Level 2 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki

Revision as of 03:12, 20 February 2022

Reference: The official CMMC Level 2 Assessment Guide (https://www.acq.osd.mil/cmmc/documentation.html) from the Office of the Under Secretary of Defense Acquisition & Sustainment.

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 - Authorized Access Control

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

AC.L1-3.1.2 - Transaction & Function Control

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.

AC.L1-3.1.20 - External Connections

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.

AC.L1-3.1.22 - Control Public Information

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.

Access Control (AC)

Level 2 AC Practices