CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) framework is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handled by contractors in the defense industrial base. CMMC 2.0 streamlined the original five-level model to three levels: Level 1 (Foundational) covers the basic safeguarding requirements of FAR 52.204-21 for FCI, Level 2 (Advanced) aligns with the 110 security requirements of NIST SP 800-171 for CUI, and Level 3 (Expert) adds a subset of the enhanced requirements in NIST SP 800-172.
| Field | Value |
|---|---|
| Issuing Body | U.S. Department of Defense (DoD) |
| Version | 2.0 |
| Published | 2021-11-04 |
| Controls | 26 (listed below) |
| Mapped Laws | — |
The numeric suffix of each control ID (for example 3.1.1) is the number of the corresponding NIST SP 800-171 requirement, and the two-letter prefix is the CMMC domain.

| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| CMMC-AC.L2-3.1.1 | Authorized Access Control | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Access Control (AC) | managed |
| CMMC-AC.L2-3.1.2 | Transaction and Function Control | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Access Control (AC) | managed |
| CMMC-AC.L2-3.1.3 | Control CUI Flow | Control the flow of CUI in accordance with approved authorizations. | Access Control (AC) | managed |
| CMMC-AC.L2-3.1.5 | Least Privilege | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Access Control (AC) | managed |
| CMMC-AC.L2-3.1.6 | Non-Privileged Account Use | Use non-privileged accounts or roles when accessing non-security functions. | Access Control (AC) | managed |
| CMMC-AC.L2-3.1.12 | Remote Access Control | Monitor and control remote access sessions. | Access Control (AC) | managed |
| CMMC-AC.L2-3.1.13 | Remote Access Encryption | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Access Control (AC) | managed |
| CMMC-AU.L2-3.3.1 | System Auditing | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit and Accountability (AU) | managed |
| CMMC-AU.L2-3.3.2 | User Accountability | Ensure that the actions of individual system users can be traced to those users so they can be held accountable for their actions. | Audit and Accountability (AU) | managed |
| CMMC-CM.L2-3.4.1 | System Baselining | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Configuration Management (CM) | managed |
| CMMC-CM.L2-3.4.2 | Security Configuration Enforcement | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Configuration Management (CM) | managed |
| CMMC-IA.L2-3.5.3 | Multi-Factor Authentication | Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Identification and Authentication (IA) | managed |
| CMMC-IR.L2-3.6.1 | Incident Handling | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Incident Response (IR) | managed |
| CMMC-IR.L2-3.6.2 | Incident Reporting | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | Incident Response (IR) | managed |
| CMMC-MA.L2-3.7.1 | Managed Maintenance | Perform maintenance on organizational systems. | Maintenance (MA) | defined |
| CMMC-MP.L2-3.8.1 | Media Protection | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | Media Protection (MP) | managed |
| CMMC-PS.L2-3.9.2 | Personnel Termination | Ensure that CUI and organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | Personnel Security (PS) | defined |
| CMMC-PE.L1-3.10.1 | Physical Access Authorization | Limit physical access to organizational systems to authorized individuals. | Physical Protection (PE) | managed |
| CMMC-RA.L2-3.11.1 | Risk Assessment | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Risk Assessment (RA) | managed |
| CMMC-CA.L2-3.12.1 | Security Assessment | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Security Assessment (CA) | managed |
| CMMC-SC.L2-3.13.1 | Boundary Protection | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | System and Communications Protection (SC) | managed |
| CMMC-SC.L2-3.13.5 | Public-Access System Separation | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | System and Communications Protection (SC) | managed |
| CMMC-SC.L2-3.13.8 | Transmission Confidentiality | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | System and Communications Protection (SC) | managed |
| CMMC-SI.L2-3.14.1 | Flaw Remediation | Identify, report, and correct information and information system flaws in a timely manner. | System and Information Integrity (SI) | managed |
| CMMC-SI.L2-3.14.2 | Malicious Code Protection | Provide protection from malicious code at appropriate locations within organizational systems. | System and Information Integrity (SI) | managed |
| CMMC-SI.L2-3.14.6 | Security Alerts | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | System and Information Integrity (SI) | managed |