Lesson Topic
|
Objective
|
Objective Description
|
3D
|
4.1.1
|
1. Methods and objects for determining evidence
|
3D
|
4.1.1.A
|
- A. Examine
|
3D
|
4.1.1.B
|
- B. Interview
|
3D
|
4.1.1.C
|
- C. Test
|
3D
|
4.1.2
|
2. Adequacy and sufficiency related to Evidence around all below practices
|
3D
|
4.1.2.A
|
- A. Characteristics of acceptable Evidence
|
3D
|
4.1.2.B
|
- B. Evidence of enabling persistent and habitual application of practices
|
3D
|
4.1.2.B(1)
|
- (1) Policy
|
3D
|
4.1.2.B(2)
|
- (2) Plan
|
3D
|
4.1.2.B(3)
|
- (3) Resourcing
|
3D
|
4.1.2.B(4)
|
- (4) Communication
|
3D
|
4.1.2.B(5)
|
- (5) Training
|
3D
|
4.1.2.C
|
- C. Characterization of evidence
|
2C, 3D
|
4.1.2.C(1)
|
- (1) Validate that evidence effectively meets intent of standard
|
3D
|
4.1.2.C(2)
|
- (2) An objective and systematic examination of evidence for the purpose of providing an independent assessment of the performance of CMMC
|
5A, 6A, 7A, 8A, 9A, 10A, 11A, 12A, 13A, 14A, 15A, 16, 17A, 18A
|
4.1.3
|
3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and assessment considerations (by domain):
(at a minimum the practices listed below must be evaluated for CCA candidates)
|
A. Access Control (AC)
|
5A
|
4.1.3.A(1)
|
- (1) AC.L2-3.1.3 – Control CUI Flow
|
5A
|
4.1.3.A(1)
|
- (2) AC.L2-3.1.4 – Separation of Duties
|
5A
|
4.1.3.A(1)
|
- (3) AC.L2-3.1.5 – Least Privilege
|
5A
|
4.1.3.A(1)
|
- (4) AC.L2-3.1.6 – Non-Privileged Account Use
|
5A
|
4.1.3.A(1)
|
- (5) AC.L2-3.1.7 – Privileged Functions
|
5A
|
4.1.3.A(1)
|
- (6) AC.L2-3.1.8 – Unsuccessful Logon Attempts
|
5A
|
4.1.3.A(1)
|
- (7) AC.L2-3.1.9 – Privacy & Security Notices
|
5A
|
4.1.3.A(1)
|
- (8) AC.L2-3.1.10 – Session Lock
|
5A
|
4.1.3.A(1)
|
- (9) AC.L2-3.1.11 – Session Termination
|
5A
|
4.1.3.A(1)
|
- (10) AC.L2-3.1.12 – Control Remote Access
|
5A
|
4.1.3.A(1)
|
- (11) AC.L2-3.1.13 – Remote Access Confidentiality
|
5A
|
4.1.3.A(1)
|
- (12) AC.L2-3.1.14 – Remote Access Routing
|
5A
|
4.1.3.A(1)
|
- (13) AC.L2-3.1.15 – Privileged Remote Access
|
5A
|
4.1.3.A(1)
|
- (14) AC.L2-3.1.16 – Wireless Access Authorization
|
5A
|
4.1.3.A(1)
|
- (15) AC.L2-3.1.17 – Wireless Access Protection
|
5A
|
4.1.3.A(1)
|
- (16) AC.L2-3.1.18 – Mobile Device Connection
|
5A
|
4.1.3.A(1)
|
- (17) AC.L2-3.1.19 – Encrypt CUI on Mobile
|
5A
|
4.1.3.A(1)
|
- (18) AC.L2-3.1.21 – Portable Storage Use
|
B. Awareness & Training (AT)
|
6A
|
4.1.3.B(1)
|
- (1) AT.L2-3.2.1 – Role-Based Risk Awareness
|
6A
|
4.1.3.B(1)
|
- (2) AT.L2-3.2.2 – Role-Based Training
|
6A
|
4.1.3.B(1)
|
- (3) AT.L2-3.2.3 – Insider Threat Awareness
|
C. Audit & Accountability (AU)
|
7A
|
4.1.3.C(1)
|
- (1) AU.L2-3.3.1 – System Auditing
|
7A
|
4.1.3.C(1)
|
- (2) AU.L2-3.3.2 – User Accountability
|
7A
|
4.1.3.C(1)
|
- (3) AU.L2-3.3.3 – Event Review
|
7A
|
4.1.3.C(1)
|
- (4) AU.L2-3.3.4 – Audit Failure Alerting
|
7A
|
4.1.3.C(1)
|
- (5) AU.L2-3.3.5 – Audit Correlation
|
7A
|
4.1.3.C(1)
|
- (6) AU.L2-3.3.6 – Reduction & Reporting
|
7A
|
4.1.3.C(1)
|
- (7) AU.L2-3.3.7 – Authoritative Time Source
|
7A
|
4.1.3.C(1)
|
- (8) AU.L2-3.3.8 – Audit Protection
|
7A
|
4.1.3.C(1)
|
- (9) AU.L2-3.3.9 – Audit Management
|
D. Configuration Management (CM)
|
9A
|
4.1.3.D(1)
|
- (1) CM.L2-3.4.1 – System Baselining
|
9A
|
4.1.3.D(1)
|
- (2) CM.L2-3.4.2 – Security Configuration Enforcement
|
9A
|
4.1.3.D(1)
|
- (3) CM.L2-3.4.3 – System Change Management
|
9A
|
4.1.3.D(1)
|
- (4) CM.L2-3.4.4 – Security Impact Analysis
|
9A
|
4.1.3.D(1)
|
- (5) CM.L2-3.4.5 – Access Restrictions for Change
|
9A
|
4.1.3.D(1)
|
- (6) CM.L2-3.4.6 – Least Functionality
|
9A
|
4.1.3.D(1)
|
- (7) CM.L2-3.4.7 – Nonessential Functionality
|
9A
|
4.1.3.D(1)
|
- (8) CM.L2-3.4.8 – Application Execution Policy
|
9A
|
4.1.3.D(1)
|
- (9) CM.L2-3.4.9 – User-Installed Software
|
E. Identification & Authentication (IA)
|
10A
|
4.1.3.E(1)
|
- (1) IA.L2-3.5.3 – Multifactor Authentication
|
10A
|
4.1.3.E(1)
|
- (2) IA.L2-3.5.4 – Replay-Resistant Authentication
|
10A
|
4.1.3.E(1)
|
- (3) IA.L2-3.5.5 – Identifier Reuse
|
10A
|
4.1.3.E(1)
|
- (4) IA.L2-3.5.6 – Identifier Handling
|
10A
|
4.1.3.E(1)
|
- (5) IA.L2-3.5.7 – Password Complexity
|
10A
|
4.1.3.E(1)
|
- (6) IA.L2-3.5.8 – Password Reuse
|
10A
|
4.1.3.E(1)
|
- (7) IA.L2-3.5.9 – Temporary Passwords
|
10A
|
4.1.3.E(1)
|
- (8) IA.L2-3.5.10 – Cryptographically-Protected Passwords
|
10A
|
4.1.3.E(1)
|
- (9) IA.L2-3.5.11 – Obscure Feedback
|
F. Incident Response (IR)
|
11A
|
4.1.3.F(1)
|
- (1) IR.L2-3.6.1 – Incident Handling
|
11A
|
4.1.3.F(1)
|
- (2) IR.L2-3.6.2 – Incident Reporting
|
11A
|
4.1.3.F(1)
|
- (3) IR.L2-3.6.3 – Incident Response Testing
|
G. Maintenance (MA)
|
12A
|
4.1.3.G(1)
|
- (1) MA.L2-3.7.1 – Perform Maintenance
|
12A
|
4.1.3.G(1)
|
- (2) MA.L2-3.7.2 – System Maintenance Control
|
12A
|
4.1.3.G(1)
|
- (3) MA.L2-3.7.3 – Equipment Sanitization
|
12A
|
4.1.3.G(1)
|
- (4) MA.L2-3.7.4 – Media Inspection
|
12A
|
4.1.3.G(1)
|
- (5) MA.L2-3.7.5 – Nonlocal Maintenance
|
12A
|
4.1.3.G(1)
|
- (6) MA.L2-3.7.6 – Maintenance Personnel
|
H. Media Protection (MP)
|
13A
|
4.1.3.H(1)
|
- (1) MP.L2-3.8.1 – Media Protection
|
13A
|
4.1.3.H(1)
|
- (2) MP.L2-3.8.2 – Media Access
|
13A
|
4.1.3.H(1)
|
- (3) MP.L2-3.8.4 – Media Markings
|
13A
|
4.1.3.H(1)
|
- (4) MP.L2-3.8.5 – Media Accountability
|
13A
|
4.1.3.H(1)
|
- (5) MP.L2-3.8.6 – Portable Storage Encryption
|
13A
|
4.1.3.H(1)
|
- (6) MP.L2-3.8.7 – Removeable Media
|
13A
|
4.1.3.H(1)
|
- (7) MP.L2-3.8.8 – Shared Media
|
13A
|
4.1.3.H(1)
|
- (8) MP.L2-3.8.9 – Protect Backups
|
I. Personnel Security (PS)
|
15A
|
4.1.3.I(1)
|
- (1) PS.L2-3.9.1 – Screen Individuals
|
15A
|
4.1.3.I(1)
|
- (2) PS.L2-3.9.2 – Personnel Actions
|
J. Physical Protection (PE)
|
14A
|
4.1.3.J(1)
|
- (1) PE.L2-3.10.2 – Monitor Facility
|
14A
|
4.1.3.J(1)
|
- (2) PE.L2-3.10.6 – Alternative Work Sites
|
K. Risk Assessment (RA)
|
16A
|
4.1.3.K(1)
|
- (1) RA.L2-3.11.1 – Risk Assessments
|
16A
|
4.1.3.K(1)
|
- (2) RA.L2-3.11.2 – Vulnerability Scan
|
16A
|
4.1.3.K(1)
|
- (3) RA.L2-3.11.3 – Vulnerability Remediation
|
L. Security Assessment (CA)
|
8A
|
4.1.3.L(1)
|
- (1) CA.L2-3.12.1 – Security Control Assessment
|
8A
|
4.1.3.L(1)
|
- (2) CA.L2-3.12.2 – Plan of Action
|
8A
|
4.1.3.L(1)
|
- (3) CA.L2-3.12.3 – Security Control Monitoring
|
8A
|
4.1.3.L(1)
|
- (4) CA.L2-3.12.4 – System Security Plan
|
M. System & Communications Protection (SC)
|
17A
|
4.1.3.M(1)
|
- (1) SC.L2-3.13.2 – Security Engineering
|
17A
|
4.1.3.M(1)
|
- (2) SC.L2-3.13.3 – Role Separation
|
17A
|
4.1.3.M(1)
|
- (3) SC.L2-3.13.4 – Shared Resource Control
|
17A
|
4.1.3.M(1)
|
- (4) SC.L2-3.13.6 – Network Communication by Exception
|
17A
|
4.1.3.M(1)
|
- (5) SC.L2-3.13.7 – Split Tunneling
|
17A
|
4.1.3.M(1)
|
- (6) SC.L2-3.13.8 – Data in Transit
|
17A
|
4.1.3.M(1)
|
- (7) SC.L2-3.13.9 – Connections Termination
|
17A
|
4.1.3.M(1)
|
- (8) SC.L2-3.13.10 – Key Management
|
17A
|
4.1.3.M(1)
|
- (9) SC.L2-3.13.11 – CUI Encryption
|
17A
|
4.1.3.M(1)
|
- (10) SC.L2-3.13.12 – Collaborative Device Control
|
17A
|
4.1.3.M(1)
|
- (11) SC.L2-3.13.13 – Mobile Code
|
17A
|
4.1.3.M(1)
|
- (12) SC.L2-3.13.14 – Voice over Internet Protocol
|
17A
|
4.1.3.M(1)
|
- (13) SC.L2-3.13.15 – Communications Authenticity
|
17A
|
4.1.3.M(1)
|
- (14) SC.L2-3.13.16 – Data at Rest
|
N. System & Information Integrity (SI)
|
18A
|
4.1.3.N(1)
|
- (1) SI.L2-3.14.3 – Security Alerts & Advisories
|
18A
|
4.1.3.N(1)
|
- (2) SI.L2-3.14.6 – Monitor Communications for Attacks
|
18A
|
4.1.3.N(1)
|
- (3) SI.L2-3.14.7 – Identify Unauthorized Use
|