Level 2 Assessment Guide
Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.
Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 – Authorized Access Control
SECURITY REQUIREMENT
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ASSESSMENT OBJECTIVES

AC.L1-3.1.2 – Transaction & Function Control
SECURITY REQUIREMENT
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
ASSESSMENT OBJECTIVES

AC.L1-3.1.20 – External Connections
SECURITY REQUIREMENT
Verify and control/limit connections to and use of external information systems.
ASSESSMENT OBJECTIVES

AC.L1-3.1.22 – Control Public Information
SECURITY REQUIREMENT
Control information posted or processed on publicly accessible information systems.
ASSESSMENT OBJECTIVES

Level 2 AC Practices

AC.L2-3.1.3 – Control CUI Flow
SECURITY REQUIREMENT
Control the flow of CUI in accordance with approved authorizations.
ASSESSMENT OBJECTIVES

AC.L2-3.1.4 – Separation of Duties
SECURITY REQUIREMENT
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
ASSESSMENT OBJECTIVES

AC.L2-3.1.5 – Least Privilege
SECURITY REQUIREMENT
Employ the principle of least privilege, including for specific security functions and privileged accounts.
ASSESSMENT OBJECTIVES

AC.L2-3.1.6 – Non-Privileged Account Use
SECURITY REQUIREMENT
Use non-privileged accounts or roles when accessing nonsecurity functions.
ASSESSMENT OBJECTIVES

AC.L2-3.1.7 – Privileged Functions
SECURITY REQUIREMENT
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
ASSESSMENT OBJECTIVES

AC.L2-3.1.8 – Unsuccessful Logon Attempts
SECURITY REQUIREMENT
Limit unsuccessful logon attempts.
ASSESSMENT OBJECTIVES

AC.L2-3.1.9 – Privacy & Security Notices
SECURITY REQUIREMENT
Provide privacy and security notices consistent with applicable CUI rules.
ASSESSMENT OBJECTIVES

AC.L2-3.1.10 – Session Lock
SECURITY REQUIREMENT
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
ASSESSMENT OBJECTIVES

AC.L2-3.1.11 – Session Termination
SECURITY REQUIREMENT
Terminate (automatically) a user session after a defined condition.
ASSESSMENT OBJECTIVES

AC.L2-3.1.12 – Control Remote Access
SECURITY REQUIREMENT
Monitor and control remote access sessions.
ASSESSMENT OBJECTIVES

AC.L2-3.1.13 – Remote Access Confidentiality
SECURITY REQUIREMENT
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
ASSESSMENT OBJECTIVES

AC.L2-3.1.14 – Remote Access Routing
SECURITY REQUIREMENT
Route remote access via managed access control points.
ASSESSMENT OBJECTIVES

AC.L2-3.1.15 – Privileged Remote Access
SECURITY REQUIREMENT
Authorize remote execution of privileged commands and remote access to security-relevant information.
ASSESSMENT OBJECTIVES

AC.L2-3.1.16 – Wireless Access Authorization
SECURITY REQUIREMENT
Authorize wireless access prior to allowing such connections.
ASSESSMENT OBJECTIVES

AC.L2-3.1.17 – Wireless Access Protection
SECURITY REQUIREMENT
Protect wireless access using authentication and encryption.
ASSESSMENT OBJECTIVES

AC.L2-3.1.18 – Mobile Device Connection
SECURITY REQUIREMENT
Control connection of mobile devices.
ASSESSMENT OBJECTIVES

AC.L2-3.1.19 – Encrypt CUI on Mobile
SECURITY REQUIREMENT
Encrypt CUI on mobile devices and mobile computing platforms.
ASSESSMENT OBJECTIVES

AC.L2-3.1.21 – Portable Storage Use
SECURITY REQUIREMENT
Limit use of portable storage devices on external systems.
ASSESSMENT OBJECTIVES
Awareness and Training (AT)

Level 2 AT Practices

AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS
SECURITY REQUIREMENT
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
ASSESSMENT OBJECTIVES

AT.L2-3.2.2 – ROLE-BASED TRAINING
SECURITY REQUIREMENT
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
ASSESSMENT OBJECTIVES
designated personnel; and

AT.L2-3.2.3 – INSIDER THREAT AWARENESS
SECURITY REQUIREMENT
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
ASSESSMENT OBJECTIVES
Audit and Accountability (AU)

Level 2 AU Practices

AU.L2-3.3.1 – SYSTEM AUDITING
SECURITY REQUIREMENT
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
ASSESSMENT OBJECTIVES
investigation, and reporting of unlawful or unauthorized system activity are specified;
[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;

AU.L2-3.3.2 – USER ACCOUNTABILITY
SECURITY REQUIREMENT
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
ASSESSMENT OBJECTIVES
their actions is defined; and

AU.L2-3.3.3 – EVENT REVIEW
SECURITY REQUIREMENT
Review and update logged events.
ASSESSMENT OBJECTIVES
and

AU.L2-3.3.4 – AUDIT FAILURE ALERTING
SECURITY REQUIREMENT
Alert in the event of an audit logging process failure.
ASSESSMENT OBJECTIVES
identified;

AU.L2-3.3.5 – AUDIT CORRELATION
SECURITY REQUIREMENT
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
ASSESSMENT OBJECTIVES
indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and

AU.L2-3.3.6 – REDUCTION & REPORTING
SECURITY REQUIREMENT
Provide audit record reduction and report generation to support on-demand analysis and reporting.
ASSESSMENT OBJECTIVES

AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE
SECURITY REQUIREMENT
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
ASSESSMENT OBJECTIVES
is specified; and
and synchronized with the specified authoritative time source.

AU.L2-3.3.8 – AUDIT PROTECTION
SECURITY REQUIREMENT
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
ASSESSMENT OBJECTIVES

AU.L2-3.3.9 – AUDIT MANAGEMENT
SECURITY REQUIREMENT
Limit management of audit logging functionality to a subset of privileged users.
ASSESSMENT OBJECTIVES
defined; and
users.
Configuration Management (CM)

Level 2 CM Practices

CM.L2-3.4.1 – SYSTEM BASELINING
SECURITY REQUIREMENT
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
ASSESSMENT OBJECTIVES
system development life cycle;
development life cycle.

CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT
SECURITY REQUIREMENT
Establish and enforce security configuration settings for information technology products employed in organizational systems.
ASSESSMENT OBJECTIVES
system are established and included in the baseline configuration; and
system are enforced.

CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT
SECURITY REQUIREMENT
Track, review, approve or disapprove, and log changes to organizational systems.
ASSESSMENT OBJECTIVES

CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS
SECURITY REQUIREMENT
Analyze the security impact of changes prior to implementation.
ASSESSMENT OBJECTIVES

CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE
SECURITY REQUIREMENT
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
ASSESSMENT OBJECTIVES

CM.L2-3.4.6 – LEAST FUNCTIONALITY
SECURITY REQUIREMENT
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
ASSESSMENT OBJECTIVES
and

CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY
SECURITY REQUIREMENT
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
ASSESSMENT OBJECTIVES

CM.L2-3.4.8 – APPLICATION EXECUTION POLICY
SECURITY REQUIREMENT
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
ASSESSMENT OBJECTIVES
specified;
specified; and
use of unauthorized software is implemented as specified.

CM.L2-3.4.9 – USER-INSTALLED SOFTWARE
SECURITY REQUIREMENT
Control and monitor user-installed software.
ASSESSMENT OBJECTIVES
Identification and Authentication (IA)

Level 1 IA Practices

IA.L1-3.5.1 – IDENTIFICATION
SECURITY REQUIREMENT
Identify information system users, processes acting on behalf of users, or devices.
ASSESSMENT OBJECTIVES

IA.L1-3.5.2 – AUTHENTICATION
SECURITY REQUIREMENT
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
ASSESSMENT OBJECTIVES
prerequisite to system access; and
verified as a prerequisite to system access.

Level 2 IA Practices

IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION
SECURITY REQUIREMENT
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
ASSESSMENT OBJECTIVES
and
accounts.

IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION
SECURITY REQUIREMENT
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
ASSESSMENT OBJECTIVES
access to privileged and non-privileged accounts.

IA.L2-3.5.5 – IDENTIFIER REUSE
SECURITY REQUIREMENT
Prevent reuse of identifiers for a defined period.
ASSESSMENT OBJECTIVES

IA.L2-3.5.6 – IDENTIFIER HANDLING
SECURITY REQUIREMENT
Disable identifiers after a defined period of inactivity.
ASSESSMENT OBJECTIVES

IA.L2-3.5.7 – PASSWORD COMPLEXITY
SECURITY REQUIREMENT
Enforce a minimum password complexity and change of characters when new passwords are created.
ASSESSMENT OBJECTIVES
passwords are created; and
new passwords are created.

IA.L2-3.5.8 – PASSWORD REUSE
SECURITY REQUIREMENT
Prohibit password reuse for a specified number of generations.
ASSESSMENT OBJECTIVES

IA.L2-3.5.9 – TEMPORARY PASSWORDS
SECURITY REQUIREMENT
Allow temporary password use for system logons with an immediate change to a permanent password.
ASSESSMENT OBJECTIVES
is used for system logon.

IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS
SECURITY REQUIREMENT
Store and transmit only cryptographically-protected passwords.
ASSESSMENT OBJECTIVES

IA.L2-3.5.11 – OBSCURE FEEDBACK
SECURITY REQUIREMENT
Obscure feedback of authentication information.
ASSESSMENT OBJECTIVES
Incident Response (IR)

Level 2 IR Practices

IR.L2-3.6.1 – INCIDENT HANDLING
SECURITY REQUIREMENT
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
ASSESSMENT OBJECTIVES

IR.L2-3.6.2 – INCIDENT REPORTING
SECURITY REQUIREMENT
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
ASSESSMENT OBJECTIVES

IR.L2-3.6.3 – INCIDENT RESPONSE TESTING
SECURITY REQUIREMENT
Test the organizational incident response capability.
ASSESSMENT OBJECTIVES
Maintenance (MA)

Level 2 MA Practices

MA.L2-3.7.1 – PERFORM MAINTENANCE
SECURITY REQUIREMENT
Perform maintenance on organizational systems.
ASSESSMENT OBJECTIVES

MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL
SECURITY REQUIREMENT
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
ASSESSMENT OBJECTIVES

MA.L2-3.7.3 – EQUIPMENT SANITIZATION
SECURITY REQUIREMENT
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
ASSESSMENT OBJECTIVES
sanitized of any CUI.

MA.L2-3.7.4 – MEDIA INSPECTION
SECURITY REQUIREMENT
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
ASSESSMENT OBJECTIVES
being used in organizational systems that process, store, or transmit CUI.

MA.L2-3.7.5 – NONLOCAL MAINTENANCE
SECURITY REQUIREMENT
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
ASSESSMENT OBJECTIVES
external network connections; and
terminated when nonlocal maintenance is complete.

MA.L2-3.7.6 – MAINTENANCE PERSONNEL
SECURITY REQUIREMENT
Supervise the maintenance activities of maintenance personnel without required access authorization.
ASSESSMENT OBJECTIVES
maintenance activities.
Media Protection (MP)

Level 1 MP Practices

MP.L1-3.8.3 – MEDIA DISPOSAL
SECURITY REQUIREMENT
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
ASSESSMENT OBJECTIVES

Level 2 MP Practices

MP.L2-3.8.1 – MEDIA PROTECTION
SECURITY REQUIREMENT
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
ASSESSMENT OBJECTIVES

MP.L2-3.8.2 – MEDIA ACCESS
SECURITY REQUIREMENT
Limit access to CUI on system media to authorized users.
ASSESSMENT OBJECTIVES

MP.L2-3.8.4 – MEDIA MARKINGS
SECURITY REQUIREMENT
Mark media with necessary CUI markings and distribution limitations.
ASSESSMENT OBJECTIVES

MP.L2-3.8.5 – MEDIA ACCOUNTABILITY
SECURITY REQUIREMENT
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
ASSESSMENT OBJECTIVES
controlled areas.

MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION
SECURITY REQUIREMENT
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES
cryptographic mechanisms or alternative physical safeguards.

MP.L2-3.8.7 – REMOVABLE MEDIA
SECURITY REQUIREMENT
Control the use of removable media on system components.
ASSESSMENT OBJECTIVES

MP.L2-3.8.8 – SHARED MEDIA
SECURITY REQUIREMENT
Prohibit the use of portable storage devices when such devices have no identifiable owner.
ASSESSMENT OBJECTIVES
[a] the use of portable storage devices is prohibited when such devices have no identifiable owner.

MP.L2-3.8.9 – PROTECT BACKUPS
SECURITY REQUIREMENT
Protect the confidentiality of backup CUI at storage locations.
ASSESSMENT OBJECTIVES
Personnel Security (PS)

Level 2 PS Practices

PS.L2-3.9.1 – SCREEN INDIVIDUALS
SECURITY REQUIREMENT
Screen individuals prior to authorizing access to organizational systems containing CUI.
ASSESSMENT OBJECTIVES
containing CUI.

PS.L2-3.9.2 – PERSONNEL ACTIONS
SECURITY REQUIREMENT
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
ASSESSMENT OBJECTIVES
with personnel actions is established;
termination or transfer; and
Physical Protection (PE)

Level 1 PE Practices

PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS
SECURITY REQUIREMENT
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
ASSESSMENT OBJECTIVES

PE.L1-3.10.3 – ESCORT VISITORS
SECURITY REQUIREMENT
Escort visitors and monitor visitor activity.
ASSESSMENT OBJECTIVES

PE.L1-3.10.4 – PHYSICAL ACCESS LOGS
SECURITY REQUIREMENT
Maintain audit logs of physical access.
ASSESSMENT OBJECTIVES

PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS
SECURITY REQUIREMENT
Control and manage physical access devices.
ASSESSMENT OBJECTIVES

Level 2 PE Practices

PE.L2-3.10.2 – MONITOR FACILITY
SECURITY REQUIREMENT
Protect and monitor the physical facility and support infrastructure for organizational systems.
ASSESSMENT OBJECTIVES

PE.L2-3.10.6 – ALTERNATIVE WORK SITES
SECURITY REQUIREMENT
Enforce safeguarding measures for CUI at alternate work sites.
ASSESSMENT OBJECTIVES
Risk Assessment (RA)

Level 2 RA Practices

RA.L2-3.11.1 – RISK ASSESSMENTS
SECURITY REQUIREMENT
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
ASSESSMENT OBJECTIVES
individuals is defined; and
the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.

RA.L2-3.11.2 – VULNERABILITY SCAN
SECURITY REQUIREMENT
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
ASSESSMENT OBJECTIVES
defined;
frequency;
are identified; and
identified.

RA.L2-3.11.3 – VULNERABILITY REMEDIATION
SECURITY REQUIREMENT
Remediate vulnerabilities in accordance with risk assessments.
ASSESSMENT OBJECTIVES
Security Assessment (CA)

Level 2 CA Practices

CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT
SECURITY REQUIREMENT
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
ASSESSMENT OBJECTIVES
are effective in their application.

CA.L2-3.12.2 – PLAN OF ACTION
SECURITY REQUIREMENT
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
ASSESSMENT OBJECTIVES
identified vulnerabilities; and
eliminate identified vulnerabilities.

CA.L2-3.12.3 – SECURITY CONTROL MONITORING
SECURITY REQUIREMENT
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
ASSESSMENT OBJECTIVES
effectiveness of those controls.

CA.L2-3.12.4 – SYSTEM SECURITY PLAN
SECURITY REQUIREMENT
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
ASSESSMENT OBJECTIVES
security plan;
non-applicable are identified;
the system security plan;
the system security plan;
System and Communications Protection (SC)

Level 1 SC Practices

SC.L1-3.13.1 – BOUNDARY PROTECTION
SECURITY REQUIREMENT
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
ASSESSMENT OBJECTIVES

SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION
SECURITY REQUIREMENT
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
ASSESSMENT OBJECTIVES
separated from internal networks.

Level 2 SC Practices

SC.L2-3.13.2 – SECURITY ENGINEERING
SECURITY REQUIREMENT
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
ASSESSMENT OBJECTIVES
identified;
identified;
employed;
security are employed; and
are employed.

SC.L2-3.13.3 – ROLE SEPARATION
SECURITY REQUIREMENT
Separate user functionality from system management functionality.
ASSESSMENT OBJECTIVES

SC.L2-3.13.4 – SHARED RESOURCE CONTROL
SECURITY REQUIREMENT
Prevent unauthorized and unintended information transfer via shared system resources.
ASSESSMENT OBJECTIVES
prevented.

SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION
SECURITY REQUIREMENT
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
ASSESSMENT OBJECTIVES

SC.L2-3.13.7 – SPLIT TUNNELING
SECURITY REQUIREMENT
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
ASSESSMENT OBJECTIVES
connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).

SC.L2-3.13.8 – DATA IN TRANSIT
SECURITY REQUIREMENT
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVES
identified;
identified; and
to prevent unauthorized disclosure of CUI during transmission.

SC.L2-3.13.9 – CONNECTIONS TERMINATION
SECURITY REQUIREMENT
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
ASSESSMENT OBJECTIVES
communications sessions is defined;
end of the sessions; and
defined period of inactivity.

SC.L2-3.13.10 – KEY MANAGEMENT
SECURITY REQUIREMENT
Establish and manage cryptographic keys for cryptography employed in organizational systems.
ASSESSMENT OBJECTIVES

SC.L2-3.13.11 – CUI ENCRYPTION
SECURITY REQUIREMENT
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
ASSESSMENT OBJECTIVES

SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL
SECURITY REQUIREMENT
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
ASSESSMENT OBJECTIVES

SC.L2-3.13.13 – MOBILE CODE
SECURITY REQUIREMENT
Control and monitor the use of mobile code.
ASSESSMENT OBJECTIVES

SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL
SECURITY REQUIREMENT
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
ASSESSMENT OBJECTIVES

SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY
SECURITY REQUIREMENT
Protect the authenticity of communications sessions.
ASSESSMENT OBJECTIVES

SC.L2-3.13.16 – DATA AT REST
SECURITY REQUIREMENT
Protect the confidentiality of CUI at rest.
ASSESSMENT OBJECTIVES
System and Information Integrity (SI)

Level 1 SI Practices

SI.L1-3.14.1 – FLAW REMEDIATION
SECURITY REQUIREMENT
Identify, report, and correct information and information system flaws in a timely manner.
ASSESSMENT OBJECTIVES

SI.L1-3.14.2 – MALICIOUS CODE PROTECTION
SECURITY REQUIREMENT
Provide protection from malicious code at appropriate locations within organizational information systems.
ASSESSMENT OBJECTIVES

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION
SECURITY REQUIREMENT
Update malicious code protection mechanisms when new releases are available.
ASSESSMENT OBJECTIVES

SI.L1-3.14.5 – SYSTEM & FILE SCANNING
SECURITY REQUIREMENT
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
ASSESSMENT OBJECTIVES
opened, or executed are performed.

Level 2 SI Practices

SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES
SECURITY REQUIREMENT
Monitor system security alerts and advisories and take action in response.
ASSESSMENT OBJECTIVES

SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS
SECURITY REQUIREMENT
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
ASSESSMENT OBJECTIVES
potential attacks; and
potential attacks.

SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE
SECURITY REQUIREMENT
Identify unauthorized use of organizational systems.
ASSESSMENT OBJECTIVES