Intermediate cyber hygiene
CMMC Level 2 adds a further 55 security controls practices to those of level 1 (17). Increasing the total number of controls under evaluation, to 72 (17+55) controls. Level 2 includes the 17 controls identified at level 1, 48 additional practices from NIST 800-171 r1 (now r2) and a further 7 controls from other sources. Level 2 compliance requires an organization to both demonstrate Level 1 practice compliance (control procedures are performed across all 72 controls) and demonstrate Level 2 process compliance demonstrating practices are documented in policies and procedures to guide the implementation of Level 2.
By demonstrating that Level 2 control procedures are being performed and are documented the organization will develop its cyber security maturity, for the protection of Federal Contract Information (FCI).
| Processes: Documented | Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented. |
| Practices: Intermediate cyber hygiene | Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 [4] as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices reference the protection of CUI. |
CMMC Level 2 consist of 15 security domains addressing 28 capabilities with additional 55 security controls.
| Domain | Capability | Control | Control description |
| Access Control (AC) | C001 Establish system access requirements | AC.2.005 | Provide privacy and security notices consistent with applicable Controlled Unclassified Information (CUI) rules. |
| AC.2.006 | Limit use of portable storage devices on external systems. | ||
| C002 Control internal system access | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | |
| AC.2.008 | Use non-privileged accounts or roles when accessing non-security functions. | ||
| AC.2.009 | Limit unsuccessful logon attempts. | ||
| AC.2.010 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | ||
| AC.2.011 | Authorize wireless access prior to allowing such connections. | ||
| C003 Control remote system access | AC.2.013 | Monitor and control remote access sessions. | |
| AC.2.015 | Route remote access via managed access control points. | ||
| AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | ||
| Audit & Accountability (AU) | C007 Define audit requirements | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. |
| C008 Perform auditing | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity. | |
| AU.2.043 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | ||
| C010 Review and manage audit logs | AU.2.044 | Review audit logs. | |
| Awareness & Training (AT) | C011 Conduct security awareness activities | AT.2.056 | Ensure that managers, system administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems. |
| C012 Conduct training | AT.2.057 | Ensure that personnel are trained to carry out their assigned information security- related duties and responsibilities. | |
| Configuration Management (CM) | C013 Establish configuration baselines | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles. |
| CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | ||
| CM.2.063 | Control and monitor user-installed software. | ||
| C014 Perform configuration and change management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | |
| CM.2.065 | Track, review, approve or disapprove and log changes to organizational systems. | ||
| CM.2.066 | Analyze the security impact of changes prior to implementation. | ||
| Identification & Authentication (IA) | C015 Grant access to authenticated entities | IA.2.078 | Enforce a minimum password complexity and change of characters when new passwords are created. |
| IA.2.079 | Prohibit password reuse for a specified number of generations. | ||
| IA.2.080 | Allow temporary password use for system logons with an immediate change to a permanent password. | ||
| IA.2.081 | Store and transmit only cryptographically- protected passwords. | ||
| IA.2.082 | Obscure feedback of authentication information. | ||
| Incident Response (IR) | C016 Plan incident response | IR.2.092 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities. |
| C017 Detect and report events | IR.2.093 | Detect and report events. | |
| IR.2.094 | Analyze and triage events to support event resolution and incident declaration. | ||
| C018 Develop and implement a response to a declared incident | IR.2.095 | Develop and implement responses to declared incidents according to pre- defined procedures. | |
| C019 Perform post incident reviews |
IR.2.097 | Perform root cause analysis on incidents to determine underlying causes. | |
| Maintenance (MA) | C021 Manage maintenance |
MA.2.111 | Perform maintenance on organizational systems. |
| MA.2.112 | Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance. | ||
| MA.2.113 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | ||
| MA.2.114 | Supervise the maintenance activities of personnel without required access authorization. | ||
| Media Protection (MP) | C023 Protect and control media | MP.2.119 | Protect (e.g., physically control and securely store) system media containing Federal Contract Information, both paper and digital. |
| MP.2.120 | Limit access to CUI on system media to authorized users. | ||
| MP.2.121 | Control the use of removable media on system components. | ||
| Personnel Security (PS) | C026 Screen personnel | PS.2.127 | Screen individuals prior to authorizing access to organizational systems containing CUI. |
| C027 Protect federal contract information during personnel actions | PS.2.128 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | |
| Physical Protection (PE) | C028 Limit physical access | PE.2.135 | Protect and monitor the physical facility and support infrastructure for organizational systems. |
| Recovery (RE) | C029 Manage back-ups | RE.2.137 | Regularly perform and test data back-ups. |
| RE.2.138 | Protect the confidentiality of backup CUI at storage locations. | ||
| Risk Management (RM) | C031 Identify and evaluate risk | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI. |
| RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | ||
| C032 Manage risk | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | |
| Security Assessment (CA) | C034 Develop and manage a system security plan | CA.2.157 | Develop, document and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems. |
| C035 Define and manage controls | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | |
| CA.2.159 | Develop and implement plans of action (e.g., POA&M) designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | ||
| System & Communications Protection (SC) | C038 Define security requirements for systems and communications | SC.2.178 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. |
| SC.2.179 | Use encrypted sessions for the management of network devices. | ||
| System & Information Integrity (SI) | CO40 Identify and manage information system flaws | SI.2.214 | Monitor system security alerts and advisories and take action in response. |
| C042 Perform network and system monitoring | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | |
| SI.2.217 | Identify unauthorized use of organizational systems. |
Table: CMMC Maturity Level 2 domains, capabilities and security controls
Recent Comments