
'''You are a member of a cyber defense team responsible for audit log analysis. You run an
automated tool that analyzes all the audit logs across a Local Area Network (LAN) segment
simultaneously looking for similar anomalies on separate systems at separate locations.
Some of these systems store CUI. After extracting anomalous information and performing a
correlation analysis [b], you determine that four different systems have had their event log
information cleared between 2:00 AM to 3:00 AM, although the associated dates are
different. The team monitors all systems on the same LAN segment between 2:00 AM to 3:00
AM for the next 30 days.
'''Potential Assessment Considerations <br />
'''•
  Are mechanisms used across different repositories to integrate audit review, analysis,
correlation, and reporting processes [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.5
<br />
''' '''
AU.L2-3.3.6 – Reduction &amp; Reporting
CMMC Assessment Guide – Level 2 | Version 2.13
83
'''AU.L2-3.3.6 – REDUCTION &amp; REPORTING '''
Provide audit record reduction and report generation to support on-demand analysis and
reporting.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|72 ]]'''
Determine if: <br />
[a] an audit record reduction capability that supports on-demand analysis is provided; and <br />
[b] a report generation capability that supports on-demand reporting is provided.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|A]72 ]]'''
'''Examine <br />
'''[SELECT  FROM: Audit and accountability policy; procedures addressing audit record
reduction and report generation; system design documentation; system security plan;
system configuration settings and associated documentation; audit record reduction,
review, analysis, and reporting tools; system audit logs and records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit record reduction and report generation
responsibilities; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Audit record reduction and report generation capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#91|73]] '''
Audit record reduction is a process that manipulates collected audit information and
organizes such information in a summary format that is more meaningful to analysts. Audit
record reduction and report generation capabilities do not always emanate from the same
system or organizational entities conducting auditing activities.  Audit record reduction
capability can include, for example, modern data mining techniques with advanced data
filters to identify anomalous behavior in audit records.  The report generation capability
provided by the system can help generate customizable reports.  Time ordering of audit
records can be a significant issue if the granularity of the time stamp  in the record is
insufficient.
72
NIST SP 800-171A, p. 23.
73
NIST SP 800-171 Rev. 2, p. 19.
''' '''
AU.L2-3.3.6 – Reduction &amp; Reporting
CMMC Assessment Guide – Level 2 | Version 2.13
84
'''FURTHER DISCUSSION '''
Raw audit log data is difficult to review, analyze, and report because of the volume of data.
Audit record reduction is an automated process that interprets raw audit log data and
extracts meaningful and relevant information without altering the original logs. An example
of log reduction for files to be analyzed would be the removal of details associated with
nightly backups. Report generation on reduced log information allows you to create succinct
customized reports without the need to burden the reader with unimportant information. In
addition, the security-relevant audit information must be made available to personnel on
demand for immediate review, analysis, reporting, and event investigation support.
Performing audit log reduction and providing on-demand reports may allow the analyst to
take mitigating action before an adversary completes its malicious actions.
'''Example <br />
'''You are in charge of IT operations in a company that processes CUI. You are responsible for
providing audit record reduction and report generation capability. To support this function,
you deploy an open-source solution that will collect and analyze data for signs of anomalies.
The solution queries your central log repository to extract relevant data and provide you
with a concise and comprehensive view for further analysis to identify potentially malicious
activity [a]. In addition to creating on-demand data sets for analysis, you create customized
reports explaining the contents of the data set [b].
'''Potential Assessment Considerations <br />
'''•
  Does the system support on-demand audit review, analysis, and reporting requirements
and after-the-fact security investigations [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.6
''' '''
AU.L2-3.3.7 – Authoritative Time Source
CMMC Assessment Guide – Level 2 | Version 2.13
85
'''AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE '''
Provide a system capability that compares and synchronizes internal system clocks with an
authoritative source to generate time stamps for audit records.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|74 ]]'''
Determine if: <br />
[a] internal system clocks are used to generate time stamps for audit records; <br />
[b] an authoritative source with which to compare and synchronize internal system clocks
is specified; and
[c]  internal system clocks used to generate time stamps for audit records are compared to
and synchronized with the specified authoritative time source.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|A]74 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; procedures addressing time stamp
generation; system design documentation; system security plan; system configuration
settings and associated documentation; system audit logs and records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with information security responsibilities; system or network
administrators; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing time stamp generation; mechanisms
implementing internal information system clock synchronization].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#93|75]] '''
Internal system clocks are used to generate time stamps, which include date and time. Time
is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich
Mean Time (GMT), or local time with an offset from UTC.  The granularity of time
measurements refers to the degree of synchronization between system clocks and reference
clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of
milliseconds.  Organizations may define different time granularities for different system
components. Time service can also be critical to other security capabilities such as access
control and identification and authentication, depending on the nature of the mechanisms
74
NIST SP 800-171A, pp. 23-24.
75
NIST SP 800-171 Rev. 2, p. 19.
''' '''
AU.L2-3.3.7 – Authoritative Time Source
CMMC Assessment Guide – Level 2 | Version 2.13
86
used to support those capabilities. This requirement provides uniformity of time stamps for
systems with multiple system clocks and systems connected over a network.
'''FURTHER DISCUSSION '''
Each system must synchronize its time with a central time server to ensure that all systems
are recording audit logs using the same time source. Reviewing audit logs from multiple
systems can be a difficult task if time is not synchronized. Systems can be synchronized to a
network device or directory service or configured manually.
'''Example <br />
'''You are setting up several new computers on your company’s network, which contains CUI.
You update the time settings on each machine to use the same authoritative time server on
the internet [b,c]. When you review audit logs, all your machines will have synchronized
time, which aids in any potential security investigations.
'''Potential Assessment Considerations <br />
'''•
  Can the records’ time stamps map to Coordinated Universal Time (UTC), compare system
clocks with authoritative Network Time Protocol (NTP) servers, and synchronize system
clocks when the time difference is greater than 1 second [c]?
  Does the system synchronize internal system clocks on a defined frequency [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.7
<br />
''' '''
AU.L2-3.3.8 – Audit Protection
CMMC Assessment Guide – Level 2 | Version 2.13
87
'''AU.L2-3.3.8 – AUDIT PROTECTION '''
Protect audit information and audit logging tools from unauthorized access, modification,
and deletion.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|76 ]]'''
Determine if: <br />
[a] audit information is protected from unauthorized access; <br />
[b] audit information is protected from unauthorized modification; <br />
[c]  audit information is protected from unauthorized deletion; <br />
[d] audit logging tools are protected from unauthorized access; <br />
[e] audit logging tools are protected from unauthorized modification; and <br />
[f]  audit logging tools are protected from unauthorized deletion.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|A]76 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; access control policy and procedures;
procedures addressing protection of audit information; system security plan; system design
documentation; system configuration settings and associated documentation, system audit
logs and records; audit logging tools; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
information security responsibilities; system or network administrators; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing audit information protection].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#95|77]] '''
Audit information includes all information (e.g., audit records, audit log settings, and audit
reports) needed to successfully audit system activity. Audit logging tools are those programs
and devices used to conduct audit and logging activities. This requirement focuses on the
technical protection of audit information and limits the ability to access and execute audit
logging tools to authorized individuals. Physical protection of audit information is addressed
by media protection and physical and environmental protection requirements.
76
NIST SP 800-171A, p. 24.
77
NIST SP 800-171 Rev. 2, p. 20.
''' '''
AU.L2-3.3.8 – Audit Protection
CMMC Assessment Guide – Level 2 | Version 2.13
88
'''FURTHER DISCUSSION '''
Audit information is a critical record of what events occurred, the source of the events, and
the outcomes of the events; this information needs to be protected.  The logs must be
properly secured so that the information may not be modified or deleted, either intentionally
or unintentionally. Only those with a legitimate need-to-know should have access to audit
information, whether that information is being accessed directly from logs or from audit
tools.
'''Example <br />
'''You are in charge of  IT operations in a  company  that handles CUI. Your responsibilities
include protecting audit information and audit logging tools. You protect the information
from modification or deletion by having audit log events forwarded to a central server and
by restricting the local audit logs to only be viewable by the system administrators [a,b,c].
Only a small group of security professionals can view the data on the central audit server
[b,c,d]. For an additional layer of protection, you back up the server daily and encrypt the
backups before sending them to a cloud data repository [a,b,c].
'''Potential Assessment Considerations <br />
'''•
  Is there a list of authorized users for audit systems and tools [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.8
<br />
''' '''
AU.L2-3.3.9 – Audit Management
CMMC Assessment Guide – Level 2 | Version 2.13
89
'''AU.L2-3.3.9 – AUDIT MANAGEMENT '''
Limit management of audit logging functionality to a subset of privileged users.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|78 ]]'''
Determine if: <br />
[a] a subset of privileged users granted access to manage audit logging functionality is
defined; and
[b] management of audit logging functionality is limited to the defined subset of privileged
users.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|A]78 ]]'''
'''Examine <br />
'''[SELECT FROM: Audit and accountability policy; access control policy and procedures;
procedures addressing protection of audit information; system security plan; system design
documentation; system configuration settings and associated documentation; access
authorizations; system-generated list of privileged users with access to management of audit
logging functionality; access control list; system audit logs and records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with
information security responsibilities; system or network administrators; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms managing access to audit logging functionality].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#97|79]] '''
Individuals with privileged access to a system and who are also the subject of an audit by
that system, may affect the reliability of audit information by inhibiting audit logging
activities or modifying audit records. This requirement specifies that privileged access be
further defined between audit-related privileges and other privileges, thus limiting the users
with audit-related privileges.
78
NIST SP 800-171A, pp. 24-25.
79
NIST SP 800-171 Rev. 2, p. 20.
''' '''
AU.L2-3.3.9 – Audit Management
CMMC Assessment Guide – Level 2 | Version 2.13
90
'''FURTHER DISCUSSION '''
Companies should restrict access to audit logging functions to a limited number of privileged
users who can modify audit logs and audit settings. General users should not be granted
permissions to perform audit management. All audit managers should be privileged users,
but only a small subset of privileged users will be given audit management responsibilities.
Functions performed by privileged users must be distinctly separate from the functions
performed by users who have audit-related responsibilities to reduce the potential of
fraudulent activities by privileged users not being detected or reported.  When possible,
individuals who manage audit logs should not have access to other privileged functions.
'''Example <br />
'''You are responsible for the administration of select company infrastructure that contains
CUI, but you are not responsible for managing audit information. You are not permitted to
review audit logs, delete audit logs, or modify audit log settings [b]. Full control of audit
logging functions has been given to senior system administrators [a,b]. This separation of
system administration duties from audit logging management is necessary to prevent
possible log file tampering.
'''Potential Assessment Considerations <br />
'''•
  Are audit records of nonlocal accesses to privileged accounts and the execution of
privileged functions protected [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.3.9
<br />
''' '''
CM.L2-3.4.1 – System Baselining
CMMC Assessment Guide – Level 2 | Version 2.13
91
Configuration Management (CM) <br />
'''CM.L2-3.4.1 – SYSTEM BASELINING '''
Establish and maintain baseline configurations and inventories of organizational systems
(including hardware, software, firmware, and documentation) throughout the respective
system development life cycles.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|80 ]]'''
Determine if: <br />
[a] a baseline configuration is established; <br />
[b] the baseline configuration includes hardware, software, firmware, and documentation; <br />
[c]  the baseline configuration is maintained (reviewed and updated) throughout the
system development life cycle;
[d] a system inventory is established; <br />
[e] the system inventory includes hardware, software, firmware, and documentation; and <br />
[f]  the inventory is maintained (reviewed and updated) throughout the system
development life cycle.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|A]80 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing the baseline
configuration of the system; procedures addressing system inventory; system security plan;
configuration management plan; system inventory records; inventory review and update
records; enterprise architecture documentation; system design documentation; system
architecture and configuration documentation; system configuration settings and associated
documentation; change control records; system component installation records; system
component removal records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with configuration management responsibilities; personnel with
responsibilities for establishing the system inventory; personnel with responsibilities for
updating the system inventory; personnel with information security responsibilities; system
or network administrators].
80
NIST SP 800-171A, p. 26.
''' '''
CM.L2-3.4.1 – System Baselining
CMMC Assessment Guide – Level 2 | Version 2.13
92
'''Test <br />
'''[SELECT FROM: Organizational processes for managing baseline configurations;
mechanisms supporting configuration control of the baseline configuration; organizational
processes for developing and documenting an inventory of system components;
organizational processes for updating inventory of system components; mechanisms
supporting or implementing the system inventory; mechanisms implementing updating of
the system inventory].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#100|81]] '''
This requirement establishes and maintains baseline configurations for systems and system
components including for system communications and connectivity. Baseline configurations
are documented, formally reviewed, and agreed-upon sets of specifications for systems or
configuration items within those systems. Baseline configurations serve as a basis for future
builds, releases, and changes to systems. Baseline configurations include information about
system components (e.g., standard software packages installed on workstations, notebook
computers, servers, network components, or mobile devices; current version numbers and
update and patch information on operating systems and applications; and configuration
settings and parameters), network topology, and the logical placement of those components
within the system architecture. Baseline configurations of systems also reflect the current
enterprise architecture. Maintaining effective baseline configurations requires creating new
baselines as organizational systems change over time. Baseline configuration maintenance
includes reviewing and updating the baseline configuration when changes are made based
on security risks and deviations from the established baseline configuration. <br />
Organizations can implement centralized system component inventories that include
components from multiple organizational systems. In such situations, organizations ensure
that the resulting inventories include system-specific information required for proper
component accountability (e.g., system association, system owner).  Information deemed
necessary for effective accountability of system components includes hardware inventory
specifications, software license information, software version numbers, component owners,
and for networked components or devices, machine names and network addresses.
Inventory specifications include manufacturer, device type, model, serial number, and
physical location. <br />
NIST SP 800-128 provides guidance on security-focused configuration management.
'''FURTHER DISCUSSION '''
An effective cybersecurity program depends on consistent, secure system and component
configuration and management. Build and configure systems from a known, secure, and
approved configuration baseline. This includes: <br />
  documenting the software and configuration settings of a system;
81
NIST SP 800-171 Rev. 2, p. 20.
''' '''
CM.L2-3.4.1 – System Baselining
CMMC Assessment Guide – Level 2 | Version 2.13
93
  placement within the network; and
  other specifications as required by the organization.
'''Example <br />
'''You are in charge of upgrading the computer operating systems of your office’s computers.
Some of these computers process, store, or transmit CUI. You research how to set up and
configure a workstation with the least functionality and highest security and use that as the
framework for creating a configuration that minimizes functionality while still allowing
users to do their tasks. After testing the new baseline on a single workstation, you document
this configuration and apply it to the other computers [a]. You then check to make sure that
the software changes are accurately reflected in your master system inventory [e]. Finally,
you set a calendar reminder to review the baseline in three months [f].
'''Potential Assessment Considerations <br />
'''•
  Do baseline configurations include software versions and patch level, configuration
parameters, network information, and communications with connected systems [a,b]?
  Are baseline configurations updated as needed to accommodate security risks or
software changes [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.1
<br />
''' '''
CM.L2-3.4.2 – Security Configuration Enforcement
CMMC Assessment Guide – Level 2 | Version 2.13
94
'''CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT '''
Establish and enforce security configuration settings for information technology products
employed in organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|82 ]]'''
Determine if: <br />
[a] security configuration settings for information technology products employed in the
system are established and included in the baseline configuration; and
[b] security configuration settings for information technology products employed in the
system are enforced.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|A]82 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; baseline configuration; procedures
addressing configuration settings for the system; configuration management plan; system
security plan; system design documentation; system configuration settings and associated
documentation; security configuration checklists; evidence supporting approved deviations
from established configuration settings; change control records; system audit logs and
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with security configuration management responsibilities;
personnel with information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for managing configuration settings; mechanisms
that implement, monitor, and/or control system configuration settings; mechanisms that
identify and/or document deviations from established configuration settings; processes for
managing baseline configurations; mechanisms supporting configuration control of baseline
configurations].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#102|83]] <br />
'''Configuration settings are the set of parameters that can be changed in hardware, software,
or firmware components of the system that affect the security posture or functionality of the
system. Information technology products for which security-related configuration settings
can be defined include mainframe computers, servers, workstations, input and output
devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers,
82
NIST SP 800-171A, pp. 26-27.
83
NIST SP 800-171 Rev. 2, p. 21.
''' '''
CM.L2-3.4.2 – Security Configuration Enforcement
CMMC Assessment Guide – Level 2 | Version 2.13
95
gateways, voice and data switches, wireless access points, network appliances, sensors),
operating systems, middleware, and applications. <br />
Security parameters are those parameters impacting the security state of systems including
the parameters required to satisfy other security requirements. Security parameters include:
registry settings; account, file, directory permission settings; and settings for functions,
ports, protocols, and remote connections. Organizations establish organization-wide
configuration settings and subsequently derive specific configuration settings for systems.
The established settings become part of the systems configuration baseline. <br />
Common secure configurations (also referred to as security configuration checklists,
lockdown and hardening guides, security reference guides, security technical
implementation guides) provide recognized, standardized, and established benchmarks that
stipulate secure configuration settings for specific  information technology
platforms/products and instructions for configuring those system components to meet
operational requirements. Common secure configurations can be developed by a variety of
organizations including information technology product developers, manufacturers,
vendors, consortia, academia, industry, federal agencies, and other organizations in the
public and private sectors. <br />
NIST SP 800-70 and SP 800-128 provide guidance on security configuration settings.
'''FURTHER DISCUSSION <br />
'''Information security is an integral part of a company’s configuration management process.
Security-related configuration settings are customized to satisfy the company’s security
requirements and are applied them to all systems once tested and approved. The
configuration settings must reflect the most restrictive settings that are appropriate for the
system. Any required deviations from the baseline are reviewed, documented, and approved.
'''Example <br />
'''You manage baseline configurations for your company’s systems, including those that
process, store, and transmit CUI. As part of this, you download a secure configuration guide
for each of your asset types (servers, workstations, network components, operating systems,
middleware, and applications) from a well-known and trusted IT security organization. You
then apply all of the settings that you can while still ensuring the assets can perform the role
for which they are needed. Once you have the configuration settings identified and tested,
you document them to ensure all applicable machines can be configured the same way [a,b].
'''Potential Assessment Considerations <br />
'''•
  Do security settings reflect the most restrictive settings appropriate [a]?
  Are changes or deviations to security settings documented [b]?
'''KEY REFERENCES <br />
'''•
  NIST SP 800-171 Rev. 2 3.4.2
''' '''
CM.L2-3.4.3 – System Change Management
CMMC Assessment Guide – Level 2 | Version 2.13
96
'''CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT '''
Track, review, approve or disapprove, and log changes to organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|84 ]]'''
Determine if: <br />
[a] changes to the system are tracked; <br />
[b] changes to the system are reviewed; <br />
[c]  changes to the system are approved or disapproved; and <br />
[d] changes to the system are logged.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|A]84 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing system
configuration change control; configuration management plan; system architecture and
configuration documentation; system security plan; change control records; system audit
logs and records; change control audit and review reports; agenda/minutes from
configuration change control oversight meetings; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with configuration change control responsibilities; personnel
with information security responsibilities; system or network administrators; members of
change control board or similar].
'''Test <br />
'''[SELECT FROM: Organizational processes for configuration change control; mechanisms that
implement configuration change control].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#104|85]] '''
Tracking, reviewing, approving/disapproving, and logging changes is called configuration
change control. Configuration change control for organizational systems involves the
systematic proposal, justification, implementation, testing, review, and disposition of
changes to the systems, including system upgrades and modifications. Configuration change
control includes changes to baseline configurations for components and configuration items
of systems, changes to configuration settings for information technology products (e.g.,
operating systems, applications, firewalls, routers, and mobile devices), unscheduled and
unauthorized changes, and changes to remediate vulnerabilities.
84
NIST SP 800-171A, p. 27.
85
NIST SP 800-171 Rev. 2, p. 21
''' '''
CM.L2-3.4.3 – System Change Management
CMMC Assessment Guide – Level 2 | Version 2.13
97
Processes for managing configuration changes to systems include Configuration Control
Boards or Change Advisory Boards that review and approve proposed changes to systems.
For new development systems or systems undergoing major upgrades, organizations
consider including representatives from development organizations on the Configuration
Control Boards or Change Advisory Boards. Audit logs of changes include activities before
and after changes are made to organizational systems and the activities required to
implement such changes. <br />
NIST SP 800-128 provides guidance on configuration change control.
'''FURTHER DISCUSSION '''
You must track, review, and approve configuration changes before committing to
production. Changes to computing environments can create unintended and unforeseen
issues that can affect the security and availability of the systems, including those that process
CUI. Relevant experts and stakeholders must review and approve proposed changes. They
should discuss potential impacts before the organization puts the changes in place. Relevant
items include changes to the physical environment and to the systems hosted within it.
'''Example <br />
'''Once a month, the management and technical team leads join a change control board
meeting. During this meeting, everyone reviews all proposed changes to the environment
[b,c]. This includes changes to the physical and computing environments. The meeting
ensures that relevant subject-matter experts review changes and propose alternatives
where needed.
'''Potential Assessment Considerations '''
  Are changes to the system authorized by company management and documented
[a,b,c,d]?
  Are changes documented and tracked (e.g., manually written down or included in a
tracking service such as a ticketing system) [d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.3
<br />
''' '''
CM.L2-3.4.4 – Security Impact Analysis
CMMC Assessment Guide – Level 2 | Version 2.13
98
'''CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS '''
Analyze the security impact of changes prior to implementation.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|86 ]]'''
Determine if: <br />
[a] the security impact of changes to the system is analyzed prior to implementation.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|A]86 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing security impact
analysis for system changes; configuration management plan; security impact analysis
documentation; system security plan; analysis tools and associated outputs; change control
records; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibility for conducting security impact analysis;
personnel with information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for security impact analysis].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#106|87]] '''
Organizational personnel with information security responsibilities (e.g., system
administrators, system security officers, system security managers, and systems security
engineers) conduct security impact analyses. Individuals conducting security impact
analyses possess the necessary skills and technical expertise to analyze the changes to
systems and the associated  security ramifications. Security impact analysis may include
reviewing security plans to understand security requirements and reviewing system design
documentation to understand the implementation of controls and how specific changes
might affect the controls. Security impact analyses may also include risk assessments to
better understand the impact of the changes and to determine if additional controls are
required. <br />
NIST SP 800-128 provides guidance on configuration change control and security impact
analysis.
86
NIST SP 800-171A, p. 27.
87
NIST SP 800-171 Rev. 2, pp. 21-22.
''' '''
CM.L2-3.4.4 – Security Impact Analysis
CMMC Assessment Guide – Level 2 | Version 2.13
99
'''FURTHER DISCUSSION '''
Changes to complex environments are reviewed for potential security impact before
implemented. Changes to IT systems can cause unforeseen problems and have unintended
consequences for both users and the security of the operating environment. Analyze the
security impact of changes prior to implementing them. This can uncover and mitigate
potential problems before they occur.
'''Example <br />
'''You have been asked to deploy a new web browser plug-in. Your standard change
management process requires that you produce a detailed plan for the change, including a
review of its potential security impact. A subject-matter expert who did not submit the
change reviews the plan and tests the new plug-in for functionality and security. You update
the change plan based on the expert’s findings and submit it to the change control board for
final approval [a].
'''Potential Assessment Considerations <br />
'''•
  Are configuration changes tested, validated, and documented before installing them on
the operational system [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.4
<br />
''' '''
CM.L2-3.4.5 – Access Restrictions for Change
CMMC Assessment Guide – Level 2 | Version 2.13
100
'''CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE '''
Define, document, approve, and enforce physical and logical access restrictions associated
with changes to organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#108|88 ]]'''
Determine if: <br />
[a] physical access restrictions associated with changes to the system are defined; <br />
[b] physical access restrictions associated with changes to the system are documented; <br />
[c]  physical access restrictions associated with changes to the system are approved; <br />
[d] physical access restrictions associated with changes to the system are enforced; <br />
[e] logical access restrictions associated with changes to the system are defined; <br />
[f]  logical access restrictions associated with changes to the system are documented; <br />
[g] logical access restrictions associated with changes to the system are approved; and <br />
[h] logical access restrictions associated with changes to the system are enforced.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#108|A]88 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing access
restrictions for changes to the system; system security plan;  configuration management
plan; system design documentation; system architecture and configuration documentation;
system configuration settings and associated documentation; logical access approvals;
physical access approvals; access credentials; change control records; system audit logs and
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with logical access control responsibilities; personnel with
physical access control responsibilities; personnel with information security
responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for managing access restrictions associated with
changes to the system; mechanisms supporting, implementing, and enforcing access
restrictions associated with changes to the system].
88
NIST SP 800-171A, p. 28.
''' '''
CM.L2-3.4.5 – Access Restrictions for Change
CMMC Assessment Guide – Level 2 | Version 2.13
101
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#109|89]] '''
Any changes to the hardware, software, or firmware components of systems can potentially
have significant effects on the overall security of the systems.  Therefore, organizations
permit only qualified and authorized individuals to access systems for purposes of initiating
changes, including upgrades and modifications. Access restrictions for change also include
software libraries.  Access restrictions include physical and logical access control
requirements, workflow automation, media libraries, abstract layers (e.g., changes
implemented into external interfaces rather than directly into systems), and change
windows (e.g., changes occur only during certain specified times). In addition to security
concerns, commonly-accepted due diligence for configuration management includes access
restrictions as an essential part in ensuring the ability to effectively manage the
configuration. <br />
NIST SP 800-128 provides guidance on configuration change control.
'''FURTHER DISCUSSION '''
Define, identify, and document qualified individuals authorized to make physical and logical
changes to the organization’s hardware, software, software libraries,  or firmware
components. Control of configuration management activities may involve: <br />
  physical access control that prohibits unauthorized users from gaining physical access to
an asset (e.g., requiring a special key card to enter a server room);
  logical access control that prevents unauthorized users from logging onto a system to
make configuration changes (e.g.,  requiring specific credentials for modifying
configuration settings, patching software, or updating software libraries);
  workflow automation in which configuration management workflow rules define human
tasks  and data or files are routed between people authorized to do configuration
management based on pre-defined business rules (e.g., passing an electronic form to a
manager requesting approval of configuration change made by an authorized employee);
  an abstraction layer for configuration management that requires changes be made from
an external system  through constrained interface (e.g.,  software updates can only be
made from a patch management system with a specific IP address); and
  utilization of a configuration management change window (e.g., software updates are
only allowed between 8:00 AM and 10:00 AM or between 6:00 PM and 8:00 PM).
'''Example <br />
'''Your datacenter requires expanded  storage  capacity  in a server.  The change has been
approved, and security is planning to allow an external technician to access the building at a
specific date and time under the supervision of a manager [a,b,c,d]. A system administrator
creates a temporary privileged account that can be used to log into the server’s operating
system and update storage settings [e,f,g]. On the appointed day, the technician is escorted
89
NIST SP 800-171 Rev. 2, p. 22.
''' '''
CM.L2-3.4.5 – Access Restrictions for Change
CMMC Assessment Guide – Level 2 | Version 2.13
102
into the datacenter, upgrades the hardware, expands the storage in the operating system
(OS), and departs. The manager verifies the upgrade and disables the privileged account [h].
'''Potential Assessment Considerations <br />
'''•
  Are only employees who are approved to make physical or logical changes on systems
allowed to do so [a,d,e,h]?
  Are authorized personnel approved and documented by the service owner and IT
security [a,e]?
  Does all change documentation include the name of the authorized employee making the
change [b,d,f,h]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.5
<br />
''' '''
CM.L2-3.4.6 – Least Functionality
CMMC Assessment Guide – Level 2 | Version 2.13
103
'''CM.L2-3.4.6 – LEAST FUNCTIONALITY '''
Employ the principle of least functionality by configuring organizational systems to provide
only essential capabilities.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|90 ]]'''
Determine if: <br />
[a] essential system capabilities are defined based on the principle of least functionality;
and
[b] the system is configured to provide only the defined essential capabilities.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|A]90 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; configuration management plan;
procedures addressing least functionality in the system; system security plan; system design
documentation; system configuration settings and associated documentation; security
configuration checklists; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with security configuration management responsibilities;
personnel with information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes prohibiting or restricting functions, ports,
protocols, or services; mechanisms implementing restrictions or prohibition of functions,
ports, protocols, or services].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#111|91]] '''
Systems can provide a wide variety of functions and services. Some of the functions and
services routinely provided by default, may not be necessary to support essential
organizational missions, functions, or operations.  It is sometimes convenient to provide
multiple services from single system components. However, doing so increases risk over
limiting the services provided by any one component. Where feasible, organizations limit
component functionality to a single function per component. <br />
Organizations review functions and services provided by systems or components of systems,
to determine which functions and services are candidates for elimination.  Organizations
disable unused or unnecessary physical and logical ports and protocols to prevent
unauthorized connection of devices, transfer of information, and tunneling. Organizations
90
NIST SP 800-171A, pp. 28-29.
91
NIST SP 800-171 Rev. 2, p. 22.
''' '''
CM.L2-3.4.6 – Least Functionality
CMMC Assessment Guide – Level 2 | Version 2.13
104
can utilize network scanning tools, intrusion detection and prevention systems, and end-
point protections such as firewalls and host-based intrusion detection systems to identify
and prevent the use of prohibited functions, ports, protocols, and services.
'''FURTHER DISCUSSION '''
You should customize organizational systems to remove non-essential applications and
disable  unnecessary  services.  Systems come with many unnecessary applications and
settings enabled by default  including  unused ports and protocols. Leave only the fewest
capabilities necessary for the systems to operate effectively.
'''Example <br />
'''You have ordered a new server, which has arrived with a number of free utilities installed in
addition to the operating system. Before you deploy the server, you research the utilities to
determine which ones can be eliminated without impacting functionality. You remove the
unneeded software, then move on to disable unused ports and services. The server that
enters  production therefore has only the essential  capabilities enabled for the system to
function in its role [a,b].
'''Potential Assessment Considerations <br />
'''•
  Are the roles and functions for each system identified along with the software and
services required to perform those functions [a]?
  Are the software and services required for those defined functions identified [a]?
  Is the information system configured to exclude any function not needed in the
operational environment [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.6
<br />
''' '''
CM.L2-3.4.7 – Nonessential Functionality
CMMC Assessment Guide – Level 2 | Version 2.13
105
'''CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY '''
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols,
and services.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#113|92 ]]'''
Determine if: <br />
[a] essential programs are defined; <br />
[b] the use of nonessential programs is defined; <br />
[c]  the use of nonessential programs is restricted, disabled, or prevented as defined; <br />
[d] essential functions are defined; <br />
[e] the use of nonessential functions is defined; <br />
[f]  the use of nonessential functions is restricted, disabled, or prevented as defined; <br />
[g] essential ports are defined; <br />
[h] the use of nonessential ports is defined; <br />
[i]  the use of nonessential ports is restricted, disabled, or prevented as defined; <br />
[j]  essential protocols are defined; <br />
[k] the use of nonessential protocols is defined; <br />
[l]  the use of nonessential protocols is restricted, disabled, or prevented as defined; <br />
[m] essential services are defined; <br />
[n] the use of nonessential services is defined; and <br />
[o] the use of nonessential services is restricted, disabled, or prevented as defined.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#113|A]92 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing least
functionality in the system; configuration management plan; system security plan; system
design documentation; security configuration checklists; system configuration settings and
associated documentation; specifications for preventing software program execution;
documented reviews of programs, functions, ports, protocols, and/or services; change
control records; system audit logs and records; other relevant documents or records].
92
NIST SP 800-171A, p. 29.
''' '''
CM.L2-3.4.7 – Nonessential Functionality
CMMC Assessment Guide – Level 2 | Version 2.13
106
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports,
protocols, and services on the system; personnel with information security responsibilities;
system or network administrators; system developers].
'''Test <br />
'''[SELECT FROM: Organizational processes for reviewing and disabling nonessential
programs, functions, ports, protocols, or services; mechanisms implementing review and
handling of nonessential programs, functions, ports, protocols, or services; organizational
processes preventing program execution on the system; organizational processes for
software program usage and restrictions; mechanisms supporting or implementing software
program usage and restrictions; mechanisms preventing program execution on the system].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#114|93]] '''
Restricting the use of nonessential software (programs) includes restricting the roles
allowed to approve program execution; prohibiting auto-execute; program blacklisting and
whitelisting; or restricting the number of program instances executed at the same time. The
organization makes a security-based determination which functions, ports, protocols,
and/or services are restricted.  Bluetooth,  File Transfer Protocol (FTP), and peer-to-peer
networking are examples of protocols organizations consider preventing the use  of,
restricting, or disabling.
'''FURTHER DISCUSSION '''
Organizations should only use the minimum set of programs, services, ports, and protocols
required for to accomplish the organization’s mission. This has several implications: <br />
  All unnecessary programs and accounts are removed from all endpoints and servers.
  The organization makes a policy decision to control the execution of programs through
either whitelisting or blacklisting.  Whitelisting means a program can only run if the
software has been vetted in some way, and the executable name has been entered onto a
list of allowed software. Blacklisting means any software can execute as long it is not on
a list of known malicious software.  Whitelisting provides far more security than
blacklisting, but the organization’s policy can direct the implementation of either
approach. Control of execution applies to both servers and endpoints.
  The organization restricts the use of all unnecessary ports, protocols, and system services
in order to limit entry points that attackers can use. For example, the use of the FTP
service is eliminated from all computers, and the associated ports are blocked unless a
required service utilizes those ports. The elimination of nonessential functionality on the
network and systems provides a smaller attack surface for an attacker to gain access and
take control of your network or systems.
This requirement, CM.L2-3.4.7, which requires limiting functionality to essential programs,
ports, protocols, and services, extends CM.L2-3.4.6, which requires adherence to the
93
NIST SP 800-171 Rev. 2, pp. 22-23.
''' '''
CM.L2-3.4.7 – Nonessential Functionality
CMMC Assessment Guide – Level 2 | Version 2.13
107
principle of least functionality but does not specifically address which elements of a system
should be limited.
'''Example <br />
'''You are responsible for purchasing new endpoint hardware, installing organizationally
required software to the hardware, and configuring the endpoint in accordance with the
organization’s policy. The organization has a system imaging capability that loads all
necessary software, but it does not remove unnecessary services, eliminate the use of certain
protocols, or close unused ports. After imaging the systems, you close all ports and block the
use of all protocols except the following: <br />
  TCP for SSH on port 22;
  SMTP on port 25;
  TCP and UDP on port 53; and
  HTTP and HTTPS on port 443.
The use of any other ports or protocols are allowed by exception only [i,l,o].
'''Potential Assessment Considerations <br />
'''•
  Are only applications and services that are needed for the function of the system
configured and enabled [a,b,c,d,e,f]?
  Are only those ports and protocols necessary to provide the service of the information
system configured for that system [g,h,i,j,k,l]?
  Are systems services reviewed to determine what is essential for the function of that
system [m]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.7
<br />
''' '''
CM.L2-3.4.8 – Application Execution Policy
CMMC Assessment Guide – Level 2 | Version 2.13
108
'''CM.L2-3.4.8 – APPLICATION EXECUTION POLICY '''
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software
or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized
software.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|94 ]]'''
Determine if: <br />
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is
specified;
[b] the software allowed to execute under whitelisting or denied use under blacklisting is
specified; and
[c]  whitelisting to allow the execution of authorized software or blacklisting to prevent the
use of unauthorized software is implemented as specified.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|A]94 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing least
functionality in the system; system security plan; configuration management plan; system
design documentation; system configuration settings and associated documentation; list of
software programs not authorized to execute on the system; list of software programs
authorized to execute on the system; security configuration checklists; review and update
records associated with list of authorized or unauthorized software programs; change
control records; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for identifying software authorized or not
authorized to execute on the system; personnel with information security responsibilities;
system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational process for identifying, reviewing, and updating programs
authorized or not authorized to execute on the system; process for implementing blacklisting
or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#116|95]] '''
The process used to identify software programs that are not authorized to execute on
systems is commonly referred to as blacklisting.  The process used to identify software
94
NIST SP 800-171A, p. 30.
95
NIST SP 800-171 Rev. 2, p. 23.
''' '''
CM.L2-3.4.8 – Application Execution Policy
CMMC Assessment Guide – Level 2 | Version 2.13
109
programs that are authorized to execute on systems is commonly referred to as whitelisting.
Whitelisting is the stronger of the two policies for restricting software program execution.
In addition to whitelisting, organizations consider verifying the integrity of whitelisted
software programs using, for example, cryptographic checksums, digital signatures, or hash
functions.  Verification of whitelisted software can occur either prior to execution or at
system startup. <br />
NIST SP 800-167 provides guidance on application whitelisting.
'''FURTHER DISCUSSION '''
Organizations should determine their blacklisting or whitelisting policy and configure the
system to manage software that is allowed to run. Blacklisting or deny-by-exception allows
all software to run except if on an unauthorized software list such as what is maintained in
antivirus solutions. Whitelisting or permit-by-exception does not allow any software to run
except if on an authorized software list. The stronger policy of the two is whitelisting. <br />
This requirement, CM.L2-3.4.8, requires the implementation of allow-lists and deny-lists for
application software. It leverages CM.L2-3.4.1, which requires the organization to establish
and maintain software inventories. <br />
This requirement, CM.L2-3.4.8, also extends CM.L2-3.4.9, which only requires control and
monitoring of any user installed software.
'''Example <br />
'''To improve your company’s protection from malware, you have decided to allow only
designated programs to run. With additional research you identify a capability within the
latest operating system that can control executables, scripts, libraries, or application
installers run in your environment [c]. To ensure success you begin by authorizing digitally
signed executables.  Once  they are deployed,  you then plan to evaluate and deploy
whitelisting for software libraries and scripts [c].
'''Potential Assessment Considerations <br />
'''•
  Is the information system configured to only allow authorized software to run [a,b,c]?
  Is the system configured to disallow running unauthorized software [a,b,c]?
  Is there a defined list of software programs authorized to execute on the system [b]?
  Is the authorization policy a deny-all, permit by exception for software allowed to execute
on the system [a,b,c]?
  Are automated mechanisms used to prevent program execution in accordance with
defined lists (e.g., whitelisting) [a,b,c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.8
''' '''
CM.L2-3.4.9 – User-Installed Software
CMMC Assessment Guide – Level 2 | Version 2.13
110
'''CM.L2-3.4.9 – USER-INSTALLED SOFTWARE '''
Control and monitor user-installed software.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|96 ]]'''
Determine if: <br />
[a] a policy for controlling the installation of software by users is established; <br />
[b] installation of software by users is controlled based on the established policy; and <br />
[c]  installation of software by users is monitored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|A]96 ]]'''
'''Examine <br />
'''[SELECT FROM: Configuration management policy; procedures addressing user installed
software; configuration management plan; system security plan; system design
documentation; system configuration settings and associated documentation; list of rules
governing user-installed software; system monitoring records; system audit logs and
records; continuous monitoring strategy; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibilities for governing user-installed software;
personnel operating, using, or maintaining the system; personnel monitoring compliance
with user-installed software policy; personnel with information security responsibilities;
system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes governing user-installed software on the system;
mechanisms enforcing rules or methods for governing the installation of software by users;
mechanisms monitoring policy compliance].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#118|97]] '''
Users can install software in organizational systems if provided the necessary privileges. To
maintain control over the software installed, organizations identify permitted and
prohibited actions regarding software installation through policies.  Permitted software
installations include updates and security patches to existing software and applications from
organization-approved “app stores.” Prohibited software installations may include software
with unknown or suspect pedigrees or software that organizations consider potentially
malicious.  The policies organizations select governing user-installed software may be
96
NIST SP 800-171A, p. 30.
97
NIST SP 800-171 Rev. 2, p. 23.
''' '''
CM.L2-3.4.9 – User-Installed Software
CMMC Assessment Guide – Level 2 | Version 2.13
111
organization-developed or provided by some external entity. Policy enforcement methods
include procedural methods, automated methods, or both.
'''FURTHER DISCUSSION '''
Software that users have the ability to install is limited to items that the organization
approves. When not controlled, users could install software that can create unnecessary risk.
This risk applies both to the individual machine and to the larger operating environment.
Policies and technical controls reduce risk to the organization by preventing users from
installing unauthorized software.
'''Example <br />
'''You are a system administrator. A user calls you for help installing a software package. They
are receiving a message asking for a password because they do not have permission to install
the software. You explain that the policy prohibits users from installing software without
approval [a]. When you set up workstations for users, you do not provide administrative
privileges. After the call, you redistribute the policy to all users ensuring everyone in the
company is aware of the restrictions.
'''Potential Assessment Considerations <br />
'''•
  Are user controls in place to prohibit the installation of unauthorized software [a]?
  Is all software in use on the information systems approved [b]?
  Is there a mechanism in place to monitor the types of software a user is permitted to
download (e.g., is there a whitelist of approved software) [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.4.9
<br />
''' '''
IA.L2-3.5.1 – Identification [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
112
Identification and Authentication (IA) <br />
'''IA.L2-3.5.1 – IDENTIFICATION [CUI DATA] '''
Identify system users, processes acting on behalf of users, and devices.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|98 ]]'''
Determine if: <br />
[a] system users are identified; <br />
[b] processes acting on behalf of users are identified; and <br />
[c]  devices accessing the system are identified.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|]98 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; procedures addressing user
identification and authentication; system security plan, system design documentation;
system configuration settings and associated documentation; system audit logs and records;
list of system accounts; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system operations responsibilities; personnel with
information security responsibilities; system or network administrators; personnel with
account management responsibilities; system developers].
'''Test <br />
'''[SELECT FROM: Organizational processes for uniquely identifying and authenticating users;
mechanisms supporting or implementing identification and authentication capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|99]] '''
Common device identifiers include media access control (MAC), Internet Protocol (IP)
addresses, or device-unique token identifiers. Management of individual identifiers is not
applicable to shared system accounts. Typically, individual identifiers are the user names
associated with the system accounts assigned to those individuals.  Organizations may
require unique identification of individuals in group accounts or for detailed accountability
of individual activity. In addition, this requirement addresses individual identifiers that are
not necessarily associated with system accounts.  Organizational devices requiring
98
NIST SP 800-171A, p. 31.
99
NIST SP 800-171 Rev. 2, p. 23.
''' '''
IA.L2-3.5.1 – Identification [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
113
identification may be defined by type, by device, or by a combination of type/device. NIST SP
800-63-3 provides guidance on digital identities.
'''FURTHER DISCUSSION '''
Make sure to assign individual, unique identifiers (e.g., user names) to all users  and
processes that  access company systems. Authorized devices also should have unique
identifiers. Unique identifiers can be as simple as a short set of alphanumeric characters (e.g.,
SW001 could refer to a network switch, SW002 could refer to a different network switch). <br />
This requirement, IA.L2-3.5.1, provides a vetted and trusted identity that supports the access
control mechanism required by AC.L2-3.1.1.
'''Example <br />
'''You want to make sure that all employees working on a project  can  access  important
information about it. Because this is work for the DoD and may contain CUI, you also need to
prevent employees who are not working on that  project from being able to access the
information. You assign each employee is assigned a unique user ID, which they use to log
into the system [a].
'''Potential Assessment Considerations <br />
'''•
  Are unique identifiers issued to individual users (e.g., usernames) [a]?
  Are the processes and service accounts that an authorized user initiates identified (e.g.,
scripts, automatic updates, configuration updates, vulnerability scans) [b]?
  Are unique device identifiers used for devices that access the system identified [c]?
'''KEY REFERENCES'''
  NIST SP 800-171 Rev. 2 3.5.1
  FAR Clause 52.204-21 b.1.v
''' '''
IA.L2-3.5.2 – Authentication [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
114
'''IA.L2-3.5.2 – AUTHENTICATION [CUI DATA] '''
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to
allowing access to organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|100 <br />
]]'''Determine if: <br />
[a] the identity of each user is authenticated or verified as a prerequisite to system access; <br />
[b] the identity of each process acting on behalf of a user is authenticated or verified as a
prerequisite to system access; and
[c]  the identity of each device accessing or connecting to the system is authenticated or
verified as a prerequisite to system access.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|]100 <br />
]]Examine <br />
'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
addressing authenticator management; procedures addressing user identification and
authentication; system design documentation; list of system authenticator types; system
configuration settings and associated documentation; change control records associated
with managing system authenticators; system audit logs and records; other relevant
documents or records]. <br />
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators]. <br />
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#122|101]] <br />
'''Individual authenticators include the following: passwords, key cards, cryptographic
devices, and one-time password devices. Initial authenticator content is the actual content
of the authenticator, for example, the initial password. In contrast, the requirements about
authenticator content include the minimum password length.  Developers ship system
components with factory default authentication credentials to allow for initial installation
and configuration.  Default authentication credentials are often well known, easily
discoverable, and present a significant security risk. <br />
Systems support authenticator management by organization-defined settings and
restrictions for various authenticator characteristics including minimum password length,
100
NIST SP 800-171A, p. 31.
101
NIST SP 800-171 Rev. 2, p. 24.
''' '''
IA.L2-3.5.2 – Authentication [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
115
validation time window for time synchronous one-time tokens, and number of allowed
rejections during the verification stage of biometric authentication.  Authenticator
management includes issuing and revoking, when no longer needed, authenticators for
temporary access such as that required  for remote maintenance.  Device authenticators
include certificates and passwords. <br />
NIST SP 800-63-3 provides guidance on digital identities.
'''FURTHER DISCUSSION <br />
'''Before a person or device is given system access, verify that the user or device is who or what
it claims to be. This verification is called authentication. The most common way to verify
identity is using a username and a hard-to-guess password. <br />
Some devices ship with default usernames and passwords. Some devices ship with a default
username  (e.g.,  admin)  and password.  A  default username and password  must be
immediately changed to something unique. Default passwords may be well known to the
public, easily found in a search, or easy to guess, allowing an unauthorized person to access
the system.
'''Example 1 <br />
'''You are in charge of purchasing. You know that some laptops come with a default username
and password. You notify IT that all default passwords should be reset prior to laptop use
[a]. You ask IT to explain the importance of resetting default passwords and convey how
easily they are discovered using internet searches during next week’s cybersecurity
awareness training.
'''Example 2 <br />
'''Your company decides to use cloud services for email and other capabilities. Upon reviewing
this requirement, you realize every user or device that connects to the cloud service must be
authenticated. As a result, you work with your cloud service provider to ensure that only
properly authenticated users and devices are allowed to connect to the system [a,c].
'''Potential Assessment Considerations <br />
'''•
  Are unique authenticators used to verify user identities (e.g., passwords) [a]?
  An example of a process acting on behalf of users could be a script that logs in as a person
or service account [b]. Can the OSA show that it maintains a record of all of those service
accounts for use when reviewing log data or responding to an incident?
  Are user credentials authenticated in system processes (e.g., credentials binding,
certificates, tokens) [b]?
  Are device identifiers used in authentication processes (e.g., MAC address, non-
anonymous computer name, certificates) [c]?
'''KEY REFERENCES <br />
'''•
  NIST SP 800-171 Rev. 2 3.5.2
''' '''
IA.L2-3.5.2 – Authentication [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
116
  FAR Clause 52.204-21 b.1.vi
''' '''
IA.L2-3.5.3 – Multifactor Authentication
CMMC Assessment Guide – Level 2 | Version 2.13
117
'''IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION '''
Use multifactor authentication for local and network access to privileged accounts and for
network access to non-privileged accounts.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|102 ]]'''
Determine if: <br />
[a] privileged accounts are identified; <br />
[b] multifactor authentication is implemented for local access to privileged accounts; <br />
[c]  multifactor authentication is implemented for network access to privileged accounts;
and
[d] multifactor authentication is implemented for network access to non-privileged
accounts.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|A]102 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; procedures addressing user
identification and authentication; system security plan; system design documentation;
system configuration settings and associated documentation; system audit logs and records;
list of system accounts; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#125|103]] '''
Multifactor authentication requires the use of two or more different factors to authenticate.
The factors are defined as something you know (e.g., password, personal identification
number [PIN]); something you have (e.g., cryptographic identification device, token); or
something you are (e.g., biometric).  Multifactor authentication solutions that feature
physical authenticators include hardware authenticators providing time-based or challenge-
response authenticators and smart cards. In addition to authenticating users at the system
level (i.e., at logon), organizations may also employ authentication mechanisms at the
102
NIST SP 800-171A, p. 32.
103
NIST SP 800-171 Rev. 2, pp. 24-25.
''' '''
IA.L2-3.5.3 – Multifactor Authentication
CMMC Assessment Guide – Level 2 | Version 2.13
118
application level, when necessary, to provide increased information security.  Access to
organizational systems is defined as local access or network access. Local access is any access
to organizational systems by users (or processes acting on behalf of users) where such access
is obtained by direct connections without the use of networks. Network access is access to
systems by users (or processes acting on behalf of users) where such access is obtained
through network connections (i.e., nonlocal accesses). Remote access is a type of network
access that involves communication through external networks. The use of encrypted virtual
private networks for connections between organization-controlled and non-organization
controlled endpoints may be treated as internal networks with regard to protecting the
confidentiality of information. <br />
NIST SP 800-63-3 provides guidance on digital identities.
'''FURTHER DISCUSSION '''
Implement a combination of two  or more  factors of authentication to verify privileged
account holders’ identity regardless of how the user is accessing the account. Implement a
combination of two or more factors for non-privileged users accessing the system over a
network. <br />
The implementation of multi-factor authentication will depend on the environment and
business  needs. Although two-factor authentication directly on the computer is most
common, there are situations (e.g., multi-factor identification for a mission system that
cannot be altered) where additional technical or physical solutions can provide security. If a
mobile device is used to access a system or application containing  CUI,  multi-factor
authentication is required. <br />
This  requirement,  IA.L2-3.5.3,  requires multifactor authentication for network access to
non-privileged accounts  and complements five other  requirements  dealing with remote
access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and MA.L2-3.7.5:  <br />
  AC.L2-3.1.12 requires the control of remote access sessions.
  AC.L2-3.1.14 limits remote access to specific access control points.
  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
sessions.
  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote.
  Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote
maintenance sessions.
This requirement, IA.L2-3.5.3, also enhances IA.L2-3.5.2, which is a requirement for a less
rigorous form of user authentication.
'''Example <br />
'''You decide to implement multifactor authentication (MFA) to improve security of your
network. Your first step is enabling MFA on VPN access to your internal network [c,d]. When
users initiate remote access, they will be prompted for the additional authentication factor.
''' '''
IA.L2-3.5.3 – Multifactor Authentication
CMMC Assessment Guide – Level 2 | Version 2.13
119
Because  you also  use  a cloud-based  email solution,  you  require  MFA  for access to that
resource as well [c,d]. Finally, you enable MFA for both local and network logins for the
system administrator accounts used to patch and manage servers [a,b,c].
'''Potential Assessment Considerations <br />
'''•
  Does the system uniquely identify and authenticate users, including privileged accounts
[b,c,d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.3
''' '''
IA.L2-3.5.4 – Replay-Resistant Authentication
CMMC Assessment Guide – Level 2 | Version 2.13
120
'''IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION '''
Employ replay-resistant authentication mechanisms for network access to privileged and
non-privileged accounts.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|104 ]]'''
Determine if: <br />
[a] replay-resistant authentication mechanisms are implemented for network account
access to privileged and non-privileged accounts.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|A]104 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; procedures addressing user
identification and authentication; system security plan; system design documentation;
system configuration settings and associated documentation; system audit logs and records;
list of privileged system accounts; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system operations responsibilities; personnel with account
management responsibilities; personnel with information security responsibilities; system
or network administrators; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing identification and authentication
capability or replay resistant authentication mechanisms].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#128|105]] '''
Authentication processes resist replay attacks if it is impractical to successfully authenticate
by recording or replaying previous authentication messages. Replay-resistant techniques
include protocols that use nonces or challenges such as time synchronous or challenge-
response one-time authenticators. <br />
NIST SP 800-63-3 provides guidance on digital identities.
'''FURTHER DISCUSSION '''
When insecure protocols are used for access to computing resources, an adversary may be
able to capture login information and immediately reuse (replay) it for other purposes. It is
important to use mechanisms that resist this technique.
104
NIST SP 800-171A, p. 32.
105
NIST SP 800-171 Rev. 2, p. 25.
''' '''
IA.L2-3.5.4 – Replay-Resistant Authentication
CMMC Assessment Guide – Level 2 | Version 2.13
121
'''Example <br />
'''To protect your IT infrastructure, you understand that the methods for authentication must
not be easily copied and re-sent to your systems by an adversary. You select Kerberos for
authentication because of its built-in resistance to replay attacks. As a next step you upgrade
all of your web applications to require Transport Layer Security (TLS), which also is replay-
resistant. Your use of MFA to protect remote access also confers some replay resistance.
'''Potential Assessment Considerations <br />
'''•
  Are only anti-replay authentication mechanisms used [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.4
<br />
''' '''
IA.L2-3.5.5 – Identifier Reuse
CMMC Assessment Guide – Level 2 | Version 2.13
122
'''IA.L2-3.5.5 – IDENTIFIER REUSE '''
Prevent reuse of identifiers for a defined period.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|106 ]]'''
Determine if: <br />
[a] a period within which identifiers cannot be reused is defined; and <br />
[b] reuse of identifiers is prevented within the defined period.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|A]106 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
addressing authenticator management; procedures addressing user identification and
authentication; system design documentation; list of system authenticator types; system
configuration settings and associated documentation; change control records associated
with managing system authenticators; system audit logs and records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#130|107]] '''
Identifiers are provided for users, processes acting on behalf of users, or devices (IA.L2-
3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used
individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
'''FURTHER DISCUSSION '''
Identifiers uniquely associate a user ID to an individual, group, role, or device.  Establish
guidelines and implement mechanisms to prevent identifiers from being reused for the
period of time established in the policy.
106
NIST SP 800-171A, pp. 32-33.
107
NIST SP 800-171 Rev. 2, p. 25.
''' '''
IA.L2-3.5.5 – Identifier Reuse
CMMC Assessment Guide – Level 2 | Version 2.13
123
'''Example <br />
'''As a system administrator, you maintain a central directory/domain that holds the accounts
for users, computers, and network devices. As part of your job, you issue unique usernames
(e.g., riley@acme.com) for the staff to access resources. When you issue staff computers you
also rename the computer to reflect to whom it is assigned (e.g., riley-laptop01). Riley has
recently left the organization,  so you must manage the former staff member’s account.
Incidentally, their replacement is also named Riley. In the directory, you do not assign the
previous account to the new user, as policy has defined an identifier reuse period of 24
months [a]. In accordance with policy, you create an account called riley02 [b]. This account
is assigned the appropriate permissions for the new user. A new laptop is also provided with
the identifier of riley02-laptop01.
'''Potential Assessment Considerations <br />
'''•
  Are accounts uniquely assigned to employees, contractors, and subcontractors [b]?
  Are account identifiers reused [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.5
<br />
''' '''
IA.L2-3.5.6 – Identifier Handling
CMMC Assessment Guide – Level 2 | Version 2.13
124
'''IA.L2-3.5.6 – IDENTIFIER HANDLING '''
Disable identifiers after a defined period of inactivity.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|108 ]]'''
Determine if: <br />
[a] a period of inactivity after which an identifier is disabled is defined; and <br />
[b] identifiers are disabled after the defined period of inactivity.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|A]108 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; procedures addressing identifier
management; procedures addressing account management; system security plan; system
design documentation; system configuration settings and associated documentation; list of
system accounts; list of identifiers generated from physical access control devices; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with identifier management responsibilities; personnel with
information security responsibilities; system or network administrators; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing identifier management].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#132|109]] '''
Inactive identifiers pose a risk to organizational information because attackers may exploit
an inactive identifier to gain undetected access to organizational devices. The owners of the
inactive accounts may not notice if unauthorized access to the account has been obtained.
'''FURTHER DISCUSSION '''
Identifiers are uniquely associated with an individual, account, process,  or device.  An
inactive identifier is one that has not been used for a defined extended period of time. For
example, a user account may be needed for a certain time to allow for transition of business
processes to existing or new staff. Once use of the identifier is no longer necessary, it should
be disabled as soon as possible. Failure to maintain awareness of accounts that are no longer
needed yet still active could allow an adversary to exploit IT services.
108
NIST SP 800-171A, p. 33.
109
NIST SP 800-171 Rev. 2, p. 25.
''' '''
IA.L2-3.5.6 – Identifier Handling
CMMC Assessment Guide – Level 2 | Version 2.13
125
'''Example <br />
'''One of your responsibilities  is to enforce  your company’s inactive account policy: any
account that has not been used in the last 45 days must be disabled [a]. You enforce this by
writing a script that runs once a day to check the last login date for each account and
generates a report of the accounts with no login records for the last 45 days. After reviewing
the report, you notify each inactive employee’s supervisor and disable the account [b].
'''Potential Assessment Considerations <br />
'''•
  Are user accounts or identifiers monitored for inactivity [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.6
''' '''
IA.L2-3.5.7 – Password Complexity
CMMC Assessment Guide – Level 2 | Version 2.13
126
'''IA.L2-3.5.7 – PASSWORD COMPLEXITY '''
Enforce a minimum password complexity and change of characters when new passwords
are created.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|110 ]]'''
Determine if: <br />
[a] password complexity requirements are defined; <br />
[b] password change of character requirements are defined; <br />
[c]  minimum password complexity requirements as defined are enforced when new
passwords are created; and
[d] minimum password change of character requirements as defined are enforced when
new passwords are created.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|A]110 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; password policy; procedures
addressing authenticator management; system security plan; system configuration settings
and associated documentation; system design documentation; password configurations and
associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#134|111]] '''
This requirement applies to single-factor authentication of individuals using passwords as
individual or group authenticators, and in a similar manner, when passwords are used as
part of multifactor authenticators. The number of changed characters refers to the number
of changes required with respect to the total number of positions in the current password.
To mitigate certain brute force attacks against passwords, organizations may also consider
salting passwords.
110
NIST SP 800-171A, pp. 33-34.
111
NIST SP 800-171 Rev. 2, p. 25.
''' '''
IA.L2-3.5.7 – Password Complexity
CMMC Assessment Guide – Level 2 | Version 2.13
127
'''FURTHER DISCUSSION '''
Password complexity means using different types of characters as well as a specified number
of characters. This applies to both the creation of new passwords and the modification of
existing passwords. Characters to manage complexity include numbers, lowercase and
uppercase letters, and symbols.  Minimum complexity requirements are left up to the
organization to define. Define the lowest level of password complexity required. Define the
number of characters that must be changed when an existing password is changed. Enforce
these rules for all passwords. Salting passwords adds a string of random characters (salt) to
a password prior to hashing. This ensures the randomness of the resulting hash value.
'''Example <br />
'''You work with management to define password complexity rules and ensure they are listed
in the company’s security policy. You define and enforce a minimum number of characters
for each password and ensure that a certain number of characters must be changed when
updating passwords [a,b]. Characters include numbers, lowercase and uppercase letters, and
symbols [a]. These rules help create hard-to-guess passwords, which help to secure your
network.
'''Potential Assessment Considerations <br />
'''•
  Is  a degree of complexity  specified  for passwords, (e.g., are account passwords a
minimum of 12 characters and a mix of upper/lower case, numbers,  and special
characters), including minimum requirements for each type [a,b,c]?
  Is a change of characters required when new passwords are created [d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.7
<br />
''' '''
IA.L2-3.5.8 – Password Reuse
CMMC Assessment Guide – Level 2 | Version 2.13
128
'''IA.L2-3.5.8 – PASSWORD REUSE '''
Prohibit password reuse for a specified number of generations.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|112 ]]'''
Determine if: <br />
[a] the number of generations during which a password cannot be reused is specified and <br />
[b] reuse of passwords is prohibited during the specified number of generations.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|A]112 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; password policy; procedures
addressing authenticator management; system security plan; system design documentation;
system configuration settings and associated documentation; password configurations and
associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing password-based authenticator
management capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#136|113]] '''
Password lifetime restrictions do not apply to temporary passwords.
'''FURTHER DISCUSSION '''
Individuals may not reuse their passwords for a defined period of time and a set number of
passwords generated.
'''Example <br />
'''You explain in your company’s security policy that changing passwords regularly provides
increased security by reducing the ability of adversaries to exploit stolen or purchased
passwords over an extended period. You define how often individuals can reuse their
passwords and the minimum number of password generations before reuse [a]. If a user
112
NIST SP 800-171A, p. 34.
113
NIST SP 800-171 Rev. 2, p. 25.
''' '''
IA.L2-3.5.8 – Password Reuse
CMMC Assessment Guide – Level 2 | Version 2.13
129
tries to reuse a password before the number of password generations has been exceeded, an
error message is generated, and the user is required to enter a new password [b].
'''Potential Assessment Considerations <br />
'''•
  How many generations of password changes need to take place before a password can
be reused [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.8
<br />
''' '''
IA.L2-3.5.9 – Temporary Passwords
CMMC Assessment Guide – Level 2 | Version 2.13
130
'''IA.L2-3.5.9 – TEMPORARY PASSWORDS '''
Allow temporary password use for system logons with an immediate change to a permanent
password.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|114 ]]'''
Determine if: <br />
[a] an immediate change to a permanent password is required when a temporary password
is used for system logon.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|A]114 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; password policy; procedures
addressing authenticator management; system security plan; system configuration settings
and associated documentation; system design documentation; password configurations and
associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators; system
developers].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing password-based authenticator
management capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#138|115]] '''
Changing temporary passwords to permanent passwords immediately after system logon
ensures that the necessary strength of the authentication mechanism is implemented at the
earliest opportunity, reducing the susceptibility to authenticator compromises.
'''FURTHER DISCUSSION '''
Users must change their temporary passwords the first time they log in.  Temporary
passwords often follow a consistent style within an organization and can be more easily
guessed than passwords created by the unique user. This approach to temporary passwords
should be avoided.
114
NIST SP 800-171A, p. 34.
115
NIST SP 800-171 Rev. 2, p. 25.
''' '''
IA.L2-3.5.9 – Temporary Passwords
CMMC Assessment Guide – Level 2 | Version 2.13
131
'''Example <br />
'''One of your duties as a systems administrator is to create accounts for new users. You
configure all systems with user accounts to require users to change a temporary password
upon initial login to a permanent password [a]. When a user logs on for the first time, they
are prompted to create a unique password that meets all of the defined complexity rules.
'''Potential Assessment Considerations <br />
'''•
  Are temporary passwords only valid to allow a user to perform a password reset [a]?
  Does the system enforce an immediate password change after logon when a temporary
password is issued [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.9
<br />
''' '''
IA.L2-3.5.10 – Cryptographically-Protected Passwords
CMMC Assessment Guide – Level 2 | Version 2.13
132
'''IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS '''
Store and transmit only cryptographically-protected passwords.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|116 ]]'''
Determine if: <br />
[a] passwords are cryptographically protected in storage; and <br />
[b] passwords are cryptographically protected in transit.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|A]116 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; system security plan; procedures
addressing authenticator management; procedures addressing user identification and
authentication; system design documentation; list of system authenticator types; system
configuration settings and associated documentation; change control records associated
with managing system authenticators; system audit logs and records; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with authenticator management responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing authenticator management
capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#140|117]] '''
Cryptographically-protected passwords use salted one-way cryptographic hashes of
passwords. <br />
See NIST Cryptographic Standards and Guidelines.
'''FURTHER DISCUSSION '''
All passwords must be cryptographically protected using a one-way function for storage and
transmission. This type of protection changes passwords into another form, or a hashed
password. A one-way transformation makes it theoretically impossible to turn the hashed
116
NIST SP 800-171A, pp. 34-35.
117
NIST SP 800-171 Rev. 2, pp. 25-26.
''' '''
IA.L2-3.5.10 – Cryptographically-Protected Passwords
CMMC Assessment Guide – Level 2 | Version 2.13
133
password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still
facilitate offline cracking of hashes.
'''Example <br />
'''You are responsible for managing passwords for your organization.  You protect all
passwords with a one-way transformation, or hashing, before storing them. Passwords are
never transmitted across a network unencrypted [a,b].
'''Potential Assessment Considerations <br />
'''•
  Are passwords prevented from being stored in reversible encryption form in any
company systems [a]?
  Are passwords stored as one-way hashes constructed from passwords [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.10
<br />
''' '''
IA.L2-3.5.11 – Obscure Feedback
CMMC Assessment Guide – Level 2 | Version 2.13
134
'''IA.L2-3.5.11 – OBSCURE FEEDBACK '''
Obscure feedback of authentication information.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|118 ]]'''
Determine if: <br />
[a] authentication information is obscured during the authentication process.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|A]118 ]]'''
'''Examine <br />
'''[SELECT FROM: Identification and authentication policy; procedures addressing
authenticator feedback; system security plan; system design documentation; system
configuration settings and associated documentation; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with information security responsibilities; system or network
administrators; system developers].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing the obscuring of feedback of
authentication information during authentication].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#142|119]] '''
The feedback from systems does not provide any information that would allow unauthorized
individuals to compromise authentication mechanisms. For some types of systems or system
components, for example, desktop or notebook computers with relatively large monitors,
the threat (often referred to as shoulder surfing) may be significant.  For  other types of
systems or components, for example, mobile devices with small displays, this threat may be
less significant, and is balanced against the increased likelihood of typographic input errors
due to the small keyboards. Therefore, the means for obscuring the authenticator feedback
is selected accordingly.  Obscuring authenticator feedback includes displaying asterisks
when users type passwords into input devices or displaying feedback for a very limited time
before fully obscuring it.
'''FURTHER DISCUSSION '''
Authentication information includes passwords. When users enter a password, the system
displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing
118
NIST SP 800-171A, p. 35.
119
NIST SP 800-171 Rev. 2, p. 26.
''' '''
IA.L2-3.5.11 – Obscure Feedback
CMMC Assessment Guide – Level 2 | Version 2.13
135
the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices
may briefly show characters before obscuring).
'''Example <br />
'''As a system administrator, you configure your systems to display an asterisk when users
enter their passwords into a computer system [a]. For mobile devices, the password
characters are briefly displayed to the user before being obscured. This prevents people from
figuring out passwords by looking over someone’s shoulder.
'''Potential Assessment Considerations <br />
'''•
  Is the feedback immediately obscured when the authentication is presented on a larger
display (e.g., desktop or notebook computers with relatively large monitors) [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.5.11
<br />
''' '''
IR.L2-3.6.1 – Incident Handling
CMMC Assessment Guide – Level 2 | Version 2.13
136
Incident Response (IR) <br />
'''IR.L2-3.6.1 – INCIDENT HANDLING '''
Establish an operational incident-handling capability for organizational systems that
includes preparation, detection, analysis, containment, recovery, and user response
activities.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|120 ]]'''
Determine if: <br />
[a] an operational incident-handling capability is established; <br />
[b] the operational incident-handling capability includes preparation; <br />
[c]  the operational incident-handling capability includes detection; <br />
[d] the operational incident-handling capability includes analysis; <br />
[e] the operational incident-handling capability includes containment; <br />
[f]  the operational incident-handling capability includes recovery; and <br />
[g] the operational incident-handling capability includes user response activities.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|A]120 ]]'''
'''Examine <br />
'''[SELECT FROM: Incident response policy; contingency planning policy; procedures
addressing incident handling; procedures addressing incident response assistance; incident
response plan; contingency plan; system security plan; procedures addressing incident
response training; incident response training curriculum; incident response training
materials; incident response training records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with incident handling responsibilities; personnel with
contingency planning responsibilities; personnel with incident response training and
operational  responsibilities; personnel with incident response assistance and support
responsibilities; personnel with access to incident response support and assistance
capability; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Incident-handling capability for the organization; organizational processes
for incident response assistance; mechanisms supporting or implementing incident
response assistance].
120
NIST SP 800-171A, p. 36.
''' '''
IR.L2-3.6.1 – Incident Handling
CMMC Assessment Guide – Level 2 | Version 2.13
137
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#145|121]] '''
Organizations recognize that incident handling capability is dependent on the capabilities of
organizational systems and the mission/business processes being supported by those
systems.  Organizations consider incident handling as part of the definition, design, and
development of mission/business processes and systems. Incident-related information can
be obtained from a variety of sources including audit monitoring, network monitoring,
physical access monitoring, user and administrator reports, and reported supply chain
events.  Effective incident handling capability includes coordination among many
organizational entities including mission/business owners, system owners, authorizing
officials, human resources offices, physical and personnel security offices, legal departments,
operations personnel, procurement offices, and the risk executive. <br />
As part of user response activities, incident response training is provided by organizations
and is linked directly to the assigned roles and responsibilities of organizational personnel
to ensure that the appropriate content and level of detail is included in such training. For
example, regular users may only need to know who to call or how to recognize an incident
on the system; system administrators may require additional training on how to handle or
remediate incidents; and incident responders may receive more specific training on
forensics, reporting, system recovery, and restoration. Incident response training includes
user training in the identification/reporting of suspicious activities from external and
internal sources. User response activities also includes incident response assistance which
may consist of help desk support, assistance groups, and access to forensics services or
consumer redress services, when required. <br />
NIST SP 800-61 provides guidance on incident handling. SP 800-86 and SP 800-101 provide
guidance on integrating forensic techniques into incident response. SP 800-161 provides
guidance on supply chain risk management.
'''FURTHER DISCUSSION '''
Incident handling capabilities prepare your organization to respond to incidents and may: <br />
  identify people inside and outside your organization you may need to contact during an
incident;
  establish a way to report incidents, such as an email address or a phone number;
  establish a system for tracking incidents; and
  determine a place and a way to store evidence of an incident.
Software and hardware may be required to analyze incidents when they occur. Incident
prevention activities are also part of an incident-handling capability. The incident-handling
team provides input for such things as risk assessments and training. <br />
OSAs detect incidents using different indicators. Indicators may include: <br />
  alerts from sensors or antivirus software;
121
NIST SP 800-171 Rev. 2, p. 26.
''' '''
IR.L2-3.6.1 – Incident Handling
CMMC Assessment Guide – Level 2 | Version 2.13
138
  a filename that looks unusual; and
  log entries that raise concern.
After detecting an incident, an incident response team performs analysis. This requires some
knowledge of normal network operations. The incident should be documented including all
the log entries associated with the incident. <br />
Containment of the incident is a critical step to stop the damage the incident is causing to
your network. Containment activities should be based on previously defined organizational
priorities and assessment of risk. <br />
Recovery activities restore systems to pre-incident functionality and address its underlying
causes. Organizations should use recovery activities as a means of improving their overall
resilience to future attacks.
'''Example <br />
'''Your manager asks you to set up your company’s incident-response capability [a]. First, you
create an email address to collect information on possible incidents. Next, you draft a contact
list of all the people who need to know when an incident occurs. You document a procedure
for how to submit incidents that includes roles and responsibilities when a potential incident
is detected or reported. The procedure also explains how to track incidents, from initial
creation to closure [b].
'''Potential Assessment Considerations <br />
'''•
  Is there an incident response policy which specifically outlines requirements for handling
of incidents involving CUI [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.6.1
''' '''
IR.L2-3.6.2 – Incident Reporting
CMMC Assessment Guide – Level 2 | Version 2.13
139
'''IR.L2-3.6.2 – INCIDENT REPORTING '''
Track, document, and report incidents to designated officials and/or authorities both
internal and external to the organization.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|122 ]]'''
Determine if: <br />
[a] incidents are tracked; <br />
[b] incidents are documented; <br />
[c]  authorities to whom incidents are to be reported are identified; <br />
[d] organizational officials to whom incidents are to be reported are identified; <br />
[e] identified authorities are notified of incidents; and <br />
[f]  identified organizational officials are notified of incidents.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|A]122 ]]'''
'''Examine <br />
'''[SELECT FROM: Incident response policy; procedures addressing incident monitoring;
incident response records and documentation; procedures addressing incident reporting;
incident reporting records and documentation; incident response plan; system security plan;
other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with incident monitoring responsibilities; personnel with
incident reporting responsibilities; personnel who have or should have reported incidents;
personnel (authorities) to whom incident information is to be reported; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Incident monitoring capability for the organization; mechanisms supporting
or implementing tracking and documenting of system security incidents; organizational
processes for incident reporting; mechanisms supporting or implementing incident
reporting].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#147|123]] '''
Tracking and documenting system security incidents includes maintaining records about
each incident, the status of the incident, and other pertinent information necessary for
122
NIST SP 800-171A, pp. 36-37.
123
NIST SP 800-171 Rev. 2, pp. 26-27.
''' '''
IR.L2-3.6.2 – Incident Reporting
CMMC Assessment Guide – Level 2 | Version 2.13
140
forensics, evaluating incident details, trends, and handling.  Incident information can be
obtained from a variety of sources including incident reports, incident response teams, audit
monitoring, network monitoring, physical access monitoring, and user/administrator
reports. Reporting incidents addresses specific incident reporting requirements within an
organization and the formal incident reporting requirements for the organization. Suspected
security incidents may also be reported and include the receipt of suspicious email
communications that can potentially contain malicious code. The types of security incidents
reported, the content and timeliness of the reports, and the designated reporting authorities
reflect applicable laws, Executive Orders, directives, regulations, and policies. <br />
NIST SP 800-61 provides guidance on incident handling.
'''FURTHER DISCUSSION '''
Incident handling is the actions the organization takes to prevent or contain the impact of an
incident to the organization while it is occurring or shortly after it has occurred. The majority
of the process consists of  incident  identification, containment, eradication, and recovery.
During this process, it is essential to track the work processes required in order to effectively
respond. Designate a central hub to serve as the point to coordinate, communicate, and track
activities. The hub should receive and document information from system administrators,
incident handlers, and others involved throughout the process.  As the incident process
moves toward eradication, executives, affected business units, and any required external
stakeholders should be kept aware of the incident in order to make decisions affecting the
business. Report to designated authorities, taking into account applicable laws, directives,
regulations, and other  guidance. Specify  staff  responsible for communicating about the
incident to internal and external stakeholders.
'''Example <br />
'''You notice unusual activity on a server and determine a potential security incident has
occurred. You open a tracking ticket with the Security Operations Center (SOC), which
assigns an incident handler to work the ticket [a]. The handler investigates and documents
initial findings, which lead to a determination that unauthorized access occurred on the
server  [b].  The SOC establishes an incident management  team consisting  of security,
database, network, and system administrators. The team meets daily to update progress and
plan courses of action to contain the incident [a]. At the end of the day, the team provides a
status report to IT executives [d,f]. Two days later, the team declares the incident contained.
The team produces a final report as the database system is rebuilt and placed back into
operation.
'''Potential Assessment Considerations <br />
'''•
  Is there an incident response policy that directs the establishment of requirements for
tracking and reporting of incidents involving CUI to appropriate officials [a,d]?
  Is cybersecurity incident information promptly reported to management [e,f]?
''' '''
IR.L2-3.6.2 – Incident Reporting
CMMC Assessment Guide – Level 2 | Version 2.13
141
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.6.2
''' '''
IR.L2-3.6.3 – Incident Response Testing
CMMC Assessment Guide – Level 2 | Version 2.13
142
'''IR.L2-3.6.3 – INCIDENT RESPONSE TESTING '''
Test the organizational incident response capability.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|124 ]]'''
Determine if: <br />
[a] the incident response capability is tested.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|A]124 ]]'''
'''Examine <br />
'''[SELECT FROM: Incident response policy; contingency planning policy; procedures
addressing incident response testing; procedures addressing contingency plan testing;
incident response testing material; incident response test results; incident response test
plan; incident response plan; contingency plan; system security plan; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with incident response testing responsibilities; personnel with
information security responsibilities; personnel with responsibilities for testing plans
related to incident response].
'''Test <br />
'''[SELECT FROM: Mechanisms and processes for incident response].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#150|125]] '''
Organizations test incident response capabilities to determine the effectiveness of the
capabilities and to identify potential weaknesses or deficiencies. Incident response testing
includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel
and full interrupt), and comprehensive exercises. Incident response testing can also include
a determination of the effects on organizational operations (e.g., reduction in mission
capabilities), organizational assets, and individuals due to incident response. <br />
NIST SP 800-84 provides guidance on testing programs for information technology
capabilities.
'''FURTHER DISCUSSION '''
Testing incident response capability validates existing plans and  highlights potential
deficiencies. The test should address questions such as what happens during an incident;
124
NIST SP 800-171A, p. 37.
125
NIST SP 800-171 Rev. 2, p. 27.
''' '''
IR.L2-3.6.3 – Incident Response Testing
CMMC Assessment Guide – Level 2 | Version 2.13
143
who is responsible for incident management;  what tasks are assigned within the IT
organization;  what support is  needed from legal, public affairs, or other business
components;  how resources are added  if needed during the incident;  and how law
enforcement is involved. Any negative impacts to the normal day-to-day operations when
responding to an incident should also be identified and documented.
'''Example <br />
'''You decide to conduct an incident response table top exercise that simulates an attacker
gaining access to the network through a compromised server. You include relevant IT staff
such as security, database, network, and system administrators  as participants.  You also
request representatives from legal, human resources, and communications. You provide a
scenario to the group and have prepared key questions aligned with the response plans to
guide the exercise. During the exercise, you focus on how the team executes the incident
response plan. Afterward, you conduct a debrief with everyone that was involved to provide
feedback and develop improvements to the incident response plan [a].
'''Potential Assessment Considerations <br />
'''•
  Does the incident response policy outline requirements for regular incident response
plan testing and reviews of incident response capabilities [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.6.3
''' '''
MA.L2-3.7.1 – Perform Maintenance
CMMC Assessment Guide – Level 2 | Version 2.13
144
Maintenance (MA) <br />
'''MA.L2-3.7.1 – PERFORM MAINTENANCE '''
Perform maintenance on organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|126 ]]'''
Determine if: <br />
[a] system maintenance is performed.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|A]126 ]]'''
'''Examine <br />
'''[SELECT FROM: System maintenance policy; procedures addressing controlled system
maintenance; maintenance records; manufacturer or vendor maintenance specifications;
equipment sanitization records; media sanitization records; system security plan; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
information security responsibilities; personnel responsible for media sanitization; system
or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for scheduling, performing, documenting,
reviewing, approving, and monitoring maintenance and repairs for systems; organizational
processes for sanitizing  system components; mechanisms supporting or implementing
controlled maintenance; mechanisms implementing sanitization of system components].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|127]] '''
This requirement addresses the information security aspects of the system maintenance
program and applies to all types of maintenance to any system component (including
hardware, firmware, applications) conducted by any local or nonlocal entity.  System
maintenance also includes those components not directly associated with information
processing and data or information retention such as scanners, copiers, and printers.
126
NIST SP 800-171A, p. 38.
127
NIST SP 800-171 Rev. 2, p. 27.
''' '''
MA.L2-3.7.1 – Perform Maintenance
CMMC Assessment Guide – Level 2 | Version 2.13
145
'''FURTHER DISCUSSION '''
One common form of computer security maintenance is regular patching of discovered
vulnerabilities in software and operating systems, though there  are others that require
attention. <br />
System maintenance includes: <br />
  corrective maintenance (e.g., repairing problems with the technology);
  preventative maintenance (e.g., updates to prevent potential problems);
  adaptive maintenance (e.g., changes to the operative environment); and
  perfective maintenance (e.g., improve operations).
'''Example <br />
'''You are responsible for maintenance activities on your company’s machines. This includes
regular planned maintenance, unscheduled maintenance, reconfigurations when required,
and damage repairs [a]. You know that failing to conduct maintenance activities can impact
system security and availability, so you ensure that maintenance is regularly performed. You
track all maintenance performed to assist with troubleshooting later if needed.
'''Potential Assessment Considerations <br />
'''•
  Are systems, devices, and supporting systems maintained per manufacturer
recommendations or company defined schedules [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.7.1
<br />
''' '''
MA.L2-3.7.2 – System Maintenance Control
CMMC Assessment Guide – Level 2 | Version 2.13
146
'''MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL '''
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct
system maintenance.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|128 ]]'''
Determine if: <br />
[a] tools used to conduct system maintenance are controlled; <br />
[b] techniques used to conduct system maintenance are controlled; <br />
[c]  mechanisms used to conduct system maintenance are controlled; and <br />
[d] personnel used to conduct system maintenance are controlled.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|A]128 ]]'''
'''Examine <br />
'''[SELECT FROM: System maintenance policy; procedures addressing system maintenance
tools and media; maintenance records;  system maintenance tools and associated
documentation; maintenance tool inspection records; system security plan; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for approving, controlling, and monitoring
maintenance tools; mechanisms supporting or implementing approval, control, and
monitoring of maintenance tools; organizational processes for inspecting maintenance tools;
mechanisms supporting or implementing inspection of maintenance tools; organizational
process for inspecting media for malicious code; mechanisms supporting or implementing
inspection of media used for maintenance].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#154|129]] '''
This requirement addresses security-related issues with maintenance tools that are not
within the organizational system boundaries that process, store, or transmit CUI, but are
used specifically for diagnostic and repair actions on those systems.  Organizations have
flexibility in determining the controls in place for maintenance tools, but can include
approving, controlling, and monitoring the use of such tools. Maintenance tools are potential
128
NIST SP 800-171A, p. 38.
129
NIST SP 800-171 Rev. 2, pp. 27-28.
''' '''
MA.L2-3.7.2 – System Maintenance Control
CMMC Assessment Guide – Level 2 | Version 2.13
147
vehicles for transporting malicious code, either intentionally or unintentionally, into a
facility and into organizational systems. Maintenance tools can include hardware, software,
and firmware items, for example, hardware and software diagnostic test equipment and
hardware and software packet sniffers.
'''FURTHER DISCUSSION '''
Tools used to perform maintenance must remain secure so they do not introduce viruses or
other malware into your system. Controlling  your maintenance techniques prevents
intentional or unintentional harm to your network and systems. Additionally, the personnel
responsible for maintenance activities should be supervised considering their elevated
privilege on company assets.
'''Example <br />
'''You are responsible for maintenance activities on your company’s machines.  To avoid
introducing additional vulnerability into the systems you are maintaining, you make sure
that all maintenance tools are approved and their usage is monitored and controlled [a,b].
You ensure the tools are kept current and up-to-date [a]. You and your backup are the only
people authorized to use these tools and perform system maintenance [d].
'''Potential Assessment Considerations <br />
'''•
  Are  physical or logical access controls used  to limit access to maintenance tools to
authorized personnel [a]?
  Are physical or logical access controls used to limit access to system documentation and
organizational maintenance process documentation to authorized personnel [b]?
  Are physical or logical access controls used to limit access to automated mechanisms
(e.g., automated scripts, scheduled jobs) to authorized personnel [c]?
  Are physical or logical access controls used to limit access to the system entry points that
enable maintenance (e.g., administrative portals, local and remote console access, and
physical equipment panels) to authorized personnel [d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.7.2
<br />
''' '''
MA.L2-3.7.3 – Equipment Sanitization
CMMC Assessment Guide – Level 2 | Version 2.13
148
'''MA.L2-3.7.3 – EQUIPMENT SANITIZATION '''
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|130 ]]'''
Determine if: <br />
[a] equipment to be removed from organizational spaces for off-site maintenance is
sanitized of any CUI.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|A]130 ]]'''
'''Examine <br />
'''[SELECT FROM: System maintenance policy; procedures addressing controlled system
maintenance; maintenance records; manufacturer or vendor maintenance specifications;
equipment sanitization records; media sanitization records; system security plan; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
information security responsibilities; personnel responsible for media sanitization; system
or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for scheduling, performing, documenting,
reviewing, approving, and monitoring maintenance and repairs for systems; organizational
processes for sanitizing system components; mechanisms supporting or implementing
controlled maintenance; mechanisms implementing sanitization of system components].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#156|131]] '''
This requirement addresses the information security aspects of system maintenance that are
performed off-site and applies to all types of maintenance  to any system component
(including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty,
in-house, software maintenance agreement). <br />
NIST SP 800-88 provides guidance on media sanitization.
'''FURTHER DISCUSSION '''
Sanitization is a process that makes access to data infeasible on media such as a hard drive.
The process may overwrite the entire media with a fixed pattern such as binary zeros. In
130
NIST SP 800-171A, p. 39.
131
NIST SP 800-171 Rev. 2, p. 28.
''' '''
MA.L2-3.7.3 – Equipment Sanitization
CMMC Assessment Guide – Level 2 | Version 2.13
149
addition to clearing the data an organization could purge (e.g., degaussing, secure erasing, or
disassembling) the data, or even destroy the media (e.g.,  incinerating, shredding, or
pulverizing). Performing one of these activities ensures that the data is extremely hard to
recover, thus ensuring its confidentiality. <br />
For additional guidance on which specific sanitization actions should be taken on any specific
type of media, review the description of the Purge actions given in NIST SP 800-88 Revision
1 – Guidelines for Media Sanitization.
'''Example <br />
'''You manage your organization’s IT equipment. A recent DoD project has been using a storage
array to house CUI. Recently, the array has experienced disk issues. After troubleshooting
with the vendor, they recommend several drives be replaced in the array. Knowing the drives
may  contain  CUI,  you  reference NIST 800-88 Rev. 1 and determine a strategy you can
implement on the defective equipment – processing the drives with a degaussing unit [a].
Once all the drives have been wiped, you document the action and ship the faulty drives to
the vendor.
'''Potential Assessment Considerations <br />
'''•
  Is there a process for sanitizing (e.g., erasing, wiping, degaussing) equipment that was
used to store, process, or transmit CUI before it is removed from the facility for off-site
maintenance (e.g., manufacturer or contracted maintenance support) [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.7.3
''' '''
MA.L2-3.7.4 – Media Inspection
CMMC Assessment Guide – Level 2 | Version 2.13
150
'''MA.L2-3.7.4 – MEDIA INSPECTION '''
Check media containing diagnostic and test programs for malicious code before the media
are used in organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|132 ]]'''
Determine if: <br />
[a] media containing diagnostic and test programs are checked for malicious code before
being used in organizational systems that process, store, or transmit CUI.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|A]132 ]]'''
'''Examine '''
[SELECT FROM: System maintenance policy; procedures addressing system maintenance
tools; system maintenance tools and associated documentation; maintenance records;
system security plan; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational process for inspecting media for malicious code;
mechanisms supporting or implementing inspection of media used for maintenance].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#158|133]] '''
If, upon inspection of media containing maintenance diagnostic and test programs,
organizations determine that the media contain malicious code, the incident is handled
consistent with incident handling policies and procedures.
'''FURTHER DISCUSSION '''
As part of troubleshooting, a vendor may provide a diagnostic application to install on a
system. As this is executable code, there is a chance that the file is corrupt or infected with
malicious code. Implement procedures to scan any files prior to installation. The same level
of scrutiny must be made as with any file a staff member may download. <br />
This requirement, MA.L2-3.7.4, extends both SI.L2-3.14.2 and SI.L2-3.14.4. SI.L2-3.14.2 and
SI.L2-3.14.4 require the implementation and updating of mechanisms to protect systems
132
NIST SP 800-171A, p. 39.
133
NIST SP 800-171 Rev. 2, p. 28.
''' '''
MA.L2-3.7.4 – Media Inspection
CMMC Assessment Guide – Level 2 | Version 2.13
151
from malicious code, and MA.L2-3.7.4 extends this requirement to diagnostic and testing
tools.
'''Example <br />
'''You  have  recently been experiencing performance issues on one of your servers.  After
troubleshooting for much of the morning, the vendor has asked to install a utility that will
collect more data from the server. The file is stored on the vendor’s FTP server. The support
technician gives you the FTP site so you can anonymously download the utility file. You also
ask him for a hash of the utility file. As you download the file to your local computer, you
realize it is compressed.  You  unzip the file and perform a manual  antivirus  scan, which
reports no issues [a]. To verify the utility file has not been altered, you run an application to
see that the hash from the vendor matches.
'''Potential Assessment Considerations <br />
'''•
  Are media containing diagnostic and test programs (e.g., downloaded or copied utilities
or tools from manufacturer, third-party, or in-house support teams) checked  for
malicious code (e.g., using antivirus or antimalware scans) before the media are used on
organizational systems [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.7.4
''' '''
MA.L2-3.7.5 – Nonlocal Maintenance
CMMC Assessment Guide – Level 2 | Version 2.13
152
'''MA.L2-3.7.5 – NONLOCAL MAINTENANCE '''
Require multifactor authentication to establish nonlocal maintenance sessions via external
network connections and terminate such connections when nonlocal maintenance is
complete.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|134 ]]'''
Determine if: <br />
[a] multifactor authentication is used to establish nonlocal maintenance sessions via
external network connections; and
[b] nonlocal maintenance sessions established via external network connections are
terminated when nonlocal maintenance is complete.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|A]134 ]]'''
'''Examine <br />
'''[SELECT FROM: System maintenance policy; procedures addressing nonlocal system
maintenance; system security plan; system design documentation; system configuration
settings and associated documentation; maintenance records; diagnostic records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms
implementing, supporting, and managing nonlocal maintenance; mechanisms for strong
authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating
nonlocal maintenance sessions and network connections].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#160|135]] '''
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals
communicating through an external network. The authentication techniques employed in
the establishment of these nonlocal maintenance and diagnostic sessions reflect the network
access requirements in IA.L2-3.5.3.
134
NIST SP 800-171A, pp. 39-40.
135
NIST SP 800-171 Rev. 2, p. 28.
''' '''
MA.L2-3.7.5 – Nonlocal Maintenance
CMMC Assessment Guide – Level 2 | Version 2.13
153
'''FURTHER DISCUSSION '''
Nonlocal maintenance activities must use multifactor authentication.  Multifactor
authentication requires at least two factors, such as: <br />
  something you know (e.g., password, personal identification number [PIN]);
  something you have (e.g., cryptographic identification device, token); or
  something you are (e.g., biometric fingerprint or facial scan).
Requiring two or more factors to prove your identity increases the security of the
connection. Nonlocal maintenance activities are activities conducted from external network
connections such as over the internet. After nonlocal maintenance activities are complete,
shut down the external network connection. <br />
This  requirement,  MA.L2-3.7.5  specifies  the addition of multifactor authentication for
remote maintenance sessions and complements five other requirements  dealing with
remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and IA.L2-3.5.3): <br />
  AC.L2-3.1.12 requires the control of remote access sessions.
  AC.L2-3.1.14 limits remote access to specific access control points.
  AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote
sessions.
  AC.L2-3.1.15 requires authorization for privileged commands executed during a remote
session.
  Finally,  IA.L2-3.5.3  requires multifactor authentication for network access to non-
privileged accounts.
'''Example <br />
'''You are responsible for maintaining your company’s firewall. In order to conduct
maintenance while working remotely, you connect to the firewall’s management interface
and log in using administrator credentials. The firewall then sends a verification request to
the multifactor authentication app on your smartphone [a]. You need both of these things to
prove your identity [a]. After you respond to the multifactor challenge, you have access to
the maintenance interface. When you finish your activities, you shut down the remote
connection by logging out and quitting your web browser [b].
'''Potential Assessment Considerations <br />
'''•
  Is multifactor authentication required prior to maintenance of a system when connecting
remotely from outside the system boundary [a]?
  Are personnel required to manually terminate remote maintenance sessions established
via external network connections when maintenance is complete,  or are connections
terminated automatically through system session management mechanisms [b]?
''' '''
MA.L2-3.7.5 – Nonlocal Maintenance
CMMC Assessment Guide – Level 2 | Version 2.13
154
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.7.5
''' '''
MA.L2-3.7.6 – Maintenance Personnel
CMMC Assessment Guide – Level 2 | Version 2.13
155
'''MA.L2-3.7.6 – MAINTENANCE PERSONNEL '''
Supervise the maintenance activities of maintenance  personnel without required access
authorization.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|136 ]]'''
Determine if: <br />
[a] maintenance personnel without required access authorization are supervised during
maintenance activities.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|A]136 ]]'''
'''Examine <br />
'''[SELECT FROM: System maintenance policy; procedures addressing maintenance personnel;
service provider contracts; service-level agreements; list of authorized personnel;
maintenance records; access control records; system security plan; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system maintenance responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for authorizing and managing maintenance
personnel; mechanisms supporting or implementing authorization of maintenance
personnel].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#163|137]] '''
This requirement applies to individuals who are performing hardware or software
maintenance on organizational systems, while PE.L2-3.10.1 addresses physical access for
individuals whose maintenance duties place them within the physical protection perimeter
of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not
previously identified as authorized maintenance personnel, such as information technology
manufacturers, vendors, consultants, and systems integrators, may require privileged access
to organizational systems, for example, when required to conduct maintenance activities
with little or no notice. Organizations may choose to issue temporary credentials to these
individuals based on organizational risk assessments.  Temporary credentials may be for
one-time use or for very limited time periods.
136
NIST SP 800-171A, p. 40.
137
NIST SP 800-171 Rev. 2, p. 28.
''' '''
MA.L2-3.7.6 – Maintenance Personnel
CMMC Assessment Guide – Level 2 | Version 2.13
156
'''FURTHER DISCUSSION '''
Individuals without proper permissions must be supervised while conducting maintenance
on organizational machines. Consider creating temporary accounts with short-term
expiration periods rather than regular user accounts. Additionally, limit the permissions and
access these accounts have to the most restrictive settings possible.
'''Example <br />
'''One of your software providers has to come on-site to update the software on your
company’s computers. You give the individual a temporary logon and password that expires
in 12 hours and is limited to accessing only the computers necessary to complete the work
[a]. This gives the technician access long enough to perform the update. You monitor the
individual’s physical and network activity while the maintenance is taking place [a] and
revoke access when the job is done.
'''Potential Assessment Considerations <br />
'''•
  Are there  processes  for escorting and supervising maintenance personnel without
required access authorization (e.g., vendor support personnel, short-term maintenance
contractors) during system maintenance [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.7.6
''' '''
MP.L2-3.8.1 – Media Protection
CMMC Assessment Guide – Level 2 | Version 2.13
157
Media Protection (MP) <br />
'''MP.L2-3.8.1 – MEDIA PROTECTION '''
Protect (i.e., physically control and securely store) system media containing CUI, both paper
and digital.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|138 ]]'''
Determine if: <br />
[a] paper media containing CUI is physically controlled; <br />
[b] digital media containing CUI is physically controlled; <br />
[c]  paper media containing CUI is securely stored; and <br />
[d] digital media containing CUI is securely stored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|A]138 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; procedures addressing media storage;
procedures addressing media access restrictions; access control policy and procedures;
physical and environmental protection policy and procedures; system security plan; media
storage facilities; access control records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system media protection responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for restricting information media; mechanisms
supporting or implementing media access restrictions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|139]] '''
System media includes digital and non-digital media.  Digital media includes diskettes,
magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and
digital video disks. Non-digital media includes paper and microfilm. Protecting digital media
includes limiting access to design specifications stored on compact disks or flash drives in
the media library to the project leader and any individuals on the development team.
Physically controlling system media includes conducting inventories, maintaining
138
NIST SP 800-171A, p. 41.
139
NIST SP 800-171 Rev. 2, p. 29.
''' '''
MP.L2-3.8.1 – Media Protection
CMMC Assessment Guide – Level 2 | Version 2.13
158
accountability for stored media, and ensuring procedures are in place to allow individuals to
check out and return media to the media library. Secure storage includes a locked drawer,
desk, or cabinet, or a controlled media library. <br />
Access to CUI on system media can be limited by physically controlling such media, which
includes conducting inventories, ensuring procedures are in place to allow individuals to
check out and return media to the media library, and maintaining accountability for all
stored media. <br />
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
'''FURTHER DISCUSSION '''
CUI can be contained on two types of physical media: <br />
  hardcopy (e.g., CD drives, USB drives, magnetic tape); and
  digital devices (e.g., CD drives, USB drives, video).
You should store physical media containing CUI in a secure location. This location should be
accessible only to those people with the proper permissions.  All who access CUI should
follow the process for checking it out and returning it.
'''Example <br />
'''Your company has CUI for a specific Army contract contained on a USB drive. You store the
drive in a locked drawer, and you log it on an inventory [d]. You establish a procedure to
check out the USB drive so you have a history of who is accessing it. These procedures help
to maintain the confidentiality, integrity, and availability of the data.
'''Potential Assessment Considerations <br />
'''•
  Is hardcopy media containing CUI handled only by authorized personnel according to
defined procedures [a]?
  Is  digital media containing CUI handled only by authorized personnel according to
defined procedures [b]?
  Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]?
  Is digital media containing CUI securely stored (e.g., in access-controlled repositories)
[d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.1
''' '''
MP.L2-3.8.2 – Media Access
CMMC Assessment Guide – Level 2 | Version 2.13
159
'''MP.L2-3.8.2 – MEDIA ACCESS '''
Limit access to CUI on system media to authorized users.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|140 ]]'''
Determine if: <br />
[a] access to CUI on system media is limited to authorized users.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|A]140 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; procedures addressing media storage;
physical and environmental protection policy and procedures; access control policy and
procedures; system security plan; system media; designated controlled areas; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system media protection and storage responsibilities;
personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for storing media; mechanisms supporting or
implementing secure media storage and media protection].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#167|141]] '''
Access can be limited by physically controlling system media and secure storage  areas.
Physically controlling system media includes conducting inventories, ensuring procedures
are in place to allow individuals to check out and return system media to the media library,
and maintaining accountability for all stored media. Secure storage includes a locked drawer,
desk, or cabinet, or a controlled media library.
'''FURTHER DISCUSSION '''
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled
storage areas and limit access to only those allowed to access CUI. Keep track of who accesses
physical CUI in an audit log.
140
NIST SP 800-171A, p. 41.
141
NIST SP 800-171 Rev. 2, p. 29.
''' '''
MP.L2-3.8.2 – Media Access
CMMC Assessment Guide – Level 2 | Version 2.13
160
'''Example <br />
'''Your company has CUI for a specific Army contract contained on a USB drive. In order to
control the data, you establish specific procedures for handling the drive. You designate the
project manager as the owner of the data and require anyone who needs access to the data
to get permission from the data owner [a]. The data owner maintains a list of users that are
authorized to access the information. Before an authorized individual can get access to the
USB drive that contains the CUI they have to fill out a log and check out the drive. When they
are done with the data, they check in the drive and return it to its secure storage location.
'''Potential Assessment Considerations <br />
'''•
  Is  a list of users who are authorized to access the CUI contained on system media
maintained [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.2
''' '''
MP.L2-3.8.3 – Media Disposal [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
161
'''MP.L2-3.8.3 – MEDIA DISPOSAL [CUI DATA] '''
Sanitize or destroy system media containing CUI before disposal or release for reuse.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|142 ]]'''
Determine if: <br />
[a] system media containing CUI is sanitized or destroyed before disposal; and <br />
[b] system media containing CUI is sanitized before it is released for reuse.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|A]142 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; procedures addressing media sanitization
and disposal; applicable standards and policies addressing media sanitization; system
security plan; media sanitization records; system audit logs and records; system design
documentation; system configuration settings and associated documentation; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with media sanitization responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or
implementing media sanitization].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#169|143]] '''
This requirement applies to all system media, digital and non-digital, subject to disposal or
reuse. Examples include: digital media found in workstations, network components,
scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media
such as paper and microfilm. The sanitization process removes information from the media
such that the information cannot be retrieved or reconstructed. Sanitization techniques,
including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of
information to unauthorized individuals when such media is released for reuse or disposal.
Organizations determine the appropriate sanitization methods, recognizing that destruction
may be necessary when other methods cannot be applied to the media requiring sanitization. <br />
Organizations use discretion on the employment of sanitization techniques and procedures
for media containing information that is in the public domain or publicly releasable or
deemed to have no adverse impact on organizations or individuals if released for reuse or
142
NIST SP 800-171A, pp. 41-42.
143
NIST SP 800-171 Rev. 2, p. 29.
''' '''
MP.L2-3.8.3 – Media Disposal [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
162
disposal. Sanitization of non-digital media includes destruction, removing CUI from
documents, or redacting selected sections or words from a document by obscuring the
redacted sections or words in a manner equivalent in effectiveness to removing the words
or sections from the document. NARA policy and guidance control sanitization processes.
NIST SP 800-88 provides guidance on media sanitization.
'''FURTHER DISCUSSION '''
“Media” refers to a broad range of items that store information, including paper documents,
disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important
to know what information is on media so that you can handle it properly. If there is CUI, you
or someone in your company should either: <br />
  shred or destroy the device before disposal so it cannot be read; or 
  clean or purge the information, if you want to reuse the device.
See NIST Special Publication 800-88, Revision 1, ''Guidelines for Media Sanitization'', for more
information.
'''Example <br />
'''As you pack for an office move, you find some old CDs in a file cabinet. You determine that
one has information about an old project your company did for the DoD. You shred the CD
rather than simply throwing it in the trash [a].
'''Potential Assessment Considerations <br />
'''•
  Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure
that no usable data is retrievable [a,b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.3
  FAR Clause 52.204-21 b.1.vii
''' '''
''' '''
MP.L2-3.8.4 – Media Markings
CMMC Assessment Guide – Level 2 | Version 2.13
163
'''MP.L2-3.8.4 – MEDIA MARKINGS '''
Mark media with necessary CUI markings and distribution limitations.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|144 ]]'''
Determine if: <br />
[a] media containing CUI is marked with applicable CUI markings; and <br />
[b] media containing CUI is marked with distribution limitations.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|A]144 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; procedures addressing media marking;
physical and environmental protection policy and procedures; system security plan; list of
system media marking security attributes; designated controlled areas; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system media protection and marking responsibilities;
personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for marking information media; mechanisms
supporting or implementing media marking].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|145]] '''
The term security marking refers to the application or use of human-readable security
attributes. System media includes digital and non-digital media. Marking of system media
reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
'''FURTHER DISCUSSION '''
All media, hardcopy and digital, must be properly marked to alert individuals to the presence
of CUI stored on the media. The National Archives and Records Administration (NARA) has
published guidelines for labeling media of different sizes.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#171|146 <br />
]]MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it
desirable to include ownership information on the device label as well.
144
NIST SP 800-171A, p. 42.
145
NIST SP 800-171 Rev. 2, p. 30.
146
NARA, ''CUI Notice 2019-01: Controlled Unclassified Information (CUI) Coversheets and Labels''
''' '''
MP.L2-3.8.4 – Media Markings
CMMC Assessment Guide – Level 2 | Version 2.13
164
'''Example <br />
'''You were recently contacted by the project team for a new DoD program. The team said they
wanted the CUI in use for the program to be properly protected. When speaking with them,
you realize that most of the protections will be provided as part of existing enterprise
cybersecurity capabilities. They also mentioned that the project team will use several USB
drives to share  specific data.  You explain that  the team must ensure the USB drives are
externally marked to indicate the presence of CUI [a]. The project team labels the outside of
each USB drive with an appropriate CUI  label following NARA guidance [a].  Further, the
labels indicate that distribution is limited to those employees supporting the DoD program
[a].
'''Potential Assessment Considerations <br />
'''•
  Are all media containing CUI identified [a,b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.4
''' '''
MP.L2-3.8.5 – Media Accountability
CMMC Assessment Guide – Level 2 | Version 2.13
165
'''MP.L2-3.8.5 – MEDIA ACCOUNTABILITY '''
Control access to media containing CUI and maintain accountability for media during
transport outside of controlled areas.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|147 ]]'''
Determine if: <br />
[a] access to media containing CUI is controlled; and <br />
[b] accountability for media containing CUI is maintained during transport outside of
controlled areas.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|A]147 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; procedures addressing media storage;
physical and environmental protection policy and procedures; access control policy and
procedures; system security plan; system media; designated controlled areas; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system  media protection and storage responsibilities;
personnel with information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for storing media; mechanisms supporting or
implementing media storage and media protection].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#173|148]] '''
Controlled areas are areas or spaces for which organizations provide physical or procedural
controls to meet the requirements established for protecting systems and information.
Controls to maintain accountability for media during transport include locked containers
and cryptography.  Cryptographic mechanisms can provide confidentiality and integrity
protections depending upon the mechanisms used.  Activities associated with transport
include the actual transport as well as those activities such as releasing media for transport
and ensuring that media enters the appropriate transport processes.  For the actual
transport, authorized transport and courier personnel may include individuals external to
the organization. Maintaining accountability of media during transport includes restricting
transport activities to authorized personnel and tracking and obtaining explicit records of
147
NIST SP 800-171A, p. 42.
148
NIST SP 800-171 Rev. 2, p. 30.
''' '''
MP.L2-3.8.5 – Media Accountability
CMMC Assessment Guide – Level 2 | Version 2.13
166
transport activities as the media moves through the transportation system to prevent and
detect loss, destruction, or tampering.
'''FURTHER DISCUSSION '''
CUI is protected in both physical and digital formats. Physical control can be accomplished
using traditional concepts like restricted access to physical locations or locking papers in a
desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be
stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on.  This
makes digital CUI data very portable. It is important for an organization to apply mechanisms
to prevent unauthorized access to CUI due to ease of transport.''' '''
'''Example <br />
'''Your team has recently completed configuring a server for a DoD customer. The customer
has asked that it be ready to plug in and use. An application installed on the server contains
data that is considered CUI. You box the server for shipment using tamper-evident packaging
and label it with the specific recipient for the shipment [b]. You select a reputable shipping
service so you will get a tracking number to monitor the progress. Once the item is shipped,
you send the recipients the tracking number so they can monitor and ensure prompt delivery
at their facility.
'''Potential Assessment Considerations <br />
'''•
  Do only approved individuals have access to media containing CUI [a]?
  Is access to the media containing CUI recorded in an audit log [b]?
  Is all CUI data on media encrypted or physically locked prior to transport outside of
secure locations [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.5
''' '''
MP.L2-3.8.6 – Portable Storage Encryption
CMMC Assessment Guide – Level 2 | Version 2.13
167
'''MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION '''
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital
media during transport unless otherwise protected by alternative physical safeguards.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|149 ]]'''
Determine if: <br />
[a] the confidentiality of CUI stored on digital media is protected during transport using
cryptographic mechanisms or alternative physical safeguards.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|A]149 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; procedures addressing media transport;
system  design documentation; system security plan; system configuration settings and
associated documentation; system media transport records; system audit logs and records;
other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system media  transport responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Cryptographic mechanisms protecting information on digital media during
transportation outside controlled areas].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#175|150]] '''
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video
disks, compact disks, external or removable hard disk drives). <br />
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
'''FURTHER DISCUSSION '''
CUI can be stored and transported on a variety of portable media, which increases the chance
that the CUI can be lost. When identifying the paths CUI flows through your company, identify
devices to include in this requirement.
149
NIST SP 800-171A, p. 43.
150
NIST SP 800-171 Rev. 2, p. 30.
''' '''
MP.L2-3.8.6 – Portable Storage Encryption
CMMC Assessment Guide – Level 2 | Version 2.13
168
To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect
the data. Even if the media are lost, proper encryption renders the data inaccessible. When
encryption is not an option, apply alternative physical safeguards during transport. <br />
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
This requirement, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-
3.8.5. This requirement  is intended to protect against situations where control of media
access fails, such as through the loss of the media.
'''Example <br />
'''You manage the backups for file servers in your datacenter. You know that in addition to the
company’s sensitive information, CUI''' '''is stored on the file servers. As part of a broader plan
to protect data, you send the backup tapes off site to a vendor. You are aware that your
backup software provides the option to encrypt data onto tape. You develop a plan to test
and enable backup encryption for the data sent off site. This encryption provides additional
protections for the data on the backup tapes during transport and offsite storage [a].
'''Potential Assessment Considerations <br />
'''•
  Are all CUI data on media encrypted or physically protected prior to transport outside of
controlled areas [a]?
  Are cryptographic mechanisms used to protect digital media during transport outside of
controlled areas [a]?
  Do cryptographic mechanisms comply with FIPS 140-2 [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.6
''' '''
MP.L2-3.8.7 – Removeable Media
CMMC Assessment Guide – Level 2 | Version 2.13
169
'''MP.L2-3.8.7 – REMOVEABLE MEDIA '''
Control the use of removable media on system components.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|151 ]]'''
Determine if: <br />
[a] the use of removable media on system components is controlled.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|A]151 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; system use policy; procedures addressing
media usage restrictions; system security plan; rules of behavior; system design
documentation; system configuration settings and associated documentation; system audit
logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system media use responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for media use; mechanisms restricting or
prohibiting use of system media on systems or system components].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#177|152]] '''
In contrast to requirement MP.L2-3.8.1, which restricts user access to media, this
requirement restricts the use of certain types of media on systems, for example, restricting
or prohibiting the use of flash drives or external hard disk drives. Organizations can employ
technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to
control the use of system media.  Organizations may control the use of portable storage
devices, for example, by using physical cages on workstations to prohibit access to certain
external ports, or disabling or removing the ability to insert, read, or write to such devices. <br />
Organizations may also limit the use of portable storage devices to only approved devices
including devices provided by the organization, devices provided by other approved
organizations, and devices that are not personally owned. Finally, organizations may control
the use of portable storage devices based on the type of device, prohibiting the use of
writeable, portable devices, and implementing this restriction by disabling or removing the
capability to write to such devices. Malicious code protection mechanisms include anti-virus
signature definitions and reputation-based technologies. Many technologies and methods
151
NIST SP 800-171A, p. 43.
152
NIST SP 800-171 Rev. 2, pp. 30-31.
''' '''
MP.L2-3.8.7 – Removeable Media
CMMC Assessment Guide – Level 2 | Version 2.13
170
exist to limit or eliminate the effects of malicious code. Pervasive configuration management
and comprehensive software integrity controls may be effective in preventing execution of
unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
be present in custom-built software. This could include logic bombs, back doors, and other
types of cyber-attacks that could affect organizational missions/business functions.
Traditional malicious code protection mechanisms cannot always detect such code. In these
situations, organizations rely instead on other safeguards including secure coding practices,
configuration management and control, trusted procurement processes, and monitoring
technologies  to help ensure that software does not perform functions other than the
functions intended.
'''FURTHER DISCUSSION '''
Removable media are any type of media storage that you can remove from your computer
or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable
media. The policy should cover the various types of removable media (e.g., write-once media
and rewritable media) and should discuss the company’s  approach to removable media.
Ensure the following controls are considered and included in the policy: <br />
  limit the use of removable media to the smallest number needed; and
  scan all removable media for viruses.
'''Example <br />
'''You are in charge of IT operations. You establish a policy for removable media that includes
USB drives [a]. The policy information such as: <br />
  only USB drives issued by the organization may be used; and
  USB drives are to be used for work purposes only [a].
You set up a separate computer to scan these drives before anyone uses them on the
network. This computer has anti-virus software installed that is kept up to date.
'''Potential Assessment Considerations <br />
'''•
  Are removable media allowed [a]?
  Are policies and/or procedures in use to control the use of removable media [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.7
''' '''
MP.L2-3.8.8 – Shared Media
CMMC Assessment Guide – Level 2 | Version 2.13
171
'''MP.L2-3.8.8 – SHARED MEDIA '''
Prohibit the use of portable storage devices when such devices have no identifiable owner.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|153 ]]'''
Determine if: <br />
[a] the use of portable storage devices is prohibited when such devices have no identifiable
owner.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|A]153 ]]'''
'''Examine <br />
'''[SELECT FROM: System media protection policy; system use policy; procedures addressing
media usage restrictions; system security plan; rules of behavior; system configuration
settings and associated documentation; system design documentation; system audit logs and
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system media use responsibilities; personnel with
information security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of
media on systems or system components].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#179|154]] '''
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable
storage devices reduces the overall risk of using such technologies by allowing organizations
to assign responsibility and accountability for addressing known vulnerabilities in the
devices (e.g., insertion of malicious code).
'''FURTHER DISCUSSION '''
A portable storage device is a system component that can be inserted into and removed from
a system and is used to store data or information. It typically plugs into a laptop or desktop
port (e.g., USB port). These devices can contain malicious files that can lead to a compromise
of a connected system. Therefore, use should be prohibited if the device cannot be traced to
an owner who is responsible and accountable for its security.
153
NIST SP 800-171A, p. 43.
154
NIST SP 800-171 Rev. 2, p. 31.
''' '''
MP.L2-3.8.8 – Shared Media
CMMC Assessment Guide – Level 2 | Version 2.13
172
This  requirement,  MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7  by
prohibiting unidentified media use even if that media type is allowable.
'''Example <br />
'''You are the IT manager. One day, a staff member reports finding a USB drive in the parking
lot. You investigate and learn that there are no labels on the outside of the drive to indicate
who might be responsible for it. You send an email to all employees to remind them that IT
policies expressly prohibit plugging unknown devices into company computers. You also
direct staff members to turn in to the IT help desk any devices that have no identifiable
owner [a].
'''Potential Assessment Considerations <br />
'''•
  Do portable storage devices used have identifiable owners [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.8
''' '''
MP.L2-3.8.9 – Protect Backups
CMMC Assessment Guide – Level 2 | Version 2.13
173
'''MP.L2-3.8.9 – PROTECT BACKUPS '''
Protect the confidentiality of backup CUI at storage locations.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|155 ]]'''
Determine if: <br />
[a] the confidentiality of backup CUI is protected at storage locations.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|A]155 ]]'''
'''Examine <br />
'''[SELECT FROM: Procedures addressing system backup; system configuration settings and
associated documentation; security plan; backup storage locations; system backup logs or
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with system backup responsibilities; personnel with information
security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for conducting system backups; mechanisms
supporting or implementing system backups].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#181|156]] '''
Organizations can employ cryptographic mechanisms or alternative physical controls to
protect the confidentiality of backup information at designated storage locations. Backed-up
information containing CUI may include system-level information and user-level
information. System-level information includes system-state information, operating system
software, application software, and licenses. User-level information includes information
other than system-level information.
'''FURTHER DISCUSSION '''
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity).
Methods to ensure confidentiality may include: <br />
  encrypting files or media;
  managing who has access to the information; and
  physically securing devices and media that contain CUI.
155
NIST SP 800-171A, p. 44.
156
NIST SP 800-171 Rev. 2, p. 31.
''' '''
MP.L2-3.8.9 – Protect Backups
CMMC Assessment Guide – Level 2 | Version 2.13
174
Storage locations for information are varied, and may include: <br />
  external hard drives;
  USB drives;
  magnetic media (tape cartridge);
  optical disk (CD, DVD);
  Networked Attached Storage (NAS);
  servers; and
  cloud backup.
This requirement, MP.L2-3.8.9, requires the confidentiality of backup information at storage
locations.
'''Example <br />
'''You are in charge of protecting CUI for your company. Because the company’s backups
contain CUI, you work with IT to protect the confidentiality of backup data. You agree to
encrypt all CUI data as it is saved to an external hard drive [a].
'''Potential Assessment Considerations <br />
'''•
  Are data backups encrypted on media before removal from a secured facility [a]?
  Are cryptographic mechanisms FIPS validated [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.8.9
''' '''
PS.L2-3.9.1 – Screen Individuals
CMMC Assessment Guide – Level 2 | Version 2.13
175
Personnel Security (PS) <br />
'''PS.L2-3.9.1 – SCREEN INDIVIDUALS '''
Screen individuals prior to authorizing access to organizational systems containing CUI.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|157 ]]'''
Determine if: <br />
[a] individuals are screened prior to authorizing access to organizational systems
containing CUI.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|A]157 ]]'''
'''Examine <br />
'''[SELECT FROM: Personnel security policy; procedures addressing personnel screening;
records of screened personnel; system security plan; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with personnel security responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for personnel screening].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|158]] '''
Personnel security screening (vetting) activities involve the evaluation/assessment of
individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the
trustworthiness of the individual) prior to authorizing access to organizational systems
containing CUI. The screening activities reflect applicable federal laws, Executive Orders,
directives, policies, regulations, and specific criteria established for the level of access
required for assigned positions.
'''FURTHER DISCUSSION '''
Ensure all employees who need access to CUI undergo organization-defined screening before
being granted access. Base the types of screening on the requirements for a given position
and role.
157
NIST SP 800-171A, p. 45.
158
NIST SP 800-171 Rev. 2, p. 31.
''' '''
PS.L2-3.9.1 – Screen Individuals
CMMC Assessment Guide – Level 2 | Version 2.13
176
The effective screening of personnel provided by this requirement, PS.L2-3.9.1, improves
upon the effectiveness of authentication performed in IA.L2-3.5.2.
'''Example <br />
'''You are in charge of security at your organization.  You complete standard criminal
background and credit checks of all individuals you hire before they can access CUI [a]. Your
screening program follows appropriate laws, policies, regulations, and criteria for the level
of access required for each position.
'''Potential Assessment Considerations <br />
'''•
  Are appropriate background checks completed prior granting access to organizational
systems containing CUI [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.9.1
''' '''
PS.L2-3.9.2 – Personnel Actions
CMMC Assessment Guide – Level 2 | Version 2.13
177
'''PS.L2-3.9.2 – PERSONNEL ACTIONS '''
Ensure that organizational systems containing CUI are protected during and after personnel
actions such as terminations and transfers.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|159 ]]'''
Determine if: <br />
[a] a policy and/or process for terminating system access and any credentials coincident
with personnel actions is established;
[b] system access and credentials are terminated consistent with personnel actions such as
termination or transfer; and
[c]  the system is protected during and after personnel transfer actions.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|A]159 ]]'''
'''Examine <br />
'''[SELECT FROM: Personnel security policy; procedures addressing personnel transfer and
termination; records of personnel transfer and termination actions; list of system accounts;
records of terminated or revoked authenticators and credentials; records of exit interviews;
other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with personnel security responsibilities; personnel with account
management responsibilities; system or network administrators; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for personnel transfer and termination;
mechanisms supporting or implementing personnel transfer and termination notifications;
mechanisms for disabling system access and revoking authenticators].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#185|160]] '''
Protecting CUI during and after personnel actions may include returning system-related
property and conducting exit interviews.  System-related property includes hardware
authentication tokens, identification cards, system administration technical manuals, keys,
and building passes.  Exit interviews ensure that individuals who have been terminated
understand the security constraints imposed by being former employees and that proper
accountability is achieved for system-related property.  Security topics of interest at exit
interviews can include reminding terminated individuals of nondisclosure agreements and
159
NIST SP 800-171A, p. 45.
160
NIST SP 800-171 Rev. 2, pp. 31-32.
''' '''
PS.L2-3.9.2 – Personnel Actions
CMMC Assessment Guide – Level 2 | Version 2.13
178
potential limitations on future employment. Exit interviews may not be possible for some
terminated individuals, for example, in cases related to job abandonment, illnesses, and non-
availability of supervisors.  For termination actions, timely execution is essential for
individuals terminated for cause. In certain situations, organizations consider disabling the
system accounts of individuals that are being terminated prior to the individuals being
notified. <br />
This requirement applies to reassignments or transfers of individuals when the personnel
action is permanent or of such extended durations as to require protection. Organizations
define the CUI protections appropriate for the types of reassignments or transfers, whether
permanent or extended. Protections that may be required for transfers or reassignments to
other positions within organizations include returning old and issuing new keys,
identification cards, and building passes; changing system access authorizations (i.e.,
privileges); closing system accounts and establishing new accounts; and providing for access
to official records to which individuals had access at previous work locations and in previous
system accounts.
'''FURTHER DISCUSSION '''
Employee access to CUI is removed when they change jobs or leave the company. When
employment or program access is terminated for any reason, the following actions may occur
within the defined time frame: <br />
  all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
  all identification, access cards, and keys are returned; and
  an exit interview is conducted to remind the employee of their obligations to not discuss
CUI, even after employment.
Additionally, perform the following: <br />
  remove access to all accounts granting access to CUI or modify access to CUI as
appropriate for a new work role;
  disable or close employee accounts for departing employees; and
  limit access to physical spaces with CUI for departing employees or those who transition
to a work role that does not require access to CUI.
This requirement, PS.L2-3.9.2, leverages the identification of system users required by IA.L2-
3.5.1 in order to ensure that all accesses are identified and removed.
'''Example 1 <br />
'''You are in charge of IT operations. Per organizational policies, when workers leave the
company, you remove them from any physical CUI access lists. If you are not their supervisor,
you contact their supervisor or human resources immediately and ask them to: <br />
  turn in the former employees’ computers for proper handling;
''' '''
PS.L2-3.9.2 – Personnel Actions
CMMC Assessment Guide – Level 2 | Version 2.13
179
  inform help desk or system administrators to have the former employees’ system access
revoked;
  retrieve the former employees’ identification and access cards; and
  have the former employees attend an exit interview where you or human  resources
remind them of their obligations to not discuss CUI [b].
'''Example 2 <br />
'''An employee transfers from one working group in your company to another. Human
resources team notifies IT of the transfer date, and the employee’s new manager follows
procedure by submitting a ticket to the IT help desk to provide information on the access
rights the employee will require in their new role. IT implements the rights for the new
position and revokes the access for the prior position on the official date of the transfer [c].
'''Potential Assessment Considerations <br />
'''•
  Is information system access disabled upon employee termination or transfer [c]?
  Are authenticators/ credentials associated with the employee revoked upon termination
or transfer within a certain time frame [b,c]?
  Is all company information system-related property retrieved from the terminated or
transferred employee within a certain timeframe [a,c]?
  Is access to company information and information systems formerly controlled by the
terminated or transferred employee retained for a certain timeframe [a,c]?
  Is the information security office and data owner of the change in authorization notified
within a certain timeframe [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.9.2
''' '''
PE.L2-3.10.1 – Limit Physical Access [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
180
Physical Protection (PE) <br />
'''PE.L2-3.10.1 – LIMIT PHYSICAL ACCESS [CUI DATA] '''
Limit physical access to organizational systems, equipment, and the respective operating
environments to authorized individuals.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|161 ]]'''
Determine if: <br />
[a] authorized individuals allowed physical access are identified; <br />
[b] physical access to organizational systems is limited to authorized individuals; <br />
[c]  physical access to equipment is limited to authorized individuals; and <br />
[d] physical access to operating environments is limited to authorized individuals.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|]161 ]]'''
'''Examine <br />
'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
physical access authorizations; system security plan; authorized personnel access list;
authorization credentials; physical access list reviews; physical access termination records
and associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with physical access authorization responsibilities; personnel
with physical access to system facility; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for physical access authorizations; mechanisms
supporting or implementing physical access authorizations].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|162]] '''
This requirement applies to employees, individuals with permanent physical access
authorization credentials, and visitors. Authorized individuals have credentials that include
badges, identification cards, and smart cards.  Organizations determine the strength of
authorization credentials needed consistent with applicable laws, directives, policies,
161
NIST SP 800-171A, p. 46.
162
NIST SP 800-171 Rev. 2, p. 32.
''' '''
PE.L2-3.10.1 – Limit Physical Access [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
181
regulations, standards, procedures, and guidelines. This requirement applies only to areas
within facilities that have not been designated as publicly accessible. <br />
Limiting physical access to equipment may include placing equipment in locked rooms or
other secured areas and allowing access to authorized individuals only,  and placing
equipment in locations that can be monitored by organizational personnel.  Computing
devices, external disk drives, networking devices, monitors, printers, copiers, scanners,
facsimile machines, and audio devices are examples of equipment.
'''FURTHER DISCUSSION '''
This addresses the company’s physical space (e.g., office, testing environments, equipment
rooms),  technical assets, and non-technical assets  that need to be protected from
unauthorized physical access. Specific environments are limited to authorized employees,
and access is controlled with badges, electronic locks, physical key locks, etc. <br />
Output devices, such as printers, are placed in areas where their use does not expose data to
unauthorized individuals. Lists of personnel with authorized access are developed and
maintained, and personnel are issued appropriate authorization credentials.
'''Example <br />
'''You  manage  a  DoD  project  that  requires special equipment used only by project team
members [b,c]. You work with the facilities manager to put locks on the doors to the areas
where the equipment is stored and used [b,c,d].  Project team members are the only
individuals issued with keys to the space. This restricts access to only those employees who
work on the DoD project and require access to that equipment.
'''Potential Assessment Considerations <br />
'''•
  Are lists of personnel with authorized access developed and maintained, and are
appropriate authorization credentials issued [a]?
  Has the facility/building manager designated building areas as “sensitive” and designed
physical security protections (e.g., guards, locks, cameras, card readers) to limit physical
access to the area to only authorized employees [b,c,d]?
  Are output devices such as printers placed in areas where their use does not expose data
to unauthorized individuals [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.10.1
  FAR Clause 52.204-21 b.1.viii
''' '''
PE.L2-3.10.2 – Monitor Facility
CMMC Assessment Guide – Level 2 | Version 2.13
182
'''PE.L2-3.10.2 – MONITOR FACILITY  '''
Protect and monitor the physical facility and support infrastructure for organizational
systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A] '''
Determine if:
[a] the physical facility where organizational systems reside is protected; <br />
[b] the support infrastructure for organizational systems is protected; <br />
[c]  the physical facility where organizational systems reside is monitored; and <br />
[d] the support infrastructure for organizational systems is monitored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A] '''
'''Examine <br />
'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
physical access monitoring; system security plan; physical access logs or records; physical
access monitoring records; physical access log reviews; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: Personnel with physical access monitoring responsibilities; personnel with
incident response responsibilities; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for monitoring physical access; mechanisms
supporting or implementing physical access monitoring; mechanisms supporting or
implementing the review of physical access logs].
'''DISCUSSION [NIST SP 800-171 R2] '''
Monitoring of physical access includes publicly accessible areas within organizational
facilities. This can be accomplished, for example, by the employment of guards; the use of
sensor devices; or the use of video surveillance equipment such as cameras. Examples of
support infrastructure include system distribution, transmission, and power lines. Security
controls applied to the support infrastructure prevent accidental damage, disruption, and
physical tampering. Such controls may also be necessary to prevent eavesdropping or
modification of unencrypted transmissions. Physical access controls to support
infrastructure include locked wiring closets; disconnected or locked spare jacks; protection
of cabling by conduit or cable trays; and wiretapping sensors.
''' '''
PE.L2-3.10.2 – Monitor Facility
CMMC Assessment Guide – Level 2 | Version 2.13
183
'''FURTHER DISCUSSION'''
The infrastructure inside of a facility, such as power and network cables, is protected so that
visitors and unauthorized employees cannot access it. The protection is also monitored by
security guards, video cameras, sensors, or alarms.
'''Example'''
You are responsible for protecting your IT facilities. You install video cameras at each
entrance and exit, connect them to a video recorder, and show the camera feeds on a display
at the reception desk [c,d]. You also make sure there are secure locks on all entrances, exits,
and windows to the facilities [a,b].
'''Potential Assessment Considerations''' <br />
  Is physical access monitored to detect and respond to physical security incidents [c, d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev 2 3.10.2
''' '''
PE.L2-3.10.3 – Escort Visitors [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
184
'''PE.L2-3.10.3 – ESCORT VISITORS [CUI DATA] '''
Escort visitors and monitor visitor activity.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|163 ]]'''
Determine if: <br />
[a] visitors are escorted; and <br />
[b] visitor activity is monitored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|]163 ]]'''
'''Examine <br />
'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#192|164]] '''
Individuals with permanent physical access authorization credentials are not considered
visitors. Audit logs can be used to monitor visitor activity.
'''FURTHER DISCUSSION '''
Do not allow visitors, even those people you know well, to walk around your facility without
an escort. Make sure that all non-employees wear special visitor badges and/or are escorted
by an employee at all times while on the property.
163
NIST SP 800-171A, p. 47.
164
NIST SP 800-171 Rev. 2, p. 32.
''' '''
PE.L2-3.10.3 – Escort Visitors [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
185
'''Example <br />
'''Coming back from a meeting, you see the friend of a coworker walking down the hallway
near your office. You know this person well and trust them, but are not sure why they are in
the building. You stop to talk, and the person explains that they are meeting a coworker for
lunch, but cannot remember where the lunchroom is.  You walk the person back to the
reception area to get a visitor badge and wait until someone can escort them to the lunch
room [a]. You report this incident and the company decides to install a badge reader at the
main door so visitors cannot enter without an escort [a].
'''Potential Assessment Considerations <br />
'''•
  Are personnel required to accompany visitors to areas in a facility with physical access
to organizational systems [a]?
  Are visitors clearly distinguishable from regular personnel [b]?
  Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon
visitor departure, review of visitor audit logs) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.10.3
  FAR Clause 52.204-21 Partial b.1.ix
<br />
''' '''
PE.L2-3.10.4 – Physical Access Logs [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
186
'''PE.L2-3.10.4 – PHYSICAL ACCESS LOGS [CUI DATA] '''
Maintain audit logs of physical access.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|165 ]]'''
Determine if: <br />
[a] audit logs of physical access are maintained.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|]165 ]]'''
'''Examine <br />
'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#194|166]] '''
Organizations have flexibility in the types of audit logs employed. Audit logs can be
procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing
ID provided by a PIV card), or some combination thereof. Physical access points can include
facility access points, interior access points to systems or system components requiring
supplemental access controls, or both.  System components (e.g., workstations, notebook
computers) may be in areas designated as publicly accessible with organizations
safeguarding access to such devices.
'''FURTHER DISCUSSION '''
Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can
do this in writing by having employees and visitors sign in and sign out or by electronic
165
NIST SP 800-171A, p. 47.
166
NIST SP 800-171 Rev. 2, pp. 32-33.
''' '''
PE.L2-3.10.4 – Physical Access Logs [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
187
means such as badge readers. Whatever means you use, you need to retain the access records
for the time period that your company has defined.
'''Example <br />
'''You and your coworkers like to have friends and family join you for lunch at the office on
Fridays. Your small company has just signed a contract with the DoD, however, and you now
need to document who enters and leaves your facility. You work with the reception staff to
ensure that all non-employees sign in at the reception area and sign out when they leave [a].
You retain those paper sign-in sheets in a locked filing cabinet for one year.  Employees
receive badges or key cards that enable tracking and logging access to company facilities.
'''Potential Assessment Considerations <br />
'''•
  Are logs of physical access to sensitive areas (both authorized access and visitor access)
maintained per retention requirements [a]?
  Are visitor access records retained for as long as required [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.10.4
  FAR Clause 52.204-21 Partial b.1.ix
''' '''
PE.L2-3.10.5 – Manage Physical Access [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
188
'''PE.L2-3.10.5 – MANAGE PHYSICAL ACCESS [CUI DATA] '''
Control and manage physical access devices.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|167 ]]'''
Determine if: <br />
[a] physical access devices are identified; <br />
[b] physical access devices are controlled; and <br />
[c]  physical access devices are managed.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|]167 ]]'''
'''Examine <br />
'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
physical access control; system security plan; physical access control logs or records;
inventory records of physical access control devices; system entry and exit points; records
of key and lock combination changes; storage locations for physical access control devices;
physical access control devices; list of security safeguards controlling access to designated
publicly accessible areas within facility; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with physical access control responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for physical access control; mechanisms
supporting or implementing physical access control; physical access control devices].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#196|168]] '''
Physical access devices include keys, locks, combinations, and card readers.
'''FURTHER DISCUSSION '''
Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as
important as monitoring and limiting who is able to physically access certain equipment.
Physical access devices are only strong protection if you know who has them and what access
they allow. Physical access devices can be managed using manual or automatic processes
167
NIST SP 800-171A, pp. 47-48.
168
NIST SP 800-171 Rev. 2, p. 33.
''' '''
PE.L2-3.10.5 – Manage Physical Access [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
189
such a list of who is assigned what key, or updating the badge access system as personnel
change roles.
'''Example <br />
'''You are a facility manager. A team member retired today and returns their company keys to
you.  The project on which they were working requires  access to areas that  contain
equipment with CUI. You receive the keys, check your electronic records against the serial
numbers on the keys to ensure all have been returned, and mark each key returned [c].
'''Potential Assessment Considerations <br />
'''•
  Are lists or inventories of physical access devices maintained (e.g., keys, facility badges,
key cards) [a]?
  Is  access to physical access devices  limited  (e.g.,  granted to, and accessible only by,
authorized individuals) [b]?
  Are physical access devices managed (e.g., revoking key card access when necessary,
changing locks as needed, maintaining access control devices and systems) [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.10.5
  FAR Clause 52.204-21 Partial b.1.ix
''' '''
PE.L2-3.10.6 – Alternative Work Sites
CMMC Assessment Guide – Level 2 | Version 2.13
190
'''PE.L2-3.10.6 – ALTERNATIVE WORK SITES '''
Enforce safeguarding measures for CUI at alternate work sites.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|169 ]]'''
Determine if: <br />
[a] safeguarding measures for CUI are defined for alternate work sites; and <br />
[b] safeguarding measures for CUI are enforced for alternate work sites.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|A]169 ]]'''
'''Examine <br />
'''[SELECT FROM: Physical and environmental protection policy; procedures addressing
alternate work sites for personnel; system security plan; list of safeguards required for
alternate work sites; assessments of safeguards at alternate work sites; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel approving use of alternate work sites; personnel using alternate
work sites; personnel assessing controls at alternate work sites; personnel with information
security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for security at alternate work sites; mechanisms
supporting alternate work sites; safeguards employed at alternate work sites; means of
communications between personnel at alternate work sites and security personnel].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#198|170]] '''
Alternate work sites may include government facilities or the private residences of
employees. Organizations may define different security requirements for specific alternate
work sites or types of sites depending on the work-related activities conducted at those sites. <br />
NIST SP 800-46 and NIST SP 800-114 provide guidance on enterprise and user security
when teleworking.
'''FURTHER DISCUSSION '''
Many people work from home or travel as part of their job. Define and implement safeguards
to account for protection of information beyond the enterprise perimeter. Safeguards may
169
NIST SP 800-171A, p. 48.
170
NIST SP 800-171 Rev. 2, p. 33.
''' '''
PE.L2-3.10.6 – Alternative Work Sites
CMMC Assessment Guide – Level 2 | Version 2.13
191
include physical protections, such as locked file drawers, as well as electronic protections
such as encryption, audit logging, and proper access controls.
'''Example <br />
'''Many of your company’s project managers work remotely as they often travel to sponsor
locations or even work from home. Because the projects on which they work require access
to CUI, you must ensure the same level of protection is afforded as when they work in the
office.  You ensure that each laptop is deployed with patch management and anti-virus
software protection  [b].  Because  data may be stored on the local hard drive,  you have
enabled full-disk encryption on their laptops [b]. When a remote staff member needs access
to the internal network you require VPN connectivity that also disconnects the laptop from
the remote network (i.e.,  prevents  split tunneling) [b]. The VPN requires multifactor
authentication to verify remote users are who they claim to be [b].
'''Potential Assessment Considerations <br />
'''•
  Do all alternate sites where CUI data is stored or processed meet the same physical
security requirements as the main site [b]?
  Does the alternate processing site provide information security measures equivalent to
those of the primary site [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.10.6
''' '''
RA.L2-3.11.1 – RIsk Assessments
CMMC Assessment Guide – Level 2 | Version 2.13
192
Risk Assessment (RA) <br />
'''RA.L2-3.11.1 – RISK ASSESSMENTS '''
Periodically assess the risk to organizational operations (including mission, functions, image,
or reputation), organizational assets, and individuals, resulting from the operation of
organizational systems and the associated processing, storage, or transmission of CUI.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|171 ]]'''
Determine if: <br />
[a] the frequency to assess risk to organizational operations, organizational assets, and
individuals is defined; and
[b] risk to organizational operations, organizational assets, and individuals resulting from
the operation of an organizational system that processes, stores, or transmits CUI is
assessed with the defined frequency.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|A]171 ]]'''
'''Examine <br />
'''[SELECT FROM: Risk assessment policy; security planning policy and procedures;
procedures addressing organizational risk assessments; system security plan; risk
assessment; risk assessment results; risk assessment reviews; risk assessment updates;
other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with risk assessment responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for risk assessment; mechanisms supporting or
for conducting, documenting, reviewing, disseminating, and updating the risk assessment].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|172]] '''
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk
assessments consider threats, vulnerabilities, likelihood, and impact to organizational
operations, organizational assets, and individuals based on the operation  and use of
organizational systems.  Risk assessments also consider risk from external parties (e.g.,
service providers, contractor operating systems on behalf of the organization, individuals
171
NIST SP 800-171A, p. 49.
172
NIST SP 800-171 Rev. 2, p. 33.
''' '''
RA.L2-3.11.1 – RIsk Assessments
CMMC Assessment Guide – Level 2 | Version 2.13
193
accessing organizational systems, outsourcing entities). Risk assessments, either formal or
informal, can be conducted at the organization level, the mission or business process level,
or the system level, and at any phase in the system development life cycle. <br />
NIST SP 800-30 provides guidance on conducting risk assessments.
'''FURTHER DISCUSSION '''
Risk arises from anything that can reduce an organization’s assurance of mission/business
success; cause harm to image or reputation; or harm individuals, other organizations, or the
Nation. <br />
Organizations assess the risk to their operations and assets at regular intervals. Areas where
weakness or vulnerabilities could lead to risk may include: <br />
  poorly designed and executed business processes;
  inadvertent actions of people, such as disclosure or modification of information;
  intentional actions of people inside and outside the organization;
  failure of systems to perform as intended;
  failures of technology; and
  external events, such as natural disasters, public infrastructure and supply chain failures.
When conducting risk assessments use established criteria and procedures. The results of
formal risk assessments are documented. It is important to note that risk assessments differ
from vulnerability assessments  (see  RA.L2-3.11.2). A vulnerability assessment provides
input to a risk assessment  along with other information such  as  results from likelihood
analysis and analysis of potential treat sources. <br />
Risk assessments should be performed at defined regular intervals. Mission risks include
anything that will keep an organization from meeting its mission. Function risk is anything
that will prevent the performance of a function.  Image and reputation risks refer to
intangible risks that have value and could cause damage to potential or future trust
relationships.[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#201|173]] <br />
This  requirement,  RA.L2-3.11.1,  which requires  periodically assessing the risk to
organization systems, assets, and individuals, is a baseline Risk Assessment requirement.
RA.L2-3.11.1 enables other Risk Assessment requirements (e.g., RA.L2-3.11.3, Vulnerability
Remediation), as well as CA.L2-3.12.2, Plan of Action.
'''Example <br />
'''You are a system administrator. You and your team members are working on a big
government contract requiring you to store CUI. As part of your periodic (e.g., annual) risk
assessment exercise, you  evaluate  the  new  risk involved with storing CUI [a,b]. When
conducting the assessment you consider increased legal exposure, financial requirements of
safeguarding CUI, potentially elevated attention from external attackers, and other factors.
173
NIST SP 800-30, ''Guide for Conducting Risk Assessments'', September 2012.
''' '''
RA.L2-3.11.1 – RIsk Assessments
CMMC Assessment Guide – Level 2 | Version 2.13
194
After determining how storing CUI affects your overall risk profile, you use that as a basis for
a conversation on how that risk should be mitigated.
'''Potential Assessment Considerations <br />
'''•
  Have initial and periodic risk assessments been conducted [b]?
  Are methods defined for assessing risk (e.g., reviewing security assessments, incident
reports, and security advisories, identifying threat sources, threat events, and
vulnerabilities, and determining likelihood, impact, and overall risk to the confidentiality
of CUI) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.11.1
''' '''
RA.L2-3.11.2 – Vulnerability Scan
CMMC Assessment Guide – Level 2 | Version 2.13
195
'''RA.L2-3.11.2 – VULNERABILITY SCAN '''
Scan for vulnerabilities in organizational systems and applications periodically and when
new vulnerabilities affecting those systems and applications are identified.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#203|174 ]]'''
Determine if: <br />
[a] the frequency to scan for vulnerabilities in organizational systems and applications is
defined;
[b] vulnerability scans are performed on organizational systems with the defined
frequency;
[c]  vulnerability scans are performed on applications with the defined frequency; <br />
[d] vulnerability scans are performed on organizational systems when new vulnerabilities
are identified; and
[e] vulnerability scans are performed on applications when new vulnerabilities are
identified.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#203|A]174 ]]'''
'''Examine <br />
'''[SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk
assessment; system security plan; security assessment report; vulnerability scanning tools
and associated configuration documentation; vulnerability scanning results; patch and
vulnerability management records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with risk assessment, security assessment and vulnerability
scanning responsibilities; personnel with vulnerability scan analysis and remediation
responsibilities; personnel with information security responsibilities; system or network
administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation,
and information sharing; mechanisms supporting or implementing vulnerability scanning,
analysis, remediation, and information sharing].
174
NIST SP 800-171A, pp. 49-50.
''' '''
RA.L2-3.11.2 – Vulnerability Scan
CMMC Assessment Guide – Level 2 | Version 2.13
196
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#204|175]] '''
Organizations determine the required vulnerability scanning for all system components,
ensuring that potential sources of vulnerabilities such as networked printers, scanners, and
copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new
vulnerabilities are discovered, announced, and scanning methods developed. This process
ensures that potential vulnerabilities in the system are identified and addressed as quickly
as possible. Vulnerability analyses for custom software applications may require additional
approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three
approaches. Organizations can employ these analysis approaches in source code reviews and
in a variety of tools (e.g., static analysis tools, web-based application scanners, binary
analyzers). Vulnerability scanning includes: scanning for patch levels; scanning for functions,
ports, protocols, and services that should not be accessible to users or devices; and scanning
for improperly configured or incorrectly operating information flow control mechanisms. <br />
To facilitate interoperability, organizations consider using products that are Security
Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in
the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the
Open Vulnerability Assessment Language (OVAL) to determine the presence of system
vulnerabilities.  Sources for vulnerability information include the Common Weakness
Enumeration (CWE) listing and the National Vulnerability Database (NVD). <br />
Security assessments, such as red team exercises, provide additional sources of potential
vulnerabilities for which to scan.  Organizations also consider using scanning tools that
express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain
situations, the nature of the vulnerability scanning may be more intrusive or the system
component that is the subject of the scanning may contain highly sensitive information.
Privileged access authorization to selected system components facilitates thorough
vulnerability scanning and protects the sensitive nature of such scanning. <br />
NIST SP 800-40 provides guidance on vulnerability management.
'''FURTHER DISCUSSION '''
A vulnerability scanner is an application that identifies vulnerabilities in organizational
assets. Most scanners can create a prioritized list of vulnerabilities ordered by their level of
severity. Scan for vulnerabilities on all devices connected to the network including servers,
desktops, laptops, virtual machines, containers, firewalls, switches, and printers. All assets
that are within the scope of the CMMC assessment must be scanned, including assets such as
laptop computers that may not routinely connect to an organization’s network. <br />
Perform reviews of your organization’s custom-developed software. Vulnerability analysis
of a custom-made solution may require a penetration tester to properly test and validate
findings. Automated vulnerability scanners may not be as thorough when scanning custom
developed applications. Source code scanners can help identify weaknesses and
vulnerabilities within code prior to compilation and use.
175
NIST SP 800-171 Rev. 2, pp. 33-34.
''' '''
RA.L2-3.11.2 – Vulnerability Scan
CMMC Assessment Guide – Level 2 | Version 2.13
197
The vulnerability scanning process is a regular activity, not a single occurrence.
Organizations put in place a vulnerability scanner that updates its database each time it
performs a scan so it can identify the most current known vulnerabilities. Schedule scans
with consideration of the potential for impact to normal operations and use caution when
scanning critical assets. <br />
This requirement, RA.L2-3.11.2, which ensures scanning for vulnerabilities in
organizational systems and application, is a baseline Risk Assessment requirement. RA.L2-
3.11.2, contributes to performing risk assessments as described in RA.L2-3.11.1.
'''Example <br />
'''You are a system administrator. Your organization has assessed its risk and determined that
it needs to scan for vulnerabilities in systems and applications once each quarter [a]. You
conduct some tests and decide that it is important to be able to schedule scans after standard
business hours. You also realize that you have remote workers and that you will need to be
sure to scan their remote computers as well [b]. After some final tests, you integrate the scans
into normal IT operations, running as scheduled [b,c]. You verify that the scanner application
receives the latest updates on vulnerabilities and that those are included in future scans [d,e].
'''Potential Assessment Considerations <br />
'''•
  Is  the frequency specified for vulnerability scans to be performed in organizational
systems and applications (e.g., continuous passive scanning, scheduled active scans) [a]?
  Are vulnerability scans performed on a defined frequency or randomly in accordance
with company policy [a,b,c]?
  Are systems periodically scanned for common and new vulnerabilities [d,e]?
  Is the list of scanned system vulnerabilities updated on a defined frequency or when new
vulnerabilities are identified and reported [d,e]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.11.2
''' '''
RA.L2-3.11.3 – Vulnerability Remediation
CMMC Assessment Guide – Level 2 | Version 2.13
198
'''RA.L2-3.11.3 – VULNERABILITY REMEDIATION '''
Remediate vulnerabilities in accordance with risk assessments.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|176 ]]'''
Determine if: <br />
[a] vulnerabilities are identified; and <br />
[b] vulnerabilities are remediated in accordance with risk assessments.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|A]176 ]]'''
'''Examine <br />
'''[SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk
assessment; system security plan; security assessment report; vulnerability scanning tools
and associated configuration documentation; vulnerability scanning results; patch and
vulnerability management records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with risk assessment, security assessment and vulnerability
scanning responsibilities; personnel with vulnerability scan analysis responsibilities;
personnel with vulnerability remediation responsibilities; personnel with information
security responsibilities; system or network administrators].
'''Test <br />
'''[SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation,
and information sharing; mechanisms supporting or implementing vulnerability scanning,
analysis, remediation, and information sharing].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#206|177]] '''
Vulnerabilities discovered, for example, via the scanning conducted in response to RA.L2-
3.11.2, are remediated with consideration of the related assessment of risk.  The
consideration of risk influences the prioritization of remediation efforts and the level of
effort to be expended in the remediation for specific vulnerabilities.
'''FURTHER DISCUSSION '''
Not all vulnerabilities captured in a vulnerability scanner may pose the same level of risk to
an organization. Prioritize mitigation efforts to close the most critical vulnerabilities first.
176
NIST SP 800-171A, p. 50.
177
NIST SP 800-171 Rev. 2, p. 34.
''' '''
RA.L2-3.11.3 – Vulnerability Remediation
CMMC Assessment Guide – Level 2 | Version 2.13
199
Track all vulnerability remediation to ensure completion; also track vulnerabilities that you
have determined not to remediate. <br />
This  requirement,  RA.L2-3.11.3, benefits from CA.L2-3.12.2.  RA.L2-3.11.3  allows
remediation of vulnerabilities to take place based on the developed plans of actions for
vulnerabilities from CA.L2-3.12.2.
'''Example <br />
'''You are a system administrator. Each quarter you receive a list of vulnerabilities generated
by your company’s vulnerability scanner [a]. You prioritize that list and note which
vulnerabilities should be targeted as soon as possible as well as which vulnerabilities you
can safely defer addressing at this time. You document the reasoning behind accepting the
risk of the unremediated flaws and note to continue to monitor these vulnerabilities in case
you need to revise the decision at a later date [b].
'''Potential Assessment Considerations <br />
'''•
  Are the results of risk assessments used to prioritize vulnerabilities for remediation [b]?
  For any given vulnerability is action taken for remediation, acceptance, avoidance, or
transference of the vulnerability risk [b]?
  Are all high risk vulnerabilities prioritized [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.11.3
''' '''
CA.L2-3.12.1 – Security Control Assessment
CMMC Assessment Guide – Level 2 | Version 2.13
200
Security Assessment (CA) <br />
'''CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT '''
Periodically assess the security controls in organizational systems to determine if the
controls are effective in their application. <br />
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|178 ]]'''
Determine if: <br />
[a] the frequency of security control assessments is defined; and <br />
[b] security controls are assessed with the defined frequency to determine if the controls
are effective in their application.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|A]178 ]]'''
'''Examine <br />
'''[SELECT FROM: Security assessment and authorization policy; procedures addressing
security assessment planning; procedures addressing security assessments; security
assessment plan; system security plan; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with security assessment responsibilities; personnel with
information security responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting security assessment, security assessment plan
development, and security assessment reporting]. <br />
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|179]] '''
Organizations assess security controls in organizational systems and the environments in
which those systems operate as part of the system development life cycle. Security controls
are the safeguards or countermeasures organizations implement to satisfy security
requirements. By assessing the implemented security controls, organizations determine if
the security safeguards or countermeasures are in place and operating as intended. Security
control assessments ensure that information security is built into organizational systems;
identify weaknesses and deficiencies early in the development process; provide essential
information needed to make risk-based decisions; and ensure compliance to vulnerability
178
NIST SP 800-171A, p. 51.
179
NIST SP 800-171 Rev. 2, pp. 34-35.
''' '''
CA.L2-3.12.1 – Security Control Assessment
CMMC Assessment Guide – Level 2 | Version 2.13
201
mitigation procedures. Assessments are conducted on the implemented security controls as
documented in system security plans. <br />
Security assessment reports document assessment results in sufficient detail as deemed
necessary by organizations, to determine the accuracy and completeness of the reports and
whether the security controls are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting security requirements. Security
assessment results are provided to the individuals or roles appropriate for the types of
assessments being conducted. <br />
Organizations ensure that security assessment results are current, relevant to the
determination of security control effectiveness, and obtained with the appropriate level of
assessor independence. Organizations can choose to use other types of assessment activities
such as vulnerability scanning and system monitoring to maintain the security posture of
systems during the system life cycle. <br />
NIST SP 800-53 provides guidance on security and privacy controls for systems and
organizations. SP 800-53A provides guidance on developing security assessment plans and
conducting assessments. <br />
'''FURTHER DISCUSSION '''
Avoid a “set it and forget it” mentality when implementing security controls. The security
landscape is constantly changing. Reassess existing controls at periodic intervals in order to
validate their effectiveness in your environment. Set the assessment schedule according to
organizational needs. Consider regulatory obligations and internal policies when assessing
the controls. <br />
Outputs from security control assessments typically include: <br />
  documented assessment results;
  proposed new controls, or updates to existing controls;
  remediation plans; and
  newly identified risks.
This  requirement,  CA.L2-3.12.1, which ensures determining security controls are
implemented properly, promotes effective security assessments for organizational systems
mandated by CA.L2-3.12.3.
'''Example <br />
'''You are in charge of IT operations. You need to ensure that the security controls
implemented within the system are achieving their objectives [b]. Taking the requirements
outlined in your SSP as a guide, you conduct annual written reviews of the security controls
to ensure they meet your organization’s needs. When you find controls that do not meet
requirements, you propose updated or new controls, develop a written implementation plan,
document new risks, and execute the changes.
''' '''
CA.L2-3.12.1 – Security Control Assessment
CMMC Assessment Guide – Level 2 | Version 2.13
202
'''Potential Assessment Considerations <br />
'''•
  Are security controls assessed at least annually [a]?
  Is the output of the security controls assessment documented [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.12.1
''' '''
CA.L2-3.12.2 – operational Plan of Action
CMMC Assessment Guide – Level 2 | Version 2.13
203
'''CA.L2-3.12.2 – OPERATIONAL PLAN OF ACTION '''
Develop and implement plans of action designed to correct deficiencies and reduce or
eliminate vulnerabilities in organizational systems. <br />
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|180 ]]'''
Determine if: <br />
[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified; <br />
[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate
identified vulnerabilities; and
[c]  the plan of action is implemented to correct identified deficiencies and reduce or
eliminate identified vulnerabilities.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|A]180 ]]'''
'''Examine <br />
'''[SELECT FROM: Security assessment and authorization policy; procedures addressing plan
of action; system security plan; security assessment plan; security assessment report;
security assessment evidence; plan of action; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with plan of action development and implementation
responsibilities; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms for developing, implementing, and maintaining plan of action]. <br />
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#211|181]] '''
The plan of action is a key document in the information security program. Organizations
develop plans of action that describe how any unimplemented security requirements will be
met and how any planned mitigations will be implemented. Organizations can document the
system security plan and plan of action as separate or combined documents and in any
chosen format. <br />
Federal agencies may consider the submitted system security plans and plans of action as
critical inputs to an overall risk management decision to process, store, or transmit CUI on a
system hosted by a nonfederal organization and whether it is advisable to pursue an
agreement or contract with the nonfederal organization.
180
NIST SP 800-171A, p. 51.
181
NIST SP 800-171 Rev. 2, p. 35.
''' '''
CA.L2-3.12.2 – operational Plan of Action
CMMC Assessment Guide – Level 2 | Version 2.13
204
'''FURTHER DISCUSSION '''
When you write a plan of action, define the clear goal or objective of the plan. You may
include the following in the action plan: <br />
  ownership of who is accountable for ensuring the plan’s performance;
  specific steps or milestones that are clear and actionable;
  assigned responsibility for each step or milestone;
  milestones to measure plan progress; and
  completion dates.
This requirement, CA.L2-3.12.2, which ensures developing and implementing operational
plans of action to correct and reduce vulnerabilities in systems, is driven by risk management
requirement  RA.L2-3.11.1, which promotes periodically assessing risk to organizational
systems. CA.L2-3.12.2 promotes monitoring security controls on an ongoing basis as defined
in requirement CA.L2-3.12.3. <br />
An operational  plan of action in accordance with CA.L2-3.12.2 differs from a CMMC
assessment  POA&amp;M as described in 32 CFR § 170.21.  The assessment POA&amp;M  places
conditions on which security requirements can be assessed as NOT MET and allows the OSA
to qualify for a CMMC Status of Conditional Level 2 (Self), Conditional Level 2 (C3PAO), or
Conditional Level 3 (DIBCAC). Operational plans of action are not subject to the 180 day
POA&amp;M closeout requirement.  Severity, availability of remediation, and  business
requirements are among the factors to consider when creating and maintaining operational
plans of action.
'''Example <br />
'''As IT director, one of your duties is to develop action plans when you discover that your
company is not meeting security requirements or when a security issue arises [b]. A recent
vulnerability scan identified several items that need to be addressed so you develop a plan
to fix them [b]. Your plan identifies the people responsible for fixing the issues, how to do it,
and when the remediation will be completed [b]. You also define how to verify that the
person responsible has fixed the vulnerability [b]. You document this in an operational plan
of action that is updated as milestones are reached [b]. You have a separate resource review
the modifications after they have been completed to ensure the plan has been implemented
correctly [c].
'''Potential Assessment Considerations <br />
'''•
  Is there an action plan to remediate identified weaknesses or deficiencies [a]?
  Is the action plan maintained as remediation is performed [b]?
  Does the action plan designate remediation dates and milestones for each item [c]?
''' '''
CA.L2-3.12.2 – operational Plan of Action
CMMC Assessment Guide – Level 2 | Version 2.13
205
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.12.2
''' '''
CA.L2-3.12.3 – Security Control Monitoring
CMMC Assessment Guide – Level 2 | Version 2.13
206
'''CA.L2-3.12.3 – SECURITY CONTROL MONITORING '''
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the
controls.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|182 ]]'''
Determine if: <br />
[a] security controls are monitored on an ongoing basis to ensure the continued
effectiveness of those controls.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|A]182 ]]'''
'''Examine <br />
'''[SELECT FROM: Security planning policy; organizational procedures addressing system
security plan development and implementation; procedures addressing system security
plan reviews and updates; enterprise architecture documentation; system security plan;
records of system security plan reviews and updates; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with security planning and system security plan implementation
responsibilities; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for system security plan development, review,
update, and approval; mechanisms supporting the system security plan].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#214|183]] '''
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities,
and information security to support organizational risk management decisions. The terms
continuous and ongoing imply that organizations assess and analyze security controls and
information security-related risks at a frequency sufficient to support risk-based decisions.
The results of continuous monitoring programs generate appropriate risk response actions
by organizations. Providing access to security information on a continuing basis through
reports or dashboards gives organizational officials the capability to make effective and
timely risk management decisions.  Automation supports more frequent updates to
hardware, software, firmware inventories, and other system information. Effectiveness is
further enhanced when continuous monitoring outputs are formatted to provide
information that is specific, measurable, actionable, relevant, and timely.  Monitoring
182
NIST SP 800-171A, p. 52.
183
NIST SP 800-171 Rev. 2, p. 35.
''' '''
CA.L2-3.12.3 – Security Control Monitoring
CMMC Assessment Guide – Level 2 | Version 2.13
207
requirements, including the need for specific monitoring, may also be referenced in other
requirements. <br />
NIST SP 800-137 provides guidance on continuous monitoring.
'''FURTHER DISCUSSION '''
Provide a plan for monitoring the state of security controls on a recurring basis that occurs
more frequently than the periodic assessments discussed in CA.L2-3.12.1.  This process
provides a mechanism to assess the overall security posture of your organization, which
directly relates to activities discussed in CA.L2-3.12.4.  As a result,  the process not only
maintains awareness of vulnerabilities and threats, but it also informs management of the
effectiveness of the security controls in determining if security controls are current and for
management to make an acceptable risk decision.
'''Example <br />
'''You are responsible for ensuring your company fulfills all cybersecurity requirements for its
DoD contracts. You review those requirements and the security controls your company has
put in place to meet them. You then create a plan to evaluate each control regularly over the
next year. You mark several controls to be evaluated by a third-party security assessor. You
assign  other IT resources in the organization  to evaluate controls within their area of
responsibility. To ensure progress you establish recurring meetings with the accountable IT
staff to assess continuous monitoring progress, review security information, evaluate risks
from gaps in continuous monitoring, and produce reports for your management [a].
'''Potential Assessment Considerations <br />
'''•
  Are the security controls that need to be continuously monitored identified [a]?
  Is the timeframe for continuous monitoring activities to support risk-based decision
making defined [a]?
  Is the output of continuous monitoring activities provided to stakeholders [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.12.3
''' '''
CA.L2-3.12.4 – System Security Plan
CMMC Assessment Guide – Level 2 | Version 2.13
208
'''CA.L2-3.12.4 – SYSTEM SECURITY PLAN '''
Develop, document, and periodically update system security plans that describe system
boundaries, system environments of operation, how security requirements are
implemented, and the relationships with or connections to other systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#216|184 ]]'''
Determine if: <br />
[a] a system security plan is developed; <br />
[b] the system boundary is described and documented in the system security plan; <br />
[c]  the system environment of operation is described and documented in the system
security plan;
[d] the security requirements identified and approved by the designated authority as
non-applicable are identified;
[e] the method of security requirement implementation is described and documented in
the system security plan;
[f]  the relationship with or connection to other systems is described and documented in
the system security plan;
[g] the frequency to update the system security plan is defined; and <br />
[h] system security plan is updated with the defined frequency.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#216|A]184 ]]'''
'''Examine <br />
'''[SELECT FROM: Security planning policy; procedures addressing system security plan
development and implementation; procedures addressing system security plan reviews and
updates; enterprise architecture documentation; system security plan; records of system
security plan reviews and updates; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with security planning and system security plan implementation
responsibilities; personnel with information security responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for system security plan development, review,
update, and approval; mechanisms supporting the system security plan].
184
NIST SP 800-171A, p. 52.
''' '''
CA.L2-3.12.4 – System Security Plan
CMMC Assessment Guide – Level 2 | Version 2.13
209
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#217|185]] '''
System security plans relate security requirements to a set of security controls.  System
security plans also describe, at a high level, how the security controls meet those security
requirements, but do not provide detailed, technical  descriptions of the design or
implementation of the controls.  System security plans contain sufficient information to
enable a design and implementation that is unambiguously compliant with the intent of the
plans and subsequent determinations of risk if the plan is implemented as intended. Security
plans need not be single documents; the plans can be a collection of various documents
including documents that already exist.  Effective security plans make extensive use of
references to policies, procedures, and additional documents (e.g., design and
implementation specifications) where more detailed information can be obtained.  This
reduces the documentation requirements associated with security programs and maintains
security-related information in other established management/operational areas related to
enterprise architecture, system development life cycle, systems engineering, and acquisition. <br />
Federal agencies may consider the submitted system security plans and plans of action as
critical inputs to an overall risk management decision to process, store, or transmit CUI on a
system hosted by a nonfederal organization and whether it is advisable to pursue an
agreement or contract with the nonfederal organization. <br />
NIST SP 800-18 provides guidance on developing security plans.
'''FURTHER DISCUSSION '''
A system security plan (SSP) is a document that outlines how an organization implements
its security requirements. OSAs must have an SSP  in place at the time of assessment to
describe each information system within the CMMC Assessment Scope. The absence of an
up-to-date SSP at the time of the assessment would result in a finding that an assessment
could not be completed due to incomplete information and noncompliance with DFARS
clause 252.204-7012. OSAs are free to choose the format of their SSP. At a minimum, an SSP
must include: <br />
  Description of the CMMC Assessment Scope;
  CMMC Assessment Scope  Description: high-level description of the assets  within the
assessment scope[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#217|186]];
  Description of the Environment of Operation: physical surroundings in which an
information system processes, stores, and transmits information;
  Identified and Approved Security Requirements: requirements levied on an information
system that are derived from applicable laws, Executive Orders, directives, policies,
standards, instructions, regulations, procedures, or organizational mission/business
case needs to ensure the confidentiality, integrity, and availability of the information
being processed, stored, or transmitted;
185
NIST SP 800-171 Rev. 2, pp. 35-36.
186
There is no requirement to embed every asset in the SSP. .
''' '''
CA.L2-3.12.4 – System Security Plan
CMMC Assessment Guide – Level 2 | Version 2.13
210
  Implementation Method for Security Requirements: description of how the identified
and approved security requirements are implemented with the system or environment;
  Connections and Relationships to Other Systems and Networks: description of related,
dependent, and interconnected systems; and
  Defined Frequency of Updates: at least annually.
In addition to the requirements above, an SSP often includes: <br />
  general information system description: technical and functional description;
  design  philosophies:  defense-in-depth strategies and allowed interfaces and network
protocols; and
  roles and responsibilities: description of the roles and responsibilities for key personnel,
which may include the system owner, system custodian, authorizing officials, and other
stakeholders
This  requirement,  CA.L2-3.12.4, which requires  developing, documenting, and updating
system security plans, promotes effective information security within organizational
systems required by SC.L2-3.13.2, as well as other system and communications protection
requirements.
'''Example <br />
'''You are in charge of system security. You develop an SSP and have senior leadership formally
approve the document [a]. The SSP explains how your organization handles CUI and defines
how that data is stored, transmitted, and protected [d,e]. The criteria outlined in the SSP is
used to guide configuration of the network and other information resources to meet your
company’s goals. Knowing that it is important to keep the SSP current, you establish a policy
that requires a formal review and update of the SSP each year [g,h].
'''Potential Assessment Considerations <br />
'''•
  Do mechanisms exist to develop and periodically update an SSP [a,g]?
  Are security requirements identified and approved by the designated authority as
non-applicable documented [d]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.12.4
''' '''
SC.L2-3.13.1 – Boundary Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
211
System and Communications Protection (SC) <br />
'''SC.L2-3.13.1 – BOUNDARY PROTECTION [CUI DATA] '''
Monitor, control, and protect communications (i.e., information transmitted or received by
organizational systems) at the external boundaries and key internal boundaries of
organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|187 ]]'''
Determine if: <br />
[a] the external system boundary is defined; <br />
[b] key internal system boundaries are defined; <br />
[c]  communications are monitored at the external system boundary; <br />
[d] communications are monitored at key internal boundaries; <br />
[e] communications are controlled at the external system boundary; <br />
[f]  communications are controlled at key internal boundaries; <br />
[g] communications are protected at the external system boundary; and <br />
[h] communications are protected at key internal boundaries.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|]187 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; enterprise
security architecture documentation; system audit logs and records; system configuration
settings and associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing boundary protection capability].
187
NIST SP 800-171A, p. 53.
''' '''
SC.L2-3.13.1 – Boundary Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
212
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#220|188]] '''
Communications can be monitored, controlled, and protected at boundary components and
by restricting or prohibiting interfaces in organizational systems.  Boundary components
include gateways, routers, firewalls, guards, network-based malicious code analysis and
virtualization systems, or encrypted tunnels implemented within a system security
architecture (e.g., routers protecting firewalls or application gateways residing on protected
subnetworks).  Restricting or prohibiting interfaces in organizational systems includes
restricting external web communications traffic to designated web servers within managed
interfaces and prohibiting external traffic that appears to be spoofing internal addresses. <br />
Organizations consider the shared nature of commercial telecommunications services in the
implementation of security requirements associated with the use of such services.
Commercial telecommunications services are commonly based on network components and
consolidated management systems shared by all attached commercial customers and may
also include third party-provided access lines and other service elements. Such transmission
services may represent sources of increased risk despite contract security provisions. NIST
SP 800-41 provides guidance on firewalls and firewall policy. NIST SP 800-125B provides
guidance on security for virtualization technologies.
'''FURTHER DISCUSSION '''
Fences, locks, badges, and key cards help keep non-employees out of your physical facilities.
Similarly, your company’s IT network or system has boundaries that must be protected.
Many companies use a web proxy and a firewall. <br />
When an employee uses a company computer to go to a website, a web proxy makes the
request on the user’s behalf, looks at the web request, and decides if it should let the
employee go to the website. <br />
A firewall controls access from the inside and outside, protecting valuable information and
resources stored on the company’s network. A firewall stops unwanted traffic on the internet
from passing through an outside “fence” to the company’s networks and information
systems.  Internal boundaries determine where data can flow, for instance a software
development environment may have its own boundary controlling,  monitoring, and
protecting the data that can leave that boundary. <br />
It may be wise to monitor, control, or protect one part of the company network from another.
This can also be accomplished  with a firewall  and  limits  the ability of attackers  and
disgruntled employees from entering sensitive parts of your internal network and causing
damage.
'''Example <br />
'''You are setting up the new network and want to keep your  company’s information and
resources safe. You start by sketching out a simple diagram that identifies the external
boundary of your network and any internal boundaries that are needed [a,b]. The first piece
188
NIST SP 800-171 Rev. 2, p. 36.
''' '''
SC.L2-3.13.1 – Boundary Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
213
of equipment you install is the firewall, a device to separate your internal network from the
internet. The firewall also has a feature that allows you to block access to potentially
malicious websites, and you configure that service as well [a,c,e,g]. Some of your coworkers
complain that they cannot get onto certain websites [c,e,g]. You explain that the new network
blocks websites that are known for spreading malware. The firewall sends you a daily digest
of blocked activity so that you can monitor the system for attack trends [c,d].
'''Potential Assessment Considerations <br />
'''•
  What are the external system boundary components that make up the entry and exit
points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all
system components that handle regulated data are contained? What are the supporting
system components necessary for the protection of regulated data [a]?
  What are the internal system boundary components that make up the entry and exit
points for key internal data flow (e.g., internal firewalls, routers, any devices that can
bridge the connection between one segment of the system and another) that separate
segments of the internal network –  including devices that separate internal network
segments such as development and production networks as well as a traditional
Demilitarized Zone (DMZ) at the edge of the network [b]?
  Is data flowing in and out of the external and key internal system boundaries monitored
(e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)
[c,d]?
  Is  data  traversing  the external and internal system  boundaries  controlled  such that
connections are denied by default and only authorized connections are allowed [e,f]?
  Is data flowing in and out of the external and key internal system boundaries protected
(e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.1
  FAR Clause 52.204-21 b.1.x
''' '''
SC.L2-3.13.2 – Security Engineering
CMMC Assessment Guide – Level 2 | Version 2.13
214
'''SC.L2-3.13.2 – SECURITY ENGINEERING '''
Employ architectural designs, software development techniques, and systems engineering
principles that promote effective information security within organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#222|189 ]]'''
Determine if: <br />
[a] architectural designs that promote effective information security are identified; <br />
[b] software development techniques that promote effective information security are
identified;
[c]  systems engineering principles that promote effective information security are
identified;
[d] identified architectural designs that promote effective information security are
employed;
[e] identified software development techniques that promote effective information
security are employed; and
[f]  identified systems engineering principles that promote effective information security
are employed.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#222|A]189 ]]'''
'''Examine <br />
'''[SELECT FROM: Security planning policy; procedures addressing system security plan
development and implementation; procedures addressing system security plan reviews and
updates; enterprise architecture documentation; system security plan; records of system
security plan reviews and updates; system and communications protection policy;
procedures addressing security engineering principles used in the specification, design,
development, implementation, and modification of the system; security architecture
documentation; security requirements and specifications for the system; system design
documentation; system configuration settings and associated documentation; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with responsibility for determining information system security
requirements; personnel with information system design, development, implementation,
and modification responsibilities; personnel with security planning and system security plan
implementation responsibilities; personnel with information security responsibilities].
189
NIST SP 800-171A, pp. 53-54.
''' '''
SC.L2-3.13.2 – Security Engineering
CMMC Assessment Guide – Level 2 | Version 2.13
215
'''Test <br />
'''[SELECT FROM: Organizational processes for system security plan development, review,
update, and approval; mechanisms supporting the system security plan; processes for
applying security engineering principles in system specification, design, development,
implementation, and modification; automated mechanisms  supporting the application of
security engineering principles in information system specification, design, development,
implementation, and modification].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#223|190]] '''
Organizations apply systems security engineering principles to new development systems
or systems undergoing major upgrades. For legacy systems, organizations apply systems
security engineering principles to system upgrades and modifications to the extent feasible,
given the current state of hardware, software, and firmware components within those
systems. The application of systems security engineering concepts and principles helps to
develop trustworthy, secure, and resilient systems and system components and reduce the
susceptibility of organizations to disruptions, hazards, and threats.  Examples of these
concepts and principles include developing layered protections; establishing security
policies, architecture, and controls as the foundation for design; incorporating security
requirements into the system development life cycle; delineating physical and logical
security boundaries; ensuring that developers are trained on how to build secure software;
and performing threat modeling to identify use cases, threat agents, attack vectors and
patterns, design patterns, and compensating controls needed to mitigate risk. Organizations
that apply security engineering concepts and principles can facilitate the development of
trustworthy, secure systems, system components, and system services; reduce risk to
acceptable levels; and make informed risk-management decisions. <br />
NIST SP 800-160-1 provides guidance on systems security engineering.
'''FURTHER DISCUSSION '''
Familiarity with security engineering principles and their successful  application to your
infrastructure will increase the security of your environment.  NIST SP 800-160  ''System ''
''Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of ''
''Trustworthy Secure Systems''  can serve as a source of security engineering and design
principles. <br />
Decide which designs and principles to apply. Some will not be possible or appropriate for a
given company or for specific systems or components. <br />
Designs and principles should be applied to policies and security standards. Starting with
the  baseline configuration, they should be extended through all layers of the technology
stack (e.g.,  hardware, software, firmware) and throughout all the components of the
infrastructure.  The application of these chosen designs and principles should drive you
190
NIST SP 800-171 Rev. 2, pp. 36-37.
''' '''
SC.L2-3.13.2 – Security Engineering
CMMC Assessment Guide – Level 2 | Version 2.13
216
towards a secure architecture with the required security capabilities and intrinsic behaviors
present throughout the lifecycle of your technology. <br />
As legacy components age, it may become increasingly difficult for those components to meet
security principles and requirements. This should factor into life-cycle decisions for those
components (e.g., replacing legacy hardware, upgrading or re-writing software, upgrading
run-time environments).
'''Example <br />
'''You are responsible for developing strategies to protect data and harden your infrastructure.
You are on a team responsible for performing a major upgrade to a legacy system. You refer
to your documented security engineering principles [c]. Reviewing each, you decide which
are appropriate and applicable  [c].  You apply the chosen designs and principles when
creating your design for the upgrade [f]. <br />
You document the security requirements for the software and hardware changes to ensure
the principles are followed. You review the upgrade at critical points in the workflow to
ensure the requirements are met. You assist in updating the policies covering the use of the
upgraded system so user behavior stays aligned with the principles.
'''Potential Assessment Considerations <br />
'''•
  Does the organization have a defined system architecture [a,d]?
  Are system security engineering principles applied in the specification, design,
development and implementation of the systems [d,e,f]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.2
''' '''
SC.L2-3.13.3 – Role Separation
CMMC Assessment Guide – Level 2 | Version 2.13
217
'''SC.L2-3.13.3 – ROLE SEPARATION '''
Separate user functionality from system management functionality.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|191 ]]'''
Determine if: <br />
[a] user functionality is identified; <br />
[b] system management functionality is identified; and <br />
[c]  user functionality is separated from system management functionality.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|A]191 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
application partitioning; system design documentation; system configuration settings and
associated documentation; system security plan; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer].
'''Test <br />
'''[SELECT FROM: Separation of user functionality from system management functionality].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#225|192]] '''
System management functionality includes functions necessary to administer databases,
network components, workstations, or servers, and typically requires privileged user access.
The separation of user functionality from system management functionality is physical or
logical. Organizations can implement separation of system management functionality from
user functionality by using different computers, different central processing units, different
instances of operating systems, or different network addresses; virtualization techniques; or
combinations of these or other methods, as appropriate. This type of separation includes
web administrative interfaces that use separate authentication methods for users of any
other system resources. Separation of system and user functionality may include isolating
administrative interfaces on different domains and with additional access controls.
191
NIST SP 800-171A, p. 54.
192
NIST SP 800-171 Rev. 2, p. 37.
''' '''
SC.L2-3.13.3 – Role Separation
CMMC Assessment Guide – Level 2 | Version 2.13
218
'''FURTHER DISCUSSION '''
Prevent users and user services from accessing system management functionality on IT
components (e.g., databases, network components, workstations, servers). This reduces the
attack surface to those critical interfaces by limiting who can access and how they can be
accessed. By separating the user functionality from system management functionality, the
administrator or privileged functions are not available to the general user. <br />
The intent of this requirement is to ensure: <br />
  general users are not permitted to perform system administration functions; and
  system administrators only perform system administration functions from their
privileged account.
This can be accomplished using separation like VLANs or logical separation using strong
access control methods.
'''Example <br />
'''As a system administrator, you are responsible for managing a number of core systems.
Policy  prevents you from conducting any administration from the computer or system
account you use for day-to-day work [a,b]. The servers you manage also are isolated from
the main corporate network. To work with them you use a special unique account to connect
to a “jump” server that has access to the systems you routinely administer.
'''Potential Assessment Considerations <br />
'''•
  Are physical or logical controls used to separate user functionality from system
management-related functionality (e.g.,  to ensure that administration (e.g., privilege)
options are not available to general users) [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.3
''' '''
SC.L2-3.13.4 – Shared Resource Control
CMMC Assessment Guide – Level 2 | Version 2.13
219
'''SC.L2-3.13.4 – SHARED RESOURCE CONTROL '''
Prevent unauthorized and unintended information transfer via shared system resources.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|193 ]]'''
Determine if: <br />
[a] unauthorized and unintended information transfer via shared system resources is
prevented.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|A]193 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
application partitioning; system security plan; system  design documentation; system
configuration settings and associated documentation; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer].
'''Test <br />
'''[SELECT FROM: Separation of user functionality from system management functionality].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#227|194]] '''
The control of information in shared system resources (e.g., registers, cache memory, main
memory, hard disks) is also commonly referred to as object reuse and residual information
protection. This requirement prevents information produced by the actions of prior users or
roles (or the actions of processes acting on behalf of prior users or roles) from being available
to any current users or roles (or current processes acting on behalf of current users or roles)
that obtain access to shared system resources after those resources have been released back
to the system. This requirement also applies to encrypted representations of information.
This requirement does not address information remnants, which refers to residual
representation of data that has been nominally deleted; covert channels (including storage
or timing channels) where shared resources are manipulated to violate information flow
restrictions; or components within systems for which there are only single users or roles.
193
NIST SP 800-171A, pp. 54-55.
194
NIST SP 800-171 Rev. 2, p. 37.
''' '''
SC.L2-3.13.4 – Shared Resource Control
CMMC Assessment Guide – Level 2 | Version 2.13
220
'''FURTHER DISCUSSION '''
No shared system resource, such as cache memory, hard disks, registers, or main memory
may  pass information from one user  to another user.  In other words, when objects are
reused no residual information should exist on that object. This protects the confidentiality
of the information. This is typically a feature provided by operating system and software
vendors.
'''Example <br />
'''You are a system administrator responsible for creating and deploying the system hardening
procedures for your company’s computers. You ensure that the computer baselines include
software patches to prevent attackers from exploiting flaws in the processor architecture to
read data (e.g., the Meltdown and Spectre exploits). You also verify that the computer
operating system is configured to prevent users from accessing other users’ folders [a].
'''Potential Assessment Considerations <br />
'''•
  Are shared system resources identified and documented [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.4
''' '''
SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
221
'''SC.L2-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION [CUI DATA] '''
Implement subnetworks for publicly accessible system components that are physically or
logically separated from internal networks.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#229|195 ]]'''
Determine if: <br />
[a] publicly accessible system components are identified; and <br />
[b] subnetworks for publicly accessible system components are physically or logically
separated from internal networks.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#229|A]195 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
boundary protection; system security plan; list of key internal boundaries of the system;
system design documentation; boundary protection hardware and software; system
configuration settings and associated  documentation; enterprise security architecture
documentation; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers; personnel with boundary protection responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing boundary protection capability].
'''DISCUSSION [NIST SP 800-171 REV. 2] '''
Subnetworks that are physically or logically separated from internal networks are referred
to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control
devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-
based technologies. <br />
NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
guidance on security for virtualization technologies.
195
NIST SP 800-171A, p. 55.
''' '''
SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
222
'''FURTHER DISCUSSION[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#230|196]] '''
Separate the publicly accessible systems from the internal systems that need to be protected.
Do not place internal systems on the same network as the publicly accessible systems and
block access by default from DMZ networks to internal networks. <br />
One method of accomplishing this is to create a DMZ network, which enhances security by
providing public access to a specific set of resources while preventing connections from
those resources to the rest of the IT environment. Some OSAs achieve a similar result through
the use of a cloud computing environment that is separated from the rest of the company’s
infrastructure.
'''Example <br />
'''The head of recruiting at your company wants to launch a website to post job openings and
allow the public to download an application form [a]. After some discussion, your team
realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the
server separately from the company’s internal network and make sure the network on which
it resides is isolated with the proper firewall rules [b].
'''Potential Assessment Considerations <br />
'''•
  Are any system components reachable by the public (e.g., internet-facing web servers,
VPN gateways, publicly accessible cloud services) [a]?
  Are  publicly accessible system components on physically or logically separated
subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such
as DMZs) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.5
  FAR Clause 52.204-21 b.1.xi
''' '''
196
NIST SP 800-171 Rev. 2, pp. 37-38.
''' '''
SC.L2-3.13.6 – Network Communication by Exception
CMMC Assessment Guide – Level 2 | Version 2.13
223
'''SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION '''
Deny network communications traffic by default and allow network communications traffic
by exception (i.e., deny all, permit by exception).
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|197 ]]'''
Determine if: <br />
[a] network communications traffic is denied by default; and <br />
[b] network communications traffic is allowed by exception.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|A]197 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
boundary protection; system security plan; system design documentation; system
configuration settings and associated documentation; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer; personnel with boundary protection responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing traffic management at managed interfaces].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#231|198]] '''
This requirement applies to inbound and outbound network communications traffic at the
system boundary and at identified points within the system. A deny-all, permit-by-exception
network communications traffic policy ensures that only those connections which are
essential and approved are allowed.
'''FURTHER DISCUSSION '''
Block all traffic entering and leaving  the network,  but permit specific traffic based on
organizational policies, exceptions, or criteria. This process of permitting only authorized
traffic to the network is called whitelisting  and  limits the number of unintentional
connections to the network.
197
NIST SP 800-171A, p. 55.
198
NIST SP 800-171 Rev. 2, p. 38.
''' '''
SC.L2-3.13.6 – Network Communication by Exception
CMMC Assessment Guide – Level 2 | Version 2.13
224
This  requirement,  SC.L2-3.13.6, requires a deny-all permit by  exception approach for all
network communications. In doing so, it adds specifics for SC.L2-3.13.1, which only requires
monitoring, control, and protection of communication channels.
'''Example <br />
'''You are setting up a new environment to house CUI. To properly isolate the CUI network, you
install a firewall between it and other networks and set the firewall rules to deny all traffic
[a]. You review each service and application that runs in the new environment and determine
that you only need to allow http and https traffic outbound [b]. You test the functionality of
the required services and make some needed adjustments, then comment each firewall rule
so there is documentation of why it is required. You review the firewall rules on a regular
basis to make sure no unauthorized changes were made.
'''Potential Assessment Considerations <br />
'''•
  Are network communications traffic on relevant system components  (e.g., host and
network firewalls, routers, gateways) denied by default (e.g., configured with an implicit
deny rule that takes effect in the absence of any other matching traffic rules) [a]?
  Are network communications traffic on relevant system components (e.g., host and
network firewalls, routers, gateways) allowed by exception (e.g., configured with explicit
allow rules that takes effect only when network traffic matches one or more rules) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.6
''' '''
SC.L2-3.13.7 – Split Tunneling
CMMC Assessment Guide – Level 2 | Version 2.13
225
'''SC.L2-3.13.7 – SPLIT TUNNELING '''
Prevent remote devices from simultaneously establishing non-remote connections with
organizational systems and communicating via some other connection to resources in
external networks (i.e., split tunneling).
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|199 ]]'''
Determine if: <br />
[a] remote devices are prevented from simultaneously establishing non-remote
connections with the system and communicating via some other connection to
resources in external networks (i.e., split tunneling).
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|A]199 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
boundary protection; system security plan; system design documentation; system hardware
and software; system architecture; system configuration settings and associated
documentation; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer; personnel with boundary protection responsibilities].
'''Test <br />
'''[SELECT FROM: Mechanisms implementing boundary protection capability; mechanisms
supporting or restricting non-remote connections].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#233|200]] '''
Split tunneling might be desirable by remote users to communicate with local system
resources such as printers or file servers.  However, split tunneling allows unauthorized
external connections, making the system more vulnerable to attack and to exfiltration of
organizational information.  This requirement is implemented in remote devices (e.g.,
notebook computers, smart phones, and tablets) through configuration settings to disable
split tunneling in those devices, and by preventing configuration settings from being readily
configurable by users. This requirement is implemented in the system by the detection of
split tunneling (or of configuration settings that allow split tunneling) in the remote device,
and by prohibiting the connection if the remote device is using split tunneling.
199
NIST SP 800-171A, p. 56.
200
NIST SP 800-171 Rev. 2, p. 38.
''' '''
SC.L2-3.13.7 – Split Tunneling
CMMC Assessment Guide – Level 2 | Version 2.13
226
'''FURTHER DISCUSSION '''
Split tunneling for a  remote user utilizes two connections: accessing resources on the
internal  network via a VPN and simultaneously  accessing an external network such as a
public network or the internet. <br />
Split  tunneling presents a potential opportunity  where an open unencrypted connection
from a public network could allow an adversary to access resources on internal network. As
a mitigation strategy, the split tunneling setting should be disabled on all devices so that all
traffic, including traffic for external networks or the internet, goes through the VPN.
'''Example <br />
'''You are a system administrator responsible for configuring the network to prevent remote
users from using split tunneling. You review the configuration of remote user laptops. You
discover that remote users are able  to access files, email, database and other services
through the VPN connection while also being able to print and access resources on their local
network. You change the configuration settings for all company computers to disable split
tunneling [a]. You test a laptop that has had the new hardening procedures applied and verify
that all traffic from the laptop is now routed through the VPN connection.
'''Potential Assessment Considerations <br />
'''•
  Does the system prevent remote devices that have established connections (e.g., remote
laptops) with the system from communicating outside that communications path with
resources on uncontrolled/unauthorized networks [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.7
''' '''
SC.L2-3.13.8 – Data in Transit
CMMC Assessment Guide – Level 2 | Version 2.13
227
'''SC.L2-3.13.8 – DATA IN TRANSIT '''
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during
transmission unless otherwise protected by alternative physical safeguards. <br />
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|201 ]]'''
Determine if: <br />
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are
identified;
[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are
identified; and
[c]  either cryptographic mechanisms or alternative physical safeguards are implemented
to prevent unauthorized disclosure of CUI during transmission.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|A]201 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications  protection policy; procedures addressing
transmission confidentiality and integrity; system security plan; system design
documentation; system configuration settings and associated documentation; system audit
logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer].
'''Test <br />
'''[SELECT FROM: Cryptographic mechanisms or mechanisms supporting or implementing
transmission  confidentiality; organizational processes for defining and implementing
alternative physical safeguards]. <br />
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#235|202]] '''
This requirement applies to internal and external networks and any system components that
can transmit information including servers, notebook computers, desktop computers,
mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths
outside the physical protection of controlled boundaries are susceptible to both interception
and  modification.  Organizations relying on commercial providers offering transmission
services as commodity services rather than as fully dedicated services (i.e., services which
can be highly specialized to individual customer needs), may find it difficult to obtain the
necessary assurances regarding the implementation of the controls for transmission
201
NIST SP 800-171A, p. 56.
202
NIST SP 800-171 Rev. 2, p. 38.
''' '''
SC.L2-3.13.8 – Data in Transit
CMMC Assessment Guide – Level 2 | Version 2.13
228
confidentiality.  In such situations, organizations determine what types of confidentiality
services are available in commercial telecommunication service packages. If it is infeasible
or impractical to obtain the necessary safeguards and assurances of the effectiveness of the
safeguards through appropriate contracting vehicles, organizations implement
compensating safeguards or explicitly accept the additional risk.  An example of an
alternative physical safeguard is a protected distribution system (PDS) where the
distribution medium is protected against electronic or physical intercept, thereby ensuring
the confidentiality of the information being transmitted.
'''FURTHER DISCUSSION '''
The intent of this requirement is to ensure CUI is cryptographically protected during transit,
particularly on the internet. The most common way to accomplish this is to establish a TLS
tunnel between the source and destination using the most current version of TLS.  This
requirement  does not specify a mutually authenticated handshake, but mutual
authentication is the most secure approach to creating a tunnel. <br />
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
This requirement, SC.L2-3.13.8, requires cryptographic mechanisms be used to prevent the
disclosure of CUI in-transit and leverages SC.L2-3.13.11, which specifies that the algorithms
used must be FIPS-validated cryptography. <br />
'''Example <br />
'''You are a system administrator responsible for configuring encryption on all devices that
contain CUI. Because your users regularly store CUI on laptops and take them out of the
office, you encrypt the hard drives with a FIPS-validated encryption tool built into the
operating system. For users who need to share CUI, you install a Secure FTP server to allow
CUI to be transmitted in a compliant manner [a]. You verify that the server is using a FIPS-
validated encryption module by checking the NIST Cryptographic Module Validation
Program website  [c].  You turn on the “FIPS Compliance” setting for the server during
configuration because that is what is required for this product in order to use only FIPS-
validated cryptography [c]. <br />
'''Potential Assessment Considerations <br />
'''•
  Are cryptographic mechanisms used to prevent unauthorized disclosure of information
during transmission unless otherwise protected by alternative physical measures (e.g.,
PDS) [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.8
''' '''
SC.L2-3.13.9 – Connections Termination
CMMC Assessment Guide – Level 2 | Version 2.13
229
'''SC.L2-3.13.9 – CONNECTIONS TERMINATION '''
Terminate network connections associated with communications sessions at the end of the
sessions or after a defined period of inactivity.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|203 ]]'''
Determine if: <br />
[a] a period of inactivity to terminate network connections associated with
communications sessions is defined;
[b] network connections associated with communications sessions are terminated at the
end of the sessions; and
[c]  network connections associated with communications sessions are terminated after the
defined period of inactivity.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|A]203 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
network disconnect; system design documentation; system security plan; system
configuration settings and associated documentation; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing network disconnect capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#237|204]] '''
This requirement applies to internal and external networks.  Terminating network
connections associated with communications sessions include de-allocating associated
TCP/IP address or port pairs at the operating system level, or de-allocating networking
assignments at the application level if multiple application sessions are using a single,
operating system-level network connection.  Time periods of user inactivity may be
established by organizations and include time periods by type of network access or  for
specific network accesses.
203
NIST SP 800-171A, p. 57.
204
NIST SP 800-171 Rev. 2, pp. 38-39.
''' '''
SC.L2-3.13.9 – Connections Termination
CMMC Assessment Guide – Level 2 | Version 2.13
230
'''FURTHER DISCUSSION '''
Prevent malicious actors from taking advantage of an open network session or an
unattended computer at the end of the connection. Balance user work patterns and needs
against security to determine the length of inactivity that will force a termination. <br />
This requirement, SC.L2-3.13.9, specifies network connections be terminated under certain
conditions, which complements AC.L2-3.1.18 that specifies  control of mobile device
connections.
'''Example <br />
'''You are an administrator of a server that provides remote access. Your company’s policies
state that network connections must be terminated after being idle for 60 minutes [a]. You
edit the server configuration file and set the timeout to 60 minutes and restart the remote
access software  [c].  You test the software and verify that the  connection is terminated
appropriately.
'''Potential Assessment Considerations <br />
'''•
  Are the network connections requiring management and time-out for inactivity
documented [a]?
  Are  the network connections requiring management and time-out for inactivity
configured and implemented [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.9
''' '''
SC.L2-3.13.10 – Key Management
CMMC Assessment Guide – Level 2 | Version 2.13
231
'''SC.L2-3.13.10 – KEY MANAGEMENT '''
Establish and manage cryptographic keys for cryptography employed in organizational
systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|205 <br />
]]'''Determine if: <br />
[a] cryptographic keys are established whenever cryptography is employed; and <br />
[b] cryptographic keys are managed whenever cryptography is employed.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|A]205 ]]'''
'''Examine '''
[SELECT FROM: System and communications protection policy; procedures addressing
cryptographic key establishment and management; system security plan; system design
documentation; cryptographic mechanisms; system configuration settings and associated
documentation; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel with responsibilities for cryptographic key establishment and
management].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing cryptographic key establishment
and management].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#239|206]] <br />
'''Cryptographic key management and establishment can be performed using manual
procedures or mechanisms supported by manual procedures.  Organizations define key
management requirements in accordance with applicable federal laws, Executive Orders,
policies, directives, regulations, and standards specifying appropriate options, levels, and
parameters. <br />
NIST SP 800-56A and NIST SP 800-57-1 provide guidance on cryptographic key management
and key establishment.
'''FURTHER DISCUSSION <br />
'''Develop  processes and technical mechanisms to protect the cryptographic keys’
confidentiality, authenticity, and authorized use in accordance with industry standards and
205
NIST SP 800-171A, p. 57.
206
NIST SP 800-171 Rev. 2, p. 39.
''' '''
SC.L2-3.13.10 – Key Management
CMMC Assessment Guide – Level 2 | Version 2.13
232
regulations. Key management systems provide oversight, assurance, and the capability to
demonstrate the cryptographic keys are created in a secure manner and protected from loss
or misuse throughout their lifecycle (e.g., active, expired, revoked). For a small number of
keys, this can be accomplished with manual procedures and mechanisms. As the number of
keys and cryptographic units increase, automation and tool support will be required. <br />
The first intent of this requirement is to ensure cryptographic keys are properly created in a
secure manner that prevents them from being reproduced by an adversary.  The second
intent of this requirement is to ensure cryptographic keys are managed in a secure manner
that prevents them from being stolen by an adversary. <br />
Key establishment involves the creation of keys and coordination among parties that will use
the keys of the methodology for generating the final keying material. This is discussed in
detail in SP 800-56A, B, and C. <br />
Key management involves protecting keys when they are distributed, when they are stored,
when they are being used, and when they are being recovered. <br />
Key establishment best practices are identified in NIST SP 800-56A, B, and C. Key
management best practices are identified in NIST SP 800-57 Parts 1, 2, and 3. <br />
This  requirement, SC.L2-3.13.10, complements AC.L2-3.1.19  by specifying that any
cryptographic keys in use must be protected. <br />
'''Example 1 <br />
'''You are a system administrator responsible for providing key management. You have
generated a public-private key pair to exchange CUI [a]. You require all system
administrators to read the key management policy before you allow them to install the
private key on their machines [b]. No one else is allowed to know or have a copy of the private
key per the policy. You provide the public key to the other parties who will be sending you
CUI and test the Public Key Infrastructure (PKI) to ensure the encryption is working [a]. You
set a revocation period of one year on all your certificates per organizational policy [b]. <br />
'''Example 2 <br />
'''You encrypt all of your company’s computers using the disk encryption utility built into the
operating system. As you configure encryption on each device, it generates a cryptographic
key. You associate each key with the correct computer in your inventory spreadsheet and
restrict access to the spreadsheet to the system administrators whose work role requires
them to manage the computers [b]. <br />
'''Potential Assessment Considerations <br />
'''•
  Are cryptographic keys established whenever cryptography is employed (e.g., digital
signatures, authentication, authorization, transport, or other cryptographic
mechanisms) [a]?
  Are cryptographic keys maintained whenever cryptography is employed (e.g., key
storage, backup, recovery, revocation, destruction, etc.) [b]?
''' '''
SC.L2-3.13.10 – Key Management
CMMC Assessment Guide – Level 2 | Version 2.13
233
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.10
''' '''
SC.L2-3.13.11 – CUI Encryption
CMMC Assessment Guide – Level 2 | Version 2.13
234
'''SC.L2-3.13.11 – CUI ENCRYPTION '''
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|207 ]]'''
Determine if: <br />
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|A]207 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
cryptographic  protection; system security plan; system design documentation; system
configuration settings and associated documentation; cryptographic module validation
certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any
other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developers; personnel with responsibilities for cryptographic
protection].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#242|208]] '''
Cryptography can be employed to support many security solutions including the protection
of controlled unclassified information, the provision of digital signatures, and the
enforcement of information separation when authorized individuals have the necessary
clearances for such information but lack the necessary formal access approvals.
Cryptography can also be used to support random number generation and hash generation.
Cryptographic standards include FIPS-validated cryptography and/or NSA-approved
cryptography.
'''FURTHER DISCUSSION '''
FIPS-validated cryptography means the cryptographic module has to have been tested and
validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not
sufficient – the module (software and/or hardware) used to implement the algorithm must
be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is
207
NIST SP 800-171A, pp. 57-58.
208
NIST SP 800-171 Rev. 2, p. 39.
''' '''
SC.L2-3.13.11 – CUI Encryption
CMMC Assessment Guide – Level 2 | Version 2.13
235
required to protect CUI when transmitted or stored outside the protected environment of
the covered OSA information system (including wireless/remote access). Encryption used
for other purposes, such as within applications or devices within the protected environment
of the covered OSA information system, would not need to use FIPS-validated cryptography. <br />
This requirement, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and
SC.L2-3.13.16  by specifying that FIPS-validated cryptography must be used.  While FIPS-
validated modules and algorithms are critical for protecting CUI, in limited cases Enduring
Exceptions and temporary deficiencies may apply when implementing such cryptographic
mechanisms.
'''Example <br />
'''You are a system administrator responsible for deploying encryption on all devices that
contain CUI. You must ensure that the encryption you use on the devices is FIPS-validated
cryptography [a]. An employee informs you of a need to carry a large volume of CUI offsite
and asks for guidance on how to do so. You provide the user with disk encryption software
that you have verified via the NIST website that uses a CMVP-validated encryption module
[a]. Once the encryption software is active, the user copies the CUI data onto the drive for
transport.
'''Potential Assessment Considerations <br />
'''•
  Is cryptography implemented to protect the confidentiality of CUI at rest and in transit,
through the configuration of systems and applications or through the use of encryption
tools [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.11
''' '''
SC.L2-3.13.12 – Collaborative Device Control
CMMC Assessment Guide – Level 2 | Version 2.13
236
'''SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL '''
Prohibit remote activation of collaborative computing devices and provide indication of
devices in use to users present at the device.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|209 ]]'''
Determine if: <br />
[a] collaborative computing devices are identified; <br />
[b] collaborative computing devices provide indication to users of devices in use; and <br />
[c]  remote activation of collaborative computing devices is prohibited.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|A]209 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
collaborative computing; access control policy and procedures; system security plan; system
design documentation; system audit logs and records; system configuration settings and
associated documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer; personnel with responsibilities for managing
collaborative computing devices].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing management of remote activation
of collaborative computing devices; mechanisms providing an indication of  use of
collaborative computing devices].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#244|210]] '''
Collaborative computing devices include networked white boards, cameras, and
microphones.  Indication of use includes signals to users when collaborative computing
devices are activated.  Dedicated video conferencing systems, which rely on one of the
participants calling or connecting to the other party to activate the video conference, are
excluded.
209
NIST SP 800-171A, p. 58.
210
NIST SP 800-171 Rev. 2, p. 39.
''' '''
SC.L2-3.13.12 – Collaborative Device Control
CMMC Assessment Guide – Level 2 | Version 2.13
237
'''FURTHER DISCUSSION '''
Notification that a device is in use can include an indicator light that turns on or a specific
text window that appears on screen. If a device does not have the means to alert a user when
in use, the organization should provide manual means. Manual means can include, as
necessary: <br />
  paper notification on entryways; and
  locking entryways when a collaborative computing device is in use.
This  requirement  is not intended to include technologies that enable users to share the
contents of their computer screens via the internet. <br />
'''Example''' <br />
A group of remote employees at your company routinely collaborate using cameras and
microphones attached to their computers [a]. To prevent the misuse of these devices, you
disable the ability to turn on cameras or microphones remotely [c]. You ensure the machines
alert users when the camera or microphone are in use with a light beside the camera and an
onscreen notification [b]. Although remote activation is blocked, this enables users to see if
the devices are active.
'''Potential Assessment Considerations <br />
'''•
  Are the collaborative computing devices configured to provide indication to users when
in use (e.g., a light, text notification, or audio tone) or are users alerted before entering a
space (e.g., written notice posted outside the space) where they are in use [b]?
  Are the collaborative computing devices configured to prevent them from being turned
on without user interaction or consent [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.12
''' '''
SC.L2-3.13.13 – Mobile Code
CMMC Assessment Guide – Level 2 | Version 2.13
238
'''SC.L2-3.13.13 – MOBILE CODE '''
Control and monitor the use of mobile code.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|211 ]]'''
Determine if: <br />
[a] use of mobile code is controlled; and <br />
[b] use of mobile code is monitored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|A]211 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
mobile code; mobile code usage restrictions, mobile code implementation policy and
procedures; system audit logs and records; system security plan; list of acceptable mobile
code and mobile code technologies; list of unacceptable mobile code and mobile
technologies; authorization records; system monitoring records; system audit logs and
records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel with responsibilities for managing mobile code].
'''Test <br />
'''[SELECT FROM: Organizational process for controlling, authorizing, monitoring, and
restricting mobile code; mechanisms supporting or implementing the management of
mobile code; mechanisms supporting or implementing the monitoring of mobile code].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#246|212]] '''
Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations,
and VBScript. Decisions regarding the use of mobile code in organizational systems are based
on the potential for the code to cause damage to the systems if used maliciously.  Usage
restrictions and implementation guidance apply to the selection and use of mobile code
installed on servers and mobile code downloaded and executed on individual workstations,
notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures
address controlling or preventing the development, acquisition, or introduction of
unacceptable mobile code in systems, including requiring mobile code to be digitally signed
by a trusted source.
211
NIST SP 800-171A, pp. 58-59.
212
NIST SP 800-171 Rev. 2, pp. 39-40.
''' '''
SC.L2-3.13.13 – Mobile Code
CMMC Assessment Guide – Level 2 | Version 2.13
239
'''FURTHER DISCUSSION '''
Ensure mobile code is authorized to execute in company systems only in accordance with
policy and technical configuration, and that unauthorized mobile code is not. Monitor the use
of mobile code through boundary devices (e.g., firewalls), audit logs, or security utilities (e.g.,
mobile device management, advanced endpoint protection)  and implement remediation
activities as needed. <br />
The first intent of this requirement is to ensure the limits of mobile code usage and usage
restrictions are documented and enforced. This includes documenting all authorizations for
the use of mobile code and ensuring it is not used in other ways. Usage restrictions and
implementation guidance apply to the selection and use of mobile code installed on servers
and mobile code downloaded and executed on individual workstations and devices to
include all mobile devices and smart phones.  <br />
The second intent is to monitor the use of mobile code and implement remediation steps if
its use does not align with policy.
'''Example <br />
'''Your company has decided to prohibit the use of Flash, ActiveX, and Java plug-ins for web
browsers on all of its computers [a]. To  enforce this policy you configure the computer
baseline configuration to disable and deny the execution of mobile code [a]. You implement
an exception process to re-enable  mobile code execution only for those users with a
legitimate business need [a]. <br />
One department complains that a web application they need to perform their job no longer
works. You meet with them and verify that the web application uses ActiveX in the browser.
You submit a change request with the Change Review Board. Once the change is approved,
you reconfigure the department’s computers to allow the running of ActiveX in the browser.
You also configure the company firewall to alert you if ActiveX is used by any website but the
allowed one [b]. You set a reminder for yourself to check in with the department at the end
of the year to verify they still need that web application.
'''Potential Assessment Considerations <br />
'''•
  Are there defined limits of mobile code usage and established usage restrictions, which
specifically authorize use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, Flash,
Shockwave, Postscript, VBScript) within the information system [a]?
  Is the use of mobile code documented, monitored, and managed (e.g., Java, JavaScript,
ActiveX, PDF, Flash, Shockwave, Postscript, VBScript) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.13
''' '''
SC.L2-3.13.14 – Voice over Internet Protocol
CMMC Assessment Guide – Level 2 | Version 2.13
240
'''SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL '''
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|213 ]]'''
Determine if: <br />
[a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and <br />
[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|A]213 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
VoIP; VoIP usage restrictions; VoIP implementation guidance; system security plan; system
design documentation; system audit logs and records; system configuration settings and
associated documentation; system monitoring records; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel with responsibilities for managing VoIP].
'''Test <br />
'''[SELECT FROM: Organizational process for authorizing, monitoring, and controlling VoIP;
mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#248|214]] '''
VoIP has different requirements, features, functionality, availability, and service limitations
when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone
service).  In contrast, other telephone services are based on high-speed, digital
communications lines, such as Integrated Services Digital Network (ISDN) and Fiber
Distributed Data Interface (FDDI).  The main distinctions between POTS and non-POTS
services are speed and bandwidth.  To address the threats associated with VoIP, usage
restrictions and implementation guidelines are based on the potential for the VoIP
technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar
to those inherent with any Internet-based application. <br />
NIST SP 800-58 provides guidance on Voice Over IP Systems.
213
NIST SP 800-171A, p. 59.
214
NIST SP 800-171 Rev. 2, p. 40.
''' '''
SC.L2-3.13.14 – Voice over Internet Protocol
CMMC Assessment Guide – Level 2 | Version 2.13
241
'''FURTHER DISCUSSION '''
Controlling VoIP technologies starts with establishing guidelines and enforcing the
appropriate usage that is described in organizational policies. Monitoring should include the
users’ activity for anything other than what is permitted and authorized and detection of
insecure or unauthorized use of the VoIP technology. Security concerns for VoIP include
eavesdropping on calls and using ID spoofing to impersonate trusted individuals. <br />
Selecting a solution that can encrypt VoIP traffic is helpful in maintaining the confidentiality
and integrity of the voice data.
'''Example <br />
'''You are a system administrator responsible for the VoIP system. You configure VoIP for new
users after being notified that they have signed the Acceptable Use Policy for VoIP technology
[a].  You verify that the VoIP solution is configured to use encryption and have enabled
requirements for passwords on voice mailboxes and on phone extension management. You
require phone system administrators to log in using multifactor authentication when
managing the system [a]. You  add the VoIP software to the list of applications that are
patched monthly as needed [a,b]. Finally, you configure the VoIP system to send logs to your
log aggregator so that they can be correlated with those from other systems and examined
for signs of suspicious activity [b].
'''Potential Assessment Considerations <br />
'''•
  Are VoIP technologies (e.g., approved and managed products or solutions) that may or
may not be used in the system defined [a]?
  Is monitoring for unapproved VoIP technologies or unapproved use of the allowed VoIP
solutions employed [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.14
''' '''
SC.L2-3.13.15 – Communications Authenticity
CMMC Assessment Guide – Level 2 | Version 2.13
242
'''SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY '''
Protect the authenticity of communications sessions.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|215 ]]'''
Determine if: <br />
[a] the authenticity of communications sessions is protected.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|A]215 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
session authenticity; system security plan; system design documentation; system
configuration settings and associated documentation; system audit logs and records; other
relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities].
'''Test '''
[SELECT FROM: Mechanisms supporting or implementing session authenticity]
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#250|216]] '''
Authenticity protection includes protecting against man-in-the-middle attacks, session
hijacking, and the insertion of false information into communications sessions.  This
requirement addresses communications protection at the session versus packet level (e.g.,
sessions in service-oriented architectures providing web-based services) and establishes
grounds for confidence at both ends of communications sessions in ongoing identities of
other parties and in the validity of information transmitted. <br />
NIST SP 800-77, NIST SP 800-95, and NIST SP 800-113 provide guidance on secure
communications sessions.
'''FURTHER DISCUSSION '''
The intent of this requirement is to ensure a trust relationship is established between both
ends of a communication session. Each end can be assured that the other end is who it is
supposed to be. This is often implemented using a mutual authentication handshake when
the session is established, especially between devices.  Session authenticity is usually
215
NIST SP 800-171A, p. 59.
216
NIST SP 800-171 Rev. 2, p. 40.
''' '''
SC.L2-3.13.15 – Communications Authenticity
CMMC Assessment Guide – Level 2 | Version 2.13
243
provided by a security protocol enforced for a communication session. Choosing and
enforcing a protocol will provide authenticity throughout a communications session.
'''Example <br />
'''You are a system  administrator  responsible for  ensuring  that the two-factor user
authentication mechanism for the servers is configured correctly.  You  purchase and
maintain the digital certificate and replace it with a new one before the old one expires. You
ensure the TLS configuration settings on the web servers, VPN solution, and other
components that use TLS are correct, using secure settings that address risks against attacks
on the encrypted sessions [a].
'''Potential Assessment Considerations <br />
'''•
  Is a communications protocol used that ensures the sending and receiving parties do not
change during a communications session [a]?
  Are controls in place to validate the identities and information transmitted to protect
against man-in-the-middle attacks, session hijacking, and insertion of false information
into communications sessions [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.15
''' '''
SC.L2-3.13.16 – Data at Rest
CMMC Assessment Guide – Level 2 | Version 2.13
244
'''SC.L2-3.13.16 – DATA AT REST '''
Protect the confidentiality of CUI at rest.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|217 ]]'''
Determine if: <br />
[a] the confidentiality of CUI at rest is protected.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|A]217 ]]'''
'''Examine <br />
'''[SELECT FROM: System and communications protection policy; procedures addressing
protection of information at rest; system security plan; system design documentation; list of
information at rest requiring confidentiality protections; system configuration settings and
associated documentation; cryptographic mechanisms and associated configuration
documentation; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; system developer].
'''Test <br />
'''[SELECT FROM: Mechanisms supporting or implementing confidentiality protections for
information at rest].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#252|218]] '''
Information at rest refers to the state of information when it is not in process or in transit
and is located on storage devices as specific components of systems. The focus of protection
at rest is not on the type of storage device or the frequency of access but rather the state of
the information.  Organizations can use different mechanisms to achieve confidentiality
protections, including the use of cryptographic mechanisms and file share scanning.
Organizations may also use other controls including secure off-line storage in lieu of online
storage when adequate protection of information at rest cannot otherwise be achieved or
continuous monitoring to identify malicious code at rest.
'''FURTHER DISCUSSION '''
CUI at rest means information that is not moving through the network; typically this means
data currently stored on hard drives, media, and mobile devices. Implement the necessary
security controls to protect the confidentiality of CUI at rest.  Although an approved
217
NIST SP 800-171A, pp. 59-60.
218
NIST SP 800-171 Rev. 2, p. 40.
''' '''
SC.L2-3.13.16 – Data at Rest
CMMC Assessment Guide – Level 2 | Version 2.13
245
encryption method protects data stored at rest, there are other technical and physical
solutions. The methods chosen should depend on the environment and business needs. <br />
Implementing encryption for CUI is one approach to this requirement, but it is not
mandatory. Physical security is often employed to restrict access to CUI, particularly when it
resides on servers within a company’s offices. Other approaches for protecting CUI include
system-related protections such as configurations and rule sets for firewalls, gateways,
intrusion detection/prevention systems, filtering routers, and authenticator content that
eliminate attempts at exfiltration.  You  may also employ other security requirements
including secure off-line storage. <br />
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,
the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. <br />
This  requirement,  SC.L2-3.13.16,  specifies  confidentially be provided for CUI at rest and
complements MP.L2-3.8.9, which specifies confidentially of CUI at backup storage locations.
This  requirement,  SC.L2-3.13.16, also leverages  SC.L2-3.13.11,  which specifies that the
algorithms used must be FIPS-validated cryptography.
'''Example 1 <br />
'''Your company has a policy stating CUI must be protected at rest and you work to enforce
that policy. You research Full Disk Encryption (FDE) products that meet the FIPS encryption
requirement. After testing, you deploy the encryption to all computers to protect CUI at rest
[a].
'''Example 2 <br />
'''You have used encryption to protect the CUI on most of the computers at your company, but
you have some devices that do not support encryption. You create a policy requiring these
devices to be signed out when needed, stay in possession of the signer when checked out,
and to be signed back in and locked up in a secured closet when the user is done with the
device [a]. At the end of the day each Friday, you audit the sign-out sheet and make sure all
devices are returned to the closet.
'''Potential Assessment Considerations <br />
'''•
  Is the confidentiality of CUI at rest protected using encryption of storage devices and/or
appropriate physical methods [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.13.16
''' '''
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
246
System and Information Integrity (SI) <br />
'''SI.L2-3.14.1 – FLAW REMEDIATION [CUI DATA] '''
Identify, report, and correct system flaws in a timely manner.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|219 ]]'''
Determine if: <br />
[a] the time within which to identify system flaws is specified; <br />
[b] system flaws are identified within the specified time frame; <br />
[c]  the time within which to report system flaws is specified; <br />
[d] system flaws are reported within the specified time frame; <br />
[e] the time within which to correct system flaws is specified; and <br />
[f]  system flaws are corrected within the specified time frame.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|]219 ]]'''
'''Examine <br />
'''[SELECT FROM: System and information integrity policy; procedures addressing flaw
remediation; procedures addressing configuration management; system security plan; list
of flaws and vulnerabilities potentially affecting the system; list of recent security flaw
remediation actions performed on the system (e.g., list of installed patches, service packs,
hot fixes, and other software updates to correct system flaws); test results from the
installation of software and firmware updates to correct system flaws; installation/change
control records for security-relevant software and firmware updates; other relevant
documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for flaw remediation; personnel with configuration management
responsibility].
'''Test <br />
'''[SELECT FROM: Organizational processes for identifying, reporting, and correcting system
flaws; organizational process for installing software and firmware updates; mechanisms
219
NIST SP 800-171A, p. 61.
''' '''
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
247
supporting or implementing reporting, and correcting system flaws; mechanisms supporting
or implementing testing software and firmware updates].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#255|220]] '''
Organizations identify systems that are affected by announced software and firmware flaws
including potential vulnerabilities resulting from those flaws and report this information to
designated personnel with information security responsibilities. Security-relevant updates
include patches, service packs, hot fixes, and anti-virus signatures. Organizations address
flaws discovered during security assessments, continuous monitoring, incident response
activities, and system error handling.  Organizations can take advantage of available
resources such as the Common Weakness Enumeration (CWE) database or Common
Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in
organizational systems. <br />
Organization-defined time periods for updating security-relevant software and firmware
may vary based on a variety of factors including the criticality of the update (i.e., severity of
the vulnerability related to the discovered flaw). Some types of flaw remediation may require
more testing than other types of remediation. NIST SP 800-40 provides guidance on patch
management technologies.
'''FURTHER DISCUSSION '''
All software and firmware have potential flaws. Many vendors work to remedy those flaws
by releasing vulnerability information and updates to their software and firmware. OSAs
must have a process to review relevant vendor notifications and updates about problems or
weaknesses. After reviewing the information, the OSA must implement a patch management
process that allows for software and firmware flaws to be fixed without adversely affecting
the system functionality. OSAs must define the time frames within which flaws are identified,
reported, and corrected for all systems. OSAs should consider purchasing support from their
vendors to ensure timely access to updates.
'''Example <br />
'''You know that software vendors typically release patches, service packs, hot fixes, etc. and
want to make sure your software is up to date. You develop a policy that requires checking
vendor websites for flaw notifications every week [a]. The policy further requires that those
flaws be assessed for severity and patched on end-user computers once each week and
servers once each month [c,e]. Consistent with that policy, you configure the system to check
for updates weekly or daily depending on the criticality of the software [b,e]. Your team
reviews  available updates and implements the applicable ones  according to  the defined
schedule [f].
220
NIST SP 800-171 Rev. 2, pp. 40-41.
''' '''
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
248
'''Potential Assessment Considerations <br />
'''•
  Is the time frame (e.g., a set number of days) within which system flaw identification
activities (e.g., vulnerability scans, configuration scans, manual review) must be
performed defined and documented [a]?
  Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with
the specified time frame [b]?
  Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw)
within which system flaws must be corrected defined and documented [e]?
  Are  system flaws (e.g., applied security patches, made configuration changes, or
implemented workarounds or mitigations) corrected in accordance with the specified
time frame [f]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.1
  FAR Clause 52.204-21 b.1.xii
<br />
''' '''
SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
249
'''SI.L2-3.14.2 – MALICIOUS CODE PROTECTION [CUI DATA] '''
Provide protection from malicious code at designated locations within organizational
systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|221 ]]'''
Determine if: <br />
[a] designated locations for malicious code protection are identified; and <br />
[b] protection from malicious code at designated locations is provided.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|]221 ]]'''
'''Examine <br />
'''[SELECT FROM: System and information integrity policy; configuration management policy
and procedures; procedures addressing malicious code protection; records of malicious
code protection updates; malicious code protection mechanisms; system security plan;
system configuration settings and associated documentation; record of actions initiated by
malicious code protection mechanisms in response to malicious code detection; scan results
from malicious code protection mechanisms; system design documentation; system audit
logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for malicious code protection; personnel with configuration management
responsibility].
'''Test <br />
'''[SELECT FROM: Organizational processes for employing, updating, and configuring
malicious code protection mechanisms; organizational process for addressing false positives
and resulting potential impact; mechanisms supporting or implementing employing,
updating, and configuring malicious code protection mechanisms; mechanisms supporting
or implementing malicious code scanning and subsequent actions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#257|222]] '''
Designated locations include system entry and exit points which may include firewalls,
remote access servers, workstations, electronic mail servers, web servers, proxy servers,
notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan
horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE,
221
NIST SP 800-171A, pp. 61-62.
222
NIST SP 800-171 Rev. 2, p. 41.
''' '''
SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
250
Unicode), contained within compressed or hidden files, or hidden in files using techniques
such as steganography. Malicious code can be inserted into systems in a variety of ways
including web accesses, electronic mail, electronic mail attachments, and portable storage
devices. Malicious code insertions occur through the exploitation of system vulnerabilities. <br />
Malicious code protection mechanisms include anti-virus signature definitions and
reputation-based technologies.  A variety of technologies and methods exist to limit or
eliminate the effects of malicious code.  Pervasive configuration management and
comprehensive software integrity controls may be effective in preventing execution of
unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
be present in custom-built software. This could include logic bombs, back doors, and other
types of cyber-attacks that could affect organizational missions/business functions.
Traditional malicious code protection mechanisms cannot always detect such code. In these
situations, organizations rely instead on other safeguards including secure coding practices,
configuration management and control, trusted procurement processes, and monitoring
technologies  to help ensure that software does not perform functions other than the
functions intended. NIST SP 800-83 provides guidance on malware incident prevention.
'''FURTHER DISCUSSION '''
A designated location may be a network device such as a firewall or an end user’s computer. <br />
Malicious code, which can be delivered by a range of means (e.g., email, removable media, or
websites), includes the following: <br />
  virus – program designed to damage, steal information, change data, send email, show
messages, or any combination of these things;
  spyware – program designed to gather information about a person’s activity in secret
when they click on a link, usually installed without the person knowing ;
  trojan horse – type of malware made to look like legitimate software and used by cyber
criminals to get access to a company’s systems; and
  ransomware – type of malware that threatens to publish the victim’s data or perpetually
block access to it unless a ransom is paid.
Use anti-malware tools to stop or lessen the impact of malicious code.
'''Example <br />
'''You are buying a new computer and want to protect your company’s information from
viruses, spyware, etc. You buy and install anti-malware software [a,b].
'''Potential Assessment Considerations <br />
'''•
  Are system components (e.g., workstations, servers, email gateways, mobile devices) for
which malicious code protection must be provided identified and documented [a]?
''' '''
SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
251
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.2
  FAR Clause 52.204-21 b.1.xiii
<br />
''' '''
SI.L2-3.14.3 – Security Alerts &amp; Advisories
CMMC Assessment Guide – Level 2 | Version 2.13
252
'''SI.L2-3.14.3 – SECURITY ALERTS &amp; ADVISORIES '''
Monitor system security alerts and advisories and take action in response.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|223 ]]'''
Determine if: <br />
[a] response actions to system security alerts and advisories are identified; <br />
[b] system security alerts and advisories are monitored; and <br />
[c]  actions in response to system security alerts and advisories are taken.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|A]223 ]]'''
'''Examine '''
[SELECT FROM: System and information integrity policy; procedures addressing security
alerts, advisories, and directives; system security plan; records of security alerts and
advisories; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: Personnel with security alert and advisory responsibilities; personnel
implementing, operating, maintaining, and using the system; personnel, organizational
elements, and external organizations to whom alerts, advisories, and directives are to be
disseminated; system or network administrators; personnel with information security
responsibilities].
'''Test <br />
'''[SELECT FROM: Organizational processes for defining, receiving, generating, disseminating,
and complying with security alerts, advisories, and directives; mechanisms supporting or
implementing definition, receipt, generation, and dissemination of security alerts,
advisories, and directives; mechanisms supporting or implementing security directives].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#260|224]] '''
There are many publicly available sources of system security alerts and advisories. The
United States Computer Emergency Readiness Team (US-CERT) generates security alerts
and advisories to maintain  situational awareness across the federal government and in
nonfederal organizations. Software vendors, subscription services, and relevant industry
information sharing and analysis centers (ISACs) may also provide security alerts and
advisories. Examples of response actions include notifying relevant external organizations,
223
NIST SP 800-171A, p. 62.
224
NIST SP 800-171 Rev. 2, p. 41.
''' '''
SI.L2-3.14.3 – Security Alerts &amp; Advisories
CMMC Assessment Guide – Level 2 | Version 2.13
253
for example, external mission/business partners, supply chain partners, external service
providers, and peer or supporting organizations. <br />
NIST SP 800-161 provides guidance on supply chain risk management.
'''FURTHER DISCUSSION '''
Solicit and receive security alerts, advisories, and directives from reputable external
organizations. Identify sources relevant to the industry and technology used by your
company. Methods to receive alerts and advisories may include: <br />
  signing up for email distributions;
  subscribing to RSS feeds; and
  attending meetings.
Review alerts and advisories for applicability as they are received. The frequency of the
reviews should be based on the frequency of the alerts and advisories to ensure you have the
most up-to-date information. <br />
External alerts and advisories may prompt you to generate internal security alerts,
advisories, or directives, and share these with all personnel with a need-to-know. The
individuals should assess the risk related to a given alert and act to respond as appropriate.
Sometimes it may require a configuration update. Other times, the information may also
require adjusting system architecture in order to thwart a threat described in an advisory.
'''Example <br />
'''You  monitor  security  advisories each week.  You review the alert emails and online
subscription service alerts to determine which ones apply [b].  You create a list of the
applicable alerts and research what steps you need to take to address them. Next, you
generate a plan that you review with your change management group so that the work can
be scheduled [c].
'''Potential Assessment Considerations <br />
'''•
  Are the responses to system security alerts and advisories identified in relation to the
assessed severity of potential flaws (e.g., communicating with responsible personnel,
initiating vulnerability scans, initiating system flaw remediation activities) [a]?
  Are system security alerts and advisories addressed (e.g., assessing potential severity or
likelihood,  communicating with responsible personnel, initiating vulnerability scans,
initiating system flaw remediation activities) [a,c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.3
''' '''
''' '''
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
254
'''SI.L2-3.14.4 – UPDATE MALICIOUS CODE PROTECTION [CUI DATA] '''
Update malicious code protection mechanisms when new releases are available.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|225 ]]'''
Determine if: <br />
[a] malicious code protection mechanisms are updated when new releases are available.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|]225 ]]'''
'''Examine <br />
'''[SELECT FROM: System and information integrity policy; configuration management policy
and procedures; procedures addressing malicious code protection; malicious code
protection mechanisms; records of malicious code protection updates; system security plan;
system design documentation; system configuration settings and associated documentation;
scan results from malicious code protection mechanisms; record of actions initiated by
malicious code protection mechanisms in response to malicious code detection; system audit
logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for malicious code protection; personnel with configuration management
responsibility].
'''Test <br />
'''[SELECT FROM: Organizational processes for employing, updating, and configuring
malicious code protection mechanisms; organizational process for addressing false positives
and resulting potential impact; mechanisms supporting or implementing malicious code
protection mechanisms (including updates and configurations); mechanisms supporting or
implementing malicious code scanning and subsequent actions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#262|226]] '''
Malicious code protection mechanisms include anti-virus signature definitions and
reputation-based technologies.  A variety of technologies and methods exist to limit or
eliminate the effects of malicious code.  Pervasive configuration management and
comprehensive software integrity controls may be effective in preventing execution of
unauthorized code. In addition to commercial off-the-shelf software, malicious code may also
be present in custom-built software. This could include logic bombs, back doors, and other
types of cyber-attacks that could affect organizational missions/business functions.
225
NIST SP 800-171A, pp. 62-63.
226
NIST SP 800-171 Rev. 2, pp. 41-42.
''' '''
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
255
Traditional malicious code protection mechanisms cannot always detect such code. In these
situations, organizations rely instead on other safeguards including secure coding practices,
configuration management and control, trusted procurement processes, and monitoring
technologies  to help ensure that software does not perform functions  other than the
functions intended.
'''FURTHER DISCUSSION '''
Malware changes on an hourly or daily basis, and it is important to update detection and
protection mechanisms frequently to maintain the effectiveness of the protection.
'''Example <br />
'''You  have installed anti-malware software to protect a computer from malicious code.
Knowing that malware evolves rapidly, you configure the software to automatically check
for malware definition updates every day and update as needed [a].
'''Potential Assessment Considerations <br />
'''•
  Is there a defined frequency by which malicious code protection mechanisms must be
updated (e.g., frequency of automatic updates or manual processes) [a]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.4
  FAR Clause 52.204-21 b.1.xiv
<br />
''' '''
SI.L2-3.14.5 – System &amp; File Scanning [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
256
'''SI.L2-3.14.5 – SYSTEM &amp; FILE SCANNING [CUI DATA] '''
Perform periodic scans of organizational systems and real-time scans of files from external
sources as files are downloaded, opened, or executed.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|227 ]]'''
Determine if: <br />
[a] the frequency for malicious code scans is defined; <br />
[b] malicious code scans are performed with the defined frequency; and <br />
[c]  real-time malicious code scans of files from external sources as files are downloaded,
opened, or executed are performed.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|]227 ]]'''
'''Examine <br />
'''[SELECT FROM: System and information integrity policy; configuration management policy
and procedures; procedures addressing malicious code protection; malicious code
protection mechanisms; records of malicious code protection updates; system security plan;
system design documentation; system configuration settings and associated documentation;
scan results from malicious code protection mechanisms; record of actions initiated by
malicious code protection mechanisms in response to malicious code detection; system audit
logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT  FROM: System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for malicious code protection; personnel with configuration management
responsibility].
'''Test <br />
'''[SELECT FROM: Organizational processes for employing, updating, and configuring
malicious code protection mechanisms; organizational process for addressing false positives
and resulting potential impact; mechanisms supporting or implementing malicious code
protection mechanisms (including updates and configurations); mechanisms supporting or
implementing malicious code scanning and subsequent actions].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#264|228]] '''
Periodic scans of organizational systems and real-time scans of files from external sources
can detect malicious code.  Malicious code can be encoded in various formats (e.g.,
227
NIST SP 800-171A, p. 63.
228
NIST SP 800-171 Rev. 2, p. 42.
''' '''
SI.L2-3.14.5 – System &amp; File Scanning [CUI Data]
CMMC Assessment Guide – Level 2 | Version 2.13
257
UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using
techniques such as steganography. Malicious code can be inserted into systems in a variety
of ways including web accesses, electronic mail, electronic mail attachments, and portable
storage devices.  Malicious code insertions occur through the exploitation of system
vulnerabilities.
'''FURTHER DISCUSSION '''
Use anti-malware software to scan for and identify viruses in your computer systems and
determine how often scans are conducted. Real-time scans look at the system whenever new
files are downloaded, opened, and saved. Periodic scans check previously saved files against
updated malware information.
'''Example <br />
'''You work with your company’s email provider to enable enhanced protections that will scan
all attachments to identify and quarantine those that may be harmful prior to a user opening
them [c]. In addition, you configure  antivirus software on each computer to scan for
malicious code every day [a,b]. The software also scans files that are downloaded or copied
from removable media such as USB drives. It quarantines any suspicious files and notifies
the security team [c].
'''Potential Assessment Considerations <br />
'''•
  Are files from media (e.g., USB drives, CD-ROM) included in the definition of external
sources and are they being scanned [c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.5
  FAR Clause 52.204-21 b.1.xv
''' '''
SI.L2-3.14.6 – Monitor Communications for Attacks
CMMC Assessment Guide – Level 2 | Version 2.13
258
'''SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS '''
Monitor organizational systems, including inbound and outbound communications traffic, to
detect attacks and indicators of potential attacks.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#266|229 ]]'''
Determine if: <br />
[a] the system is monitored to detect attacks and indicators of potential attacks; <br />
[b] inbound communications traffic is monitored to detect attacks and indicators of
potential attacks; and
[c]  outbound communications traffic is monitored to detect attacks and indicators of
potential attacks.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#266|A]229 ]]'''
'''Examine <br />
'''[SELECT FROM: System and information integrity policy; procedures addressing system
monitoring tools and techniques; continuous monitoring strategy; system and information
integrity policy; procedures addressing system monitoring tools and techniques; facility
diagram or layout; system security plan; system monitoring tools and techniques
documentation; system design documentation; locations within system where monitoring
devices are deployed; system protocols; system configuration settings and associated
documentation; system audit logs and records; other relevant documents or records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility monitoring the system; personnel with responsibility for the intrusion
detection system].
'''Test <br />
'''[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or
implementing intrusion detection capability and system monitoring; mechanisms
supporting or implementing system monitoring capability; organizational processes for
intrusion detection and system monitoring; mechanisms supporting or implementing the
monitoring of inbound and outbound communications traffic].
229
NIST SP 800-171A, pp. 63-64.
''' '''
SI.L2-3.14.6 – Monitor Communications for Attacks
CMMC Assessment Guide – Level 2 | Version 2.13
259
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#267|230]] '''
System monitoring includes external and internal monitoring. External monitoring includes
the observation of events occurring at the system boundary (i.e., part of perimeter defense
and boundary protection). Internal monitoring includes the observation of events occurring
within the system.  Organizations can monitor systems, for example, by observing audit
record activities in real time or by observing other system aspects such as access patterns,
characteristics of access, and other actions.  The  monitoring objectives may guide
determination of the events. System monitoring capability is achieved through a variety of
tools and techniques (e.g., intrusion detection systems, intrusion prevention systems,
malicious code protection software, scanning tools, audit record monitoring software,
network monitoring software). Strategic locations for monitoring devices include selected
perimeter locations and near server farms supporting critical applications, with such devices
being employed at managed system interfaces. The granularity of monitoring information
collected is based on organizational monitoring objectives and the capability of systems to
support such objectives. <br />
System monitoring is an integral part of continuous monitoring and incident response
programs. Output from system monitoring serves as input to continuous monitoring and
incident response programs.  A network connection is any connection with a device that
communicates through a network (e.g., local area network, Internet). A remote connection
is any connection with a device communicating through an external network (e.g., the
Internet). Local, network, and remote connections can be either wired or wireless. <br />
Unusual or unauthorized activities or conditions related to inbound/outbound
communications traffic include internal traffic that indicates the presence of malicious code
in systems or propagating among system components, the unauthorized exporting of
information, or signaling to external systems. Evidence of malicious code is used to identify
potentially compromised systems or system components. System monitoring requirements,
including the need for specific types of system monitoring, may be referenced in other
requirements. <br />
NIST SP 800-94 provides guidance on intrusion detection and prevention systems.
'''FURTHER DISCUSSION '''
Think of indicators of attack as a set of footprints an adversary leaves during an attack.
Indicators of attack provide information on the steps the adversary followed and its intent.
Indicators of attacks on organizational systems may include: <br />
  internal traffic that indicates the presence of malicious code;
  anomalous activity detected during non-business hours;
  unauthorized data leaving the organization; and
  communicating to external information systems.
230
NIST SP 800-171 Rev. 2, pp. 42-43.
''' '''
SI.L2-3.14.6 – Monitor Communications for Attacks
CMMC Assessment Guide – Level 2 | Version 2.13
260
To detect attacks and indicators of attacks, deploy monitoring devices or agents. Place these
sensors at strategic points within the systems and networks to collect essential information.
Strategic points include internal and external system boundaries. Monitor both inbound
traffic and outbound traffic as well as actions on hosts. <br />
This requirement, SI.L2-3.14.6, provides details for the communications of organizational
systems. SI.L2-3.14.6 supports the requirement AU.L2-3.3.1, which involves creating and
retaining records for monitoring, analysis, and investigations.
'''Example <br />
'''It is your job to look for known indicators of attack or anomalous activity  within your
systems and communications traffic [a,b,c]. Because these indicators can show up in a variety
of places on your network, you have created a checklist of places to check each week. These
include the office firewall logs, the audit logs of the file server where CUI is stored, and the
connection log for your VPN gateway [b]. <br />
You conduct additional reviews when you find an indicator, or something that does not
perform as it should [a].
'''Potential Assessment Considerations <br />
'''•
  Are details provided for the methodology of determining attacks and indicators of attack
[a]?
  Are monitoring devices deployed within the information system to collect information
that may indicate an attack [a]?
  Are communications traffic flows understood and is there a deployed capability to review
that traffic [b,c]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.6
''' '''
SI.L2-3.14.7 – Identify Unauthorized Use
CMMC Assessment Guide – Level 2 | Version 2.13
261
'''SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE '''
Identify unauthorized use of organizational systems.
'''ASSESSMENT OBJECTIVES [NIST SP 800-171A][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|231 ]]'''
Determine if: <br />
[a] authorized use of the system is defined; and <br />
[b] unauthorized use of the system is identified.
'''POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171[[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|A]231 ]]'''
'''Examine <br />
'''[SELECT FROM: Continuous monitoring strategy; system and information integrity policy;
procedures addressing system monitoring tools and techniques; facility diagram/layout;
system security plan; system design documentation; system monitoring tools and
techniques documentation; locations within system where monitoring devices are deployed;
system configuration settings and associated documentation; other relevant documents or
records].
'''Interview <br />
'''[SELECT FROM: System or network administrators; personnel with information security
responsibilities; personnel installing, configuring, and maintaining the system; personnel
with responsibility for monitoring the system].
'''Test <br />
'''[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or
implementing system monitoring capability].
'''DISCUSSION [NIST SP 800-171 REV. 2][[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#269|232]] '''
System monitoring includes external and internal monitoring. System monitoring can detect
unauthorized use of organizational systems.  System monitoring is an integral part of
continuous monitoring and incident response programs. Monitoring is achieved through a
variety  of tools and techniques (e.g., intrusion detection systems, intrusion prevention
systems, malicious code protection software, scanning tools, audit record monitoring
software, network monitoring software). Output from system monitoring serves as input to
continuous monitoring and incident response programs. <br />
Unusual/unauthorized activities or conditions related to inbound and outbound
communications traffic include internal traffic that indicates the presence of malicious code
in systems or propagating among  system components, the unauthorized exporting of
231
NIST SP 800-171A, p. 64.
232
NIST SP 800-171 Rev. 2, p. 43.
''' '''
SI.L2-3.14.7 – Identify Unauthorized Use
CMMC Assessment Guide – Level 2 | Version 2.13
262
information, or signaling to external systems. Evidence of malicious code is used to identify
potentially compromised systems or system components. System monitoring requirements,
including the need for specific types of system monitoring, may be referenced in other
requirements. <br />
NIST SP 800-94 provides guidance on intrusion detection and prevention systems.
'''FURTHER DISCUSSION '''
Define authorized use of your systems. Create an acceptable use policy to  establish the
baseline for how users access devices, internal network services, and the internet. Define
authorized use by specific roles such as: user, administrator, and technician. After authorized
use is defined, identify unauthorized use of systems. <br />
Monitor systems by observing audit activities from the system logs. This can be
accomplished in real time using automated solutions or by manual means. To identify
unauthorized use, leverage existing tools and techniques, such as: <br />
  intrusion detection systems;
  intrusion prevention systems;
  malicious code protection software;
  scanning tools;
  audit record monitoring software; and
  network monitoring software.
This requirement, SI.L2-3.14.7, which deals with identifying unauthorized use of
organizational systems, is related to requirements: AC.L2-3.1.1, AU.L2-3.3.1, IA.L2-3.5.1,
and IA.L2-3.5.2. All of these requirements help create the building blocks that support
SI.L2-3.14.7.
'''Example 1 <br />
'''You are in charge of IT operations. You need to ensure that everyone using an organizational
system is authorized to do so and conforms to the written authorized use policy. To do this,
you deploy an application that monitors user activity and records the information for later
analysis. You review the data from this application for signs of activity that does not conform
to the acceptable use policy [a,b].
'''Example 2 <br />
'''You are alerted through your Intrusion Detection System (IDS) that one of your users is
connecting to a server that is from a high-risk domain (based on your commercial domain
reputation service). You investigate and determine that it’s not the user, but instead an
unauthorized connection attempt [b]. You add the domain to your list of blocked domains
to prevent connections in the future.
''' '''
SI.L2-3.14.7 – Identify Unauthorized Use
CMMC Assessment Guide – Level 2 | Version 2.13
263
'''Potential Assessment Considerations <br />
'''•
  Is authorized use of systems defined (e.g., data types permitted for storage or processing,
personnel authorized to access, times or days of permitted use, permitted software) [a]?
  Is unauthorized use of systems defined (e.g., not authorized to use systems for bitcoin
mining, not authorized for pornographic content, not authorized to access gambling
games/content) [b]?
'''KEY REFERENCES '''
  NIST SP 800-171 Rev. 2 3.14.7
''' '''
Appendix A – Acronyms and Abbreviations
CMMC Assessment Guide – Level 2 | Version 2.13
264
Appendix A – Acronyms and Abbreviations
AC
Access Control
AES
Advanced Encryption Standard
API
Application Programming Interface
AT
Awareness and Training
AU
Audit and Accountability
C3PAO
CMMC Third-Party Assessment Organization
CA
Security Assessment
CD-ROM
Compact Disk Read-Only Memory
CFR
Code of Federal Regulations
CM
Configuration Management
CMMC
Cybersecurity Maturity Model Certification
CMVP
Cryptographic Module Validation Program
CUI
Controlled Unclassified Information
CVE
Common Vulnerabilities and Exposures
CWE
Common Weakness Enumeration
DCMA
Defense Contract Management Agency
DFARS
Defense Federal Acquisition Regulation Supplement
DHC
Device Health Check
DIBCAC
Defense Industrial Base Cybersecurity Assessment Center
DMZ
Demilitarized Zone
DoD
Department of Defense
DVD
Digital Versatile Disc or Digital Video Disc
ESP
External Service Provider
FAQ
Frequently Asked Question
FAR
Federal Acquisition Regulation
FDDI
Fiber Distributed Data Interface
FDE
Full Disk Encryption 
FIPS
Federal Information Processing Standard
FTP
File Transfer Protocol
IA
Identification and Authentication
ID
Identification
IDS
Intrusion Detection System
''' '''
Appendix A – Acronyms and Abbreviations
CMMC Assessment Guide – Level 2 | Version 2.13
265
IoT
Internet of Things
IP
Internet Protocol
IPSec
Internet Protocol Security
IR
Incident Response
ISAC
Information Sharing and Analysis Center
ISDN
Integrated Services Digital Network
IT
Information Technology
LAN
Local Area Network
MA
Maintenance
MAC
Media Access Control
MDM
Mobile Device Management
MFA
Multifactor Authentication
MP
Media Protection
NARA
National Archives and Records Administration 
NAS
Networked Attached Storage
NIST
National Institute of Standards and Technology
NSA
National Security Agency
NTP
Network Time Protocol
OS
Operating System
OSA
Organization Seeking Assessment
OSC
Organization Seeking Certification
OT
Operational Technology 
PDA
Personal Digital Assistant
PE
Physical Protection
PIV
Personal Identity Verification
PKI
Public Key Infrastructure
POTS
Plain Old Telephone Service
PS
Personnel Security
RADIUS
Remote Authentication Dial-in User Service
RA
Risk Assessment
SC
System and Communications Protection
SI
System and Information Integrity
SMS
Short Message Service
SOC
Security Operations Center 
''' '''
Appendix A – Acronyms and Abbreviations
CMMC Assessment Guide – Level 2 | Version 2.13
266
SP
Special Publication
SSP
System Security Plan
TLS
Transport Layer Security
URL
Universal Resource Locator (aka Uniform Resource Locator)
USB
Universal Serial Bus
UTC
Coordinated Universal Time
UUENCODE  Unix-to-Unix Encode <br />
VLAN
Virtual Local Area Network
VoIP
Voice over Internet Protocol
VPN
Virtual Private Network
WPA2-PSK  WiFi Protected Access-Pre-shared Key
''' '''
CMMC Assessment Guide – Level 2 | Version 2.13
267
''This page intentionally left blank. ''
= Document Outline =
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#9|Introduction]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#9|Level 2 Description]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#10|Purpose and Audience]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|Assessment and Certification]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#11|Assessment Scope]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#12|CMMC-Custom Terms]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#15|Assessment Criteria and Methodology]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|Criteria]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#16|Methodology]]
*** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|Who Is Interviewed]]
*** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|What Is Examined]]
*** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|What Is Tested]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#17|Assessment Findings]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|Requirement Descriptions]]
** [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#20|Introduction]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#22|Access Control (AC)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#73|Awareness and Training (AT)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#80|Audit and Accountability (AU)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#99|Configuration Management (CM)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#120|Identification and Authentication (IA)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#144|Incident Response (IR)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#152|Maintenance (MA)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#165|Media Protection (MP)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#183|Personnel Security (PS)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#188|Physical Protection (PE)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#200|Risk Assessment (RA)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#208|Security Assessment (CA)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#219|System and Communications Protection (SC)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#254|System and Information Integrity (SI)]]
* [[f5bcd4bd1e7f429a2a5d8f204cde2d5dad9583bd.html#272|Appendix A – Acronyms and Abbreviations]]
-----
Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf

Revision as of 18:11, 25 February 2025

Source of Reference: The official CMMC Level 2 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 2 AC Practices

AC.L2-3.1.3 – CONTROL CUI FLOW

SECURITY REQUIREMENT

Control the flow of CUI in accordance with approved authorizations.

ASSESSMENT OBJECTIVES
[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.4 – SEPARATION OF DUTIES

SECURITY REQUIREMENT

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

ASSESSMENT OBJECTIVES
[a] the duties of individuals requiring separation are defined;
[b] responsibilities for duties that require separation are assigned to separate individuals; and
[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.5 – LEAST PRIVILEGE

SECURITY REQUIREMENT

Employ the principle of least privilege, including for specific security functions and privileged accounts.

ASSESSMENT OBJECTIVES
[a] privileged accounts are identified;
[b] access to privileged accounts is authorized in accordance with the principle of least privilege;
[c] security functions are identified; and
[d] access to security functions is authorized in accordance with the principle of least privilege.
DoD Assessment Scoring Value: 3
More Practice Details...

AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE

SECURITY REQUIREMENT

Use non-privileged accounts or roles when accessing nonsecurity functions.

ASSESSMENT OBJECTIVES
[a] nonsecurity functions are identified; and
[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.7 – PRIVILEGED FUNCTIONS

SECURITY REQUIREMENT

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

ASSESSMENT OBJECTIVES
[a] privileged functions are defined;
[b] non-privileged users are defined;
[c] non-privileged users are prevented from executing privileged functions; and
[d] the execution of privileged functions is captured in audit logs.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS

SECURITY REQUIREMENT

Limit unsuccessful logon attempts.

ASSESSMENT OBJECTIVES
[a] the means of limiting unsuccessful logon attempts is defined; and
[b] the defined means of limiting unsuccessful logon attempts is implemented.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES

SECURITY REQUIREMENT

Provide privacy and security notices consistent with applicable CUI rules.

ASSESSMENT OBJECTIVES
[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
[b] privacy and security notices are displayed.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.10 – SESSION LOCK

SECURITY REQUIREMENT

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

ASSESSMENT OBJECTIVES
[a] the period of inactivity after which the system initiates a session lock is defined;
[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.11 – SESSION TERMINATION

SECURITY REQUIREMENT

Terminate (automatically) a user session after a defined condition.

ASSESSMENT OBJECTIVES
[a] conditions requiring a user session to terminate are defined; and
[b] a user session is automatically terminated after any of the defined conditions
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.12 – CONTROL REMOTE ACCESS

SECURITY REQUIREMENT

Monitor and control remote access sessions.

ASSESSMENT OBJECTIVES
[a] remote access sessions are permitted;
[b] the types of permitted remote access are identified;
[c] remote access sessions are controlled; and
[d] remote access sessions are monitored.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY

SECURITY REQUIREMENT

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

ASSESSMENT OBJECTIVES
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.14 – REMOTE ACCESS ROUTING

SECURITY REQUIREMENT

Route remote access via managed access control points.

ASSESSMENT OBJECTIVES
[a] managed access control points are identified and implemented; and
[b] remote access is routed through managed network access control points.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS

SECURITY REQUIREMENT

Authorize remote execution of privileged commands and remote access to security-relevant information.

ASSESSMENT OBJECTIVES
[a] privileged commands authorized for remote execution are identified;
[b] security-relevant information authorized to be accessed remotely is identified;
[c] the execution of the identified privileged commands via remote access is authorized; and
[d] access to the identified security-relevant information via remote access is authorized.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION

SECURITY REQUIREMENT

Authorize wireless access prior to allowing such connections.

ASSESSMENT OBJECTIVES
[a] wireless access points are identified; and
[b] wireless access is authorized prior to allowing such connections.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION

SECURITY REQUIREMENT

Protect wireless access using authentication and encryption.

ASSESSMENT OBJECTIVES
[a] wireless access to the system is protected using authentication; and
[b] wireless access to the system is protected using encryption.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.18 – MOBILE DEVICE CONNECTION

SECURITY REQUIREMENT

Control connection of mobile devices.

ASSESSMENT OBJECTIVES
[a] mobile devices that process, store, or transmit CUI are identified;
[b] mobile device connections are authorized; and
[c] mobile device connections are monitored and logged.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE

SECURITY REQUIREMENT

Encrypt CUI on mobile devices and mobile computing platforms.

ASSESSMENT OBJECTIVES
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
DoD Assessment Scoring Value: 3
More Practice Details...

AC.L2-3.1.21 – PORTABLE STORAGE USE

SECURITY REQUIREMENT

Limit use of portable storage devices on external systems.

ASSESSMENT OBJECTIVES
[a] the use of portable storage devices containing CUI on external systems is identified and documented;
[b] limits on the use of portable storage devices containing CUI on external systems are defined; and
[c] the use of portable storage devices containing CUI on external systems is limited as defined.
DoD Assessment Scoring Value: 1
More Practice Details...

Awareness and Training (AT)

Level 2 AT Practices

AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS

SECURITY REQUIREMENT

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

ASSESSMENT OBJECTIVES
[a] security risks associated with organizational activities involving CUI are identified;
[b] policies, standards, and procedures related to the security of the system are identified;
[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
DoD Assessment Scoring Value: 5
More Practice Details...

AT.L2-3.2.2 – ROLE-BASED TRAINING

SECURITY REQUIREMENT

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-

ASSESSMENT OBJECTIVES
[a] information security-related duties, roles, and responsibilities are defined;
[b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
DoD Assessment Scoring Value: 5
More Practice Details...

AT.L2-3.2.3 – INSIDER THREAT AWARENESS

SECURITY REQUIREMENT

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

ASSESSMENT OBJECTIVES
[a] potential indicators associated with insider threats are identified; and
[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
DoD Assessment Scoring Value: 1
More Practice Details...

Audit and Accountability (AU)

Level 2 AU Practices

AU.L2-3.3.1 – SYSTEM AUDITING

SECURITY REQUIREMENT

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

ASSESSMENT OBJECTIVES
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
[c] audit records are created (generated);
[d] audit records, once created, contain the defined content;
[e] retention requirements for audit records are defined; and
[f] audit records are retained as defined.
DoD Assessment Scoring Value: 5
More Practice Details...

AU.L2-3.3.2 – USER ACCOUNTABILITY

SECURITY REQUIREMENT

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

ASSESSMENT OBJECTIVES
[a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
[b] audit records, once created, contain the defined content.
DoD Assessment Scoring Value: 3
More Practice Details...

AU.L2-3.3.3 – EVENT REVIEW

SECURITY REQUIREMENT

Review and update logged events.

ASSESSMENT OBJECTIVES
[a] a process for determining when to review logged events is defined;
[b] event types being logged are reviewed in accordance with the defined review process; and
[c] event types being logged are updated based on the review.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.4 – AUDIT FAILURE ALERTING

SECURITY REQUIREMENT

Alert in the event of an audit logging process failure.

ASSESSMENT OBJECTIVES
[a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
[b] types of audit logging process failures for which alert will be generated are defined; and
[c] identified personnel or roles are alerted in the event of an audit logging process failure.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.5 – AUDIT CORRELATION

SECURITY REQUIREMENT

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

ASSESSMENT OBJECTIVES
[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
[b] defined audit record review, analysis, and reporting processes are correlated.
DoD Assessment Scoring Value: 5
More Practice Details...

AU.L2-3.3.6 – REDUCTION & REPORTING

SECURITY REQUIREMENT

Provide audit record reduction and report generation to support on-demand analysis and reporting.

ASSESSMENT OBJECTIVES
[a] an audit record reduction capability that supports on-demand analysis is provided; and
[b] a report generation capability that supports on-demand reporting is provided.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE

SECURITY REQUIREMENT

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

ASSESSMENT OBJECTIVES
[a] internal system clocks are used to generate time stamps for audit records;
[b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
[c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.8 – AUDIT PROTECTION

SECURITY REQUIREMENT

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

ASSESSMENT OBJECTIVES
[a] audit information is protected from unauthorized access;
[b] audit information is protected from unauthorized modification;
[c] audit information is protected from unauthorized deletion;
[d] audit logging tools are protected from unauthorized access;
[e] audit logging tools are protected from unauthorized modification; and
[f] audit logging tools are protected from unauthorized deletion.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.9 – AUDIT MANAGEMENT

SECURITY REQUIREMENT

Limit management of audit logging functionality to a subset of privileged users.

ASSESSMENT OBJECTIVES
[a] a subset of privileged users granted access to manage audit logging functionality is defined; and
[b] management of audit logging functionality is limited to the defined subset of privileged users.
DoD Assessment Scoring Value: 1
More Practice Details...

Configuration Management (CM)

Level 2 CM Practices

CM.L2-3.4.1 – SYSTEM BASELINING

SECURITY REQUIREMENT

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

ASSESSMENT OBJECTIVES
[a] a baseline configuration is established;
[b] the baseline configuration includes hardware, software, firmware, and documentation;
[c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
[d] a system inventory is established;
[e] the system inventory includes hardware, software, firmware, and documentation; and
[f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT

SECURITY REQUIREMENT

Establish and enforce security configuration settings for information technology products employed in organizational systems.

ASSESSMENT OBJECTIVES
[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
[b] security configuration settings for information technology products employed in the system are enforced.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT

SECURITY REQUIREMENT

Track, review, approve or disapprove, and log changes to organizational systems.

ASSESSMENT OBJECTIVES
[a] changes to the system are tracked;
[b] changes to the system are reviewed;
[c] changes to the system are approved or disapproved; and
[d] changes to the system are logged.
DoD Assessment Scoring Value: 1
More Practice Details...

CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS

SECURITY REQUIREMENT

Analyze the security impact of changes prior to implementation.

ASSESSMENT OBJECTIVES
[a] the security impact of changes to the system is analyzed prior to implementation.
DoD Assessment Scoring Value: 1
More Practice Details...

CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE

SECURITY REQUIREMENT

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

ASSESSMENT OBJECTIVES
[a] physical access restrictions associated with changes to the system are defined;
[b] physical access restrictions associated with changes to the system are documented;
[c] physical access restrictions associated with changes to the system are approved;
[d] physical access restrictions associated with changes to the system are enforced;
[e] logical access restrictions associated with changes to the system are defined;
[f] logical access restrictions associated with changes to the system are documented;
[g] logical access restrictions associated with changes to the system are approved; and
[h] logical access restrictions associated with changes to the system are enforced.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.6 – LEAST FUNCTIONALITY

SECURITY REQUIREMENT

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

ASSESSMENT OBJECTIVES
[a] essential system capabilities are defined based on the principle of least functionality; and
[b] the system is configured to provide only the defined essential capabilities.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY

SECURITY REQUIREMENT

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

ASSESSMENT OBJECTIVES
[a] essential programs are defined;
[b] the use of nonessential programs is defined;
[c] the use of nonessential programs is restricted, disabled, or prevented as defined;
[d] essential functions are defined;
[e] the use of nonessential functions is defined;
[f] the use of nonessential functions is restricted, disabled, or prevented as defined;
[g] essential ports are defined;
[h] the use of nonessential ports is defined;
[i] the use of nonessential ports is restricted, disabled, or prevented as defined;
[j] essential protocols are defined;
[k] the use of nonessential protocols is defined;
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
[m] essential services are defined;
[n] the use of nonessential services is defined; and
[o] the use of nonessential services is restricted, disabled, or prevented as defined.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.8 – APPLICATION EXECUTION POLICY

SECURITY REQUIREMENT

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

ASSESSMENT OBJECTIVES
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.9 – USER-INSTALLED SOFTWARE

SECURITY REQUIREMENT

Control and monitor user-installed software.

ASSESSMENT OBJECTIVES
[a] a policy for controlling the installation of software by users is established;
[b] installation of software by users is controlled based on the established policy; and
[c] installation of software by users is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

Identification and Authentication (IA)

Level 2 IA Practices

IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION

SECURITY REQUIREMENT

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

ASSESSMENT OBJECTIVES
[a] privileged accounts are identified;
[b] multifactor authentication is implemented for local access to privileged accounts;
[c] multifactor authentication is implemented for network access to privileged accounts; and
[d] multifactor authentication is implemented for network access to non-privileged accounts.
DoD Assessment Scoring Value: 5
More Practice Details...

IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION

SECURITY REQUIREMENT

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

ASSESSMENT OBJECTIVES
[a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.5 – IDENTIFIER REUSE

SECURITY REQUIREMENT

Prevent reuse of identifiers for a defined period.

ASSESSMENT OBJECTIVES
[a] a period within which identifiers cannot be reused is defined; and
[b] reuse of identifiers is prevented within the defined period.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.6 – IDENTIFIER HANDLING

SECURITY REQUIREMENT

Disable identifiers after a defined period of inactivity.

ASSESSMENT OBJECTIVES
[a] a period of inactivity after which an identifier is disabled is defined; and
[b] identifiers are disabled after the defined period of inactivity.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.7 – PASSWORD COMPLEXITY

SECURITY REQUIREMENT

Enforce a minimum password complexity and change of characters when new passwords are created.

ASSESSMENT OBJECTIVES
[a] password complexity requirements are defined;
[b] password change of character requirements are defined;
[c] minimum password complexity requirements as defined are enforced when new passwords are created; and
[d] minimum password change of character requirements as defined are enforced when new passwords are created.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.8 – PASSWORD REUSE

SECURITY REQUIREMENT

Prohibit password reuse for a specified number of generations.

ASSESSMENT OBJECTIVES
[a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.9 – TEMPORARY PASSWORDS

SECURITY REQUIREMENT

Allow temporary password use for system logons with an immediate change to a permanent password.

ASSESSMENT OBJECTIVES
[a] an immediate change to a permanent password is required when a temporary password is used for system logon.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS

SECURITY REQUIREMENT

Store and transmit only cryptographically-protected passwords.

ASSESSMENT OBJECTIVES
[a] passwords are cryptographically protected in storage; and
[b] passwords are cryptographically protected in transit.
DoD Assessment Scoring Value: 5
More Practice Details...

IA.L2-3.5.11 – OBSCURE FEEDBACK

SECURITY REQUIREMENT

Obscure feedback of authentication information.

ASSESSMENT OBJECTIVES
[a] authentication information is obscured during the authentication process.
DoD Assessment Scoring Value: 1
More Practice Details...

Incident Response (IR)

Level 2 IR Practices

IR.L2-3.6.1 – INCIDENT HANDLING

SECURITY REQUIREMENT

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

ASSESSMENT OBJECTIVES
[a] an operational incident-handling capability is established;
[b] the operational incident-handling capability includes preparation;
[c] the operational incident-handling capability includes detection;
[d] the operational incident-handling capability includes analysis;
[e] the operational incident-handling capability includes containment;
[f] the operational incident-handling capability includes recovery; and
[g] the operational incident-handling capability includes user response
DoD Assessment Scoring Value: 5
More Practice Details...

IR.L2-3.6.2 – INCIDENT REPORTING

SECURITY REQUIREMENT

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

ASSESSMENT OBJECTIVES
[a] incidents are tracked;
[b] incidents are documented;
[c] authorities to whom incidents are to be reported are identified;
[d] organizational officials to whom incidents are to be reported are identified;
[e] identified authorities are notified of incidents; and
[f] identified organizational officials are notified of incidents.
DoD Assessment Scoring Value: 5
More Practice Details...

IR.L2-3.6.3 – INCIDENT RESPONSE TESTING

SECURITY REQUIREMENT

Test the organizational incident response capability.

ASSESSMENT OBJECTIVES
[a] the incident response capability is tested.
DoD Assessment Scoring Value: 1
More Practice Details...

Maintenance (MA)

Level 2 MA Practices

MA.L2-3.7.1 – PERFORM MAINTENANCE

SECURITY REQUIREMENT

Perform maintenance on organizational systems.

ASSESSMENT OBJECTIVES
[a] system maintenance is performed.
DoD Assessment Scoring Value: 3
More Practice Details...

MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL

SECURITY REQUIREMENT

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

ASSESSMENT OBJECTIVES
[a] tools used to conduct system maintenance are controlled;
[b] techniques used to conduct system maintenance are controlled;
[c] mechanisms used to conduct system maintenance are controlled; and
[d] personnel used to conduct system maintenance are controlled.
DoD Assessment Scoring Value: 5
More Practice Details...

MA.L2-3.7.3 – EQUIPMENT SANITIZATION

SECURITY REQUIREMENT

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

ASSESSMENT OBJECTIVES
[a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
DoD Assessment Scoring Value: 1
More Practice Details...

MA.L2-3.7.4 – MEDIA INSPECTION

SECURITY REQUIREMENT

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

ASSESSMENT OBJECTIVES
[a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
DoD Assessment Scoring Value: 3
More Practice Details...

MA.L2-3.7.5 – NONLOCAL MAINTENANCE

SECURITY REQUIREMENT

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

ASSESSMENT OBJECTIVES
[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
DoD Assessment Scoring Value: 1
More Practice Details...

MA.L2-3.7.6 – MAINTENANCE PERSONNEL

SECURITY REQUIREMENT

Supervise the maintenance activities of maintenance personnel without required access authorization.

ASSESSMENT OBJECTIVES
[a] maintenance personnel without required access authorization are supervised during maintenance activities.
DoD Assessment Scoring Value: 1
More Practice Details...

Media Protection (MP)

Level 2 MP Practices

MP.L2-3.8.1 – MEDIA PROTECTION

SECURITY REQUIREMENT

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

ASSESSMENT OBJECTIVES
[a] paper media containing CUI is physically controlled;
[b] digital media containing CUI is physically controlled;
[c] paper media containing CUI is securely stored; and
[d] digital media containing CUI is securely stored.
DoD Assessment Scoring Value: 3
More Practice Details...

MP.L2-3.8.2 – MEDIA ACCESS

SECURITY REQUIREMENT

Limit access to CUI on system media to authorized users.

ASSESSMENT OBJECTIVES
[a] access to CUI on system media is limited to authorized users.
DoD Assessment Scoring Value: 3
More Practice Details...

MP.L2-3.8.4 – MEDIA MARKINGS

SECURITY REQUIREMENT

Mark media with necessary CUI markings and distribution limitations.

ASSESSMENT OBJECTIVES
[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.
DoD Assessment Scoring Value: 1
More Practice Details...

MP.L2-3.8.5 – MEDIA ACCOUNTABILITY

SECURITY REQUIREMENT

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

ASSESSMENT OBJECTIVES
[a] access to media containing CUI is controlled; and
[b] accountability for media containing CUI is maintained during transport outside of controlled areas.
DoD Assessment Scoring Value: 1
More Practice Details...

MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION

SECURITY REQUIREMENT

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

ASSESSMENT OBJECTIVES
[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
DoD Assessment Scoring Value: 1
More Practice Details...

MP.L2-3.8.7 – REMOVEABLE MEDIA

SECURITY REQUIREMENT

Control the use of removable media on system components.

ASSESSMENT OBJECTIVES
[a] the use of removable media on system components is controlled.
DoD Assessment Scoring Value: 5
More Practice Details...

MP.L2-3.8.8 – SHARED MEDIA

SECURITY REQUIREMENT

Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES

ASSESSMENT OBJECTIVES
[a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
DoD Assessment Scoring Value: 3
More Practice Details...

MP.L2-3.8.9 – PROTECT BACKUPS

SECURITY REQUIREMENT

Protect the confidentiality of backup CUI at storage locations.

ASSESSMENT OBJECTIVES
[a] the confidentiality of backup CUI is protected at storage locations.
DoD Assessment Scoring Value: 1
More Practice Details...

Personnel Security (PS)

Level 2 PS Practices

PS.L2-3.9.1 – SCREEN INDIVIDUALS

SECURITY REQUIREMENT

Screen individuals prior to authorizing access to organizational systems containing CUI.

ASSESSMENT OBJECTIVES
[a] individuals are screened prior to authorizing access to organizational systems containing CUI.
DoD Assessment Scoring Value: 3
More Practice Details...

PS.L2-3.9.2 – PERSONNEL ACTIONS

SECURITY REQUIREMENT

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

ASSESSMENT OBJECTIVES
[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
[c] the system is protected during and after personnel transfer actions.
DoD Assessment Scoring Value: 5
More Practice Details...

Physical Protection (PE)

Level 2 PE Practices

PE.L2-3.10.2 – MONITOR FACILITY

SECURITY REQUIREMENT

Protect and monitor the physical facility and support infrastructure for organizational systems.

ASSESSMENT OBJECTIVES
[a] the physical facility where organizational systems reside is protected;
[b] the support infrastructure for organizational systems is protected;
[c] the physical facility where organizational systems reside is monitored; and
[d] the support infrastructure for organizational systems is monitored.
DoD Assessment Scoring Value: 5
More Practice Details...

PE.L2-3.10.6 – ALTERNATIVE WORK SITES

SECURITY REQUIREMENT

Enforce safeguarding measures for CUI at alternate work sites.

ASSESSMENT OBJECTIVES
[a] safeguarding measures for CUI are defined for alternate work sites; and
[b] safeguarding measures for CUI are enforced for alternate work sites.
DoD Assessment Scoring Value: 1
More Practice Details...

Risk Assessment (RA)

Level 2 RA Practices

RA.L2-3.11.1 – RISK ASSESSMENTS

SECURITY REQUIREMENT

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

ASSESSMENT OBJECTIVES
[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
DoD Assessment Scoring Value: 3
More Practice Details...

RA.L2-3.11.2 – VULNERABILITY SCAN

SECURITY REQUIREMENT

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

ASSESSMENT OBJECTIVES
[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
[b] vulnerability scans are performed on organizational systems with the defined frequency;
[c] vulnerability scans are performed on applications with the defined frequency;
[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
[e] vulnerability scans are performed on applications when new vulnerabilities are

identified.

DoD Assessment Scoring Value: 5
More Practice Details...

RA.L2-3.11.3 – VULNERABILITY REMEDIATION

SECURITY REQUIREMENT

Remediate vulnerabilities in accordance with risk assessments.

ASSESSMENT OBJECTIVES
[a] vulnerabilities are identified; and
[b] vulnerabilities are remediated in accordance with risk assessments.
DoD Assessment Scoring Value: 1
More Practice Details...

Security Assessment (CA)

Level 2 CA Practices

CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT

SECURITY REQUIREMENT

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

ASSESSMENT OBJECTIVES
[a] the frequency of security control assessments is defined; and
[b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
DoD Assessment Scoring Value: 5
More Practice Details...

CA.L2-3.12.2 – PLAN OF ACTION

SECURITY REQUIREMENT

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

ASSESSMENT OBJECTIVES
[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
[c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
DoD Assessment Scoring Value: 3
More Practice Details...

CA.L2-3.12.3 – SECURITY CONTROL MONITORING

SECURITY REQUIREMENT

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

ASSESSMENT OBJECTIVES
[a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
DoD Assessment Scoring Value: 5
More Practice Details...

CA.L2-3.12.4 – SYSTEM SECURITY PLAN

SECURITY REQUIREMENT

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

ASSESSMENT OBJECTIVES
[a] a system security plan is developed;
[b] the system boundary is described and documented in the system security plan;
[c] the system environment of operation is described and documented in the system security plan;
[d] the security requirements identified and approved by the designated authority as non-applicable are identified;
[e] the method of security requirement implementation is described and documented in the system security plan;
[f] the relationship with or connection to other systems is described and documented in the system security plan;
[g] the frequency to update the system security plan is defined; and
[h] system security plan is updated with the defined frequency.
DoD Assessment Scoring Value: NA
More Practice Details...

System and Communications Protection (SC)

Level 2 SC Practices

SC.L2-3.13.2 – SECURITY ENGINEERING

SECURITY REQUIREMENT

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

ASSESSMENT OBJECTIVES
[a] architectural designs that promote effective information security are identified;
[b] software development techniques that promote effective information security are identified;
[c] systems engineering principles that promote effective information security are identified;
[d] identified architectural designs that promote effective information security are employed;
[e] identified software development techniques that promote effective information security are employed; and
[f] identified systems engineering principles that promote effective information security are employed.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L2-3.13.3 – ROLE SEPARATION

SECURITY REQUIREMENT

Separate user functionality from system management functionality.

ASSESSMENT OBJECTIVES
[a] user functionality is identified;
[b] system management functionality is identified; and
[c] user functionality is separated from system management functionality.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.4 – SHARED RESOURCE CONTROL

SECURITY REQUIREMENT

Prevent unauthorized and unintended information transfer via shared system resources.

ASSESSMENT OBJECTIVES
[a] unauthorized and unintended information transfer via shared system resources is

prevented.

DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION

SECURITY REQUIREMENT

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

ASSESSMENT OBJECTIVES
[a] network communications traffic is denied by default; and
[b] network communications traffic is allowed by exception.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L2-3.13.7 – SPLIT TUNNELING

SECURITY REQUIREMENT

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

ASSESSMENT OBJECTIVES
[a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.8 – DATA IN TRANSIT

SECURITY REQUIREMENT

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

ASSESSMENT OBJECTIVES
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
[c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
DoD Assessment Scoring Value: 3
More Practice Details...

SC.L2-3.13.9 – CONNECTIONS TERMINATION

SECURITY REQUIREMENT

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

ASSESSMENT OBJECTIVES
[a] a period of inactivity to terminate network connections associated with communications sessions is defined;
[b] network connections associated with communications sessions are terminated at the end of the sessions; and
[c] network connections associated with communications sessions are terminated after the defined period of inactivity.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.10 – KEY MANAGEMENT

SECURITY REQUIREMENT

Establish and manage cryptographic keys for cryptography employed in organizational systems.

ASSESSMENT OBJECTIVES
[a] cryptographic keys are established whenever cryptography is employed; and
[b] cryptographic keys are managed whenever cryptography is employed.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.11 – CUI ENCRYPTION

SECURITY REQUIREMENT

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

ASSESSMENT OBJECTIVES
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
DoD Assessment Scoring Value: 3 to 5
More Practice Details...

SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL

SECURITY REQUIREMENT

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

ASSESSMENT OBJECTIVES
[a] collaborative computing devices are identified;
[b] collaborative computing devices provide indication to users of devices in use; and
[c] remote activation of collaborative computing devices is prohibited.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.13 – MOBILE CODE

SECURITY REQUIREMENT

Control and monitor the use of mobile code.

ASSESSMENT OBJECTIVES
[a] use of mobile code is controlled; and
[b] use of mobile code is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL

SECURITY REQUIREMENT

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

ASSESSMENT OBJECTIVES
[a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY

SECURITY REQUIREMENT

Protect the authenticity of communications sessions.

ASSESSMENT OBJECTIVES
[a] the authenticity of communications sessions is protected.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L2-3.13.16 – DATA AT REST

SECURITY REQUIREMENT

Protect the confidentiality of CUI at rest.

ASSESSMENT OBJECTIVES
[a] the confidentiality of CUI at rest is protected.
DoD Assessment Scoring Value: 1
More Practice Details...

System and Information Integrity (SI)

Level 2 SI Practices

SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES

SECURITY REQUIREMENT

Monitor system security alerts and advisories and take action in response.

ASSESSMENT OBJECTIVES
[a] response actions to system security alerts and advisories are identified;
[b] system security alerts and advisories are monitored; and
[c] actions in response to system security alerts and advisories are taken.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS

SECURITY REQUIREMENT

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

ASSESSMENT OBJECTIVES
[a] the system is monitored to detect attacks and indicators of potential attacks;
[b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
[c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE

SECURITY REQUIREMENT

Identify unauthorized use of organizational systems.

ASSESSMENT OBJECTIVES
[a] authorized use of the system is defined; and
[b] unauthorized use of the system is identified.
DoD Assessment Scoring Value: 3
More Practice Details...




Version 2.13 | September 2024

DoD-CIO-00003 (ZRIN 0790-ZA19)

CMMC Assessment Guide

Level 2

24-T-0461





CMMC Assessment Guide – Level 2 | Version 2.13

ii

NOTICES

The contents of this document do not have the force and effect of law and are not meant to

bind the public in any way. This document is intended only to provide clarity to the public

regarding existing requirements under the law or departmental policies.

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.







CMMC Assessment Guide – Level 2 | Version 2.13

iii

TABLE OF CONTENTS

Introduction ............................................................................................................................ 1

Level 2 Description ..................................................................................................................... 1
Purpose and Audience ............................................................................................................... 2

Assessment and Certification .................................................................................................. 3

Assessment Scope ...................................................................................................................... 3

CMMC-Custom Terms .............................................................................................................. 4

Assessment Criteria and Methodology .................................................................................... 7

Criteria ....................................................................................................................................... 8
Methodology ............................................................................................................................. 8
Assessment Findings .................................................................................................................. 9

Requirement Descriptions ..................................................................................................... 12

Introduction ............................................................................................................................. 12

Access Control (AC)................................................................................................................ 14

AC.L2-3.1.1 – Authorized Access Control [CUI Data] ........................................................................... 14
AC.L2-3.1.2 – Transaction & Function Control .................................................................................... 17
AC.L2-3.1.3 – Control CUI Flow ............................................................................................................ 19
AC.L2-3.1.4 – Separation of Duties ...................................................................................................... 22
AC.L2-3.1.5 – Least Privilege ................................................................................................................ 24
AC.L2-3.1.6 – Non-Privileged Account Use .......................................................................................... 27
AC.L2-3.1.7 – Privileged Functions ...................................................................................................... 29
AC.L2-3.1.8 – Unsuccessful Logon Attempts ....................................................................................... 32
AC.L2-3.1.9 – Privacy & Security Notices ............................................................................................. 34
AC.L2-3.1.10 – Session Lock ................................................................................................................. 36
AC.L2-3.1.11 – Session Termination .................................................................................................... 38
AC.L2-3.1.12 – Control Remote Access ............................................................................................... 40
AC.L2-3.1.13 – Remote Access Confidentiality .................................................................................... 43
AC.L2-3.1.14 – Remote Access Routing ............................................................................................... 45
AC.L2-3.1.15 – Privileged Remote Access ............................................................................................ 47







CMMC Assessment Guide – Level 2 | Version 2.13

iv

AC.L2-3.1.16 – Wireless Access Authorization .................................................................................... 50
AC.L2-3.1.17 – Wireless Access Protection ......................................................................................... 52
AC.L2-3.1.18 – Mobile Device Connection .......................................................................................... 54
AC.L2-3.1.19 – Encrypt CUI on Mobile ................................................................................................. 56
AC.L2-3.1.20 – External Connections [CUI Data] ................................................................................. 58
AC.L2-3.1.21 – Portable Storage Use ................................................................................................... 61
AC.L2-3.1.22 – Control Public Information [CUI Data] ........................................................................ 63

Awareness and Training (AT) ................................................................................................. 65

AT.L2-3.2.1 – Role-Based Risk Awareness ........................................................................................... 65
AT.L2-3.2.2 – Role-Based Training ....................................................................................................... 68
AT.L2-3.2.3 – Insider Threat Awareness .............................................................................................. 70

Audit and Accountability (AU) ............................................................................................... 72

AU.L2-3.3.1 – System Auditing ............................................................................................................ 72
AU.L2-3.3.2 – User Accountability ....................................................................................................... 75
AU.L2-3.3.3 – Event Review ................................................................................................................. 77
AU.L2-3.3.4 – Audit Failure Alerting .................................................................................................... 79
AU.L2-3.3.5 – Audit Correlation ........................................................................................................... 81
AU.L2-3.3.6 – Reduction & Reporting .................................................................................................. 83
AU.L2-3.3.7 – Authoritative Time Source ............................................................................................ 85
AU.L2-3.3.8 – Audit Protection ............................................................................................................ 87
AU.L2-3.3.9 – Audit Management ....................................................................................................... 89

Configuration Management (CM) .......................................................................................... 91

CM.L2-3.4.1 – System Baselining ......................................................................................................... 91
CM.L2-3.4.2 – Security Configuration Enforcement ............................................................................ 94
CM.L2-3.4.3 – System Change Management ...................................................................................... 96
CM.L2-3.4.4 – Security Impact Analysis ............................................................................................... 98
CM.L2-3.4.5 – Access Restrictions for Change .................................................................................. 100
CM.L2-3.4.6 – Least Functionality ..................................................................................................... 103
CM.L2-3.4.7 – Nonessential Functionality ......................................................................................... 105
CM.L2-3.4.8 – Application Execution Policy ...................................................................................... 108
CM.L2-3.4.9 – User-Installed Software .............................................................................................. 110







CMMC Assessment Guide – Level 2 | Version 2.13

v

Identification and Authentication (IA) .................................................................................. 112

IA.L2-3.5.1 – Identification [CUI Data] ............................................................................................... 112
IA.L2-3.5.2 – Authentication [CUI Data] ............................................................................................ 114
IA.L2-3.5.3 – Multifactor Authentication ........................................................................................... 117
IA.L2-3.5.4 – Replay-Resistant Authentication .................................................................................. 120
IA.L2-3.5.5 – Identifier Reuse ............................................................................................................ 122
IA.L2-3.5.6 – Identifier Handling ........................................................................................................ 124
IA.L2-3.5.7 – Password Complexity ................................................................................................... 126
IA.L2-3.5.8 – Password Reuse ............................................................................................................ 128
IA.L2-3.5.9 – Temporary Passwords .................................................................................................. 130
IA.L2-3.5.10 – Cryptographically-Protected Passwords .................................................................... 132
IA.L2-3.5.11 – Obscure Feedback ...................................................................................................... 134

Incident Response (IR) .......................................................................................................... 136

IR.L2-3.6.1 – Incident Handling .......................................................................................................... 136
IR.L2-3.6.2 – Incident Reporting ........................................................................................................ 139
IR.L2-3.6.3 – Incident Response Testing ............................................................................................ 142

Maintenance (MA) ............................................................................................................... 144

MA.L2-3.7.1 – Perform Maintenance ................................................................................................ 144
MA.L2-3.7.2 – System Maintenance Control ..................................................................................... 146
MA.L2-3.7.3 – Equipment Sanitization .............................................................................................. 148
MA.L2-3.7.4 – Media Inspection ........................................................................................................ 150
MA.L2-3.7.5 – Nonlocal Maintenance ............................................................................................... 152
MA.L2-3.7.6 – Maintenance Personnel ............................................................................................. 155

Media Protection (MP) ......................................................................................................... 157

MP.L2-3.8.1 – Media Protection ........................................................................................................ 157
MP.L2-3.8.2 – Media Access .............................................................................................................. 159
MP.L2-3.8.3 – Media Disposal [CUI Data] .......................................................................................... 161
MP.L2-3.8.4 – Media Markings .......................................................................................................... 163
MP.L2-3.8.5 – Media Accountability ................................................................................................. 165
MP.L2-3.8.6 – Portable Storage Encryption ...................................................................................... 167
MP.L2-3.8.7 – Removeable Media ..................................................................................................... 169
MP.L2-3.8.8 – Shared Media ............................................................................................................. 171







CMMC Assessment Guide – Level 2 | Version 2.13

vi

MP.L2-3.8.9 – Protect Backups .......................................................................................................... 173

Personnel Security (PS) ......................................................................................................... 175

PS.L2-3.9.1 – Screen Individuals ........................................................................................................ 175
PS.L2-3.9.2 – Personnel Actions ........................................................................................................ 177

Physical Protection (PE) ........................................................................................................ 180

PE.L2-3.10.1 – Limit Physical Access [CUI Data] ................................................................................ 180
PE.L2-3.10.2 – Monitor Facility .......................................................................................................... 182
PE.L2-3.10.3 – Escort Visitors [CUI Data] ........................................................................................... 184
PE.L2-3.10.4 – Physical Access Logs [CUI Data] ................................................................................. 186
PE.L2-3.10.5 – Manage Physical Access [CUI Data] ........................................................................... 188
PE.L2-3.10.6 – Alternative Work Sites ............................................................................................... 190

Risk Assessment (RA)............................................................................................................ 192

RA.L2-3.11.1 – RIsk Assessments ....................................................................................................... 192
RA.L2-3.11.2 – Vulnerability Scan ...................................................................................................... 195
RA.L2-3.11.3 – Vulnerability Remediation ......................................................................................... 198

Security Assessment (CA) ..................................................................................................... 200

CA.L2-3.12.1 – Security Control Assessment ..................................................................................... 200
CA.L2-3.12.2 – operational Plan of Action ......................................................................................... 203
CA.L2-3.12.3 – Security Control Monitoring ...................................................................................... 206
CA.L2-3.12.4 – System Security Plan ................................................................................................. 208

System and Communications Protection (SC) ....................................................................... 211

SC.L2-3.13.1 – Boundary Protection [CUI Data] ................................................................................ 211
SC.L2-3.13.2 – Security Engineering .................................................................................................. 214
SC.L2-3.13.3 – Role Separation .......................................................................................................... 217
SC.L2-3.13.4 – Shared Resource Control ........................................................................................... 219
SC.L2-3.13.5 – Public-Access System Separation [CUI Data] ............................................................. 221
SC.L2-3.13.6 – Network Communication by Exception ..................................................................... 223
SC.L2-3.13.7 – Split Tunneling ........................................................................................................... 225
SC.L2-3.13.8 – Data in Transit ............................................................................................................ 227
SC.L2-3.13.9 – Connections Termination ........................................................................................... 229
SC.L2-3.13.10 – Key Management ..................................................................................................... 231







CMMC Assessment Guide – Level 2 | Version 2.13

vii

SC.L2-3.13.11 – CUI Encryption ......................................................................................................... 234
SC.L2-3.13.12 – Collaborative Device Control ................................................................................... 236
SC.L2-3.13.13 – Mobile Code ............................................................................................................. 238
SC.L2-3.13.14 – Voice over Internet Protocol.................................................................................... 240
SC.L2-3.13.15 – Communications Authenticity ................................................................................. 242
SC.L2-3.13.16 – Data at Rest .............................................................................................................. 244

System and Information Integrity (SI) ................................................................................... 246

SI.L2-3.14.1 – Flaw Remediation [CUI Data] ...................................................................................... 246
SI.L2-3.14.2 – Malicious Code Protection [CUI Data] ........................................................................ 249
SI.L2-3.14.3 – Security Alerts & Advisories ........................................................................................ 252
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data] ........................................................... 254
SI.L2-3.14.5 – System & File Scanning [CUI Data] .............................................................................. 256
SI.L2-3.14.6 – Monitor Communications for Attacks......................................................................... 258
SI.L2-3.14.7 – Identify Unauthorized Use .......................................................................................... 261

Appendix A – Acronyms and Abbreviations .......................................................................... 264









CMMC Assessment Guide – Level 2 | Version 2.13

viii


This page intentionally left blank.








Introduction

CMMC Assessment Guide – Level 2 | Version 2.13

1


Introduction
This document provides guidance in the preparation for and conduct of a Level 2 self-

assessment or Level 2 certification assessment under the Cybersecurity Maturity Model

Certification (CMMC) Program as set forth in section 170.16 of title 32, Code of Federal

Regulations (CFR) and 32 CFR § 170.17 respectively. Certification at each CMMC level occurs

independently. Guidance for conducting a Level 1 self-assessment can be found in CMMC

Assessment Guide – Level 1. Guidance for conducting a Level 3 certification assessment can

be found in CMMC Assessment Guide – Level 3. More details on the model can be found in the

CMMC Model Overview document.
An Assessment as defined in 32 CFR § 170.4 means the testing or evaluation of security

controls to determine the extent to which the controls are implemented correctly, operating as

intended, and producing the desired outcome with respect to meeting the security requirements

for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18.

For Level 2 there are two types of assessments: 

 A self-assessment is the term for the activity performed by an entity to evaluate its own

CMMC Level, as applied to Level 1 and some Level 2. 

 A Level 2 certification assessment is the term for the activity performed by a Certified

Third-Party Assessment Organization (C3PAO)to evaluate the CMMC level of an OSC.

32 CFR § 170.16(b) describes contract or subcontract eligibility for any contract with a Level

2 self-assessment requirement, and 32 CFR § 170.17(b) describes contract or subcontract

eligibility for any contract with a Level 2 certification assessment requirement. Level 2

certification assessment requires the Organization Seeking Assessment (OSA) achieve the

CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO), as described

in 32 § CFR 170.4, obtained through an assessment by an accredited C3PAO.

Level 2 Description

Level 2 incorporates the security requirements specified in National Institute of Standards

and Technology (NIST) Special Publication (SP) 800-171 Revision 2, Protecting Controlled

Unclassified Information in Nonfederal Systems and Organizations.
Level 2 addresses the protection of Controlled Unclassified Information (CUI), as defined in

32 CFR § 2002.4(h):

Information the Government creates or possesses, or that an entity creates or

possesses for or on behalf of the Government, that a law, regulation, or

Government-wide policy requires or permits an agency to handle using

safeguarding or dissemination controls. However, CUI does not include classified

information (see paragraph (e) of this section) or information a non-executive

branch entity possesses and maintains in its own systems that did not come from,

or was not created or possessed by or for, an executive branch agency or an entity

acting for an agency. Law, regulation, or Government-wide policy may require

or permit safeguarding or dissemination controls in three ways: Requiring or






Introduction

CMMC Assessment Guide – Level 2 | Version 2.13

2


permitting agencies to control or protect the information but providing no

specific controls, which makes the information CUI Basic; requiring or

permitting agencies to control or protect the information and providing specific

controls for doing so, which makes the information CUI Specified; or requiring or

permitting agencies to control the information and specifying only some of those

controls, which makes the information CUI Specified, but with CUI Basic controls

where the authority does not specify.

Level 2 certification assessments provides increased assurance to the DoD that an OSA can

adequately protect CUI at a level commensurate with the adversarial risk, including

protecting information flow with subcontractors in a multi-tier supply chain.

Purpose and Audience

This guide is intended for assessors, OSAs, cybersecurity professionals, and individuals and

companies that support CMMC efforts. This document can be used as part of preparation for

and conducting a Level 2 self-assessment or a Level 2 certification assessment. The term

Level 2 assessment encompasses both Level 2 self-assessment and Level 2 certification

assessment.
Document Organization
This document is organized into the following sections: 

 Assessment and Certification:  provides an overview of the Level 2  self-assessment

processes set forth in 32 CFR §170.16 as well as the Level 2 certification assessment

processes set forth in 32 CFR § 170.17. It provides guidance regarding the scope

requirements set forth in 32 CFR § 170.19(c). 

 CMMC-Custom Terms: incorporates definitions from 32 CFR § 170.4 and definitions

included by reference from 32 CFR § 170.2, and provides clarification of the intent and

scope of custom terms as used in the context of CMMC. 

 Assessment Criteria and Methodology:  provides guidance on the criteria and

methodology (i.e., interview, examine, and test) to be employed during a Level 2

assessment, as well as on assessment findings. 

 Requirement  Descriptions:  provides  guidance specific to  each  Level  2  security

requirement.






Assessment and Certification

CMMC Assessment Guide – Level 2 | Version 2.13

3


Assessment and Certification
Certified Assessors as described in 32 CFR § 170.11 will use the assessment methods defined

in NIST SP 800-171A1, Assessing Security Requirements for Controlled Unclassified

Information, along with the supplemental information in this guide, to conduct Level 2

certification assessments. Certified Assessors will review information and evidence to verify

that an OSC meets the stated assessment objectives for all of the requirements.
An OSC can obtain a Level 2 certification assessment for an entire enterprise network or for

a specific enclave(s), depending upon how the CMMC Assessment Scope is defined in

accordance with 32 CFR § 170.19(c).
OSAs conducting self-assessments in accordance with 32 CFR § 170.16 are expected to

evaluate their compliance with CMMC requirements using the same criteria established in

NIST SP 800-171A and this assessment guide and used for third-party assessments.

Assessment Scope

The CMMC Assessment Scope must be specified prior to assessment in accordance with the

requirements of 32 CFR § 170.19. The CMMC Assessment Scope is the set of all assets in the

OSA’s environment that will be assessed against CMMC security requirements.
Because the scoping of a Level 2 certification assessment is not the same as the scoping of a

Level 3 certification assessment, before determining the CMMC Assessment Scope it is

important to first consider whether the goal is a Level 2 or Level 3 CMMC Status. If the intent

is not to achieve a CMMC Status of Final Level 3 (DIBCAC) as defined in 32 CFR § 170.18,

refer to the guidance provided in the CMMC Scoping Guide – Level 2 document which

summarizes 32 CFR § 170.19(c). If the intent is to achieve a CMMC Status of Final Level 3

(DIBCAC), refer to the guidance provided in the CMMC Scoping Guide – Level 3 document

which summarizes 32 CFR § 170.19(d). Both documents are available on the official CMMC

documentation site at https://dodcio.defense.gov/CMMC/Documentation/.


1 

NIST SP 800-171A, June 2018






CMMC-Custom Terms

CMMC Assessment Guide – Level 2 | Version 2.13

4


CMMC-Custom Terms
The CMMC Program has custom terms that align with program requirements. Although some

terms may have other definitions in open forums, it is important to understand these terms

as they apply to the CMMC Program.
The specific terms as associated with Level 2 are: 

 Assessment: As defined in 32 CFR § 170.4 means the testing or evaluation of security

controls to determine the extent to which the controls are implemented correctly,

operating as intended, and producing the desired outcome with respect to meeting the

security requirements for an information system or organization, as defined in 32 CFR §

170.15 to 32 CFR § 170.18.

o Level 2 self-assessment is the term for the activity performed by an OSA to evaluate

its own information system when seeking a CMMC Status of Level 2 (Self).

o Level 2 certification assessment is the term for the activity performed by a C3PAO

to evaluate the information system of an OSC when seeking a CMMC Status of

Level 2 (C3PAO).

o POA&M closeout self-assessment is the term for the activity performed by an OSA

to evaluate only the NOT MET requirements that were identified with POA&M

during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).

o POA&M closeout certification assessment is the term for the activity performed by

a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were

identified with POA&M during the initial assessment, when seeking a CMMC

Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively. 

 Assessment Objective: As defined in 32 CFR § 170.4 means a set of determination

statements that, taken together, expresses the desired outcome for the assessment of a

security requirement. Successful implementation of the corresponding CMMC security

requirement requires meeting all applicable assessment objectives defined in NIST SP

800–171A or NIST SP 800-172A. 

 Asset: An item of value to stakeholders. An asset may be tangible (e.g., a physical item

such as hardware, firmware, computing platform, network device, or other technology

component) or intangible (e.g., humans, data, information, software, capability, function,

service, trademark, copyright, patent, intellectual property, image, or reputation). The

value of an asset is determined by stakeholders in consideration of loss concerns across

the entire system life cycle. Such concerns include but are not limited to business or

mission concerns, as defined in NIST SP 800-160 Rev 1. 

 CMMC Assessment Scope: As defined in 32 CFR § 170.4 means the set of all assets in the

OSA’s environment that will be assessed against CMMC security requirements. 

 CMMC Status: As defined in 32 CFR § 170.4 is the result of meeting or exceeding the

minimum required score for the corresponding assessment. The CMMC Status of an OSA

information system is officially stored in SPRS and additionally issued on a Certificate of

CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.






CMMC-Custom Terms

CMMC Assessment Guide – Level 2 | Version 2.13

5


o Conditional Level 2 (Self) is defined in § 170.16(a)(1)(ii). The OSA has conducted

a Level 2 self-assessment, submitted compliance results in the Supplier

Performance Risk System (SPRS), and created a CMMC POA&M that meets all

CMMC POA&M requirements listed in 32 CFR §170.16(a)(1)(ii).

o Final Level 2 (Self) is defined in § 170.16(a)(1)(iii). The OSA will achieve a CMMC

Status of Final Level 2 (Self) for the information system(s) within the CMMC

Assessment Scope upon implementation of all security requirements and close

out of the POA&M, as applicable.

o Conditional Level 2 (C3PAO) is defined in § 170.17(a)(1)(ii). The OSC will achieve

a CMMC Status of Conditional Level 2 (C3PAO) if a POA&M exists upon completion

of the assessment and the POA&M meets all Level 2 POA&M requirements listed

in 32 CFR § 170.21(a)(2).

o Final Level 2 (C3PAO) is defined in § 170.17(a)(1)(iii). The OSC will achieve a

CMMC Status of Final Level 2 (C3PAO) for the information systems within the

CMMC Assessment Scope upon implementation of all security requirements and

as applicable, a POA&M closeout assessment conducted by the C3PAO within 180

days. Additional guidance can be found in 32 CFR § 170.21. 

 Component:  A discrete identifiable information technology asset  that represents a

building block of a system and may include hardware, software, and firmware2. A

component is one type of asset. 

 Enduring Exception: As defined in 32 CFR § 170.4 means a special circumstance or

system where remediation and full compliance with CMMC security requirements is not

feasible. Examples include systems required to replicate the configuration of ‘fielded’

systems, medical devices, test equipment, OT, and IoT. No operational plan of action is

required but the circumstance must be documented within a system security plan.

Specialized Assets and GFE may be Enduring Exceptions. 

 Event: Any observable occurrence in a system3. As described in NIST SP 800-171A4, the

terms “information system” and “system” can be used interchangeably. Events sometimes

provide indication that an incident is occurring. 

 Incident:  An occurrence that actually or potentially jeopardizes the confidentiality,

integrity, or availability of a system or the information the system processes, stores, or

transmits or that constitutes a violation or imminent threat of violation of security

policies, security procedures, or acceptable use policies.5 

 Information System  (IS):  As  defined  in  32  CFR  §  170.4  means a  discrete set of

information resources organized for the collection, processing, maintenance, use,

sharing, dissemination, or disposition of information. An IS is one type of asset.


2 

NIST SP 800-171 Rev 2, p 59 under system component

3 

NIST SP 800-53 Rev. 5, p. 402

4 

NIST SP 800-171A, p. v

5 

NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)






CMMC-Custom Terms

CMMC Assessment Guide – Level 2 | Version 2.13

6 


 Monitoring:  The act of continually  checking, supervising, critically observing, or

determining the status in order to identify change from the performance level required

or expected at an organization-defined frequency and rate.6 

 Operational plan of action: As used in security requirement CA.L2-3.12.2, means the

formal artifact which identifies temporary vulnerabilities and temporary deficiencies in

implementation of requirements and documents how and when they will be mitigated,

corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet,

database) and specific content of its operational plan of action. An operational plan of

action is not the same as a POA&M associated with an assessment. 

 Organization-defined: As determined by the OSA being assessed except as defined in

the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or

rate at which something occurs within a given time period, or it could be associated with

describing the configuration of an OSA’s solution. 

 Periodically: Occurring at a regular interval as determined by the OSA that may not

exceed one year. As used in many requirements within CMMC, the interval length is

organization-defined to provide OSA flexibility, with an interval length of no more than

one year. 

 Security Protection Data (SPD): As defined in 32 CFR § 170.4 means data stored or

processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed

environment. SPD is security relevant information and includes, but is not limited to:

configuration data required to operate an SPA, log files generated by or ingested by an

SPA, data related to the configuration or vulnerability status of in-scope assets, and

passwords that grant access to the in-scope environment. 

 System Security Plan (SSP): As defined in 32 CFR § 170.4 means the formal document

that provides an overview of the security requirements for an information system or an

information security program and describes the security controls in place or planned for

meeting those requirements. The system security plan describes the system components

that are included within the system, the environment in which the system operates, how

the security requirements are implemented, and the relationships with or connections to

other systems, as defined in NIST SP 800-53 Rev 5. 

 Temporary deficiency: As defined in 32 CFR § 170.4 means a condition where

remediation of a discovered deficiency is feasible and a known fix is available or is in

process. The deficiency must be documented in an operational plan of action. A

temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC

security requirement but arises after implementation. A temporary deficiency may

apply during the initial implementation of a security requirement if, during roll-out,

specific issues with a very limited subset of equipment is discovered that must be

separately addressed. There is no standard duration for which a temporary deficiency

may be active. For example, FIPS-validated cryptography that requires a patch and the

patched version is no longer the validated version may be a temporary deficiency.



6 

NIST SP 800-160 Vol. 1 R1, Engineering Trustworthy Secure Systems, 2022, Appendix B., p. 55






Assessment Criteria and Methodology

CMMC Assessment Guide – Level 2 | Version 2.13

7


Assessment Criteria and Methodology
The CMMC Assessment Guide – Level 2 leverages the assessment procedure described in NIST

SP 800-171A Section 2.17:

An assessment procedure consists of an assessment objective and a set of

potential assessment methods and assessment objects that can be used to

conduct the assessment. Each assessment objective includes a determination

statement related to the requirement that is the subject of the assessment. The

determination statements are linked to the content of the requirement to ensure

traceability of the assessment results to the requirements. The application of an

assessment procedure to a requirement produces assessment findings. These

findings reflect, or are subsequently used, to help determine if the requirement

has been satisfied.
Assessment objects identify the specific items being assessed and can include

specifications, mechanisms, activities, and individuals. 

 Specifications are the document-based artifacts (e.g., policies, procedures,

security plans, security requirements, functional specifications, architectural

designs) associated with a system. 

 Mechanisms are the specific hardware, software, or firmware safeguards

employed within a system. 

 Activities are the protection-related actions supporting a system that involve

people (e.g., conducting system backup operations, exercising a contingency

plan, and monitoring network traffic). 

 Individuals, or groups of individuals, are people applying the specifications,

mechanisms, or activities described above.

The assessment methods define the nature and the extent of the assessor’s

actions. The methods include examine, interview, and test. 

 The  examine  method is the process of reviewing, inspecting, observing,

studying, or analyzing assessment objects (i.e., specifications, mechanisms,

activities). The purpose of the examine method is to facilitate understanding,

achieve clarification, or obtain evidence. 

 The interview method is the process of holding discussions with individuals

or groups of individuals to facilitate understanding, achieve clarification, or

obtain evidence. 

 And finally, the test method is the process of exercising assessment objects

(i.e., activities, mechanisms) under specified conditions to compare actual

with expected behavior.


7 

NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018, pp. 4-

5 .






Assessment Criteria and Methodology

CMMC Assessment Guide – Level 2 | Version 2.13

8


In all three assessment methods, the results are used in making specific

determinations called for in the determination statements and thereby achieving

the objectives for the assessment procedure.

Criteria

Assessment objectives are provided for each requirement and are based on existing criteria

from NIST SP 800-171A. The criteria are authoritative and provide a basis for the assessment

of a requirement.

Methodology

To verify and validate that an OSA is meeting CMMC requirements, evidence needs to exist

demonstrating that the OSA has fulfilled the objectives of the Level 2 requirements. Because

different assessment objectives can be met in different ways (e.g., through documentation,

computer configuration, network configuration, or training), a variety of techniques may be

used to determine if the OSA meets the Level 2 requirements, including any of the three

assessment methods from NIST SP 800-171A.
The assessor will follow the guidance in NIST SP 800-171A when determining which

assessment methods to use:

Organizations [Certified Assessors] are not expected to employ all assessment methods

and objects contained within the assessment procedures identified in this publication.

Rather, organizations [Certified Assessors] have the flexibility to determine the level of

effort needed and the assurance required for an assessment (e.g., which assessment

methods and assessment objects are deemed to be the most useful in obtaining the

desired results). This determination is made based on how the organization

[contractor] can accomplish the assessment objectives in the most cost-effective

manner and with sufficient confidence to support the determination that the CUI

requirements have been satisfied.8

The primary deliverable of an assessment is a compliance score and accompanying report

that contains the findings associated with each requirement. For more detailed information

on assessment methods, see Appendix D of NIST SP 800-171A, incorporated by reference

per 32 CFR § 170.2.


8 

NIST SP 800-171A, p. 5.






Assessment Criteria and Methodology

CMMC Assessment Guide – Level 2 | Version 2.13

9


Who Is Interviewed

Interviews of applicable staff (possibly at different organizational levels) may provide

information to help an assessor determine if security requirements have been implemented,

as well as if adequate resourcing, training, and planning have occurred for individuals to

perform the requirements.

What Is Examined

Examination includes reviewing, inspecting, observing, studying, or analyzing assessment

objects. The objects can be documents, mechanisms, or activities.
For some security requirements, review of documentation may assist assessors in

determining if the assessment objectives have been met. Interviews with staff may help

identify relevant documents. Documents need to be in their final forms; drafts of policies or

documentation are not eligible to be used as evidence because they are not yet official and

still subject to change. Common types of documents that may be used as evidence include: 

 policy, process, and procedure documents; 


 training materials; 


 plans and planning documents; and 


 system, network, and data flow diagrams.

This list of documents is not exhaustive or prescriptive. An OSA may not have these specific

documents, and other documents may be reviewed.
In other cases, the security requirement is best self-assessed by observing that safeguards

are in place by viewing hardware, associated configuration information, or observing staff

following a process.

What Is Tested

Testing is an important part of the self-assessment process. Interviews provide information

about what the OSA staff believe to be true, documentation provides evidence of

implementing policies and procedures, and testing demonstrates what has or has not been

done. For example, OSA staff may talk about how users are identified, documentation may

provide details on how users are identified, but seeing a demonstration of identifying users

provides evidence that the requirement is met. The assessor will determine which

requirements or objectives within a requirement need demonstration or testing. Most

objectives will require testing.

Assessment Findings

The assessment of a CMMC requirement results in one of three possible findings: MET, NOT

MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve a Final Level 2 (Self) or






Assessment Criteria and Methodology

CMMC Assessment Guide – Level 2 | Version 2.13

10


Final Level 2 (C3PAO) CMMC Status, the OSA will need a finding of MET or NOT APPLICABLE

on all Level 2 security requirements. 

 MET:  All applicable assessment  objectives for the security requirement are satisfied

based on evidence. All evidence must be in final form and not draft. Unacceptable forms

of evidence include working papers, drafts, and unofficial or unapproved policies. For

each security requirement marked MET, it is best practice to record statements that

indicate the response conforms to all objectives and document the appropriate evidence

to support the response.

o Enduring Exceptions when described, along with any mitigations, in the system

security plan shall be assessed as MET.

o Temporary deficiencies that are appropriately addressed in operational plans of

action (i.e., include deficiency reviews, milestones, and show progress towards

the implementation of corrections to reduce or eliminate identified

vulnerabilities) shall be assessed as MET. 

 NOT MET: One or more objectives for the security requirement is not satisfied. For each

security requirement marked NOT MET, it is best practice to record statements that

explain why and document the appropriate evidence showing that the OSA does not

conform fully to all of the objectives. During Level 2 certification assessments, for each

requirement objective marked NOT MET, the assessor will document why the evidence

does not conform. 

 NOT APPLICABLE (N/A): A security requirement and/or objective does not apply at the

time of the assessment. For each security requirement marked N/A, it is best practice to

record a statement that explains why the requirement does not apply to the OSA. For

example, Public-Access System Separation (SC.L2-3.13.5) might be N/A if there are no

publicly accessible systems within the CMMC Assessment Scope. During an assessment,

an assessment objective assessed as N/A is equivalent to the same assessment objective

being assessed as MET.
If an OSC previously received a favorable adjudication from the DoD CIO indicating that

a requirement is not applicable or that an alternative security measure is equally

effective, the DoD CIO adjudication must be included in the system security plan to

receive consideration during an assessment. Implemented security measures

adjudicated by the DoD CIO as equally effective are assessed as MET if there have been

no changes in the environment.
Each assessment objective in NIST SP 800-171A must yield a finding of MET or NOT

APPLICABLE in order for the overall security requirement to be scored as MET. Assessors

exercise judgment in determining when sufficient and adequate evidence has been

presented to make an assessment finding.
CMMC assessments are conducted and results are captured at the assessment objective

level. One NOT MET assessment objective results in a failure of the entire security

requirement.






Assessment Criteria and Methodology

CMMC Assessment Guide – Level 2 | Version 2.13

11


A security requirement can be applicable even when assessment objectives included in

the security requirement are scored as N/A. The security requirement is NOT MET when

one or more applicable assessment objectives is NOT MET.
Satisfaction of security requirements may be accomplished by other parts of the

enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security

requirement is considered MET if adequate evidence is provided that the enterprise or

External Service Provider (ESP), implements the requirement objectives. An ESP may be

external people, technology, or facilities that the OSA uses, including cloud service

providers, managed service providers, managed security service providers, or

cybersecurity-as-a-service providers.






Requirement Descriptions

CMMC Assessment Guide – Level 2 | Version 2.13

12


Requirement Descriptions
Introduction
This section provides detailed information and guidance for assessing each Level 2 security

requirement. The section is organized first by domain and then by individual security

requirement. Each requirement description contains the following elements as described in

32 CFR § 170.14(c): 

 Requirement Number, Name, and Statement: Headed by the requirement identification

number in the format, DD.L#-REQ (e.g., AC.L2-3.1.1); followed by the requirement short

name identifier, meant to be used for quick reference only; and finally followed by the

complete CMMC security requirement statement. 

 Assessment Objectives [NIST SP 800-171A]: Identifies the specific set of objectives that

must be met to receive MET for the requirement as defined in NIST SP 800-171A.9 

 Potential Assessment Methods and Objects [NIST SP 800-171A]: Describes the nature

and the extent of the assessment actions as set forth in NIST SP 800-171A. The methods

include examine, interview, and test. Assessment objects identify the items being assessed

and can include specifications, mechanisms, activities, and individuals.10 

 Discussion [NIST SP 800-171 Rev. 2]: Contains discussion from the associated NIST SP

800-171 security requirement. 

 Further Discussion:

o Expands upon the NIST SP 800-171 Rev. 2 discussion content to provide additional

guidance.

o Contains examples illustrating application of the requirements. These examples are

intended to provide insight but are not prescriptive of how the requirement must

be implemented, nor are they comprehensive of all assessment objectives

necessary to achieve the requirement. The assessment objectives met within the

example are referenced by letter in a bracket (e.g., [a, d] for objectives “a” and “d”)

within the text.

o Examples are written from the perspective of an organization or an employee of an

organization implementing solutions or researching approaches to satisfy CMMC

requirements. The objective is to put the reader into the role of implementing or

maintaining alternatives to satisfy security requirements. Examples are not all-

inclusive or prescriptive and do not imply any personal responsibility for

complying with CMMC requirements.

o Provides potential assessment considerations. These may include common

considerations for assessing the requirement and potential questions that may be

asked when assessing the objectives.


9 

NIST SP 800-171A, p. 4.

10 

NIST SP 800-171A, pp. 4-5.






Requirement Descriptions

CMMC Assessment Guide – Level 2 | Version 2.13

13 


 Key References: Lists the basic safeguarding requirement from NIST SP 800-171 Rev. 2.






AC.L2-3.1.1 – Authorized Access Control [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

14


Access Control (AC)
AC.L2-3.1.1 – AUTHORIZED ACCESS CONTROL [CUI DATA]

Limit system access to authorized users, processes acting on behalf of authorized users, and

devices (including other systems).

ASSESSMENT OBJECTIVES [NIST SP 800-171A]11

Determine if:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A] 11

Examine
[SELECT FROM: Access control policy; procedures addressing account management; system

security plan; system design documentation; system configuration settings and associated

documentation; list of active system accounts and the name of the individual associated with

each account; notifications or records of recently transferred, separated, or terminated

employees; list of conditions for group and role membership; list of recently disabled system

accounts along with the name of the individual associated with each account; access

authorization records; account management compliance reviews; system monitoring

records; system audit logs and records; list of devices and systems authorized to connect to

organizational systems; other relevant documents or records].

Interview
[SELECT FROM: Personnel with account management responsibilities; system or network

administrators; personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for managing system accounts; mechanisms for

implementing account management].


11 

NIST SP 800-171A, p. 9.






AC.L2-3.1.1 – Authorized Access Control [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

15


DISCUSSION [NIST SP 800-171 REV. 2]12
Access control policies (e.g., identity- or role-based policies, control matrices, and

cryptography) control access between active entities or subjects (i.e., users or processes

acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and

domains) in systems. Access enforcement mechanisms can be employed at the application

and service level to provide increased information security. Other systems include systems

internal and external to the organization. This requirement focuses on account management

for systems and applications. The definition of and enforcement of access authorizations,

other than those determined by account type (e.g., privileged verses [sic] non-privileged) are

addressed in requirement 3.1.2 (AC.L2-3.1.2).

FURTHER DISCUSSION
Identify users, processes, and devices that are allowed to use company computers and can

log on to the company network. Automated updates and other automatic processes should

be associated with the user who initiated (authorized) the process. Limit the devices (e.g.,

printers) that can be accessed by company computers. Set up your system so that only

authorized users, processes, and devices can access the company network.
This requirement, AC.L2-3.1.1, controls system access based on user, process, or device

identity. AC.L2-3.1.1 leverages IA.L2-3.5.1 which provides a vetted and trusted identity for

access control.

Example 1
Your company maintains a list of all personnel authorized to use company information

systems, including those that store, process, and transmit CUI [a]. This list is used to support

identification and authentication activities conducted by IT when authorizing access to

systems [a,d].

Example 2
A coworker wants to buy a new multi-function printer/scanner/fax device and make it

available on the company network within the CUI enclave. You explain that the company

controls system and device access to the network and will prevent network access by

unauthorized systems and devices [c]. You help the coworker submit a ticket that asks for

the printer to be granted access to the network, and appropriate leadership approves the

device [f].

Potential Assessment Considerations 

 Is a list of authorized users maintained that defines their identities and roles [a]? 


 Are account requests authorized before system access is granted [d,e,f]?


12 

NIST SP 800-171 Rev. 2, p. 10.






AC.L2-3.1.1 – Authorized Access Control [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

16


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.1 


 FAR Clause 52.204-21 b.1.i







AC.L2-3.1.2 – Transaction & Function Control

CMMC Assessment Guide – Level 2 | Version 2.13

17


AC.L2-3.1.2 – TRANSACTION & FUNCTION CONTROL

Limit system access to the types of transactions and functions that authorized users are

permitted to execute.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]13

Determine if:
[a] the types of transactions and functions that authorized users are permitted to execute

are defined; and

[b] system access is limited to the defined types of transactions and functions for

authorized users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]13

Examine
[SELECT FROM: Access control policy; procedures addressing access enforcement; system

security plan; system design documentation; list of approved authorizations including

remote access authorizations; system audit logs and records; system configuration settings

and associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with access enforcement responsibilities; system or network

administrators; personnel with information security responsibilities; system developers].

Test
[SELECT FROM: Mechanisms implementing access control policy].

DISCUSSION [NIST SP 800-171 REV. 2]14

Organizations may choose to define access privileges or other attributes by account, by type

of account, or a combination of both. System account types include individual, shared, group,

system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.

Other attributes required for authorizing access include restrictions on time-of-day, day-of-

week, and point-of-origin. In defining other account attributes, organizations consider

system-related requirements (e.g., system upgrades scheduled maintenance,) and mission

or business requirements, (e.g., time zone differences, customer requirements, remote

access to support travel requirements).


13 

NIST SP 800-171A, p. 9.

14 

NIST SP 800-171 Rev. 2, pp. 10-11.






AC.L2-3.1.2 – Transaction & Function Control

CMMC Assessment Guide – Level 2 | Version 2.13

18


FURTHER DISCUSSION

Limit users to only the information systems, roles, or applications they are permitted to use

and are needed for their roles and responsibilities. Limit access to applications and data

based on the authorized users’ roles and responsibilities. Common types of functions a user

can be assigned are create, read, update, and delete.

Example
Your team manages DoD contracts for your company. Members of your team need to access

the contract information to perform their work properly. Because some of that data contains

CUI, you work with IT to set up your group’s systems so that users can be assigned access

based on their specific roles [a]. Each role limits whether an employee has read-access or

create/read/delete/update -access [b]. Implementing this access control restricts access to

CUI information unless specifically authorized.

Potential Assessment Considerations 

 Are access control lists used to limit access to applications and data based on role and/or

identity [a]? 

 Is access for authorized users restricted to those parts of the system they are explicitly

permitted to use (e.g., a person who only performs word-processing cannot access

developer tools) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.2 


 FAR Clause 52.204-21 b.1.ii







AC.L2-3.1.3 – Control CUI Flow

CMMC Assessment Guide – Level 2 | Version 2.13

19


AC.L2-3.1.3 – CONTROL CUI FLOW

Control the flow of CUI in accordance with approved authorizations.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]15

Determine if:
[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI

within the system and between interconnected systems are identified;

[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]15

Examine
[SELECT FROM: Access control policy; information flow control policies; procedures

addressing information flow enforcement; system security plan; system design

documentation; system configuration settings and associated documentation; list of

information flow authorizations; system baseline configuration; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers].

Test
[SELECT FROM: Mechanisms implementing information flow enforcement policy].

DISCUSSION [NIST SP 800-171 REV. 2]16

Information flow control regulates where information can travel within a system and

between systems (versus who can access the information) and without explicit regard to

subsequent accesses to that information. Flow control restrictions include the following:

keeping export-controlled information from being transmitted in the clear to the internet;

blocking outside traffic that claims to be from within the organization; restricting requests

to the internet that are not from the internal web proxy server; and limiting information

transfers between organizations based on data structures and content.


15 

NIST SP 800-171A, p. 10.

16 

NIST SP 800-171 Rev. 2, p. 11.






AC.L2-3.1.3 – Control CUI Flow

CMMC Assessment Guide – Level 2 | Version 2.13

20


Organizations commonly use information flow control policies and enforcement

mechanisms to control the flow of information between designated sources and destinations

(e.g., networks, individuals, and devices) within systems and between interconnected

systems. Flow control is based on characteristics of the information or the information path.

Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards,

encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that

restrict system services, provide a packet-filtering capability based on header information,

or message-filtering capability based on message content (e.g., implementing key word

searches or using document characteristics). Organizations also consider the

trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and

software components) that are critical to information flow enforcement.
Transferring information between systems representing different security domains with

different security policies introduces risk that such transfers violate one or more domain

security policies.
Organizations consider the shared nature of commercial telecommunications services in the

implementation of security requirements associated with the use of such services.

Commercial telecommunications services are commonly based on network components and

consolidated management systems shared by all attached commercial customers and may

also include third party-provided access lines and other service elements. Such transmission

services may represent sources of increased risk despite contract security provisions. NIST

SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides

guidance on security for virtualization technologies.
In such situations, information owners or stewards provide guidance at designated policy

enforcement points between interconnected systems. Organizations consider mandating

specific architectural solutions when required to enforce specific security policies.

Enforcement includes: prohibiting information transfers between interconnected systems

(i.e., allowing access only); employing hardware mechanisms to enforce one-way

information flows; and implementing trustworthy regrading mechanisms to reassign

security attributes and security labels.

FURTHER DISCUSSION

Typically, companies will have a firewall between the internal network and the internet.

Often multiple firewalls or routing switches are used inside a network to create zones to

separate sensitive data, business units, or user groups. Proxy servers can be used to break

the connection between multiple networks. All traffic entering or leaving a network is

intercepted by the proxy, preventing direct access between networks. Companies should

also ensure by policy and enforcement mechanisms that all CUI allowed to flow across the

internet is encrypted.

Example 1
You configure a proxy device on your company’s network. CUI is stored within this

environment. Your goal is to better mask and protect the devices inside the network while

enforcing information flow policies. After the device is configured, information does not flow






AC.L2-3.1.3 – Control CUI Flow

CMMC Assessment Guide – Level 2 | Version 2.13

21


directly from the internal network to the internet. The proxy device intercepts the traffic and

analyzes it to determine if the traffic conforms to organization information flow control

policies. If it does, the device allows the information to pass to its destination [b]. The proxy

blocks traffic that does not meet policy requirements [e].

Example 2
As a subcontractor on a DoD contract, your organization sometimes needs to transmit CUI to

the prime contractor. You create a policy document that specifies who is allowed to transmit

CUI and that such transmission requires manager approval [a,c,d]. The policy instructs users

to encrypt any CUI transmitted via email or to use a designated secure file sharing utility

[b,d]. The policy states that users who do not follow appropriate procedures may be subject

to disciplinary action [e].

Potential Assessment Considerations 

 Are designated sources of regulated data identified within the system (e.g., internal

network and IP address) and between interconnected systems (e.g., external networks,

IP addresses, ports, and protocols) [c]? 

 Are designated destinations of regulated data identified within the system (e.g., internal

network and IP address) and between interconnected systems (external networks and

IP addresses) [c]? 

 Are authorizations defined for each source and destination within the system and

between interconnected systems (e.g., allow or deny rules for each combination of source

and destination) [d]? 

 Are approved authorizations for controlling the flow of regulated data enforced within

the system and between interconnected systems (e.g., traffic between authorized sources

and destinations is allowed and traffic between unauthorized sources and destinations

is denied) [e]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.3







AC.L2-3.1.4 – Separation of Duties

CMMC Assessment Guide – Level 2 | Version 2.13

22


AC.L2-3.1.4 – SEPARATION OF DUTIES

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]17

Determine if:
[a] the duties of individuals requiring separation are defined;
[b] responsibilities for duties that require separation are assigned to separate individuals;

and

[c] access privileges that enable individuals to exercise the duties that require separation

are granted to separate individuals.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]17

Examine
[SELECT FROM: Access control policy; procedures addressing divisions of responsibility and

separation of duties; system security plan; system configuration settings and associated

documentation; list of divisions of responsibility and separation of duties; system access

authorizations; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for defining divisions of responsibility and

separation of duties; personnel with information security responsibilities; system or

network administrators].

Test
[SELECT FROM: Mechanisms implementing separation of duties policy].

DISCUSSION [NIST SP 800-171 REV. 2]18

Separation of duties addresses the potential for abuse of authorized privileges and helps to

reduce the risk of malevolent activity without collusion. Separation of duties includes

dividing mission functions and system support functions among different individuals or

roles; conducting system support functions with different individuals (e.g., configuration

management, quality assurance and testing, system management, programming, and

network security); and ensuring that security personnel administering access control

functions do not also administer audit functions. Because separation of duty violations can

span systems and application domains, organizations consider the entirety of organizational

systems and system components when developing policy on separation of duties.


17 

NIST SP 800-171A, p. 10.

18 

NIST SP 800-171 Rev. 2, p. 11.






AC.L2-3.1.4 – Separation of Duties

CMMC Assessment Guide – Level 2 | Version 2.13

23


FURTHER DISCUSSION

No one person should be in charge of an entire critical task from beginning to end.

Documenting and dividing elements of important duties and tasks between employees

reduces intentional or unintentional execution of malicious activities.

Example 1
You are responsible for the management of several key systems within your organization

including some that process CUI. You assign the task of reviewing the system logs to two

different people. This way, no one person is solely responsible for the execution of this

critical security function [c].
Example 2
You are a system administrator. Human Resources notifies you of a new hire, and you create

an account with general privileges, but you are not allowed to grant access to systems that

contain CUI [a,b]. The program manager contacts the team in your organization that has

system administration authority over the CUI systems and informs them which CUI the new

hire will need to access. Subsequently, a second system administrator grants access

privileges to the new hire [c].

Potential Assessment Considerations 

 Does system documentation identify the system functions or processes that require

separation of duties (e.g., function combinations that represent a conflict of interest or

an over-allocation of security privilege for one individual) [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.4








AC.L2-3.1.5 – Least Privilege

CMMC Assessment Guide – Level 2 | Version 2.13

24


AC.L2-3.1.5 – LEAST PRIVILEGE

Employ the principle of least privilege, including for specific security functions and

privileged accounts.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]19

Determine if:
[a] privileged accounts are identified;
[b] access to privileged accounts is authorized in accordance with the principle of least

privilege;

[c] security functions are identified; and
[d] access to security functions is authorized in accordance with the principle of least

privilege.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]19

Examine
[SELECT FROM: Access control policy; procedures addressing account management; system

security plan; system design documentation; system configuration settings and associated

documentation; list of active system accounts and the name of the individual associated with

each account; list of conditions for group and role membership; notifications or records of

recently transferred, separated, or terminated employees; list of recently disabled system

accounts along with the name of the individual associated with each account; access

authorization records; account management compliance reviews; system monitoring/audit

records; procedures addressing least privilege; list of security functions (deployed in

hardware, software, and firmware) and security-relevant information for which access is to

be explicitly authorized; list of system-generated privileged accounts; list of system

administration personnel; other relevant documents or records].

Interview
[SELECT FROM: Personnel with account management responsibilities; system or network

administrators; personnel with information security responsibilities; personnel with

responsibilities for defining least privileges necessary to accomplish specified tasks].

Test
[SELECT FROM: Organizational processes for managing system accounts; mechanisms for

implementing account management; mechanisms implementing least privilege functions;

mechanisms prohibiting privileged access to the system].


19 

NIST SP 800-171A, p. 11.






AC.L2-3.1.5 – Least Privilege

CMMC Assessment Guide – Level 2 | Version 2.13

25


DISCUSSION [NIST SP 800-171 REV. 2]20
Organizations employ the principle of least privilege for specific duties and authorized

accesses for users and processes. The principle of least privilege is applied with the goal of

authorized privileges no higher than necessary to accomplish required organizational

missions or business functions. Organizations consider the creation of additional processes,

roles, and system accounts as necessary, to achieve least privilege. Organizations also apply

least privilege to the development, implementation, and operation of organizational systems.

Security functions include establishing system accounts, setting events to be logged, setting

intrusion detection parameters, and configuring access authorizations (i.e., permissions,

privileges).
Privileged accounts, including super user accounts, are typically described as system

administrator for various types of commercial off-the-shelf operating systems. Restricting

privileged accounts to specific personnel or roles prevents day-to-day users from having

access to privileged information or functions. Organizations may differentiate in the

application of this requirement between allowed privileges for local accounts and for domain

accounts provided organizations retain the ability to control system configurations for key

security parameters and as otherwise necessary to sufficiently mitigate risk.
FURTHER DISCUSSION
The principle of least privilege applies to all users and processes on all systems, but it is

critical to systems containing or accessing CUI. Least privilege: 

 restricts user access to only the machines and information needed to fulfill job

responsibilities; and 

 limits what system configuration settings users can change, only allowing individuals

with a business need to change them.

Example
You create accounts for an organization that processes CUI. By default, everyone is assigned

a basic user role, which prevents a user from modifying system configurations. Privileged

access is only assigned to users and processes that require it to carry out job functions, such

as IT staff, and is very selectively granted [b,d].

Potential Assessment Considerations 

 Are privileged accounts documented and is when they may be used defined [a]? 


 Are users assigned privileged accounts to perform their job functions only when it is

necessary [b]? 

 Are necessary security functions identified (e.g., access control configuration, system

configuration settings, or privileged account lists) that must be managed through the use

of privileged accounts [c]?


20 

NIST SP 800-171 Rev. 2, p. 12.






AC.L2-3.1.5 – Least Privilege

CMMC Assessment Guide – Level 2 | Version 2.13

26 


 Is access to privileged functions and security information restricted to authorized

employees [d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.5







AC.L2-3.1.6 – Non-Privileged Account Use

CMMC Assessment Guide – Level 2 | Version 2.13

27


AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE

Use non-privileged accounts or roles when accessing nonsecurity functions.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]21

Determine if:
[a] nonsecurity functions are identified; and
[b] users are required to use non-privileged accounts or roles when accessing nonsecurity

functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]21

Examine
[SELECT FROM: Access control policy; procedures addressing least privilege; system

security plan; list of system-generated security functions assigned to system accounts or

roles; system configuration settings and associated documentation; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for defining least privileges necessary to

accomplish specified organizational tasks; personnel with information security

responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms implementing least privilege functions].

DISCUSSION [NIST SP 800-171 REV. 2]22

This requirement limits exposure when operating from within privileged accounts or roles.

The inclusion of roles addresses situations where organizations implement access control

policies such as role-based access control and where a change of role provides the same

degree of assurance in the change of access authorizations for the user and all processes

acting on behalf of the user as would be provided by a change between a privileged and non-

privileged account.

FURTHER DISCUSSION

A user with a privileged account can perform more tasks and access more information than

a person with a non-privileged account. Tasks (including unauthorized tasks orchestrated

by attackers) performed when using the privileged account can have a greater impact on the


21 

NIST SP 800-171A, p. 11.

22 

NIST SP 800-171 Rev. 2, p. 12.






AC.L2-3.1.6 – Non-Privileged Account Use

CMMC Assessment Guide – Level 2 | Version 2.13

28


system. System administrators and users with privileged accounts must be trained not to use

their privileged accounts for everyday tasks, such as browsing the internet or connecting

unnecessarily to other systems or services.

Example
You are logged in using your privileged account and you need to look up how to reset a non-

functioning application which processes CUI. You should log on to another computer with

your non-privileged account before you connect to the web and start searching for the reset

information [b]. That way, if your account is compromised during the search, it will be your

regular user account rather than an account with elevated privileges.

Potential Assessment Considerations 

 Are nonsecurity functions and non-privileged roles defined [a,b]? 


 Is it required that nonsecurity functions only be accessed with the use of non-privileged

accounts? How is this verified [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.6








AC.L2-3.1.7 – Privileged Functions

CMMC Assessment Guide – Level 2 | Version 2.13

29


AC.L2-3.1.7 – PRIVILEGED FUNCTIONS

Prevent non-privileged users from executing privileged functions and capture the execution

of such functions in audit logs.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]23

Determine if:
[a] privileged functions are defined;
[b] non-privileged users are defined;
[c] non-privileged users are prevented from executing privileged functions; and
[d] the execution of privileged functions is captured in audit logs.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]23

Examine
[SELECT FROM: Privacy and security policies, procedures addressing system use

notification; documented approval of system use notification messages or banners; system

audit logs and records; system design documentation; user acknowledgements of

notification message or banner; system security plan; system use notification messages;

system configuration settings and associated documentation; other relevant documents or

records].

Interview
[SELECT FROM: Personnel with responsibilities for defining least privileges necessary to

accomplish specified tasks; personnel with information security responsibilities; system

developers].

Test
[SELECT FROM: Mechanisms implementing least privilege functions for non-privileged

users; mechanisms auditing the execution of privileged functions].

DISCUSSION [NIST SP 800-171 REV. 2]24

Privileged functions include establishing system accounts, performing system integrity

checks, conducting patching operations, or administering cryptographic key management

activities. Non-privileged users are individuals that do not possess appropriate

authorizations. Circumventing intrusion detection and prevention mechanisms or malicious

code protection mechanisms are examples of privileged functions that require protection


23 

NIST SP 800-171A, p. 12.

24 

NIST SP 800-171 Rev. 2, p. 12.






AC.L2-3.1.7 – Privileged Functions

CMMC Assessment Guide – Level 2 | Version 2.13

30


from non-privileged users. Note that this requirement represents a condition to be achieved

by the definition of authorized privileges in 3.1.2 (AC.L2-3.1.2).
Misuse of privileged functions, either intentionally or unintentionally by authorized users,

or by unauthorized external entities that have compromised system accounts, is a serious

and ongoing concern and can have significant adverse impacts on organizations. Logging the

use of privileged functions is one way to detect such misuse, and in doing so, help mitigate

the risk from insider threats and the advanced persistent threat.

FURTHER DISCUSSION

Non-privileged users should receive only those permissions required to perform their basic

job functions. Privileged users are granted additional permissions because their jobs require

them. Privileged functions typically involve the control, monitoring, or administration of the

system and its security measures. When these special privileged functions are performed,

the activity must be captured in an audit log, which can be used to identify abuse. Non-

privileged employees must not be granted permission to perform any of the functions of a

privileged user.
This requirement, AC.L2-3.1.7, manages non-privileged users by logging any attempts to

execute privileged functions. AC.L2-3.1.7 leverages AU.L2-3.3.2, which ensures logging and

traceability of user actions. AC.L2-3.1.7 also extends AC.L2-3.1.2, which defines a

requirement to limit types of transactions and functions to those that authorized users are

permitted to execute.

Example
Your organization handles CUI and has put security controls in place that prevent non-

privileged users from performing privileged activities [a,b,c]. However, a standard user was

accidentally given elevated system administrator privileges. The organization has

implemented an endpoint detection and response solution that provides visibility into the

use of privileged activities. The monitoring system logs a security misconfiguration because

the use of administrative privileges was performed by a user who was not known to have

that ability. This allows you to correct the error [d].

Potential Assessment Considerations 

 Is it possible to identify who enabled privileges at any particular time [d]? 


 Are the privileged system functions documented (e.g., functions that involve the control,

monitoring or administration of the system, including security functions and log

management) [a]? 

 Do documented procedures describe the configuration of the system to ensure system

roles do not grant non-privileged users the ability to execute privileged functions [c]? 

 Do procedures describe the configuration of system settings to capture the execution of

all privileged functions in audit logs [d]?






AC.L2-3.1.7 – Privileged Functions

CMMC Assessment Guide – Level 2 | Version 2.13

31


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.7







AC.L2-3.1.8 – Unsuccessful Logon Attempts

CMMC Assessment Guide – Level 2 | Version 2.13

32


AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS

Limit unsuccessful logon attempts.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]25

Determine if:
[a] the means of limiting unsuccessful logon attempts is defined; and
[b] the defined means of limiting unsuccessful logon attempts is implemented.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]25

Examine
[SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts;

system security plan; system design documentation; system configuration settings and

associated documentation; system audit logs and records; other relevant documents or

records].

Interview
[SELECT FROM: Personnel with information security responsibilities; system developers;

system or network administrators].

Test
[SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon

attempts].

DISCUSSION [NIST SP 800-171 REV. 2]26

This requirement applies regardless of whether the logon occurs via a local or network

connection. Due to the potential for denial of service, automatic lockouts initiated by systems

are, in most cases, temporary and automatically release after a predetermined period

established by the organization (i.e., a delay algorithm). If a delay algorithm is selected,

organizations may employ different algorithms for different system components based on

the capabilities of the respective components. Responses to unsuccessful logon attempts

may be implemented at the operating system and application levels.

FURTHER DISCUSSION

Consecutive unsuccessful logon attempts may indicate malicious activity. OSAs can mitigate

these attacks by limiting the number of unsuccessful logon attempts, typically by locking the

account. A defined number of consecutive unsuccessful logon attempts is a common


25 

NIST SP 800-171A, p. 12.

26 

NIST SP 800-171 Rev. 2, pp. 12-13.






AC.L2-3.1.8 – Unsuccessful Logon Attempts

CMMC Assessment Guide – Level 2 | Version 2.13

33


configuration setting. OSAs are expected to set this number at a level that fits their risk

profile with the knowledge that fewer unsuccessful attempts provide higher security.
After an unsuccessful login attempt threshold is exceeded and the system locks an account,

the account may either remain locked until an administrator takes action to unlock it, or it

may be locked for a predefined time after which it unlocks automatically.

Example
You attempt to log on to your work computer, which stores CUI. You mistype your password

three times in a row, and an error message is generated telling you the account is locked [b].

You call your IT help desk or system administrator to request assistance. The system

administrator explains that the account is locked as a result of three unsuccessful logon

attempts [a]. The administrator offers to unlock the account and notes that you can wait 30

minutes for the account to unlock automatically.

Potential Assessment Considerations 

 Is there a defined threshold for the number of unsuccessful logon attempts for which the

system takes action to prevent additional attempts [a]? 

 Is a mechanism for limiting the number of unsuccessful logon attempts implemented and

does it use the defined threshold [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.8








AC.L2-3.1.9 – Privacy & Security Notices

CMMC Assessment Guide – Level 2 | Version 2.13

34


AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES

Provide privacy and security notices consistent with applicable CUI rules.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]27

Determine if:
[a] privacy and security notices required by CUI-specified rules are identified, consistent,

and associated with the specific CUI category; and

[b] privacy and security notices are displayed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]27

Examine
[SELECT FROM: Privacy and security policies, procedures addressing system use

notification; documented approval of system use notification messages or banners; system

audit logs and records; system design documentation; user acknowledgements of

notification message or banner; system security plan; system use notification messages;

system configuration settings and associated documentation; other relevant documents or

records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel with responsibility for providing legal advice; system

developers].

Test
[SELECT FROM: Mechanisms implementing system use notification].

DISCUSSION [NIST SP 800-171 REV. 2]28

System use notifications can be implemented using messages or warning banners displayed

before individuals log in to organizational systems. System use notifications are used only

for access via logon interfaces with human users and are not required when such human

interfaces do not exist. Based on a risk assessment, organizations consider whether a

secondary system use notification is needed to access applications or other system resources

after the initial network logon. Where necessary, posters or other printed materials may be

used in lieu of an automated system banner. Organizations consult with the Office of General

Counsel for legal review and approval of warning banner content.


27 

NIST SP 800-171A, pp. 12-13.

28 

NIST SP 800-171 Rev. 2, p. 13.






AC.L2-3.1.9 – Privacy & Security Notices

CMMC Assessment Guide – Level 2 | Version 2.13

35


FURTHER DISCUSSION

Every system containing or providing access to CUI has legal requirements concerning user

privacy and security notices. One method of addressing this requirement is the use of a

system-use notification banner that displays the legal requirements of using the system.

Users may be required to click to agree to the displayed requirements of using the system

each time they log on to the machine. This agreement can be used in the civil and/or criminal

prosecution of an attacker that violates the terms.
The legal notification should meet all applicable requirements. At a minimum, the notice

should inform the user that: 

 information system usage may be monitored or recorded, and is subject to audit; 


 unauthorized use of the information systems is prohibited; 


 unauthorized use is subject to criminal and civil penalties;  


 use of the information system affirms consent to monitoring and recording; 


 the information system contains CUI with specific requirements imposed  by the

Department of Defense; and 

 use of the information system may be subject to other specified requirements associated

with certain types of CUI such as Export Controlled information.

Example
You are setting up IT equipment including a database server that will contain CUI. You have

worked with legal counsel to draft a notification. It contains both general and specific CUI

security and privacy requirements [a]. The system displays the required security and privacy

information before anyone logs on to your organization’s computers that contain or provide

access to CUI [b].

Potential Assessment Considerations 

 Are objectives identified for privacy and security notices, and does the implementation

satisfy the required objectives [a,b]? Discrepancies may indicate a deficient process

and/or an incomplete objective for the overall requirement. 

 Are there any special requirements associated with the specific CUI category [a]? 


 Are appropriate notices displayed in areas where paper-based CUI is stored and

processed [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.9








AC.L2-3.1.10 – Session Lock

CMMC Assessment Guide – Level 2 | Version 2.13

36


AC.L2-3.1.10 – SESSION LOCK

Use session lock with pattern-hiding displays to prevent access and viewing of data after a

period of inactivity.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]29

Determine if:
[a] the period of inactivity after which the system initiates a session lock is defined;
[b] access to the system and viewing of data is prevented by initiating a session lock after

the defined period of inactivity; and

[c] previously visible information is concealed via a pattern-hiding display after the

defined period of inactivity.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]29

Examine
[SELECT FROM: Access control policy; procedures addressing session lock; procedures

addressing identification and authentication; system design documentation; system

configuration settings and associated documentation; system security plan; other relevant

documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers].

Test
[SELECT FROM: Mechanisms implementing access control policy for session lock].

DISCUSSION [NIST SP 800-171 REV. 2]30

Session locks are temporary actions taken when users stop work and move away from the

immediate vicinity of the system but do not want to log out because of the temporary nature

of their absences. Session locks are implemented where session activities can be determined,

typically at the operating system level (but can also be at the application level). Session locks

are not an acceptable substitute for logging out of the system, for example, if organizations

require users to log out at the end of the workday.
Pattern-hiding displays can include static or dynamic images, for example, patterns used

with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank


29 

NIST SP 800-171A, p. 13.

30 

NIST SP 800-171 Rev. 2, p. 13.






AC.L2-3.1.10 – Session Lock

CMMC Assessment Guide – Level 2 | Version 2.13

37


screen, with the additional caveat that none of the images convey controlled unclassified

information.

FURTHER DISCUSSION

Session locks can be initiated by the user or, more fundamentally, enabled automatically

when the system has been idle for a period of time, for example, five minutes. Session locks

are a quick way to prevent unauthorized use of the systems without having a user log off.

Minimum configuration requirements are left up to the organization to define.
A locked session shows pattern-hiding information on the screen to mask the data on the

display.

Example
You manage systems for an organization that stores, processes, and transmits CUI. You

notice that employees leave their offices without locking their computers. Sometimes their

screens display sensitive company information. You configure all machines to lock after five

minutes of inactivity [a,b]. You also remind your coworkers to lock their systems when they

walk away [a].

Potential Assessment Considerations 

 Does the session lock hide previously visible information (e.g., replacing what was visible

with a lock screen or screensaver that does not include sensitive information) [c]? 

 If session locks are not managed centrally, how are all computer users made aware of the

requirements and how to configure them [a,b,c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.10








AC.L2-3.1.11 – Session Termination

CMMC Assessment Guide – Level 2 | Version 2.13

38


AC.L2-3.1.11 – SESSION TERMINATION

Terminate (automatically) a user session after a defined condition.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]31

Determine if:
[a] conditions requiring a user session to terminate are defined; and
[b] a user session is automatically terminated after any of the defined conditions occur.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]31

Examine
[SELECT FROM: Access control policy; procedures addressing session termination; system

design documentation; system security plan; system configuration settings and associated

documentation; list of conditions or trigger events requiring session disconnect; system

audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers].

Test
[SELECT FROM: Mechanisms implementing user session termination].

DISCUSSION [NIST SP 800-171 REV. 2]32

This requirement addresses the termination of user-initiated logical sessions in contrast to

the termination of network connections that are associated with communications sessions

(i.e., disconnecting from the network). A logical session (for local, network, and remote

access) is initiated whenever a user (or process acting on behalf of a user) accesses an

organizational system. Such user sessions can be terminated (and thus terminate user

access) without terminating network sessions. Session termination terminates all processes

associated with a user’s logical session except those processes that are specifically created

by the user (i.e., session owner) to continue after the session is terminated. Conditions or

trigger events requiring automatic session termination can include organization-defined

periods of user inactivity, targeted responses to certain types of incidents, and time-of-day

restrictions on system use.


31 

NIST SP 800-171A, pp. 13-14.

32 

NIST SP 800-171 Rev. 2, p. 13.






AC.L2-3.1.11 – Session Termination

CMMC Assessment Guide – Level 2 | Version 2.13

39


FURTHER DISCUSSION

Configure the system to terminate user sessions based on the organization’s policy. Session

termination policies can be simple or sophisticated. Examples are inactivity (end the session

after a specified duration (e.g., one hour33) of inactivity), day/time (all sessions are

terminated at the end of the established workday), misbehavior (end the session due to an

attempted policy violation), and maintenance (terminate sessions to prevent issues with an

upgrade or service outage). If there is no automatic control of user sessions, an attacker can

take advantage of an unattended session.

Example 1
You manage systems containing CUI for your organization and configure the system to

terminate all user sessions after 1 hour of inactivity [a]. As the session timeout approaches,

the system prompts users with a warning banner asking if they want to continue the session.

When the session timeout does occur, the login page pops up, and the users must log in to

start a new session [b].

Example 2
A user is logged into a corporate database containing CUI but is not authorized to view CUI.

The user has submitted a series of queries that unintentionally violate policy, as they attempt

to extract CUI that the user is not authorized to view [a]. The session terminates with a

warning as a result of a violation of corporate policy [b]. The user must reestablish the

session before being able to submit additional legitimate queries.

Potential Assessment Considerations 

 Are the conditions in which a user session must be terminated described (e.g., after a

period of inactivity or after a defined time limit) [a]? 

 Are procedures documented that describe how to configure the system to enable

automatic termination of user sessions after any of the defined conditions occur [b]? 

 Are user sessions terminated based on organization-defined conditions [a,b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.11




33 

Review DoD Cybersecurity FAQ Q53.2 for information on minimum values.






AC.L2-3.1.12 – Control Remote Access

CMMC Assessment Guide – Level 2 | Version 2.13

40


AC.L2-3.1.12 – CONTROL REMOTE ACCESS

Monitor and control remote access sessions.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]34

Determine if:
[a] remote access sessions are permitted;
[b] the types of permitted remote access are identified;
[c] remote access sessions are controlled; and
[d] remote access sessions are monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]34

Examine
[SELECT FROM: Access control policy; procedures addressing remote access

implementation and usage (including restrictions); configuration management plan; system

security plan; system design documentation; system configuration settings and associated

documentation; remote access authorizations; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for managing remote access connections;

system or network administrators; personnel with information security responsibilities].

Test
[SELECT FROM: Remote access management capability for the system].

DISCUSSION [NIST SP 800-171 REV. 2]35

Remote access is access to organizational systems by users (or processes acting on behalf of

users) communicating through external networks (e.g., the internet). Remote access

methods include dial-up, broadband, and wireless. Organizations often employ encrypted

virtual private networks (VPNs) to enhance confidentiality over remote connections. The use

of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when

adequately provisioned with appropriate control (e.g., employing encryption techniques for

confidentiality protection), may provide sufficient assurance to the organization that it can

effectively treat such connections as internal networks. VPNs with encrypted tunnels can

affect the capability to adequately monitor network communications traffic for malicious

code.


34 

NIST SP 800-171A, p. 14.

35 

NIST SP 800-171 Rev. 2, pp. 13-14.






AC.L2-3.1.12 – Control Remote Access

CMMC Assessment Guide – Level 2 | Version 2.13

41


Automated monitoring and control of remote access sessions allows organizations to detect

cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing

connection activities of remote users on a variety of system components (e.g., servers,

workstations, notebook computers, smart phones, and tablets).
NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and

virtual private networks.

FURTHER DISCUSSION

Remote access connections pass through untrusted networks and therefore require proper

security controls such as encryption to ensure data confidentiality. Initialization of all remote

sessions should ensure that only authorized users and devices are connecting. After the

remote session is established, the connection is monitored to track who is accessing the

network remotely and what files are being accessed during the session.
Remote access sessions can encompass more than just remote connections back to a

headquarters network. Access to cloud-based email providers or server infrastructures also

are relevant to this requirement if those environments contain CUI.
This requirement, AC.L2-3.1.12, requires the control of remote access sessions and

complements five other requirements dealing with remote access (AC.L2-3.1.14, AC.L2-

3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): 

 AC.L2-3.1.14 limits remote access to specific access control points. 


 AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote

sessions. 

 AC.L2-3.1.15 requires authorization for privileged commands executed during a remote

session. 

 IA.L2-3.5.3  requires multifactor authentication for network access to non-privileged

accounts. 

 Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote

maintenance sessions.

Example
You often need to work from remote locations, such as your home or client sites, and you are

permitted to access your organization’s internal networks (including a network containing

CUI) from those remote locations [a]. A system administrator issues you a company laptop

with VPN software installed, which is required to connect to the networks remotely [b]. After

the laptop connects to the VPN server, you must accept a privacy notice that states that the

company’s security department may monitor the connection. This monitoring is achieved

through the analysis of data from sensors on the network notifying IT if issues arise. The

security department may also review audit logs to see who is connecting remotely, when,

and what information they are accessing [d]. During session establishment, the message

“Verifying Compliance” means software like a Device Health Check (DHC) application is

checking the remote device to ensure it meets the established requirements to connect [c].






AC.L2-3.1.12 – Control Remote Access

CMMC Assessment Guide – Level 2 | Version 2.13

42


Potential Assessment Considerations 

 Do policies identify when remote access is permitted and what methods must be used

[a,b]? 

 Are systems configured to permit only approved remote access sessions (e.g., disallow

remote access sessions by default) [c]? 

 Are automated or manual mechanisms employed for monitoring remote connections? If

the monitoring is manual, does it occur at a frequency commensurate with the level of

risk [d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.12








AC.L2-3.1.13 – Remote Access Confidentiality

CMMC Assessment Guide – Level 2 | Version 2.13

43


AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]36

Determine if:
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are

identified; and

[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are

implemented.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]36

Examine
[SELECT FROM: Access control policy; procedures addressing remote access to the system;

system security plan; system design documentation; system configuration settings and

associated documentation; cryptographic mechanisms and associated configuration

documentation; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers].

Test
[SELECT FROM: Cryptographic mechanisms protecting remote access sessions].

DISCUSSION [NIST SP 800-171 REV. 2]37

Cryptographic standards include FIPS-validated cryptography and NSA-approved

cryptography.

FURTHER DISCUSSION

A remote access session involves logging into the organization’s systems such as its internal

network or a cloud service provider from a remote location such as home or an alternate

work site. Because the use of cryptography in this requirement is to protect the

confidentiality of CUI, the cryptography used must meet the criteria specified in requirement

SC.L2-3.13.11. Although not explicitly required to meet AC.L2-3.1.13 requirements, this

remote access session must be secured using FIPS-validated cryptography to provide

confidentiality and prevent anyone from deciphering session information exchanges.


36 

NIST SP 800-171A, p. 14.

37 

NIST SP 800-171 Rev. 2, p. 14.






AC.L2-3.1.13 – Remote Access Confidentiality

CMMC Assessment Guide – Level 2 | Version 2.13

44


This requirement, AC.L2-3.1.13, requires the use of cryptographic mechanisms when

enabling remote sessions and complements five other requirements dealing with remote

access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): 

 AC.L2-3.1.12 requires the control of remote access sessions. 


 AC.L2-3.1.14 limits remote access to specific access control points. 


 AC.L2-3.1.15 requires authorization for privileged commands executed during a remote

session. 

 IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged

accounts. 

 Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote

maintenance sessions.

Example
You are responsible for implementing a remote network access capability for users who

access CUI remotely. In order to provide session confidentiality, you decide to implement a

VPN mechanism and select a product that has completed FIPS 140 validation [a,b].

Potential Assessment Considerations 

 Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer

Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption

algorithms) defined and implemented [a,b]? Note that simply using an approved

algorithm is not sufficient – the module (software and/or hardware) used to implement

the algorithm must be separately validated under FIPS 140.

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.13








AC.L2-3.1.14 – Remote Access Routing

CMMC Assessment Guide – Level 2 | Version 2.13

45


AC.L2-3.1.14 – REMOTE ACCESS ROUTING

Route remote access via managed access control points.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]38

Determine if:
[a] managed access control points are identified and implemented; and
[b] remote access is routed through managed network access control points.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]38

Examine
[SELECT FROM: Access control policy; procedures addressing remote access to the system;

system security plan; system design documentation; list of all managed network access

control points; system configuration settings and associated documentation; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities].

Test
[SELECT FROM: Mechanisms routing all remote accesses through managed network access

control points].

DISCUSSION [NIST SP 800-171 REV. 2]39

Routing remote access through managed access control points enhances explicit,

organizational control over such connections, reducing the susceptibility to unauthorized

access to organizational systems resulting in the unauthorized disclosure of CUI.

FURTHER DISCUSSION

The OSA can route all remote access through a limited number of remote access control

points to reduce the attack surface and simplify network management. This allows for better

monitoring and control of the remote connections.
This requirement, AC.L2-3.1.14, limits remote access to specific access control points and

complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-

3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):


38 

NIST SP 800-171A, p. 15.

39 

NIST SP 800-171 Rev. 2, p. 14.






AC.L2-3.1.14 – Remote Access Routing

CMMC Assessment Guide – Level 2 | Version 2.13

46 


 AC.L2-3.1.12 requires the control of remote access sessions. 


 AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote

sessions. 

 AC.L2-3.1.15 requires authorization for privileged commands executed during a remote

session. 

 IA.L2-3.5.3  requires multifactor  authentication for network access to non-privileged

accounts. 

 Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote

maintenance sessions.

Example
You manage systems for a company that processes CUI at multiple locations, and several

employees at different locations need to connect to the organization’s networks while

working remotely. Because each company location has a direct connection to headquarters,

you decide to route all remote access through the headquarters location [a]. All remote traffic

is routed through a single location to simplify monitoring [b].

Potential Assessment Considerations 

 How many managed access control points are implemented [a]? 


 Is all remote access routed through the managed access control points [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.14








AC.L2-3.1.15 – Privileged Remote Access

CMMC Assessment Guide – Level 2 | Version 2.13

47


AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS

Authorize remote execution of privileged commands and remote access to security-relevant

information.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]40

Determine if:
[a] privileged commands authorized for remote execution are identified;
[b] security-relevant information authorized to be accessed remotely is identified;
[c] the execution of the identified privileged commands via remote access is authorized;

and

[d] access to the identified security-relevant information via remote access is authorized.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]40

Examine
[SELECT FROM: Access control policy; procedures addressing remote access to the system;

system configuration settings and associated documentation; system security plan; system

audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities].

Test
[SELECT FROM: Mechanisms implementing remote access management].

DISCUSSION [NIST SP 800-171 REV. 2]41

A privileged command is a human-initiated (interactively or via a process operating on

behalf of the human) command executed on a system involving the control, monitoring, or

administration of the system including security functions and associated security-relevant

information. Security-relevant information is any information within the system that can

potentially impact the operation of security functions or the provision of security services in

a manner that could result in failure to enforce the system security policy or maintain

isolation of code and data. Privileged commands give individuals the ability to execute

sensitive, security-critical, or security-relevant system functions. Controlling such access

from remote locations helps to ensure that unauthorized individuals are not able to execute

such commands freely with the potential to do serious or catastrophic damage to


40 

NIST SP 800-171A, p. 15.

41 

NIST SP 800-171 Rev. 2, p. 14.






AC.L2-3.1.15 – Privileged Remote Access

CMMC Assessment Guide – Level 2 | Version 2.13

48


organizational systems. Note that the ability to affect the integrity of the system is considered

security-relevant as that could enable the means to by-pass security functions although not

directly impacting the function itself.

FURTHER DISCUSSION

Privileged users are not necessarily allowed to perform their job functions from a remote

location. Likewise, not all privileged commands may be executed remotely. Allowing remote

execution of privileged commands or remote access to security-relevant information should

be avoided if possible. If absolutely necessary, the privileged commands authorized for

remote execution should be identified and documented. Document which user roles have

permissions to remotely execute privileged commands to make changes and to access

security relevant information. Documentation must be used to establish security

mechanisms that enforce the policy.
This requirement, AC.L2-3.1.15, requires authorization for privileged commands executed

during a remote session and complements five other requirements dealing with remote

access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, IA.L2-3.5.3, and MA.L2-3.7.5): 

 AC.L2-3.1.12 requires the control of remote access sessions. 


 AC.L2-3.1.14 limits remote access to specific access control points. 


 AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote

sessions. 

 IA.L2-3.5.3  requires multifactor authentication for network access to non-privileged

accounts. 

 Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote

maintenance sessions.

This requirement, AC.L2-3.1.15, also extends AC.L2-3.1.2, which limits the types of

transactions and functions that authorized users are permitted to execute.

Example
Your company’s Access Control Policy permits certain work roles to remotely perform a

limited set of privileged commands from company-owned computers [a]. You implement

controls to enforce who can remotely execute a privileged command, which privileged

commands they can execute, and who is allowed access to security relevant information such

as audit log configuration settings [a,c,d].

Potential Assessment Considerations 

 Does system documentation identify system administration or security functions that

can be executed remotely [a]? 

 Is execution of the identified privileged commands via remote access only authorized for

documented operational needs [c]?






AC.L2-3.1.15 – Privileged Remote Access

CMMC Assessment Guide – Level 2 | Version 2.13

49


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.15








AC.L2-3.1.16 – Wireless Access Authorization

CMMC Assessment Guide – Level 2 | Version 2.13

50


AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION

Authorize wireless access prior to allowing such connections.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]42

Determine if:
[a] wireless access points are identified; and
[b] wireless access is authorized prior to allowing such connections.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]42

Examine
[SELECT FROM: Access control policy; configuration management plan; procedures

addressing wireless access implementation and usage (including restrictions); system

security plan; system design documentation; system configuration settings and associated

documentation; wireless access authorizations; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for managing wireless access connections;

personnel with information security responsibilities].

Test
[SELECT FROM: Wireless access management capability for the system].

DISCUSSION [NIST SP 800-171 REV. 2]43

Establishing usage restrictions and configuration/connection requirements for wireless

access to the system provides criteria for organizations to support wireless access

authorization decisions. Such restrictions and requirements reduce the susceptibility to

unauthorized access to the system through wireless technologies. Wireless networks use

authentication protocols that provide credential protection and mutual authentication.

FURTHER DISCUSSION

Guidelines from management form the basis for the requirements that must be met prior to

authorizing a wireless connection. These guidelines may include the following: 

 types of devices, such as corporate or privately owned equipment; 


 configuration requirements of the devices; and


42 

NIST SP 800-171A, pp. 15-16.

43 

NIST SP 800-171 Rev. 2, p. 14.






AC.L2-3.1.16 – Wireless Access Authorization

CMMC Assessment Guide – Level 2 | Version 2.13

51 


 authorization requirements before granting such connections.

AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they

all establish control for the connection of mobile devices and wireless devices through the

use of authentication, authorization, and encryption mechanisms.

Example
Your company is implementing a wireless network at its headquarters. CUI may be

transmitted on this network. You work with management to draft a policy about the use of

the wireless network. The policy states that only company-approved devices that contain

verified security configuration settings are allowed to connect. The policy also includes

usage restrictions that must be followed for anyone who wants to use the wireless network.

Authorization is required before devices are allowed to connect to the wireless network [b].

Potential Assessment Considerations 

 Is an updated list of approved network devices providing wireless access to the system

maintained [a]? 

 Are network devices providing wireless access configured to require users or devices be

authorized prior to permitting a wireless connection [b]? 

 Is wireless access to the system authorized and managed [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.16







AC.L2-3.1.17 – Wireless Access Protection

CMMC Assessment Guide – Level 2 | Version 2.13

52


AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION

Protect wireless access using authentication and encryption.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]44

Determine if:
[a] wireless access to the system is protected using authentication; and
[b] wireless access to the system is protected using encryption.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]44

Examine
[SELECT FROM: Access control policy; system design documentation; procedures addressing

wireless implementation and usage (including restrictions); system security plan; system

configuration settings and associated documentation; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers].

Test
[SELECT FROM: Mechanisms implementing wireless access protections to the system].

DISCUSSION [NIST SP 800-171 REV. 2]45

Organizations authenticate individuals and devices to help protect wireless access to the

system. Special attention is given to the wide variety of devices that are part of the Internet

of Things with potential wireless access to organizational systems.

FURTHER DISCUSSION

Use a combination of authentication and encryption methods to protect the access to

wireless networks. Authenticating users to a wireless access point can be achieved in

multiple ways. The most common authentication and encryption methods used include: 

 WPA2-PSK (WiFi Protected Access-Pre-shared Key) – This method uses a password or

passphrase known by the wireless access point and the client (user device). It is common

in small companies that have little turnover because the key must be changed each time

an employee leaves in order to prevent the terminated employee from connecting to the


44 

NIST SP 800-171A, p. 16.

45 

NIST SP 800-171 Rev. 2, pp. 14-15.






AC.L2-3.1.17 – Wireless Access Protection

CMMC Assessment Guide – Level 2 | Version 2.13

53


network without authorization. WPA2 is typically configured to use Advanced

Encryption Standard (AES) encryption. 

 WPA2 Enterprise –  This method may be better for larger companies  and enterprise

networks because authentication is based on the identity of the individual user or device

rather than a shared password or passphrase. It typically requires a Remote

Authentication Dial-in User Service (RADIUS) server for authentication and can provide

higher security than WPA2-PSK.

Open authentication must not be used because it authenticates any user and lacks security

capabilities.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,

the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they

all establish control for the connection of mobile devices and wireless devices through the

use of authentication, authorization, and encryption mechanisms.

Example 1
You manage the wireless network at a small company and are installing a new wireless

solution that may transmit CUI. You start by selecting a product that employs encryption

validated against the FIPS 140 standard. You configure the wireless solution to use WPA2,

requiring users to enter a pre-shared key to connect to the wireless network [a,b].

Example 2
You manage the wireless network at a large company and are installing a new wireless

solution that may transmit CUI. You start by selecting a product that employs encryption that

is validated against the FIPS 140 standard. Because of the size of your workforce, you

configure the wireless system to authenticate users with a RADIUS server. Users must

provide the wireless system with their domain usernames and passwords to be able to

connect, and the RADIUS server verifies those credentials. Users unable to authenticate are

denied access [a,b].

Potential Assessment Considerations 

 Is wireless access limited only to authenticated and authorized users (e.g., required to

supply a username and password) [a]? 

 If the organization is securing its wireless network with a pre-shared key, is access to

that key restricted to only authorized users [a]? 

 Is wireless access encrypted using FIPS-validated cryptography? Note that simply using

an approved algorithm is not sufficient; the module (software and/or hardware) used to

implement the algorithm must be separately validated under FIPS 140 [b].

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.17







AC.L2-3.1.18 – Mobile Device Connection

CMMC Assessment Guide – Level 2 | Version 2.13

54


AC.L2-3.1.18 – MOBILE DEVICE CONNECTION

Control connection of mobile devices.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]46

Determine if:
[a] mobile devices that process, store, or transmit CUI are identified;
[b] mobile device connections are authorized; and
[c] mobile device connections are monitored and logged.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]46

Examine
[SELECT FROM: Access control policy; authorizations for mobile device connections to

organizational systems; procedures addressing access control for mobile device usage

(including restrictions); system design documentation; configuration management plan;

system security plan; system audit logs and records; system configuration settings and

associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel using mobile devices to access organizational systems; system or

network administrators; personnel with information security responsibilities].

Test
[SELECT FROM: Access control capability authorizing mobile device connections to

organizational systems].

DISCUSSION [NIST SP 800-171 REV. 2]47

A mobile device is a computing device that has a small form factor such that it can easily be

carried by a single individual; is designed to operate without a physical connection (e.g.,

wirelessly transmit or receive information); possesses local, non-removable or removable

data storage; and includes a self-contained power source. Mobile devices may also include

voice communication capabilities, on-board sensors that allow the device to capture

information, or built-in features for synchronizing local data with remote locations.

Examples of mobile devices include smart phones, e-readers, and tablets.
Due to the large variety of mobile devices with different technical characteristics and

capabilities, organizational restrictions may vary for the different types of devices. Usage

restrictions and implementation guidance for mobile devices include: device identification


46 

NIST SP 800-171A, p. 16.

47 

NIST SP 800-171 Rev. 2, p. 15.






AC.L2-3.1.18 – Mobile Device Connection

CMMC Assessment Guide – Level 2 | Version 2.13

55


and authentication; configuration management; implementation of mandatory protective

software (e.g., malicious code detection, firewall); scanning devices for malicious code;

updating virus protection software; scanning for critical software updates and patches;

conducting primary operating system (and possibly other resident software) integrity

checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide

adequate security for mobile devices goes beyond this requirement. Many controls for

mobile devices are reflected in other CUI security requirements. NIST SP 800-124 provides

guidance on mobile device security.

FURTHER DISCUSSION

Establish guidelines and acceptable requirements for proper configuration, use, and

management of mobile devices. Devices that process, store, or transmit CUI must be

identified with a device-specific identifier. There are many different types of identifiers, and

it is important to select one that can accommodate all devices and be used in a consistent

manner. These identifiers are important for facilitating the required monitoring and logging

function.
In addition to smartphones, consider the security of other portable devices such as e-readers

and tablets.
AC.L2-3.1.16, AC.L2-3.1.17, and AC.L2-3.1.18 are complementary requirements in that they

all establish control for the connection of mobile devices and wireless devices through the

use of authentication, authorization, and encryption mechanisms.

Example
Your organization has a policy stating that all mobile devices, including iPads, tablets, mobile

phones, and Personal Digital Assistants (PDAs), must be approved and registered with the

IT department before connecting to the network that contains CUI. The IT department uses

a Mobile Device Management solution to monitor mobile devices and enforce policies across

the enterprise [b,c].

Potential Assessment Considerations 

 Is a list of mobile devices that are permitted to process, store, or transmit CUI maintained

[a,b]? 

 Is the system configured to only permit connections from identified, authorized mobile

devices [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.18








AC.L2-3.1.19 – Encrypt CUI on Mobile

CMMC Assessment Guide – Level 2 | Version 2.13

56


AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE

Encrypt CUI on mobile devices and mobile computing platforms.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]48

Determine if:
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are

identified; and

[b] encryption is employed to protect CUI on identified mobile devices and mobile

computing platforms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]48

Examine
[SELECT FROM: Access control policy; procedures addressing access control for mobile

devices; system design documentation; system configuration settings and associated

documentation; encryption mechanisms and associated configuration documentation;

system security plan; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with access control responsibilities for mobile devices; system or

network administrators; personnel with information security responsibilities].

Test
[SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile

devices].

DISCUSSION [NIST SP 800-171 REV. 2]49

Organizations can employ full-device encryption or container-based encryption to protect

the confidentiality of CUI on mobile devices and computing platforms. Container-based

encryption provides a more fine-grained approach to the encryption of data and information

including encrypting selected data structures such as files, records, or fields.

FURTHER DISCUSSION

Ensure CUI is encrypted on all mobile devices and mobile computing platforms that process,

store, or transmit CUI including smartphones, tablets, and e-readers.


48 

NIST SP 800-171A, p. 17.

49 

NIST SP 800-171 Rev. 2, p. 15.






AC.L2-3.1.19 – Encrypt CUI on Mobile

CMMC Assessment Guide – Level 2 | Version 2.13

57


Because the use of cryptography in this requirement is to protect the confidentiality of CUI,

the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, AC.L2-3.1.19, specifies that CUI be encrypted on mobile devices and

extends three other CUI protection requirements (MP.L2-3.8.1, MP.L2-3.8.2, and SC.L2-

3.13.16): 

 MP.L2-3.8.1 requires that media containing CUI be protected. 


 MP.L2-3.8.2 limits access to CUI to authorized users. 


 Finally, SC.L2-3.13.16 requires confidentiality of CUI at rest.

This requirement, AC.L2-3.1.19, also leverages SC.L2-3.13.11, which specifies that the

algorithms used must be FIPS-validated cryptography, and SC.L2-3.13.10, which specifies

that any cryptographic keys in use must be protected.

Example
You are in charge of mobile device security for a company that processes CUI. You configure

all laptops to use the full-disk encryption technology built into the operating system. This

approach is FIPS-validated and encrypts all files, folders, and volumes.
Phones and tablets pose a greater technical challenge with their wide range of manufacturers

and operating systems. You select a proprietary mobile device management (MDM) solution

to enforce FIPS-validated encryption on those devices [a,b].

Potential Assessment Considerations 

 Is a list maintained of mobile devices and mobile computing platforms that are permitted

to process, store, or transmit CUI [a]? 

 Is CUI encrypted on mobile devices using FIPS-validated algorithms [b]?

KEY REFERENCE 

 NIST SP 800-171 Rev. 2 3.1.19








AC.L2-3.1.20 – External Connections [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

58


AC.L2-3.1.20 – EXTERNAL CONNECTIONS [CUI DATA]

Verify and control/limit connections to and use of external systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]50

Determine if:
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]50

Examine
[SELECT FROM: Access control policy; procedures addressing the use of external systems;

terms and conditions for external systems; system security plan; list of applications

accessible from external systems; system configuration settings and associated

documentation; system connection or processing agreements; account management

documents; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of

external systems to access organizational systems; system or network administrators;

personnel with information security responsibilities].

Test
[SELECT FROM: Mechanisms implementing terms and conditions on use of external

systems].

DISCUSSION [NIST SP 800-171 REV. 2]51

External systems are systems or components of systems for which organizations typically

have no direct supervision and authority over the application of security requirements and

controls or the determination of the effectiveness of implemented controls on those systems.

External systems include personally owned systems, components, or devices and privately-

owned computing and communications devices resident in commercial or public facilities.


50 

NIST SP 800-171A, p. 17.

51 

NIST SP 800-171 Rev. 2, pp. 15-16.






AC.L2-3.1.20 – External Connections [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

59


This requirement also addresses the use of external systems for the processing, storage, or

transmission of CUI, including accessing cloud services (e.g., infrastructure as a service,

platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance

with organizational security policies and procedures. Terms and conditions address as a

minimum, the types of applications that can be accessed on organizational systems from

external systems. If terms and conditions with the owners of external systems cannot be

established, organizations may impose restrictions on organizational personnel using those

external systems.
This requirement recognizes that there are circumstances where individuals using external

systems (e.g., contractors, coalition partners) need to access organizational systems. In those

situations, organizations need confidence that the external systems contain the necessary

controls so as not to compromise, damage, or otherwise harm organizational systems.

Verification that the required controls have been effectively implemented can be achieved

by third-party, independent assessments, attestations, or other means, depending on the

assurance or confidence level required by organizations.
Note that while “external” typically refers to outside of the organization’s direct supervision

and authority, that is not always the case. Regarding the protection of CUI across an

organization, the organization may have systems that process CUI and others that do not.

And among the systems that process CUI there are likely access restrictions for CUI that

apply between systems. Therefore, from the perspective of a given system, other systems

within the organization may be considered “external" to that system.

FURTHER DISCUSSION

Control and manage connections between your company network and outside networks.

Outside networks could include the public internet, one of your own company’s networks

that falls outside of your CMMC Assessment Scope (e.g., an isolated lab), or a network that

does not belong to your company. Tools to accomplish include firewalls and connection

allow/deny lists. External systems not controlled by your company could be running

applications that are prohibited or blocked. Control and limit access to corporate networks

from personally owned devices such as laptops, tablets, and phones. You may choose to limit

how and when your network is connected to outside systems or only allow certain

employees to connect to outside systems from network resources.

Example
Your company has a project that contains CUI. You remind your coworkers of the policy

requirement to use their company laptops, not personal laptops or tablets, when working

remotely on the project [b,f]. You also remind everyone to work from the cloud environment

that is approved for processing and storing CUI rather than the other collaborative tools that

may be used for other projects [b,f].

Potential Assessment Considerations 

 Are all connections to external systems outside of the assessment scope identified [a]?






AC.L2-3.1.20 – External Connections [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

60 


 Are external systems (e.g., systems managed by OSAs, partners, or vendors; personal

devices) that are permitted to connect to or make use of organizational systems

identified [b]? 

 Are methods employed to ensure that only authorized connections are being made to

external systems (e.g., requiring log-ins or certificates, access from a specific IP address,

or access via Virtual Private Network (VPN)) [c,e]? 

 Are methods employed to confirm that only authorized external systems are connecting

(e.g., if employees are receiving company email on personal cell phones, is the OSA

checking to verify that only known/expected devices are connecting) [d]? 

 Is the use of external systems limited, including by policy or physical control [f]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.20 


 FAR Clause 52.204-21 b.1.iii







AC.L2-3.1.21 – Portable Storage Use

CMMC Assessment Guide – Level 2 | Version 2.13

61


AC.L2-3.1.21 – PORTABLE STORAGE USE

Limit use of portable storage devices on external systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]52

Determine if:
[a] the use of portable storage devices containing CUI on external systems is identified and

documented;

[b] limits on the use of portable storage devices containing CUI on external systems are

defined; and

[c] the use of portable storage devices containing CUI on external systems is limited as

defined.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]52

Examine
[SELECT FROM: Access control policy; procedures addressing the use of external systems;

system security plan; system configuration settings and associated documentation; system

connection or processing agreements; account management documents; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for restricting or prohibiting use of

organization-controlled storage devices on external systems; system or network

administrators; personnel with information security responsibilities].

Test
[SELECT FROM: Mechanisms implementing restrictions on use of portable storage devices].

DISCUSSION [NIST SP 800-171 REV. 2]53

Limits on the use of organization-controlled portable storage devices in external systems

include complete prohibition of the use of such devices or restrictions on how the devices

may be used and under what conditions the devices may be used. Note that while “external”

typically refers to outside of the organization’s direct supervision and authority that is not

always the case. Regarding the protection of CUI across an organization, the organization

may have systems that process CUI and others that do not. Among the systems that process

CUI there are likely access restrictions for CUI that apply between systems. Therefore, from


52 

NIST SP 800-171A, p. 18.

53 

NIST SP 800-171 Rev. 2, p. 16.






AC.L2-3.1.21 – Portable Storage Use

CMMC Assessment Guide – Level 2 | Version 2.13

62


the perspective of a given system, other systems within the organization may be considered

“external" to that system.

FURTHER DISCUSSION

A portable storage device is a system component that can be inserted or attached and easily

removed from a system. It is used to store data or information. Examples of portable storage

devices include: 

 compact/digital video disks (CDs/DVDs); 


 Universal Serial Bus (USB) drives; 


 external hard disk drives; 


 flash memory cards/drives; and 


 floppy disks.

This requirement can be implemented in two ways: 

 identifying the portable storage device usage restrictions, identifying portable storage

devices that may be used on external systems, identifying associated external systems on

which a portable storage device may be used, and administratively (through the use of a

written policy) limiting the usage of the devices to those systems; or 

 configuring devices to work only when connected  to a system to which the portable

storage device can authenticate, limiting the devices’ use on external systems to those

that the OSA has the ability to manage.

Example
Your organization, which stores and processes CUI, has a written portable device usage

restriction policy. It states that users can only use external storage devices such as thumb

dives or external hard disks that belong to the company. When needed for a specific business

function, a user checks the device out from IT and returns it to IT when no longer needed

[a,b].

Potential Assessment Considerations 

 Are the portable storage devices authorized for external use identified and documented

[a]? 

 Are the circumstances defined in which portable storage devices containing CUI may be

used on external systems (e.g., with management approval) [b]? 

 Are limitations stipulated for the use of portable storage devices containing CUI on

external systems (e.g., authorized personnel only, encrypted drives required) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.21







AC.L2-3.1.22 – Control Public Information [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

63


AC.L2-3.1.22 – CONTROL PUBLIC INFORMATION [CUI DATA]

Control CUI posted or processed on publicly accessible systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]54

Determine if:
[a] individuals authorized to post or process information on publicly accessible systems

are identified;

[b] procedures to ensure CUI is not posted or processed on publicly accessible systems are

identified;

[c] a review process is in place prior to posting of any content to publicly accessible

systems;

[d] content on publicly accessible systems is reviewed to ensure that it does not include

CUI; and

[e] mechanisms are in place to remove and address improper posting of CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]54

Examine
[SELECT FROM: Access control policy; procedures addressing publicly accessible content;

system security plan; list of users authorized to post publicly accessible content on

organizational systems; training materials and/or records; records of publicly accessible

information reviews; records of response to nonpublic information on public websites;

system audit logs and records; security awareness training records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for managing publicly accessible

information posted on organizational systems; personnel with information security

responsibilities].

Test
[SELECT FROM: Mechanisms implementing management of publicly accessible content].

DISCUSSION [NIST SP 800-171 REV. 2]55

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the

public is not authorized access to nonpublic information (e.g., information protected under

the Privacy Act, CUI, and proprietary information). This requirement addresses systems that


54 

NIST SP 800-171A, p. 18.

55 

NIST SP 800-171 Rev. 2, p. 16.






AC.L2-3.1.22 – Control Public Information [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

64


are controlled by the organization and accessible to the public, typically without

identification or authentication. Individuals authorized to post CUI onto publicly accessible

systems are designated. The content of information is reviewed prior to posting onto

publicly accessible systems to ensure that nonpublic information is not included.

FURTHER DISCUSSION

Only government officials can be authorized to release CUI to the public. Do not allow CUI to

become public – always safeguard the confidentiality of CUI by controlling the posting of CUI

on company-controlled websites or public forums, and the exposure of CUI in public

presentations or on public displays. It is important to know which users are allowed to

publish information on publicly accessible systems, like your company website, and

implement a review process before posting such information. If CUI is discovered on a

publicly accessible system, procedures should be in place to remove that information and

alert the appropriate parties.

Example
Your company decides to start issuing press releases about its projects in an effort to reach

more potential customers. Your company receives CUI from the government as part of its

DoD contract. Because you recognize the need to manage controlled information, including

CUI, you meet with the employees who write the releases and post information to establish

a review process [c]. It is decided that you will review press releases for CUI before posting

it on the company website [a,d]. Only certain employees will be authorized to post to the

website [a].

Potential Assessment Considerations 

 Does information on externally facing systems (i.e., publicly accessible) have a

documented approval chain for public release [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.1.22 


 FAR Clause 52.204-21 b.1.iv






AT.L2-3.2.1 – Role-Based Risk Awareness

CMMC Assessment Guide – Level 2 | Version 2.13

65


Awareness and Training (AT)
AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS

Ensure that managers, systems administrators, and users of organizational systems are

made aware of the security risks associated with their activities and of the applicable

policies, standards, and procedures related to the security of those systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]56

Determine if:
[a] security risks associated with organizational activities involving CUI are identified;
[b] policies, standards, and procedures related to the security of the system are identified;
[c] managers, systems administrators, and users of the system are made aware of the

security risks associated with their activities; and

[d] managers, systems administrators, and users of the system are made aware of the

applicable policies, standards, and procedures related to the security of the system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]56

Examine
[SELECT FROM: Security awareness and training policy; procedures addressing security

awareness training implementation; relevant codes of federal regulations; security

awareness training curriculum; security awareness training materials; system security plan;

training records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for security awareness training; personnel

with information security responsibilities; personnel composing the general system user

community; personnel with responsibilities for role-based awareness training].

Test
[SELECT FROM: Mechanisms managing security awareness training; mechanisms managing

role-based security training].

DISCUSSION [NIST SP 800-171 REV. 2]57
Organizations determine the content and frequency of security awareness training and

security awareness techniques based on the specific organizational requirements and the

systems to which personnel have authorized access. The content includes a basic


56 

NIST SP 800-171A, p. 19.

57 

NIST SP 800-171 Rev. 2, pp. 16-17.






AT.L2-3.2.1 – Role-Based Risk Awareness

CMMC Assessment Guide – Level 2 | Version 2.13

66


understanding of the need for information security and user actions to maintain security and

to respond to suspected security incidents. The content also addresses awareness of the

need for operations security. Security awareness techniques include: formal training;

offering supplies inscribed with security reminders; generating email advisories or notices

from organizational officials; displaying logon screen messages; displaying security

awareness posters; and conducting information security awareness events.
NIST SP 800-50 provides guidance on security awareness and training programs.

FURTHER DISCUSSION
Awareness training focuses user attention on security. Several techniques can be used, such

as: 

 synchronous or asynchronous training; 


 simulations (e.g., simulated phishing emails); 


 security awareness campaigns (posters, reminders, group discussions); and 


 communicating regular email advisories and notices to employees.

Awareness training and role-based training are different. This requirement, AT.L2-3.2.1,

covers awareness training, which provides general security training to influence user

behavior. This training can apply broadly or be tailored to a specific role. Role-based training

focuses on the knowledge, skills, and abilities needed to complete a specific job and is

covered by AT.L2-3.2.2.

Example
Your organization holds a DoD contract which requires the use of CUI. You want to provide

information to employees so they can identify phishing emails. To do this, you prepare a

presentation that highlights basic traits, including: 

 suspicious-looking email address or domain name; 


 a message that contains an attachment or URL; and 


 a message that is poorly written and often contains obvious misspelled words.

You encourage everyone to not click on attachments or links in a suspicious email [c]. You

tell employees to forward such a message immediately to IT security [d]. You download free

security awareness posters to hang in the office [c,d]. You send regular emails and tips to all

employees to ensure your message is not forgotten over time [c,d].

Potential Assessment Considerations 

 Do all users, managers, and system administrators receive initial and refresher training

commensurate with their roles and responsibilities [c,d]? 

 Do training materials identify the organization-defined security requirements that must

be met by users while interacting with the system as described in written policies,

standards, and procedures [d]?






AT.L2-3.2.1 – Role-Based Risk Awareness

CMMC Assessment Guide – Level 2 | Version 2.13

67


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.2.1







AT.L2-3.2.2 – Role-Based Training

CMMC Assessment Guide – Level 2 | Version 2.13

68


AT.L2-3.2.2 – ROLE-BASED TRAINING

Ensure that personnel are trained to carry out their assigned information security-related

duties and responsibilities.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]58

Determine if:
[a] information security-related duties, roles, and responsibilities are defined;
[b] information security-related duties, roles, and responsibilities are assigned to

designated personnel; and

[c] personnel are adequately trained to carry out their assigned information security-

related duties, roles, and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]58

Examine
[SELECT FROM: Security awareness and training policy; procedures addressing security

training implementation; codes of federal regulations; security training curriculum; security

training materials; system security plan; training records; other relevant documents or

records].

Interview
[SELECT FROM: Personnel with responsibilities for role-based security training; personnel

with assigned system security roles and responsibilities; personnel with responsibilities for

security awareness training; personnel with information security responsibilities; personnel

representing the general system user community].

Test
[SELECT FROM: Mechanisms managing role-based security training; mechanisms managing

security awareness training].

DISCUSSION [NIST SP 800-171 REV. 2]59

Organizations determine the content and frequency of security training based on the

assigned duties, roles, and responsibilities of individuals and the security requirements of

organizations and the systems to which personnel have authorized access. In addition,

organizations provide system developers, enterprise architects, security architects,

acquisition/procurement officials, software developers, system developers, systems

integrators, system/network administrators, personnel conducting configuration

management and auditing activities, personnel performing independent verification and


58 

NIST SP 800-171A, pp. 19-20.

59 

NIST SP 800-171 Rev. 2, p. 17.






AT.L2-3.2.2 – Role-Based Training

CMMC Assessment Guide – Level 2 | Version 2.13

69


validation, security assessors, and other personnel having access to system-level software,

security-related technical training specifically tailored for their assigned duties.
Comprehensive role-based training addresses management, operational, and technical roles

and responsibilities covering physical, personnel, and technical controls. Such training can

include policies, procedures, tools, and artifacts for the security roles defined. Organizations

also provide the training necessary for individuals to carry out their responsibilities related

to operations and supply chain security within the context of organizational information

security programs.
NIST SP 800-181 provides guidance on role-based information security training in the

workplace. SP 800-161 provides guidance on supply chain risk management.

FURTHER DISCUSSION

Training imparts skills and knowledge to enable staff to perform a specific job function.

Training should be available to all employees for all organizational roles to accommodate

role changes without being constrained by the training schedule. Awareness training and

role-based training are different. Awareness training provides general security training to

influence user behavior and is covered by AT.L2-3.2.1. This requirement, AT.L2-3.2.2, covers

role-based training that focuses on the knowledge, skills, and abilities needed to complete a

specific job. Role-based training may include awareness topics specific to individual roles

such as ensuring systems administrators understand the risk associated with using an

administrative account.

Example
Your company upgraded the firewall to a newer, more advanced system to protect the CUI it

stores. You have been identified as an employee who needs training on the new device [a,b,c].

This will enable you to use the firewall effectively and efficiently. Your company considered

training resources when it planned for the upgrade and ensured that training funds were

available as part of the upgrade project [c].

Potential Assessment Considerations 

 Are the duties, roles,  and responsibilities that impact, directly or indirectly, the

information security of the company or its systems defined and documented [a]? 

 Do information security-related tasks have accountable owners, and is a strictly limited

group of individuals assigned to perform them [b]? 

 Are personnel who  are assigned information security-related duties, roles,  and

responsibilities trained on those responsibilities, including the security requirements

unique or inherent to their roles or responsibilities [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.2.2








AT.L2-3.2.3 – Insider Threat Awareness

CMMC Assessment Guide – Level 2 | Version 2.13

70


AT.L2-3.2.3 – INSIDER THREAT AWARENESS

Provide security awareness training on recognizing and reporting potential indicators of

insider threat.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]60

Determine if:
[a] potential indicators associated with insider threats are identified; and
[b] security awareness training on recognizing and reporting potential indicators of insider

threat is provided to managers and employees.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]60

Examine
[SELECT FROM: Security awareness and training policy; procedures addressing security

awareness training implementation; security awareness training curriculum; security

awareness training materials; insider threat policy and procedures; system security plan;

other relevant documents or records].

Interview
[SELECT FROM: Personnel that participate in security awareness training; personnel with

responsibilities for basic security awareness training; personnel with information security

responsibilities].

Test
[SELECT FROM: Mechanisms managing insider threat training].

DISCUSSION [NIST SP 800-171 REV. 2]61

Potential indicators and possible precursors of insider threat include behaviors such as:

inordinate, long-term job dissatisfaction; attempts to gain access to information that is not

required for job performance; unexplained access to financial resources; bullying or sexual

harassment of fellow employees; workplace violence; and other serious violations of the

policies, procedures, directives, rules, or practices of organizations. Security awareness

training includes how to communicate employee and management concerns regarding

potential indicators of insider threat through appropriate organizational channels in

accordance with established organizational policies and procedures. Organizations may

consider tailoring insider threat awareness topics to the role (e.g., training for managers may

be focused on specific changes in behavior of team members, while training for employees

may be focused on more general observations).


60 

NIST SP 800-171A, p. 20.

61 

NIST SP 800-171 Rev. 2, p. 17.






AT.L2-3.2.3 – Insider Threat Awareness

CMMC Assessment Guide – Level 2 | Version 2.13

71


FURTHER DISCUSSION

An insider threat is the threat that an insider will use their authorized access, wittingly or

unwittingly, to do harm. Insider threat security awareness training focuses on recognizing

employee behaviors and characteristics that might be indicators of an insider threat and the

guidelines and procedures to handle and report it. Training for managers will provide

guidance on observing team members to identify all potential threat indicators, while

training for general employees will provide guidance for focusing on a smaller number of

indicators. Employee behaviors will vary depending on roles, team membership, and

associated information needs. The person responsible for specifying insider threat

indicators must be cognizant of these factors. Because of this, organizations may choose to

tailor the training for specific roles. This requirement does not require separate training

regarding insider threat. Organizations may choose to integrate these topics into their

standard security awareness training programs.

Example
You are responsible for training all employees on the awareness of high-risk behaviors that

can indicate a potential insider threat [b]. You educate yourself on the latest research on

insider threat indicators by reviewing a number of law enforcement bulletins [a]. You then

add the following example to the training package: A baseline of normal behavior for work

schedules has been created. One employee’s normal work schedule is 8:00 AM–5:00 PM, but

another employee noticed that the employee has been working until 9:00 PM every day even

though no projects requiring additional hours have been assigned [b]. The observing

employee reports the abnormal work schedule using the established reporting guidelines.

Potential Assessment Considerations 

 Do training materials include potential indicators associated with insider threats (e.g.,

repeated security violations, unusual work hours, unexpected significant transfers of

data, suspicious contacts, concerning behaviors outside the workplace) [a,b]? 

 Do training materials include methods of reporting potential indicators of insider threats

to management or responsible security personnel [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.2.3







AU.L2-3.3.1 – System Auditing

CMMC Assessment Guide – Level 2 | Version 2.13

72


Audit and Accountability (AU)
AU.L2-3.3.1 – SYSTEM AUDITING

Create and retain system audit logs and records to the extent needed to enable the

monitoring, analysis, investigation, and reporting of unlawful or unauthorized system

activity.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]62

Determine if:
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis,

investigation, and reporting of unlawful or unauthorized system activity are specified;

[b] the content of audit records needed to support monitoring, analysis, investigation, and

reporting of unlawful or unauthorized system activity is defined;

[c] audit records are created (generated);
[d] audit records, once created, contain the defined content;
[e] retention requirements for audit records are defined; and
[f] audit records are retained as defined.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]62

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing auditable events;

system security plan; system design documentation; system configuration settings and

associated documentation; procedures addressing control of audit records; procedures

addressing audit record generation; system audit logs and records; system auditable events;

system incident reports; other relevant documents or records].

Interview
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with

information security responsibilities; personnel with audit review, analysis and reporting

responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms implementing system audit logging].


62 

NIST SP 800-171A, p. 21.






AU.L2-3.3.1 – System Auditing

CMMC Assessment Guide – Level 2 | Version 2.13

73


DISCUSSION [NIST SP 800-171 REV. 2]63

An event is any observable occurrence in a system, which includes unlawful or unauthorized

system activity. Organizations identify event types for which a logging functionality is

needed as those events which are significant and relevant to the security of systems and the

environments in which those systems operate to meet specific and ongoing auditing needs.

Event types can include password changes, failed logons or failed accesses related to

systems, administrative privilege usage, or third-party credential usage. In determining

event types that require logging, organizations consider the monitoring and auditing

appropriate for each of the CUI security requirements. Monitoring and auditing

requirements can be balanced with other system needs. For example, organizations may

determine that systems must have the capability to log every file access both successful and

unsuccessful, but not activate that capability except for specific circumstances due to the

potential burden on system performance.
Audit records can be generated at various levels of abstraction, including at the packet level

as information traverses the network. Selecting the appropriate level of abstraction is a

critical aspect of an audit logging capability and can facilitate the identification of root causes

to problems. Organizations consider in the definition of event types, the logging necessary to

cover related events such as the steps in distributed, transaction-based processes (e.g.,

processes that are distributed across multiple organizations) and actions that occur in

service-oriented or cloud-based architectures.
Audit record content that may be necessary to satisfy this requirement includes time stamps,

source and destination addresses, user or process identifiers, event descriptions, success or

failure indications, filenames involved, and access control or flow control rules invoked.

Event outcomes can include indicators of event success or failure and event-specific results

(e.g., the security state of the system after the event occurred).
Detailed information that organizations may consider in audit records includes full text

recording of privileged commands or the individual identities of group account users.

Organizations consider limiting the additional audit log information to only that information

explicitly needed for specific audit requirements. This facilitates the use of audit trails and

audit logs by not including information that could potentially be misleading or could make it

more difficult to locate information of interest. Audit logs are reviewed and analyzed as often

as needed to provide important information to organizations to facilitate risk-based decision

making. NIST SP 800-92 provides guidance on security log management.

FURTHER DISCUSSION

OSAs must ensure that all applicable systems create and retain audit logs that contain

enough information to identify and investigate potentially unlawful or unauthorized system

activity. OSAs must define the audit logs it needs to collect as well as the specific events to

capture within the selected logs. Captured audit records are checked to verify that they

contain the required events.


63 

NIST SP 800-171 Rev. 2, pp. 17-18.






AU.L2-3.3.1 – System Auditing

CMMC Assessment Guide – Level 2 | Version 2.13

74


In defining the audit log retention period, OSAs must ensure that logs are retained for a

sufficiently long period to allow for the investigation of a security event. The retention period

must take into account the delay of weeks or months that can occur between an initial

compromise and the discovery of attacker activity.

Example
You set up audit logging capability for your company. You determine that all systems that

contain CUI must have extra detail in the audit logs. Because of this, you configure these

systems to log the following information for all user actions [b,c]: 

 time stamps; 


 source and destination addresses; 


 user or process identifiers; 


 event descriptions; 


 success or fail indications; and 


 filenames.

Potential Assessment Considerations 

 Are audit log retention requirements appropriate to the system and its associated level

of risk [e]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.1








AU.L2-3.3.2 – User Accountability

CMMC Assessment Guide – Level 2 | Version 2.13

75


AU.L2-3.3.2 – USER ACCOUNTABILITY

Ensure that the actions of individual system users can be uniquely traced to those users so

they can be held accountable for their actions.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]64

Determine if:
[a] the content of the audit records needed to support the ability to uniquely trace users to

their actions is defined; and

[b] audit records, once created, contain the defined content.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]64

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing audit records and

event types; system security plan; system design documentation; system configuration

settings and associated documentation; procedures addressing audit record generation;

procedures addressing audit review, analysis, and reporting; reports of audit findings;

system audit logs and records; system events; system incident reports; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms implementing system audit logging].

DISCUSSION [NIST SP 800-171 REV. 2]65

This requirement ensures that the contents of the audit record include the information

needed to link the audit event to the actions of an individual to the extent feasible.

Organizations consider logging for traceability including results from monitoring of account

usage, remote access, wireless connectivity, mobile device connection, communications at

system boundaries, configuration settings, physical access, nonlocal maintenance, use of

maintenance tools, temperature and humidity, equipment delivery and removal, system

component inventory, use of mobile code, and use of VoIP.


64 

NIST SP 800-171A, pp. 21-22.

65 

NIST SP 800-171 Rev. 2, p. 18.






AU.L2-3.3.2 – User Accountability

CMMC Assessment Guide – Level 2 | Version 2.13

76


FURTHER DISCUSSION

Capturing the necessary information in audit logs ensures that you can trace actions to a

specific user. This may include capturing user IDs, source and destination addresses, and

time stamps. Logging from networks, servers, clients, and applications should be considered

in ensuring accountability.
This requirement, AU.L2-3.3.2, which ensures logging and traceability of user actions,

supports the control of non-privileged users required by AC.L2-3.1.7 as well as many other

auditing, configuration management, incident response, and situation awareness

requirements.

Example
You manage systems for a company that stores, processes, and transmits CUI. You want to

ensure that you can trace all remote access sessions to a specific user. You configure the VPN

device to capture the following information for all remote access connections: source and

destination IP address, user ID, machine name, time stamp, and user actions during the

remote session [b].

Potential Assessment Considerations 

 Are users uniquely traced and held responsible for unauthorized actions [a]? 


 Does the system protect against an individual denying having performed an action (non-

repudiation) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.2







AU.L2-3.3.3 – Event Review

CMMC Assessment Guide – Level 2 | Version 2.13

77


AU.L2-3.3.3 – EVENT REVIEW

Review and update logged events.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]66

Determine if:
[a] a process for determining when to review logged events is defined;
[b] event types being logged are reviewed in accordance with the defined review process;

and

[c] event types being logged are updated based on the review.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]66

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing audit records and

event types; system security plan; list of organization-defined event types to be logged;

reviewed and updated records of logged event types; system audit logs and records; system

incident reports; other relevant documents or records].

Interview
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Mechanisms supporting review and update of logged event types].

DISCUSSION [NIST SP 800-171 REV. 2]67

The intent of this requirement is to periodically re-evaluate which logged events will

continue to be included in the list of events to be logged. The event types that are logged by

organizations may change over time. Reviewing and updating the set of logged event types

periodically is necessary to ensure that the current set remains necessary and sufficient.

FURTHER DISCUSSION

This requirement is focused on the configuration of the auditing system, not the review of

the audit records produced by the selected events. The review of the audit logs is covered

under AU.L2-3.3.5 and AU.L2-3.3.6.


66 

NIST SP 800-171A, p. 22.

67 

NIST SP 800-171 Rev. 2, pp. 18-19.






AU.L2-3.3.3 – Event Review

CMMC Assessment Guide – Level 2 | Version 2.13

78


Example
You are in charge of IT operations for a company that processes CUI and are responsible for

identifying and documenting which events are relevant to the security of your company’s

systems. Your company has decided that this list of events should be updated annually or

when new security threats or events have been identified, which may require additional

events to be logged and reviewed [a]. The list of events you are capturing in your logs started

as the list of recommended events given by the manufacturers of your operating systems and

devices, but it has grown from experience.
Your company experiences a security incident, and a forensics review shows the logs appear

to have been deleted by a remote user. You notice that remote sessions are not currently

being logged [b]. You update the list of events to include logging all VPN sessions [c].

Potential Assessment Considerations 

 Do documented processes include methods for determining when to review logged event

types (i.e., regular frequency, after incidents, after major system changes) [a]? 

 Do documented processes include methods for reviewing event types being logged (i.e.,

based on specific threat, use case, retention capacity, current utilization, and/or newly

added system component or functionality) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.3







AU.L2-3.3.4 – Audit Failure Alerting

CMMC Assessment Guide – Level 2 | Version 2.13

79


AU.L2-3.3.4 – AUDIT FAILURE ALERTING

Alert in the event of an audit logging process failure.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]68

Determine if:
[a] personnel or roles to be alerted in the event of an audit logging process failure are

identified;

[b] types of audit logging process failures for which alert will be generated are defined; and
[c] identified personnel or roles are alerted in the event of an audit logging process failure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]68

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing response to audit

logging processing failures; system design documentation; system security plan; system

configuration settings and associated documentation; list of personnel to be notified in case

of an audit logging processing failure; system incident reports; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with

information security responsibilities; system or network administrators; system

developers].

Test
[SELECT FROM: Mechanisms implementing system response to audit logging process

failures].

DISCUSSION [NIST SP 800-171 REV. 2]69

Audit logging process failures include software and hardware errors, failures in the audit

record capturing mechanisms, and audit record storage capacity being reached or exceeded.

This requirement applies to each audit record data storage repository (i.e., distinct system

component where audit records are stored), the total audit record storage capacity of

organizations (i.e., all audit record data storage repositories combined), or both.


68 

NIST SP 800-171A, p. 22.

69 

NIST SP 800-171 Rev. 2, p. 19.






AU.L2-3.3.4 – Audit Failure Alerting

CMMC Assessment Guide – Level 2 | Version 2.13

80


FURTHER DISCUSSION

Audit logging keeps track of activities occurring on the network, servers, user workstations,

and other components of the overall system. These logs must always be available and

functional. The company’s designated security personnel (e.g., system administrator and

security officer) need to be aware when the audit log process fails or becomes unavailable

[a]. Notifications (e.g., email, Short Message Service (SMS)) should to be sent to the

company’s designated security personnel to immediately take appropriate action. If security

personnel are unaware of the audit logging process failure, then they will be unaware of any

suspicious activity occurring at that time. Response to an audit logging process failure should

account for the extent of the failure (e.g., a single component’s audit logging versus failure of

the centralized logging solution), the risks involved in this loss of audit logging, and other

factors (e.g., the possibility that an adversary could have caused the audit logging process

failure).

Example
You are in charge of IT operations for a company that processes CUI, and your

responsibilities include managing the audit logging process. You configure your systems to

send you an email in the event of an audit log failure. One day, you receive one of these alerts.

You connect to the system, restart logging, and determine why the logging stopped [a,b,c].

Potential Assessment Considerations 

 Will the system alert personnel with security responsibilities in the event of an audit

processing failure?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.4







AU.L2-3.3.5 – Audit Correlation

CMMC Assessment Guide – Level 2 | Version 2.13

81


AU.L2-3.3.5 – AUDIT CORRELATION

Correlate audit record review, analysis, and reporting processes for investigation and

response to indications of unlawful, unauthorized, suspicious, or unusual activity.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]70

Determine if:
[a] audit record review, analysis, and reporting processes for investigation and response to

indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and

[b] defined audit record review, analysis, and reporting processes are correlated.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]70

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing audit record review,

analysis, and reporting; system security plan; system design documentation; system

configuration settings and associated documentation; procedures addressing investigation

of and response to suspicious activities; system audit logs and records across different

repositories; other relevant documents or records].

Interview
[SELECT FROM: Personnel with audit record review, analysis, and reporting responsibilities;

personnel with information security responsibilities].

Test
[SELECT FROM: Mechanisms supporting analysis and correlation of audit records;

mechanisms integrating audit review, analysis and reporting].

DISCUSSION [NIST SP 800-171 REV. 2]71

Correlating audit record review, analysis, and reporting processes helps to ensure that they

do not operate independently, but rather collectively. Regarding the assessment of a given

organizational system, the requirement is agnostic as to whether this correlation is applied

at the system level or at the organization level across all systems.

FURTHER DISCUSSION

Companies must review, analyze, and report audit records to help detect and respond to

security incidents in a timely manner for the purpose of investigation and corrective actions.

Collection of audit logs into one or more central repositories may facilitate correlated review.


70 

NIST SP 800-171A, p. 23.

71 

NIST SP 800-171 Rev. 2, p. 19.






AU.L2-3.3.5 – Audit Correlation

CMMC Assessment Guide – Level 2 | Version 2.13

82


Small companies may be able to accomplish this manually with well-defined and -managed

procedures. Larger companies will use an automated system for analysis that correlates log

data from across the entire enterprise. Some companies may want to orchestrate the analysis

process to include the use of Application Programming Interfaces (APIs) for collection,

correlation, and the automation of responses based on programed rulesets.

Example
You are a member of a cyber defense team responsible for audit log analysis. You run an

automated tool that analyzes all the audit logs across a Local Area Network (LAN) segment

simultaneously looking for similar anomalies on separate systems at separate locations.

Some of these systems store CUI. After extracting anomalous information and performing a

correlation analysis [b], you determine that four different systems have had their event log

information cleared between 2:00 AM to 3:00 AM, although the associated dates are

different. The team monitors all systems on the same LAN segment between 2:00 AM to 3:00

AM for the next 30 days.

Potential Assessment Considerations 

 Are mechanisms used across different repositories to integrate audit review, analysis,

correlation, and reporting processes [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.5







AU.L2-3.3.6 – Reduction & Reporting

CMMC Assessment Guide – Level 2 | Version 2.13

83


AU.L2-3.3.6 – REDUCTION & REPORTING

Provide audit record reduction and report generation to support on-demand analysis and

reporting.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]72

Determine if:
[a] an audit record reduction capability that supports on-demand analysis is provided; and
[b] a report generation capability that supports on-demand reporting is provided.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]72

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing audit record

reduction and report generation; system design documentation; system security plan;

system configuration settings and associated documentation; audit record reduction,

review, analysis, and reporting tools; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with audit record reduction and report generation

responsibilities; personnel with information security responsibilities].

Test
[SELECT FROM: Audit record reduction and report generation capability].

DISCUSSION [NIST SP 800-171 REV. 2]73

Audit record reduction is a process that manipulates collected audit information and

organizes such information in a summary format that is more meaningful to analysts. Audit

record reduction and report generation capabilities do not always emanate from the same

system or organizational entities conducting auditing activities. Audit record reduction

capability can include, for example, modern data mining techniques with advanced data

filters to identify anomalous behavior in audit records. The report generation capability

provided by the system can help generate customizable reports. Time ordering of audit

records can be a significant issue if the granularity of the time stamp in the record is

insufficient.


72 

NIST SP 800-171A, p. 23.

73 

NIST SP 800-171 Rev. 2, p. 19.






AU.L2-3.3.6 – Reduction & Reporting

CMMC Assessment Guide – Level 2 | Version 2.13

84


FURTHER DISCUSSION

Raw audit log data is difficult to review, analyze, and report because of the volume of data.

Audit record reduction is an automated process that interprets raw audit log data and

extracts meaningful and relevant information without altering the original logs. An example

of log reduction for files to be analyzed would be the removal of details associated with

nightly backups. Report generation on reduced log information allows you to create succinct

customized reports without the need to burden the reader with unimportant information. In

addition, the security-relevant audit information must be made available to personnel on

demand for immediate review, analysis, reporting, and event investigation support.

Performing audit log reduction and providing on-demand reports may allow the analyst to

take mitigating action before an adversary completes its malicious actions.

Example
You are in charge of IT operations in a company that processes CUI. You are responsible for

providing audit record reduction and report generation capability. To support this function,

you deploy an open-source solution that will collect and analyze data for signs of anomalies.

The solution queries your central log repository to extract relevant data and provide you

with a concise and comprehensive view for further analysis to identify potentially malicious

activity [a]. In addition to creating on-demand data sets for analysis, you create customized

reports explaining the contents of the data set [b].

Potential Assessment Considerations 

 Does the system support on-demand audit review, analysis, and reporting requirements

and after-the-fact security investigations [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.6








AU.L2-3.3.7 – Authoritative Time Source

CMMC Assessment Guide – Level 2 | Version 2.13

85


AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE

Provide a system capability that compares and synchronizes internal system clocks with an

authoritative source to generate time stamps for audit records.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]74

Determine if:
[a] internal system clocks are used to generate time stamps for audit records;
[b] an authoritative source with which to compare and synchronize internal system clocks

is specified; and

[c] internal system clocks used to generate time stamps for audit records are compared to

and synchronized with the specified authoritative time source.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]74

Examine
[SELECT FROM: Audit and accountability policy; procedures addressing time stamp

generation; system design documentation; system security plan; system configuration

settings and associated documentation; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with information security responsibilities; system or network

administrators; system developers].

Test
[SELECT FROM: Mechanisms implementing time stamp generation; mechanisms

implementing internal information system clock synchronization].

DISCUSSION [NIST SP 800-171 REV. 2]75

Internal system clocks are used to generate time stamps, which include date and time. Time

is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich

Mean Time (GMT), or local time with an offset from UTC. The granularity of time

measurements refers to the degree of synchronization between system clocks and reference

clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of

milliseconds. Organizations may define different time granularities for different system

components. Time service can also be critical to other security capabilities such as access

control and identification and authentication, depending on the nature of the mechanisms


74 

NIST SP 800-171A, pp. 23-24.

75 

NIST SP 800-171 Rev. 2, p. 19.






AU.L2-3.3.7 – Authoritative Time Source

CMMC Assessment Guide – Level 2 | Version 2.13

86


used to support those capabilities. This requirement provides uniformity of time stamps for

systems with multiple system clocks and systems connected over a network.

FURTHER DISCUSSION

Each system must synchronize its time with a central time server to ensure that all systems

are recording audit logs using the same time source. Reviewing audit logs from multiple

systems can be a difficult task if time is not synchronized. Systems can be synchronized to a

network device or directory service or configured manually.

Example
You are setting up several new computers on your company’s network, which contains CUI.

You update the time settings on each machine to use the same authoritative time server on

the internet [b,c]. When you review audit logs, all your machines will have synchronized

time, which aids in any potential security investigations.

Potential Assessment Considerations 

 Can the records’ time stamps map to Coordinated Universal Time (UTC), compare system

clocks with authoritative Network Time Protocol (NTP) servers, and synchronize system

clocks when the time difference is greater than 1 second [c]? 

 Does the system synchronize internal system clocks on a defined frequency [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.7







AU.L2-3.3.8 – Audit Protection

CMMC Assessment Guide – Level 2 | Version 2.13

87


AU.L2-3.3.8 – AUDIT PROTECTION

Protect audit information and audit logging tools from unauthorized access, modification,

and deletion.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]76

Determine if:
[a] audit information is protected from unauthorized access;
[b] audit information is protected from unauthorized modification;
[c] audit information is protected from unauthorized deletion;
[d] audit logging tools are protected from unauthorized access;
[e] audit logging tools are protected from unauthorized modification; and
[f] audit logging tools are protected from unauthorized deletion.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]76

Examine
[SELECT FROM: Audit and accountability policy; access control policy and procedures;

procedures addressing protection of audit information; system security plan; system design

documentation; system configuration settings and associated documentation, system audit

logs and records; audit logging tools; other relevant documents or records].

Interview
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with

information security responsibilities; system or network administrators; system

developers].

Test
[SELECT FROM: Mechanisms implementing audit information protection].

DISCUSSION [NIST SP 800-171 REV. 2]77

Audit information includes all information (e.g., audit records, audit log settings, and audit

reports) needed to successfully audit system activity. Audit logging tools are those programs

and devices used to conduct audit and logging activities. This requirement focuses on the

technical protection of audit information and limits the ability to access and execute audit

logging tools to authorized individuals. Physical protection of audit information is addressed

by media protection and physical and environmental protection requirements.


76 

NIST SP 800-171A, p. 24.

77 

NIST SP 800-171 Rev. 2, p. 20.






AU.L2-3.3.8 – Audit Protection

CMMC Assessment Guide – Level 2 | Version 2.13

88


FURTHER DISCUSSION

Audit information is a critical record of what events occurred, the source of the events, and

the outcomes of the events; this information needs to be protected. The logs must be

properly secured so that the information may not be modified or deleted, either intentionally

or unintentionally. Only those with a legitimate need-to-know should have access to audit

information, whether that information is being accessed directly from logs or from audit

tools.

Example
You are in charge of IT operations in a company that handles CUI. Your responsibilities

include protecting audit information and audit logging tools. You protect the information

from modification or deletion by having audit log events forwarded to a central server and

by restricting the local audit logs to only be viewable by the system administrators [a,b,c].

Only a small group of security professionals can view the data on the central audit server

[b,c,d]. For an additional layer of protection, you back up the server daily and encrypt the

backups before sending them to a cloud data repository [a,b,c].

Potential Assessment Considerations 

 Is there a list of authorized users for audit systems and tools [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.8







AU.L2-3.3.9 – Audit Management

CMMC Assessment Guide – Level 2 | Version 2.13

89


AU.L2-3.3.9 – AUDIT MANAGEMENT

Limit management of audit logging functionality to a subset of privileged users.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]78

Determine if:
[a] a subset of privileged users granted access to manage audit logging functionality is

defined; and

[b] management of audit logging functionality is limited to the defined subset of privileged

users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]78

Examine
[SELECT FROM: Audit and accountability policy; access control policy and procedures;

procedures addressing protection of audit information; system security plan; system design

documentation; system configuration settings and associated documentation; access

authorizations; system-generated list of privileged users with access to management of audit

logging functionality; access control list; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with audit and accountability responsibilities; personnel with

information security responsibilities; system or network administrators; system

developers].

Test
[SELECT FROM: Mechanisms managing access to audit logging functionality].

DISCUSSION [NIST SP 800-171 REV. 2]79

Individuals with privileged access to a system and who are also the subject of an audit by

that system, may affect the reliability of audit information by inhibiting audit logging

activities or modifying audit records. This requirement specifies that privileged access be

further defined between audit-related privileges and other privileges, thus limiting the users

with audit-related privileges.


78 

NIST SP 800-171A, pp. 24-25.

79 

NIST SP 800-171 Rev. 2, p. 20.






AU.L2-3.3.9 – Audit Management

CMMC Assessment Guide – Level 2 | Version 2.13

90


FURTHER DISCUSSION

Companies should restrict access to audit logging functions to a limited number of privileged

users who can modify audit logs and audit settings. General users should not be granted

permissions to perform audit management. All audit managers should be privileged users,

but only a small subset of privileged users will be given audit management responsibilities.

Functions performed by privileged users must be distinctly separate from the functions

performed by users who have audit-related responsibilities to reduce the potential of

fraudulent activities by privileged users not being detected or reported. When possible,

individuals who manage audit logs should not have access to other privileged functions.

Example
You are responsible for the administration of select company infrastructure that contains

CUI, but you are not responsible for managing audit information. You are not permitted to

review audit logs, delete audit logs, or modify audit log settings [b]. Full control of audit

logging functions has been given to senior system administrators [a,b]. This separation of

system administration duties from audit logging management is necessary to prevent

possible log file tampering.

Potential Assessment Considerations 

 Are audit records of nonlocal accesses to privileged accounts and the execution of

privileged functions protected [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.3.9






CM.L2-3.4.1 – System Baselining

CMMC Assessment Guide – Level 2 | Version 2.13

91


Configuration Management (CM)
CM.L2-3.4.1 – SYSTEM BASELINING

Establish and maintain baseline configurations and inventories of organizational systems

(including hardware, software, firmware, and documentation) throughout the respective

system development life cycles.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]80

Determine if:
[a] a baseline configuration is established;
[b] the baseline configuration includes hardware, software, firmware, and documentation;
[c] the baseline configuration is maintained (reviewed and updated) throughout the

system development life cycle;

[d] a system inventory is established;
[e] the system inventory includes hardware, software, firmware, and documentation; and
[f] the inventory is maintained (reviewed and updated) throughout the system

development life cycle.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]80

Examine
[SELECT FROM: Configuration management policy; procedures addressing the baseline

configuration of the system; procedures addressing system inventory; system security plan;

configuration management plan; system inventory records; inventory review and update

records; enterprise architecture documentation; system design documentation; system

architecture and configuration documentation; system configuration settings and associated

documentation; change control records; system component installation records; system

component removal records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with configuration management responsibilities; personnel with

responsibilities for establishing the system inventory; personnel with responsibilities for

updating the system inventory; personnel with information security responsibilities; system

or network administrators].


80 

NIST SP 800-171A, p. 26.






CM.L2-3.4.1 – System Baselining

CMMC Assessment Guide – Level 2 | Version 2.13

92


Test
[SELECT FROM: Organizational processes for managing baseline configurations;

mechanisms supporting configuration control of the baseline configuration; organizational

processes for developing and documenting an inventory of system components;

organizational processes for updating inventory of system components; mechanisms

supporting or implementing the system inventory; mechanisms implementing updating of

the system inventory].

DISCUSSION [NIST SP 800-171 REV. 2]81

This requirement establishes and maintains baseline configurations for systems and system

components including for system communications and connectivity. Baseline configurations

are documented, formally reviewed, and agreed-upon sets of specifications for systems or

configuration items within those systems. Baseline configurations serve as a basis for future

builds, releases, and changes to systems. Baseline configurations include information about

system components (e.g., standard software packages installed on workstations, notebook

computers, servers, network components, or mobile devices; current version numbers and

update and patch information on operating systems and applications; and configuration

settings and parameters), network topology, and the logical placement of those components

within the system architecture. Baseline configurations of systems also reflect the current

enterprise architecture. Maintaining effective baseline configurations requires creating new

baselines as organizational systems change over time. Baseline configuration maintenance

includes reviewing and updating the baseline configuration when changes are made based

on security risks and deviations from the established baseline configuration.
Organizations can implement centralized system component inventories that include

components from multiple organizational systems. In such situations, organizations ensure

that the resulting inventories include system-specific information required for proper

component accountability (e.g., system association, system owner). Information deemed

necessary for effective accountability of system components includes hardware inventory

specifications, software license information, software version numbers, component owners,

and for networked components or devices, machine names and network addresses.

Inventory specifications include manufacturer, device type, model, serial number, and

physical location.
NIST SP 800-128 provides guidance on security-focused configuration management.

FURTHER DISCUSSION

An effective cybersecurity program depends on consistent, secure system and component

configuration and management. Build and configure systems from a known, secure, and

approved configuration baseline. This includes: 

 documenting the software and configuration settings of a system;


81 

NIST SP 800-171 Rev. 2, p. 20.






CM.L2-3.4.1 – System Baselining

CMMC Assessment Guide – Level 2 | Version 2.13

93 


 placement within the network; and 


 other specifications as required by the organization.

Example
You are in charge of upgrading the computer operating systems of your office’s computers.

Some of these computers process, store, or transmit CUI. You research how to set up and

configure a workstation with the least functionality and highest security and use that as the

framework for creating a configuration that minimizes functionality while still allowing

users to do their tasks. After testing the new baseline on a single workstation, you document

this configuration and apply it to the other computers [a]. You then check to make sure that

the software changes are accurately reflected in your master system inventory [e]. Finally,

you set a calendar reminder to review the baseline in three months [f].

Potential Assessment Considerations 

 Do baseline configurations include software versions and patch level, configuration

parameters, network information, and communications with connected systems [a,b]? 

 Are baseline configurations updated as needed to accommodate security risks or

software changes [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.1







CM.L2-3.4.2 – Security Configuration Enforcement

CMMC Assessment Guide – Level 2 | Version 2.13

94


CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT

Establish and enforce security configuration settings for information technology products

employed in organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]82

Determine if:
[a] security configuration settings for information technology products employed in the

system are established and included in the baseline configuration; and

[b] security configuration settings for information technology products employed in the

system are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]82

Examine
[SELECT FROM: Configuration management policy; baseline configuration; procedures

addressing configuration settings for the system; configuration management plan; system

security plan; system design documentation; system configuration settings and associated

documentation; security configuration checklists; evidence supporting approved deviations

from established configuration settings; change control records; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with security configuration management responsibilities;

personnel with information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for managing configuration settings; mechanisms

that implement, monitor, and/or control system configuration settings; mechanisms that

identify and/or document deviations from established configuration settings; processes for

managing baseline configurations; mechanisms supporting configuration control of baseline

configurations].

DISCUSSION [NIST SP 800-171 REV. 2]83
Configuration settings are the set of parameters that can be changed in hardware, software,

or firmware components of the system that affect the security posture or functionality of the

system. Information technology products for which security-related configuration settings

can be defined include mainframe computers, servers, workstations, input and output

devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers,


82 

NIST SP 800-171A, pp. 26-27.

83 

NIST SP 800-171 Rev. 2, p. 21.






CM.L2-3.4.2 – Security Configuration Enforcement

CMMC Assessment Guide – Level 2 | Version 2.13

95


gateways, voice and data switches, wireless access points, network appliances, sensors),

operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems including

the parameters required to satisfy other security requirements. Security parameters include:

registry settings; account, file, directory permission settings; and settings for functions,

ports, protocols, and remote connections. Organizations establish organization-wide

configuration settings and subsequently derive specific configuration settings for systems.

The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists,

lockdown and hardening guides, security reference guides, security technical

implementation guides) provide recognized, standardized, and established benchmarks that

stipulate secure configuration settings for specific information technology

platforms/products and instructions for configuring those system components to meet

operational requirements. Common secure configurations can be developed by a variety of

organizations including information technology product developers, manufacturers,

vendors, consortia, academia, industry, federal agencies, and other organizations in the

public and private sectors.
NIST SP 800-70 and SP 800-128 provide guidance on security configuration settings.

FURTHER DISCUSSION
Information security is an integral part of a company’s configuration management process.

Security-related configuration settings are customized to satisfy the company’s security

requirements and are applied them to all systems once tested and approved. The

configuration settings must reflect the most restrictive settings that are appropriate for the

system. Any required deviations from the baseline are reviewed, documented, and approved.

Example
You manage baseline configurations for your company’s systems, including those that

process, store, and transmit CUI. As part of this, you download a secure configuration guide

for each of your asset types (servers, workstations, network components, operating systems,

middleware, and applications) from a well-known and trusted IT security organization. You

then apply all of the settings that you can while still ensuring the assets can perform the role

for which they are needed. Once you have the configuration settings identified and tested,

you document them to ensure all applicable machines can be configured the same way [a,b].

Potential Assessment Considerations 

 Do security settings reflect the most restrictive settings appropriate [a]? 


 Are changes or deviations to security settings documented [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.2







CM.L2-3.4.3 – System Change Management

CMMC Assessment Guide – Level 2 | Version 2.13

96


CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT

Track, review, approve or disapprove, and log changes to organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]84

Determine if:
[a] changes to the system are tracked;
[b] changes to the system are reviewed;
[c] changes to the system are approved or disapproved; and
[d] changes to the system are logged.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]84

Examine
[SELECT FROM: Configuration management policy; procedures addressing system

configuration change control; configuration management plan; system architecture and

configuration documentation; system security plan; change control records; system audit

logs and records; change control audit and review reports; agenda/minutes from

configuration change control oversight meetings; other relevant documents or records].

Interview
[SELECT FROM: Personnel with configuration change control responsibilities; personnel

with information security responsibilities; system or network administrators; members of

change control board or similar].

Test
[SELECT FROM: Organizational processes for configuration change control; mechanisms that

implement configuration change control].

DISCUSSION [NIST SP 800-171 REV. 2]85

Tracking, reviewing, approving/disapproving, and logging changes is called configuration

change control. Configuration change control for organizational systems involves the

systematic proposal, justification, implementation, testing, review, and disposition of

changes to the systems, including system upgrades and modifications. Configuration change

control includes changes to baseline configurations for components and configuration items

of systems, changes to configuration settings for information technology products (e.g.,

operating systems, applications, firewalls, routers, and mobile devices), unscheduled and

unauthorized changes, and changes to remediate vulnerabilities.


84 

NIST SP 800-171A, p. 27.

85 

NIST SP 800-171 Rev. 2, p. 21






CM.L2-3.4.3 – System Change Management

CMMC Assessment Guide – Level 2 | Version 2.13

97


Processes for managing configuration changes to systems include Configuration Control

Boards or Change Advisory Boards that review and approve proposed changes to systems.

For new development systems or systems undergoing major upgrades, organizations

consider including representatives from development organizations on the Configuration

Control Boards or Change Advisory Boards. Audit logs of changes include activities before

and after changes are made to organizational systems and the activities required to

implement such changes.
NIST SP 800-128 provides guidance on configuration change control.

FURTHER DISCUSSION

You must track, review, and approve configuration changes before committing to

production. Changes to computing environments can create unintended and unforeseen

issues that can affect the security and availability of the systems, including those that process

CUI. Relevant experts and stakeholders must review and approve proposed changes. They

should discuss potential impacts before the organization puts the changes in place. Relevant

items include changes to the physical environment and to the systems hosted within it.

Example
Once a month, the management and technical team leads join a change control board

meeting. During this meeting, everyone reviews all proposed changes to the environment

[b,c]. This includes changes to the physical and computing environments. The meeting

ensures that relevant subject-matter experts review changes and propose alternatives

where needed.

Potential Assessment Considerations 

 Are changes to the system authorized by company management and documented

[a,b,c,d]? 

 Are changes documented and tracked (e.g., manually written down or included in a

tracking service such as a ticketing system) [d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.3







CM.L2-3.4.4 – Security Impact Analysis

CMMC Assessment Guide – Level 2 | Version 2.13

98


CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS

Analyze the security impact of changes prior to implementation.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]86

Determine if:
[a] the security impact of changes to the system is analyzed prior to implementation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]86

Examine
[SELECT FROM: Configuration management policy; procedures addressing security impact

analysis for system changes; configuration management plan; security impact analysis

documentation; system security plan; analysis tools and associated outputs; change control

records; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibility for conducting security impact analysis;

personnel with information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for security impact analysis].

DISCUSSION [NIST SP 800-171 REV. 2]87

Organizational personnel with information security responsibilities (e.g., system

administrators, system security officers, system security managers, and systems security

engineers) conduct security impact analyses. Individuals conducting security impact

analyses possess the necessary skills and technical expertise to analyze the changes to

systems and the associated security ramifications. Security impact analysis may include

reviewing security plans to understand security requirements and reviewing system design

documentation to understand the implementation of controls and how specific changes

might affect the controls. Security impact analyses may also include risk assessments to

better understand the impact of the changes and to determine if additional controls are

required.
NIST SP 800-128 provides guidance on configuration change control and security impact

analysis.


86 

NIST SP 800-171A, p. 27.

87 

NIST SP 800-171 Rev. 2, pp. 21-22.






CM.L2-3.4.4 – Security Impact Analysis

CMMC Assessment Guide – Level 2 | Version 2.13

99


FURTHER DISCUSSION

Changes to complex environments are reviewed for potential security impact before

implemented. Changes to IT systems can cause unforeseen problems and have unintended

consequences for both users and the security of the operating environment. Analyze the

security impact of changes prior to implementing them. This can uncover and mitigate

potential problems before they occur.

Example
You have been asked to deploy a new web browser plug-in. Your standard change

management process requires that you produce a detailed plan for the change, including a

review of its potential security impact. A subject-matter expert who did not submit the

change reviews the plan and tests the new plug-in for functionality and security. You update

the change plan based on the expert’s findings and submit it to the change control board for

final approval [a].

Potential Assessment Considerations 

 Are configuration changes tested, validated, and documented before installing them on

the operational system [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.4







CM.L2-3.4.5 – Access Restrictions for Change

CMMC Assessment Guide – Level 2 | Version 2.13

100


CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE

Define, document, approve, and enforce physical and logical access restrictions associated

with changes to organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]88

Determine if:
[a] physical access restrictions associated with changes to the system are defined;
[b] physical access restrictions associated with changes to the system are documented;
[c] physical access restrictions associated with changes to the system are approved;
[d] physical access restrictions associated with changes to the system are enforced;
[e] logical access restrictions associated with changes to the system are defined;
[f] logical access restrictions associated with changes to the system are documented;
[g] logical access restrictions associated with changes to the system are approved; and
[h] logical access restrictions associated with changes to the system are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]88

Examine
[SELECT FROM: Configuration management policy; procedures addressing access

restrictions for changes to the system; system security plan; configuration management

plan; system design documentation; system architecture and configuration documentation;

system configuration settings and associated documentation; logical access approvals;

physical access approvals; access credentials; change control records; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with logical access control responsibilities; personnel with

physical access control responsibilities; personnel with information security

responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for managing access restrictions associated with

changes to the system; mechanisms supporting, implementing, and enforcing access

restrictions associated with changes to the system].


88 

NIST SP 800-171A, p. 28.






CM.L2-3.4.5 – Access Restrictions for Change

CMMC Assessment Guide – Level 2 | Version 2.13

101


DISCUSSION [NIST SP 800-171 REV. 2]89

Any changes to the hardware, software, or firmware components of systems can potentially

have significant effects on the overall security of the systems. Therefore, organizations

permit only qualified and authorized individuals to access systems for purposes of initiating

changes, including upgrades and modifications. Access restrictions for change also include

software libraries. Access restrictions include physical and logical access control

requirements, workflow automation, media libraries, abstract layers (e.g., changes

implemented into external interfaces rather than directly into systems), and change

windows (e.g., changes occur only during certain specified times). In addition to security

concerns, commonly-accepted due diligence for configuration management includes access

restrictions as an essential part in ensuring the ability to effectively manage the

configuration.
NIST SP 800-128 provides guidance on configuration change control.

FURTHER DISCUSSION

Define, identify, and document qualified individuals authorized to make physical and logical

changes to the organization’s hardware, software, software libraries, or firmware

components. Control of configuration management activities may involve: 

 physical access control that prohibits unauthorized users from gaining physical access to

an asset (e.g., requiring a special key card to enter a server room); 

 logical access control that prevents unauthorized users from logging onto a system to

make configuration changes (e.g., requiring specific credentials for modifying

configuration settings, patching software, or updating software libraries); 

 workflow automation in which configuration management workflow rules define human

tasks and data or files are routed between people authorized to do configuration

management based on pre-defined business rules (e.g., passing an electronic form to a

manager requesting approval of configuration change made by an authorized employee); 

 an abstraction layer for configuration management that requires changes be made from

an external system through constrained interface (e.g., software updates can only be

made from a patch management system with a specific IP address); and 

 utilization of a configuration management change window (e.g., software updates are

only allowed between 8:00 AM and 10:00 AM or between 6:00 PM and 8:00 PM).

Example
Your datacenter requires expanded storage capacity in a server. The change has been

approved, and security is planning to allow an external technician to access the building at a

specific date and time under the supervision of a manager [a,b,c,d]. A system administrator

creates a temporary privileged account that can be used to log into the server’s operating

system and update storage settings [e,f,g]. On the appointed day, the technician is escorted


89 

NIST SP 800-171 Rev. 2, p. 22.






CM.L2-3.4.5 – Access Restrictions for Change

CMMC Assessment Guide – Level 2 | Version 2.13

102


into the datacenter, upgrades the hardware, expands the storage in the operating system

(OS), and departs. The manager verifies the upgrade and disables the privileged account [h].

Potential Assessment Considerations 

 Are only employees who are approved to make physical or logical changes on systems

allowed to do so [a,d,e,h]? 

 Are authorized personnel approved and documented by the service owner and IT

security [a,e]? 

 Does all change documentation include the name of the authorized employee making the

change [b,d,f,h]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.5







CM.L2-3.4.6 – Least Functionality

CMMC Assessment Guide – Level 2 | Version 2.13

103


CM.L2-3.4.6 – LEAST FUNCTIONALITY

Employ the principle of least functionality by configuring organizational systems to provide

only essential capabilities.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]90

Determine if:
[a] essential system capabilities are defined based on the principle of least functionality;

and

[b] the system is configured to provide only the defined essential capabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]90

Examine
[SELECT FROM: Configuration management policy; configuration management plan;

procedures addressing least functionality in the system; system security plan; system design

documentation; system configuration settings and associated documentation; security

configuration checklists; other relevant documents or records].

Interview
[SELECT FROM: Personnel with security configuration management responsibilities;

personnel with information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes prohibiting or restricting functions, ports,

protocols, or services; mechanisms implementing restrictions or prohibition of functions,

ports, protocols, or services].

DISCUSSION [NIST SP 800-171 REV. 2]91

Systems can provide a wide variety of functions and services. Some of the functions and

services routinely provided by default, may not be necessary to support essential

organizational missions, functions, or operations. It is sometimes convenient to provide

multiple services from single system components. However, doing so increases risk over

limiting the services provided by any one component. Where feasible, organizations limit

component functionality to a single function per component.
Organizations review functions and services provided by systems or components of systems,

to determine which functions and services are candidates for elimination. Organizations

disable unused or unnecessary physical and logical ports and protocols to prevent

unauthorized connection of devices, transfer of information, and tunneling. Organizations


90 

NIST SP 800-171A, pp. 28-29.

91 

NIST SP 800-171 Rev. 2, p. 22.






CM.L2-3.4.6 – Least Functionality

CMMC Assessment Guide – Level 2 | Version 2.13

104


can utilize network scanning tools, intrusion detection and prevention systems, and end-

point protections such as firewalls and host-based intrusion detection systems to identify

and prevent the use of prohibited functions, ports, protocols, and services.

FURTHER DISCUSSION

You should customize organizational systems to remove non-essential applications and

disable unnecessary services. Systems come with many unnecessary applications and

settings enabled by default including unused ports and protocols. Leave only the fewest

capabilities necessary for the systems to operate effectively.

Example
You have ordered a new server, which has arrived with a number of free utilities installed in

addition to the operating system. Before you deploy the server, you research the utilities to

determine which ones can be eliminated without impacting functionality. You remove the

unneeded software, then move on to disable unused ports and services. The server that

enters production therefore has only the essential capabilities enabled for the system to

function in its role [a,b].

Potential Assessment Considerations 

 Are the roles and functions for each system identified along with the software and

services required to perform those functions [a]? 

 Are the software and services required for those defined functions identified [a]? 


 Is the information system configured to exclude any function not needed in the

operational environment [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.6







CM.L2-3.4.7 – Nonessential Functionality

CMMC Assessment Guide – Level 2 | Version 2.13

105


CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols,

and services.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]92

Determine if:
[a] essential programs are defined;
[b] the use of nonessential programs is defined;
[c] the use of nonessential programs is restricted, disabled, or prevented as defined;
[d] essential functions are defined;
[e] the use of nonessential functions is defined;
[f] the use of nonessential functions is restricted, disabled, or prevented as defined;
[g] essential ports are defined;
[h] the use of nonessential ports is defined;
[i] the use of nonessential ports is restricted, disabled, or prevented as defined;
[j] essential protocols are defined;
[k] the use of nonessential protocols is defined;
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
[m] essential services are defined;
[n] the use of nonessential services is defined; and
[o] the use of nonessential services is restricted, disabled, or prevented as defined.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]92

Examine
[SELECT FROM: Configuration management policy; procedures addressing least

functionality in the system; configuration management plan; system security plan; system

design documentation; security configuration checklists; system configuration settings and

associated documentation; specifications for preventing software program execution;

documented reviews of programs, functions, ports, protocols, and/or services; change

control records; system audit logs and records; other relevant documents or records].


92 

NIST SP 800-171A, p. 29.






CM.L2-3.4.7 – Nonessential Functionality

CMMC Assessment Guide – Level 2 | Version 2.13

106


Interview
[SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports,

protocols, and services on the system; personnel with information security responsibilities;

system or network administrators; system developers].

Test
[SELECT FROM: Organizational processes for reviewing and disabling nonessential

programs, functions, ports, protocols, or services; mechanisms implementing review and

handling of nonessential programs, functions, ports, protocols, or services; organizational

processes preventing program execution on the system; organizational processes for

software program usage and restrictions; mechanisms supporting or implementing software

program usage and restrictions; mechanisms preventing program execution on the system].

DISCUSSION [NIST SP 800-171 REV. 2]93

Restricting the use of nonessential software (programs) includes restricting the roles

allowed to approve program execution; prohibiting auto-execute; program blacklisting and

whitelisting; or restricting the number of program instances executed at the same time. The

organization makes a security-based determination which functions, ports, protocols,

and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer

networking are examples of protocols organizations consider preventing the use of,

restricting, or disabling.

FURTHER DISCUSSION

Organizations should only use the minimum set of programs, services, ports, and protocols

required for to accomplish the organization’s mission. This has several implications: 

 All unnecessary programs and accounts are removed from all endpoints and servers. 


 The organization makes a policy decision to control the execution of programs through

either whitelisting or blacklisting. Whitelisting means a program can only run if the

software has been vetted in some way, and the executable name has been entered onto a

list of allowed software. Blacklisting means any software can execute as long it is not on

a list of known malicious software. Whitelisting provides far more security than

blacklisting, but the organization’s policy can direct the implementation of either

approach. Control of execution applies to both servers and endpoints. 

 The organization restricts the use of all unnecessary ports, protocols, and system services

in order to limit entry points that attackers can use. For example, the use of the FTP

service is eliminated from all computers, and the associated ports are blocked unless a

required service utilizes those ports. The elimination of nonessential functionality on the

network and systems provides a smaller attack surface for an attacker to gain access and

take control of your network or systems.

This requirement, CM.L2-3.4.7, which requires limiting functionality to essential programs,

ports, protocols, and services, extends CM.L2-3.4.6, which requires adherence to the


93 

NIST SP 800-171 Rev. 2, pp. 22-23.






CM.L2-3.4.7 – Nonessential Functionality

CMMC Assessment Guide – Level 2 | Version 2.13

107


principle of least functionality but does not specifically address which elements of a system

should be limited.

Example
You are responsible for purchasing new endpoint hardware, installing organizationally

required software to the hardware, and configuring the endpoint in accordance with the

organization’s policy. The organization has a system imaging capability that loads all

necessary software, but it does not remove unnecessary services, eliminate the use of certain

protocols, or close unused ports. After imaging the systems, you close all ports and block the

use of all protocols except the following: 

 TCP for SSH on port 22; 


 SMTP on port 25; 


 TCP and UDP on port 53; and 


 HTTP and HTTPS on port 443.

The use of any other ports or protocols are allowed by exception only [i,l,o].

Potential Assessment Considerations 

 Are only applications and services that are needed for the function of the system

configured and enabled [a,b,c,d,e,f]? 

 Are only those ports and protocols necessary to provide the service of the information

system configured for that system [g,h,i,j,k,l]? 

 Are systems services reviewed to determine what is essential for the function of that

system [m]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.7







CM.L2-3.4.8 – Application Execution Policy

CMMC Assessment Guide – Level 2 | Version 2.13

108


CM.L2-3.4.8 – APPLICATION EXECUTION POLICY

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software

or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized

software.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]94

Determine if:
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is

specified;

[b] the software allowed to execute under whitelisting or denied use under blacklisting is

specified; and

[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the

use of unauthorized software is implemented as specified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]94

Examine
[SELECT FROM: Configuration management policy; procedures addressing least

functionality in the system; system security plan; configuration management plan; system

design documentation; system configuration settings and associated documentation; list of

software programs not authorized to execute on the system; list of software programs

authorized to execute on the system; security configuration checklists; review and update

records associated with list of authorized or unauthorized software programs; change

control records; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for identifying software authorized or not

authorized to execute on the system; personnel with information security responsibilities;

system or network administrators].

Test
[SELECT FROM: Organizational process for identifying, reviewing, and updating programs

authorized or not authorized to execute on the system; process for implementing blacklisting

or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].

DISCUSSION [NIST SP 800-171 REV. 2]95

The process used to identify software programs that are not authorized to execute on

systems is commonly referred to as blacklisting. The process used to identify software


94 

NIST SP 800-171A, p. 30.

95 

NIST SP 800-171 Rev. 2, p. 23.






CM.L2-3.4.8 – Application Execution Policy

CMMC Assessment Guide – Level 2 | Version 2.13

109


programs that are authorized to execute on systems is commonly referred to as whitelisting.

Whitelisting is the stronger of the two policies for restricting software program execution.

In addition to whitelisting, organizations consider verifying the integrity of whitelisted

software programs using, for example, cryptographic checksums, digital signatures, or hash

functions. Verification of whitelisted software can occur either prior to execution or at

system startup.
NIST SP 800-167 provides guidance on application whitelisting.

FURTHER DISCUSSION

Organizations should determine their blacklisting or whitelisting policy and configure the

system to manage software that is allowed to run. Blacklisting or deny-by-exception allows

all software to run except if on an unauthorized software list such as what is maintained in

antivirus solutions. Whitelisting or permit-by-exception does not allow any software to run

except if on an authorized software list. The stronger policy of the two is whitelisting.
This requirement, CM.L2-3.4.8, requires the implementation of allow-lists and deny-lists for

application software. It leverages CM.L2-3.4.1, which requires the organization to establish

and maintain software inventories.
This requirement, CM.L2-3.4.8, also extends CM.L2-3.4.9, which only requires control and

monitoring of any user installed software.

Example
To improve your company’s protection from malware, you have decided to allow only

designated programs to run. With additional research you identify a capability within the

latest operating system that can control executables, scripts, libraries, or application

installers run in your environment [c]. To ensure success you begin by authorizing digitally

signed executables. Once they are deployed, you then plan to evaluate and deploy

whitelisting for software libraries and scripts [c].

Potential Assessment Considerations 

 Is the information system configured to only allow authorized software to run [a,b,c]? 


 Is the system configured to disallow running unauthorized software [a,b,c]? 


 Is there a defined list of software programs authorized to execute on the system [b]? 


 Is the authorization policy a deny-all, permit by exception for software allowed to execute

on the system [a,b,c]? 

 Are automated mechanisms used to prevent program execution in accordance with

defined lists (e.g., whitelisting) [a,b,c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.8







CM.L2-3.4.9 – User-Installed Software

CMMC Assessment Guide – Level 2 | Version 2.13

110


CM.L2-3.4.9 – USER-INSTALLED SOFTWARE

Control and monitor user-installed software.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]96

Determine if:
[a] a policy for controlling the installation of software by users is established;
[b] installation of software by users is controlled based on the established policy; and
[c] installation of software by users is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]96

Examine
[SELECT FROM: Configuration management policy; procedures addressing user installed

software; configuration management plan; system security plan; system design

documentation; system configuration settings and associated documentation; list of rules

governing user-installed software; system monitoring records; system audit logs and

records; continuous monitoring strategy; other relevant documents or records].

Interview
[SELECT FROM: Personnel with responsibilities for governing user-installed software;

personnel operating, using, or maintaining the system; personnel monitoring compliance

with user-installed software policy; personnel with information security responsibilities;

system or network administrators].

Test
[SELECT FROM: Organizational processes governing user-installed software on the system;

mechanisms enforcing rules or methods for governing the installation of software by users;

mechanisms monitoring policy compliance].

DISCUSSION [NIST SP 800-171 REV. 2]97

Users can install software in organizational systems if provided the necessary privileges. To

maintain control over the software installed, organizations identify permitted and

prohibited actions regarding software installation through policies. Permitted software

installations include updates and security patches to existing software and applications from

organization-approved “app stores.” Prohibited software installations may include software

with unknown or suspect pedigrees or software that organizations consider potentially

malicious. The policies organizations select governing user-installed software may be


96 

NIST SP 800-171A, p. 30.

97 

NIST SP 800-171 Rev. 2, p. 23.






CM.L2-3.4.9 – User-Installed Software

CMMC Assessment Guide – Level 2 | Version 2.13

111


organization-developed or provided by some external entity. Policy enforcement methods

include procedural methods, automated methods, or both.

FURTHER DISCUSSION

Software that users have the ability to install is limited to items that the organization

approves. When not controlled, users could install software that can create unnecessary risk.

This risk applies both to the individual machine and to the larger operating environment.

Policies and technical controls reduce risk to the organization by preventing users from

installing unauthorized software.

Example
You are a system administrator. A user calls you for help installing a software package. They

are receiving a message asking for a password because they do not have permission to install

the software. You explain that the policy prohibits users from installing software without

approval [a]. When you set up workstations for users, you do not provide administrative

privileges. After the call, you redistribute the policy to all users ensuring everyone in the

company is aware of the restrictions.

Potential Assessment Considerations 

 Are user controls in place to prohibit the installation of unauthorized software [a]? 


 Is all software in use on the information systems approved [b]? 


 Is there a mechanism in place to monitor the types of software a user is permitted to

download (e.g., is there a whitelist of approved software) [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.4.9






IA.L2-3.5.1 – Identification [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

112


Identification and Authentication (IA)
IA.L2-3.5.1 – IDENTIFICATION [CUI DATA]

Identify system users, processes acting on behalf of users, and devices.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]98

Determine if:
[a] system users are identified;
[b] processes acting on behalf of users are identified; and
[c] devices accessing the system are identified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]98

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing user

identification and authentication; system security plan, system design documentation;

system configuration settings and associated documentation; system audit logs and records;

list of system accounts; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system operations responsibilities; personnel with

information security responsibilities; system or network administrators; personnel with

account management responsibilities; system developers].

Test
[SELECT FROM: Organizational processes for uniquely identifying and authenticating users;

mechanisms supporting or implementing identification and authentication capability].

DISCUSSION [NIST SP 800-171 REV. 2]99

Common device identifiers include media access control (MAC), Internet Protocol (IP)

addresses, or device-unique token identifiers. Management of individual identifiers is not

applicable to shared system accounts. Typically, individual identifiers are the user names

associated with the system accounts assigned to those individuals. Organizations may

require unique identification of individuals in group accounts or for detailed accountability

of individual activity. In addition, this requirement addresses individual identifiers that are

not necessarily associated with system accounts. Organizational devices requiring


98 

NIST SP 800-171A, p. 31.

99 

NIST SP 800-171 Rev. 2, p. 23.






IA.L2-3.5.1 – Identification [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

113


identification may be defined by type, by device, or by a combination of type/device. NIST SP

800-63-3 provides guidance on digital identities.

FURTHER DISCUSSION

Make sure to assign individual, unique identifiers (e.g., user names) to all users and

processes that access company systems. Authorized devices also should have unique

identifiers. Unique identifiers can be as simple as a short set of alphanumeric characters (e.g.,

SW001 could refer to a network switch, SW002 could refer to a different network switch).
This requirement, IA.L2-3.5.1, provides a vetted and trusted identity that supports the access

control mechanism required by AC.L2-3.1.1.

Example
You want to make sure that all employees working on a project can access important

information about it. Because this is work for the DoD and may contain CUI, you also need to

prevent employees who are not working on that project from being able to access the

information. You assign each employee is assigned a unique user ID, which they use to log

into the system [a].

Potential Assessment Considerations 

 Are unique identifiers issued to individual users (e.g., usernames) [a]? 


 Are the processes and service accounts that an authorized user initiates identified (e.g.,

scripts, automatic updates, configuration updates, vulnerability scans) [b]? 

 Are unique device identifiers used for devices that access the system identified [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.1 


 FAR Clause 52.204-21 b.1.v








IA.L2-3.5.2 – Authentication [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

114


IA.L2-3.5.2 – AUTHENTICATION [CUI DATA]

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to

allowing access to organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]100
Determine if:
[a] the identity of each user is authenticated or verified as a prerequisite to system access;
[b] the identity of each process acting on behalf of a user is authenticated or verified as a

prerequisite to system access; and

[c] the identity of each device accessing or connecting to the system is authenticated or

verified as a prerequisite to system access.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]100
Examine
[SELECT FROM: Identification and authentication policy; system security plan; procedures

addressing authenticator management; procedures addressing user identification and

authentication; system design documentation; list of system authenticator types; system

configuration settings and associated documentation; change control records associated

with managing system authenticators; system audit logs and records; other relevant

documents or records].
Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators].
Test
[SELECT FROM: Mechanisms supporting or implementing authenticator management

capability].

DISCUSSION [NIST SP 800-171 REV. 2]101
Individual authenticators include the following: passwords, key cards, cryptographic

devices, and one-time password devices. Initial authenticator content is the actual content

of the authenticator, for example, the initial password. In contrast, the requirements about

authenticator content include the minimum password length. Developers ship system

components with factory default authentication credentials to allow for initial installation

and configuration. Default authentication credentials are often well known, easily

discoverable, and present a significant security risk.
Systems support authenticator management by organization-defined settings and

restrictions for various authenticator characteristics including minimum password length,


100 

NIST SP 800-171A, p. 31.

101 

NIST SP 800-171 Rev. 2, p. 24.






IA.L2-3.5.2 – Authentication [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

115


validation time window for time synchronous one-time tokens, and number of allowed

rejections during the verification stage of biometric authentication. Authenticator

management includes issuing and revoking, when no longer needed, authenticators for

temporary access such as that required for remote maintenance. Device authenticators

include certificates and passwords.
NIST SP 800-63-3 provides guidance on digital identities.

FURTHER DISCUSSION
Before a person or device is given system access, verify that the user or device is who or what

it claims to be. This verification is called authentication. The most common way to verify

identity is using a username and a hard-to-guess password.
Some devices ship with default usernames and passwords. Some devices ship with a default

username (e.g., admin) and password. A default username and password must be

immediately changed to something unique. Default passwords may be well known to the

public, easily found in a search, or easy to guess, allowing an unauthorized person to access

the system.

Example 1
You are in charge of purchasing. You know that some laptops come with a default username

and password. You notify IT that all default passwords should be reset prior to laptop use

[a]. You ask IT to explain the importance of resetting default passwords and convey how

easily they are discovered using internet searches during next week’s cybersecurity

awareness training.

Example 2
Your company decides to use cloud services for email and other capabilities. Upon reviewing

this requirement, you realize every user or device that connects to the cloud service must be

authenticated. As a result, you work with your cloud service provider to ensure that only

properly authenticated users and devices are allowed to connect to the system [a,c].

Potential Assessment Considerations 

 Are unique authenticators used to verify user identities (e.g., passwords) [a]? 


 An example of a process acting on behalf of users could be a script that logs in as a person

or service account [b]. Can the OSA show that it maintains a record of all of those service

accounts for use when reviewing log data or responding to an incident? 

 Are user credentials authenticated in system processes (e.g., credentials binding,

certificates, tokens) [b]? 

 Are device identifiers used in authentication processes (e.g., MAC address, non-

anonymous computer name, certificates) [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.2






IA.L2-3.5.2 – Authentication [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

116 


 FAR Clause 52.204-21 b.1.vi








IA.L2-3.5.3 – Multifactor Authentication

CMMC Assessment Guide – Level 2 | Version 2.13

117


IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION

Use multifactor authentication for local and network access to privileged accounts and for

network access to non-privileged accounts.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]102

Determine if:
[a] privileged accounts are identified;
[b] multifactor authentication is implemented for local access to privileged accounts;
[c] multifactor authentication is implemented for network access to privileged accounts;

and

[d] multifactor authentication is implemented for network access to non-privileged

accounts.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]102

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing user

identification and authentication; system security plan; system design documentation;

system configuration settings and associated documentation; system audit logs and records;

list of system accounts; other relevant documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms supporting or implementing authenticator management

capability].

DISCUSSION [NIST SP 800-171 REV. 2]103

Multifactor authentication requires the use of two or more different factors to authenticate.

The factors are defined as something you know (e.g., password, personal identification

number [PIN]); something you have (e.g., cryptographic identification device, token); or

something you are (e.g., biometric). Multifactor authentication solutions that feature

physical authenticators include hardware authenticators providing time-based or challenge-

response authenticators and smart cards. In addition to authenticating users at the system

level (i.e., at logon), organizations may also employ authentication mechanisms at the


102 

NIST SP 800-171A, p. 32.

103 

NIST SP 800-171 Rev. 2, pp. 24-25.






IA.L2-3.5.3 – Multifactor Authentication

CMMC Assessment Guide – Level 2 | Version 2.13

118


application level, when necessary, to provide increased information security. Access to

organizational systems is defined as local access or network access. Local access is any access

to organizational systems by users (or processes acting on behalf of users) where such access

is obtained by direct connections without the use of networks. Network access is access to

systems by users (or processes acting on behalf of users) where such access is obtained

through network connections (i.e., nonlocal accesses). Remote access is a type of network

access that involves communication through external networks. The use of encrypted virtual

private networks for connections between organization-controlled and non-organization

controlled endpoints may be treated as internal networks with regard to protecting the

confidentiality of information.
NIST SP 800-63-3 provides guidance on digital identities.

FURTHER DISCUSSION

Implement a combination of two or more factors of authentication to verify privileged

account holders’ identity regardless of how the user is accessing the account. Implement a

combination of two or more factors for non-privileged users accessing the system over a

network.
The implementation of multi-factor authentication will depend on the environment and

business needs. Although two-factor authentication directly on the computer is most

common, there are situations (e.g., multi-factor identification for a mission system that

cannot be altered) where additional technical or physical solutions can provide security. If a

mobile device is used to access a system or application containing CUI, multi-factor

authentication is required.
This requirement, IA.L2-3.5.3, requires multifactor authentication for network access to

non-privileged accounts and complements five other requirements dealing with remote

access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and MA.L2-3.7.5: 

 AC.L2-3.1.12 requires the control of remote access sessions. 


 AC.L2-3.1.14 limits remote access to specific access control points. 


 AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote

sessions. 

 AC.L2-3.1.15 requires authorization for privileged commands executed during a remote. 


 Finally,  MA.L2-3.7.5  requires the addition of multifactor authentication for remote

maintenance sessions.

This requirement, IA.L2-3.5.3, also enhances IA.L2-3.5.2, which is a requirement for a less

rigorous form of user authentication.

Example
You decide to implement multifactor authentication (MFA) to improve security of your

network. Your first step is enabling MFA on VPN access to your internal network [c,d]. When

users initiate remote access, they will be prompted for the additional authentication factor.






IA.L2-3.5.3 – Multifactor Authentication

CMMC Assessment Guide – Level 2 | Version 2.13

119


Because you also use a cloud-based email solution, you require MFA for access to that

resource as well [c,d]. Finally, you enable MFA for both local and network logins for the

system administrator accounts used to patch and manage servers [a,b,c].

Potential Assessment Considerations 

 Does the system uniquely identify and authenticate users, including privileged accounts

[b,c,d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.3








IA.L2-3.5.4 – Replay-Resistant Authentication

CMMC Assessment Guide – Level 2 | Version 2.13

120


IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION

Employ replay-resistant authentication mechanisms for network access to privileged and

non-privileged accounts.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]104

Determine if:
[a] replay-resistant authentication mechanisms are implemented for network account

access to privileged and non-privileged accounts.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]104

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing user

identification and authentication; system security plan; system design documentation;

system configuration settings and associated documentation; system audit logs and records;

list of privileged system accounts; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system operations responsibilities; personnel with account

management responsibilities; personnel with information security responsibilities; system

or network administrators; system developers].

Test
[SELECT FROM: Mechanisms supporting or implementing identification and authentication

capability or replay resistant authentication mechanisms].

DISCUSSION [NIST SP 800-171 REV. 2]105

Authentication processes resist replay attacks if it is impractical to successfully authenticate

by recording or replaying previous authentication messages. Replay-resistant techniques

include protocols that use nonces or challenges such as time synchronous or challenge-

response one-time authenticators.
NIST SP 800-63-3 provides guidance on digital identities.

FURTHER DISCUSSION

When insecure protocols are used for access to computing resources, an adversary may be

able to capture login information and immediately reuse (replay) it for other purposes. It is

important to use mechanisms that resist this technique.


104 

NIST SP 800-171A, p. 32.

105 

NIST SP 800-171 Rev. 2, p. 25.






IA.L2-3.5.4 – Replay-Resistant Authentication

CMMC Assessment Guide – Level 2 | Version 2.13

121


Example
To protect your IT infrastructure, you understand that the methods for authentication must

not be easily copied and re-sent to your systems by an adversary. You select Kerberos for

authentication because of its built-in resistance to replay attacks. As a next step you upgrade

all of your web applications to require Transport Layer Security (TLS), which also is replay-

resistant. Your use of MFA to protect remote access also confers some replay resistance.

Potential Assessment Considerations 

 Are only anti-replay authentication mechanisms used [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.4







IA.L2-3.5.5 – Identifier Reuse

CMMC Assessment Guide – Level 2 | Version 2.13

122


IA.L2-3.5.5 – IDENTIFIER REUSE

Prevent reuse of identifiers for a defined period.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]106

Determine if:
[a] a period within which identifiers cannot be reused is defined; and
[b] reuse of identifiers is prevented within the defined period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]106

Examine
[SELECT FROM: Identification and authentication policy; system security plan; procedures

addressing authenticator management; procedures addressing user identification and

authentication; system design documentation; list of system authenticator types; system

configuration settings and associated documentation; change control records associated

with managing system authenticators; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms supporting or implementing authenticator management

capability].

DISCUSSION [NIST SP 800-171 REV. 2]107

Identifiers are provided for users, processes acting on behalf of users, or devices (IA.L2-

3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used

individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

FURTHER DISCUSSION

Identifiers uniquely associate a user ID to an individual, group, role, or device. Establish

guidelines and implement mechanisms to prevent identifiers from being reused for the

period of time established in the policy.


106 

NIST SP 800-171A, pp. 32-33.

107 

NIST SP 800-171 Rev. 2, p. 25.






IA.L2-3.5.5 – Identifier Reuse

CMMC Assessment Guide – Level 2 | Version 2.13

123


Example
As a system administrator, you maintain a central directory/domain that holds the accounts

for users, computers, and network devices. As part of your job, you issue unique usernames

(e.g., riley@acme.com) for the staff to access resources. When you issue staff computers you

also rename the computer to reflect to whom it is assigned (e.g., riley-laptop01). Riley has

recently left the organization, so you must manage the former staff member’s account.

Incidentally, their replacement is also named Riley. In the directory, you do not assign the

previous account to the new user, as policy has defined an identifier reuse period of 24

months [a]. In accordance with policy, you create an account called riley02 [b]. This account

is assigned the appropriate permissions for the new user. A new laptop is also provided with

the identifier of riley02-laptop01.

Potential Assessment Considerations 

 Are accounts uniquely assigned to employees, contractors, and subcontractors [b]? 


 Are account identifiers reused [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.5







IA.L2-3.5.6 – Identifier Handling

CMMC Assessment Guide – Level 2 | Version 2.13

124


IA.L2-3.5.6 – IDENTIFIER HANDLING

Disable identifiers after a defined period of inactivity.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]108

Determine if:
[a] a period of inactivity after which an identifier is disabled is defined; and
[b] identifiers are disabled after the defined period of inactivity.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]108

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing identifier

management; procedures addressing account management; system security plan; system

design documentation; system configuration settings and associated documentation; list of

system accounts; list of identifiers generated from physical access control devices; other

relevant documents or records].

Interview
[SELECT FROM: Personnel with identifier management responsibilities; personnel with

information security responsibilities; system or network administrators; system

developers].

Test
[SELECT FROM: Mechanisms supporting or implementing identifier management].

DISCUSSION [NIST SP 800-171 REV. 2]109

Inactive identifiers pose a risk to organizational information because attackers may exploit

an inactive identifier to gain undetected access to organizational devices. The owners of the

inactive accounts may not notice if unauthorized access to the account has been obtained.

FURTHER DISCUSSION

Identifiers are uniquely associated with an individual, account, process, or device. An

inactive identifier is one that has not been used for a defined extended period of time. For

example, a user account may be needed for a certain time to allow for transition of business

processes to existing or new staff. Once use of the identifier is no longer necessary, it should

be disabled as soon as possible. Failure to maintain awareness of accounts that are no longer

needed yet still active could allow an adversary to exploit IT services.


108 

NIST SP 800-171A, p. 33.

109 

NIST SP 800-171 Rev. 2, p. 25.






IA.L2-3.5.6 – Identifier Handling

CMMC Assessment Guide – Level 2 | Version 2.13

125


Example
One of your responsibilities is to enforce your company’s inactive account policy: any

account that has not been used in the last 45 days must be disabled [a]. You enforce this by

writing a script that runs once a day to check the last login date for each account and

generates a report of the accounts with no login records for the last 45 days. After reviewing

the report, you notify each inactive employee’s supervisor and disable the account [b].

Potential Assessment Considerations 

 Are user accounts or identifiers monitored for inactivity [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.6








IA.L2-3.5.7 – Password Complexity

CMMC Assessment Guide – Level 2 | Version 2.13

126


IA.L2-3.5.7 – PASSWORD COMPLEXITY

Enforce a minimum password complexity and change of characters when new passwords

are created.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]110

Determine if:
[a] password complexity requirements are defined;
[b] password change of character requirements are defined;
[c] minimum password complexity requirements as defined are enforced when new

passwords are created; and

[d] minimum password change of character requirements as defined are enforced when

new passwords are created.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]110

Examine
[SELECT FROM: Identification and authentication policy; password policy; procedures

addressing authenticator management; system security plan; system configuration settings

and associated documentation; system design documentation; password configurations and

associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms supporting or implementing authenticator management

capability].

DISCUSSION [NIST SP 800-171 REV. 2]111

This requirement applies to single-factor authentication of individuals using passwords as

individual or group authenticators, and in a similar manner, when passwords are used as

part of multifactor authenticators. The number of changed characters refers to the number

of changes required with respect to the total number of positions in the current password.

To mitigate certain brute force attacks against passwords, organizations may also consider

salting passwords.


110 

NIST SP 800-171A, pp. 33-34.

111 

NIST SP 800-171 Rev. 2, p. 25.






IA.L2-3.5.7 – Password Complexity

CMMC Assessment Guide – Level 2 | Version 2.13

127


FURTHER DISCUSSION

Password complexity means using different types of characters as well as a specified number

of characters. This applies to both the creation of new passwords and the modification of

existing passwords. Characters to manage complexity include numbers, lowercase and

uppercase letters, and symbols. Minimum complexity requirements are left up to the

organization to define. Define the lowest level of password complexity required. Define the

number of characters that must be changed when an existing password is changed. Enforce

these rules for all passwords. Salting passwords adds a string of random characters (salt) to

a password prior to hashing. This ensures the randomness of the resulting hash value.

Example
You work with management to define password complexity rules and ensure they are listed

in the company’s security policy. You define and enforce a minimum number of characters

for each password and ensure that a certain number of characters must be changed when

updating passwords [a,b]. Characters include numbers, lowercase and uppercase letters, and

symbols [a]. These rules help create hard-to-guess passwords, which help to secure your

network.

Potential Assessment Considerations 

 Is  a degree of complexity  specified  for passwords, (e.g., are account passwords a

minimum of 12 characters and a mix of upper/lower case, numbers, and special

characters), including minimum requirements for each type [a,b,c]? 

 Is a change of characters required when new passwords are created [d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.7







IA.L2-3.5.8 – Password Reuse

CMMC Assessment Guide – Level 2 | Version 2.13

128


IA.L2-3.5.8 – PASSWORD REUSE

Prohibit password reuse for a specified number of generations.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]112

Determine if:
[a] the number of generations during which a password cannot be reused is specified and
[b] reuse of passwords is prohibited during the specified number of generations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]112

Examine
[SELECT FROM: Identification and authentication policy; password policy; procedures

addressing authenticator management; system security plan; system design documentation;

system configuration settings and associated documentation; password configurations and

associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators; system

developers].

Test
[SELECT FROM: Mechanisms supporting or implementing password-based authenticator

management capability].

DISCUSSION [NIST SP 800-171 REV. 2]113

Password lifetime restrictions do not apply to temporary passwords.

FURTHER DISCUSSION

Individuals may not reuse their passwords for a defined period of time and a set number of

passwords generated.

Example
You explain in your company’s security policy that changing passwords regularly provides

increased security by reducing the ability of adversaries to exploit stolen or purchased

passwords over an extended period. You define how often individuals can reuse their

passwords and the minimum number of password generations before reuse [a]. If a user


112 

NIST SP 800-171A, p. 34.

113 

NIST SP 800-171 Rev. 2, p. 25.






IA.L2-3.5.8 – Password Reuse

CMMC Assessment Guide – Level 2 | Version 2.13

129


tries to reuse a password before the number of password generations has been exceeded, an

error message is generated, and the user is required to enter a new password [b].

Potential Assessment Considerations 

 How many generations of password changes need to take place before a password can

be reused [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.8







IA.L2-3.5.9 – Temporary Passwords

CMMC Assessment Guide – Level 2 | Version 2.13

130


IA.L2-3.5.9 – TEMPORARY PASSWORDS

Allow temporary password use for system logons with an immediate change to a permanent

password.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]114

Determine if:
[a] an immediate change to a permanent password is required when a temporary password

is used for system logon.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]114

Examine
[SELECT FROM: Identification and authentication policy; password policy; procedures

addressing authenticator management; system security plan; system configuration settings

and associated documentation; system design documentation; password configurations and

associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators; system

developers].

Test
[SELECT FROM: Mechanisms supporting or implementing password-based authenticator

management capability].

DISCUSSION [NIST SP 800-171 REV. 2]115

Changing temporary passwords to permanent passwords immediately after system logon

ensures that the necessary strength of the authentication mechanism is implemented at the

earliest opportunity, reducing the susceptibility to authenticator compromises.

FURTHER DISCUSSION

Users must change their temporary passwords the first time they log in. Temporary

passwords often follow a consistent style within an organization and can be more easily

guessed than passwords created by the unique user. This approach to temporary passwords

should be avoided.


114 

NIST SP 800-171A, p. 34.

115 

NIST SP 800-171 Rev. 2, p. 25.






IA.L2-3.5.9 – Temporary Passwords

CMMC Assessment Guide – Level 2 | Version 2.13

131


Example
One of your duties as a systems administrator is to create accounts for new users. You

configure all systems with user accounts to require users to change a temporary password

upon initial login to a permanent password [a]. When a user logs on for the first time, they

are prompted to create a unique password that meets all of the defined complexity rules.

Potential Assessment Considerations 

 Are temporary passwords only valid to allow a user to perform a password reset [a]? 


 Does the system enforce an immediate password change after logon when a temporary

password is issued [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.9







IA.L2-3.5.10 – Cryptographically-Protected Passwords

CMMC Assessment Guide – Level 2 | Version 2.13

132


IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS

Store and transmit only cryptographically-protected passwords.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]116

Determine if:
[a] passwords are cryptographically protected in storage; and
[b] passwords are cryptographically protected in transit.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]116

Examine
[SELECT FROM: Identification and authentication policy; system security plan; procedures

addressing authenticator management; procedures addressing user identification and

authentication; system design documentation; list of system authenticator types; system

configuration settings and associated documentation; change control records associated

with managing system authenticators; system audit logs and records; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with authenticator management responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Mechanisms supporting or implementing authenticator management

capability].

DISCUSSION [NIST SP 800-171 REV. 2]117

Cryptographically-protected passwords use salted one-way cryptographic hashes of

passwords.
See NIST Cryptographic Standards and Guidelines.

FURTHER DISCUSSION

All passwords must be cryptographically protected using a one-way function for storage and

transmission. This type of protection changes passwords into another form, or a hashed

password. A one-way transformation makes it theoretically impossible to turn the hashed


116 

NIST SP 800-171A, pp. 34-35.

117 

NIST SP 800-171 Rev. 2, pp. 25-26.






IA.L2-3.5.10 – Cryptographically-Protected Passwords

CMMC Assessment Guide – Level 2 | Version 2.13

133


password back into the original password, but inadequate complexity (IA.L2-3.5.7) may still

facilitate offline cracking of hashes.

Example
You are responsible for managing passwords for your organization. You protect all

passwords with a one-way transformation, or hashing, before storing them. Passwords are

never transmitted across a network unencrypted [a,b].

Potential Assessment Considerations 

 Are passwords prevented from being stored in reversible encryption form in any

company systems [a]? 

 Are passwords stored as one-way hashes constructed from passwords [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.10







IA.L2-3.5.11 – Obscure Feedback

CMMC Assessment Guide – Level 2 | Version 2.13

134


IA.L2-3.5.11 – OBSCURE FEEDBACK

Obscure feedback of authentication information.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]118

Determine if:
[a] authentication information is obscured during the authentication process.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]118

Examine
[SELECT FROM: Identification and authentication policy; procedures addressing

authenticator feedback; system security plan; system design documentation; system

configuration settings and associated documentation; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: Personnel with information security responsibilities; system or network

administrators; system developers].

Test
[SELECT FROM: Mechanisms supporting or implementing the obscuring of feedback of

authentication information during authentication].

DISCUSSION [NIST SP 800-171 REV. 2]119

The feedback from systems does not provide any information that would allow unauthorized

individuals to compromise authentication mechanisms. For some types of systems or system

components, for example, desktop or notebook computers with relatively large monitors,

the threat (often referred to as shoulder surfing) may be significant. For other types of

systems or components, for example, mobile devices with small displays, this threat may be

less significant, and is balanced against the increased likelihood of typographic input errors

due to the small keyboards. Therefore, the means for obscuring the authenticator feedback

is selected accordingly. Obscuring authenticator feedback includes displaying asterisks

when users type passwords into input devices or displaying feedback for a very limited time

before fully obscuring it.

FURTHER DISCUSSION

Authentication information includes passwords. When users enter a password, the system

displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing


118 

NIST SP 800-171A, p. 35.

119 

NIST SP 800-171 Rev. 2, p. 26.






IA.L2-3.5.11 – Obscure Feedback

CMMC Assessment Guide – Level 2 | Version 2.13

135


the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices

may briefly show characters before obscuring).

Example
As a system administrator, you configure your systems to display an asterisk when users

enter their passwords into a computer system [a]. For mobile devices, the password

characters are briefly displayed to the user before being obscured. This prevents people from

figuring out passwords by looking over someone’s shoulder.

Potential Assessment Considerations 

 Is the feedback immediately obscured when the authentication is presented on a larger

display (e.g., desktop or notebook computers with relatively large monitors) [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.5.11






IR.L2-3.6.1 – Incident Handling

CMMC Assessment Guide – Level 2 | Version 2.13

136


Incident Response (IR)
IR.L2-3.6.1 – INCIDENT HANDLING

Establish an operational incident-handling capability for organizational systems that

includes preparation, detection, analysis, containment, recovery, and user response

activities.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]120

Determine if:
[a] an operational incident-handling capability is established;
[b] the operational incident-handling capability includes preparation;
[c] the operational incident-handling capability includes detection;
[d] the operational incident-handling capability includes analysis;
[e] the operational incident-handling capability includes containment;
[f] the operational incident-handling capability includes recovery; and
[g] the operational incident-handling capability includes user response activities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]120

Examine
[SELECT FROM: Incident response policy; contingency planning policy; procedures

addressing incident handling; procedures addressing incident response assistance; incident

response plan; contingency plan; system security plan; procedures addressing incident

response training; incident response training curriculum; incident response training

materials; incident response training records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with incident handling responsibilities; personnel with

contingency planning responsibilities; personnel with incident response training and

operational responsibilities; personnel with incident response assistance and support

responsibilities; personnel with access to incident response support and assistance

capability; personnel with information security responsibilities].

Test
[SELECT FROM: Incident-handling capability for the organization; organizational processes

for incident response assistance; mechanisms supporting or implementing incident

response assistance].


120 

NIST SP 800-171A, p. 36.






IR.L2-3.6.1 – Incident Handling

CMMC Assessment Guide – Level 2 | Version 2.13

137


DISCUSSION [NIST SP 800-171 REV. 2]121

Organizations recognize that incident handling capability is dependent on the capabilities of

organizational systems and the mission/business processes being supported by those

systems. Organizations consider incident handling as part of the definition, design, and

development of mission/business processes and systems. Incident-related information can

be obtained from a variety of sources including audit monitoring, network monitoring,

physical access monitoring, user and administrator reports, and reported supply chain

events. Effective incident handling capability includes coordination among many

organizational entities including mission/business owners, system owners, authorizing

officials, human resources offices, physical and personnel security offices, legal departments,

operations personnel, procurement offices, and the risk executive.
As part of user response activities, incident response training is provided by organizations

and is linked directly to the assigned roles and responsibilities of organizational personnel

to ensure that the appropriate content and level of detail is included in such training. For

example, regular users may only need to know who to call or how to recognize an incident

on the system; system administrators may require additional training on how to handle or

remediate incidents; and incident responders may receive more specific training on

forensics, reporting, system recovery, and restoration. Incident response training includes

user training in the identification/reporting of suspicious activities from external and

internal sources. User response activities also includes incident response assistance which

may consist of help desk support, assistance groups, and access to forensics services or

consumer redress services, when required.
NIST SP 800-61 provides guidance on incident handling. SP 800-86 and SP 800-101 provide

guidance on integrating forensic techniques into incident response. SP 800-161 provides

guidance on supply chain risk management.

FURTHER DISCUSSION

Incident handling capabilities prepare your organization to respond to incidents and may: 

 identify people inside and outside your organization you may need to contact during an

incident; 

 establish a way to report incidents, such as an email address or a phone number; 


 establish a system for tracking incidents; and 


 determine a place and a way to store evidence of an incident.

Software and hardware may be required to analyze incidents when they occur. Incident

prevention activities are also part of an incident-handling capability. The incident-handling

team provides input for such things as risk assessments and training.
OSAs detect incidents using different indicators. Indicators may include: 

 alerts from sensors or antivirus software;


121 

NIST SP 800-171 Rev. 2, p. 26.






IR.L2-3.6.1 – Incident Handling

CMMC Assessment Guide – Level 2 | Version 2.13

138 


 a filename that looks unusual; and 


 log entries that raise concern.

After detecting an incident, an incident response team performs analysis. This requires some

knowledge of normal network operations. The incident should be documented including all

the log entries associated with the incident.
Containment of the incident is a critical step to stop the damage the incident is causing to

your network. Containment activities should be based on previously defined organizational

priorities and assessment of risk.
Recovery activities restore systems to pre-incident functionality and address its underlying

causes. Organizations should use recovery activities as a means of improving their overall

resilience to future attacks.

Example
Your manager asks you to set up your company’s incident-response capability [a]. First, you

create an email address to collect information on possible incidents. Next, you draft a contact

list of all the people who need to know when an incident occurs. You document a procedure

for how to submit incidents that includes roles and responsibilities when a potential incident

is detected or reported. The procedure also explains how to track incidents, from initial

creation to closure [b].

Potential Assessment Considerations 

 Is there an incident response policy which specifically outlines requirements for handling

of incidents involving CUI [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.6.1








IR.L2-3.6.2 – Incident Reporting

CMMC Assessment Guide – Level 2 | Version 2.13

139


IR.L2-3.6.2 – INCIDENT REPORTING

Track, document, and report incidents to designated officials and/or authorities both

internal and external to the organization.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]122

Determine if:
[a] incidents are tracked;
[b] incidents are documented;
[c] authorities to whom incidents are to be reported are identified;
[d] organizational officials to whom incidents are to be reported are identified;
[e] identified authorities are notified of incidents; and
[f] identified organizational officials are notified of incidents.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]122

Examine
[SELECT FROM: Incident response policy; procedures addressing incident monitoring;

incident response records and documentation; procedures addressing incident reporting;

incident reporting records and documentation; incident response plan; system security plan;

other relevant documents or records].

Interview
[SELECT FROM: Personnel with incident monitoring responsibilities; personnel with

incident reporting responsibilities; personnel who have or should have reported incidents;

personnel (authorities) to whom incident information is to be reported; personnel with

information security responsibilities].

Test
[SELECT FROM: Incident monitoring capability for the organization; mechanisms supporting

or implementing tracking and documenting of system security incidents; organizational

processes for incident reporting; mechanisms supporting or implementing incident

reporting].

DISCUSSION [NIST SP 800-171 REV. 2]123

Tracking and documenting system security incidents includes maintaining records about

each incident, the status of the incident, and other pertinent information necessary for


122 

NIST SP 800-171A, pp. 36-37.

123 

NIST SP 800-171 Rev. 2, pp. 26-27.






IR.L2-3.6.2 – Incident Reporting

CMMC Assessment Guide – Level 2 | Version 2.13

140


forensics, evaluating incident details, trends, and handling. Incident information can be

obtained from a variety of sources including incident reports, incident response teams, audit

monitoring, network monitoring, physical access monitoring, and user/administrator

reports. Reporting incidents addresses specific incident reporting requirements within an

organization and the formal incident reporting requirements for the organization. Suspected

security incidents may also be reported and include the receipt of suspicious email

communications that can potentially contain malicious code. The types of security incidents

reported, the content and timeliness of the reports, and the designated reporting authorities

reflect applicable laws, Executive Orders, directives, regulations, and policies.
NIST SP 800-61 provides guidance on incident handling.

FURTHER DISCUSSION

Incident handling is the actions the organization takes to prevent or contain the impact of an

incident to the organization while it is occurring or shortly after it has occurred. The majority

of the process consists of incident identification, containment, eradication, and recovery.

During this process, it is essential to track the work processes required in order to effectively

respond. Designate a central hub to serve as the point to coordinate, communicate, and track

activities. The hub should receive and document information from system administrators,

incident handlers, and others involved throughout the process. As the incident process

moves toward eradication, executives, affected business units, and any required external

stakeholders should be kept aware of the incident in order to make decisions affecting the

business. Report to designated authorities, taking into account applicable laws, directives,

regulations, and other guidance. Specify staff responsible for communicating about the

incident to internal and external stakeholders.

Example
You notice unusual activity on a server and determine a potential security incident has

occurred. You open a tracking ticket with the Security Operations Center (SOC), which

assigns an incident handler to work the ticket [a]. The handler investigates and documents

initial findings, which lead to a determination that unauthorized access occurred on the

server [b]. The SOC establishes an incident management team consisting of security,

database, network, and system administrators. The team meets daily to update progress and

plan courses of action to contain the incident [a]. At the end of the day, the team provides a

status report to IT executives [d,f]. Two days later, the team declares the incident contained.

The team produces a final report as the database system is rebuilt and placed back into

operation.

Potential Assessment Considerations 

 Is there an incident response policy that directs the establishment of requirements for

tracking and reporting of incidents involving CUI to appropriate officials [a,d]? 

 Is cybersecurity incident information promptly reported to management [e,f]?






IR.L2-3.6.2 – Incident Reporting

CMMC Assessment Guide – Level 2 | Version 2.13

141


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.6.2








IR.L2-3.6.3 – Incident Response Testing

CMMC Assessment Guide – Level 2 | Version 2.13

142


IR.L2-3.6.3 – INCIDENT RESPONSE TESTING

Test the organizational incident response capability.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]124

Determine if:
[a] the incident response capability is tested.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]124

Examine
[SELECT FROM: Incident response policy; contingency planning policy; procedures

addressing incident response testing; procedures addressing contingency plan testing;

incident response testing material; incident response test results; incident response test

plan; incident response plan; contingency plan; system security plan; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with incident response testing responsibilities; personnel with

information security responsibilities; personnel with responsibilities for testing plans

related to incident response].

Test
[SELECT FROM: Mechanisms and processes for incident response].

DISCUSSION [NIST SP 800-171 REV. 2]125

Organizations test incident response capabilities to determine the effectiveness of the

capabilities and to identify potential weaknesses or deficiencies. Incident response testing

includes the use of checklists, walk-through or tabletop exercises, simulations (both parallel

and full interrupt), and comprehensive exercises. Incident response testing can also include

a determination of the effects on organizational operations (e.g., reduction in mission

capabilities), organizational assets, and individuals due to incident response.
NIST SP 800-84 provides guidance on testing programs for information technology

capabilities.

FURTHER DISCUSSION

Testing incident response capability validates existing plans and highlights potential

deficiencies. The test should address questions such as what happens during an incident;


124 

NIST SP 800-171A, p. 37.

125 

NIST SP 800-171 Rev. 2, p. 27.






IR.L2-3.6.3 – Incident Response Testing

CMMC Assessment Guide – Level 2 | Version 2.13

143


who is responsible for incident management; what tasks are assigned within the IT

organization; what support is needed from legal, public affairs, or other business

components; how resources are added if needed during the incident; and how law

enforcement is involved. Any negative impacts to the normal day-to-day operations when

responding to an incident should also be identified and documented.

Example
You decide to conduct an incident response table top exercise that simulates an attacker

gaining access to the network through a compromised server. You include relevant IT staff

such as security, database, network, and system administrators as participants. You also

request representatives from legal, human resources, and communications. You provide a

scenario to the group and have prepared key questions aligned with the response plans to

guide the exercise. During the exercise, you focus on how the team executes the incident

response plan. Afterward, you conduct a debrief with everyone that was involved to provide

feedback and develop improvements to the incident response plan [a].

Potential Assessment Considerations 

 Does the incident response policy outline requirements for regular incident response

plan testing and reviews of incident response capabilities [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.6.3







MA.L2-3.7.1 – Perform Maintenance

CMMC Assessment Guide – Level 2 | Version 2.13

144


Maintenance (MA)
MA.L2-3.7.1 – PERFORM MAINTENANCE

Perform maintenance on organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]126

Determine if:
[a] system maintenance is performed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]126

Examine
[SELECT FROM: System maintenance policy; procedures addressing controlled system

maintenance; maintenance records; manufacturer or vendor maintenance specifications;

equipment sanitization records; media sanitization records; system security plan; other

relevant documents or records].

Interview
[SELECT FROM: Personnel with system maintenance responsibilities; personnel with

information security responsibilities; personnel responsible for media sanitization; system

or network administrators].

Test
[SELECT FROM: Organizational processes for scheduling, performing, documenting,

reviewing, approving, and monitoring maintenance and repairs for systems; organizational

processes for sanitizing system components; mechanisms supporting or implementing

controlled maintenance; mechanisms implementing sanitization of system components].

DISCUSSION [NIST SP 800-171 REV. 2]127

This requirement addresses the information security aspects of the system maintenance

program and applies to all types of maintenance to any system component (including

hardware, firmware, applications) conducted by any local or nonlocal entity. System

maintenance also includes those components not directly associated with information

processing and data or information retention such as scanners, copiers, and printers.


126 

NIST SP 800-171A, p. 38.

127 

NIST SP 800-171 Rev. 2, p. 27.






MA.L2-3.7.1 – Perform Maintenance

CMMC Assessment Guide – Level 2 | Version 2.13

145


FURTHER DISCUSSION

One common form of computer security maintenance is regular patching of discovered

vulnerabilities in software and operating systems, though there are others that require

attention.
System maintenance includes: 

 corrective maintenance (e.g., repairing problems with the technology); 


 preventative maintenance (e.g., updates to prevent potential problems); 


 adaptive maintenance (e.g., changes to the operative environment); and 


 perfective maintenance (e.g., improve operations).

Example
You are responsible for maintenance activities on your company’s machines. This includes

regular planned maintenance, unscheduled maintenance, reconfigurations when required,

and damage repairs [a]. You know that failing to conduct maintenance activities can impact

system security and availability, so you ensure that maintenance is regularly performed. You

track all maintenance performed to assist with troubleshooting later if needed.

Potential Assessment Considerations 

 Are systems, devices, and supporting systems maintained per manufacturer

recommendations or company defined schedules [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.7.1







MA.L2-3.7.2 – System Maintenance Control

CMMC Assessment Guide – Level 2 | Version 2.13

146


MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct

system maintenance.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]128

Determine if:
[a] tools used to conduct system maintenance are controlled;
[b] techniques used to conduct system maintenance are controlled;
[c] mechanisms used to conduct system maintenance are controlled; and
[d] personnel used to conduct system maintenance are controlled.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]128

Examine
[SELECT FROM: System maintenance policy; procedures addressing system maintenance

tools and media; maintenance records; system maintenance tools and associated

documentation; maintenance tool inspection records; system security plan; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with system maintenance responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for approving, controlling, and monitoring

maintenance tools; mechanisms supporting or implementing approval, control, and

monitoring of maintenance tools; organizational processes for inspecting maintenance tools;

mechanisms supporting or implementing inspection of maintenance tools; organizational

process for inspecting media for malicious code; mechanisms supporting or implementing

inspection of media used for maintenance].

DISCUSSION [NIST SP 800-171 REV. 2]129

This requirement addresses security-related issues with maintenance tools that are not

within the organizational system boundaries that process, store, or transmit CUI, but are

used specifically for diagnostic and repair actions on those systems. Organizations have

flexibility in determining the controls in place for maintenance tools, but can include

approving, controlling, and monitoring the use of such tools. Maintenance tools are potential


128 

NIST SP 800-171A, p. 38.

129 

NIST SP 800-171 Rev. 2, pp. 27-28.






MA.L2-3.7.2 – System Maintenance Control

CMMC Assessment Guide – Level 2 | Version 2.13

147


vehicles for transporting malicious code, either intentionally or unintentionally, into a

facility and into organizational systems. Maintenance tools can include hardware, software,

and firmware items, for example, hardware and software diagnostic test equipment and

hardware and software packet sniffers.

FURTHER DISCUSSION

Tools used to perform maintenance must remain secure so they do not introduce viruses or

other malware into your system. Controlling your maintenance techniques prevents

intentional or unintentional harm to your network and systems. Additionally, the personnel

responsible for maintenance activities should be supervised considering their elevated

privilege on company assets.

Example
You are responsible for maintenance activities on your company’s machines. To avoid

introducing additional vulnerability into the systems you are maintaining, you make sure

that all maintenance tools are approved and their usage is monitored and controlled [a,b].

You ensure the tools are kept current and up-to-date [a]. You and your backup are the only

people authorized to use these tools and perform system maintenance [d].

Potential Assessment Considerations 

 Are  physical or logical access controls used  to limit access to maintenance tools to

authorized personnel [a]? 

 Are physical or logical access controls used to limit access to system documentation and

organizational maintenance process documentation to authorized personnel [b]? 

 Are physical or logical access controls used to limit access to automated mechanisms

(e.g., automated scripts, scheduled jobs) to authorized personnel [c]? 

 Are physical or logical access controls used to limit access to the system entry points that

enable maintenance (e.g., administrative portals, local and remote console access, and

physical equipment panels) to authorized personnel [d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.7.2







MA.L2-3.7.3 – Equipment Sanitization

CMMC Assessment Guide – Level 2 | Version 2.13

148


MA.L2-3.7.3 – EQUIPMENT SANITIZATION

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]130

Determine if:
[a] equipment to be removed from organizational spaces for off-site maintenance is

sanitized of any CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]130

Examine
[SELECT FROM: System maintenance policy; procedures addressing controlled system

maintenance; maintenance records; manufacturer or vendor maintenance specifications;

equipment sanitization records; media sanitization records; system security plan; other

relevant documents or records].

Interview
[SELECT FROM: Personnel with system maintenance responsibilities; personnel with

information security responsibilities; personnel responsible for media sanitization; system

or network administrators].

Test
[SELECT FROM: Organizational processes for scheduling, performing, documenting,

reviewing, approving, and monitoring maintenance and repairs for systems; organizational

processes for sanitizing system components; mechanisms supporting or implementing

controlled maintenance; mechanisms implementing sanitization of system components].

DISCUSSION [NIST SP 800-171 REV. 2]131

This requirement addresses the information security aspects of system maintenance that are

performed off-site and applies to all types of maintenance to any system component

(including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty,

in-house, software maintenance agreement).
NIST SP 800-88 provides guidance on media sanitization.

FURTHER DISCUSSION

Sanitization is a process that makes access to data infeasible on media such as a hard drive.

The process may overwrite the entire media with a fixed pattern such as binary zeros. In


130 

NIST SP 800-171A, p. 39.

131 

NIST SP 800-171 Rev. 2, p. 28.






MA.L2-3.7.3 – Equipment Sanitization

CMMC Assessment Guide – Level 2 | Version 2.13

149


addition to clearing the data an organization could purge (e.g., degaussing, secure erasing, or

disassembling) the data, or even destroy the media (e.g., incinerating, shredding, or

pulverizing). Performing one of these activities ensures that the data is extremely hard to

recover, thus ensuring its confidentiality.
For additional guidance on which specific sanitization actions should be taken on any specific

type of media, review the description of the Purge actions given in NIST SP 800-88 Revision

1 – Guidelines for Media Sanitization.

Example
You manage your organization’s IT equipment. A recent DoD project has been using a storage

array to house CUI. Recently, the array has experienced disk issues. After troubleshooting

with the vendor, they recommend several drives be replaced in the array. Knowing the drives

may contain CUI, you reference NIST 800-88 Rev. 1 and determine a strategy you can

implement on the defective equipment – processing the drives with a degaussing unit [a].

Once all the drives have been wiped, you document the action and ship the faulty drives to

the vendor.

Potential Assessment Considerations 

 Is there a process for sanitizing (e.g., erasing, wiping, degaussing) equipment that was

used to store, process, or transmit CUI before it is removed from the facility for off-site

maintenance (e.g., manufacturer or contracted maintenance support) [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.7.3








MA.L2-3.7.4 – Media Inspection

CMMC Assessment Guide – Level 2 | Version 2.13

150


MA.L2-3.7.4 – MEDIA INSPECTION

Check media containing diagnostic and test programs for malicious code before the media

are used in organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]132

Determine if:
[a] media containing diagnostic and test programs are checked for malicious code before

being used in organizational systems that process, store, or transmit CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]132

Examine

[SELECT FROM: System maintenance policy; procedures addressing system maintenance

tools; system maintenance tools and associated documentation; maintenance records;

system security plan; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system maintenance responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational process for inspecting media for malicious code;

mechanisms supporting or implementing inspection of media used for maintenance].

DISCUSSION [NIST SP 800-171 REV. 2]133

If, upon inspection of media containing maintenance diagnostic and test programs,

organizations determine that the media contain malicious code, the incident is handled

consistent with incident handling policies and procedures.

FURTHER DISCUSSION

As part of troubleshooting, a vendor may provide a diagnostic application to install on a

system. As this is executable code, there is a chance that the file is corrupt or infected with

malicious code. Implement procedures to scan any files prior to installation. The same level

of scrutiny must be made as with any file a staff member may download.
This requirement, MA.L2-3.7.4, extends both SI.L2-3.14.2 and SI.L2-3.14.4. SI.L2-3.14.2 and

SI.L2-3.14.4 require the implementation and updating of mechanisms to protect systems


132 

NIST SP 800-171A, p. 39.

133 

NIST SP 800-171 Rev. 2, p. 28.






MA.L2-3.7.4 – Media Inspection

CMMC Assessment Guide – Level 2 | Version 2.13

151


from malicious code, and MA.L2-3.7.4 extends this requirement to diagnostic and testing

tools.

Example
You have recently been experiencing performance issues on one of your servers. After

troubleshooting for much of the morning, the vendor has asked to install a utility that will

collect more data from the server. The file is stored on the vendor’s FTP server. The support

technician gives you the FTP site so you can anonymously download the utility file. You also

ask him for a hash of the utility file. As you download the file to your local computer, you

realize it is compressed. You unzip the file and perform a manual antivirus scan, which

reports no issues [a]. To verify the utility file has not been altered, you run an application to

see that the hash from the vendor matches.

Potential Assessment Considerations 

 Are media containing diagnostic and test programs (e.g., downloaded or copied utilities

or tools from manufacturer, third-party, or in-house support teams) checked for

malicious code (e.g., using antivirus or antimalware scans) before the media are used on

organizational systems [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.7.4








MA.L2-3.7.5 – Nonlocal Maintenance

CMMC Assessment Guide – Level 2 | Version 2.13

152


MA.L2-3.7.5 – NONLOCAL MAINTENANCE

Require multifactor authentication to establish nonlocal maintenance sessions via external

network connections and terminate such connections when nonlocal maintenance is

complete.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]134

Determine if:
[a] multifactor authentication is used to establish nonlocal maintenance sessions via

external network connections; and

[b] nonlocal maintenance sessions established via external network connections are

terminated when nonlocal maintenance is complete.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]134

Examine
[SELECT FROM: System maintenance policy; procedures addressing nonlocal system

maintenance; system security plan; system design documentation; system configuration

settings and associated documentation; maintenance records; diagnostic records; other

relevant documents or records].

Interview
[SELECT FROM: Personnel with system maintenance responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms

implementing, supporting, and managing nonlocal maintenance; mechanisms for strong

authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating

nonlocal maintenance sessions and network connections].

DISCUSSION [NIST SP 800-171 REV. 2]135

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals

communicating through an external network. The authentication techniques employed in

the establishment of these nonlocal maintenance and diagnostic sessions reflect the network

access requirements in IA.L2-3.5.3.


134 

NIST SP 800-171A, pp. 39-40.

135 

NIST SP 800-171 Rev. 2, p. 28.






MA.L2-3.7.5 – Nonlocal Maintenance

CMMC Assessment Guide – Level 2 | Version 2.13

153


FURTHER DISCUSSION

Nonlocal maintenance activities must use multifactor authentication. Multifactor

authentication requires at least two factors, such as: 

 something you know (e.g., password, personal identification number [PIN]); 


 something you have (e.g., cryptographic identification device, token); or 


 something you are (e.g., biometric fingerprint or facial scan).

Requiring two or more factors to prove your identity increases the security of the

connection. Nonlocal maintenance activities are activities conducted from external network

connections such as over the internet. After nonlocal maintenance activities are complete,

shut down the external network connection.
This requirement, MA.L2-3.7.5 specifies the addition of multifactor authentication for

remote maintenance sessions and complements five other requirements dealing with

remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and IA.L2-3.5.3): 

 AC.L2-3.1.12 requires the control of remote access sessions. 


 AC.L2-3.1.14 limits remote access to specific access control points. 


 AC.L2-3.1.13  requires the use of cryptographic mechanisms when enabling remote

sessions. 

 AC.L2-3.1.15 requires authorization for privileged commands executed during a remote

session. 

 Finally,  IA.L2-3.5.3  requires multifactor authentication for network access to non-

privileged accounts.

Example
You are responsible for maintaining your company’s firewall. In order to conduct

maintenance while working remotely, you connect to the firewall’s management interface

and log in using administrator credentials. The firewall then sends a verification request to

the multifactor authentication app on your smartphone [a]. You need both of these things to

prove your identity [a]. After you respond to the multifactor challenge, you have access to

the maintenance interface. When you finish your activities, you shut down the remote

connection by logging out and quitting your web browser [b].

Potential Assessment Considerations 

 Is multifactor authentication required prior to maintenance of a system when connecting

remotely from outside the system boundary [a]? 

 Are personnel required to manually terminate remote maintenance sessions established

via external network connections when maintenance is complete, or are connections

terminated automatically through system session management mechanisms [b]?






MA.L2-3.7.5 – Nonlocal Maintenance

CMMC Assessment Guide – Level 2 | Version 2.13

154


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.7.5








MA.L2-3.7.6 – Maintenance Personnel

CMMC Assessment Guide – Level 2 | Version 2.13

155


MA.L2-3.7.6 – MAINTENANCE PERSONNEL

Supervise the maintenance activities of maintenance personnel without required access

authorization.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]136

Determine if:
[a] maintenance personnel without required access authorization are supervised during

maintenance activities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]136

Examine
[SELECT FROM: System maintenance policy; procedures addressing maintenance personnel;

service provider contracts; service-level agreements; list of authorized personnel;

maintenance records; access control records; system security plan; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with system maintenance responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for authorizing and managing maintenance

personnel; mechanisms supporting or implementing authorization of maintenance

personnel].

DISCUSSION [NIST SP 800-171 REV. 2]137

This requirement applies to individuals who are performing hardware or software

maintenance on organizational systems, while PE.L2-3.10.1 addresses physical access for

individuals whose maintenance duties place them within the physical protection perimeter

of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not

previously identified as authorized maintenance personnel, such as information technology

manufacturers, vendors, consultants, and systems integrators, may require privileged access

to organizational systems, for example, when required to conduct maintenance activities

with little or no notice. Organizations may choose to issue temporary credentials to these

individuals based on organizational risk assessments. Temporary credentials may be for

one-time use or for very limited time periods.


136 

NIST SP 800-171A, p. 40.

137 

NIST SP 800-171 Rev. 2, p. 28.






MA.L2-3.7.6 – Maintenance Personnel

CMMC Assessment Guide – Level 2 | Version 2.13

156


FURTHER DISCUSSION

Individuals without proper permissions must be supervised while conducting maintenance

on organizational machines. Consider creating temporary accounts with short-term

expiration periods rather than regular user accounts. Additionally, limit the permissions and

access these accounts have to the most restrictive settings possible.

Example
One of your software providers has to come on-site to update the software on your

company’s computers. You give the individual a temporary logon and password that expires

in 12 hours and is limited to accessing only the computers necessary to complete the work

[a]. This gives the technician access long enough to perform the update. You monitor the

individual’s physical and network activity while the maintenance is taking place [a] and

revoke access when the job is done.

Potential Assessment Considerations 

 Are there  processes  for escorting and supervising maintenance personnel without

required access authorization (e.g., vendor support personnel, short-term maintenance

contractors) during system maintenance [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.7.6







MP.L2-3.8.1 – Media Protection

CMMC Assessment Guide – Level 2 | Version 2.13

157


Media Protection (MP)
MP.L2-3.8.1 – MEDIA PROTECTION

Protect (i.e., physically control and securely store) system media containing CUI, both paper

and digital.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]138

Determine if:
[a] paper media containing CUI is physically controlled;
[b] digital media containing CUI is physically controlled;
[c] paper media containing CUI is securely stored; and
[d] digital media containing CUI is securely stored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]138

Examine
[SELECT FROM: System media protection policy; procedures addressing media storage;

procedures addressing media access restrictions; access control policy and procedures;

physical and environmental protection policy and procedures; system security plan; media

storage facilities; access control records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system media protection responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for restricting information media; mechanisms

supporting or implementing media access restrictions].

DISCUSSION [NIST SP 800-171 REV. 2]139

System media includes digital and non-digital media. Digital media includes diskettes,

magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and

digital video disks. Non-digital media includes paper and microfilm. Protecting digital media

includes limiting access to design specifications stored on compact disks or flash drives in

the media library to the project leader and any individuals on the development team.

Physically controlling system media includes conducting inventories, maintaining


138 

NIST SP 800-171A, p. 41.

139 

NIST SP 800-171 Rev. 2, p. 29.






MP.L2-3.8.1 – Media Protection

CMMC Assessment Guide – Level 2 | Version 2.13

158


accountability for stored media, and ensuring procedures are in place to allow individuals to

check out and return media to the media library. Secure storage includes a locked drawer,

desk, or cabinet, or a controlled media library.
Access to CUI on system media can be limited by physically controlling such media, which

includes conducting inventories, ensuring procedures are in place to allow individuals to

check out and return media to the media library, and maintaining accountability for all

stored media.
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.

FURTHER DISCUSSION

CUI can be contained on two types of physical media: 

 hardcopy (e.g., CD drives, USB drives, magnetic tape); and 


 digital devices (e.g., CD drives, USB drives, video).

You should store physical media containing CUI in a secure location. This location should be

accessible only to those people with the proper permissions. All who access CUI should

follow the process for checking it out and returning it.

Example
Your company has CUI for a specific Army contract contained on a USB drive. You store the

drive in a locked drawer, and you log it on an inventory [d]. You establish a procedure to

check out the USB drive so you have a history of who is accessing it. These procedures help

to maintain the confidentiality, integrity, and availability of the data.

Potential Assessment Considerations 

 Is hardcopy media containing CUI handled only by authorized personnel according to

defined procedures [a]? 

 Is  digital media containing CUI handled only by authorized personnel according to

defined procedures [b]? 

 Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]? 


 Is digital media containing CUI securely stored (e.g., in access-controlled repositories)

[d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.1








MP.L2-3.8.2 – Media Access

CMMC Assessment Guide – Level 2 | Version 2.13

159


MP.L2-3.8.2 – MEDIA ACCESS

Limit access to CUI on system media to authorized users.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]140

Determine if:
[a] access to CUI on system media is limited to authorized users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]140

Examine
[SELECT FROM: System media protection policy; procedures addressing media storage;

physical and environmental protection policy and procedures; access control policy and

procedures; system security plan; system media; designated controlled areas; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with system media protection and storage responsibilities;

personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for storing media; mechanisms supporting or

implementing secure media storage and media protection].

DISCUSSION [NIST SP 800-171 REV. 2]141

Access can be limited by physically controlling system media and secure storage areas.

Physically controlling system media includes conducting inventories, ensuring procedures

are in place to allow individuals to check out and return system media to the media library,

and maintaining accountability for all stored media. Secure storage includes a locked drawer,

desk, or cabinet, or a controlled media library.

FURTHER DISCUSSION

Limit physical access to CUI to people permitted to access CUI. Use locked or controlled

storage areas and limit access to only those allowed to access CUI. Keep track of who accesses

physical CUI in an audit log.


140 

NIST SP 800-171A, p. 41.

141 

NIST SP 800-171 Rev. 2, p. 29.






MP.L2-3.8.2 – Media Access

CMMC Assessment Guide – Level 2 | Version 2.13

160


Example
Your company has CUI for a specific Army contract contained on a USB drive. In order to

control the data, you establish specific procedures for handling the drive. You designate the

project manager as the owner of the data and require anyone who needs access to the data

to get permission from the data owner [a]. The data owner maintains a list of users that are

authorized to access the information. Before an authorized individual can get access to the

USB drive that contains the CUI they have to fill out a log and check out the drive. When they

are done with the data, they check in the drive and return it to its secure storage location.

Potential Assessment Considerations 

 Is  a list of users who are authorized to access the CUI contained on system media

maintained [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.2








MP.L2-3.8.3 – Media Disposal [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

161


MP.L2-3.8.3 – MEDIA DISPOSAL [CUI DATA]

Sanitize or destroy system media containing CUI before disposal or release for reuse.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]142

Determine if:
[a] system media containing CUI is sanitized or destroyed before disposal; and
[b] system media containing CUI is sanitized before it is released for reuse.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]142

Examine
[SELECT FROM: System media protection policy; procedures addressing media sanitization

and disposal; applicable standards and policies addressing media sanitization; system

security plan; media sanitization records; system audit logs and records; system design

documentation; system configuration settings and associated documentation; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with media sanitization responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or

implementing media sanitization].

DISCUSSION [NIST SP 800-171 REV. 2]143

This requirement applies to all system media, digital and non-digital, subject to disposal or

reuse. Examples include: digital media found in workstations, network components,

scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media

such as paper and microfilm. The sanitization process removes information from the media

such that the information cannot be retrieved or reconstructed. Sanitization techniques,

including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of

information to unauthorized individuals when such media is released for reuse or disposal.

Organizations determine the appropriate sanitization methods, recognizing that destruction

may be necessary when other methods cannot be applied to the media requiring sanitization.
Organizations use discretion on the employment of sanitization techniques and procedures

for media containing information that is in the public domain or publicly releasable or

deemed to have no adverse impact on organizations or individuals if released for reuse or


142 

NIST SP 800-171A, pp. 41-42.

143 

NIST SP 800-171 Rev. 2, p. 29.






MP.L2-3.8.3 – Media Disposal [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

162


disposal. Sanitization of non-digital media includes destruction, removing CUI from

documents, or redacting selected sections or words from a document by obscuring the

redacted sections or words in a manner equivalent in effectiveness to removing the words

or sections from the document. NARA policy and guidance control sanitization processes.

NIST SP 800-88 provides guidance on media sanitization.

FURTHER DISCUSSION

“Media” refers to a broad range of items that store information, including paper documents,

disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important

to know what information is on media so that you can handle it properly. If there is CUI, you

or someone in your company should either: 

 shred or destroy the device before disposal so it cannot be read; or  


 clean or purge the information, if you want to reuse the device.

See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more

information.

Example
As you pack for an office move, you find some old CDs in a file cabinet. You determine that

one has information about an old project your company did for the DoD. You shred the CD

rather than simply throwing it in the trash [a].

Potential Assessment Considerations 

 Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure

that no usable data is retrievable [a,b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.3 


 FAR Clause 52.204-21 b.1.vii







MP.L2-3.8.4 – Media Markings

CMMC Assessment Guide – Level 2 | Version 2.13

163


MP.L2-3.8.4 – MEDIA MARKINGS

Mark media with necessary CUI markings and distribution limitations.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]144

Determine if:
[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]144

Examine
[SELECT FROM: System media protection policy; procedures addressing media marking;

physical and environmental protection policy and procedures; system security plan; list of

system media marking security attributes; designated controlled areas; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with system media protection and marking responsibilities;

personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for marking information media; mechanisms

supporting or implementing media marking].

DISCUSSION [NIST SP 800-171 REV. 2]145

The term security marking refers to the application or use of human-readable security

attributes. System media includes digital and non-digital media. Marking of system media

reflects applicable federal laws, Executive Orders, directives, policies, and regulations.

FURTHER DISCUSSION

All media, hardcopy and digital, must be properly marked to alert individuals to the presence

of CUI stored on the media. The National Archives and Records Administration (NARA) has

published guidelines for labeling media of different sizes.146
MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it

desirable to include ownership information on the device label as well.


144 

NIST SP 800-171A, p. 42.

145 

NIST SP 800-171 Rev. 2, p. 30.

146 

NARA, CUI Notice 2019-01: Controlled Unclassified Information (CUI) Coversheets and Labels






MP.L2-3.8.4 – Media Markings

CMMC Assessment Guide – Level 2 | Version 2.13

164


Example
You were recently contacted by the project team for a new DoD program. The team said they

wanted the CUI in use for the program to be properly protected. When speaking with them,

you realize that most of the protections will be provided as part of existing enterprise

cybersecurity capabilities. They also mentioned that the project team will use several USB

drives to share specific data. You explain that the team must ensure the USB drives are

externally marked to indicate the presence of CUI [a]. The project team labels the outside of

each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the

labels indicate that distribution is limited to those employees supporting the DoD program

[a].

Potential Assessment Considerations 

 Are all media containing CUI identified [a,b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.4








MP.L2-3.8.5 – Media Accountability

CMMC Assessment Guide – Level 2 | Version 2.13

165


MP.L2-3.8.5 – MEDIA ACCOUNTABILITY

Control access to media containing CUI and maintain accountability for media during

transport outside of controlled areas.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]147

Determine if:
[a] access to media containing CUI is controlled; and
[b] accountability for media containing CUI is maintained during transport outside of

controlled areas.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]147

Examine
[SELECT FROM: System media protection policy; procedures addressing media storage;

physical and environmental protection policy and procedures; access control policy and

procedures; system security plan; system media; designated controlled areas; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with system media protection and storage responsibilities;

personnel with information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for storing media; mechanisms supporting or

implementing media storage and media protection].

DISCUSSION [NIST SP 800-171 REV. 2]148

Controlled areas are areas or spaces for which organizations provide physical or procedural

controls to meet the requirements established for protecting systems and information.

Controls to maintain accountability for media during transport include locked containers

and cryptography. Cryptographic mechanisms can provide confidentiality and integrity

protections depending upon the mechanisms used. Activities associated with transport

include the actual transport as well as those activities such as releasing media for transport

and ensuring that media enters the appropriate transport processes. For the actual

transport, authorized transport and courier personnel may include individuals external to

the organization. Maintaining accountability of media during transport includes restricting

transport activities to authorized personnel and tracking and obtaining explicit records of


147 

NIST SP 800-171A, p. 42.

148 

NIST SP 800-171 Rev. 2, p. 30.






MP.L2-3.8.5 – Media Accountability

CMMC Assessment Guide – Level 2 | Version 2.13

166


transport activities as the media moves through the transportation system to prevent and

detect loss, destruction, or tampering.

FURTHER DISCUSSION

CUI is protected in both physical and digital formats. Physical control can be accomplished

using traditional concepts like restricted access to physical locations or locking papers in a

desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be

stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This

makes digital CUI data very portable. It is important for an organization to apply mechanisms

to prevent unauthorized access to CUI due to ease of transport.

Example
Your team has recently completed configuring a server for a DoD customer. The customer

has asked that it be ready to plug in and use. An application installed on the server contains

data that is considered CUI. You box the server for shipment using tamper-evident packaging

and label it with the specific recipient for the shipment [b]. You select a reputable shipping

service so you will get a tracking number to monitor the progress. Once the item is shipped,

you send the recipients the tracking number so they can monitor and ensure prompt delivery

at their facility.

Potential Assessment Considerations 

 Do only approved individuals have access to media containing CUI [a]? 


 Is access to the media containing CUI recorded in an audit log [b]? 


 Is all CUI data on media encrypted or physically locked prior to transport outside of

secure locations [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.5








MP.L2-3.8.6 – Portable Storage Encryption

CMMC Assessment Guide – Level 2 | Version 2.13

167


MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital

media during transport unless otherwise protected by alternative physical safeguards.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]149

Determine if:
[a] the confidentiality of CUI stored on digital media is protected during transport using

cryptographic mechanisms or alternative physical safeguards.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]149

Examine
[SELECT FROM: System media protection policy; procedures addressing media transport;

system design documentation; system security plan; system configuration settings and

associated documentation; system media transport records; system audit logs and records;

other relevant documents or records].

Interview
[SELECT FROM: Personnel with system media transport responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Cryptographic mechanisms protecting information on digital media during

transportation outside controlled areas].

DISCUSSION [NIST SP 800-171 REV. 2]150

This requirement applies to portable storage devices (e.g., USB memory sticks, digital video

disks, compact disks, external or removable hard disk drives).
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.

FURTHER DISCUSSION

CUI can be stored and transported on a variety of portable media, which increases the chance

that the CUI can be lost. When identifying the paths CUI flows through your company, identify

devices to include in this requirement.


149 

NIST SP 800-171A, p. 43.

150 

NIST SP 800-171 Rev. 2, p. 30.






MP.L2-3.8.6 – Portable Storage Encryption

CMMC Assessment Guide – Level 2 | Version 2.13

168


To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect

the data. Even if the media are lost, proper encryption renders the data inaccessible. When

encryption is not an option, apply alternative physical safeguards during transport.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,

the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-

3.8.5. This requirement is intended to protect against situations where control of media

access fails, such as through the loss of the media.

Example
You manage the backups for file servers in your datacenter. You know that in addition to the

company’s sensitive information, CUI is stored on the file servers. As part of a broader plan

to protect data, you send the backup tapes off site to a vendor. You are aware that your

backup software provides the option to encrypt data onto tape. You develop a plan to test

and enable backup encryption for the data sent off site. This encryption provides additional

protections for the data on the backup tapes during transport and offsite storage [a].

Potential Assessment Considerations 

 Are all CUI data on media encrypted or physically protected prior to transport outside of

controlled areas [a]? 

 Are cryptographic mechanisms used to protect digital media during transport outside of

controlled areas [a]? 

 Do cryptographic mechanisms comply with FIPS 140-2 [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.6








MP.L2-3.8.7 – Removeable Media

CMMC Assessment Guide – Level 2 | Version 2.13

169


MP.L2-3.8.7 – REMOVEABLE MEDIA

Control the use of removable media on system components.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]151

Determine if:
[a] the use of removable media on system components is controlled.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]151

Examine
[SELECT FROM: System media protection policy; system use policy; procedures addressing

media usage restrictions; system security plan; rules of behavior; system design

documentation; system configuration settings and associated documentation; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system media use responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for media use; mechanisms restricting or

prohibiting use of system media on systems or system components].

DISCUSSION [NIST SP 800-171 REV. 2]152

In contrast to requirement MP.L2-3.8.1, which restricts user access to media, this

requirement restricts the use of certain types of media on systems, for example, restricting

or prohibiting the use of flash drives or external hard disk drives. Organizations can employ

technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to

control the use of system media. Organizations may control the use of portable storage

devices, for example, by using physical cages on workstations to prohibit access to certain

external ports, or disabling or removing the ability to insert, read, or write to such devices.
Organizations may also limit the use of portable storage devices to only approved devices

including devices provided by the organization, devices provided by other approved

organizations, and devices that are not personally owned. Finally, organizations may control

the use of portable storage devices based on the type of device, prohibiting the use of

writeable, portable devices, and implementing this restriction by disabling or removing the

capability to write to such devices. Malicious code protection mechanisms include anti-virus

signature definitions and reputation-based technologies. Many technologies and methods


151 

NIST SP 800-171A, p. 43.

152 

NIST SP 800-171 Rev. 2, pp. 30-31.






MP.L2-3.8.7 – Removeable Media

CMMC Assessment Guide – Level 2 | Version 2.13

170


exist to limit or eliminate the effects of malicious code. Pervasive configuration management

and comprehensive software integrity controls may be effective in preventing execution of

unauthorized code. In addition to commercial off-the-shelf software, malicious code may also

be present in custom-built software. This could include logic bombs, back doors, and other

types of cyber-attacks that could affect organizational missions/business functions.

Traditional malicious code protection mechanisms cannot always detect such code. In these

situations, organizations rely instead on other safeguards including secure coding practices,

configuration management and control, trusted procurement processes, and monitoring

technologies to help ensure that software does not perform functions other than the

functions intended.

FURTHER DISCUSSION

Removable media are any type of media storage that you can remove from your computer

or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable

media. The policy should cover the various types of removable media (e.g., write-once media

and rewritable media) and should discuss the company’s approach to removable media.

Ensure the following controls are considered and included in the policy: 

 limit the use of removable media to the smallest number needed; and 


 scan all removable media for viruses.

Example
You are in charge of IT operations. You establish a policy for removable media that includes

USB drives [a]. The policy information such as: 

 only USB drives issued by the organization may be used; and 


 USB drives are to be used for work purposes only [a].

You set up a separate computer to scan these drives before anyone uses them on the

network. This computer has anti-virus software installed that is kept up to date.

Potential Assessment Considerations 

 Are removable media allowed [a]? 


 Are policies and/or procedures in use to control the use of removable media [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.7







MP.L2-3.8.8 – Shared Media

CMMC Assessment Guide – Level 2 | Version 2.13

171


MP.L2-3.8.8 – SHARED MEDIA

Prohibit the use of portable storage devices when such devices have no identifiable owner.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]153

Determine if:
[a] the use of portable storage devices is prohibited when such devices have no identifiable

owner.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]153

Examine
[SELECT FROM: System media protection policy; system use policy; procedures addressing

media usage restrictions; system security plan; rules of behavior; system configuration

settings and associated documentation; system design documentation; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system media use responsibilities; personnel with

information security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of

media on systems or system components].

DISCUSSION [NIST SP 800-171 REV. 2]154

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable

storage devices reduces the overall risk of using such technologies by allowing organizations

to assign responsibility and accountability for addressing known vulnerabilities in the

devices (e.g., insertion of malicious code).

FURTHER DISCUSSION

A portable storage device is a system component that can be inserted into and removed from

a system and is used to store data or information. It typically plugs into a laptop or desktop

port (e.g., USB port). These devices can contain malicious files that can lead to a compromise

of a connected system. Therefore, use should be prohibited if the device cannot be traced to

an owner who is responsible and accountable for its security.


153 

NIST SP 800-171A, p. 43.

154 

NIST SP 800-171 Rev. 2, p. 31.






MP.L2-3.8.8 – Shared Media

CMMC Assessment Guide – Level 2 | Version 2.13

172


This requirement, MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7 by

prohibiting unidentified media use even if that media type is allowable.

Example
You are the IT manager. One day, a staff member reports finding a USB drive in the parking

lot. You investigate and learn that there are no labels on the outside of the drive to indicate

who might be responsible for it. You send an email to all employees to remind them that IT

policies expressly prohibit plugging unknown devices into company computers. You also

direct staff members to turn in to the IT help desk any devices that have no identifiable

owner [a].

Potential Assessment Considerations 

 Do portable storage devices used have identifiable owners [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.8








MP.L2-3.8.9 – Protect Backups

CMMC Assessment Guide – Level 2 | Version 2.13

173


MP.L2-3.8.9 – PROTECT BACKUPS

Protect the confidentiality of backup CUI at storage locations.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]155

Determine if:
[a] the confidentiality of backup CUI is protected at storage locations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]155

Examine
[SELECT FROM: Procedures addressing system backup; system configuration settings and

associated documentation; security plan; backup storage locations; system backup logs or

records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with system backup responsibilities; personnel with information

security responsibilities].

Test
[SELECT FROM: Organizational processes for conducting system backups; mechanisms

supporting or implementing system backups].

DISCUSSION [NIST SP 800-171 REV. 2]156

Organizations can employ cryptographic mechanisms or alternative physical controls to

protect the confidentiality of backup information at designated storage locations. Backed-up

information containing CUI may include system-level information and user-level

information. System-level information includes system-state information, operating system

software, application software, and licenses. User-level information includes information

other than system-level information.

FURTHER DISCUSSION

You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity).

Methods to ensure confidentiality may include: 

 encrypting files or media; 


 managing who has access to the information; and 


 physically securing devices and media that contain CUI.


155 

NIST SP 800-171A, p. 44.

156 

NIST SP 800-171 Rev. 2, p. 31.






MP.L2-3.8.9 – Protect Backups

CMMC Assessment Guide – Level 2 | Version 2.13

174


Storage locations for information are varied, and may include: 

 external hard drives; 


 USB drives; 


 magnetic media (tape cartridge); 


 optical disk (CD, DVD); 


 Networked Attached Storage (NAS); 


 servers; and 


 cloud backup.

This requirement, MP.L2-3.8.9, requires the confidentiality of backup information at storage

locations.

Example
You are in charge of protecting CUI for your company. Because the company’s backups

contain CUI, you work with IT to protect the confidentiality of backup data. You agree to

encrypt all CUI data as it is saved to an external hard drive [a].

Potential Assessment Considerations 

 Are data backups encrypted on media before removal from a secured facility [a]? 


 Are cryptographic mechanisms FIPS validated [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.8.9






PS.L2-3.9.1 – Screen Individuals

CMMC Assessment Guide – Level 2 | Version 2.13

175


Personnel Security (PS)
PS.L2-3.9.1 – SCREEN INDIVIDUALS

Screen individuals prior to authorizing access to organizational systems containing CUI.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]157

Determine if:
[a] individuals are screened prior to authorizing access to organizational systems

containing CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]157

Examine
[SELECT FROM: Personnel security policy; procedures addressing personnel screening;

records of screened personnel; system security plan; other relevant documents or records].

Interview
[SELECT FROM: Personnel with personnel security responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for personnel screening].

DISCUSSION [NIST SP 800-171 REV. 2]158

Personnel security screening (vetting) activities involve the evaluation/assessment of

individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the

trustworthiness of the individual) prior to authorizing access to organizational systems

containing CUI. The screening activities reflect applicable federal laws, Executive Orders,

directives, policies, regulations, and specific criteria established for the level of access

required for assigned positions.

FURTHER DISCUSSION

Ensure all employees who need access to CUI undergo organization-defined screening before

being granted access. Base the types of screening on the requirements for a given position

and role.


157 

NIST SP 800-171A, p. 45.

158 

NIST SP 800-171 Rev. 2, p. 31.






PS.L2-3.9.1 – Screen Individuals

CMMC Assessment Guide – Level 2 | Version 2.13

176


The effective screening of personnel provided by this requirement, PS.L2-3.9.1, improves

upon the effectiveness of authentication performed in IA.L2-3.5.2.

Example
You are in charge of security at your organization. You complete standard criminal

background and credit checks of all individuals you hire before they can access CUI [a]. Your

screening program follows appropriate laws, policies, regulations, and criteria for the level

of access required for each position.

Potential Assessment Considerations 

 Are appropriate background checks completed prior granting access to organizational

systems containing CUI [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.9.1








PS.L2-3.9.2 – Personnel Actions

CMMC Assessment Guide – Level 2 | Version 2.13

177


PS.L2-3.9.2 – PERSONNEL ACTIONS

Ensure that organizational systems containing CUI are protected during and after personnel

actions such as terminations and transfers.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]159

Determine if:
[a] a policy and/or process for terminating system access and any credentials coincident

with personnel actions is established;

[b] system access and credentials are terminated consistent with personnel actions such as

termination or transfer; and

[c] the system is protected during and after personnel transfer actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]159

Examine
[SELECT FROM: Personnel security policy; procedures addressing personnel transfer and

termination; records of personnel transfer and termination actions; list of system accounts;

records of terminated or revoked authenticators and credentials; records of exit interviews;

other relevant documents or records].

Interview
[SELECT FROM: Personnel with personnel security responsibilities; personnel with account

management responsibilities; system or network administrators; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for personnel transfer and termination;

mechanisms supporting or implementing personnel transfer and termination notifications;

mechanisms for disabling system access and revoking authenticators].

DISCUSSION [NIST SP 800-171 REV. 2]160

Protecting CUI during and after personnel actions may include returning system-related

property and conducting exit interviews. System-related property includes hardware

authentication tokens, identification cards, system administration technical manuals, keys,

and building passes. Exit interviews ensure that individuals who have been terminated

understand the security constraints imposed by being former employees and that proper

accountability is achieved for system-related property. Security topics of interest at exit

interviews can include reminding terminated individuals of nondisclosure agreements and


159 

NIST SP 800-171A, p. 45.

160 

NIST SP 800-171 Rev. 2, pp. 31-32.






PS.L2-3.9.2 – Personnel Actions

CMMC Assessment Guide – Level 2 | Version 2.13

178


potential limitations on future employment. Exit interviews may not be possible for some

terminated individuals, for example, in cases related to job abandonment, illnesses, and non-

availability of supervisors. For termination actions, timely execution is essential for

individuals terminated for cause. In certain situations, organizations consider disabling the

system accounts of individuals that are being terminated prior to the individuals being

notified.
This requirement applies to reassignments or transfers of individuals when the personnel

action is permanent or of such extended durations as to require protection. Organizations

define the CUI protections appropriate for the types of reassignments or transfers, whether

permanent or extended. Protections that may be required for transfers or reassignments to

other positions within organizations include returning old and issuing new keys,

identification cards, and building passes; changing system access authorizations (i.e.,

privileges); closing system accounts and establishing new accounts; and providing for access

to official records to which individuals had access at previous work locations and in previous

system accounts.

FURTHER DISCUSSION

Employee access to CUI is removed when they change jobs or leave the company. When

employment or program access is terminated for any reason, the following actions may occur

within the defined time frame: 

 all company IT equipment (e.g., laptops, cell phones, storage devices) is returned; 


 all identification, access cards, and keys are returned; and 


 an exit interview is conducted to remind the employee of their obligations to not discuss

CUI, even after employment.

Additionally, perform the following: 

 remove access to all accounts granting access to CUI or modify access to CUI as

appropriate for a new work role; 

 disable or close employee accounts for departing employees; and 


 limit access to physical spaces with CUI for departing employees or those who transition

to a work role that does not require access to CUI.

This requirement, PS.L2-3.9.2, leverages the identification of system users required by IA.L2-

3.5.1 in order to ensure that all accesses are identified and removed.

Example 1
You are in charge of IT operations. Per organizational policies, when workers leave the

company, you remove them from any physical CUI access lists. If you are not their supervisor,

you contact their supervisor or human resources immediately and ask them to: 

 turn in the former employees’ computers for proper handling;






PS.L2-3.9.2 – Personnel Actions

CMMC Assessment Guide – Level 2 | Version 2.13

179 


 inform help desk or system administrators to have the former employees’ system access

revoked; 

 retrieve the former employees’ identification and access cards; and 


 have the former employees attend an exit interview where you or human  resources

remind them of their obligations to not discuss CUI [b].

Example 2
An employee transfers from one working group in your company to another. Human

resources team notifies IT of the transfer date, and the employee’s new manager follows

procedure by submitting a ticket to the IT help desk to provide information on the access

rights the employee will require in their new role. IT implements the rights for the new

position and revokes the access for the prior position on the official date of the transfer [c].

Potential Assessment Considerations 

 Is information system access disabled upon employee termination or transfer [c]? 


 Are authenticators/ credentials associated with the employee revoked upon termination

or transfer within a certain time frame [b,c]? 

 Is all company information system-related property retrieved from the terminated or

transferred employee within a certain timeframe [a,c]? 

 Is access to company information and information systems formerly controlled by the

terminated or transferred employee retained for a certain timeframe [a,c]? 

 Is the information security office and data owner of the change in authorization notified

within a certain timeframe [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.9.2







PE.L2-3.10.1 – Limit Physical Access [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

180


Physical Protection (PE)
PE.L2-3.10.1 – LIMIT PHYSICAL ACCESS [CUI DATA]

Limit physical access to organizational systems, equipment, and the respective operating

environments to authorized individuals.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]161

Determine if:
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]161

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access authorizations; system security plan; authorized personnel access list;

authorization credentials; physical access list reviews; physical access termination records

and associated documentation; other relevant documents or records].

Interview
[SELECT FROM: Personnel with physical access authorization responsibilities; personnel

with physical access to system facility; personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for physical access authorizations; mechanisms

supporting or implementing physical access authorizations].

DISCUSSION [NIST SP 800-171 REV. 2]162

This requirement applies to employees, individuals with permanent physical access

authorization credentials, and visitors. Authorized individuals have credentials that include

badges, identification cards, and smart cards. Organizations determine the strength of

authorization credentials needed consistent with applicable laws, directives, policies,


161 

NIST SP 800-171A, p. 46.

162 

NIST SP 800-171 Rev. 2, p. 32.






PE.L2-3.10.1 – Limit Physical Access [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

181


regulations, standards, procedures, and guidelines. This requirement applies only to areas

within facilities that have not been designated as publicly accessible.
Limiting physical access to equipment may include placing equipment in locked rooms or

other secured areas and allowing access to authorized individuals only, and placing

equipment in locations that can be monitored by organizational personnel. Computing

devices, external disk drives, networking devices, monitors, printers, copiers, scanners,

facsimile machines, and audio devices are examples of equipment.

FURTHER DISCUSSION

This addresses the company’s physical space (e.g., office, testing environments, equipment

rooms), technical assets, and non-technical assets that need to be protected from

unauthorized physical access. Specific environments are limited to authorized employees,

and access is controlled with badges, electronic locks, physical key locks, etc.
Output devices, such as printers, are placed in areas where their use does not expose data to

unauthorized individuals. Lists of personnel with authorized access are developed and

maintained, and personnel are issued appropriate authorization credentials.

Example
You manage a DoD project that requires special equipment used only by project team

members [b,c]. You work with the facilities manager to put locks on the doors to the areas

where the equipment is stored and used [b,c,d]. Project team members are the only

individuals issued with keys to the space. This restricts access to only those employees who

work on the DoD project and require access to that equipment.

Potential Assessment Considerations 

 Are lists of personnel with authorized access developed and maintained, and are

appropriate authorization credentials issued [a]? 

 Has the facility/building manager designated building areas as “sensitive” and designed

physical security protections (e.g., guards, locks, cameras, card readers) to limit physical

access to the area to only authorized employees [b,c,d]? 

 Are output devices such as printers placed in areas where their use does not expose data

to unauthorized individuals [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.10.1 


 FAR Clause 52.204-21 b.1.viii








PE.L2-3.10.2 – Monitor Facility

CMMC Assessment Guide – Level 2 | Version 2.13

182


PE.L2-3.10.2 – MONITOR FACILITY

Protect and monitor the physical facility and support infrastructure for organizational

systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]

Determine if:

[a] the physical facility where organizational systems reside is protected;
[b] the support infrastructure for organizational systems is protected;
[c] the physical facility where organizational systems reside is monitored; and
[d] the support infrastructure for organizational systems is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access monitoring; system security plan; physical access logs or records; physical

access monitoring records; physical access log reviews; other relevant documents or

records].

Interview
[SELECT FROM: Personnel with physical access monitoring responsibilities; personnel with

incident response responsibilities; personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for monitoring physical access; mechanisms

supporting or implementing physical access monitoring; mechanisms supporting or

implementing the review of physical access logs].

DISCUSSION [NIST SP 800-171 R2]

Monitoring of physical access includes publicly accessible areas within organizational

facilities. This can be accomplished, for example, by the employment of guards; the use of

sensor devices; or the use of video surveillance equipment such as cameras. Examples of

support infrastructure include system distribution, transmission, and power lines. Security

controls applied to the support infrastructure prevent accidental damage, disruption, and

physical tampering. Such controls may also be necessary to prevent eavesdropping or

modification of unencrypted transmissions. Physical access controls to support

infrastructure include locked wiring closets; disconnected or locked spare jacks; protection

of cabling by conduit or cable trays; and wiretapping sensors.






PE.L2-3.10.2 – Monitor Facility

CMMC Assessment Guide – Level 2 | Version 2.13

183


FURTHER DISCUSSION

The infrastructure inside of a facility, such as power and network cables, is protected so that

visitors and unauthorized employees cannot access it. The protection is also monitored by

security guards, video cameras, sensors, or alarms.

Example

You are responsible for protecting your IT facilities. You install video cameras at each

entrance and exit, connect them to a video recorder, and show the camera feeds on a display

at the reception desk [c,d]. You also make sure there are secure locks on all entrances, exits,

and windows to the facilities [a,b].

Potential Assessment Considerations 

 Is physical access monitored to detect and respond to physical security incidents [c, d]?

KEY REFERENCES 

 NIST SP 800-171 Rev 2 3.10.2









PE.L2-3.10.3 – Escort Visitors [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

184


PE.L2-3.10.3 – ESCORT VISITORS [CUI DATA]

Escort visitors and monitor visitor activity.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]163

Determine if:
[a] visitors are escorted; and
[b] visitor activity is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]163

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access control; system security plan; physical access control logs or records;

inventory records of physical access control devices; system entry and exit points; records

of key and lock combination changes; storage locations for physical access control devices;

physical access control devices; list of security safeguards controlling access to designated

publicly accessible areas within facility; other relevant documents or records].

Interview
[SELECT FROM: Personnel with physical access control responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for physical access control; mechanisms

supporting or implementing physical access control; physical access control devices].

DISCUSSION [NIST SP 800-171 REV. 2]164

Individuals with permanent physical access authorization credentials are not considered

visitors. Audit logs can be used to monitor visitor activity.

FURTHER DISCUSSION

Do not allow visitors, even those people you know well, to walk around your facility without

an escort. Make sure that all non-employees wear special visitor badges and/or are escorted

by an employee at all times while on the property.


163 

NIST SP 800-171A, p. 47.

164 

NIST SP 800-171 Rev. 2, p. 32.






PE.L2-3.10.3 – Escort Visitors [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

185


Example
Coming back from a meeting, you see the friend of a coworker walking down the hallway

near your office. You know this person well and trust them, but are not sure why they are in

the building. You stop to talk, and the person explains that they are meeting a coworker for

lunch, but cannot remember where the lunchroom is. You walk the person back to the

reception area to get a visitor badge and wait until someone can escort them to the lunch

room [a]. You report this incident and the company decides to install a badge reader at the

main door so visitors cannot enter without an escort [a].

Potential Assessment Considerations 

 Are personnel required to accompany visitors to areas in a facility with physical access

to organizational systems [a]? 

 Are visitors clearly distinguishable from regular personnel [b]? 


 Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon

visitor departure, review of visitor audit logs) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.10.3 


 FAR Clause 52.204-21 Partial b.1.ix







PE.L2-3.10.4 – Physical Access Logs [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

186


PE.L2-3.10.4 – PHYSICAL ACCESS LOGS [CUI DATA]

Maintain audit logs of physical access.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]165

Determine if:
[a] audit logs of physical access are maintained.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]165

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access control; system security plan; physical access control logs or records;

inventory records of physical access control devices; system entry and exit points; records

of key and lock combination changes; storage locations for physical access control devices;

physical access control devices; list of security safeguards controlling access to designated

publicly accessible areas within facility; other relevant documents or records].

Interview
[SELECT FROM: Personnel with physical access control responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for physical access control; mechanisms

supporting or implementing physical access control; physical access control devices].

DISCUSSION [NIST SP 800-171 REV. 2]166

Organizations have flexibility in the types of audit logs employed. Audit logs can be

procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing

ID provided by a PIV card), or some combination thereof. Physical access points can include

facility access points, interior access points to systems or system components requiring

supplemental access controls, or both. System components (e.g., workstations, notebook

computers) may be in areas designated as publicly accessible with organizations

safeguarding access to such devices.

FURTHER DISCUSSION

Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can

do this in writing by having employees and visitors sign in and sign out or by electronic


165 

NIST SP 800-171A, p. 47.

166 

NIST SP 800-171 Rev. 2, pp. 32-33.






PE.L2-3.10.4 – Physical Access Logs [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

187


means such as badge readers. Whatever means you use, you need to retain the access records

for the time period that your company has defined.

Example
You and your coworkers like to have friends and family join you for lunch at the office on

Fridays. Your small company has just signed a contract with the DoD, however, and you now

need to document who enters and leaves your facility. You work with the reception staff to

ensure that all non-employees sign in at the reception area and sign out when they leave [a].

You retain those paper sign-in sheets in a locked filing cabinet for one year. Employees

receive badges or key cards that enable tracking and logging access to company facilities.

Potential Assessment Considerations 

 Are logs of physical access to sensitive areas (both authorized access and visitor access)

maintained per retention requirements [a]? 

 Are visitor access records retained for as long as required [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.10.4 


 FAR Clause 52.204-21 Partial b.1.ix








PE.L2-3.10.5 – Manage Physical Access [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

188


PE.L2-3.10.5 – MANAGE PHYSICAL ACCESS [CUI DATA]

Control and manage physical access devices.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]167

Determine if:
[a] physical access devices are identified;
[b] physical access devices are controlled; and
[c] physical access devices are managed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]167

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

physical access control; system security plan; physical access control logs or records;

inventory records of physical access control devices; system entry and exit points; records

of key and lock combination changes; storage locations for physical access control devices;

physical access control devices; list of security safeguards controlling access to designated

publicly accessible areas within facility; other relevant documents or records].

Interview
[SELECT FROM: Personnel with physical access control responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for physical access control; mechanisms

supporting or implementing physical access control; physical access control devices].

DISCUSSION [NIST SP 800-171 REV. 2]168

Physical access devices include keys, locks, combinations, and card readers.

FURTHER DISCUSSION

Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as

important as monitoring and limiting who is able to physically access certain equipment.

Physical access devices are only strong protection if you know who has them and what access

they allow. Physical access devices can be managed using manual or automatic processes


167 

NIST SP 800-171A, pp. 47-48.

168 

NIST SP 800-171 Rev. 2, p. 33.






PE.L2-3.10.5 – Manage Physical Access [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

189


such a list of who is assigned what key, or updating the badge access system as personnel

change roles.

Example
You are a facility manager. A team member retired today and returns their company keys to

you. The project on which they were working requires access to areas that contain

equipment with CUI. You receive the keys, check your electronic records against the serial

numbers on the keys to ensure all have been returned, and mark each key returned [c].

Potential Assessment Considerations 

 Are lists or inventories of physical access devices maintained (e.g., keys, facility badges,

key cards) [a]? 

 Is  access to physical access devices  limited  (e.g.,  granted to, and accessible only by,

authorized individuals) [b]? 

 Are physical access devices managed (e.g., revoking key card access when necessary,

changing locks as needed, maintaining access control devices and systems) [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.10.5 


 FAR Clause 52.204-21 Partial b.1.ix








PE.L2-3.10.6 – Alternative Work Sites

CMMC Assessment Guide – Level 2 | Version 2.13

190


PE.L2-3.10.6 – ALTERNATIVE WORK SITES

Enforce safeguarding measures for CUI at alternate work sites.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]169

Determine if:
[a] safeguarding measures for CUI are defined for alternate work sites; and
[b] safeguarding measures for CUI are enforced for alternate work sites.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]169

Examine
[SELECT FROM: Physical and environmental protection policy; procedures addressing

alternate work sites for personnel; system security plan; list of safeguards required for

alternate work sites; assessments of safeguards at alternate work sites; other relevant

documents or records].

Interview
[SELECT FROM: Personnel approving use of alternate work sites; personnel using alternate

work sites; personnel assessing controls at alternate work sites; personnel with information

security responsibilities].

Test
[SELECT FROM: Organizational processes for security at alternate work sites; mechanisms

supporting alternate work sites; safeguards employed at alternate work sites; means of

communications between personnel at alternate work sites and security personnel].

DISCUSSION [NIST SP 800-171 REV. 2]170

Alternate work sites may include government facilities or the private residences of

employees. Organizations may define different security requirements for specific alternate

work sites or types of sites depending on the work-related activities conducted at those sites.
NIST SP 800-46 and NIST SP 800-114 provide guidance on enterprise and user security

when teleworking.

FURTHER DISCUSSION

Many people work from home or travel as part of their job. Define and implement safeguards

to account for protection of information beyond the enterprise perimeter. Safeguards may


169 

NIST SP 800-171A, p. 48.

170 

NIST SP 800-171 Rev. 2, p. 33.






PE.L2-3.10.6 – Alternative Work Sites

CMMC Assessment Guide – Level 2 | Version 2.13

191


include physical protections, such as locked file drawers, as well as electronic protections

such as encryption, audit logging, and proper access controls.

Example
Many of your company’s project managers work remotely as they often travel to sponsor

locations or even work from home. Because the projects on which they work require access

to CUI, you must ensure the same level of protection is afforded as when they work in the

office. You ensure that each laptop is deployed with patch management and anti-virus

software protection [b]. Because data may be stored on the local hard drive, you have

enabled full-disk encryption on their laptops [b]. When a remote staff member needs access

to the internal network you require VPN connectivity that also disconnects the laptop from

the remote network (i.e., prevents split tunneling) [b]. The VPN requires multifactor

authentication to verify remote users are who they claim to be [b].

Potential Assessment Considerations 

 Do all alternate sites where CUI data is stored or processed meet the same physical

security requirements as the main site [b]? 

 Does the alternate processing site provide information security measures equivalent to

those of the primary site [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.10.6







RA.L2-3.11.1 – RIsk Assessments

CMMC Assessment Guide – Level 2 | Version 2.13

192


Risk Assessment (RA)
RA.L2-3.11.1 – RISK ASSESSMENTS

Periodically assess the risk to organizational operations (including mission, functions, image,

or reputation), organizational assets, and individuals, resulting from the operation of

organizational systems and the associated processing, storage, or transmission of CUI.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]171

Determine if:
[a] the frequency to assess risk to organizational operations, organizational assets, and

individuals is defined; and

[b] risk to organizational operations, organizational assets, and individuals resulting from

the operation of an organizational system that processes, stores, or transmits CUI is

assessed with the defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]171

Examine
[SELECT FROM: Risk assessment policy; security planning policy and procedures;

procedures addressing organizational risk assessments; system security plan; risk

assessment; risk assessment results; risk assessment reviews; risk assessment updates;

other relevant documents or records].

Interview
[SELECT FROM: Personnel with risk assessment responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Organizational processes for risk assessment; mechanisms supporting or

for conducting, documenting, reviewing, disseminating, and updating the risk assessment].

DISCUSSION [NIST SP 800-171 REV. 2]172

Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk

assessments consider threats, vulnerabilities, likelihood, and impact to organizational

operations, organizational assets, and individuals based on the operation and use of

organizational systems. Risk assessments also consider risk from external parties (e.g.,

service providers, contractor operating systems on behalf of the organization, individuals


171 

NIST SP 800-171A, p. 49.

172 

NIST SP 800-171 Rev. 2, p. 33.






RA.L2-3.11.1 – RIsk Assessments

CMMC Assessment Guide – Level 2 | Version 2.13

193


accessing organizational systems, outsourcing entities). Risk assessments, either formal or

informal, can be conducted at the organization level, the mission or business process level,

or the system level, and at any phase in the system development life cycle.
NIST SP 800-30 provides guidance on conducting risk assessments.

FURTHER DISCUSSION

Risk arises from anything that can reduce an organization’s assurance of mission/business

success; cause harm to image or reputation; or harm individuals, other organizations, or the

Nation.
Organizations assess the risk to their operations and assets at regular intervals. Areas where

weakness or vulnerabilities could lead to risk may include: 

 poorly designed and executed business processes; 


 inadvertent actions of people, such as disclosure or modification of information; 


 intentional actions of people inside and outside the organization; 


 failure of systems to perform as intended; 


 failures of technology; and 


 external events, such as natural disasters, public infrastructure and supply chain failures.

When conducting risk assessments use established criteria and procedures. The results of

formal risk assessments are documented. It is important to note that risk assessments differ

from vulnerability assessments (see RA.L2-3.11.2). A vulnerability assessment provides

input to a risk assessment along with other information such as results from likelihood

analysis and analysis of potential treat sources.
Risk assessments should be performed at defined regular intervals. Mission risks include

anything that will keep an organization from meeting its mission. Function risk is anything

that will prevent the performance of a function. Image and reputation risks refer to

intangible risks that have value and could cause damage to potential or future trust

relationships.173
This requirement, RA.L2-3.11.1, which requires periodically assessing the risk to

organization systems, assets, and individuals, is a baseline Risk Assessment requirement.

RA.L2-3.11.1 enables other Risk Assessment requirements (e.g., RA.L2-3.11.3, Vulnerability

Remediation), as well as CA.L2-3.12.2, Plan of Action.

Example
You are a system administrator. You and your team members are working on a big

government contract requiring you to store CUI. As part of your periodic (e.g., annual) risk

assessment exercise, you evaluate the new risk involved with storing CUI [a,b]. When

conducting the assessment you consider increased legal exposure, financial requirements of

safeguarding CUI, potentially elevated attention from external attackers, and other factors.


173 

NIST SP 800-30, Guide for Conducting Risk Assessments, September 2012.






RA.L2-3.11.1 – RIsk Assessments

CMMC Assessment Guide – Level 2 | Version 2.13

194


After determining how storing CUI affects your overall risk profile, you use that as a basis for

a conversation on how that risk should be mitigated.

Potential Assessment Considerations 

 Have initial and periodic risk assessments been conducted [b]? 


 Are methods defined for assessing risk (e.g., reviewing security assessments, incident

reports, and security advisories, identifying threat sources, threat events, and

vulnerabilities, and determining likelihood, impact, and overall risk to the confidentiality

of CUI) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.11.1








RA.L2-3.11.2 – Vulnerability Scan

CMMC Assessment Guide – Level 2 | Version 2.13

195


RA.L2-3.11.2 – VULNERABILITY SCAN

Scan for vulnerabilities in organizational systems and applications periodically and when

new vulnerabilities affecting those systems and applications are identified.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]174

Determine if:
[a] the frequency to scan for vulnerabilities in organizational systems and applications is

defined;

[b] vulnerability scans are performed on organizational systems with the defined

frequency;

[c] vulnerability scans are performed on applications with the defined frequency;
[d] vulnerability scans are performed on organizational systems when new vulnerabilities

are identified; and

[e] vulnerability scans are performed on applications when new vulnerabilities are

identified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]174

Examine
[SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk

assessment; system security plan; security assessment report; vulnerability scanning tools

and associated configuration documentation; vulnerability scanning results; patch and

vulnerability management records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with risk assessment, security assessment and vulnerability

scanning responsibilities; personnel with vulnerability scan analysis and remediation

responsibilities; personnel with information security responsibilities; system or network

administrators].

Test
[SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation,

and information sharing; mechanisms supporting or implementing vulnerability scanning,

analysis, remediation, and information sharing].


174 

NIST SP 800-171A, pp. 49-50.






RA.L2-3.11.2 – Vulnerability Scan

CMMC Assessment Guide – Level 2 | Version 2.13

196


DISCUSSION [NIST SP 800-171 REV. 2]175

Organizations determine the required vulnerability scanning for all system components,

ensuring that potential sources of vulnerabilities such as networked printers, scanners, and

copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new

vulnerabilities are discovered, announced, and scanning methods developed. This process

ensures that potential vulnerabilities in the system are identified and addressed as quickly

as possible. Vulnerability analyses for custom software applications may require additional

approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three

approaches. Organizations can employ these analysis approaches in source code reviews and

in a variety of tools (e.g., static analysis tools, web-based application scanners, binary

analyzers). Vulnerability scanning includes: scanning for patch levels; scanning for functions,

ports, protocols, and services that should not be accessible to users or devices; and scanning

for improperly configured or incorrectly operating information flow control mechanisms.
To facilitate interoperability, organizations consider using products that are Security

Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in

the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the

Open Vulnerability Assessment Language (OVAL) to determine the presence of system

vulnerabilities. Sources for vulnerability information include the Common Weakness

Enumeration (CWE) listing and the National Vulnerability Database (NVD).
Security assessments, such as red team exercises, provide additional sources of potential

vulnerabilities for which to scan. Organizations also consider using scanning tools that

express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain

situations, the nature of the vulnerability scanning may be more intrusive or the system

component that is the subject of the scanning may contain highly sensitive information.

Privileged access authorization to selected system components facilitates thorough

vulnerability scanning and protects the sensitive nature of such scanning.
NIST SP 800-40 provides guidance on vulnerability management.

FURTHER DISCUSSION

A vulnerability scanner is an application that identifies vulnerabilities in organizational

assets. Most scanners can create a prioritized list of vulnerabilities ordered by their level of

severity. Scan for vulnerabilities on all devices connected to the network including servers,

desktops, laptops, virtual machines, containers, firewalls, switches, and printers. All assets

that are within the scope of the CMMC assessment must be scanned, including assets such as

laptop computers that may not routinely connect to an organization’s network.
Perform reviews of your organization’s custom-developed software. Vulnerability analysis

of a custom-made solution may require a penetration tester to properly test and validate

findings. Automated vulnerability scanners may not be as thorough when scanning custom

developed applications. Source code scanners can help identify weaknesses and

vulnerabilities within code prior to compilation and use.


175 

NIST SP 800-171 Rev. 2, pp. 33-34.






RA.L2-3.11.2 – Vulnerability Scan

CMMC Assessment Guide – Level 2 | Version 2.13

197


The vulnerability scanning process is a regular activity, not a single occurrence.

Organizations put in place a vulnerability scanner that updates its database each time it

performs a scan so it can identify the most current known vulnerabilities. Schedule scans

with consideration of the potential for impact to normal operations and use caution when

scanning critical assets.
This requirement, RA.L2-3.11.2, which ensures scanning for vulnerabilities in

organizational systems and application, is a baseline Risk Assessment requirement. RA.L2-

3.11.2, contributes to performing risk assessments as described in RA.L2-3.11.1.

Example
You are a system administrator. Your organization has assessed its risk and determined that

it needs to scan for vulnerabilities in systems and applications once each quarter [a]. You

conduct some tests and decide that it is important to be able to schedule scans after standard

business hours. You also realize that you have remote workers and that you will need to be

sure to scan their remote computers as well [b]. After some final tests, you integrate the scans

into normal IT operations, running as scheduled [b,c]. You verify that the scanner application

receives the latest updates on vulnerabilities and that those are included in future scans [d,e].

Potential Assessment Considerations 

 Is  the frequency specified for vulnerability scans to be performed in organizational

systems and applications (e.g., continuous passive scanning, scheduled active scans) [a]? 

 Are vulnerability scans performed on a defined frequency or randomly in accordance

with company policy [a,b,c]? 

 Are systems periodically scanned for common and new vulnerabilities [d,e]? 


 Is the list of scanned system vulnerabilities updated on a defined frequency or when new

vulnerabilities are identified and reported [d,e]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.11.2








RA.L2-3.11.3 – Vulnerability Remediation

CMMC Assessment Guide – Level 2 | Version 2.13

198


RA.L2-3.11.3 – VULNERABILITY REMEDIATION

Remediate vulnerabilities in accordance with risk assessments.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]176

Determine if:
[a] vulnerabilities are identified; and
[b] vulnerabilities are remediated in accordance with risk assessments.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]176

Examine
[SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk

assessment; system security plan; security assessment report; vulnerability scanning tools

and associated configuration documentation; vulnerability scanning results; patch and

vulnerability management records; other relevant documents or records].

Interview
[SELECT FROM: Personnel with risk assessment, security assessment and vulnerability

scanning responsibilities; personnel with vulnerability scan analysis responsibilities;

personnel with vulnerability remediation responsibilities; personnel with information

security responsibilities; system or network administrators].

Test
[SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation,

and information sharing; mechanisms supporting or implementing vulnerability scanning,

analysis, remediation, and information sharing].

DISCUSSION [NIST SP 800-171 REV. 2]177

Vulnerabilities discovered, for example, via the scanning conducted in response to RA.L2-

3.11.2, are remediated with consideration of the related assessment of risk. The

consideration of risk influences the prioritization of remediation efforts and the level of

effort to be expended in the remediation for specific vulnerabilities.

FURTHER DISCUSSION

Not all vulnerabilities captured in a vulnerability scanner may pose the same level of risk to

an organization. Prioritize mitigation efforts to close the most critical vulnerabilities first.


176 

NIST SP 800-171A, p. 50.

177 

NIST SP 800-171 Rev. 2, p. 34.






RA.L2-3.11.3 – Vulnerability Remediation

CMMC Assessment Guide – Level 2 | Version 2.13

199


Track all vulnerability remediation to ensure completion; also track vulnerabilities that you

have determined not to remediate.
This requirement, RA.L2-3.11.3, benefits from CA.L2-3.12.2. RA.L2-3.11.3 allows

remediation of vulnerabilities to take place based on the developed plans of actions for

vulnerabilities from CA.L2-3.12.2.

Example
You are a system administrator. Each quarter you receive a list of vulnerabilities generated

by your company’s vulnerability scanner [a]. You prioritize that list and note which

vulnerabilities should be targeted as soon as possible as well as which vulnerabilities you

can safely defer addressing at this time. You document the reasoning behind accepting the

risk of the unremediated flaws and note to continue to monitor these vulnerabilities in case

you need to revise the decision at a later date [b].

Potential Assessment Considerations 

 Are the results of risk assessments used to prioritize vulnerabilities for remediation [b]? 


 For any given vulnerability is action taken for remediation, acceptance, avoidance, or

transference of the vulnerability risk [b]? 

 Are all high risk vulnerabilities prioritized [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.11.3







CA.L2-3.12.1 – Security Control Assessment

CMMC Assessment Guide – Level 2 | Version 2.13

200


Security Assessment (CA)
CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT

Periodically assess the security controls in organizational systems to determine if the

controls are effective in their application.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]178

Determine if:
[a] the frequency of security control assessments is defined; and
[b] security controls are assessed with the defined frequency to determine if the controls

are effective in their application.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]178

Examine
[SELECT FROM: Security assessment and authorization policy; procedures addressing

security assessment planning; procedures addressing security assessments; security

assessment plan; system security plan; other relevant documents or records].

Interview
[SELECT FROM: Personnel with security assessment responsibilities; personnel with

information security responsibilities].

Test
[SELECT FROM: Mechanisms supporting security assessment, security assessment plan

development, and security assessment reporting].
DISCUSSION [NIST SP 800-171 REV. 2]179

Organizations assess security controls in organizational systems and the environments in

which those systems operate as part of the system development life cycle. Security controls

are the safeguards or countermeasures organizations implement to satisfy security

requirements. By assessing the implemented security controls, organizations determine if

the security safeguards or countermeasures are in place and operating as intended. Security

control assessments ensure that information security is built into organizational systems;

identify weaknesses and deficiencies early in the development process; provide essential

information needed to make risk-based decisions; and ensure compliance to vulnerability


178 

NIST SP 800-171A, p. 51.

179 

NIST SP 800-171 Rev. 2, pp. 34-35.






CA.L2-3.12.1 – Security Control Assessment

CMMC Assessment Guide – Level 2 | Version 2.13

201


mitigation procedures. Assessments are conducted on the implemented security controls as

documented in system security plans.
Security assessment reports document assessment results in sufficient detail as deemed

necessary by organizations, to determine the accuracy and completeness of the reports and

whether the security controls are implemented correctly, operating as intended, and

producing the desired outcome with respect to meeting security requirements. Security

assessment results are provided to the individuals or roles appropriate for the types of

assessments being conducted.
Organizations ensure that security assessment results are current, relevant to the

determination of security control effectiveness, and obtained with the appropriate level of

assessor independence. Organizations can choose to use other types of assessment activities

such as vulnerability scanning and system monitoring to maintain the security posture of

systems during the system life cycle.
NIST SP 800-53 provides guidance on security and privacy controls for systems and

organizations. SP 800-53A provides guidance on developing security assessment plans and

conducting assessments.
FURTHER DISCUSSION

Avoid a “set it and forget it” mentality when implementing security controls. The security

landscape is constantly changing. Reassess existing controls at periodic intervals in order to

validate their effectiveness in your environment. Set the assessment schedule according to

organizational needs. Consider regulatory obligations and internal policies when assessing

the controls.
Outputs from security control assessments typically include: 

 documented assessment results; 


 proposed new controls, or updates to existing controls; 


 remediation plans; and 


 newly identified risks.

This requirement, CA.L2-3.12.1, which ensures determining security controls are

implemented properly, promotes effective security assessments for organizational systems

mandated by CA.L2-3.12.3.

Example
You are in charge of IT operations. You need to ensure that the security controls

implemented within the system are achieving their objectives [b]. Taking the requirements

outlined in your SSP as a guide, you conduct annual written reviews of the security controls

to ensure they meet your organization’s needs. When you find controls that do not meet

requirements, you propose updated or new controls, develop a written implementation plan,

document new risks, and execute the changes.






CA.L2-3.12.1 – Security Control Assessment

CMMC Assessment Guide – Level 2 | Version 2.13

202


Potential Assessment Considerations 

 Are security controls assessed at least annually [a]? 


 Is the output of the security controls assessment documented [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.12.1







CA.L2-3.12.2 – operational Plan of Action

CMMC Assessment Guide – Level 2 | Version 2.13

203


CA.L2-3.12.2 – OPERATIONAL PLAN OF ACTION

Develop and implement plans of action designed to correct deficiencies and reduce or

eliminate vulnerabilities in organizational systems.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]180

Determine if:
[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate

identified vulnerabilities; and

[c] the plan of action is implemented to correct identified deficiencies and reduce or

eliminate identified vulnerabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]180

Examine
[SELECT FROM: Security assessment and authorization policy; procedures addressing plan

of action; system security plan; security assessment plan; security assessment report;

security assessment evidence; plan of action; other relevant documents or records].

Interview
[SELECT FROM: Personnel with plan of action development and implementation

responsibilities; personnel with information security responsibilities].

Test
[SELECT FROM: Mechanisms for developing, implementing, and maintaining plan of action].
DISCUSSION [NIST SP 800-171 REV. 2]181

The plan of action is a key document in the information security program. Organizations

develop plans of action that describe how any unimplemented security requirements will be

met and how any planned mitigations will be implemented. Organizations can document the

system security plan and plan of action as separate or combined documents and in any

chosen format.
Federal agencies may consider the submitted system security plans and plans of action as

critical inputs to an overall risk management decision to process, store, or transmit CUI on a

system hosted by a nonfederal organization and whether it is advisable to pursue an

agreement or contract with the nonfederal organization.


180 

NIST SP 800-171A, p. 51.

181 

NIST SP 800-171 Rev. 2, p. 35.






CA.L2-3.12.2 – operational Plan of Action

CMMC Assessment Guide – Level 2 | Version 2.13

204


FURTHER DISCUSSION

When you write a plan of action, define the clear goal or objective of the plan. You may

include the following in the action plan: 

 ownership of who is accountable for ensuring the plan’s performance; 


 specific steps or milestones that are clear and actionable; 


 assigned responsibility for each step or milestone; 


 milestones to measure plan progress; and 


 completion dates.

This requirement, CA.L2-3.12.2, which ensures developing and implementing operational

plans of action to correct and reduce vulnerabilities in systems, is driven by risk management

requirement RA.L2-3.11.1, which promotes periodically assessing risk to organizational

systems. CA.L2-3.12.2 promotes monitoring security controls on an ongoing basis as defined

in requirement CA.L2-3.12.3.
An operational plan of action in accordance with CA.L2-3.12.2 differs from a CMMC

assessment POA&M as described in 32 CFR § 170.21. The assessment POA&M places

conditions on which security requirements can be assessed as NOT MET and allows the OSA

to qualify for a CMMC Status of Conditional Level 2 (Self), Conditional Level 2 (C3PAO), or

Conditional Level 3 (DIBCAC). Operational plans of action are not subject to the 180 day

POA&M closeout requirement. Severity, availability of remediation, and business

requirements are among the factors to consider when creating and maintaining operational

plans of action.

Example
As IT director, one of your duties is to develop action plans when you discover that your

company is not meeting security requirements or when a security issue arises [b]. A recent

vulnerability scan identified several items that need to be addressed so you develop a plan

to fix them [b]. Your plan identifies the people responsible for fixing the issues, how to do it,

and when the remediation will be completed [b]. You also define how to verify that the

person responsible has fixed the vulnerability [b]. You document this in an operational plan

of action that is updated as milestones are reached [b]. You have a separate resource review

the modifications after they have been completed to ensure the plan has been implemented

correctly [c].

Potential Assessment Considerations 

 Is there an action plan to remediate identified weaknesses or deficiencies [a]? 


 Is the action plan maintained as remediation is performed [b]? 


 Does the action plan designate remediation dates and milestones for each item [c]?






CA.L2-3.12.2 – operational Plan of Action

CMMC Assessment Guide – Level 2 | Version 2.13

205


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.12.2








CA.L2-3.12.3 – Security Control Monitoring

CMMC Assessment Guide – Level 2 | Version 2.13

206


CA.L2-3.12.3 – SECURITY CONTROL MONITORING

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the

controls.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]182

Determine if:
[a] security controls are monitored on an ongoing basis to ensure the continued

effectiveness of those controls.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]182

Examine
[SELECT FROM: Security planning policy; organizational procedures addressing system

security plan development and implementation; procedures addressing system security

plan reviews and updates; enterprise architecture documentation; system security plan;

records of system security plan reviews and updates; other relevant documents or records].

Interview
[SELECT FROM: Personnel with security planning and system security plan implementation

responsibilities; personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for system security plan development, review,

update, and approval; mechanisms supporting the system security plan].

DISCUSSION [NIST SP 800-171 REV. 2]183

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities,

and information security to support organizational risk management decisions. The terms

continuous and ongoing imply that organizations assess and analyze security controls and

information security-related risks at a frequency sufficient to support risk-based decisions.

The results of continuous monitoring programs generate appropriate risk response actions

by organizations. Providing access to security information on a continuing basis through

reports or dashboards gives organizational officials the capability to make effective and

timely risk management decisions. Automation supports more frequent updates to

hardware, software, firmware inventories, and other system information. Effectiveness is

further enhanced when continuous monitoring outputs are formatted to provide

information that is specific, measurable, actionable, relevant, and timely. Monitoring


182 

NIST SP 800-171A, p. 52.

183 

NIST SP 800-171 Rev. 2, p. 35.






CA.L2-3.12.3 – Security Control Monitoring

CMMC Assessment Guide – Level 2 | Version 2.13

207


requirements, including the need for specific monitoring, may also be referenced in other

requirements.
NIST SP 800-137 provides guidance on continuous monitoring.

FURTHER DISCUSSION

Provide a plan for monitoring the state of security controls on a recurring basis that occurs

more frequently than the periodic assessments discussed in CA.L2-3.12.1. This process

provides a mechanism to assess the overall security posture of your organization, which

directly relates to activities discussed in CA.L2-3.12.4. As a result, the process not only

maintains awareness of vulnerabilities and threats, but it also informs management of the

effectiveness of the security controls in determining if security controls are current and for

management to make an acceptable risk decision.

Example
You are responsible for ensuring your company fulfills all cybersecurity requirements for its

DoD contracts. You review those requirements and the security controls your company has

put in place to meet them. You then create a plan to evaluate each control regularly over the

next year. You mark several controls to be evaluated by a third-party security assessor. You

assign other IT resources in the organization to evaluate controls within their area of

responsibility. To ensure progress you establish recurring meetings with the accountable IT

staff to assess continuous monitoring progress, review security information, evaluate risks

from gaps in continuous monitoring, and produce reports for your management [a].

Potential Assessment Considerations 

 Are the security controls that need to be continuously monitored identified [a]? 


 Is the timeframe for continuous monitoring activities to support risk-based decision

making defined [a]? 

 Is the output of continuous monitoring activities provided to stakeholders [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.12.3






CA.L2-3.12.4 – System Security Plan

CMMC Assessment Guide – Level 2 | Version 2.13

208


CA.L2-3.12.4 – SYSTEM SECURITY PLAN

Develop, document, and periodically update system security plans that describe system

boundaries, system environments of operation, how security requirements are

implemented, and the relationships with or connections to other systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]184

Determine if:
[a] a system security plan is developed;
[b] the system boundary is described and documented in the system security plan;
[c] the system environment of operation is described and documented in the system

security plan;

[d] the security requirements identified and approved by the designated authority as

non-applicable are identified;

[e] the method of security requirement implementation is described and documented in

the system security plan;

[f] the relationship with or connection to other systems is described and documented in

the system security plan;

[g] the frequency to update the system security plan is defined; and
[h] system security plan is updated with the defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]184

Examine
[SELECT FROM: Security planning policy; procedures addressing system security plan

development and implementation; procedures addressing system security plan reviews and

updates; enterprise architecture documentation; system security plan; records of system

security plan reviews and updates; other relevant documents or records].

Interview
[SELECT FROM: Personnel with security planning and system security plan implementation

responsibilities; personnel with information security responsibilities].

Test
[SELECT FROM: Organizational processes for system security plan development, review,

update, and approval; mechanisms supporting the system security plan].


184 

NIST SP 800-171A, p. 52.






CA.L2-3.12.4 – System Security Plan

CMMC Assessment Guide – Level 2 | Version 2.13

209


DISCUSSION [NIST SP 800-171 REV. 2]185

System security plans relate security requirements to a set of security controls. System

security plans also describe, at a high level, how the security controls meet those security

requirements, but do not provide detailed, technical descriptions of the design or

implementation of the controls. System security plans contain sufficient information to

enable a design and implementation that is unambiguously compliant with the intent of the

plans and subsequent determinations of risk if the plan is implemented as intended. Security

plans need not be single documents; the plans can be a collection of various documents

including documents that already exist. Effective security plans make extensive use of

references to policies, procedures, and additional documents (e.g., design and

implementation specifications) where more detailed information can be obtained. This

reduces the documentation requirements associated with security programs and maintains

security-related information in other established management/operational areas related to

enterprise architecture, system development life cycle, systems engineering, and acquisition.
Federal agencies may consider the submitted system security plans and plans of action as

critical inputs to an overall risk management decision to process, store, or transmit CUI on a

system hosted by a nonfederal organization and whether it is advisable to pursue an

agreement or contract with the nonfederal organization.
NIST SP 800-18 provides guidance on developing security plans.

FURTHER DISCUSSION

A system security plan (SSP) is a document that outlines how an organization implements

its security requirements. OSAs must have an SSP in place at the time of assessment to

describe each information system within the CMMC Assessment Scope. The absence of an

up-to-date SSP at the time of the assessment would result in a finding that an assessment

could not be completed due to incomplete information and noncompliance with DFARS

clause 252.204-7012. OSAs are free to choose the format of their SSP. At a minimum, an SSP

must include: 

 Description of the CMMC Assessment Scope; 


 CMMC Assessment Scope  Description: high-level description of the assets  within the

assessment scope186; 

 Description of the Environment of Operation: physical surroundings in which an

information system processes, stores, and transmits information; 

 Identified and Approved Security Requirements: requirements levied on an information

system that are derived from applicable laws, Executive Orders, directives, policies,

standards, instructions, regulations, procedures, or organizational mission/business

case needs to ensure the confidentiality, integrity, and availability of the information

being processed, stored, or transmitted;


185 

NIST SP 800-171 Rev. 2, pp. 35-36.

186 

There is no requirement to embed every asset in the SSP. .






CA.L2-3.12.4 – System Security Plan

CMMC Assessment Guide – Level 2 | Version 2.13

210 


 Implementation Method for Security Requirements: description of how the identified

and approved security requirements are implemented with the system or environment; 

 Connections and Relationships to Other Systems and Networks: description of related,

dependent, and interconnected systems; and 

 Defined Frequency of Updates: at least annually.

In addition to the requirements above, an SSP often includes: 

 general information system description: technical and functional description; 


 design  philosophies:  defense-in-depth strategies and allowed interfaces and network

protocols; and 

 roles and responsibilities: description of the roles and responsibilities for key personnel,

which may include the system owner, system custodian, authorizing officials, and other

stakeholders

This requirement, CA.L2-3.12.4, which requires developing, documenting, and updating

system security plans, promotes effective information security within organizational

systems required by SC.L2-3.13.2, as well as other system and communications protection

requirements.

Example
You are in charge of system security. You develop an SSP and have senior leadership formally

approve the document [a]. The SSP explains how your organization handles CUI and defines

how that data is stored, transmitted, and protected [d,e]. The criteria outlined in the SSP is

used to guide configuration of the network and other information resources to meet your

company’s goals. Knowing that it is important to keep the SSP current, you establish a policy

that requires a formal review and update of the SSP each year [g,h].

Potential Assessment Considerations 

 Do mechanisms exist to develop and periodically update an SSP [a,g]? 


 Are security requirements identified and approved by the designated authority as

non-applicable documented [d]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.12.4







SC.L2-3.13.1 – Boundary Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

211


System and Communications Protection (SC)
SC.L2-3.13.1 – BOUNDARY PROTECTION [CUI DATA]

Monitor, control, and protect communications (i.e., information transmitted or received by

organizational systems) at the external boundaries and key internal boundaries of

organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]187

Determine if:
[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]187

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system security plan; list of key internal boundaries of the system;

system design documentation; boundary protection hardware and software; enterprise

security architecture documentation; system audit logs and records; system configuration

settings and associated documentation; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers; personnel with boundary protection responsibilities].

Test
[SELECT FROM: Mechanisms implementing boundary protection capability].


187 

NIST SP 800-171A, p. 53.






SC.L2-3.13.1 – Boundary Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

212


DISCUSSION [NIST SP 800-171 REV. 2]188

Communications can be monitored, controlled, and protected at boundary components and

by restricting or prohibiting interfaces in organizational systems. Boundary components

include gateways, routers, firewalls, guards, network-based malicious code analysis and

virtualization systems, or encrypted tunnels implemented within a system security

architecture (e.g., routers protecting firewalls or application gateways residing on protected

subnetworks). Restricting or prohibiting interfaces in organizational systems includes

restricting external web communications traffic to designated web servers within managed

interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the

implementation of security requirements associated with the use of such services.

Commercial telecommunications services are commonly based on network components and

consolidated management systems shared by all attached commercial customers and may

also include third party-provided access lines and other service elements. Such transmission

services may represent sources of increased risk despite contract security provisions. NIST

SP 800-41 provides guidance on firewalls and firewall policy. NIST SP 800-125B provides

guidance on security for virtualization technologies.

FURTHER DISCUSSION

Fences, locks, badges, and key cards help keep non-employees out of your physical facilities.

Similarly, your company’s IT network or system has boundaries that must be protected.

Many companies use a web proxy and a firewall.
When an employee uses a company computer to go to a website, a web proxy makes the

request on the user’s behalf, looks at the web request, and decides if it should let the

employee go to the website.
A firewall controls access from the inside and outside, protecting valuable information and

resources stored on the company’s network. A firewall stops unwanted traffic on the internet

from passing through an outside “fence” to the company’s networks and information

systems. Internal boundaries determine where data can flow, for instance a software

development environment may have its own boundary controlling, monitoring, and

protecting the data that can leave that boundary.
It may be wise to monitor, control, or protect one part of the company network from another.

This can also be accomplished with a firewall and limits the ability of attackers and

disgruntled employees from entering sensitive parts of your internal network and causing

damage.

Example
You are setting up the new network and want to keep your company’s information and

resources safe. You start by sketching out a simple diagram that identifies the external

boundary of your network and any internal boundaries that are needed [a,b]. The first piece


188 

NIST SP 800-171 Rev. 2, p. 36.






SC.L2-3.13.1 – Boundary Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

213


of equipment you install is the firewall, a device to separate your internal network from the

internet. The firewall also has a feature that allows you to block access to potentially

malicious websites, and you configure that service as well [a,c,e,g]. Some of your coworkers

complain that they cannot get onto certain websites [c,e,g]. You explain that the new network

blocks websites that are known for spreading malware. The firewall sends you a daily digest

of blocked activity so that you can monitor the system for attack trends [c,d].

Potential Assessment Considerations 

 What are the external system boundary components that make up the entry and exit

points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all

system components that handle regulated data are contained? What are the supporting

system components necessary for the protection of regulated data [a]? 

 What are the internal system boundary components that make up the entry and exit

points for key internal data flow (e.g., internal firewalls, routers, any devices that can

bridge the connection between one segment of the system and another) that separate

segments of the internal network – including devices that separate internal network

segments such as development and production networks as well as a traditional

Demilitarized Zone (DMZ) at the edge of the network [b]? 

 Is data flowing in and out of the external and key internal system boundaries monitored

(e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts)

[c,d]? 

 Is  data  traversing  the external and internal system  boundaries  controlled  such that

connections are denied by default and only authorized connections are allowed [e,f]? 

 Is data flowing in and out of the external and key internal system boundaries protected

(e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.1 


 FAR Clause 52.204-21 b.1.x








SC.L2-3.13.2 – Security Engineering

CMMC Assessment Guide – Level 2 | Version 2.13

214


SC.L2-3.13.2 – SECURITY ENGINEERING

Employ architectural designs, software development techniques, and systems engineering

principles that promote effective information security within organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]189

Determine if:
[a] architectural designs that promote effective information security are identified;
[b] software development techniques that promote effective information security are

identified;

[c] systems engineering principles that promote effective information security are

identified;

[d] identified architectural designs that promote effective information security are

employed;

[e] identified software development techniques that promote effective information

security are employed; and

[f] identified systems engineering principles that promote effective information security

are employed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]189

Examine
[SELECT FROM: Security planning policy; procedures addressing system security plan

development and implementation; procedures addressing system security plan reviews and

updates; enterprise architecture documentation; system security plan; records of system

security plan reviews and updates; system and communications protection policy;

procedures addressing security engineering principles used in the specification, design,

development, implementation, and modification of the system; security architecture

documentation; security requirements and specifications for the system; system design

documentation; system configuration settings and associated documentation; other relevant

documents or records].

Interview
[SELECT FROM: Personnel with responsibility for determining information system security

requirements; personnel with information system design, development, implementation,

and modification responsibilities; personnel with security planning and system security plan

implementation responsibilities; personnel with information security responsibilities].


189 

NIST SP 800-171A, pp. 53-54.






SC.L2-3.13.2 – Security Engineering

CMMC Assessment Guide – Level 2 | Version 2.13

215


Test
[SELECT FROM: Organizational processes for system security plan development, review,

update, and approval; mechanisms supporting the system security plan; processes for

applying security engineering principles in system specification, design, development,

implementation, and modification; automated mechanisms supporting the application of

security engineering principles in information system specification, design, development,

implementation, and modification].

DISCUSSION [NIST SP 800-171 REV. 2]190

Organizations apply systems security engineering principles to new development systems

or systems undergoing major upgrades. For legacy systems, organizations apply systems

security engineering principles to system upgrades and modifications to the extent feasible,

given the current state of hardware, software, and firmware components within those

systems. The application of systems security engineering concepts and principles helps to

develop trustworthy, secure, and resilient systems and system components and reduce the

susceptibility of organizations to disruptions, hazards, and threats. Examples of these

concepts and principles include developing layered protections; establishing security

policies, architecture, and controls as the foundation for design; incorporating security

requirements into the system development life cycle; delineating physical and logical

security boundaries; ensuring that developers are trained on how to build secure software;

and performing threat modeling to identify use cases, threat agents, attack vectors and

patterns, design patterns, and compensating controls needed to mitigate risk. Organizations

that apply security engineering concepts and principles can facilitate the development of

trustworthy, secure systems, system components, and system services; reduce risk to

acceptable levels; and make informed risk-management decisions.
NIST SP 800-160-1 provides guidance on systems security engineering.

FURTHER DISCUSSION

Familiarity with security engineering principles and their successful application to your

infrastructure will increase the security of your environment. NIST SP 800-160 System

Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of

Trustworthy Secure Systems can serve as a source of security engineering and design

principles.
Decide which designs and principles to apply. Some will not be possible or appropriate for a

given company or for specific systems or components.
Designs and principles should be applied to policies and security standards. Starting with

the baseline configuration, they should be extended through all layers of the technology

stack (e.g., hardware, software, firmware) and throughout all the components of the

infrastructure. The application of these chosen designs and principles should drive you


190 

NIST SP 800-171 Rev. 2, pp. 36-37.






SC.L2-3.13.2 – Security Engineering

CMMC Assessment Guide – Level 2 | Version 2.13

216


towards a secure architecture with the required security capabilities and intrinsic behaviors

present throughout the lifecycle of your technology.
As legacy components age, it may become increasingly difficult for those components to meet

security principles and requirements. This should factor into life-cycle decisions for those

components (e.g., replacing legacy hardware, upgrading or re-writing software, upgrading

run-time environments).

Example
You are responsible for developing strategies to protect data and harden your infrastructure.

You are on a team responsible for performing a major upgrade to a legacy system. You refer

to your documented security engineering principles [c]. Reviewing each, you decide which

are appropriate and applicable [c]. You apply the chosen designs and principles when

creating your design for the upgrade [f].
You document the security requirements for the software and hardware changes to ensure

the principles are followed. You review the upgrade at critical points in the workflow to

ensure the requirements are met. You assist in updating the policies covering the use of the

upgraded system so user behavior stays aligned with the principles.

Potential Assessment Considerations 

 Does the organization have a defined system architecture [a,d]? 


 Are system security engineering principles applied in the specification, design,

development and implementation of the systems [d,e,f]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.2








SC.L2-3.13.3 – Role Separation

CMMC Assessment Guide – Level 2 | Version 2.13

217


SC.L2-3.13.3 – ROLE SEPARATION

Separate user functionality from system management functionality.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]191

Determine if:
[a] user functionality is identified;
[b] system management functionality is identified; and
[c] user functionality is separated from system management functionality.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]191

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

application partitioning; system design documentation; system configuration settings and

associated documentation; system security plan; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer].

Test
[SELECT FROM: Separation of user functionality from system management functionality].

DISCUSSION [NIST SP 800-171 REV. 2]192

System management functionality includes functions necessary to administer databases,

network components, workstations, or servers, and typically requires privileged user access.

The separation of user functionality from system management functionality is physical or

logical. Organizations can implement separation of system management functionality from

user functionality by using different computers, different central processing units, different

instances of operating systems, or different network addresses; virtualization techniques; or

combinations of these or other methods, as appropriate. This type of separation includes

web administrative interfaces that use separate authentication methods for users of any

other system resources. Separation of system and user functionality may include isolating

administrative interfaces on different domains and with additional access controls.


191 

NIST SP 800-171A, p. 54.

192 

NIST SP 800-171 Rev. 2, p. 37.






SC.L2-3.13.3 – Role Separation

CMMC Assessment Guide – Level 2 | Version 2.13

218


FURTHER DISCUSSION

Prevent users and user services from accessing system management functionality on IT

components (e.g., databases, network components, workstations, servers). This reduces the

attack surface to those critical interfaces by limiting who can access and how they can be

accessed. By separating the user functionality from system management functionality, the

administrator or privileged functions are not available to the general user.
The intent of this requirement is to ensure: 

 general users are not permitted to perform system administration functions; and 


 system administrators only perform system administration functions from their

privileged account.

This can be accomplished using separation like VLANs or logical separation using strong

access control methods.

Example
As a system administrator, you are responsible for managing a number of core systems.

Policy prevents you from conducting any administration from the computer or system

account you use for day-to-day work [a,b]. The servers you manage also are isolated from

the main corporate network. To work with them you use a special unique account to connect

to a “jump” server that has access to the systems you routinely administer.

Potential Assessment Considerations 

 Are physical or logical controls used to separate user functionality from system

management-related functionality (e.g., to ensure that administration (e.g., privilege)

options are not available to general users) [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.3








SC.L2-3.13.4 – Shared Resource Control

CMMC Assessment Guide – Level 2 | Version 2.13

219


SC.L2-3.13.4 – SHARED RESOURCE CONTROL

Prevent unauthorized and unintended information transfer via shared system resources.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]193

Determine if:
[a] unauthorized and unintended information transfer via shared system resources is

prevented.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]193

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

application partitioning; system security plan; system design documentation; system

configuration settings and associated documentation; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer].

Test
[SELECT FROM: Separation of user functionality from system management functionality].

DISCUSSION [NIST SP 800-171 REV. 2]194

The control of information in shared system resources (e.g., registers, cache memory, main

memory, hard disks) is also commonly referred to as object reuse and residual information

protection. This requirement prevents information produced by the actions of prior users or

roles (or the actions of processes acting on behalf of prior users or roles) from being available

to any current users or roles (or current processes acting on behalf of current users or roles)

that obtain access to shared system resources after those resources have been released back

to the system. This requirement also applies to encrypted representations of information.

This requirement does not address information remnants, which refers to residual

representation of data that has been nominally deleted; covert channels (including storage

or timing channels) where shared resources are manipulated to violate information flow

restrictions; or components within systems for which there are only single users or roles.


193 

NIST SP 800-171A, pp. 54-55.

194 

NIST SP 800-171 Rev. 2, p. 37.






SC.L2-3.13.4 – Shared Resource Control

CMMC Assessment Guide – Level 2 | Version 2.13

220


FURTHER DISCUSSION

No shared system resource, such as cache memory, hard disks, registers, or main memory

may pass information from one user to another user. In other words, when objects are

reused no residual information should exist on that object. This protects the confidentiality

of the information. This is typically a feature provided by operating system and software

vendors.

Example
You are a system administrator responsible for creating and deploying the system hardening

procedures for your company’s computers. You ensure that the computer baselines include

software patches to prevent attackers from exploiting flaws in the processor architecture to

read data (e.g., the Meltdown and Spectre exploits). You also verify that the computer

operating system is configured to prevent users from accessing other users’ folders [a].

Potential Assessment Considerations 

 Are shared system resources identified and documented [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.4








SC.L2-3.13.5 – Public-Access System Separation [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

221


SC.L2-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION [CUI DATA]

Implement subnetworks for publicly accessible system components that are physically or

logically separated from internal networks.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]195

Determine if:
[a] publicly accessible system components are identified; and
[b] subnetworks for publicly accessible system components are physically or logically

separated from internal networks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]195

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system security plan; list of key internal boundaries of the system;

system design documentation; boundary protection hardware and software; system

configuration settings and associated documentation; enterprise security architecture

documentation; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers; personnel with boundary protection responsibilities].

Test
[SELECT FROM: Mechanisms implementing boundary protection capability].

DISCUSSION [NIST SP 800-171 REV. 2]

Subnetworks that are physically or logically separated from internal networks are referred

to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control

devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-

based technologies.
NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides

guidance on security for virtualization technologies.


195 

NIST SP 800-171A, p. 55.






SC.L2-3.13.5 – Public-Access System Separation [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

222


FURTHER DISCUSSION196

Separate the publicly accessible systems from the internal systems that need to be protected.

Do not place internal systems on the same network as the publicly accessible systems and

block access by default from DMZ networks to internal networks.
One method of accomplishing this is to create a DMZ network, which enhances security by

providing public access to a specific set of resources while preventing connections from

those resources to the rest of the IT environment. Some OSAs achieve a similar result through

the use of a cloud computing environment that is separated from the rest of the company’s

infrastructure.

Example
The head of recruiting at your company wants to launch a website to post job openings and

allow the public to download an application form [a]. After some discussion, your team

realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the

server separately from the company’s internal network and make sure the network on which

it resides is isolated with the proper firewall rules [b].

Potential Assessment Considerations 

 Are any system components reachable by the public (e.g., internet-facing web servers,

VPN gateways, publicly accessible cloud services) [a]? 

 Are  publicly accessible system components on physically or logically separated

subnetworks (e.g., isolated subnetworks using separate, dedicated VLAN segments such

as DMZs) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.5 


 FAR Clause 52.204-21 b.1.xi



196 

NIST SP 800-171 Rev. 2, pp. 37-38.






SC.L2-3.13.6 – Network Communication by Exception

CMMC Assessment Guide – Level 2 | Version 2.13

223


SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION

Deny network communications traffic by default and allow network communications traffic

by exception (i.e., deny all, permit by exception).

ASSESSMENT OBJECTIVES [NIST SP 800-171A]197

Determine if:
[a] network communications traffic is denied by default; and
[b] network communications traffic is allowed by exception.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]197

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system security plan; system design documentation; system

configuration settings and associated documentation; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer; personnel with boundary protection responsibilities].

Test
[SELECT FROM: Mechanisms implementing traffic management at managed interfaces].

DISCUSSION [NIST SP 800-171 REV. 2]198

This requirement applies to inbound and outbound network communications traffic at the

system boundary and at identified points within the system. A deny-all, permit-by-exception

network communications traffic policy ensures that only those connections which are

essential and approved are allowed.

FURTHER DISCUSSION

Block all traffic entering and leaving the network, but permit specific traffic based on

organizational policies, exceptions, or criteria. This process of permitting only authorized

traffic to the network is called whitelisting and limits the number of unintentional

connections to the network.


197 

NIST SP 800-171A, p. 55.

198 

NIST SP 800-171 Rev. 2, p. 38.






SC.L2-3.13.6 – Network Communication by Exception

CMMC Assessment Guide – Level 2 | Version 2.13

224


This requirement, SC.L2-3.13.6, requires a deny-all permit by exception approach for all

network communications. In doing so, it adds specifics for SC.L2-3.13.1, which only requires

monitoring, control, and protection of communication channels.

Example
You are setting up a new environment to house CUI. To properly isolate the CUI network, you

install a firewall between it and other networks and set the firewall rules to deny all traffic

[a]. You review each service and application that runs in the new environment and determine

that you only need to allow http and https traffic outbound [b]. You test the functionality of

the required services and make some needed adjustments, then comment each firewall rule

so there is documentation of why it is required. You review the firewall rules on a regular

basis to make sure no unauthorized changes were made.

Potential Assessment Considerations 

 Are network communications traffic on relevant system components  (e.g., host and

network firewalls, routers, gateways) denied by default (e.g., configured with an implicit

deny rule that takes effect in the absence of any other matching traffic rules) [a]? 

 Are network communications traffic on relevant system components (e.g., host and

network firewalls, routers, gateways) allowed by exception (e.g., configured with explicit

allow rules that takes effect only when network traffic matches one or more rules) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.6








SC.L2-3.13.7 – Split Tunneling

CMMC Assessment Guide – Level 2 | Version 2.13

225


SC.L2-3.13.7 – SPLIT TUNNELING

Prevent remote devices from simultaneously establishing non-remote connections with

organizational systems and communicating via some other connection to resources in

external networks (i.e., split tunneling).

ASSESSMENT OBJECTIVES [NIST SP 800-171A]199

Determine if:
[a] remote devices are prevented from simultaneously establishing non-remote

connections with the system and communicating via some other connection to

resources in external networks (i.e., split tunneling).

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]199

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

boundary protection; system security plan; system design documentation; system hardware

and software; system architecture; system configuration settings and associated

documentation; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer; personnel with boundary protection responsibilities].

Test
[SELECT FROM: Mechanisms implementing boundary protection capability; mechanisms

supporting or restricting non-remote connections].

DISCUSSION [NIST SP 800-171 REV. 2]200

Split tunneling might be desirable by remote users to communicate with local system

resources such as printers or file servers. However, split tunneling allows unauthorized

external connections, making the system more vulnerable to attack and to exfiltration of

organizational information. This requirement is implemented in remote devices (e.g.,

notebook computers, smart phones, and tablets) through configuration settings to disable

split tunneling in those devices, and by preventing configuration settings from being readily

configurable by users. This requirement is implemented in the system by the detection of

split tunneling (or of configuration settings that allow split tunneling) in the remote device,

and by prohibiting the connection if the remote device is using split tunneling.


199 

NIST SP 800-171A, p. 56.

200 

NIST SP 800-171 Rev. 2, p. 38.






SC.L2-3.13.7 – Split Tunneling

CMMC Assessment Guide – Level 2 | Version 2.13

226


FURTHER DISCUSSION

Split tunneling for a remote user utilizes two connections: accessing resources on the

internal network via a VPN and simultaneously accessing an external network such as a

public network or the internet.
Split tunneling presents a potential opportunity where an open unencrypted connection

from a public network could allow an adversary to access resources on internal network. As

a mitigation strategy, the split tunneling setting should be disabled on all devices so that all

traffic, including traffic for external networks or the internet, goes through the VPN.

Example
You are a system administrator responsible for configuring the network to prevent remote

users from using split tunneling. You review the configuration of remote user laptops. You

discover that remote users are able to access files, email, database and other services

through the VPN connection while also being able to print and access resources on their local

network. You change the configuration settings for all company computers to disable split

tunneling [a]. You test a laptop that has had the new hardening procedures applied and verify

that all traffic from the laptop is now routed through the VPN connection.

Potential Assessment Considerations 

 Does the system prevent remote devices that have established connections (e.g., remote

laptops) with the system from communicating outside that communications path with

resources on uncontrolled/unauthorized networks [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.7








SC.L2-3.13.8 – Data in Transit

CMMC Assessment Guide – Level 2 | Version 2.13

227


SC.L2-3.13.8 – DATA IN TRANSIT

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during

transmission unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES [NIST SP 800-171A]201

Determine if:
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are

identified;

[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are

identified; and

[c] either cryptographic mechanisms or alternative physical safeguards are implemented

to prevent unauthorized disclosure of CUI during transmission.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]201

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

transmission confidentiality and integrity; system security plan; system design

documentation; system configuration settings and associated documentation; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer].

Test
[SELECT FROM: Cryptographic mechanisms or mechanisms supporting or implementing

transmission confidentiality; organizational processes for defining and implementing

alternative physical safeguards].
DISCUSSION [NIST SP 800-171 REV. 2]202

This requirement applies to internal and external networks and any system components that

can transmit information including servers, notebook computers, desktop computers,

mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths

outside the physical protection of controlled boundaries are susceptible to both interception

and modification. Organizations relying on commercial providers offering transmission

services as commodity services rather than as fully dedicated services (i.e., services which

can be highly specialized to individual customer needs), may find it difficult to obtain the

necessary assurances regarding the implementation of the controls for transmission


201 

NIST SP 800-171A, p. 56.

202 

NIST SP 800-171 Rev. 2, p. 38.






SC.L2-3.13.8 – Data in Transit

CMMC Assessment Guide – Level 2 | Version 2.13

228


confidentiality. In such situations, organizations determine what types of confidentiality

services are available in commercial telecommunication service packages. If it is infeasible

or impractical to obtain the necessary safeguards and assurances of the effectiveness of the

safeguards through appropriate contracting vehicles, organizations implement

compensating safeguards or explicitly accept the additional risk. An example of an

alternative physical safeguard is a protected distribution system (PDS) where the

distribution medium is protected against electronic or physical intercept, thereby ensuring

the confidentiality of the information being transmitted.

FURTHER DISCUSSION

The intent of this requirement is to ensure CUI is cryptographically protected during transit,

particularly on the internet. The most common way to accomplish this is to establish a TLS

tunnel between the source and destination using the most current version of TLS. This

requirement does not specify a mutually authenticated handshake, but mutual

authentication is the most secure approach to creating a tunnel.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,

the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, SC.L2-3.13.8, requires cryptographic mechanisms be used to prevent the

disclosure of CUI in-transit and leverages SC.L2-3.13.11, which specifies that the algorithms

used must be FIPS-validated cryptography.
Example
You are a system administrator responsible for configuring encryption on all devices that

contain CUI. Because your users regularly store CUI on laptops and take them out of the

office, you encrypt the hard drives with a FIPS-validated encryption tool built into the

operating system. For users who need to share CUI, you install a Secure FTP server to allow

CUI to be transmitted in a compliant manner [a]. You verify that the server is using a FIPS-

validated encryption module by checking the NIST Cryptographic Module Validation

Program website [c]. You turn on the “FIPS Compliance” setting for the server during

configuration because that is what is required for this product in order to use only FIPS-

validated cryptography [c].
Potential Assessment Considerations 

 Are cryptographic mechanisms used to prevent unauthorized disclosure of information

during transmission unless otherwise protected by alternative physical measures (e.g.,

PDS) [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.8







SC.L2-3.13.9 – Connections Termination

CMMC Assessment Guide – Level 2 | Version 2.13

229


SC.L2-3.13.9 – CONNECTIONS TERMINATION

Terminate network connections associated with communications sessions at the end of the

sessions or after a defined period of inactivity.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]203

Determine if:
[a] a period of inactivity to terminate network connections associated with

communications sessions is defined;

[b] network connections associated with communications sessions are terminated at the

end of the sessions; and

[c] network connections associated with communications sessions are terminated after the

defined period of inactivity.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]203

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

network disconnect; system design documentation; system security plan; system

configuration settings and associated documentation; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer].

Test
[SELECT FROM: Mechanisms supporting or implementing network disconnect capability].

DISCUSSION [NIST SP 800-171 REV. 2]204

This requirement applies to internal and external networks. Terminating network

connections associated with communications sessions include de-allocating associated

TCP/IP address or port pairs at the operating system level, or de-allocating networking

assignments at the application level if multiple application sessions are using a single,

operating system-level network connection. Time periods of user inactivity may be

established by organizations and include time periods by type of network access or for

specific network accesses.


203 

NIST SP 800-171A, p. 57.

204 

NIST SP 800-171 Rev. 2, pp. 38-39.






SC.L2-3.13.9 – Connections Termination

CMMC Assessment Guide – Level 2 | Version 2.13

230


FURTHER DISCUSSION

Prevent malicious actors from taking advantage of an open network session or an

unattended computer at the end of the connection. Balance user work patterns and needs

against security to determine the length of inactivity that will force a termination.
This requirement, SC.L2-3.13.9, specifies network connections be terminated under certain

conditions, which complements AC.L2-3.1.18 that specifies control of mobile device

connections.

Example
You are an administrator of a server that provides remote access. Your company’s policies

state that network connections must be terminated after being idle for 60 minutes [a]. You

edit the server configuration file and set the timeout to 60 minutes and restart the remote

access software [c]. You test the software and verify that the connection is terminated

appropriately.

Potential Assessment Considerations 

 Are the network connections requiring management and time-out for inactivity

documented [a]? 

 Are  the network connections requiring management and time-out for inactivity

configured and implemented [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.9








SC.L2-3.13.10 – Key Management

CMMC Assessment Guide – Level 2 | Version 2.13

231


SC.L2-3.13.10 – KEY MANAGEMENT

Establish and manage cryptographic keys for cryptography employed in organizational

systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]205
Determine if:
[a] cryptographic keys are established whenever cryptography is employed; and
[b] cryptographic keys are managed whenever cryptography is employed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]205

Examine

[SELECT FROM: System and communications protection policy; procedures addressing

cryptographic key establishment and management; system security plan; system design

documentation; cryptographic mechanisms; system configuration settings and associated

documentation; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel with responsibilities for cryptographic key establishment and

management].

Test
[SELECT FROM: Mechanisms supporting or implementing cryptographic key establishment

and management].

DISCUSSION [NIST SP 800-171 REV. 2]206
Cryptographic key management and establishment can be performed using manual

procedures or mechanisms supported by manual procedures. Organizations define key

management requirements in accordance with applicable federal laws, Executive Orders,

policies, directives, regulations, and standards specifying appropriate options, levels, and

parameters.
NIST SP 800-56A and NIST SP 800-57-1 provide guidance on cryptographic key management

and key establishment.

FURTHER DISCUSSION
Develop processes and technical mechanisms to protect the cryptographic keys’

confidentiality, authenticity, and authorized use in accordance with industry standards and


205 

NIST SP 800-171A, p. 57.

206 

NIST SP 800-171 Rev. 2, p. 39.






SC.L2-3.13.10 – Key Management

CMMC Assessment Guide – Level 2 | Version 2.13

232


regulations. Key management systems provide oversight, assurance, and the capability to

demonstrate the cryptographic keys are created in a secure manner and protected from loss

or misuse throughout their lifecycle (e.g., active, expired, revoked). For a small number of

keys, this can be accomplished with manual procedures and mechanisms. As the number of

keys and cryptographic units increase, automation and tool support will be required.
The first intent of this requirement is to ensure cryptographic keys are properly created in a

secure manner that prevents them from being reproduced by an adversary. The second

intent of this requirement is to ensure cryptographic keys are managed in a secure manner

that prevents them from being stolen by an adversary.
Key establishment involves the creation of keys and coordination among parties that will use

the keys of the methodology for generating the final keying material. This is discussed in

detail in SP 800-56A, B, and C.
Key management involves protecting keys when they are distributed, when they are stored,

when they are being used, and when they are being recovered.
Key establishment best practices are identified in NIST SP 800-56A, B, and C. Key

management best practices are identified in NIST SP 800-57 Parts 1, 2, and 3.
This requirement, SC.L2-3.13.10, complements AC.L2-3.1.19 by specifying that any

cryptographic keys in use must be protected.
Example 1
You are a system administrator responsible for providing key management. You have

generated a public-private key pair to exchange CUI [a]. You require all system

administrators to read the key management policy before you allow them to install the

private key on their machines [b]. No one else is allowed to know or have a copy of the private

key per the policy. You provide the public key to the other parties who will be sending you

CUI and test the Public Key Infrastructure (PKI) to ensure the encryption is working [a]. You

set a revocation period of one year on all your certificates per organizational policy [b].
Example 2
You encrypt all of your company’s computers using the disk encryption utility built into the

operating system. As you configure encryption on each device, it generates a cryptographic

key. You associate each key with the correct computer in your inventory spreadsheet and

restrict access to the spreadsheet to the system administrators whose work role requires

them to manage the computers [b].
Potential Assessment Considerations 

 Are cryptographic keys established whenever cryptography is employed (e.g., digital

signatures, authentication, authorization, transport, or other cryptographic

mechanisms) [a]? 

 Are cryptographic keys maintained whenever cryptography is employed (e.g., key

storage, backup, recovery, revocation, destruction, etc.) [b]?






SC.L2-3.13.10 – Key Management

CMMC Assessment Guide – Level 2 | Version 2.13

233


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.10







SC.L2-3.13.11 – CUI Encryption

CMMC Assessment Guide – Level 2 | Version 2.13

234


SC.L2-3.13.11 – CUI ENCRYPTION

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]207

Determine if:
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]207

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

cryptographic protection; system security plan; system design documentation; system

configuration settings and associated documentation; cryptographic module validation

certificates; list of FIPS-validated cryptographic modules; system audit logs and records; any

other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developers; personnel with responsibilities for cryptographic

protection].

Test
[SELECT FROM: Mechanisms supporting or implementing cryptographic protection].

DISCUSSION [NIST SP 800-171 REV. 2]208

Cryptography can be employed to support many security solutions including the protection

of controlled unclassified information, the provision of digital signatures, and the

enforcement of information separation when authorized individuals have the necessary

clearances for such information but lack the necessary formal access approvals.

Cryptography can also be used to support random number generation and hash generation.

Cryptographic standards include FIPS-validated cryptography and/or NSA-approved

cryptography.

FURTHER DISCUSSION

FIPS-validated cryptography means the cryptographic module has to have been tested and

validated to meet FIPS 140-2 requirements. Simply using an approved algorithm is not

sufficient – the module (software and/or hardware) used to implement the algorithm must

be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is


207 

NIST SP 800-171A, pp. 57-58.

208 

NIST SP 800-171 Rev. 2, p. 39.






SC.L2-3.13.11 – CUI Encryption

CMMC Assessment Guide – Level 2 | Version 2.13

235


required to protect CUI when transmitted or stored outside the protected environment of

the covered OSA information system (including wireless/remote access). Encryption used

for other purposes, such as within applications or devices within the protected environment

of the covered OSA information system, would not need to use FIPS-validated cryptography.
This requirement, SC.L2-3.13.11, complements AC.L2-3.1.19, MP.L2-3.8.6, SC.L2-3.13.8, and

SC.L2-3.13.16 by specifying that FIPS-validated cryptography must be used. While FIPS-

validated modules and algorithms are critical for protecting CUI, in limited cases Enduring

Exceptions and temporary deficiencies may apply when implementing such cryptographic

mechanisms.

Example
You are a system administrator responsible for deploying encryption on all devices that

contain CUI. You must ensure that the encryption you use on the devices is FIPS-validated

cryptography [a]. An employee informs you of a need to carry a large volume of CUI offsite

and asks for guidance on how to do so. You provide the user with disk encryption software

that you have verified via the NIST website that uses a CMVP-validated encryption module

[a]. Once the encryption software is active, the user copies the CUI data onto the drive for

transport.

Potential Assessment Considerations 

 Is cryptography implemented to protect the confidentiality of CUI at rest and in transit,

through the configuration of systems and applications or through the use of encryption

tools [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.11








SC.L2-3.13.12 – Collaborative Device Control

CMMC Assessment Guide – Level 2 | Version 2.13

236


SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL

Prohibit remote activation of collaborative computing devices and provide indication of

devices in use to users present at the device.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]209

Determine if:
[a] collaborative computing devices are identified;
[b] collaborative computing devices provide indication to users of devices in use; and
[c] remote activation of collaborative computing devices is prohibited.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]209

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

collaborative computing; access control policy and procedures; system security plan; system

design documentation; system audit logs and records; system configuration settings and

associated documentation; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer; personnel with responsibilities for managing

collaborative computing devices].

Test
[SELECT FROM: Mechanisms supporting or implementing management of remote activation

of collaborative computing devices; mechanisms providing an indication of use of

collaborative computing devices].

DISCUSSION [NIST SP 800-171 REV. 2]210

Collaborative computing devices include networked white boards, cameras, and

microphones. Indication of use includes signals to users when collaborative computing

devices are activated. Dedicated video conferencing systems, which rely on one of the

participants calling or connecting to the other party to activate the video conference, are

excluded.


209 

NIST SP 800-171A, p. 58.

210 

NIST SP 800-171 Rev. 2, p. 39.






SC.L2-3.13.12 – Collaborative Device Control

CMMC Assessment Guide – Level 2 | Version 2.13

237


FURTHER DISCUSSION

Notification that a device is in use can include an indicator light that turns on or a specific

text window that appears on screen. If a device does not have the means to alert a user when

in use, the organization should provide manual means. Manual means can include, as

necessary: 

 paper notification on entryways; and 


 locking entryways when a collaborative computing device is in use.

This requirement is not intended to include technologies that enable users to share the

contents of their computer screens via the internet.
Example
A group of remote employees at your company routinely collaborate using cameras and

microphones attached to their computers [a]. To prevent the misuse of these devices, you

disable the ability to turn on cameras or microphones remotely [c]. You ensure the machines

alert users when the camera or microphone are in use with a light beside the camera and an

onscreen notification [b]. Although remote activation is blocked, this enables users to see if

the devices are active.

Potential Assessment Considerations 

 Are the collaborative computing devices configured to provide indication to users when

in use (e.g., a light, text notification, or audio tone) or are users alerted before entering a

space (e.g., written notice posted outside the space) where they are in use [b]? 

 Are the collaborative computing devices configured to prevent them from being turned

on without user interaction or consent [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.12








SC.L2-3.13.13 – Mobile Code

CMMC Assessment Guide – Level 2 | Version 2.13

238


SC.L2-3.13.13 – MOBILE CODE

Control and monitor the use of mobile code.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]211

Determine if:
[a] use of mobile code is controlled; and
[b] use of mobile code is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]211

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

mobile code; mobile code usage restrictions, mobile code implementation policy and

procedures; system audit logs and records; system security plan; list of acceptable mobile

code and mobile code technologies; list of unacceptable mobile code and mobile

technologies; authorization records; system monitoring records; system audit logs and

records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel with responsibilities for managing mobile code].

Test
[SELECT FROM: Organizational process for controlling, authorizing, monitoring, and

restricting mobile code; mechanisms supporting or implementing the management of

mobile code; mechanisms supporting or implementing the monitoring of mobile code].

DISCUSSION [NIST SP 800-171 REV. 2]212

Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations,

and VBScript. Decisions regarding the use of mobile code in organizational systems are based

on the potential for the code to cause damage to the systems if used maliciously. Usage

restrictions and implementation guidance apply to the selection and use of mobile code

installed on servers and mobile code downloaded and executed on individual workstations,

notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures

address controlling or preventing the development, acquisition, or introduction of

unacceptable mobile code in systems, including requiring mobile code to be digitally signed

by a trusted source.


211 

NIST SP 800-171A, pp. 58-59.

212 

NIST SP 800-171 Rev. 2, pp. 39-40.






SC.L2-3.13.13 – Mobile Code

CMMC Assessment Guide – Level 2 | Version 2.13

239


FURTHER DISCUSSION

Ensure mobile code is authorized to execute in company systems only in accordance with

policy and technical configuration, and that unauthorized mobile code is not. Monitor the use

of mobile code through boundary devices (e.g., firewalls), audit logs, or security utilities (e.g.,

mobile device management, advanced endpoint protection) and implement remediation

activities as needed.
The first intent of this requirement is to ensure the limits of mobile code usage and usage

restrictions are documented and enforced. This includes documenting all authorizations for

the use of mobile code and ensuring it is not used in other ways. Usage restrictions and

implementation guidance apply to the selection and use of mobile code installed on servers

and mobile code downloaded and executed on individual workstations and devices to

include all mobile devices and smart phones.
The second intent is to monitor the use of mobile code and implement remediation steps if

its use does not align with policy.

Example
Your company has decided to prohibit the use of Flash, ActiveX, and Java plug-ins for web

browsers on all of its computers [a]. To enforce this policy you configure the computer

baseline configuration to disable and deny the execution of mobile code [a]. You implement

an exception process to re-enable mobile code execution only for those users with a

legitimate business need [a].
One department complains that a web application they need to perform their job no longer

works. You meet with them and verify that the web application uses ActiveX in the browser.

You submit a change request with the Change Review Board. Once the change is approved,

you reconfigure the department’s computers to allow the running of ActiveX in the browser.

You also configure the company firewall to alert you if ActiveX is used by any website but the

allowed one [b]. You set a reminder for yourself to check in with the department at the end

of the year to verify they still need that web application.

Potential Assessment Considerations 

 Are there defined limits of mobile code usage and established usage restrictions, which

specifically authorize use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, Flash,

Shockwave, Postscript, VBScript) within the information system [a]? 

 Is the use of mobile code documented, monitored, and managed (e.g., Java, JavaScript,

ActiveX, PDF, Flash, Shockwave, Postscript, VBScript) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.13







SC.L2-3.13.14 – Voice over Internet Protocol

CMMC Assessment Guide – Level 2 | Version 2.13

240


SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]213

Determine if:
[a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]213

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

VoIP; VoIP usage restrictions; VoIP implementation guidance; system security plan; system

design documentation; system audit logs and records; system configuration settings and

associated documentation; system monitoring records; other relevant documents or

records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel with responsibilities for managing VoIP].

Test
[SELECT FROM: Organizational process for authorizing, monitoring, and controlling VoIP;

mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].

DISCUSSION [NIST SP 800-171 REV. 2]214

VoIP has different requirements, features, functionality, availability, and service limitations

when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone

service). In contrast, other telephone services are based on high-speed, digital

communications lines, such as Integrated Services Digital Network (ISDN) and Fiber

Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS

services are speed and bandwidth. To address the threats associated with VoIP, usage

restrictions and implementation guidelines are based on the potential for the VoIP

technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar

to those inherent with any Internet-based application.
NIST SP 800-58 provides guidance on Voice Over IP Systems.


213 

NIST SP 800-171A, p. 59.

214 

NIST SP 800-171 Rev. 2, p. 40.






SC.L2-3.13.14 – Voice over Internet Protocol

CMMC Assessment Guide – Level 2 | Version 2.13

241


FURTHER DISCUSSION

Controlling VoIP technologies starts with establishing guidelines and enforcing the

appropriate usage that is described in organizational policies. Monitoring should include the

users’ activity for anything other than what is permitted and authorized and detection of

insecure or unauthorized use of the VoIP technology. Security concerns for VoIP include

eavesdropping on calls and using ID spoofing to impersonate trusted individuals.
Selecting a solution that can encrypt VoIP traffic is helpful in maintaining the confidentiality

and integrity of the voice data.

Example
You are a system administrator responsible for the VoIP system. You configure VoIP for new

users after being notified that they have signed the Acceptable Use Policy for VoIP technology

[a]. You verify that the VoIP solution is configured to use encryption and have enabled

requirements for passwords on voice mailboxes and on phone extension management. You

require phone system administrators to log in using multifactor authentication when

managing the system [a]. You add the VoIP software to the list of applications that are

patched monthly as needed [a,b]. Finally, you configure the VoIP system to send logs to your

log aggregator so that they can be correlated with those from other systems and examined

for signs of suspicious activity [b].

Potential Assessment Considerations 

 Are VoIP technologies (e.g., approved and managed products or solutions) that may or

may not be used in the system defined [a]? 

 Is monitoring for unapproved VoIP technologies or unapproved use of the allowed VoIP

solutions employed [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.14








SC.L2-3.13.15 – Communications Authenticity

CMMC Assessment Guide – Level 2 | Version 2.13

242


SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY

Protect the authenticity of communications sessions.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]215

Determine if:
[a] the authenticity of communications sessions is protected.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]215

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

session authenticity; system security plan; system design documentation; system

configuration settings and associated documentation; system audit logs and records; other

relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities].

Test

[SELECT FROM: Mechanisms supporting or implementing session authenticity]

DISCUSSION [NIST SP 800-171 REV. 2]216

Authenticity protection includes protecting against man-in-the-middle attacks, session

hijacking, and the insertion of false information into communications sessions. This

requirement addresses communications protection at the session versus packet level (e.g.,

sessions in service-oriented architectures providing web-based services) and establishes

grounds for confidence at both ends of communications sessions in ongoing identities of

other parties and in the validity of information transmitted.
NIST SP 800-77, NIST SP 800-95, and NIST SP 800-113 provide guidance on secure

communications sessions.

FURTHER DISCUSSION

The intent of this requirement is to ensure a trust relationship is established between both

ends of a communication session. Each end can be assured that the other end is who it is

supposed to be. This is often implemented using a mutual authentication handshake when

the session is established, especially between devices. Session authenticity is usually


215 

NIST SP 800-171A, p. 59.

216 

NIST SP 800-171 Rev. 2, p. 40.






SC.L2-3.13.15 – Communications Authenticity

CMMC Assessment Guide – Level 2 | Version 2.13

243


provided by a security protocol enforced for a communication session. Choosing and

enforcing a protocol will provide authenticity throughout a communications session.

Example
You are a system administrator responsible for ensuring that the two-factor user

authentication mechanism for the servers is configured correctly. You purchase and

maintain the digital certificate and replace it with a new one before the old one expires. You

ensure the TLS configuration settings on the web servers, VPN solution, and other

components that use TLS are correct, using secure settings that address risks against attacks

on the encrypted sessions [a].

Potential Assessment Considerations 

 Is a communications protocol used that ensures the sending and receiving parties do not

change during a communications session [a]? 

 Are controls in place to validate the identities and information transmitted to protect

against man-in-the-middle attacks, session hijacking, and insertion of false information

into communications sessions [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.15








SC.L2-3.13.16 – Data at Rest

CMMC Assessment Guide – Level 2 | Version 2.13

244


SC.L2-3.13.16 – DATA AT REST

Protect the confidentiality of CUI at rest.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]217

Determine if:
[a] the confidentiality of CUI at rest is protected.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]217

Examine
[SELECT FROM: System and communications protection policy; procedures addressing

protection of information at rest; system security plan; system design documentation; list of

information at rest requiring confidentiality protections; system configuration settings and

associated documentation; cryptographic mechanisms and associated configuration

documentation; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; system developer].

Test
[SELECT FROM: Mechanisms supporting or implementing confidentiality protections for

information at rest].

DISCUSSION [NIST SP 800-171 REV. 2]218

Information at rest refers to the state of information when it is not in process or in transit

and is located on storage devices as specific components of systems. The focus of protection

at rest is not on the type of storage device or the frequency of access but rather the state of

the information. Organizations can use different mechanisms to achieve confidentiality

protections, including the use of cryptographic mechanisms and file share scanning.

Organizations may also use other controls including secure off-line storage in lieu of online

storage when adequate protection of information at rest cannot otherwise be achieved or

continuous monitoring to identify malicious code at rest.

FURTHER DISCUSSION

CUI at rest means information that is not moving through the network; typically this means

data currently stored on hard drives, media, and mobile devices. Implement the necessary

security controls to protect the confidentiality of CUI at rest. Although an approved


217 

NIST SP 800-171A, pp. 59-60.

218 

NIST SP 800-171 Rev. 2, p. 40.






SC.L2-3.13.16 – Data at Rest

CMMC Assessment Guide – Level 2 | Version 2.13

245


encryption method protects data stored at rest, there are other technical and physical

solutions. The methods chosen should depend on the environment and business needs.
Implementing encryption for CUI is one approach to this requirement, but it is not

mandatory. Physical security is often employed to restrict access to CUI, particularly when it

resides on servers within a company’s offices. Other approaches for protecting CUI include

system-related protections such as configurations and rule sets for firewalls, gateways,

intrusion detection/prevention systems, filtering routers, and authenticator content that

eliminate attempts at exfiltration. You may also employ other security requirements

including secure off-line storage.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI,

the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, SC.L2-3.13.16, specifies confidentially be provided for CUI at rest and

complements MP.L2-3.8.9, which specifies confidentially of CUI at backup storage locations.

This requirement, SC.L2-3.13.16, also leverages SC.L2-3.13.11, which specifies that the

algorithms used must be FIPS-validated cryptography.

Example 1
Your company has a policy stating CUI must be protected at rest and you work to enforce

that policy. You research Full Disk Encryption (FDE) products that meet the FIPS encryption

requirement. After testing, you deploy the encryption to all computers to protect CUI at rest

[a].

Example 2
You have used encryption to protect the CUI on most of the computers at your company, but

you have some devices that do not support encryption. You create a policy requiring these

devices to be signed out when needed, stay in possession of the signer when checked out,

and to be signed back in and locked up in a secured closet when the user is done with the

device [a]. At the end of the day each Friday, you audit the sign-out sheet and make sure all

devices are returned to the closet.

Potential Assessment Considerations 

 Is the confidentiality of CUI at rest protected using encryption of storage devices and/or

appropriate physical methods [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.13.16







SI.L2-3.14.1 – Flaw Remediation [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

246


System and Information Integrity (SI)
SI.L2-3.14.1 – FLAW REMEDIATION [CUI DATA]

Identify, report, and correct system flaws in a timely manner.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]219

Determine if:
[a] the time within which to identify system flaws is specified;
[b] system flaws are identified within the specified time frame;
[c] the time within which to report system flaws is specified;
[d] system flaws are reported within the specified time frame;
[e] the time within which to correct system flaws is specified; and
[f] system flaws are corrected within the specified time frame.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]219

Examine
[SELECT FROM: System and information integrity policy; procedures addressing flaw

remediation; procedures addressing configuration management; system security plan; list

of flaws and vulnerabilities potentially affecting the system; list of recent security flaw

remediation actions performed on the system (e.g., list of installed patches, service packs,

hot fixes, and other software updates to correct system flaws); test results from the

installation of software and firmware updates to correct system flaws; installation/change

control records for security-relevant software and firmware updates; other relevant

documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for flaw remediation; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for identifying, reporting, and correcting system

flaws; organizational process for installing software and firmware updates; mechanisms


219 

NIST SP 800-171A, p. 61.







SI.L2-3.14.1 – Flaw Remediation [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

247


supporting or implementing reporting, and correcting system flaws; mechanisms supporting

or implementing testing software and firmware updates].

DISCUSSION [NIST SP 800-171 REV. 2]220

Organizations identify systems that are affected by announced software and firmware flaws

including potential vulnerabilities resulting from those flaws and report this information to

designated personnel with information security responsibilities. Security-relevant updates

include patches, service packs, hot fixes, and anti-virus signatures. Organizations address

flaws discovered during security assessments, continuous monitoring, incident response

activities, and system error handling. Organizations can take advantage of available

resources such as the Common Weakness Enumeration (CWE) database or Common

Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in

organizational systems.
Organization-defined time periods for updating security-relevant software and firmware

may vary based on a variety of factors including the criticality of the update (i.e., severity of

the vulnerability related to the discovered flaw). Some types of flaw remediation may require

more testing than other types of remediation. NIST SP 800-40 provides guidance on patch

management technologies.

FURTHER DISCUSSION

All software and firmware have potential flaws. Many vendors work to remedy those flaws

by releasing vulnerability information and updates to their software and firmware. OSAs

must have a process to review relevant vendor notifications and updates about problems or

weaknesses. After reviewing the information, the OSA must implement a patch management

process that allows for software and firmware flaws to be fixed without adversely affecting

the system functionality. OSAs must define the time frames within which flaws are identified,

reported, and corrected for all systems. OSAs should consider purchasing support from their

vendors to ensure timely access to updates.

Example
You know that software vendors typically release patches, service packs, hot fixes, etc. and

want to make sure your software is up to date. You develop a policy that requires checking

vendor websites for flaw notifications every week [a]. The policy further requires that those

flaws be assessed for severity and patched on end-user computers once each week and

servers once each month [c,e]. Consistent with that policy, you configure the system to check

for updates weekly or daily depending on the criticality of the software [b,e]. Your team

reviews available updates and implements the applicable ones according to the defined

schedule [f].


220 

NIST SP 800-171 Rev. 2, pp. 40-41.






SI.L2-3.14.1 – Flaw Remediation [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

248


Potential Assessment Considerations 

 Is the time frame (e.g., a set number of days) within which system flaw identification

activities (e.g., vulnerability scans, configuration scans, manual review) must be

performed defined and documented [a]? 

 Are system flaws (e.g., vulnerabilities, misconfigurations) identified in accordance with

the specified time frame [b]? 

 Is the time frame (e.g., a set number of days dependent on the assessed severity of a flaw)

within which system flaws must be corrected defined and documented [e]? 

 Are  system flaws (e.g., applied security patches, made configuration changes, or

implemented workarounds or mitigations) corrected in accordance with the specified

time frame [f]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.1 


 FAR Clause 52.204-21 b.1.xii







SI.L2-3.14.2 – Malicious Code Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

249


SI.L2-3.14.2 – MALICIOUS CODE PROTECTION [CUI DATA]

Provide protection from malicious code at designated locations within organizational

systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]221

Determine if:
[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]221

Examine
[SELECT FROM: System and information integrity policy; configuration management policy

and procedures; procedures addressing malicious code protection; records of malicious

code protection updates; malicious code protection mechanisms; system security plan;

system configuration settings and associated documentation; record of actions initiated by

malicious code protection mechanisms in response to malicious code detection; scan results

from malicious code protection mechanisms; system design documentation; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for malicious code protection; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for employing, updating, and configuring

malicious code protection mechanisms; organizational process for addressing false positives

and resulting potential impact; mechanisms supporting or implementing employing,

updating, and configuring malicious code protection mechanisms; mechanisms supporting

or implementing malicious code scanning and subsequent actions].

DISCUSSION [NIST SP 800-171 REV. 2]222

Designated locations include system entry and exit points which may include firewalls,

remote access servers, workstations, electronic mail servers, web servers, proxy servers,

notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan

horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE,


221 

NIST SP 800-171A, pp. 61-62.

222 

NIST SP 800-171 Rev. 2, p. 41.






SI.L2-3.14.2 – Malicious Code Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

250


Unicode), contained within compressed or hidden files, or hidden in files using techniques

such as steganography. Malicious code can be inserted into systems in a variety of ways

including web accesses, electronic mail, electronic mail attachments, and portable storage

devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
Malicious code protection mechanisms include anti-virus signature definitions and

reputation-based technologies. A variety of technologies and methods exist to limit or

eliminate the effects of malicious code. Pervasive configuration management and

comprehensive software integrity controls may be effective in preventing execution of

unauthorized code. In addition to commercial off-the-shelf software, malicious code may also

be present in custom-built software. This could include logic bombs, back doors, and other

types of cyber-attacks that could affect organizational missions/business functions.

Traditional malicious code protection mechanisms cannot always detect such code. In these

situations, organizations rely instead on other safeguards including secure coding practices,

configuration management and control, trusted procurement processes, and monitoring

technologies to help ensure that software does not perform functions other than the

functions intended. NIST SP 800-83 provides guidance on malware incident prevention.

FURTHER DISCUSSION

A designated location may be a network device such as a firewall or an end user’s computer.
Malicious code, which can be delivered by a range of means (e.g., email, removable media, or

websites), includes the following: 

 virus – program designed to damage, steal information, change data, send email, show

messages, or any combination of these things; 

 spyware – program designed to gather information about a person’s activity in secret

when they click on a link, usually installed without the person knowing ; 

 trojan horse – type of malware made to look like legitimate software and used by cyber

criminals to get access to a company’s systems; and 

 ransomware – type of malware that threatens to publish the victim’s data or perpetually

block access to it unless a ransom is paid.

Use anti-malware tools to stop or lessen the impact of malicious code.

Example
You are buying a new computer and want to protect your company’s information from

viruses, spyware, etc. You buy and install anti-malware software [a,b].

Potential Assessment Considerations 

 Are system components (e.g., workstations, servers, email gateways, mobile devices) for

which malicious code protection must be provided identified and documented [a]?






SI.L2-3.14.2 – Malicious Code Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

251


KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.2 


 FAR Clause 52.204-21 b.1.xiii







SI.L2-3.14.3 – Security Alerts & Advisories

CMMC Assessment Guide – Level 2 | Version 2.13

252


SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES

Monitor system security alerts and advisories and take action in response.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]223

Determine if:
[a] response actions to system security alerts and advisories are identified;
[b] system security alerts and advisories are monitored; and
[c] actions in response to system security alerts and advisories are taken.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]223

Examine

[SELECT FROM: System and information integrity policy; procedures addressing security

alerts, advisories, and directives; system security plan; records of security alerts and

advisories; other relevant documents or records].

Interview
[SELECT FROM: Personnel with security alert and advisory responsibilities; personnel

implementing, operating, maintaining, and using the system; personnel, organizational

elements, and external organizations to whom alerts, advisories, and directives are to be

disseminated; system or network administrators; personnel with information security

responsibilities].

Test
[SELECT FROM: Organizational processes for defining, receiving, generating, disseminating,

and complying with security alerts, advisories, and directives; mechanisms supporting or

implementing definition, receipt, generation, and dissemination of security alerts,

advisories, and directives; mechanisms supporting or implementing security directives].

DISCUSSION [NIST SP 800-171 REV. 2]224

There are many publicly available sources of system security alerts and advisories. The

United States Computer Emergency Readiness Team (US-CERT) generates security alerts

and advisories to maintain situational awareness across the federal government and in

nonfederal organizations. Software vendors, subscription services, and relevant industry

information sharing and analysis centers (ISACs) may also provide security alerts and

advisories. Examples of response actions include notifying relevant external organizations,


223 

NIST SP 800-171A, p. 62.

224 

NIST SP 800-171 Rev. 2, p. 41.






SI.L2-3.14.3 – Security Alerts & Advisories

CMMC Assessment Guide – Level 2 | Version 2.13

253


for example, external mission/business partners, supply chain partners, external service

providers, and peer or supporting organizations.
NIST SP 800-161 provides guidance on supply chain risk management.

FURTHER DISCUSSION

Solicit and receive security alerts, advisories, and directives from reputable external

organizations. Identify sources relevant to the industry and technology used by your

company. Methods to receive alerts and advisories may include: 

 signing up for email distributions; 


 subscribing to RSS feeds; and 


 attending meetings.

Review alerts and advisories for applicability as they are received. The frequency of the

reviews should be based on the frequency of the alerts and advisories to ensure you have the

most up-to-date information.
External alerts and advisories may prompt you to generate internal security alerts,

advisories, or directives, and share these with all personnel with a need-to-know. The

individuals should assess the risk related to a given alert and act to respond as appropriate.

Sometimes it may require a configuration update. Other times, the information may also

require adjusting system architecture in order to thwart a threat described in an advisory.

Example
You monitor security advisories each week. You review the alert emails and online

subscription service alerts to determine which ones apply [b]. You create a list of the

applicable alerts and research what steps you need to take to address them. Next, you

generate a plan that you review with your change management group so that the work can

be scheduled [c].

Potential Assessment Considerations 

 Are the responses to system security alerts and advisories identified in relation to the

assessed severity of potential flaws (e.g., communicating with responsible personnel,

initiating vulnerability scans, initiating system flaw remediation activities) [a]? 

 Are system security alerts and advisories addressed (e.g., assessing potential severity or

likelihood, communicating with responsible personnel, initiating vulnerability scans,

initiating system flaw remediation activities) [a,c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.3







SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

254


SI.L2-3.14.4 – UPDATE MALICIOUS CODE PROTECTION [CUI DATA]

Update malicious code protection mechanisms when new releases are available.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]225

Determine if:
[a] malicious code protection mechanisms are updated when new releases are available.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]225

Examine
[SELECT FROM: System and information integrity policy; configuration management policy

and procedures; procedures addressing malicious code protection; malicious code

protection mechanisms; records of malicious code protection updates; system security plan;

system design documentation; system configuration settings and associated documentation;

scan results from malicious code protection mechanisms; record of actions initiated by

malicious code protection mechanisms in response to malicious code detection; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for malicious code protection; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for employing, updating, and configuring

malicious code protection mechanisms; organizational process for addressing false positives

and resulting potential impact; mechanisms supporting or implementing malicious code

protection mechanisms (including updates and configurations); mechanisms supporting or

implementing malicious code scanning and subsequent actions].

DISCUSSION [NIST SP 800-171 REV. 2]226

Malicious code protection mechanisms include anti-virus signature definitions and

reputation-based technologies. A variety of technologies and methods exist to limit or

eliminate the effects of malicious code. Pervasive configuration management and

comprehensive software integrity controls may be effective in preventing execution of

unauthorized code. In addition to commercial off-the-shelf software, malicious code may also

be present in custom-built software. This could include logic bombs, back doors, and other

types of cyber-attacks that could affect organizational missions/business functions.


225 

NIST SP 800-171A, pp. 62-63.

226 

NIST SP 800-171 Rev. 2, pp. 41-42.






SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

255


Traditional malicious code protection mechanisms cannot always detect such code. In these

situations, organizations rely instead on other safeguards including secure coding practices,

configuration management and control, trusted procurement processes, and monitoring

technologies to help ensure that software does not perform functions other than the

functions intended.

FURTHER DISCUSSION

Malware changes on an hourly or daily basis, and it is important to update detection and

protection mechanisms frequently to maintain the effectiveness of the protection.

Example
You have installed anti-malware software to protect a computer from malicious code.

Knowing that malware evolves rapidly, you configure the software to automatically check

for malware definition updates every day and update as needed [a].

Potential Assessment Considerations 

 Is there a defined frequency by which malicious code protection mechanisms must be

updated (e.g., frequency of automatic updates or manual processes) [a]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.4 


 FAR Clause 52.204-21 b.1.xiv







SI.L2-3.14.5 – System & File Scanning [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

256


SI.L2-3.14.5 – SYSTEM & FILE SCANNING [CUI DATA]

Perform periodic scans of organizational systems and real-time scans of files from external

sources as files are downloaded, opened, or executed.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]227

Determine if:
[a] the frequency for malicious code scans is defined;
[b] malicious code scans are performed with the defined frequency; and
[c] real-time malicious code scans of files from external sources as files are downloaded,

opened, or executed are performed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]227

Examine
[SELECT FROM: System and information integrity policy; configuration management policy

and procedures; procedures addressing malicious code protection; malicious code

protection mechanisms; records of malicious code protection updates; system security plan;

system design documentation; system configuration settings and associated documentation;

scan results from malicious code protection mechanisms; record of actions initiated by

malicious code protection mechanisms in response to malicious code detection; system audit

logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for malicious code protection; personnel with configuration management

responsibility].

Test
[SELECT FROM: Organizational processes for employing, updating, and configuring

malicious code protection mechanisms; organizational process for addressing false positives

and resulting potential impact; mechanisms supporting or implementing malicious code

protection mechanisms (including updates and configurations); mechanisms supporting or

implementing malicious code scanning and subsequent actions].

DISCUSSION [NIST SP 800-171 REV. 2]228

Periodic scans of organizational systems and real-time scans of files from external sources

can detect malicious code. Malicious code can be encoded in various formats (e.g.,


227 

NIST SP 800-171A, p. 63.

228 

NIST SP 800-171 Rev. 2, p. 42.






SI.L2-3.14.5 – System & File Scanning [CUI Data]

CMMC Assessment Guide – Level 2 | Version 2.13

257


UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using

techniques such as steganography. Malicious code can be inserted into systems in a variety

of ways including web accesses, electronic mail, electronic mail attachments, and portable

storage devices. Malicious code insertions occur through the exploitation of system

vulnerabilities.

FURTHER DISCUSSION

Use anti-malware software to scan for and identify viruses in your computer systems and

determine how often scans are conducted. Real-time scans look at the system whenever new

files are downloaded, opened, and saved. Periodic scans check previously saved files against

updated malware information.

Example
You work with your company’s email provider to enable enhanced protections that will scan

all attachments to identify and quarantine those that may be harmful prior to a user opening

them [c]. In addition, you configure antivirus software on each computer to scan for

malicious code every day [a,b]. The software also scans files that are downloaded or copied

from removable media such as USB drives. It quarantines any suspicious files and notifies

the security team [c].

Potential Assessment Considerations 

 Are files from media (e.g., USB drives, CD-ROM) included in the definition of external

sources and are they being scanned [c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.5 


 FAR Clause 52.204-21 b.1.xv








SI.L2-3.14.6 – Monitor Communications for Attacks

CMMC Assessment Guide – Level 2 | Version 2.13

258


SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS

Monitor organizational systems, including inbound and outbound communications traffic, to

detect attacks and indicators of potential attacks.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]229

Determine if:
[a] the system is monitored to detect attacks and indicators of potential attacks;
[b] inbound communications traffic is monitored to detect attacks and indicators of

potential attacks; and

[c] outbound communications traffic is monitored to detect attacks and indicators of

potential attacks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]229

Examine
[SELECT FROM: System and information integrity policy; procedures addressing system

monitoring tools and techniques; continuous monitoring strategy; system and information

integrity policy; procedures addressing system monitoring tools and techniques; facility

diagram or layout; system security plan; system monitoring tools and techniques

documentation; system design documentation; locations within system where monitoring

devices are deployed; system protocols; system configuration settings and associated

documentation; system audit logs and records; other relevant documents or records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility monitoring the system; personnel with responsibility for the intrusion

detection system].

Test
[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or

implementing intrusion detection capability and system monitoring; mechanisms

supporting or implementing system monitoring capability; organizational processes for

intrusion detection and system monitoring; mechanisms supporting or implementing the

monitoring of inbound and outbound communications traffic].


229 

NIST SP 800-171A, pp. 63-64.






SI.L2-3.14.6 – Monitor Communications for Attacks

CMMC Assessment Guide – Level 2 | Version 2.13

259


DISCUSSION [NIST SP 800-171 REV. 2]230

System monitoring includes external and internal monitoring. External monitoring includes

the observation of events occurring at the system boundary (i.e., part of perimeter defense

and boundary protection). Internal monitoring includes the observation of events occurring

within the system. Organizations can monitor systems, for example, by observing audit

record activities in real time or by observing other system aspects such as access patterns,

characteristics of access, and other actions. The monitoring objectives may guide

determination of the events. System monitoring capability is achieved through a variety of

tools and techniques (e.g., intrusion detection systems, intrusion prevention systems,

malicious code protection software, scanning tools, audit record monitoring software,

network monitoring software). Strategic locations for monitoring devices include selected

perimeter locations and near server farms supporting critical applications, with such devices

being employed at managed system interfaces. The granularity of monitoring information

collected is based on organizational monitoring objectives and the capability of systems to

support such objectives.
System monitoring is an integral part of continuous monitoring and incident response

programs. Output from system monitoring serves as input to continuous monitoring and

incident response programs. A network connection is any connection with a device that

communicates through a network (e.g., local area network, Internet). A remote connection

is any connection with a device communicating through an external network (e.g., the

Internet). Local, network, and remote connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound/outbound

communications traffic include internal traffic that indicates the presence of malicious code

in systems or propagating among system components, the unauthorized exporting of

information, or signaling to external systems. Evidence of malicious code is used to identify

potentially compromised systems or system components. System monitoring requirements,

including the need for specific types of system monitoring, may be referenced in other

requirements.
NIST SP 800-94 provides guidance on intrusion detection and prevention systems.

FURTHER DISCUSSION

Think of indicators of attack as a set of footprints an adversary leaves during an attack.

Indicators of attack provide information on the steps the adversary followed and its intent.

Indicators of attacks on organizational systems may include: 

 internal traffic that indicates the presence of malicious code; 


 anomalous activity detected during non-business hours; 


 unauthorized data leaving the organization; and 


 communicating to external information systems.


230 

NIST SP 800-171 Rev. 2, pp. 42-43.






SI.L2-3.14.6 – Monitor Communications for Attacks

CMMC Assessment Guide – Level 2 | Version 2.13

260


To detect attacks and indicators of attacks, deploy monitoring devices or agents. Place these

sensors at strategic points within the systems and networks to collect essential information.

Strategic points include internal and external system boundaries. Monitor both inbound

traffic and outbound traffic as well as actions on hosts.
This requirement, SI.L2-3.14.6, provides details for the communications of organizational

systems. SI.L2-3.14.6 supports the requirement AU.L2-3.3.1, which involves creating and

retaining records for monitoring, analysis, and investigations.

Example
It is your job to look for known indicators of attack or anomalous activity within your

systems and communications traffic [a,b,c]. Because these indicators can show up in a variety

of places on your network, you have created a checklist of places to check each week. These

include the office firewall logs, the audit logs of the file server where CUI is stored, and the

connection log for your VPN gateway [b].
You conduct additional reviews when you find an indicator, or something that does not

perform as it should [a].

Potential Assessment Considerations 

 Are details provided for the methodology of determining attacks and indicators of attack

[a]? 

 Are monitoring devices deployed within the information system to collect information

that may indicate an attack [a]? 

 Are communications traffic flows understood and is there a deployed capability to review

that traffic [b,c]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.6








SI.L2-3.14.7 – Identify Unauthorized Use

CMMC Assessment Guide – Level 2 | Version 2.13

261


SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE

Identify unauthorized use of organizational systems.

ASSESSMENT OBJECTIVES [NIST SP 800-171A]231

Determine if:
[a] authorized use of the system is defined; and
[b] unauthorized use of the system is identified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A]231

Examine
[SELECT FROM: Continuous monitoring strategy; system and information integrity policy;

procedures addressing system monitoring tools and techniques; facility diagram/layout;

system security plan; system design documentation; system monitoring tools and

techniques documentation; locations within system where monitoring devices are deployed;

system configuration settings and associated documentation; other relevant documents or

records].

Interview
[SELECT FROM: System or network administrators; personnel with information security

responsibilities; personnel installing, configuring, and maintaining the system; personnel

with responsibility for monitoring the system].

Test
[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or

implementing system monitoring capability].

DISCUSSION [NIST SP 800-171 REV. 2]232

System monitoring includes external and internal monitoring. System monitoring can detect

unauthorized use of organizational systems. System monitoring is an integral part of

continuous monitoring and incident response programs. Monitoring is achieved through a

variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention

systems, malicious code protection software, scanning tools, audit record monitoring

software, network monitoring software). Output from system monitoring serves as input to

continuous monitoring and incident response programs.
Unusual/unauthorized activities or conditions related to inbound and outbound

communications traffic include internal traffic that indicates the presence of malicious code

in systems or propagating among system components, the unauthorized exporting of


231 

NIST SP 800-171A, p. 64.

232 

NIST SP 800-171 Rev. 2, p. 43.






SI.L2-3.14.7 – Identify Unauthorized Use

CMMC Assessment Guide – Level 2 | Version 2.13

262


information, or signaling to external systems. Evidence of malicious code is used to identify

potentially compromised systems or system components. System monitoring requirements,

including the need for specific types of system monitoring, may be referenced in other

requirements.
NIST SP 800-94 provides guidance on intrusion detection and prevention systems.

FURTHER DISCUSSION

Define authorized use of your systems. Create an acceptable use policy to establish the

baseline for how users access devices, internal network services, and the internet. Define

authorized use by specific roles such as: user, administrator, and technician. After authorized

use is defined, identify unauthorized use of systems.
Monitor systems by observing audit activities from the system logs. This can be

accomplished in real time using automated solutions or by manual means. To identify

unauthorized use, leverage existing tools and techniques, such as: 

 intrusion detection systems; 


 intrusion prevention systems; 


 malicious code protection software; 


 scanning tools; 


 audit record monitoring software; and 


 network monitoring software.

This requirement, SI.L2-3.14.7, which deals with identifying unauthorized use of

organizational systems, is related to requirements: AC.L2-3.1.1, AU.L2-3.3.1, IA.L2-3.5.1,

and IA.L2-3.5.2. All of these requirements help create the building blocks that support

SI.L2-3.14.7.

Example 1
You are in charge of IT operations. You need to ensure that everyone using an organizational

system is authorized to do so and conforms to the written authorized use policy. To do this,

you deploy an application that monitors user activity and records the information for later

analysis. You review the data from this application for signs of activity that does not conform

to the acceptable use policy [a,b].

Example 2
You are alerted through your Intrusion Detection System (IDS) that one of your users is

connecting to a server that is from a high-risk domain (based on your commercial domain

reputation service). You investigate and determine that it’s not the user, but instead an

unauthorized connection attempt [b]. You add the domain to your list of blocked domains

to prevent connections in the future.






SI.L2-3.14.7 – Identify Unauthorized Use

CMMC Assessment Guide – Level 2 | Version 2.13

263


Potential Assessment Considerations 

 Is authorized use of systems defined (e.g., data types permitted for storage or processing,

personnel authorized to access, times or days of permitted use, permitted software) [a]? 

 Is unauthorized use of systems defined (e.g., not authorized to use systems for bitcoin

mining, not authorized for pornographic content, not authorized to access gambling

games/content) [b]?

KEY REFERENCES 

 NIST SP 800-171 Rev. 2 3.14.7







Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 2 | Version 2.13

264


Appendix A – Acronyms and Abbreviations

AC

Access Control

AES

Advanced Encryption Standard

API

Application Programming Interface

AT

Awareness and Training

AU

Audit and Accountability

C3PAO

CMMC Third-Party Assessment Organization

CA

Security Assessment

CD-ROM

Compact Disk Read-Only Memory

CFR

Code of Federal Regulations

CM

Configuration Management

CMMC

Cybersecurity Maturity Model Certification

CMVP

Cryptographic Module Validation Program

CUI

Controlled Unclassified Information

CVE

Common Vulnerabilities and Exposures

CWE

Common Weakness Enumeration

DCMA

Defense Contract Management Agency

DFARS

Defense Federal Acquisition Regulation Supplement

DHC

Device Health Check

DIBCAC

Defense Industrial Base Cybersecurity Assessment Center

DMZ

Demilitarized Zone

DoD

Department of Defense

DVD

Digital Versatile Disc or Digital Video Disc

ESP

External Service Provider

FAQ

Frequently Asked Question

FAR

Federal Acquisition Regulation

FDDI

Fiber Distributed Data Interface

FDE

Full Disk Encryption

FIPS

Federal Information Processing Standard

FTP

File Transfer Protocol

IA

Identification and Authentication

ID

Identification

IDS

Intrusion Detection System






Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 2 | Version 2.13

265


IoT

Internet of Things

IP

Internet Protocol

IPSec

Internet Protocol Security

IR

Incident Response

ISAC

Information Sharing and Analysis Center

ISDN

Integrated Services Digital Network

IT

Information Technology

LAN

Local Area Network

MA

Maintenance

MAC

Media Access Control

MDM

Mobile Device Management

MFA

Multifactor Authentication

MP

Media Protection

NARA

National Archives and Records Administration

NAS

Networked Attached Storage

NIST

National Institute of Standards and Technology

NSA

National Security Agency

NTP

Network Time Protocol

OS

Operating System

OSA

Organization Seeking Assessment

OSC

Organization Seeking Certification

OT

Operational Technology

PDA

Personal Digital Assistant

PE

Physical Protection

PIV

Personal Identity Verification

PKI

Public Key Infrastructure

POTS

Plain Old Telephone Service

PS

Personnel Security

RADIUS

Remote Authentication Dial-in User Service

RA

Risk Assessment

SC

System and Communications Protection

SI

System and Information Integrity

SMS

Short Message Service

SOC

Security Operations Center






Appendix A – Acronyms and Abbreviations

CMMC Assessment Guide – Level 2 | Version 2.13

266


SP

Special Publication

SSP

System Security Plan

TLS

Transport Layer Security

URL

Universal Resource Locator (aka Uniform Resource Locator)

USB

Universal Serial Bus

UTC

Coordinated Universal Time

UUENCODE Unix-to-Unix Encode
VLAN

Virtual Local Area Network

VoIP

Voice over Internet Protocol

VPN

Virtual Private Network

WPA2-PSK WiFi Protected Access-Pre-shared Key







CMMC Assessment Guide – Level 2 | Version 2.13

267



This page intentionally left blank.











Document Outline


Original source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf

Retrieved from "https://cmmcwiki.org/index.php?title=Level_2_Assessment_Guide&oldid=692"