Model Overview

From CMMC Toolkit Wiki
Revision as of 21:58, 22 February 2022 by Wikiadmin (talk | contribs)
Jump to navigation Jump to search

Source of Reference: The official Model Overview from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

Access Control (AC)

Level 1 Level 2 Level 3 (TBD)
AC.L1-3.1.1

Authorized Access Control

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 Rev 2 3.1.1
AC.L2-3.1.3

Control CUI Flow

Control the flow of CUI in accordance with approved authorizations.

  • NIST SP 800-171 Rev 2 3.1.3
AC.L1-3.1.2

Transaction & Function Control

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

  • FAR Clause 52.204-21 b.1.ii
  • NIST SP 800-171 Rev 2 3.1.2
AC.L2-3.1.4

Separation of Duties

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

  • NIST SP 800-171 Rev 2 3.1.4
AC.L1-3.1.20

External Connections

Verify and control/limit connections to and use of external information systems.

  • FAR Clause 52.204-21 b.1.iii
  • NIST SP 800-171 Rev 2 3.1.20
AC.L2-3.1.5

Least Privilege

Employ the principle of least privilege, including for specific security functions and privileged accounts.

  • NIST SP 800-171 Rev 2 3.1.5
AC.L1-3.1.22

Control Public Information

Control information posted or processed on publicly accessible information systems.

  • FAR Clause 52.204-21 b.1.iv
  • NIST SP 800-171 Rev 2 3.1.22
AC.L2-3.1.6

Non-Privileged Account Use

Use non-privileged accounts or roles when accessing nonsecurity functions.

  • NIST SP 800-171 Rev 2 3.1.6
AC.L2-3.1.7

Privileged Functions

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

  • NIST SP 800-171 Rev 2 3.1.7
AC.L2-3.1.8

Unsuccessful Logon Attempts

Limit unsuccessful logon attempts.

  • NIST SP 800-171 Rev 2 3.1.8
AC.L2-3.1.9

Privacy & Security Notices

Provide privacy and security notices consistent with applicable CUI rules.

  • NIST SP 800-171 Rev 2 3.1.9
AC.L2-3.1.10

Session Lock

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

  • NIST SP 800-171 Rev 2 3.1.10
AC.L2-3.1.11

Session Termination

Terminate (automatically) a user session after a defined condition.

  • NIST SP 800-171 Rev 2 3.1.11
AC.L2-3.1.12

Control Remote Access

Monitor and control remote access sessions.

  • NIST SP 800-171 Rev 2 3.1.12
AC.L2-3.1.13

Remote Access Confidentiality

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • NIST SP 800-171 Rev 2 3.1.13
AC.L2-3.1.14

Remote Access Routing

Route remote access via managed access control points.

  • NIST SP 800-171 Rev 2 3.1.14
AC.L2-3.1.15

Privileged Remote Access

Authorize remote execution of privileged commands and remote access to security-relevant information.

  • NIST SP 800-171 Rev 2 3.1.15
AC.L2-3.1.16

Wireless Access Authorization

Authorize wireless access prior to allowing such connections.

  • NIST SP 800-171 Rev 2 3.1.16
AC.L2-3.1.17

Wireless Access Protection

Protect wireless access using authentication and encryption.

  • NIST SP 800-171 Rev 2 3.1.17
AC.L2-3.1.18

Mobile Device Connection

Control connection of mobile devices.

  • NIST SP 800-171 Rev 2 3.1.18
AC.L2-3.1.19

Encrypt CUI on Mobile

Encrypt CUI on mobile devices and mobile computing platforms.

  • NIST SP 800-171 Rev 2 3.1.19
AC.L2-3.1.21

Portable Storage Use Limit use of portable storage devices on external systems.

  • NIST SP 800-171 Rev 2 3.1.21