CMMC Level 2

Domain AC: Access Control

Identify and control who and what has access to your systems.

AC.1.001
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.1.002
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.1.003
Verify and control/limit connections to and use of external information systems.
AC.1.004
Control information posted or processed on publicly accessible information systems.
AC.2.005
Provide privacy and security notices consistent with applicable CUI rules.
AC.2.006
Limit use of portable storage devices on external systems.
AC.2.007
Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC.2.008
Use non-privileged accounts or roles when accessing nonsecurity functions.
AC.2.009
Limit unsuccessful logon attempts.
AC.2.010
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC.2.011
Authorize wireless access prior to allowing such connections.
AC.2.013
Monitor and control remote access sessions.
AC.2.015
Route remote access via managed access control points.
AC.2.016
Control the flow of CUI in accordance with approved authorizations.

Domain AT: Awareness and Training

Establish a program to continuously educate your staff, vendors, and contractors about how you safeguard your data, and the threats you face.

AT.2.056
Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
AT.2.057
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

Domain AU: Audit and Accountability

Practices and capabilities which relate to creating, storing, and reviewing audit trails of user and system activity.

AU.2.041
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU.2.042
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
AU.2.043
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
AU.2.044
Review audit logs.

Domain CA: Security Assessment

The organization will need to periodically conduct assessments and tests to ensure that practices are in place and working as expected.

CA.2.157
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
CA.2.158
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
CA.2.159
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Domain CM: Configuration Management

Implementing practices for creating standard configurations, approving changes, and monitoring for unapproved changes.

CM.2.061
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
CM.2.062
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
CM.2.063
Control and monitor user-installed software.
CM.2.064
Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.2.065
Track, review, approve, or disapprove, and log changes to organizational systems.
CM.2.066
Analyze the security impact of changes prior to implementation.

Domain IA: Identification and Authentication

Closely tied to Access Control, this Domain contains practices to ensure that only the person assigned to a user account is the one using it.

IA.1.076
Identify information system users, processes acting on behalf of users, or devices.
IA.1.077
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
IA.2.078
Enforce a minimum password complexity and change of characters when new passwords are created.
IA.2.079
Prohibit password reuse for a specified number of generations.
IA.2.080
Allow temporary password use for system logons with an immediate change to a permanent password.
IA.2.081
Store and transmit only cryptographically-protected passwords.
IA.2.082
Obscure feedback of authentication information.

Domain IR: Incident Response

Develop a plan to prepare for a security incident before it occurs.

IR.2.092
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.2.093
Detect and report events.
IR.2.094
Analyze and triage events to support event resolution and incident declaration.
IR.2.096
Develop and implement responses to declared incidents according to predefined procedures.
IR.2.097
Perform root cause analysis on incidents to determine underlying causes.

Domain MA: Maintenance

100% of computer systems will fail, eventually. These practices define a strategy to limit the opportunities that may expose critical data and services to intentional or unintentional misconfiguration, malicious code, and outages.

MA.2.111
Perform maintenance on organizational systems.
MA.2.112
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
MA.2.113
Require multifactor authentication to establish non-local maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
MA.2.114
Supervise the maintenance activities of personnel without required access authorization.

Domain MP: Media Protection

Safeguard data stored on removable media, such as a USB drive, or even on paper.

MP.1.118
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
MP.2.119
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
MP.2.120
Limit access to CUI on system media to authorized users.
MP.2.121
Control the use of removable media on system components.

Domain PE: Physical Protection

You must protect physical access to your facility and data, as a breach of physical security can be used to quickly override logical security practices.

PE.1.131
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
PE.1.132
Escort visitors and monitor visitor activity.
PE.1.133
Maintain audit logs of physical access.
PE.1.134
Control and manage physical access devices.
PE.2.135
Protect and monitor the physical facility and support infrastructure for organizational systems.

Domain PS: Personnel Security

Practices for screening individuals before allowing access to systems, and protecting those systems when an individual is terminated or transferred.

PS.2.127
Screen individuals prior to authorizing access to organizational systems containing CUI.
PS.2.128
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Domain RE: Recovery

Practices to securely back up and protect your data.

RE.2.137
Regularly perform and test data backups.
RE.2.138
Protect the confidentiality of backup CUI at storage locations.

Domain RM: Risk Management

Create practices to monitor, manage, and remediate risks to your systems and data.

RM.2.141
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
RM.2.142
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
RM.2.143
Remediate vulnerabilities in accordance with risk assessments.

Domain SC: Systems and Communications Protection

Secure your network boundaries and communications.

SC.1.175
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.
SC.1.176
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SC.2.178
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
SC.2.179
Use encrypted sessions for the management of network devices.

Domain SI: System and Information Integrity

Protect your network from malicious code execution by applying security patches in a timely manner and using anti-malware software.

SI.1.210
Identify, report, and correct information system flaws in a timely manner.
SI.1.211
Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212
Update malicious code protection mechanisms when new releases are available.
SI.1.213
Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
SI.2.214
Monitor system security alerts and advisories and take action in response.
SI.2.216
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
SI.2.217
Identify unauthorized use of organizational systems.

No practices required for the following domains at CMMC Level 2

  • Domain AM Asset Management

  • Domain SA Situational Awareness