CCA Blueprint: Difference between revisions

From CMMC Toolkit Wiki
No edit summary
 
(26 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Source of Reference: The [https://cyberab.org/Portals/0/cmmc-ab-cca-blueprint-04-05-22-Final%20v3%20%28Public%29_1.pdf CCA blueprint] from Cybersecurity Maturity Model Certification Accreditation Body, Inc.'''
'''Source of Reference: The CCA blueprint document from [https://cyberab.org/CMMC-Ecosystem/Ecosystem-roles/Assessing-and-Certification Cybersecurity Maturity Model Certification Accreditation Body, Inc.]'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
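Review bot: the replacement "Source of Reference" line drops the only direct link to the CCA blueprint PDF (cmmc-ab-cca-blueprint-04-05-22-Final v3 (Public)) in favour of a link to the Cyber AB ecosystem-roles page, so the page no longer cites the document it transcribes; keep the document link alongside the organization link, e.g. '''Source of Reference: The [https://cyberab.org/Portals/0/cmmc-ab-cca-blueprint-04-05-22-Final%20v3%20%28Public%29_1.pdf CCA blueprint] document from [https://cyberab.org/CMMC-Ecosystem/Ecosystem-roles/Assessing-and-Certification Cybersecurity Maturity Model Certification Accreditation Body, Inc.]'''. If the PDF link was removed because it no longer resolves, say so in the edit summary (this revision has none).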
Line 24: Line 24:
== Domain 1: Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements ==
== Domain 1: Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements ==
=== Task 1. Assess the various environmental considerations of Organizations Seeking Certification (OSCs) against CMMC L2 practices. ===
=== Task 1. Assess the various environmental considerations of Organizations Seeking Certification (OSCs) against CMMC L2 practices. ===
{|class="wikitable"
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|4C
|1.1.1
|# The difference between logical (virtual) and physical locations
|-
|4C
|1.1.2
|# The difference between professional and industrial environments
|-
|4C
|1.1.3
|# Single and multi-site environmental constraints and Evidence requirements
|-
|4C
|1.1.4
|# Cloud and hybrid environment constraints and Evidence requirements
|-
|4C
|1.1.5
|# On-premises environmental constraints
|-
|4C
|1.1.6
|# Environmental exclusions for a level 2 CMMC assessment
|}
 
== Domain 2: Scoping ==
=== Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|4B
|2.1.1
|1. Categorization of CUI data in the form of Assets that are in scope:
|-
|4B
|2.1.1.A
|
:A. #1: Controlled Unclassified Information (CUI) Assets
|-
|4B
|2.1.1.A(1)
|
::(1) Process, store, or transmit CUI
|-
|4B
|2.1.1.B
|
:B. #2: Security Protection Assets
|-
|4B
|2.1.1.B(1)
|
::(1) Assets that provide security functions and capabilities to contractor’s CMMC Assessment Scope
|-
|4B
|2.1.1.C
|
:C. #3: Contractor Risked Managed Assets
|-
|4B
|2.1.1.C(1)
|
::(1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
|-
|4B
|2.1.1.D
|
:D. #4: Specialized Assets
|-
|4B
|2.1.1.D(1)
|
::(1) Assets that may/may not process, store, or transmit CUI
|-
|4B
|2.1.1.D(2)
|
::(2) Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
|-
|4B
|2.1.1.E
|
:E. #5: Out-of-Scope Assets
|-
|4B
|2.1.1.E(1)
|
|
# The difference between logical (virtual) and physical locations
::(1) Assets that cannot process, store, or transmit CUI
# The difference between professional and industrial environments
# Single and multi-site environmental constraints and Evidence requirements
# Cloud and hybrid environment constraints and Evidence requirements
# On-premises environmental constraints
# Environmental exclusions for a level 2 CMMC assessment
|}
|}


Domain 2: Scoping
=== Task 2. Given a scenario, analyze the CMMC Assessment Scope based on the predetermined CUI categories within the CMMC Level 2 Assessment Scoping Guide. ===
 
{|class="wikitable" style="width: 85%;"
Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as
|-
they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC
! style="width: 10%"|Lesson Topic
Level 2 Assessment Scoping Guide.
! style="width: 10%"|Objective
 
! style="width: 80%"|Objective Description
1. Categorization of CUI data in the form of Assets that are in scope:
|-
A. #1: Controlled Unclassified Information (CUI) Assets
|4B
(1) Process, store, or transmit CUI
|2.2.1
 
|1. CMMC assessment asset categories (In-scope)
 
|-
 
|4B
B. #2: Security Protection Assets
|2.2.1.A
(1) Assets that provide security functions and capabilities to contractor’s
|
CMMC Assessment Scope
:A. CUI Assets
 
|-
 
|4B
 
|2.2.1.B
C. #3: Contractor Risked Managed Assets
|
(1) Assets that can, but are not intended to, process, store, or transmit CUI
:B. Security Protection Assets
because of security policy, procedures, and practices in place
|-
 
|4B
 
|2.2.1.C
 
|
D. #4: Specialized Assets
:C. Contractor Risked Managed Assets
(1) Assets that may/may not process, store, or transmit CUI
|-
(2) Assets include government property, Internet of Things (IoT) devices,
|4B
Operational Technology (OT), Restricted Information Systems, and test
|2.2.1.D
Equipment
|
 
:D. Specialized Assets
 
|-
 
|4B
E. #5: Out-of-Scope Assets
|2.2.2
(1) Assets that cannot process, store, or transmit CUI
|2. CMMC assessment asset categories (Out-of-scope)
 
|-
 
|4A
 
|2.2.3
 
|3. Separation Techniques
 
|-
 
|4A
 
|2.2.3.A
 
|
 
:A. Logical separation
 
|-
Task 2. Given a scenario, analyze the CMMC Assessment Scope based on the predetermined CUI
|4A
categories within the CMMC Level 2 Assessment Scoping Guide.
|2.2.3.A(1)
 
|
1. CMMC assessment asset categories (In-scope)
::(1) Firewalls; and
A. CUI Assets
|-
B. Security Protection Assets
|4A
C. Contractor Risked Managed Assets
|2.2.3.A(2)
D. Specialized Assets
|
 
::(2) Virtual Local Area Network (VLANs)
 
|-
 
|4A
2. CMMC assessment asset categories (Out-of-scope)
|2.2.3.B
3. Separation Techniques
|
A. Logical separation
:B. Physical separation
(1) Firewalls; and
|-
(2) Virtual Local Area Network (VLANs)
|4A
 
|2.2.3.B(1)
 
|
 
::(1) Gates;
B. Physical separation
|-
(1) gates;
|4A
(2) locks;
|2.2.3.B(2)
(3) badge access; and
|
(4) guards
::(2) Locks;
 
|-
 
|4A
 
|2.2.3.B(3)
 
|
 
::(3) Badge access; and
 
|-
 
|4A
 
|2.2.3.B(4)
 
|
 
::(4) Guards
|}
Task 3. Evaluate CMMC assessment scope considerations based on the CMMC Level 2 Assessment
Scoping Guide.
 
1. FCI and CUI within the same Assessment Scope:
A. Contractor defines FCI/CUI assets (In-scope), CMMC Assessor certifies implementation
of Level 1 & 2 practices.
 
 
 
2. FCI and CUI NOT within the same Assessment Scope:
A. Contractor defines Self-Assessment of FCI assets (In-scope)
B. Contractor defines CUI assets (In-scope), CMMC Assessor certifies implementation of
Level 1 & 2 practices
 
 
 
3. External Services Providers
A. Evaluation of responsibility matrix
B. Non-Duplication
C. Agreements, Service-Level Agreements (SLAs)
 
 
 
 
 
 
 
 
 
 
 
 
 
Domain 3: CMMC Assessment Process (CAP) v5.X
 
Task 1. Given a scenario, apply the appropriate phases and steps to plan, prepare, conduct, and report
on a CMMC Level 2 Assessment.
 
1. Phase 1—Plan and Prepare Assessments:
a. Analyze requirements
b. Develop assessment plan
c. Verify readiness to conduct assessment
 
 
 
2. Phase 2—Conduct assessment:
a. Collect and examine evidence
b. Score Practices and validate preliminary results
c. Generate final recommended assessment results
 
 
 
 
 
 
 
3. Phase 3—Report recommended assessment results:
a. Deliver recommended assessment results
 
 
 
 
 
 
 
 
 
 
 
 
 
Domain 4: CMMC Levels 2 Practices
 
Task 1. Identify evidence verification/validation methods and objects for Practices based on the
CMMC Level 2 Assessment Guide and CMMC Assessment Process (CAP) documentation.
 
1. Methods and objects for determining evidence
A. Examine
B. Interview
C. Test
 
 
 
 
2. Adequacy and sufficiency related to evidence around all below practices
A. Characteristics of acceptable evidence
B. Evidence of enabling persistent and habitual application of practices
(1) Policy
(2) Plan
(3) Resourcing
(4) Communication
(5) Training
 
 
 
C. Characterization of evidence
(1) Validate that evidence effectively meets intent of standard
(2) An objective and systematic examination of evidence for the purpose of
providing an independent assessment of the performance of CMMC
 
 
 
 
3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and
assessment considerations (by domain):
A. Access Control (AC)
(1) AC.L2-3.1.3 – Control CUI Flow
(2) AC.L2-3.1.4 – Separation of Duties
(3) AC.L2-3.1.5 – Least Privilege
(4) AC.L2-3.1.6 – Non-Privileged Account Use
(5) AC.L2-3.1.7 – Privileged Functions
(6) AC.L2-3.1.8 – Unsuccessful Logon Attempts
(7) AC.L2-3.1.9 – Privacy & Security Notices
(8) AC.L2-3.1.10 – Session Lock
(9) AC.L2-3.1.11 – Session Termination
(10) AC.L2-3.1.12 – Control Remote Access
(11) AC.L2-3.1.13 – Remote Access Confidentiality
(12) AC.L2-3.1.14 – Remote Access Routing
(13) AC.L2-3.1.15 – Privileged Remote Access
(14) AC.L2-3.1.16 – Wireless Access Authorization
(15) AC.L2-3.1.17 – Wireless Access Protection
(16) AC.L2-3.1.18 – Mobile Device Connection
(17) AC.L2-3.1.19 – Encrypt CUI on Mobile
 
 
 
 
 


=== Task 3. Evaluate CMMC assessment scope considerations based on the CMMC Level 2 Assessment Scoping Guide. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|4E
|2.3.1
|1. FCI and CUI within the same Assessment Scope:
|-
|4E
|2.3.1.A
|
:A. Contractor defines FCI/CUI assets (In-scope)
|-
|4E
|2.3.1.B
|
:B. CMMC Assessor certifies implementation of Level 1 & 2 practices
|-
|4E
|2.3.2
|2. FCI and CUI NOT within the same Assessment Scope:
|-
|4E
|2.3.2.A
|
:A. Contractor defines Self-Assessment of FCI assets (In-scope)
|-
|4E
|2.3.2.B
|
:B. Contractor defines CUI assets (In-scope), CMMC Assessor certifies implementation of Level 1 & 2 practices
|-
|-
|4C, 4D
|2.3.3
|3. External Services Providers
|-
|4D
|2.3.3.A
|
:A. Evaluation of responsibility matrix
|-
|2C, 4E
|2.3.3.B
|
:B. Non-Duplication
|-
|4D
|2.3.3.C
|
:C. Agreements, Service-Level Agreements (SLAs)
|}


== Domain 3: CMMC Assessment Process (CAP) v5.X ==
=== Task 1. Given a scenario, apply the appropriate phases and steps to plan, prepare, conduct, and report on a CMMC Level 2 Assessment. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|3A, 3B, 3C
|3.1.1
|1. Phase 1 - Plan and Prepare Assessments:
|-
|3B
|3.1.1.A
|
:A. Analyze requirements
|-
|3C
|3.1.1.B
|
:B. Develop Assessment plan
|-
|3B
|3.1.1.C
|
:C. Verify readiness to conduct assessment
|-
|3A, 3D
|3.1.2
|2. Phase 2 - Conduct assessment:
|-
|3D
|3.1.2.A
|
:a. Collect and examine Evidence
|-
|3D
|3.1.2.B
|
:b. Score practices and validate preliminary results
|-
|3D
|3.1.2.C
|
:c. Generate final recommended Assessment Results
|-
|3A
|3.1.3
|3. Phase 3 - Report Recommended Assessment Results:
|-
|3F
|3.1.3.A
|
:a. Deliver Recommended Assessment Results
|}


== Domain 4: CMMC Levels 2 Practices ==
=== Task 1. Identify evidence verification/validation methods and objects for Practices based on the CMMC Level 2 Assessment Guide and CMMC Assessment Process (CAP) documentation. ===
{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
|3D
|4.1.1
|1. Methods and objects for determining evidence
|-
|3D
|4.1.1.A
|
:A. Examine
|-
|3D
|4.1.1.B
|
:B. Interview
|-
|3D
|4.1.1.C
|
:C. Test
|-
|3D
|4.1.2
|2. Adequacy and sufficiency related to Evidence around all below practices
|-
|3D
|4.1.2.A
|
:A. Characteristics of acceptable Evidence
|-
|3D
|4.1.2.B
|
:B. Evidence of enabling persistent and habitual application of practices
|-
|3D
|4.1.2.B(1)
|
::(1) Policy
|-
|3D
|4.1.2.B(2)
|
::(2) Plan
|-
|3D
|4.1.2.B(3)
|
::(3) Resourcing
|-
|3D
|4.1.2.B(4)
|
::(4) Communication
|-
|3D
|4.1.2.B(5)
|
::(5) Training
|-
|3D
|4.1.2.C
|
:C. Characterization of evidence
|-
|2C, 3D
|4.1.2.C(1)
|
::(1) Validate that evidence effectively meets intent of standard
|-
|3D
|4.1.2.C(2)
|
::(2) An objective and systematic examination of evidence for the purpose of providing an independent assessment of the performance of CMMC
|-
|5A, 6A, 7A, 8A, 9A, 10A, 11A, 12A, 13A, 14A, 15A, 16, 17A, 18A
|4.1.3
|3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and assessment considerations (by domain):
(at a minimum the practices listed below must be evaluated for CCA candidates)
(at a minimum the practices listed below must be evaluated for CCA candidates)
 
|-
|5A, 5B
(18) AC.L2-3.1.21 Portable Storage Use
|4.1.3.A
 
|A. Access Control (AC)
 
|-
 
|5A
B. Awareness & Training (AT)
|4.1.3.A(1)
(1) AT.L2-3.2.1 Role-Based Risk Awareness
|
(2) AT.L2-3.2.2 – Role-Based Training
:(1) AC.L2-3.1.3 Control CUI Flow
(3) AT.L2-3.2.3 Insider Threat Awareness
|-
 
|5A
 
|4.1.3.A(2)
 
|
C. Audit & Accountability (AU)
:(2) AC.L2-3.1.4 Separation of Duties
(1) AU.L2-3.3.1 System Auditing
|-
(2) AU.L2-3.3.2 – User Accountability
|5A
(3) AU.L2-3.3.3 Event Review
|4.1.3.A(3)
(4) AU.L2-3.3.4 – Audit Failure Alerting
|
(5) AU.L2-3.3.5 Audit Correlation
:(3) AC.L2-3.1.5 Least Privilege
(6) AU.L2-3.3.6 – Reduction & Reporting
|-
(7) AU.L2-3.3.7 Authoritative Time Source
|5A
(8) AU.L2-3.3.8 – Audit Protection
|4.1.3.A(4)
(9) AU.L2-3.3.9 Audit Management
|
 
:(4) AC.L2-3.1.6 Non-Privileged Account Use
 
|-
 
|5A
D. Configuration Management (CM)
|4.1.3.A(5)
(1) CM.L2-3.4.1 – System Baselining
|
(2) CM.L2-3.4.2 Security Configuration Enforcement
:(5) AC.L2-3.1.7 Privileged Functions
(3) CM.L2-3.4.3 – System Change Management
|-
(4) CM.L2-3.4.4 – Security Impact Analysis
|5A
(5) CM.L2-3.4.5 – Access Restrictions for Change
|4.1.3.A(6)
(6) CM.L2-3.4.6 – Least Functionality
|
(7) CM.L2-3.4.7 Nonessential Functionality
:(6) AC.L2-3.1.8 Unsuccessful Logon Attempts
(8) CM.L2-3.4.8 – Application Execution Policy
|-
(9) CM.L2-3.4.9 User-Installed Software
|5A
 
|4.1.3.A(7)
 
|
 
:(7) AC.L2-3.1.9 Privacy & Security Notices
E. Identification & Authentication (IA)
|-
(1) IA.L2-3.5.3 Multifactor Authentication
|5A
(2) IA.L2-3.5.4 – Replay-Resistant Authentication
|4.1.3.A(8)
(3) IA.L2-3.5.5 Identifier Reuse
|
(4) IA.L2-3.5.6 – Identifier Handling
:(8) AC.L2-3.1.10 Session Lock
(5) IA.L2-3.5.7 Password Complexity
|-
(6) IA.L2-3.5.8 – Password Reuse
|5A
(7) IA.L2-3.5.9 Temporary Passwords
|4.1.3.A(9)
(8) IA.L2-3.5.10 – Cryptographically-Protected Passwords
|
(9) IA.L2-3.5.11 Obscure Feedback
:(9) AC.L2-3.1.11 – Session Termination
 
|-
 
|5A
 
|4.1.3.A(10)
 
|
 
:(10) AC.L2-3.1.12 Control Remote Access
 
|-
 
|5A
 
|4.1.3.A(11)
 
|
 
:(11) AC.L2-3.1.13 – Remote Access Confidentiality
|-
F. Incident Response (IR)
|5A
(1) IR.L2-3.6.1 Incident Handling
|4.1.3.A(12)
(2) IR.L2-3.6.2 – Incident Reporting
|
(3) IR.L2-3.6.3 – Incident Response Testing
:(12) AC.L2-3.1.14 Remote Access Routing
 
|-
 
|5A
 
|4.1.3.A(13)
G. Maintenance (MA)
|
(1) MA.L2-3.7.1 – Perform Maintenance
:(13) AC.L2-3.1.15 Privileged Remote Access
(2) MA.L2-3.7.2 – System Maintenance Control
|-
(3) MA.L2-3.7.3 – Equipment Sanitization
|5A
(4) MA.L2-3.7.4 Media Inspection
|4.1.3.A(14)
(5) MA.L2-3.7.5 – Nonlocal Maintenance
|
(6) MA.L2-3.7.6 Maintenance Personnel
:(14) AC.L2-3.1.16 Wireless Access Authorization
 
|-
 
|5A
 
|4.1.3.A(15)
H. Media Protection (MP)
|
(1) MP.L2-3.8.1 Media Protection
:(15) AC.L2-3.1.17 Wireless Access Protection
(2) MP.L2-3.8.2 – Media Access
|-
(3) MP.L2-3.8.4 Media Markings
|5A
(4) MP.L2-3.8.5 – Media Accountability
|4.1.3.A(16)
(5) MP.L2-3.8.6 – Portable Storage Encryption
|
(6) MP.L2-3.8.7 – Removeable Media
:(16) AC.L2-3.1.18 Mobile Device Connection
(7) MP.L2-3.8.8 Shared Media
|-
(8) MP.L2-3.8.9 – Protect Backups
|5A
 
|4.1.3.A(17)
 
|
 
:(17) AC.L2-3.1.19 Encrypt CUI on Mobile
I. Personnel Security (PS)
|-
(1) PS.L2-3.9.1 Screen Individuals
|5A
(2) PS.L2-3.9.2 Personnel Actions
|4.1.3.A(18)
 
|
 
:(18) AC.L2-3.1.21 Portable Storage Use
 
|-
J. Physical Protection (PE)
|6A, 6B
(1) PE.L2-3.10.2 – Monitor Facility
|4.1.3.B
(2) PE.L2-3.10.6 Alternative Work Sites
|B. Awareness & Training (AT)
 
|-
 
|6A
 
|4.1.3.B(1)
K. Risk Assessment (RA)
|
(1) RA.L2-3.11.1 Risk Assessments
:(1) AT.L2-3.2.1 Role-Based Risk Awareness
(2) RA.L2-3.11.2 – Vulnerability Scan
|-
(3) RA.L2-3.11.3 Vulnerability Remediation
|6A
 
|4.1.3.B(2)
 
|
 
:(2) AT.L2-3.2.2 Role-Based Training
L. Security Assessment (CA)
|-
(1) CA.L2-3.12.1 Security Control Assessment
|6A
(2) CA.L2-3.12.2 – Plan of Action
|4.1.3.B(3)
(3) CA.L2-3.12.3 Security Control Monitoring
|
(4) CA.L2-3.12.4 System Security Plan
:(3) AT.L2-3.2.3 – Insider Threat Awareness
 
|-
 
|7A, 7B
 
|4.1.3.C
 
|C. Audit & Accountability (AU)
 
|-
 
|7A
 
|4.1.3.C(1)
 
|
 
:(1) AU.L2-3.3.1 – System Auditing
 
|-
|7A
M. System & Communications Protection (SC)
|4.1.3.C(2)
(1) SC.L2-3.13.2 Security Engineering
|
(2) SC.L2-3.13.3 – Role Separation
:(2) AU.L2-3.3.2 User Accountability
(3) SC.L2-3.13.4 Shared Resource Control
|-
(4) SC.L2-3.13.6 – Network Communication by Exception
|7A
(5) SC.L2-3.13.7 – Split Tunneling
|4.1.3.C(3)
(6) SC.L2-3.13.8 Data in Transit
|
(7) SC.L2-3.13.9 – Connections Termination
:(3) AU.L2-3.3.3 Event Review
(8) SC.L2-3.13.10 Key Management
|-
(9) SC.L2-3.13.11 CUI Encryption
|7A
(10) SC.L2-3.13.12 – Collaborative Device Control
|4.1.3.C(4)
(11) SC.L2-3.13.13 Mobile Code
|
(12) SC.L2-3.13.14 Voice over Internet Protocol
:(4) AU.L2-3.3.4 Audit Failure Alerting
(13) SC.L2-3.13.15 – Communications Authenticity
|-
(14) SC.L2-3.13.16 Data at Rest
|7A
 
|4.1.3.C(5)
 
|
 
:(5) AU.L2-3.3.5 Audit Correlation
N. System & Information Integrity (SI)
|-
(1) SI.L2-3.14.3 – Security Alerts & Advisories
|7A
(2) SI.L2-3.14.6 Monitor Communications for Attacks
|4.1.3.C(6)
(3) SI.L2-3.14.7 Identify Unauthorized Use
|
:(6) AU.L2-3.3.6 – Reduction & Reporting
|-
|7A
|4.1.3.C(7)
|
:(7) AU.L2-3.3.7 Authoritative Time Source
|-
|7A
|4.1.3.C(8)
|
:(8) AU.L2-3.3.8 Audit Protection
|-
|7A
|4.1.3.C(9)
|
:(9) AU.L2-3.3.9 – Audit Management
|-
|9A, 9B
|4.1.3.D
|D. Configuration Management (CM)
|-
|9A
|4.1.3.D(1)
|
:(1) CM.L2-3.4.1 – System Baselining
|-
|9A
|4.1.3.D(2)
|
:(2) CM.L2-3.4.2 Security Configuration Enforcement
|-
|9A
|4.1.3.D(3)
|
:(3) CM.L2-3.4.3 System Change Management
|-
|9A
|4.1.3.D(4)
|
:(4) CM.L2-3.4.4 Security Impact Analysis
|-
|9A
|4.1.3.D(5)
|
:(5) CM.L2-3.4.5 Access Restrictions for Change
|-
|9A
|4.1.3.D(6)
|
:(6) CM.L2-3.4.6 Least Functionality
|-
|9A
|4.1.3.D(7)
|
:(7) CM.L2-3.4.7 Nonessential Functionality
|-
|9A
|4.1.3.D(8)
|
:(8) CM.L2-3.4.8 Application Execution Policy
|-
|9A
|4.1.3.D(9)
|
:(9) CM.L2-3.4.9 User-Installed Software
|-
|10A, 10B
|4.1.3.E
|E. Identification & Authentication (IA)
|-
|10A
|4.1.3.E(1)
|
:(1) IA.L2-3.5.3 Multifactor Authentication
|-
|10A
|4.1.3.E(2)
|
:(2) IA.L2-3.5.4 Replay-Resistant Authentication
|-
|10A
|4.1.3.E(3)
|
:(3) IA.L2-3.5.5 Identifier Reuse
|-
|10A
|4.1.3.E(4)
|
:(4) IA.L2-3.5.6 Identifier Handling
|-
|10A
|4.1.3.E(5)
|
:(5) IA.L2-3.5.7 Password Complexity
|-
|10A
|4.1.3.E(6)
|
:(6) IA.L2-3.5.8 Password Reuse
|-
|10A
|4.1.3.E(7)
|
:(7) IA.L2-3.5.9 – Temporary Passwords
|-
|10A
|4.1.3.E(8)
|
:(8) IA.L2-3.5.10 Cryptographically-Protected Passwords
|-
|10A
|4.1.3.E(9)
|
:(9) IA.L2-3.5.11 Obscure Feedback
|-
|11A, 11B
|4.1.3.F
|F. Incident Response (IR)
|-
|11A
|4.1.3.F(1)
|
:(1) IR.L2-3.6.1 – Incident Handling
|-
|11A
|4.1.3.F(2)
|
:(2) IR.L2-3.6.2 – Incident Reporting
|-
|11A
|4.1.3.F(3)
|
:(3) IR.L2-3.6.3 – Incident Response Testing
|-
|12A, 12B
|4.1.3.G
|G. Maintenance (MA)
|-
|12A
|4.1.3.G(1)
|
:(1) MA.L2-3.7.1 – Perform Maintenance
|-
|12A
|4.1.3.G(2)
|
:(2) MA.L2-3.7.2 – System Maintenance Control
|-
|12A
|4.1.3.G(3)
|
:(3) MA.L2-3.7.3 – Equipment Sanitization
|-
|12A
|4.1.3.G(4)
|
:(4) MA.L2-3.7.4 – Media Inspection
|-
|12A
|4.1.3.G(5)
|
:(5) MA.L2-3.7.5 – Nonlocal Maintenance
|-
|12A
|4.1.3.G(6)
|
:(6) MA.L2-3.7.6 – Maintenance Personnel
|-
|13A, 13B
|4.1.3.H
|H. Media Protection (MP)
|-
|13A
|4.1.3.H(1)
|
:(1) MP.L2-3.8.1 – Media Protection
|-
|13A
|4.1.3.H(2)
|
:(2) MP.L2-3.8.2 – Media Access
|-
|13A
|4.1.3.H(3)
|
:(3) MP.L2-3.8.4 – Media Markings
|-
|13A
|4.1.3.H(4)
|
:(4) MP.L2-3.8.5 – Media Accountability
|-
|13A
|4.1.3.H(5)
|
:(5) MP.L2-3.8.6 – Portable Storage Encryption
|-
|13A
|4.1.3.H(6)
|
:(6) MP.L2-3.8.7 – Removeable Media
|-
|13A
|4.1.3.H(7)
|
:(7) MP.L2-3.8.8 – Shared Media
|-
|13A
|4.1.3.H(8)
|
:(8) MP.L2-3.8.9 – Protect Backups
|-
|15A, 15B
|4.1.3.I
|I. Personnel Security (PS)
|-
|15A
|4.1.3.I(1)
|
:(1) PS.L2-3.9.1 – Screen Individuals
|-
|15A
|4.1.3.I(2)
|
:(2) PS.L2-3.9.2 – Personnel Actions
|-
|14A, 14B
|4.1.3.J
|J. Physical Protection (PE)
|-
|14A
|4.1.3.J(1)
|
:(1) PE.L2-3.10.2 – Monitor Facility
|-
|14A
|4.1.3.J(2)
|
:(2) PE.L2-3.10.6 – Alternative Work Sites
|-
|16A, 16B
|4.1.3.K
|K. Risk Assessment (RA)
|-
|16A
|4.1.3.K(1)
|
:(1) RA.L2-3.11.1 – Risk Assessments
|-
|16A
|4.1.3.K(2)
|
:(2) RA.L2-3.11.2 – Vulnerability Scan
|-
|16A
|4.1.3.K(3)
|
:(3) RA.L2-3.11.3 – Vulnerability Remediation
|-
|8A, 8B
|4.1.3.L
|L. Security Assessment (CA)
|-
|8A
|4.1.3.L(1)
|
:(1) CA.L2-3.12.1 – Security Control Assessment
|-
|8A
|4.1.3.L(2)
|
:(2) CA.L2-3.12.2 – Plan of Action
|-
|8A
|4.1.3.L(3)
|
:(3) CA.L2-3.12.3 – Security Control Monitoring
|-
|8A
|4.1.3.L(4)
|
:(4) CA.L2-3.12.4 – System Security Plan
|-
|17A, 17B
|4.1.3.M
|M. System & Communications Protection (SC)
|-
|17A
|4.1.3.M(1)
|
:(1) SC.L2-3.13.2 – Security Engineering
|-
|17A
|4.1.3.M(2)
|
:(2) SC.L2-3.13.3 – Role Separation
|-
|17A
|4.1.3.M(3)
|
:(3) SC.L2-3.13.4 – Shared Resource Control
|-
|17A
|4.1.3.M(4)
|
:(4) SC.L2-3.13.6 – Network Communication by Exception
|-
|17A
|4.1.3.M(5)
|
:(5) SC.L2-3.13.7 – Split Tunneling
|-
|17A
|4.1.3.M(6)
|
:(6) SC.L2-3.13.8 – Data in Transit
|-
|17A
|4.1.3.M(7)
|
:(7) SC.L2-3.13.9 – Connections Termination
|-
|17A
|4.1.3.M(8)
|
:(8) SC.L2-3.13.10 – Key Management
|-
|17A
|4.1.3.M(9)
|
:(9) SC.L2-3.13.11 – CUI Encryption
|-
|17A
|4.1.3.M(10)
|
:(10) SC.L2-3.13.12 – Collaborative Device Control
|-
|17A
|4.1.3.M(11)
|
:(11) SC.L2-3.13.13 – Mobile Code
|-
|17A
|4.1.3.M(12)
|
:(12) SC.L2-3.13.14 – Voice over Internet Protocol
|-
|17A
|4.1.3.M(13)
|
:(13) SC.L2-3.13.15 – Communications Authenticity
|-
|17A
|4.1.3.M(14)
|
:(14) SC.L2-3.13.16 – Data at Rest
|-
|18A, 18B
|4.1.3.N
|N. System & Information Integrity (SI)
|-
|18A
|4.1.3.N(1)
|
:(1) SI.L2-3.14.3 – Security Alerts & Advisories
|-
|18A
|4.1.3.N(2)
|
:(2) SI.L2-3.14.6 – Monitor Communications for Attacks
|-
|18A
|4.1.3.N(3)
|
:(3) SI.L2-3.14.7 – Identify Unauthorized Use
|}
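Review bot: the lesson-topic cell for objective 4.1.3 lists a bare "16" where every other entry carries a letter suffix (the 4.1.3.K rows use 16A and 16B), so it should read 16A or 16A, 16B like its siblings; in the same hunk the Domain 3 table switches from "A./B./C." for the Phase 1 steps to "a./b./c." for the Phase 2 and Phase 3 steps while every other table uses upper-case letters, and the Domain 2 Task 3 table shows two consecutive |- separators between the 2.3.2.B row and the 2.3.3 row, which renders as an empty row if it is really in the source rather than a diff-display artifact. Minor spelling while here: "Contractor Risked Managed Assets" and "Removeable Media" should be "Contractor Risk Managed Assets" and "Removable Media".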

Latest revision as of 23:14, 8 May 2023

Source of Reference: The CCA blueprint document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

== Domains ==

Upon successful completion of this exam, the candidate will be able to apply skills and knowledge to the below domains:

{|class="wikitable" style="width: 85%;"
|-
! style="width: 80%"|Domain
! style="width: 20%"|Exam Weight
|-
| 1. Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirement || 15%
|-
| 2. CMMC Level 2 Assessment Scoping || 20%
|-
| 3. CMMC Assessment Process (CAP) || 25%
|-
| 4. Assessing CMMC Level 2 Practices || 40%
|}

== Domain 1: Evaluating Organizations Seeking Certification (OSC) against CMMC Level 2 requirements ==

=== Task 1. Assess the various environmental considerations of Organizations Seeking Certification (OSCs) against CMMC L2 practices. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 4C || 1.1.1 || The difference between logical (virtual) and physical locations
|-
| 4C || 1.1.2 || The difference between professional and industrial environments
|-
| 4C || 1.1.3 || Single and multi-site environmental constraints and Evidence requirements
|-
| 4C || 1.1.4 || Cloud and hybrid environment constraints and Evidence requirements
|-
| 4C || 1.1.5 || On-premises environmental constraints
|-
| 4C || 1.1.6 || Environmental exclusions for a level 2 CMMC assessment
|}

== Domain 2: Scoping ==

=== Task 1. Analyze the CMMC Assessment Scope of Controlled Unclassified Information (CUI) Assets as they pertain to a CMMC assessment using the five categories of CUI assets as defined in the CMMC Level 2 Assessment Scoping Guide. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 4B || 2.1.1 || 1. Categorization of CUI data in the form of Assets that are in scope:
|-
| 4B || 2.1.1.A || A. #1: Controlled Unclassified Information (CUI) Assets
|-
| 4B || 2.1.1.A(1) || (1) Process, store, or transmit CUI
|-
| 4B || 2.1.1.B || B. #2: Security Protection Assets
|-
| 4B || 2.1.1.B(1) || (1) Assets that provide security functions and capabilities to the contractor’s CMMC Assessment Scope
|-
| 4B || 2.1.1.C || C. #3: Contractor Risk Managed Assets
|-
| 4B || 2.1.1.C(1) || (1) Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
|-
| 4B || 2.1.1.D || D. #4: Specialized Assets
|-
| 4B || 2.1.1.D(1) || (1) Assets that may/may not process, store, or transmit CUI
|-
| 4B || 2.1.1.D(2) || (2) Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
|-
| 4B || 2.1.1.E || E. #5: Out-of-Scope Assets
|-
| 4B || 2.1.1.E(1) || (1) Assets that cannot process, store, or transmit CUI
|}

=== Task 2. Given a scenario, analyze the CMMC Assessment Scope based on the predetermined CUI categories within the CMMC Level 2 Assessment Scoping Guide. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 4B || 2.2.1 || 1. CMMC assessment asset categories (In-scope)
|-
| 4B || 2.2.1.A || A. CUI Assets
|-
| 4B || 2.2.1.B || B. Security Protection Assets
|-
| 4B || 2.2.1.C || C. Contractor Risk Managed Assets
|-
| 4B || 2.2.1.D || D. Specialized Assets
|-
| 4B || 2.2.2 || 2. CMMC assessment asset categories (Out-of-scope)
|-
| 4A || 2.2.3 || 3. Separation Techniques
|-
| 4A || 2.2.3.A || A. Logical separation
|-
| 4A || 2.2.3.A(1) || (1) Firewalls; and
|-
| 4A || 2.2.3.A(2) || (2) Virtual Local Area Networks (VLANs)
|-
| 4A || 2.2.3.B || B. Physical separation
|-
| 4A || 2.2.3.B(1) || (1) Gates;
|-
| 4A || 2.2.3.B(2) || (2) Locks;
|-
| 4A || 2.2.3.B(3) || (3) Badge access; and
|-
| 4A || 2.2.3.B(4) || (4) Guards
|}

=== Task 3. Evaluate CMMC assessment scope considerations based on the CMMC Level 2 Assessment Scoping Guide. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 4E || 2.3.1 || 1. FCI and CUI within the same Assessment Scope:
|-
| 4E || 2.3.1.A || A. Contractor defines FCI/CUI assets (In-scope)
|-
| 4E || 2.3.1.B || B. CMMC Assessor certifies implementation of Level 1 & 2 practices
|-
| 4E || 2.3.2 || 2. FCI and CUI NOT within the same Assessment Scope:
|-
| 4E || 2.3.2.A || A. Contractor defines Self-Assessment of FCI assets (In-scope)
|-
| 4E || 2.3.2.B || B. Contractor defines CUI assets (In-scope), CMMC Assessor certifies implementation of Level 1 & 2 practices
|-
| 4C, 4D || 2.3.3 || 3. External Service Providers
|-
| 4D || 2.3.3.A || A. Evaluation of responsibility matrix
|-
| 2C, 4E || 2.3.3.B || B. Non-Duplication
|-
| 4D || 2.3.3.C || C. Agreements, Service-Level Agreements (SLAs)
|}

== Domain 3: CMMC Assessment Process (CAP) v5.X ==

=== Task 1. Given a scenario, apply the appropriate phases and steps to plan, prepare, conduct, and report on a CMMC Level 2 Assessment. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 3A, 3B, 3C || 3.1.1 || 1. Phase 1 - Plan and Prepare Assessments:
|-
| 3B || 3.1.1.A || A. Analyze requirements
|-
| 3C || 3.1.1.B || B. Develop Assessment plan
|-
| 3B || 3.1.1.C || C. Verify readiness to conduct assessment
|-
| 3A, 3D || 3.1.2 || 2. Phase 2 - Conduct assessment:
|-
| 3D || 3.1.2.A || A. Collect and examine Evidence
|-
| 3D || 3.1.2.B || B. Score practices and validate preliminary results
|-
| 3D || 3.1.2.C || C. Generate final recommended Assessment Results
|-
| 3A || 3.1.3 || 3. Phase 3 - Report Recommended Assessment Results:
|-
| 3F || 3.1.3.A || A. Deliver Recommended Assessment Results
|}

== Domain 4: CMMC Level 2 Practices ==

=== Task 1. Identify evidence verification/validation methods and objects for Practices based on the CMMC Level 2 Assessment Guide and CMMC Assessment Process (CAP) documentation. ===

{|class="wikitable" style="width: 85%;"
|-
! style="width: 10%"|Lesson Topic
! style="width: 10%"|Objective
! style="width: 80%"|Objective Description
|-
| 3D || 4.1.1 || 1. Methods and objects for determining evidence
|-
| 3D || 4.1.1.A || A. Examine
|-
| 3D || 4.1.1.B || B. Interview
|-
| 3D || 4.1.1.C || C. Test
|-
| 3D || 4.1.2 || 2. Adequacy and sufficiency related to Evidence around all below practices
|-
| 3D || 4.1.2.A || A. Characteristics of acceptable Evidence
|-
| 3D || 4.1.2.B || B. Evidence of enabling persistent and habitual application of practices
|-
| 3D || 4.1.2.B(1) || (1) Policy
|-
| 3D || 4.1.2.B(2) || (2) Plan
|-
| 3D || 4.1.2.B(3) || (3) Resourcing
|-
| 3D || 4.1.2.B(4) || (4) Communication
|-
| 3D || 4.1.2.B(5) || (5) Training
|-
| 3D || 4.1.2.C || C. Characterization of evidence
|-
| 2C, 3D || 4.1.2.C(1) || (1) Validate that evidence effectively meets the intent of the standard
|-
| 3D || 4.1.2.C(2) || (2) An objective and systematic examination of evidence for the purpose of providing an independent assessment of the performance of CMMC
|-
| 5A, 6A, 7A, 8A, 9A, 10A, 11A, 12A, 13A, 14A, 15A, 16, 17A, 18A || 4.1.3 || 3. CMMC Level 2 Assessment Practice objectives including potential methods, objects, and assessment considerations (by domain): (at a minimum the practices listed below must be evaluated for CCA candidates)
|-
| 5A, 5B || 4.1.3.A || A. Access Control (AC)
|-
| 5A || 4.1.3.A(1) || (1) AC.L2-3.1.3 – Control CUI Flow
|-
| 5A || 4.1.3.A(2) || (2) AC.L2-3.1.4 – Separation of Duties
|-
| 5A || 4.1.3.A(3) || (3) AC.L2-3.1.5 – Least Privilege
|-
| 5A || 4.1.3.A(4) || (4) AC.L2-3.1.6 – Non-Privileged Account Use
|-
| 5A || 4.1.3.A(5) || (5) AC.L2-3.1.7 – Privileged Functions
|-
| 5A || 4.1.3.A(6) || (6) AC.L2-3.1.8 – Unsuccessful Logon Attempts
|-
| 5A || 4.1.3.A(7) || (7) AC.L2-3.1.9 – Privacy & Security Notices
|-
| 5A || 4.1.3.A(8) || (8) AC.L2-3.1.10 – Session Lock
|-
| 5A || 4.1.3.A(9) || (9) AC.L2-3.1.11 – Session Termination
|-
| 5A || 4.1.3.A(10) || (10) AC.L2-3.1.12 – Control Remote Access
|-
| 5A || 4.1.3.A(11) || (11) AC.L2-3.1.13 – Remote Access Confidentiality
|-
| 5A || 4.1.3.A(12) || (12) AC.L2-3.1.14 – Remote Access Routing
|-
| 5A || 4.1.3.A(13) || (13) AC.L2-3.1.15 – Privileged Remote Access
|-
| 5A || 4.1.3.A(14) || (14) AC.L2-3.1.16 – Wireless Access Authorization
|-
| 5A || 4.1.3.A(15) || (15) AC.L2-3.1.17 – Wireless Access Protection
|-
| 5A || 4.1.3.A(16) || (16) AC.L2-3.1.18 – Mobile Device Connection
|-
| 5A || 4.1.3.A(17) || (17) AC.L2-3.1.19 – Encrypt CUI on Mobile
|-
| 5A || 4.1.3.A(18) || (18) AC.L2-3.1.21 – Portable Storage Use
|-
| 6A, 6B || 4.1.3.B || B. Awareness & Training (AT)
|-
| 6A || 4.1.3.B(1) || (1) AT.L2-3.2.1 – Role-Based Risk Awareness
|-
| 6A || 4.1.3.B(2) || (2) AT.L2-3.2.2 – Role-Based Training
|-
| 6A || 4.1.3.B(3) || (3) AT.L2-3.2.3 – Insider Threat Awareness
|-
| 7A, 7B || 4.1.3.C || C. Audit & Accountability (AU)
|-
| 7A || 4.1.3.C(1) || (1) AU.L2-3.3.1 – System Auditing
|-
| 7A || 4.1.3.C(2) || (2) AU.L2-3.3.2 – User Accountability
|-
| 7A || 4.1.3.C(3) || (3) AU.L2-3.3.3 – Event Review
|-
| 7A || 4.1.3.C(4) || (4) AU.L2-3.3.4 – Audit Failure Alerting
|-
| 7A || 4.1.3.C(5) || (5) AU.L2-3.3.5 – Audit Correlation
|-
| 7A || 4.1.3.C(6) || (6) AU.L2-3.3.6 – Reduction & Reporting
|-
| 7A || 4.1.3.C(7) || (7) AU.L2-3.3.7 – Authoritative Time Source
|-
| 7A || 4.1.3.C(8) || (8) AU.L2-3.3.8 – Audit Protection
|-
| 7A || 4.1.3.C(9) || (9) AU.L2-3.3.9 – Audit Management
|-
| 9A, 9B || 4.1.3.D || D. Configuration Management (CM)
|-
| 9A || 4.1.3.D(1) || (1) CM.L2-3.4.1 – System Baselining
|-
| 9A || 4.1.3.D(2) || (2) CM.L2-3.4.2 – Security Configuration Enforcement
|-
| 9A || 4.1.3.D(3) || (3) CM.L2-3.4.3 – System Change Management
|-
| 9A || 4.1.3.D(4) || (4) CM.L2-3.4.4 – Security Impact Analysis
|-
| 9A || 4.1.3.D(5) || (5) CM.L2-3.4.5 – Access Restrictions for Change
|-
| 9A || 4.1.3.D(6) || (6) CM.L2-3.4.6 – Least Functionality
|-
| 9A || 4.1.3.D(7) || (7) CM.L2-3.4.7 – Nonessential Functionality
|-
| 9A || 4.1.3.D(8) || (8) CM.L2-3.4.8 – Application Execution Policy
|-
| 9A || 4.1.3.D(9) || (9) CM.L2-3.4.9 – User-Installed Software
|-
| 10A, 10B || 4.1.3.E || E. Identification & Authentication (IA)
|-
| 10A || 4.1.3.E(1) || (1) IA.L2-3.5.3 – Multifactor Authentication
|-
| 10A || 4.1.3.E(2) || (2) IA.L2-3.5.4 – Replay-Resistant Authentication
|-
| 10A || 4.1.3.E(3) || (3) IA.L2-3.5.5 – Identifier Reuse
|-
| 10A || 4.1.3.E(4) || (4) IA.L2-3.5.6 – Identifier Handling
|-
| 10A || 4.1.3.E(5) || (5) IA.L2-3.5.7 – Password Complexity
|-
| 10A || 4.1.3.E(6) || (6) IA.L2-3.5.8 – Password Reuse
|-
| 10A || 4.1.3.E(7) || (7) IA.L2-3.5.9 – Temporary Passwords
|-
| 10A || 4.1.3.E(8) || (8) IA.L2-3.5.10 – Cryptographically-Protected Passwords
|-
| 10A || 4.1.3.E(9) || (9) IA.L2-3.5.11 – Obscure Feedback
|-
| 11A, 11B || 4.1.3.F || F. Incident Response (IR)
|-
| 11A || 4.1.3.F(1) || (1) IR.L2-3.6.1 – Incident Handling
|-
| 11A || 4.1.3.F(2) || (2) IR.L2-3.6.2 – Incident Reporting
|-
| 11A || 4.1.3.F(3) || (3) IR.L2-3.6.3 – Incident Response Testing
|-
| 12A, 12B || 4.1.3.G || G. Maintenance (MA)
|-
| 12A || 4.1.3.G(1) || (1) MA.L2-3.7.1 – Perform Maintenance
|-
| 12A || 4.1.3.G(2) || (2) MA.L2-3.7.2 – System Maintenance Control
|-
| 12A || 4.1.3.G(3) || (3) MA.L2-3.7.3 – Equipment Sanitization
|-
| 12A || 4.1.3.G(4) || (4) MA.L2-3.7.4 – Media Inspection
|-
| 12A || 4.1.3.G(5) || (5) MA.L2-3.7.5 – Nonlocal Maintenance
|-
| 12A || 4.1.3.G(6) || (6) MA.L2-3.7.6 – Maintenance Personnel
|-
| 13A, 13B || 4.1.3.H || H. Media Protection (MP)
|-
| 13A || 4.1.3.H(1) || (1) MP.L2-3.8.1 – Media Protection
|-
| 13A || 4.1.3.H(2) || (2) MP.L2-3.8.2 – Media Access
|-
| 13A || 4.1.3.H(3) || (3) MP.L2-3.8.4 – Media Markings
|-
| 13A || 4.1.3.H(4) || (4) MP.L2-3.8.5 – Media Accountability
|-
| 13A || 4.1.3.H(5) || (5) MP.L2-3.8.6 – Portable Storage Encryption
|-
| 13A || 4.1.3.H(6) || (6) MP.L2-3.8.7 – Removable Media
|-
| 13A || 4.1.3.H(7) || (7) MP.L2-3.8.8 – Shared Media
|-
| 13A || 4.1.3.H(8) || (8) MP.L2-3.8.9 – Protect Backups
|-
| 15A, 15B || 4.1.3.I || I. Personnel Security (PS)
|-
| 15A || 4.1.3.I(1) || (1) PS.L2-3.9.1 – Screen Individuals
|-
| 15A || 4.1.3.I(2) || (2) PS.L2-3.9.2 – Personnel Actions
|-
| 14A, 14B || 4.1.3.J || J. Physical Protection (PE)
|-
| 14A || 4.1.3.J(1) || (1) PE.L2-3.10.2 – Monitor Facility
|-
| 14A || 4.1.3.J(2) || (2) PE.L2-3.10.6 – Alternative Work Sites
|-
| 16A, 16B || 4.1.3.K || K. Risk Assessment (RA)
|-
| 16A || 4.1.3.K(1) || (1) RA.L2-3.11.1 – Risk Assessments
|-
| 16A || 4.1.3.K(2) || (2) RA.L2-3.11.2 – Vulnerability Scan
|-
| 16A || 4.1.3.K(3) || (3) RA.L2-3.11.3 – Vulnerability Remediation
|-
| 8A, 8B || 4.1.3.L || L. Security Assessment (CA)
|-
| 8A || 4.1.3.L(1) || (1) CA.L2-3.12.1 – Security Control Assessment
|-
| 8A || 4.1.3.L(2) || (2) CA.L2-3.12.2 – Plan of Action
|-
| 8A || 4.1.3.L(3) || (3) CA.L2-3.12.3 – Security Control Monitoring
|-
| 8A || 4.1.3.L(4) || (4) CA.L2-3.12.4 – System Security Plan
|-
| 17A, 17B || 4.1.3.M || M. System & Communications Protection (SC)
|-
| 17A || 4.1.3.M(1) || (1) SC.L2-3.13.2 – Security Engineering
|-
| 17A || 4.1.3.M(2) || (2) SC.L2-3.13.3 – Role Separation
|-
| 17A || 4.1.3.M(3) || (3) SC.L2-3.13.4 – Shared Resource Control
|-
| 17A || 4.1.3.M(4) || (4) SC.L2-3.13.6 – Network Communication by Exception
|-
| 17A || 4.1.3.M(5) || (5) SC.L2-3.13.7 – Split Tunneling
|-
| 17A || 4.1.3.M(6) || (6) SC.L2-3.13.8 – Data in Transit
|-
| 17A || 4.1.3.M(7) || (7) SC.L2-3.13.9 – Connections Termination
|-
| 17A || 4.1.3.M(8) || (8) SC.L2-3.13.10 – Key Management
|-
| 17A || 4.1.3.M(9) || (9) SC.L2-3.13.11 – CUI Encryption
|-
| 17A || 4.1.3.M(10) || (10) SC.L2-3.13.12 – Collaborative Device Control
|-
| 17A || 4.1.3.M(11) || (11) SC.L2-3.13.13 – Mobile Code
|-
| 17A || 4.1.3.M(12) || (12) SC.L2-3.13.14 – Voice over Internet Protocol
|-
| 17A || 4.1.3.M(13) || (13) SC.L2-3.13.15 – Communications Authenticity
|-
| 17A || 4.1.3.M(14) || (14) SC.L2-3.13.16 – Data at Rest
|-
| 18A, 18B || 4.1.3.N || N. System & Information Integrity (SI)
|-
| 18A || 4.1.3.N(1) || (1) SI.L2-3.14.3 – Security Alerts & Advisories
|-
| 18A || 4.1.3.N(2) || (2) SI.L2-3.14.6 – Monitor Communications for Attacks
|-
| 18A || 4.1.3.N(3) || (3) SI.L2-3.14.7 – Identify Unauthorized Use
|}