Level 2 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki
No edit summary
No edit summary
Line 1: Line 1:
'''Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''
'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''
 
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.


== Access Control (AC) ==
== Access Control (AC) ==
Line 67: Line 69:


=== Level 2 AC Practices ===
=== Level 2 AC Practices ===
==== AC.L2-3.1.3 – Control CUI Flow ====
{|class="wikitable"
|-
|'''SECURITY REQUIREMENT'''
Control the flow of CUI in accordance with approved authorizations.
|'''ASSESSMENT OBJECTIVES'''
: [a] information flow control policies are defined;
: [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
: [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; 
: [d] authorizations for controlling the flow of CUI are defined; and
: [e] approved authorizations for controlling the flow of CUI are enforced.
|-
|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
|}


== Awareness and Training (AT) ==
== Awareness and Training (AT) ==

Revision as of 00:38, 21 February 2022

Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 1 AC Practices

AC.L1-3.1.1 – Authorized Access Control

SECURITY REQUIREMENT

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

ASSESSMENT OBJECTIVES
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
More Practice Details...

AC.L1-3.1.2 – Transaction & Function Control

SECURITY REQUIREMENT

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

ASSESSMENT OBJECTIVES
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
More Practice Details...

AC.L1-3.1.20 – External Connections

SECURITY REQUIREMENT

Verify and control/limit connections to and use of external information systems.

ASSESSMENT OBJECTIVES
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
More Practice Details...

AC.L1-3.1.22 – Control Public Information

SECURITY REQUIREMENT

Control information posted or processed on publicly accessible information systems.

ASSESSMENT OBJECTIVES
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.
More Practice Details...

Level 2 AC Practices

AC.L2-3.1.3 – Control CUI Flow

SECURITY REQUIREMENT

Control the flow of CUI in accordance with approved authorizations.

ASSESSMENT OBJECTIVES
[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.
More Practice Details...

Awareness and Training (AT)

Level 2 AT Practices

Audit and Accountability (AU)

Level 2 AU Practices

Configuration Management (CM)

Level 2 CM Practices

Identification and Authentication (IA)

Level 1 IA Practices

Level 2 IA Practices

Incident Response (IR)

Level 2 IR Practices

Maintenance (MA)

Level 2 MA Practices

Media Protection (MP)

Level 1 MP Practices

Level 2 MP Practices

Personnel Security (PS)

Level 2 PS Practices

Physical Protection (PE)

Level 1 PE Practices

Level 2 PE Practices

Risk Assessment (RA)

Level 2 RA Practices

Security Assessment (CA)

Level 2 CA Practices

System and Communications Protection (SC)

Level 1 SC Practices

Level 2 SC Practices

System and Information Integrity (SI)

Level 1 SI Practices

Level 2 SI Practices