CMMC – Preparation Gameplan


The CMMC model measures cybersecurity maturity with five levels. Each level builds upon the ones before it.

LEVEL 1: Safeguard Federal Contract Information (FCI)
LEVEL 2: Serve as a transition step to protect CUI
LEVEL 3: Protect Controlled Unclassified Information (CUI)
LEVEL 4/5: Protect CUI and reduce the risk of Advanced Persistent Threats (APT)

This page will outline the requirements in each level of the CMMC model.


LEVEL 1

3.1 ACCESS CONTROL (AC)

1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
[See Documentation]

2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
[See Documentation]

3 Verify and control/limit connections to and use of external information systems.
[See Documentation]

4 Control information posted or processed on publicly accessible information systems.
[See Documentation]

3.5 IDENTIFICATION AND AUTHENTICATION (IA)

1 Identify information system users, processes acting on behalf of users, or devices.
[See Documentation]

2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
[See Documentation]

3.8 MEDIA PROTECTION (MP)

1 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
[See Documentation]

3.10 PHYSICAL PROTECTION (PE)

1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
[See Documentation]

2 Escort visitors and monitor visitor activity.
[See Documentation]

3 Maintain audit logs of physical access.
[See Documentation]

4 Control and manage physical access devices.
[See Documentation]

3.13 SYSTEM AND COMMUNICATIONS PROTECTION (SC)

1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
[See Documentation]

2 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
[See Documentation]

3.14 SYSTEM AND INFORMATION INTEGRITY (SI)

1 Identify, report, and correct information and information system flaws in a timely manner.
[See Documentation]

2 Provide protection from malicious code at appropriate locations within organizational information systems.
[See Documentation]

3 Update malicious code protection mechanisms when new releases are available.
[See Documentation]

4 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
[See Documentation]


LEVEL 2

3.1 ACCESS CONTROL (AC)

1 Provide privacy and security notices consistent with applicable CUI rules.
[See Documentation]

2 Limit use of portable storage devices on external systems.
[See Documentation]

3 Employ the principle of least privilege, including for specific security functions and privileged accounts.
[See Documentation]

4 Use non-privileged accounts or roles when accessing non-security functions.
[See Documentation]

5 Limit unsuccessful logon attempts.
[See Documentation]

6 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
[See Documentation]

7 Authorize wireless access prior to allowing such connections.
[See Documentation]

8 Monitor and control remote access sessions.
[See Documentation]

9 Route remote access via managed access control points.
[See Documentation]

10 Control the flow of CUI in accordance with approved authorizations.
[See Documentation]

3.2 AWARENESS AND TRAINING (AT)

1 Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
[See Documentation]

2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
[See Documentation]

3.3 AUDIT AND ACCOUNTABILITY (AU)

1 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
[See Documentation]

2 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
[See Documentation]

3 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
[See Documentation]

4 Review audit logs.
[See Documentation]

3.4 CONFIGURATION MANAGEMENT (CM)

1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
[See Documentation]

2 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
[See Documentation]

3 Control and monitor user-installed software.
[See Documentation]

4 Establish and enforce security configuration settings for information technology products employed in organizational systems.
[See Documentation]

5 Track, review, approve or disapprove, and log changes to organizational systems.
[See Documentation]

6 Analyze the security impact of changes prior to implementation.
[See Documentation]

3.5 IDENTIFICATION AND AUTHENTICATION (IA)

1 Enforce a minimum password complexity and change of characters when new passwords are created.
[See Documentation]

2 Prohibit password reuse for a specified number of generations.
[See Documentation]

3 Allow temporary password use for system logons with an immediate change to a permanent password.
[See Documentation]

4 Store and transmit only cryptographically-protected passwords.
[See Documentation]

5 Obscure feedback of authentication information.
[See Documentation]

3.6 INCIDENT RESPONSE (IR)

1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
[See Documentation]

2 Detect and report events.
[See Documentation]

3 Analyze and triage events to support event resolution and incident declaration.
[See Documentation]

4 Develop and implement responses to declared incidents according to pre-defined procedures.
[See Documentation]

5 Perform root cause analysis on incidents to determine underlying causes.
[See Documentation]

3.7 MAINTENANCE (MA)

1 Perform maintenance on organizational systems.
[See Documentation]

2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
[See Documentation]

3 Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
[See Documentation]

4 Supervise the maintenance activities of personnel without required access authorization.
[See Documentation]

3.8 MEDIA PROTECTION (MP)

1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
[See Documentation]

2 Limit access to CUI on system media to authorized users.
[See Documentation]

3 Control the use of removable media on system components.
[See Documentation]

3.9 PERSONNEL SECURITY (PS)

1 Screen individuals prior to authorizing access to organizational systems containing CUI.
[See Documentation]

2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
[See Documentation]

3.10 PHYSICAL PROTECTION (PE)

1 Protect and monitor the physical facility and support infrastructure for organizational systems.
[See Documentation]

3.? RECOVERY (RE)

1 Regularly perform and test data backups.
[See Documentation]

2 Protect the confidentiality of backup CUI at storage locations.
[See Documentation]

3.11 RISK MANAGEMENT (RM)

1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
[See Documentation]

2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
[See Documentation]

3 Remediate vulnerabilities in accordance with risk assessments.
[See Documentation]

3.12 SECURITY ASSESSMENT (CA)

1 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
[See Documentation]

2 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
[See Documentation]

3 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
[See Documentation]

3.13 SYSTEM AND COMMUNICATIONS PROTECTION (SC)

1 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
[See Documentation]

2 Use encrypted sessions for the management of network devices.
[See Documentation]

3.14 SYSTEM AND INFORMATION INTEGRITY (SI)

1 Monitor system security alerts and advisories and take action in response.
[See Documentation]

2 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
[See Documentation]

3 Identify unauthorized use of organizational systems.
[See Documentation]


LEVEL 3


REFERENCES – All source materials for this overview are derived from the official CMMC Assessment Guides webpage (https://www.acq.osd.mil/cmmc/draft.html).