Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.
Access Control (AC)
Level 1 AC Practices
AC.L1-3.1.1 - Authorized Access Control
SECURITY REQUIREMENT
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
ASSESSMENT OBJECTIVES
- [a] authorized users are identified;
- [b] processes acting on behalf of authorized users are identified;
- [c] devices (and other systems) authorized to connect to the system are identified;
- [d] system access is limited to authorized users;
- [e] system access is limited to processes acting on behalf of authorized users; and
- [f] system access is limited to authorized devices (including other systems).
AC.L1-3.1.2 - Transaction & Function Control
SECURITY REQUIREMENT
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
ASSESSMENT OBJECTIVES
- [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
- [b] system access is limited to the defined types of transactions and functions for authorized users.
AC.L1-3.1.20 - External Connections
SECURITY REQUIREMENT
Verify and control/limit connections to and use of external information systems.
ASSESSMENT OBJECTIVES
- [a] connections to external systems are identified;
- [b] the use of external systems is identified;
- [c] connections to external systems are verified;
- [d] the use of external systems is verified;
- [e] connections to external systems are controlled/limited; and
- [f] the use of external systems is controlled/limited.
AC.L1-3.1.22 - Control Public Information
SECURITY REQUIREMENT
Control information posted or processed on publicly accessible information systems.
ASSESSMENT OBJECTIVES
- [a] individuals authorized to post or process information on publicly accessible systems are identified;
- [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
- [c] a review process is in place prior to posting of any content to publicly accessible systems;
- [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
- [e] mechanisms are in place to remove and address improper posting of FCI.
Level 2 AC Practices
Awareness and Training (AT)
Level 2 AT Practices
Audit and Accountability (AU)
Level 2 AU Practices
Configuration Management (CM)
Level 2 CM Practices
Identification and Authentication (IA)
Level 1 IA Practices
Level 2 IA Practices
Incident Response (IR)
Level 2 IR Practices
Maintenance (MA)
Level 2 MA Practices
Media Protection (MP)
Level 1 MP Practices
Level 2 MP Practices
Personnel Security (PS)
Level 2 PS Practices
Physical Protection (PE)
Level 1 PE Practices
Level 2 PE Practices
Risk Assessment (RA)
Level 2 RA Practices
Security Assessment (CA)
Level 2 CA Practices
System and Communications Protection (SC)
Level 1 SC Practices
Level 2 SC Practices
System and Information Integrity (SI)
Level 1 SI Practices
Level 2 SI Practices