Level 2 Assessment Guide: Difference between revisions

From CMMC Toolkit Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''
'''Source of Reference: The official [https://dodcio.defense.gov/CMMC/Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.


== Access Control (AC) ==
== Access Control (AC) ==
=== Level 1 AC Practices ===
==== AC.L1-3.1.1 - Authorized Access Control ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] authorized users are identified;
: [b] processes acting on behalf of authorized users are identified;
: [c] devices (and other systems) authorized to connect to the system are identified;
: [d] system access is limited to authorized users;
: [e] system access is limited to processes acting on behalf of authorized users; and
: [f] system access is limited to authorized devices (including other systems).
|-
|[[Practice_AC.L1-3.1.1_Details|More Practice Details...]]
|}
==== AC.L1-3.1.2 - Transaction & Function Control ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Limit information system access to the types of transactions and functions that authorized  users are permitted to execute.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
: [b] system access is limited to the defined types of transactions and functions for authorized users.
|-
|[[Practice_AC.L1-3.1.2_Details|More Practice Details...]]
|}
==== AC.L1-3.1.20 - External Connections ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Verify and control/limit connections to and use of external information systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] connections to external systems are identified;
: [b] the use of external systems is identified;
: [c] connections to external systems are verified;
: [d] the use of external systems is verified;
: [e] connections to external systems are controlled/limited; and
: [f]  the use of external systems is controlled/limited.
|-
|[[Practice_AC.L1-3.1.20_Details|More Practice Details...]]
|}
==== AC.L1-3.1.22 - Control Public Information ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Control information posted or processed on publicly accessible information systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] individuals authorized to post or process information on publicly accessible systems are identified;
: [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
: [c] a review process is in place prior to posting of any content to publicly accessible systems;
: [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
: [e] mechanisms are in place to remove and address improper posting of FCI.
|-
|[[Practice_AC.L1-3.1.22_Details|More Practice Details...]]
|}
=== Level 2 AC Practices ===
=== Level 2 AC Practices ===
==== AC.L2-3.1.3 – Control CUI Flow ====
==== AC.L2-3.1.3 – CONTROL CUI FLOW ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 76: Line 16:
: [d] authorizations for controlling the flow of CUI are defined; and
: [d] authorizations for controlling the flow of CUI are defined; and
: [e] approved authorizations for controlling the flow of CUI are enforced.
: [e] approved authorizations for controlling the flow of CUI are enforced.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.3_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.4 – Separation of Duties ====
==== AC.L2-3.1.4 – SEPARATION OF DUTIES ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 89: Line 31:
: [b] responsibilities for duties that require separation are assigned to separate individuals; and
: [b] responsibilities for duties that require separation are assigned to separate individuals; and
: [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
: [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.4_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.4_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.5 – Least Privilege ====
==== AC.L2-3.1.5 – LEAST PRIVILEGE ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 103: Line 47:
: [c] security functions are identified; and
: [c] security functions are identified; and
: [d] access to security functions is authorized in accordance with the principle of least privilege.
: [d] access to security functions is authorized in accordance with the principle of least privilege.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_AC.L2-3.1.5_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.5_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.6 – Non-Privileged Account Use ====
==== AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 115: Line 61:
: [a] nonsecurity functions are identified; and
: [a] nonsecurity functions are identified; and
: [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
: [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.6_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.6_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.7 – Privileged Functions ====
==== AC.L2-3.1.7 – PRIVILEGED FUNCTIONS ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 129: Line 77:
: [c] non-privileged users are prevented from executing privileged functions; and
: [c] non-privileged users are prevented from executing privileged functions; and
: [d] the execution of privileged functions is captured in audit logs.
: [d] the execution of privileged functions is captured in audit logs.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.7_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.7_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.8 – Unsuccessful Logon Attempts ====
==== AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 141: Line 91:
: [a] the means of limiting unsuccessful logon attempts is defined; and
: [a] the means of limiting unsuccessful logon attempts is defined; and
: [b] the defined means of limiting unsuccessful logon attempts is implemented.
: [b] the defined means of limiting unsuccessful logon attempts is implemented.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.8_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.8_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.9 – Privacy & Security Notices ====
==== AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 153: Line 105:
: [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
: [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
: [b] privacy and security notices are displayed.
: [b] privacy and security notices are displayed.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.9_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.9_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.10 – Session Lock ====
==== AC.L2-3.1.10 – SESSION LOCK ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 166: Line 120:
: [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
: [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
: [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
: [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.10_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.10_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.11 – Session Termination ====
==== AC.L2-3.1.11 – SESSION TERMINATION ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 178: Line 134:
: [a] conditions requiring a user session to terminate are defined; and
: [a] conditions requiring a user session to terminate are defined; and
: [b] a user session is automatically terminated after any of the defined conditions  
: [b] a user session is automatically terminated after any of the defined conditions  
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.11_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.11_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.12 – Control Remote Access ====
==== AC.L2-3.1.12 – CONTROL REMOTE ACCESS ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 192: Line 150:
: [c] remote access sessions are controlled; and
: [c] remote access sessions are controlled; and
: [d] remote access sessions are monitored.
: [d] remote access sessions are monitored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L2-3.1.12_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.12_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.13 – Remote Access Confidentiality ====
==== AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 204: Line 164:
: [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
: [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
: [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
: [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L2-3.1.13_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.13_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.14 – Remote Access Routing ====
==== AC.L2-3.1.14 – REMOTE ACCESS ROUTING ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 216: Line 178:
: [a] managed access control points are identified and implemented; and  
: [a] managed access control points are identified and implemented; and  
: [b] remote access is routed through managed network access control points.
: [b] remote access is routed through managed network access control points.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.14_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.14_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.15 – Privileged Remote Access ====
==== AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 230: Line 194:
: [c] the execution of the identified privileged commands via remote access is authorized; and
: [c] the execution of the identified privileged commands via remote access is authorized; and
: [d] access to the identified security-relevant information via remote access is authorized.
: [d] access to the identified security-relevant information via remote access is authorized.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.15_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.15_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.16 – Wireless Access Authorization ====
==== AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 242: Line 208:
: [a] wireless access points are identified; and
: [a] wireless access points are identified; and
: [b] wireless access is authorized prior to allowing such connections.
: [b] wireless access is authorized prior to allowing such connections.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L2-3.1.16_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.16_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.17 – Wireless Access Protection ====
==== AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 254: Line 222:
: [a] wireless access to the system is protected using authentication; and
: [a] wireless access to the system is protected using authentication; and
: [b] wireless access to the system is protected using encryption.
: [b] wireless access to the system is protected using encryption.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L2-3.1.17_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.17_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.18 – Mobile Device Connection ====
==== AC.L2-3.1.18 – MOBILE DEVICE CONNECTION ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 267: Line 237:
: [b] mobile device connections are authorized; and
: [b] mobile device connections are authorized; and
: [c] mobile device connections are monitored and logged.
: [c] mobile device connections are monitored and logged.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AC.L2-3.1.18_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.18_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.19 – Encrypt CUI on Mobile ====
==== AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 279: Line 251:
: [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
: [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
: [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
: [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_AC.L2-3.1.19_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.19_Details|More Practice Details...]]
|}
|}


==== AC.L2-3.1.21 – Portable Storage Use ====
==== AC.L2-3.1.21 – PORTABLE STORAGE USE ====
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Line 292: Line 266:
: [b] limits on the use of portable storage devices containing CUI on external systems are defined; and
: [b] limits on the use of portable storage devices containing CUI on external systems are defined; and
: [c] the use of portable storage devices containing CUI on external systems is limited as defined.
: [c] the use of portable storage devices containing CUI on external systems is limited as defined.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AC.L2-3.1.21_Details|More Practice Details...]]
|[[Practice_AC.L2-3.1.21_Details|More Practice Details...]]
Line 305: Line 281:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] security risks associated with organizational activities involving CUI are identified;
: [a] security risks associated with organizational activities involving CUI are identified;
: [b] policies, standards, and procedures related to the security of the system are identified;[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
: [b] policies, standards, and procedures related to the security of the system are identified;
: [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
: [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
: [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AT.L2-3.2.1_Details|More Practice Details...]]
|[[Practice_AT.L2-3.2.1_Details|More Practice Details...]]
Line 315: Line 294:
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] information security-related duties, roles, and responsibilities are defined;
: [a] information security-related duties, roles, and responsibilities are defined;
: [b] information security-related duties, roles, and responsibilities are assigned to  
: [b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
designated personnel; and  
: [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
: [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AT.L2-3.2.2_Details|More Practice Details...]]
|[[Practice_AT.L2-3.2.2_Details|More Practice Details...]]
Line 332: Line 313:
: [a] potential indicators associated with insider threats are identified; and  
: [a] potential indicators associated with insider threats are identified; and  
: [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
: [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AT.L2-3.2.3_Details|More Practice Details...]]
|[[Practice_AT.L2-3.2.3_Details|More Practice Details...]]
Line 344: Line 327:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis,  
: [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
investigation, and reporting of unlawful or unauthorized system activity are specified;[b] the content of audit records needed to support monitoring, analysis, investigation, and  
: [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
reporting of unlawful or unauthorized system activity is defined;
: [c] audit records are created (generated);
: [c] audit records are created (generated);
: [d] audit records, once created, contain the defined content;
: [d] audit records, once created, contain the defined content;
: [e] retention requirements for audit records are defined; and  
: [e] retention requirements for audit records are defined; and  
: [f] audit records are retained as defined.
: [f] audit records are retained as defined.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AU.L2-3.3.1_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.1_Details|More Practice Details...]]
Line 361: Line 345:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the content of the audit records needed to support the ability to uniquely trace users to  
: [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and  
their actions is defined; and  
: [b] audit records, once created, contain the defined content.
: [b] audit records, once created, contain the defined content.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_AU.L2-3.3.2_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.2_Details|More Practice Details...]]
Line 375: Line 360:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a process for determining when to review logged events is defined;
: [a] a process for determining when to review logged events is defined;
: [b] event types being logged are reviewed in accordance with the defined review process;
: [b] event types being logged are reviewed in accordance with the defined review process; and
and  
: [c] event types being logged are updated based on the review.
: [c] event types being logged are updated based on the review.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AU.L2-3.3.3_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.3_Details|More Practice Details...]]
Line 388: Line 374:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] personnel or roles to be alerted in the event of an audit logging process failure are  
: [a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
identified;
: [b] types of audit logging process failures for which alert will be generated are defined; and  
: [b] types of audit logging process failures for which alert will be generated are defined; and  
: [c] identified personnel or roles are alerted in the event of an audit logging process failure.
: [c] identified personnel or roles are alerted in the event of an audit logging process failure.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AU.L2-3.3.4_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.4_Details|More Practice Details...]]
Line 402: Line 389:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] audit record review, analysis, and reporting processes for investigation and response to  
: [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and  
: [b] defined audit record review, analysis, and reporting processes are correlated.
: [b] defined audit record review, analysis, and reporting processes are correlated.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_AU.L2-3.3.5_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.5_Details|More Practice Details...]]
Line 415: Line 403:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] an audit record reduction capability that supports on-demand analysis is provided; and [b] a report generation capability that supports on-demand reporting is provided.
: [a] an audit record reduction capability that supports on-demand analysis is provided; and
: [b] a report generation capability that supports on-demand reporting is provided.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AU.L2-3.3.6_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.6_Details|More Practice Details...]]
Line 427: Line 418:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] internal system clocks are used to generate time stamps for audit records;
: [a] internal system clocks are used to generate time stamps for audit records;
: [b] an authoritative source with which to compare and synchronize internal system clocks  
: [b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
is specified; and  
: [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
: [c] internal system clocks used to generate time stamps for audit records are compared to  
|-
and synchronized with the specified authoritative time source.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AU.L2-3.3.7_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.7_Details|More Practice Details...]]
Line 447: Line 438:
: [e] audit logging tools are protected from unauthorized modification; and  
: [e] audit logging tools are protected from unauthorized modification; and  
: [f] audit logging tools are protected from unauthorized deletion.
: [f] audit logging tools are protected from unauthorized deletion.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AU.L2-3.3.8_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.8_Details|More Practice Details...]]
Line 454: Line 447:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Limit management of audit logging functionality to a subset of privileged users.ASSESSMENT OBJECTIVES'''
Limit management of audit logging functionality to a subset of privileged users.
: [a] a subset of privileged users granted access to manage audit logging functionality is  
|-
defined; and  
|'''ASSESSMENT OBJECTIVES'''
: [b] management of audit logging functionality is limited to the defined subset of privileged  
: [a] a subset of privileged users granted access to manage audit logging functionality is defined; and
users.
: [b] management of audit logging functionality is limited to the defined subset of privileged users.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_AU.L2-3.3.9_Details|More Practice Details...]]
|[[Practice_AU.L2-3.3.9_Details|More Practice Details...]]
Line 472: Line 467:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a baseline configuration is established;
: [a] a baseline configuration is established;
: [b] the baseline configuration includes hardware, software, firmware, and documentation;[c] the baseline configuration is maintained (reviewed and updated) throughout the  
: [b] the baseline configuration includes hardware, software, firmware, and documentation;
system development life cycle;
: [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
: [d] a system inventory is established;
: [d] a system inventory is established;
: [e] the system inventory includes hardware, software, firmware, and documentation; and [f] the inventory is maintained (reviewed and updated) throughout the system  
: [e] the system inventory includes hardware, software, firmware, and documentation; and
development life cycle.
: [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CM.L2-3.4.1_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.1_Details|More Practice Details...]]
Line 487: Line 484:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] security configuration settings for information technology products employed in the  
: [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
system are established and included in the baseline configuration; and  
: [b] security configuration settings for information technology products employed in the system are enforced.
: [b] security configuration settings for information technology products employed in the  
|-
system are enforced.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CM.L2-3.4.2_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.2_Details|More Practice Details...]]
Line 498: Line 495:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Track, review, approve or disapprove, and log changes to organizational systems.ASSESSMENT OBJECTIVES'''
Track, review, approve or disapprove, and log changes to organizational systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] changes to the system are tracked;
: [a] changes to the system are tracked;
: [b] changes to the system are reviewed;
: [b] changes to the system are reviewed;
: [c] changes to the system are approved or disapproved; and  
: [c] changes to the system are approved or disapproved; and  
: [d] changes to the system are logged.
: [d] changes to the system are logged.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_CM.L2-3.4.3_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.3_Details|More Practice Details...]]
Line 514: Line 515:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the security impact of changes to the system is analyzed prior to implementation.
: [a] the security impact of changes to the system is analyzed prior to implementation.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_CM.L2-3.4.4_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.4_Details|More Practice Details...]]
Line 532: Line 535:
: [g] logical access restrictions associated with changes to the system are approved; and  
: [g] logical access restrictions associated with changes to the system are approved; and  
: [h] logical access restrictions associated with changes to the system are enforced.
: [h] logical access restrictions associated with changes to the system are enforced.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CM.L2-3.4.5_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.5_Details|More Practice Details...]]
Line 542: Line 547:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] essential system capabilities are defined based on the principle of least functionality;
: [a] essential system capabilities are defined based on the principle of least functionality; and
and  
: [b] the system is configured to provide only the defined essential capabilities.
: [b] the system is configured to provide only the defined essential capabilities.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CM.L2-3.4.6_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.6_Details|More Practice Details...]]
Line 568: Line 574:
: [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
: [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
: [m] essential services are defined;
: [m] essential services are defined;
: [n] the use of nonessential services is defined; and  
: [n] the use of nonessential services is defined; and
: [o] the use of nonessential services is restricted, disabled, or prevented as defined.
: [o] the use of nonessential services is restricted, disabled, or prevented as defined.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CM.L2-3.4.7_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.7_Details|More Practice Details...]]
Line 580: Line 588:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a policy specifying whether whitelisting or blacklisting is to be implemented is  
: [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
specified;
: [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
: [b] the software allowed to execute under whitelisting or denied use under blacklisting is  
: [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
specified; and  
|-
: [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the  
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
use of unauthorized software is implemented as specified.
|-
|-
|[[Practice_CM.L2-3.4.8_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.8_Details|More Practice Details...]]
Line 597: Line 604:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a policy for controlling the installation of software by users is established;
: [a] a policy for controlling the installation of software by users is established;
: [b] installation of software by users is controlled based on the established policy; and  
: [b] installation of software by users is controlled based on the established policy; and
: [c] installation of software by users is monitored.
: [c] installation of software by users is monitored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_CM.L2-3.4.9_Details|More Practice Details...]]
|[[Practice_CM.L2-3.4.9_Details|More Practice Details...]]
Line 604: Line 613:


== Identification and Authentication (IA) ==
== Identification and Authentication (IA) ==
=== Level 1 IA Practices ===
==== IA.L1-3.5.1 – IDENTIFICATION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Identify information system users, processes acting on behalf of users, or devices.ASSESSMENT OBJECTIVES'''
: [a] system users are identified;
: [b] processes acting on behalf of users are identified; and
: [c] devices accessing the system are identified.
|-
|[[Practice_IA.L1-3.5.1_Details|More Practice Details...]]
|}
==== IA.L1-3.5.2 – AUTHENTICATION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] the identity of each user is authenticated or verified as a prerequisite to system access;[b] the identity of each process acting on behalf of a user is authenticated or verified as a
prerequisite to system access; and
: [c] the identity of each device accessing or connecting to the system is authenticated or
verified as a prerequisite to system access.
|-
|[[Practice_IA.L1-3.5.2_Details|More Practice Details...]]
|}
=== Level 2 IA Practices ===
=== Level 2 IA Practices ===
==== IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION ====
==== IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION ====
Line 639: Line 622:
: [a] privileged accounts are identified;
: [a] privileged accounts are identified;
: [b] multifactor authentication is implemented for local access to privileged accounts;
: [b] multifactor authentication is implemented for local access to privileged accounts;
: [c] multifactor authentication is implemented for network access to privileged accounts;
: [c] multifactor authentication is implemented for network access to privileged accounts; and
and  
: [d] multifactor authentication is implemented for network access to non-privileged accounts.
: [d] multifactor authentication is implemented for network access to non-privileged  
|-
accounts.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_IA.L2-3.5.3_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.3_Details|More Practice Details...]]
Line 653: Line 636:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] replay-resistant authentication mechanisms are implemented for network account  
: [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
access to privileged and non-privileged accounts.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.4_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.4_Details|More Practice Details...]]
Line 665: Line 649:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a period within which identifiers cannot be reused is defined; and  
: [a] a period within which identifiers cannot be reused is defined; and
: [b] reuse of identifiers is prevented within the defined period.
: [b] reuse of identifiers is prevented within the defined period.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.5_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.5_Details|More Practice Details...]]
Line 677: Line 663:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a period of inactivity after which an identifier is disabled is defined; and  
: [a] a period of inactivity after which an identifier is disabled is defined; and
: [b] identifiers are disabled after the defined period of inactivity.
: [b] identifiers are disabled after the defined period of inactivity.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.6_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.6_Details|More Practice Details...]]
Line 691: Line 679:
: [a] password complexity requirements are defined;
: [a] password complexity requirements are defined;
: [b] password change of character requirements are defined;
: [b] password change of character requirements are defined;
: [c] minimum password complexity requirements as defined are enforced when new  
: [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
passwords are created; and  
: [d] minimum password change of character requirements as defined are enforced when new passwords are created.
: [d] minimum password change of character requirements as defined are enforced when  
|-
new passwords are created.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.7_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.7_Details|More Practice Details...]]
Line 706: Line 694:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
: [a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.8_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.8_Details|More Practice Details...]]
Line 716: Line 706:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] an immediate change to a permanent password is required when a temporary password  
: [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
is used for system logon.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.9_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.9_Details|More Practice Details...]]
Line 728: Line 719:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] passwords are cryptographically protected in storage; and  
: [a] passwords are cryptographically protected in storage; and
: [b] passwords are cryptographically protected in transit.
: [b] passwords are cryptographically protected in transit.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_IA.L2-3.5.10_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.10_Details|More Practice Details...]]
Line 741: Line 734:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] authentication information is obscured during the authentication process.
: [a] authentication information is obscured during the authentication process.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IA.L2-3.5.11_Details|More Practice Details...]]
|[[Practice_IA.L2-3.5.11_Details|More Practice Details...]]
Line 758: Line 753:
: [d] the operational incident-handling capability includes analysis;
: [d] the operational incident-handling capability includes analysis;
: [e] the operational incident-handling capability includes containment;
: [e] the operational incident-handling capability includes containment;
: [f] the operational incident-handling capability includes recovery; and  
: [f] the operational incident-handling capability includes recovery; and
: [g] the operational incident-handling capability includes user response  
: [g] the operational incident-handling capability includes user response  
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_IR.L2-3.6.1_Details|More Practice Details...]]
|[[Practice_IR.L2-3.6.1_Details|More Practice Details...]]
Line 774: Line 771:
: [c] authorities to whom incidents are to be reported are identified;
: [c] authorities to whom incidents are to be reported are identified;
: [d] organizational officials to whom incidents are to be reported are identified;
: [d] organizational officials to whom incidents are to be reported are identified;
: [e] identified authorities are notified of incidents; and  
: [e] identified authorities are notified of incidents; and
: [f] identified organizational officials are notified of incidents.
: [f] identified organizational officials are notified of incidents.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_IR.L2-3.6.2_Details|More Practice Details...]]
|[[Practice_IR.L2-3.6.2_Details|More Practice Details...]]
Line 787: Line 786:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the incident response capability is tested.
: [a] the incident response capability is tested.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_IR.L2-3.6.3_Details|More Practice Details...]]
|[[Practice_IR.L2-3.6.3_Details|More Practice Details...]]
Line 796: Line 797:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Perform maintenance on organizational systems.ASSESSMENT OBJECTIVES'''
Perform maintenance on organizational systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] system maintenance is performed.
: [a] system maintenance is performed.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_MA.L2-3.7.1_Details|More Practice Details...]]
|[[Practice_MA.L2-3.7.1_Details|More Practice Details...]]
Line 810: Line 815:
: [a] tools used to conduct system maintenance are controlled;
: [a] tools used to conduct system maintenance are controlled;
: [b] techniques used to conduct system maintenance are controlled;
: [b] techniques used to conduct system maintenance are controlled;
: [c] mechanisms used to conduct system maintenance are controlled; and  
: [c] mechanisms used to conduct system maintenance are controlled; and
: [d] personnel used to conduct system maintenance are controlled.
: [d] personnel used to conduct system maintenance are controlled.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_MA.L2-3.7.2_Details|More Practice Details...]]
|[[Practice_MA.L2-3.7.2_Details|More Practice Details...]]
Line 822: Line 829:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] equipment to be removed from organizational spaces for off-site maintenance is  
: [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
sanitized of any CUI.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MA.L2-3.7.3_Details|More Practice Details...]]
|[[Practice_MA.L2-3.7.3_Details|More Practice Details...]]
Line 834: Line 842:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] media containing diagnostic and test programs are checked for malicious code before  
: [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
being used in organizational systems that process, store, or transmit CUI.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_MA.L2-3.7.4_Details|More Practice Details...]]
|[[Practice_MA.L2-3.7.4_Details|More Practice Details...]]
Line 846: Line 855:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] multifactor authentication is used to establish nonlocal maintenance sessions via  
: [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
external network connections; and  
: [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
: [b] nonlocal maintenance sessions established via external network connections are  
|-
terminated when nonlocal maintenance is complete.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MA.L2-3.7.5_Details|More Practice Details...]]
|[[Practice_MA.L2-3.7.5_Details|More Practice Details...]]
Line 860: Line 869:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] maintenance personnel without required access authorization are supervised during  
: [a] maintenance personnel without required access authorization are supervised during maintenance activities.
maintenance activities.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MA.L2-3.7.6_Details|More Practice Details...]]
|[[Practice_MA.L2-3.7.6_Details|More Practice Details...]]
Line 867: Line 877:


== Media Protection (MP) ==
== Media Protection (MP) ==
=== Level 1 MP Practices ===
==== MP.L1-3.8.3 – MEDIA DISPOSAL ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] system media containing FCI is sanitized or destroyed before disposal; and
: [b] system media containing FCI is sanitized before it is released for reuse.
|-
|[[Practice_MP.L1-3.8.3_Details|More Practice Details...]]
|}
=== Level 2 MP Practices ===
=== Level 2 MP Practices ===
==== MP.L2-3.8.1 – MEDIA PROTECTION ====
==== MP.L2-3.8.1 – MEDIA PROTECTION ====
Line 889: Line 886:
: [a] paper media containing CUI is physically controlled;
: [a] paper media containing CUI is physically controlled;
: [b] digital media containing CUI is physically controlled;
: [b] digital media containing CUI is physically controlled;
: [c] paper media containing CUI is securely stored; and  
: [c] paper media containing CUI is securely stored; and
: [d] digital media containing CUI is securely stored.
: [d] digital media containing CUI is securely stored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_MP.L2-3.8.1_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.1_Details|More Practice Details...]]
Line 902: Line 901:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] access to CUI on system media is limited to authorized users.
: [a] access to CUI on system media is limited to authorized users.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_MP.L2-3.8.2_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.2_Details|More Practice Details...]]
Line 912: Line 913:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] media containing CUI is marked with applicable CUI markings; and  
: [a] media containing CUI is marked with applicable CUI markings; and
: [b] media containing CUI is marked with distribution limitations.
: [b] media containing CUI is marked with distribution limitations.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MP.L2-3.8.4_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.4_Details|More Practice Details...]]
Line 924: Line 927:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] access to media containing CUI is controlled; and  
: [a] access to media containing CUI is controlled; and
: [b] accountability for media containing CUI is maintained during transport outside of  
: [b] accountability for media containing CUI is maintained during transport outside of controlled areas.
controlled areas.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MP.L2-3.8.5_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.5_Details|More Practice Details...]]
Line 937: Line 941:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the confidentiality of CUI stored on digital media is protected during transport using  
: [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
cryptographic mechanisms or alternative physical safeguards.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MP.L2-3.8.6_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.6_Details|More Practice Details...]]
Line 950: Line 955:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the use of removable media on system components is controlled.
: [a] the use of removable media on system components is controlled.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_MP.L2-3.8.7_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.7_Details|More Practice Details...]]
|}
|}


==== MP.L2-3.8.8 – SHARED MEDIA  
==== MP.L2-3.8.8 – SHARED MEDIA ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES'''
Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES'''
: [a] the use of portable storage devices is prohibited when such devices have no identifiable  
|-
owner.
|'''ASSESSMENT OBJECTIVES'''
: [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_MP.L2-3.8.8_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.8_Details|More Practice Details...]]
Line 969: Line 981:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the confidentiality of backup CUI is protected at storage locations.
: [a] the confidentiality of backup CUI is protected at storage locations.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_MP.L2-3.8.9_Details|More Practice Details...]]
|[[Practice_MP.L2-3.8.9_Details|More Practice Details...]]
Line 978: Line 992:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Screen individuals prior to authorizing access to organizational systems containing CUI.ASSESSMENT OBJECTIVES'''
Screen individuals prior to authorizing access to organizational systems containing CUI.
: [a] individuals are screened prior to authorizing access to organizational systems  
|-
containing CUI.
|'''ASSESSMENT OBJECTIVES'''
: [a] individuals are screened prior to authorizing access to organizational systems containing CUI.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_PS.L2-3.9.1_Details|More Practice Details...]]
|[[Practice_PS.L2-3.9.1_Details|More Practice Details...]]
Line 991: Line 1,008:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a policy and/or process for terminating system access and any credentials coincident  
: [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
with personnel actions is established;
: [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
: [b] system access and credentials are terminated consistent with personnel actions such as  
termination or transfer; and  
: [c] the system is protected during and after personnel transfer actions.
: [c] the system is protected during and after personnel transfer actions.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_PS.L2-3.9.2_Details|More Practice Details...]]
|[[Practice_PS.L2-3.9.2_Details|More Practice Details...]]
Line 1,001: Line 1,018:


== Physical Protection (PE) ==
== Physical Protection (PE) ==
=== Level 1 PE Practices ===
==== PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] authorized individuals allowed physical access are identified;
: [b] physical access to organizational systems is limited to authorized individuals;
: [c] physical access to equipment is limited to authorized individuals; and
: [d] physical access to operating environments is limited to authorized
|-
|[[Practice_PE.L1-3.10.1_Details|More Practice Details...]]
|}
==== PE.L1-3.10.3 – ESCORT VISITORS ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Escort visitors and monitor visitor activity.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] visitors are escorted; and
: [b] visitor activity is monitored.
|-
|[[Practice_PE.L1-3.10.3_Details|More Practice Details...]]
|}
==== PE.L1-3.10.4 – PHYSICAL ACCESS LOGS ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Maintain audit logs of physical access.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] audit logs of physical access are maintained.
|-
|[[Practice_PE.L1-3.10.4_Details|More Practice Details...]]
|}
==== PE.L1-3.10.5 – MANAGE PHYSICAL ACCESS ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Control and manage physical access devices.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] physical access devices are identified;
: [b] physical access devices are controlled; and
: [c] physical access devices are managed.
|-
|[[Practice_PE.L1-3.10.5_Details|More Practice Details...]]
|}
=== Level 2 PE Practices ===
=== Level 2 PE Practices ===
==== PE.L2-3.10.2 – MONITOR FACILITY ====
==== PE.L2-3.10.2 – MONITOR FACILITY ====
Line 1,061: Line 1,027:
: [a] the physical facility where organizational systems reside is protected;
: [a] the physical facility where organizational systems reside is protected;
: [b] the support infrastructure for organizational systems is protected;
: [b] the support infrastructure for organizational systems is protected;
: [c] the physical facility where organizational systems reside is monitored; and  
: [c] the physical facility where organizational systems reside is monitored; and
: [d] the support infrastructure for organizational systems is monitored.
: [d] the support infrastructure for organizational systems is monitored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_PE.L2-3.10.2_Details|More Practice Details...]]
|[[Practice_PE.L2-3.10.2_Details|More Practice Details...]]
Line 1,073: Line 1,041:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] safeguarding measures for CUI are defined for alternate work sites; and  
: [a] safeguarding measures for CUI are defined for alternate work sites; and
: [b] safeguarding measures for CUI are enforced for alternate work sites.
: [b] safeguarding measures for CUI are enforced for alternate work sites.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_PE.L2-3.10.6_Details|More Practice Details...]]
|[[Practice_PE.L2-3.10.6_Details|More Practice Details...]]
Line 1,087: Line 1,057:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the frequency to assess risk to organizational operations, organizational assets, and  
: [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
individuals is defined; and  
: [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
: [b] risk to organizational operations, organizational assets, and individuals resulting from  
|-
the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_RA.L2-3.11.1_Details|More Practice Details...]]
|[[Practice_RA.L2-3.11.1_Details|More Practice Details...]]
Line 1,101: Line 1,071:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the frequency to scan for vulnerabilities in organizational systems and applications is  
: [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
defined;
: [b] vulnerability scans are performed on organizational systems with the defined frequency;
: [b] vulnerability scans are performed on organizational systems with the defined  
frequency;
: [c] vulnerability scans are performed on applications with the defined frequency;
: [c] vulnerability scans are performed on applications with the defined frequency;
: [d] vulnerability scans are performed on organizational systems when new vulnerabilities  
: [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
are identified; and  
: [e] vulnerability scans are performed on applications when new vulnerabilities are  
: [e] vulnerability scans are performed on applications when new vulnerabilities are  
identified.
identified.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_RA.L2-3.11.2_Details|More Practice Details...]]
|[[Practice_RA.L2-3.11.2_Details|More Practice Details...]]
Line 1,120: Line 1,089:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] vulnerabilities are identified; and  
: [a] vulnerabilities are identified; and
: [b] vulnerabilities are remediated in accordance with risk assessments.
: [b] vulnerabilities are remediated in accordance with risk assessments.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_RA.L2-3.11.3_Details|More Practice Details...]]
|[[Practice_RA.L2-3.11.3_Details|More Practice Details...]]
Line 1,134: Line 1,105:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the frequency of security control assessments is defined; and  
: [a] the frequency of security control assessments is defined; and
: [b] security controls are assessed with the defined frequency to determine if the controls  
: [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
are effective in their application.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CA.L2-3.12.1_Details|More Practice Details...]]
|[[Practice_CA.L2-3.12.1_Details|More Practice Details...]]
Line 1,148: Line 1,120:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
: [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
: [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate  
: [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
identified vulnerabilities; and  
: [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
: [c] the plan of action is implemented to correct identified deficiencies and reduce or  
|-
eliminate identified vulnerabilities.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_CA.L2-3.12.2_Details|More Practice Details...]]
|[[Practice_CA.L2-3.12.2_Details|More Practice Details...]]
Line 1,162: Line 1,134:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] security controls are monitored on an ongoing basis to ensure the continued  
: [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
effectiveness of those controls.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_CA.L2-3.12.3_Details|More Practice Details...]]
|[[Practice_CA.L2-3.12.3_Details|More Practice Details...]]
Line 1,171: Line 1,144:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a system security plan is developed;
: [a] a system security plan is developed;
: [b] the system boundary is described and documented in the system security plan;
: [b] the system boundary is described and documented in the system security plan;
: [c] the system environment of operation is described and documented in the system  
: [c] the system environment of operation is described and documented in the system security plan;
security plan;
: [d] the security requirements identified and approved by the designated authority as non-applicable are identified;
: [d] the security requirements identified and approved by the designated authority as  
: [e] the method of security requirement implementation is described and documented in the system security plan;
non-applicable are identified;
: [f] the relationship with or connection to other systems is described and documented in the system security plan;
: [e] the method of security requirement implementation is described and documented in  
: [g] the frequency to update the system security plan is defined; and
the system security plan;
: [f] the relationship with or connection to other systems is described and documented in  
the system security plan;
: [g] the frequency to update the system security plan is defined; and  
: [h] system security plan is updated with the defined frequency.
: [h] system security plan is updated with the defined frequency.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''NA'''
|-
|-
|[[Practice_CA.L2-3.12.4_Details|More Practice Details...]]
|[[Practice_CA.L2-3.12.4_Details|More Practice Details...]]
Line 1,191: Line 1,162:


== System and Communications Protection (SC) ==
== System and Communications Protection (SC) ==
=== Level 1 SC Practices ===
==== SC.L1-3.13.1 – BOUNDARY PROTECTION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] the external system boundary is defined;
: [b] key internal system boundaries are defined;
: [c] communications are monitored at the external system boundary;
: [d] communications are monitored at key internal boundaries;
: [e] communications are controlled at the external system boundary;
: [f] communications are controlled at key internal boundaries;
: [g] communications are protected at the external system boundary; and
: [h] communications are protected at key internal boundaries.
|-
|[[Practice_SC.L1-3.13.1_Details|More Practice Details...]]
|}
==== SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] publicly accessible system components are identified; and
: [b] subnetworks for publicly accessible system components are physically or logically
separated from internal networks.
|-
|[[Practice_SC.L1-3.13.5_Details|More Practice Details...]]
|}
=== Level 2 SC Practices ===
=== Level 2 SC Practices ===
==== SC.L2-3.13.2 – SECURITY ENGINEERING ====
==== SC.L2-3.13.2 – SECURITY ENGINEERING ====
Line 1,231: Line 1,170:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] architectural designs that promote effective information security are identified;
: [a] architectural designs that promote effective information security are identified;
: [b] software development techniques that promote effective information security are  
: [b] software development techniques that promote effective information security are identified;
identified;
: [c] systems engineering principles that promote effective information security are identified;
: [c] systems engineering principles that promote effective information security are  
: [d] identified architectural designs that promote effective information security are employed;
identified;
: [e] identified software development techniques that promote effective information security are employed; and
: [d] identified architectural designs that promote effective information security are  
: [f] identified systems engineering principles that promote effective information security are employed.
employed;
|-
: [e] identified software development techniques that promote effective information  
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
security are employed; and  
: [f] identified systems engineering principles that promote effective information security  
are employed.
|-
|-
|[[Practice_SC.L2-3.13.2_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.2_Details|More Practice Details...]]
Line 1,252: Line 1,188:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] user functionality is identified;
: [a] user functionality is identified;
: [b] system management functionality is identified; and  
: [b] system management functionality is identified; and
: [c] user functionality is separated from system management functionality.
: [c] user functionality is separated from system management functionality.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.3_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.3_Details|More Practice Details...]]
Line 1,261: Line 1,199:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Prevent unauthorized and unintended information transfer via shared system resources.ASSESSMENT OBJECTIVES'''
Prevent unauthorized and unintended information transfer via shared system resources.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] unauthorized and unintended information transfer via shared system resources is  
: [a] unauthorized and unintended information transfer via shared system resources is  
prevented.
prevented.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.4_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.4_Details|More Practice Details...]]
Line 1,274: Line 1,216:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] network communications traffic is denied by default; and  
: [a] network communications traffic is denied by default; and
: [b] network communications traffic is allowed by exception.
: [b] network communications traffic is allowed by exception.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SC.L2-3.13.6_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.6_Details|More Practice Details...]]
Line 1,286: Line 1,230:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] remote devices are prevented from simultaneously establishing non-remote  
: [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
connections with the system and communicating via some other connection to  
|-
resources in external networks (i.e., split tunneling).
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.7_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.7_Details|More Practice Details...]]
Line 1,299: Line 1,243:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are  
: [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
identified;
: [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
: [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are  
: [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
identified; and  
|-
: [c] either cryptographic mechanisms or alternative physical safeguards are implemented  
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
to prevent unauthorized disclosure of CUI during transmission.
|-
|-
|[[Practice_SC.L2-3.13.8_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.8_Details|More Practice Details...]]
Line 1,315: Line 1,258:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] a period of inactivity to terminate network connections associated with  
: [a] a period of inactivity to terminate network connections associated with communications sessions is defined;
communications sessions is defined;
: [b] network connections associated with communications sessions are terminated at the end of the sessions; and
: [b] network connections associated with communications sessions are terminated at the  
: [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
end of the sessions; and  
|-
: [c] network connections associated with communications sessions are terminated after the  
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
defined period of inactivity.
|-
|-
|[[Practice_SC.L2-3.13.9_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.9_Details|More Practice Details...]]
Line 1,331: Line 1,273:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] cryptographic keys are established whenever cryptography is employed; and  
: [a] cryptographic keys are established whenever cryptography is employed; and
: [b] cryptographic keys are managed whenever cryptography is employed.
: [b] cryptographic keys are managed whenever cryptography is employed.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.10_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.10_Details|More Practice Details...]]
Line 1,340: Line 1,284:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.ASSESSMENT OBJECTIVES'''
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
: [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3 to 5'''
|-
|-
|[[Practice_SC.L2-3.13.11_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.11_Details|More Practice Details...]]
Line 1,355: Line 1,303:
: [b] collaborative computing devices provide indication to users of devices in use; and  
: [b] collaborative computing devices provide indication to users of devices in use; and  
: [c] remote activation of collaborative computing devices is prohibited.
: [c] remote activation of collaborative computing devices is prohibited.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.12_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.12_Details|More Practice Details...]]
Line 1,365: Line 1,315:
|-
|-
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] use of mobile code is controlled; and  
: [a] use of mobile code is controlled; and
: [b] use of mobile code is monitored.
: [b] use of mobile code is monitored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.13_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.13_Details|More Practice Details...]]
Line 1,374: Line 1,326:
{|class="wikitable"
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
|'''SECURITY REQUIREMENT'''
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.ASSESSMENT OBJECTIVES'''
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
: [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and  
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
: [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
: [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.14_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.14_Details|More Practice Details...]]
Line 1,388: Line 1,344:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the authenticity of communications sessions is protected.
: [a] the authenticity of communications sessions is protected.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SC.L2-3.13.15_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.15_Details|More Practice Details...]]
Line 1,399: Line 1,357:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the confidentiality of CUI at rest is protected.
: [a] the confidentiality of CUI at rest is protected.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''1'''
|-
|-
|[[Practice_SC.L2-3.13.16_Details|More Practice Details...]]
|[[Practice_SC.L2-3.13.16_Details|More Practice Details...]]
Line 1,404: Line 1,364:


== System and Information Integrity (SI) ==
== System and Information Integrity (SI) ==
=== Level 1 SI Practices ===
==== SI.L1-3.14.1 – FLAW REMEDIATION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Identify, report, and correct information and information system flaws in a timely manner.ASSESSMENT OBJECTIVES'''
: [a] the time within which to identify system flaws is specified;
: [b] system flaws are identified within the specified time frame;
: [c] the time within which to report system flaws is specified;
: [d] system flaws are reported within the specified time frame;
: [e] the time within which to correct system flaws is specified; and
: [f] system flaws are corrected within the specified time frame.
|-
|[[Practice_SI.L1-3.14.1_Details|More Practice Details...]]
|}
==== SI.L1-3.14.2 – MALICIOUS CODE PROTECTION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Provide protection from malicious code at appropriate locations within organizational information systems.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] designated locations for malicious code protection are identified; and
: [b] protection from malicious code at designated locations is provided.
|-
|[[Practice_SI.L1-3.14.2_Details|More Practice Details...]]
|}
==== SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Update malicious code protection mechanisms when new releases are available.ASSESSMENT OBJECTIVES'''
: [a] malicious code protection mechanisms are updated when new releases are available.
|-
|[[Practice_SI.L1-3.14.4_Details|More Practice Details...]]
|}
==== SI.L1-3.14.5 – SYSTEM & FILE SCANNING ====
{|class="wikitable"
|'''SECURITY REQUIREMENT'''
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
|-
|'''ASSESSMENT OBJECTIVES'''
: [a] the frequency for malicious code scans is defined;
: [b] malicious code scans are performed with the defined frequency; and
: [c] real-time malicious code scans of files from external sources as files are downloaded,
opened, or executed are performed.
|-
|[[Practice_SI.L1-3.14.5_Details|More Practice Details...]]
|}
=== Level 2 SI Practices ===
=== Level 2 SI Practices ===
==== SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES ====
==== SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES ====
Line 1,464: Line 1,374:
: [b] system security alerts and advisories are monitored; and  
: [b] system security alerts and advisories are monitored; and  
: [c] actions in response to system security alerts and advisories are taken.
: [c] actions in response to system security alerts and advisories are taken.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SI.L2-3.14.3_Details|More Practice Details...]]
|[[Practice_SI.L2-3.14.3_Details|More Practice Details...]]
Line 1,475: Line 1,387:
|'''ASSESSMENT OBJECTIVES'''
|'''ASSESSMENT OBJECTIVES'''
: [a] the system is monitored to detect attacks and indicators of potential attacks;
: [a] the system is monitored to detect attacks and indicators of potential attacks;
: [b] inbound communications traffic is monitored to detect attacks and indicators of  
: [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
potential attacks; and  
: [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
: [c] outbound communications traffic is monitored to detect attacks and indicators of  
|-
potential attacks.
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''5'''
|-
|-
|[[Practice_SI.L2-3.14.6_Details|More Practice Details...]]
|[[Practice_SI.L2-3.14.6_Details|More Practice Details...]]
Line 1,491: Line 1,403:
: [a] authorized use of the system is defined; and  
: [a] authorized use of the system is defined; and  
: [b] unauthorized use of the system is identified.
: [b] unauthorized use of the system is identified.
|-
|[[DoD_Assessment_Methodology|DoD Assessment Scoring Value]]: '''3'''
|-
|-
|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
|[[Practice_SI.L2-3.14.7_Details|More Practice Details...]]
|}
|}

Latest revision as of 23:34, 30 November 2022

Source of Reference: The official CMMC Level 2 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 2 AC Practices

AC.L2-3.1.3 – CONTROL CUI FLOW

SECURITY REQUIREMENT

Control the flow of CUI in accordance with approved authorizations.

ASSESSMENT OBJECTIVES
[a] information flow control policies are defined;
[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
[d] authorizations for controlling the flow of CUI are defined; and
[e] approved authorizations for controlling the flow of CUI are enforced.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.4 – SEPARATION OF DUTIES

SECURITY REQUIREMENT

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

ASSESSMENT OBJECTIVES
[a] the duties of individuals requiring separation are defined;
[b] responsibilities for duties that require separation are assigned to separate individuals; and
[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.5 – LEAST PRIVILEGE

SECURITY REQUIREMENT

Employ the principle of least privilege, including for specific security functions and privileged accounts.

ASSESSMENT OBJECTIVES
[a] privileged accounts are identified;
[b] access to privileged accounts is authorized in accordance with the principle of least privilege;
[c] security functions are identified; and
[d] access to security functions is authorized in accordance with the principle of least privilege.
DoD Assessment Scoring Value: 3
More Practice Details...

AC.L2-3.1.6 – NON-PRIVILEGED ACCOUNT USE

SECURITY REQUIREMENT

Use non-privileged accounts or roles when accessing nonsecurity functions.

ASSESSMENT OBJECTIVES
[a] nonsecurity functions are identified; and
[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.7 – PRIVILEGED FUNCTIONS

SECURITY REQUIREMENT

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

ASSESSMENT OBJECTIVES
[a] privileged functions are defined;
[b] non-privileged users are defined;
[c] non-privileged users are prevented from executing privileged functions; and
[d] the execution of privileged functions is captured in audit logs.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS

SECURITY REQUIREMENT

Limit unsuccessful logon attempts.

ASSESSMENT OBJECTIVES
[a] the means of limiting unsuccessful logon attempts is defined; and
[b] the defined means of limiting unsuccessful logon attempts is implemented.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES

SECURITY REQUIREMENT

Provide privacy and security notices consistent with applicable CUI rules.

ASSESSMENT OBJECTIVES
[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
[b] privacy and security notices are displayed.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.10 – SESSION LOCK

SECURITY REQUIREMENT

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

ASSESSMENT OBJECTIVES
[a] the period of inactivity after which the system initiates a session lock is defined;
[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.11 – SESSION TERMINATION

SECURITY REQUIREMENT

Terminate (automatically) a user session after a defined condition.

ASSESSMENT OBJECTIVES
[a] conditions requiring a user session to terminate are defined; and
[b] a user session is automatically terminated after any of the defined conditions
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.12 – CONTROL REMOTE ACCESS

SECURITY REQUIREMENT

Monitor and control remote access sessions.

ASSESSMENT OBJECTIVES
[a] remote access sessions are permitted;
[b] the types of permitted remote access are identified;
[c] remote access sessions are controlled; and
[d] remote access sessions are monitored.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY

SECURITY REQUIREMENT

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

ASSESSMENT OBJECTIVES
[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.14 – REMOTE ACCESS ROUTING

SECURITY REQUIREMENT

Route remote access via managed access control points.

ASSESSMENT OBJECTIVES
[a] managed access control points are identified and implemented; and
[b] remote access is routed through managed network access control points.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.15 – PRIVILEGED REMOTE ACCESS

SECURITY REQUIREMENT

Authorize remote execution of privileged commands and remote access to security-relevant information.

ASSESSMENT OBJECTIVES
[a] privileged commands authorized for remote execution are identified;
[b] security-relevant information authorized to be accessed remotely is identified;
[c] the execution of the identified privileged commands via remote access is authorized; and
[d] access to the identified security-relevant information via remote access is authorized.
DoD Assessment Scoring Value: 1
More Practice Details...

AC.L2-3.1.16 – WIRELESS ACCESS AUTHORIZATION

SECURITY REQUIREMENT

Authorize wireless access prior to allowing such connections.

ASSESSMENT OBJECTIVES
[a] wireless access points are identified; and
[b] wireless access is authorized prior to allowing such connections.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.17 – WIRELESS ACCESS PROTECTION

SECURITY REQUIREMENT

Protect wireless access using authentication and encryption.

ASSESSMENT OBJECTIVES
[a] wireless access to the system is protected using authentication; and
[b] wireless access to the system is protected using encryption.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.18 – MOBILE DEVICE CONNECTION

SECURITY REQUIREMENT

Control connection of mobile devices.

ASSESSMENT OBJECTIVES
[a] mobile devices that process, store, or transmit CUI are identified;
[b] mobile device connections are authorized; and
[c] mobile device connections are monitored and logged.
DoD Assessment Scoring Value: 5
More Practice Details...

AC.L2-3.1.19 – ENCRYPT CUI ON MOBILE

SECURITY REQUIREMENT

Encrypt CUI on mobile devices and mobile computing platforms.

ASSESSMENT OBJECTIVES
[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
DoD Assessment Scoring Value: 3
More Practice Details...

AC.L2-3.1.21 – PORTABLE STORAGE USE

SECURITY REQUIREMENT

Limit use of portable storage devices on external systems.

ASSESSMENT OBJECTIVES
[a] the use of portable storage devices containing CUI on external systems is identified and documented;
[b] limits on the use of portable storage devices containing CUI on external systems are defined; and
[c] the use of portable storage devices containing CUI on external systems is limited as defined.
DoD Assessment Scoring Value: 1
More Practice Details...

Awareness and Training (AT)

Level 2 AT Practices

AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS

SECURITY REQUIREMENT

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

ASSESSMENT OBJECTIVES
[a] security risks associated with organizational activities involving CUI are identified;
[b] policies, standards, and procedures related to the security of the system are identified;
[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
DoD Assessment Scoring Value: 5
More Practice Details...

AT.L2-3.2.2 – ROLE-BASED TRAINING

SECURITY REQUIREMENT

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-

ASSESSMENT OBJECTIVES
[a] information security-related duties, roles, and responsibilities are defined;
[b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
DoD Assessment Scoring Value: 5
More Practice Details...

AT.L2-3.2.3 – INSIDER THREAT AWARENESS

SECURITY REQUIREMENT

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

ASSESSMENT OBJECTIVES
[a] potential indicators associated with insider threats are identified; and
[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
DoD Assessment Scoring Value: 1
More Practice Details...

Audit and Accountability (AU)

Level 2 AU Practices

AU.L2-3.3.1 – SYSTEM AUDITING

SECURITY REQUIREMENT

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

ASSESSMENT OBJECTIVES
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
[c] audit records are created (generated);
[d] audit records, once created, contain the defined content;
[e] retention requirements for audit records are defined; and
[f] audit records are retained as defined.
DoD Assessment Scoring Value: 5
More Practice Details...

AU.L2-3.3.2 – USER ACCOUNTABILITY

SECURITY REQUIREMENT

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

ASSESSMENT OBJECTIVES
[a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
[b] audit records, once created, contain the defined content.
DoD Assessment Scoring Value: 3
More Practice Details...

AU.L2-3.3.3 – EVENT REVIEW

SECURITY REQUIREMENT

Review and update logged events.

ASSESSMENT OBJECTIVES
[a] a process for determining when to review logged events is defined;
[b] event types being logged are reviewed in accordance with the defined review process; and
[c] event types being logged are updated based on the review.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.4 – AUDIT FAILURE ALERTING

SECURITY REQUIREMENT

Alert in the event of an audit logging process failure.

ASSESSMENT OBJECTIVES
[a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
[b] types of audit logging process failures for which alert will be generated are defined; and
[c] identified personnel or roles are alerted in the event of an audit logging process failure.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.5 – AUDIT CORRELATION

SECURITY REQUIREMENT

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

ASSESSMENT OBJECTIVES
[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
[b] defined audit record review, analysis, and reporting processes are correlated.
DoD Assessment Scoring Value: 5
More Practice Details...

AU.L2-3.3.6 – REDUCTION & REPORTING

SECURITY REQUIREMENT

Provide audit record reduction and report generation to support on-demand analysis and reporting.

ASSESSMENT OBJECTIVES
[a] an audit record reduction capability that supports on-demand analysis is provided; and
[b] a report generation capability that supports on-demand reporting is provided.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE

SECURITY REQUIREMENT

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

ASSESSMENT OBJECTIVES
[a] internal system clocks are used to generate time stamps for audit records;
[b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
[c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.8 – AUDIT PROTECTION

SECURITY REQUIREMENT

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

ASSESSMENT OBJECTIVES
[a] audit information is protected from unauthorized access;
[b] audit information is protected from unauthorized modification;
[c] audit information is protected from unauthorized deletion;
[d] audit logging tools are protected from unauthorized access;
[e] audit logging tools are protected from unauthorized modification; and
[f] audit logging tools are protected from unauthorized deletion.
DoD Assessment Scoring Value: 1
More Practice Details...

AU.L2-3.3.9 – AUDIT MANAGEMENT

SECURITY REQUIREMENT

Limit management of audit logging functionality to a subset of privileged users.

ASSESSMENT OBJECTIVES
[a] a subset of privileged users granted access to manage audit logging functionality is defined; and
[b] management of audit logging functionality is limited to the defined subset of privileged users.
DoD Assessment Scoring Value: 1
More Practice Details...

Configuration Management (CM)

Level 2 CM Practices

CM.L2-3.4.1 – SYSTEM BASELINING

SECURITY REQUIREMENT

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

ASSESSMENT OBJECTIVES
[a] a baseline configuration is established;
[b] the baseline configuration includes hardware, software, firmware, and documentation;
[c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
[d] a system inventory is established;
[e] the system inventory includes hardware, software, firmware, and documentation; and
[f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT

SECURITY REQUIREMENT

Establish and enforce security configuration settings for information technology products employed in organizational systems.

ASSESSMENT OBJECTIVES
[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
[b] security configuration settings for information technology products employed in the system are enforced.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT

SECURITY REQUIREMENT

Track, review, approve or disapprove, and log changes to organizational systems.

ASSESSMENT OBJECTIVES
[a] changes to the system are tracked;
[b] changes to the system are reviewed;
[c] changes to the system are approved or disapproved; and
[d] changes to the system are logged.
DoD Assessment Scoring Value: 1
More Practice Details...

CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS

SECURITY REQUIREMENT

Analyze the security impact of changes prior to implementation.

ASSESSMENT OBJECTIVES
[a] the security impact of changes to the system is analyzed prior to implementation.
DoD Assessment Scoring Value: 1
More Practice Details...

CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE

SECURITY REQUIREMENT

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

ASSESSMENT OBJECTIVES
[a] physical access restrictions associated with changes to the system are defined;
[b] physical access restrictions associated with changes to the system are documented;
[c] physical access restrictions associated with changes to the system are approved;
[d] physical access restrictions associated with changes to the system are enforced;
[e] logical access restrictions associated with changes to the system are defined;
[f] logical access restrictions associated with changes to the system are documented;
[g] logical access restrictions associated with changes to the system are approved; and
[h] logical access restrictions associated with changes to the system are enforced.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.6 – LEAST FUNCTIONALITY

SECURITY REQUIREMENT

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

ASSESSMENT OBJECTIVES
[a] essential system capabilities are defined based on the principle of least functionality; and
[b] the system is configured to provide only the defined essential capabilities.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY

SECURITY REQUIREMENT

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

ASSESSMENT OBJECTIVES
[a] essential programs are defined;
[b] the use of nonessential programs is defined;
[c] the use of nonessential programs is restricted, disabled, or prevented as defined;
[d] essential functions are defined;
[e] the use of nonessential functions is defined;
[f] the use of nonessential functions is restricted, disabled, or prevented as defined;
[g] essential ports are defined;
[h] the use of nonessential ports is defined;
[i] the use of nonessential ports is restricted, disabled, or prevented as defined;
[j] essential protocols are defined;
[k] the use of nonessential protocols is defined;
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
[m] essential services are defined;
[n] the use of nonessential services is defined; and
[o] the use of nonessential services is restricted, disabled, or prevented as defined.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.8 – APPLICATION EXECUTION POLICY

SECURITY REQUIREMENT

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

ASSESSMENT OBJECTIVES
[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
DoD Assessment Scoring Value: 5
More Practice Details...

CM.L2-3.4.9 – USER-INSTALLED SOFTWARE

SECURITY REQUIREMENT

Control and monitor user-installed software.

ASSESSMENT OBJECTIVES
[a] a policy for controlling the installation of software by users is established;
[b] installation of software by users is controlled based on the established policy; and
[c] installation of software by users is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

Identification and Authentication (IA)

Level 2 IA Practices

IA.L2-3.5.3 – MULTIFACTOR AUTHENTICATION

SECURITY REQUIREMENT

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

ASSESSMENT OBJECTIVES
[a] privileged accounts are identified;
[b] multifactor authentication is implemented for local access to privileged accounts;
[c] multifactor authentication is implemented for network access to privileged accounts; and
[d] multifactor authentication is implemented for network access to non-privileged accounts.
DoD Assessment Scoring Value: 5
More Practice Details...

IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION

SECURITY REQUIREMENT

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

ASSESSMENT OBJECTIVES
[a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.5 – IDENTIFIER REUSE

SECURITY REQUIREMENT

Prevent reuse of identifiers for a defined period.

ASSESSMENT OBJECTIVES
[a] a period within which identifiers cannot be reused is defined; and
[b] reuse of identifiers is prevented within the defined period.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.6 – IDENTIFIER HANDLING

SECURITY REQUIREMENT

Disable identifiers after a defined period of inactivity.

ASSESSMENT OBJECTIVES
[a] a period of inactivity after which an identifier is disabled is defined; and
[b] identifiers are disabled after the defined period of inactivity.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.7 – PASSWORD COMPLEXITY

SECURITY REQUIREMENT

Enforce a minimum password complexity and change of characters when new passwords are created.

ASSESSMENT OBJECTIVES
[a] password complexity requirements are defined;
[b] password change of character requirements are defined;
[c] minimum password complexity requirements as defined are enforced when new passwords are created; and
[d] minimum password change of character requirements as defined are enforced when new passwords are created.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.8 – PASSWORD REUSE

SECURITY REQUIREMENT

Prohibit password reuse for a specified number of generations.

ASSESSMENT OBJECTIVES
[a] the number of generations during which a password cannot be reused is specified and [b] reuse of passwords is prohibited during the specified number of generations.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.9 – TEMPORARY PASSWORDS

SECURITY REQUIREMENT

Allow temporary password use for system logons with an immediate change to a permanent password.

ASSESSMENT OBJECTIVES
[a] an immediate change to a permanent password is required when a temporary password is used for system logon.
DoD Assessment Scoring Value: 1
More Practice Details...

IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS

SECURITY REQUIREMENT

Store and transmit only cryptographically-protected passwords.

ASSESSMENT OBJECTIVES
[a] passwords are cryptographically protected in storage; and
[b] passwords are cryptographically protected in transit.
DoD Assessment Scoring Value: 5
More Practice Details...

IA.L2-3.5.11 – OBSCURE FEEDBACK

SECURITY REQUIREMENT

Obscure feedback of authentication information.

ASSESSMENT OBJECTIVES
[a] authentication information is obscured during the authentication process.
DoD Assessment Scoring Value: 1
More Practice Details...

Incident Response (IR)

Level 2 IR Practices

IR.L2-3.6.1 – INCIDENT HANDLING

SECURITY REQUIREMENT

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

ASSESSMENT OBJECTIVES
[a] an operational incident-handling capability is established;
[b] the operational incident-handling capability includes preparation;
[c] the operational incident-handling capability includes detection;
[d] the operational incident-handling capability includes analysis;
[e] the operational incident-handling capability includes containment;
[f] the operational incident-handling capability includes recovery; and
[g] the operational incident-handling capability includes user response
DoD Assessment Scoring Value: 5
More Practice Details...

IR.L2-3.6.2 – INCIDENT REPORTING

SECURITY REQUIREMENT

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

ASSESSMENT OBJECTIVES
[a] incidents are tracked;
[b] incidents are documented;
[c] authorities to whom incidents are to be reported are identified;
[d] organizational officials to whom incidents are to be reported are identified;
[e] identified authorities are notified of incidents; and
[f] identified organizational officials are notified of incidents.
DoD Assessment Scoring Value: 5
More Practice Details...

IR.L2-3.6.3 – INCIDENT RESPONSE TESTING

SECURITY REQUIREMENT

Test the organizational incident response capability.

ASSESSMENT OBJECTIVES
[a] the incident response capability is tested.
DoD Assessment Scoring Value: 1
More Practice Details...

Maintenance (MA)

Level 2 MA Practices

MA.L2-3.7.1 – PERFORM MAINTENANCE

SECURITY REQUIREMENT

Perform maintenance on organizational systems.

ASSESSMENT OBJECTIVES
[a] system maintenance is performed.
DoD Assessment Scoring Value: 3
More Practice Details...

MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL

SECURITY REQUIREMENT

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

ASSESSMENT OBJECTIVES
[a] tools used to conduct system maintenance are controlled;
[b] techniques used to conduct system maintenance are controlled;
[c] mechanisms used to conduct system maintenance are controlled; and
[d] personnel used to conduct system maintenance are controlled.
DoD Assessment Scoring Value: 5
More Practice Details...

MA.L2-3.7.3 – EQUIPMENT SANITIZATION

SECURITY REQUIREMENT

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

ASSESSMENT OBJECTIVES
[a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
DoD Assessment Scoring Value: 1
More Practice Details...

MA.L2-3.7.4 – MEDIA INSPECTION

SECURITY REQUIREMENT

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

ASSESSMENT OBJECTIVES
[a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
DoD Assessment Scoring Value: 3
More Practice Details...

MA.L2-3.7.5 – NONLOCAL MAINTENANCE

SECURITY REQUIREMENT

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

ASSESSMENT OBJECTIVES
[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
DoD Assessment Scoring Value: 1
More Practice Details...

MA.L2-3.7.6 – MAINTENANCE PERSONNEL

SECURITY REQUIREMENT

Supervise the maintenance activities of maintenance personnel without required access authorization.

ASSESSMENT OBJECTIVES
[a] maintenance personnel without required access authorization are supervised during maintenance activities.
DoD Assessment Scoring Value: 1
More Practice Details...

Media Protection (MP)

Level 2 MP Practices

MP.L2-3.8.1 – MEDIA PROTECTION

SECURITY REQUIREMENT

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

ASSESSMENT OBJECTIVES
[a] paper media containing CUI is physically controlled;
[b] digital media containing CUI is physically controlled;
[c] paper media containing CUI is securely stored; and
[d] digital media containing CUI is securely stored.
DoD Assessment Scoring Value: 3
More Practice Details...

MP.L2-3.8.2 – MEDIA ACCESS

SECURITY REQUIREMENT

Limit access to CUI on system media to authorized users.

ASSESSMENT OBJECTIVES
[a] access to CUI on system media is limited to authorized users.
DoD Assessment Scoring Value: 3
More Practice Details...

MP.L2-3.8.4 – MEDIA MARKINGS

SECURITY REQUIREMENT

Mark media with necessary CUI markings and distribution limitations.

ASSESSMENT OBJECTIVES
[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.
DoD Assessment Scoring Value: 1
More Practice Details...

MP.L2-3.8.5 – MEDIA ACCOUNTABILITY

SECURITY REQUIREMENT

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

ASSESSMENT OBJECTIVES
[a] access to media containing CUI is controlled; and
[b] accountability for media containing CUI is maintained during transport outside of controlled areas.
DoD Assessment Scoring Value: 1
More Practice Details...

MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION

SECURITY REQUIREMENT

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

ASSESSMENT OBJECTIVES
[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
DoD Assessment Scoring Value: 1
More Practice Details...

MP.L2-3.8.7 – REMOVEABLE MEDIA

SECURITY REQUIREMENT

Control the use of removable media on system components.

ASSESSMENT OBJECTIVES
[a] the use of removable media on system components is controlled.
DoD Assessment Scoring Value: 5
More Practice Details...

MP.L2-3.8.8 – SHARED MEDIA

SECURITY REQUIREMENT

Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES

ASSESSMENT OBJECTIVES
[a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
DoD Assessment Scoring Value: 3
More Practice Details...

MP.L2-3.8.9 – PROTECT BACKUPS

SECURITY REQUIREMENT

Protect the confidentiality of backup CUI at storage locations.

ASSESSMENT OBJECTIVES
[a] the confidentiality of backup CUI is protected at storage locations.
DoD Assessment Scoring Value: 1
More Practice Details...

Personnel Security (PS)

Level 2 PS Practices

PS.L2-3.9.1 – SCREEN INDIVIDUALS

SECURITY REQUIREMENT

Screen individuals prior to authorizing access to organizational systems containing CUI.

ASSESSMENT OBJECTIVES
[a] individuals are screened prior to authorizing access to organizational systems containing CUI.
DoD Assessment Scoring Value: 3
More Practice Details...

PS.L2-3.9.2 – PERSONNEL ACTIONS

SECURITY REQUIREMENT

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

ASSESSMENT OBJECTIVES
[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
[c] the system is protected during and after personnel transfer actions.
DoD Assessment Scoring Value: 5
More Practice Details...

Physical Protection (PE)

Level 2 PE Practices

PE.L2-3.10.2 – MONITOR FACILITY

SECURITY REQUIREMENT

Protect and monitor the physical facility and support infrastructure for organizational systems.

ASSESSMENT OBJECTIVES
[a] the physical facility where organizational systems reside is protected;
[b] the support infrastructure for organizational systems is protected;
[c] the physical facility where organizational systems reside is monitored; and
[d] the support infrastructure for organizational systems is monitored.
DoD Assessment Scoring Value: 5
More Practice Details...

PE.L2-3.10.6 – ALTERNATIVE WORK SITES

SECURITY REQUIREMENT

Enforce safeguarding measures for CUI at alternate work sites.

ASSESSMENT OBJECTIVES
[a] safeguarding measures for CUI are defined for alternate work sites; and
[b] safeguarding measures for CUI are enforced for alternate work sites.
DoD Assessment Scoring Value: 1
More Practice Details...

Risk Assessment (RA)

Level 2 RA Practices

RA.L2-3.11.1 – RISK ASSESSMENTS

SECURITY REQUIREMENT

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

ASSESSMENT OBJECTIVES
[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
DoD Assessment Scoring Value: 3
More Practice Details...

RA.L2-3.11.2 – VULNERABILITY SCAN

SECURITY REQUIREMENT

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

ASSESSMENT OBJECTIVES
[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
[b] vulnerability scans are performed on organizational systems with the defined frequency;
[c] vulnerability scans are performed on applications with the defined frequency;
[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
[e] vulnerability scans are performed on applications when new vulnerabilities are

identified.

DoD Assessment Scoring Value: 5
More Practice Details...

RA.L2-3.11.3 – VULNERABILITY REMEDIATION

SECURITY REQUIREMENT

Remediate vulnerabilities in accordance with risk assessments.

ASSESSMENT OBJECTIVES
[a] vulnerabilities are identified; and
[b] vulnerabilities are remediated in accordance with risk assessments.
DoD Assessment Scoring Value: 1
More Practice Details...

Security Assessment (CA)

Level 2 CA Practices

CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT

SECURITY REQUIREMENT

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

ASSESSMENT OBJECTIVES
[a] the frequency of security control assessments is defined; and
[b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
DoD Assessment Scoring Value: 5
More Practice Details...

CA.L2-3.12.2 – PLAN OF ACTION

SECURITY REQUIREMENT

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

ASSESSMENT OBJECTIVES
[a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
[b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
[c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
DoD Assessment Scoring Value: 3
More Practice Details...

CA.L2-3.12.3 – SECURITY CONTROL MONITORING

SECURITY REQUIREMENT

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

ASSESSMENT OBJECTIVES
[a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
DoD Assessment Scoring Value: 5
More Practice Details...

CA.L2-3.12.4 – SYSTEM SECURITY PLAN

SECURITY REQUIREMENT

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

ASSESSMENT OBJECTIVES
[a] a system security plan is developed;
[b] the system boundary is described and documented in the system security plan;
[c] the system environment of operation is described and documented in the system security plan;
[d] the security requirements identified and approved by the designated authority as non-applicable are identified;
[e] the method of security requirement implementation is described and documented in the system security plan;
[f] the relationship with or connection to other systems is described and documented in the system security plan;
[g] the frequency to update the system security plan is defined; and
[h] system security plan is updated with the defined frequency.
DoD Assessment Scoring Value: NA
More Practice Details...

System and Communications Protection (SC)

Level 2 SC Practices

SC.L2-3.13.2 – SECURITY ENGINEERING

SECURITY REQUIREMENT

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

ASSESSMENT OBJECTIVES
[a] architectural designs that promote effective information security are identified;
[b] software development techniques that promote effective information security are identified;
[c] systems engineering principles that promote effective information security are identified;
[d] identified architectural designs that promote effective information security are employed;
[e] identified software development techniques that promote effective information security are employed; and
[f] identified systems engineering principles that promote effective information security are employed.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L2-3.13.3 – ROLE SEPARATION

SECURITY REQUIREMENT

Separate user functionality from system management functionality.

ASSESSMENT OBJECTIVES
[a] user functionality is identified;
[b] system management functionality is identified; and
[c] user functionality is separated from system management functionality.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.4 – SHARED RESOURCE CONTROL

SECURITY REQUIREMENT

Prevent unauthorized and unintended information transfer via shared system resources.

ASSESSMENT OBJECTIVES
[a] unauthorized and unintended information transfer via shared system resources is

prevented.

DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION

SECURITY REQUIREMENT

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

ASSESSMENT OBJECTIVES
[a] network communications traffic is denied by default; and
[b] network communications traffic is allowed by exception.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L2-3.13.7 – SPLIT TUNNELING

SECURITY REQUIREMENT

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

ASSESSMENT OBJECTIVES
[a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.8 – DATA IN TRANSIT

SECURITY REQUIREMENT

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

ASSESSMENT OBJECTIVES
[a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
[b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
[c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
DoD Assessment Scoring Value: 3
More Practice Details...

SC.L2-3.13.9 – CONNECTIONS TERMINATION

SECURITY REQUIREMENT

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

ASSESSMENT OBJECTIVES
[a] a period of inactivity to terminate network connections associated with communications sessions is defined;
[b] network connections associated with communications sessions are terminated at the end of the sessions; and
[c] network connections associated with communications sessions are terminated after the defined period of inactivity.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.10 – KEY MANAGEMENT

SECURITY REQUIREMENT

Establish and manage cryptographic keys for cryptography employed in organizational systems.

ASSESSMENT OBJECTIVES
[a] cryptographic keys are established whenever cryptography is employed; and
[b] cryptographic keys are managed whenever cryptography is employed.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.11 – CUI ENCRYPTION

SECURITY REQUIREMENT

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

ASSESSMENT OBJECTIVES
[a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
DoD Assessment Scoring Value: 3 to 5
More Practice Details...

SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL

SECURITY REQUIREMENT

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

ASSESSMENT OBJECTIVES
[a] collaborative computing devices are identified;
[b] collaborative computing devices provide indication to users of devices in use; and
[c] remote activation of collaborative computing devices is prohibited.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.13 – MOBILE CODE

SECURITY REQUIREMENT

Control and monitor the use of mobile code.

ASSESSMENT OBJECTIVES
[a] use of mobile code is controlled; and
[b] use of mobile code is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL

SECURITY REQUIREMENT

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

ASSESSMENT OBJECTIVES
[a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
[b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
DoD Assessment Scoring Value: 1
More Practice Details...

SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY

SECURITY REQUIREMENT

Protect the authenticity of communications sessions.

ASSESSMENT OBJECTIVES
[a] the authenticity of communications sessions is protected.
DoD Assessment Scoring Value: 5
More Practice Details...

SC.L2-3.13.16 – DATA AT REST

SECURITY REQUIREMENT

Protect the confidentiality of CUI at rest.

ASSESSMENT OBJECTIVES
[a] the confidentiality of CUI at rest is protected.
DoD Assessment Scoring Value: 1
More Practice Details...

System and Information Integrity (SI)

Level 2 SI Practices

SI.L2-3.14.3 – SECURITY ALERTS & ADVISORIES

SECURITY REQUIREMENT

Monitor system security alerts and advisories and take action in response.

ASSESSMENT OBJECTIVES
[a] response actions to system security alerts and advisories are identified;
[b] system security alerts and advisories are monitored; and
[c] actions in response to system security alerts and advisories are taken.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS

SECURITY REQUIREMENT

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

ASSESSMENT OBJECTIVES
[a] the system is monitored to detect attacks and indicators of potential attacks;
[b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
[c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
DoD Assessment Scoring Value: 5
More Practice Details...

SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE

SECURITY REQUIREMENT

Identify unauthorized use of organizational systems.

ASSESSMENT OBJECTIVES
[a] authorized use of the system is defined; and
[b] unauthorized use of the system is identified.
DoD Assessment Scoring Value: 3
More Practice Details...