The experimental Commonly Accepted and Practiced CMMC Operation Matrix (CAPCOM) serves as a repository for all CMMC Level 2 security requirements, assessment objectives, and AI-enhanced methodologies for evidence collection and evaluation.
Powered by Claude's advanced Large Language Model technology, CAPCOM provides guidance for evaluating information system compliance with the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. Security professionals and IT leaders can leverage this AI-enhanced model to systematically identify gaps between their organizational infrastructure and CMMC requirements, enabling strategic remediation planning and implementation.
DISCLAIMER: The LLM-based AI is pretty cool, but it can also create erroneous responses. Always double-check a response before using it.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Access Control (AC)
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
AC.L2-3.1.2 – Transaction & Function Control [CUI Data]
AC.L2-3.1.3 – Control CUI Flow
AC.L2-3.1.4 – Separation of Duties
Practice and Assessment Objectives | LLM Prompt | LLM Response
AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Sample Prompt Template | N/A
[a] the duties of individuals requiring separation are defined. | Sample Prompt | Sample Response
[b] responsibilities for duties that require separation are assigned to separate individuals. | Sample Prompt | Sample Response
[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. | |
More Practice Details...
AC.L2-3.1.5 – Least Privilege
AC.L2-3.1.6 – Non-Privileged Account Use
AC.L2-3.1.7 – Privileged Functions
AC.L2-3.1.8 – Unsuccessful Logon Attempts
AC.L2-3.1.9 – Privacy & Security Notices
AC.L2-3.1.10 – Session Lock
Practice and Assessment Objectives | LLM Prompt | LLM Response
AC.L2-3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | Sample Prompt Template | N/A
[a] the period of inactivity after which the system initiates a session lock is defined. | Sample Prompt | Sample Response
[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. | Sample Prompt | Sample Response
[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | |
More Practice Details...
AC.L2-3.1.11 – Session Termination
AC.L2-3.1.12 – Control Remote Access
AC.L2-3.1.13 – Remote Access Confidentiality
Practice and Assessment Objectives | LLM Prompt | LLM Response
AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Sample Prompt Template | N/A
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. | Sample Prompt | Sample Response
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | |
More Practice Details...
AC.L2-3.1.14 – Remote Access Routing
Practice and Assessment Objectives | LLM Prompt | LLM Response
AC.L2-3.1.14 Route remote access via managed access control points. | Sample Prompt Template | N/A
[a] managed access control points are identified and implemented; and | |
[b] remote access is routed through managed network access control points. | |
More Practice Details...
AC.L2-3.1.15 – Privileged Remote Access
AC.L2-3.1.16 – Wireless Access Authorization
AC.L2-3.1.17 – Wireless Access Protection
AC.L2-3.1.18 – Mobile Device Connection
AC.L2-3.1.19 – Encrypt CUI on Mobile
AC.L2-3.1.20 – External Connections [CUI Data]
AC.L2-3.1.21 – Portable Storage Use
AC.L2-3.1.22 – Control Public Information [CUI Data]
Awareness and Training (AT)
AT.L2-3.2.1 – Role-Based Risk Awareness
Practice and Assessment Objectives | LLM Prompt | LLM Response
AT.L2-3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | Sample Prompt Template | N/A
[a] security risks associated with organizational activities involving CUI are identified. | Sample Prompt | Sample Response
[b] policies, standards, and procedures related to the security of the system are identified. | Sample Prompt | Sample Response
[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. | Sample Prompt | Sample Response
[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. | |
More Practice Details...
AT.L2-3.2.2 – Role-Based Training
Practice and Assessment Objectives | LLM Prompt | LLM Response
AT.L2-3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | |
[a] information security-related duties, roles, and responsibilities are defined. | Sample Prompt | Sample Response
[b] information security-related duties, roles, and responsibilities are assigned to designated personnel. | Sample Prompt | Sample Response
[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. | |
More Practice Details...
AT.L2-3.2.3 – Insider Threat Awareness
Practice and Assessment Objectives | LLM Prompt | LLM Response
AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. | Sample Prompt Template | N/A
[a] potential indicators associated with insider threats are identified; and | |
[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. | |
More Practice Details...
Audit and Accountability (AU)
AU.L2-3.3.1 – System Auditing
Practice and Assessment Objectives | LLM Prompt | LLM Response
AU.L2-3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Sample Prompt Template | N/A
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. | Sample Prompt | Sample Response
[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. | Sample Prompt | Sample Response
[c] audit records are created (generated). | Sample Prompt | Sample Response
[d] audit records, once created, contain the defined content. | Sample Prompt | Sample Response
[e] retention requirements for audit records are defined; and | |
[f] audit records are retained as defined. | |
More Practice Details...
AU.L2-3.3.2 – User Accountability
Practice and Assessment Objectives | LLM Prompt | LLM Response
AU.L2-3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Sample Prompt Template | N/A
[a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and | |
[b] audit records, once created, contain the defined content. | |
More Practice Details...
AU.L2-3.3.3 – Event Review
AU.L2-3.3.4 – Audit Failure Alerting
Practice and Assessment Objectives | LLM Prompt | LLM Response
AU.L2-3.3.4 Alert in the event of an audit logging process failure. | Sample Prompt Template | N/A
[a] personnel or roles to be alerted in the event of an audit logging process failure are identified. | Sample Prompt | Sample Response
[b] types of audit logging process failures for which an alert will be generated are defined; and | |
[c] identified personnel or roles are alerted in the event of an audit logging process failure. | |
More Practice Details...
AU.L2-3.3.5 – Audit Correlation
Practice and Assessment Objectives | LLM Prompt | LLM Response
AU.L2-3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Sample Prompt Template | N/A
[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. | Sample Prompt | Sample Response
[b] defined audit record review, analysis, and reporting processes are correlated. | |
More Practice Details...
AU.L2-3.3.6 – Reduction & Reporting
AU.L2-3.3.7 – Authoritative Time Source
Practice and Assessment Objectives | LLM Prompt | LLM Response
AU.L2-3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | Sample Prompt Template | N/A
[a] internal system clocks are used to generate time stamps for audit records. | Sample Prompt | Sample Response
[b] an authoritative source with which to compare and synchronize internal system clocks is specified. | Sample Prompt | Sample Response
[c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. | |
More Practice Details...
AU.L2-3.3.8 – Audit Protection
AU.L2-3.3.9 – Audit Management
Practice and Assessment Objectives | LLM Prompt | LLM Response
AU.L2-3.3.9 Limit management of audit logging functionality to a subset of privileged users. | Sample Prompt Template | N/A
[a] a subset of privileged users granted access to manage audit logging functionality is defined. | Sample Prompt | Sample Response
[b] management of audit logging functionality is limited to the defined subset of privileged users. | |
More Practice Details...
Configuration Management (CM)
CM.L2-3.4.1 – System Baselining
CM.L2-3.4.2 – Security Configuration Enforcement
Practice and Assessment Objectives | LLM Prompt | LLM Response
CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. | Sample Prompt Template | N/A
[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. | Sample Prompt | Sample Response
[b] security configuration settings for information technology products employed in the system are enforced. | |
More Practice Details...
CM.L2-3.4.3 – System Change Management
CM.L2-3.4.4 – Security Impact Analysis
CM.L2-3.4.5 – Access Restrictions for Change
CM.L2-3.4.6 – Least Functionality
Practice and Assessment Objectives | LLM Prompt | LLM Response
CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Sample Prompt Template | N/A
[a] essential system capabilities are defined based on the principle of least functionality. | Sample Prompt | Sample Response
[b] the system is configured to provide only the defined essential capabilities. | |
More Practice Details...
CM.L2-3.4.7 – Nonessential Functionality
Practice and Assessment Objectives | LLM Prompt | LLM Response
CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Sample Prompt Template | N/A
[a] essential programs are defined. | Sample Prompt | Sample Response
[b] the use of nonessential programs is defined. | Sample Prompt | Sample Response
[c] the use of nonessential programs is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response
[d] essential functions are defined. | Sample Prompt | Sample Response
[e] the use of nonessential functions is defined. | Sample Prompt | Sample Response
[f] the use of nonessential functions is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response
[g] essential ports are defined. | Sample Prompt | Sample Response
[h] the use of nonessential ports is defined. | Sample Prompt | Sample Response
[i] the use of nonessential ports is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response
[j] essential protocols are defined. | Sample Prompt | Sample Response
[k] the use of nonessential protocols is defined. | Sample Prompt | Sample Response
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined. | Sample Prompt | Sample Response
[m] essential services are defined. | Sample Prompt | Sample Response
[n] the use of nonessential services is defined. | Sample Prompt | Sample Response
[o] the use of nonessential services is restricted, disabled, or prevented as defined. | |
More Practice Details...
CM.L2-3.4.8 – Application Execution Policy
Practice and Assessment Objectives | LLM Prompt | LLM Response
CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | Sample Prompt Template | N/A
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. | Sample Prompt | Sample Response
[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. | Sample Prompt | Sample Response
[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. | |
More Practice Details...
CM.L2-3.4.9 – User-Installed Software
Identification and Authentication (IA)
IA.L2-3.5.1 – Identification [CUI Data]
IA.L2-3.5.2 – Authentication [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
IA.L2-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | Sample Prompt Template | N/A
[a] the identity of each user is authenticated or verified as a prerequisite to system access. | Sample Prompt | Sample Response
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. | Sample Prompt | Sample Response
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | |
More Practice Details...
IA.L2-3.5.3 – Multifactor Authentication
IA.L2-3.5.4 – Replay-Resistant Authentication
Practice and Assessment Objectives | LLM Prompt | LLM Response
IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Sample Prompt Template | N/A
[a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. | |
More Practice Details...
IA.L2-3.5.5 – Identifier Reuse
IA.L2-3.5.6 – Identifier Handling
IA.L2-3.5.7 – Password Complexity
IA.L2-3.5.8 – Password Reuse
Practice and Assessment Objectives | LLM Prompt | LLM Response
IA.L2-3.5.8 Prohibit password reuse for a specified number of generations. | Sample Prompt Template | N/A
[a] the number of generations during which a password cannot be reused is specified; and | |
[b] reuse of passwords is prohibited during the specified number of generations. | |
More Practice Details...
IA.L2-3.5.9 – Temporary Passwords
Practice and Assessment Objectives | LLM Prompt | LLM Response
IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. | Sample Prompt Template | N/A
[a] an immediate change to a permanent password is required when a temporary password is used for system logon. | |
More Practice Details...
IA.L2-3.5.10 – Cryptographically-Protected Passwords
IA.L2-3.5.11 – Obscure Feedback
Incident Response (IR)
IR.L2-3.6.1 – Incident Handling
IR.L2-3.6.2 – Incident Reporting
IR.L2-3.6.3 – Incident Response Testing
Maintenance (MA)
MA.L2-3.7.1 – Perform Maintenance
MA.L2-3.7.2 – System Maintenance Control
MA.L2-3.7.3 – Equipment Sanitization
Practice and Assessment Objectives | LLM Prompt | LLM Response
MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. | Sample Prompt Template | N/A
[a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. | |
More Practice Details...
MA.L2-3.7.4 – Media Inspection
Practice and Assessment Objectives | LLM Prompt | LLM Response
MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | Sample Prompt Template | N/A
[a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. | |
More Practice Details...
MA.L2-3.7.5 – Nonlocal Maintenance
Practice and Assessment Objectives | LLM Prompt | LLM Response
MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | Sample Prompt Template | N/A
[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. | Sample Prompt | Sample Response
[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. | |
More Practice Details...
MA.L2-3.7.6 – Maintenance Personnel
Practice and Assessment Objectives | LLM Prompt | LLM Response
MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. | Sample Prompt Template | N/A
[a] maintenance personnel without required access authorization are supervised during maintenance activities. | |
More Practice Details...
Media Protection (MP)
MP.L2-3.8.1 – Media Protection
MP.L2-3.8.2 – Media Access
MP.L2-3.8.3 – Media Disposal [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
MP.L2-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | Sample Prompt Template | N/A
[a] system media containing CUI is sanitized or destroyed before disposal; and | |
[b] system media containing CUI is sanitized before it is released for reuse. | |
More Practice Details...
MP.L2-3.8.4 – Media Markings
MP.L2-3.8.5 – Media Accountability
Practice and Assessment Objectives | LLM Prompt | LLM Response
MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | Sample Prompt Template | N/A
[a] access to media containing CUI is controlled. | Sample Prompt | Sample Response
[b] accountability for media containing CUI is maintained during transport outside of controlled areas. | |
More Practice Details...
MP.L2-3.8.6 – Portable Storage Encryption
Practice and Assessment Objectives | LLM Prompt | LLM Response
MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Sample Prompt Template | N/A
[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. | |
More Practice Details...
MP.L2-3.8.7 – Removable Media
MP.L2-3.8.8 – Shared Media
Practice and Assessment Objectives | LLM Prompt | LLM Response
MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. | |
[a] the use of portable storage devices is prohibited when such devices have no identifiable owner. | |
More Practice Details...
MP.L2-3.8.9 – Protect Backups
Personnel Security (PS)
PS.L2-3.9.1 – Screen Individuals
Practice and Assessment Objectives | LLM Prompt | LLM Response
PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI. | Sample Prompt Template | N/A
[a] individuals are screened prior to authorizing access to organizational systems containing CUI. | |
More Practice Details...
PS.L2-3.9.2 – Personnel Actions
Practice and Assessment Objectives | LLM Prompt | LLM Response
PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | Sample Prompt Template | N/A
[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. | Sample Prompt | Sample Response
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer. | Sample Prompt | Sample Response
[c] the system is protected during and after personnel transfer actions. | |
More Practice Details...
Physical Protection (PE)
PE.L2-3.10.1 – Limit Physical Access [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
PE.L2-3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Sample Prompt Template | N/A
[a] authorized individuals allowed physical access are identified. | Sample Prompt | Sample Response
[b] physical access to organizational systems is limited to authorized individuals. | Sample Prompt | Sample Response
[c] physical access to equipment is limited to authorized individuals; and | |
[d] physical access to operating environments is limited to authorized individuals. | |
More Practice Details...
PE.L2-3.10.2 – Monitor Facility
PE.L2-3.10.3 – Escort Visitors [CUI Data]
PE.L2-3.10.4 – Physical Access Logs [CUI Data]
PE.L2-3.10.5 – Manage Physical Access [CUI Data]
PE.L2-3.10.6 – Alternative Work Sites
Risk Assessment (RA)
RA.L2-3.11.1 – Risk Assessments
Practice and Assessment Objectives | LLM Prompt | LLM Response
RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Sample Prompt Template | N/A
[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. | Sample Prompt | Sample Response
[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. | |
More Practice Details...
RA.L2-3.11.2 – Vulnerability Scan
Practice and Assessment Objectives | LLM Prompt | LLM Response
RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Sample Prompt Template | N/A
[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined. | Sample Prompt | Sample Response
[b] vulnerability scans are performed on organizational systems with the defined frequency. | Sample Prompt | Sample Response
[c] vulnerability scans are performed on applications with the defined frequency. | Sample Prompt | Sample Response
[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified. | Sample Prompt | Sample Response
[e] vulnerability scans are performed on applications when new vulnerabilities are identified. | |
More Practice Details...
RA.L2-3.11.3 – Vulnerability Remediation
Security Assessment (CA)
CA.L2-3.12.1 – Security Control Assessment
Practice and Assessment Objectives | LLM Prompt | LLM Response
CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Sample Prompt Template | N/A
[a] the frequency of security control assessments is defined. | Sample Prompt | Sample Response
[b] security controls are assessed with the defined frequency to determine if the controls are effective in their application. | |
More Practice Details...
CA.L2-3.12.2 – Operational Plan of Action
Practice and Assessment Objectives | LLM Prompt | LLM Response
CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | Sample Prompt Template | N/A
[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified. | Sample Prompt | Sample Response
[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | Sample Prompt | Sample Response
[c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | |
More Practice Details...
CA.L2-3.12.3 – Security Control Monitoring
Practice and Assessment Objectives | LLM Prompt | LLM Response
CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Sample Prompt Template | N/A
[a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. | |
More Practice Details...
CA.L2-3.12.4 – System Security Plan
System and Communications Protection (SC)
SC.L2-3.13.1 – Boundary Protection [CUI Data]
SC.L2-3.13.2 – Security Engineering
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Sample Prompt Template | N/A
[a] architectural designs that promote effective information security are identified. | Sample Prompt | Sample Response
[b] software development techniques that promote effective information security are identified. | Sample Prompt | Sample Response
[c] systems engineering principles that promote effective information security are identified. | Sample Prompt | Sample Response
[d] identified architectural designs that promote effective information security are employed. | Sample Prompt | Sample Response
[e] identified software development techniques that promote effective information security are employed. | Sample Prompt | Sample Response
[f] identified systems engineering principles that promote effective information security are employed. | |
More Practice Details...
SC.L2-3.13.3 – Role Separation
SC.L2-3.13.4 – Shared Resource Control
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. | Sample Prompt Template | N/A
[a] unauthorized and unintended information transfer via shared system resources is prevented. | |
More Practice Details...
SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Sample Prompt Template | N/A
[a] publicly accessible system components are identified; and | |
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. | |
More Practice Details...
SC.L2-3.13.6 – Network Communication by Exception
SC.L2-3.13.7 – Split Tunneling
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | Sample Prompt Template | N/A
[a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). | |
More Practice Details...
SC.L2-3.13.8 – Data in Transit
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | Sample Prompt Template | N/A
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | Sample Prompt | Sample Response
[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. | Sample Prompt | Sample Response
[c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | |
More Practice Details...
SC.L2-3.13.9 – Connections Termination
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Sample Prompt Template | N/A
[a] a period of inactivity to terminate network connections associated with communications sessions is defined. | Sample Prompt | Sample Response
[b] network connections associated with communications sessions are terminated at the end of the sessions. | Sample Prompt | Sample Response
[c] network connections associated with communications sessions are terminated after the defined period of inactivity. | |
More Practice Details...
SC.L2-3.13.10 – Key Management
SC.L2-3.13.11 – CUI Encryption
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Sample Prompt Template | N/A
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI. | |
More Practice Details...
SC.L2-3.13.12 – Collaborative Device Control
Practice and Assessment Objectives | LLM Prompt | LLM Response
SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | Sample Prompt Template | N/A
[a] collaborative computing devices are identified. | Sample Prompt | Sample Response
[b] collaborative computing devices provide indication to users of devices in use; and | |
[c] remote activation of collaborative computing devices is prohibited. | |
More Practice Details...
SC.L2-3.13.13 – Mobile Code
SC.L2-3.13.14 – Voice over Internet Protocol
SC.L2-3.13.15 – Communications Authenticity
SC.L2-3.13.16 – Data at Rest
System and Information Integrity (SI)
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
SI.L2-3.14.2 – Malicious Code Protection [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
SI.L2-3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems. | Sample Prompt Template | N/A
[a] designated locations for malicious code protection are identified; and | |
[b] protection from malicious code at designated locations is provided. | |
More Practice Details...
SI.L2-3.14.3 – Security Alerts & Advisories
Practice and Assessment Objectives | LLM Prompt | LLM Response
SI.L2-3.14.3 Monitor system security alerts and advisories and take action in response. | Sample Prompt Template | N/A
[a] response actions to system security alerts and advisories are identified. | Sample Prompt | Sample Response
[b] system security alerts and advisories are monitored; and | |
[c] actions in response to system security alerts and advisories are taken. | |
More Practice Details...
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
SI.L2-3.14.4 Update malicious code protection mechanisms when new releases are available. | Sample Prompt Template | N/A
[a] malicious code protection mechanisms are updated when new releases are available. | |
More Practice Details...
SI.L2-3.14.5 – System & File Scanning [CUI Data]
Practice and Assessment Objectives | LLM Prompt | LLM Response
SI.L2-3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Sample Prompt Template | N/A
[a] the frequency for malicious code scans is defined. | Sample Prompt | Sample Response
[b] malicious code scans are performed with the defined frequency; and | |
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. | |
More Practice Details...
SI.L2-3.14.6 – Monitor Communications for Attacks
Practice and Assessment Objectives | LLM Prompt | LLM Response
SI.L2-3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Sample Prompt Template | N/A
[a] the system is monitored to detect attacks and indicators of potential attacks. | Sample Prompt | Sample Response
[b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Sample Prompt | Sample Response
[c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks. | |
More Practice Details...
SI.L2-3.14.7 – Identify Unauthorized Use