Model Overview: Difference between revisions
Revision as of 21:58, 22 February 2022
Source of Reference: The official Model Overview (https://www.acq.osd.mil/cmmc/documentation.html) from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us at support@cmmctoolkit.org. Thank you.

Access Control (AC)

Each cell gives the CMMC practice identifier, its short name, the practice statement, and the source requirement it maps to: NIST SP 800-171 Rev 2 for every practice and, for the Level 1 practices, the corresponding paragraph of the FAR 52.204-21 basic safeguarding clause. The Level 3 column is marked TBD because no Level 3 practices were listed at this revision.

| Level 1 | Level 2 | Level 3 (TBD) |
|---|---|---|
| AC.L1-3.1.1 Authorized Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (FAR Clause 52.204-21 b.1.i; NIST SP 800-171 Rev 2 3.1.1) | AC.L2-3.1.3 Control CUI Flow: Control the flow of CUI in accordance with approved authorizations. (NIST SP 800-171 Rev 2 3.1.3) | |
| AC.L1-3.1.2 Transaction & Function Control: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (FAR Clause 52.204-21 b.1.ii; NIST SP 800-171 Rev 2 3.1.2) | AC.L2-3.1.4 Separation of Duties: Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (NIST SP 800-171 Rev 2 3.1.4) | |
| AC.L1-3.1.20 External Connections: Verify and control/limit connections to and use of external information systems. (FAR Clause 52.204-21 b.1.iii; NIST SP 800-171 Rev 2 3.1.20) | AC.L2-3.1.5 Least Privilege: Employ the principle of least privilege, including for specific security functions and privileged accounts. (NIST SP 800-171 Rev 2 3.1.5) | |
| AC.L1-3.1.22 Control Public Information: Control information posted or processed on publicly accessible information systems. (FAR Clause 52.204-21 b.1.iv; NIST SP 800-171 Rev 2 3.1.22) | AC.L2-3.1.6 Non-Privileged Account Use: Use non-privileged accounts or roles when accessing nonsecurity functions. (NIST SP 800-171 Rev 2 3.1.6) | |
| | AC.L2-3.1.7 Privileged Functions: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. (NIST SP 800-171 Rev 2 3.1.7) | |
| | AC.L2-3.1.8 Unsuccessful Logon Attempts: Limit unsuccessful logon attempts. (NIST SP 800-171 Rev 2 3.1.8) | |
| | AC.L2-3.1.9 Privacy & Security Notices: Provide privacy and security notices consistent with applicable CUI rules. (NIST SP 800-171 Rev 2 3.1.9) | |
| | AC.L2-3.1.10 Session Lock: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. (NIST SP 800-171 Rev 2 3.1.10) | |
| | AC.L2-3.1.11 Session Termination: Terminate (automatically) a user session after a defined condition. (NIST SP 800-171 Rev 2 3.1.11) | |
| | AC.L2-3.1.12 Control Remote Access: Monitor and control remote access sessions. (NIST SP 800-171 Rev 2 3.1.12) | |
| | AC.L2-3.1.13 Remote Access Confidentiality: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. (NIST SP 800-171 Rev 2 3.1.13) | |
| | AC.L2-3.1.14 Remote Access Routing: Route remote access via managed access control points. (NIST SP 800-171 Rev 2 3.1.14) | |
| | AC.L2-3.1.15 Privileged Remote Access: Authorize remote execution of privileged commands and remote access to security-relevant information. (NIST SP 800-171 Rev 2 3.1.15) | |
| | AC.L2-3.1.16 Wireless Access Authorization: Authorize wireless access prior to allowing such connections. (NIST SP 800-171 Rev 2 3.1.16) | |
| | AC.L2-3.1.17 Wireless Access Protection: Protect wireless access using authentication and encryption. (NIST SP 800-171 Rev 2 3.1.17) | |
| | AC.L2-3.1.18 Mobile Device Connection: Control connection of mobile devices. (NIST SP 800-171 Rev 2 3.1.18) | |
| | AC.L2-3.1.19 Encrypt CUI on Mobile: Encrypt CUI on mobile devices and mobile computing platforms. (NIST SP 800-171 Rev 2 3.1.19) | |
| | AC.L2-3.1.21 Portable Storage Use: Limit use of portable storage devices on external systems. (NIST SP 800-171 Rev 2 3.1.21) | |