CMMC Level 1 vs NIST Controls

| NIST 800-171 Control ID | Control Name | Family/Domain | Family/Domain Shortened | CMMC Practice ID | Evidence Examples | Personnel Interviewed | Auditor Testing |
|---|---|---|---|---|---|---|---|
| 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Access Control | AC | AC.L1-3.1.1 | Access control policy; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; notifications or records of recently transferred, separated, or terminated employees; list of conditions for group and role membership; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring records; system audit logs and records; list of devices and systems authorized to connect to organizational systems | Personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities | Organizational processes for managing system accounts; mechanisms for implementing account management |
| 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Access Control | AC | AC.L1-3.1.2 | Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation | Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers | Mechanisms implementing access control policy |
| 3.1.10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | Access Control | AC | AC.L1-3.1.10 | Access control policy; procedures addressing session lock; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; system security plan | System or network administrators; personnel with information security responsibilities; system developers | Mechanisms implementing access control policy for session lock |
| 3.1.20 | Verify and control/limit connections to and use of external systems. | Access Control | AC | AC.L1-3.1.20 | Access control policy; procedures addressing the use of external systems; terms and conditions for external systems; system security plan; list of applications accessible from external systems; system configuration settings and associated documentation; system connection or processing agreements; account management documents | Personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system or network administrators; personnel with information security responsibilities | Mechanisms implementing terms and conditions on use of external systems |
| 3.1.22 | Control CUI posted or processed on publicly accessible systems. | Access Control | AC | AC.L1-3.1.22 | Access control policy; procedures addressing publicly accessible content; system security plan; list of users authorized to post publicly accessible content on organizational systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs and records; security awareness training records | Personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities | Mechanisms implementing management of publicly accessible content |
| 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | Identification and Authorization | IA | IA.L1-3.5.1 | Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts | Personnel with system operations responsibilities; personnel with information security responsibilities; system or network administrators; personnel with account management responsibilities; system developers | Organizational processes for uniquely identifying and authenticating users; mechanisms supporting or implementing identification and authentication capability |
| 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | Identification and Authorization | IA | IA.L1-3.5.2 | Identification and authentication policy; system security plan; procedures addressing authenticator management; procedures addressing user identification and authentication; system design documentation; list of system authenticator types; system configuration settings and associated documentation; change control records associated with managing system authenticators; system audit logs and records | Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators | Mechanisms supporting or implementing authenticator management capability |
| 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse. | Media Protection | MP | MP.L1-3.8.3 | System media protection policy; procedures addressing media sanitization and disposal; applicable standards and policies addressing media sanitization; system security plan; media sanitization records; system audit logs and records; system design documentation; system configuration settings and associated documentation | Personnel with media sanitization responsibilities; personnel with information security responsibilities; system or network administrators | Organizational processes for media sanitization; mechanisms supporting or implementing media sanitization |
| 3.10.1 | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. | Physical Protection | PE | PE.L1-3.10.1 | Physical and environmental protection policy; procedures addressing physical access authorizations; system security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation | Personnel with physical access authorization responsibilities; personnel with physical access to system facility; personnel with information security responsibilities | Organizational processes for physical access authorizations; mechanisms supporting or implementing physical access authorizations |
| 3.10.3 | Escort visitors and monitor visitor activity. | Physical Protection | PE | PE.L1-3.10.3 | Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility | Personnel with physical access control responsibilities; personnel with information security responsibilities | Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices |
| 3.10.4 | Maintain audit logs of physical access. | Physical Protection | PE | PE.L1-3.10.4 | Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility | Personnel with physical access control responsibilities; personnel with information security responsibilities | Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices |
| 3.10.5 | Control and manage physical access devices. | Physical Protection | PE | PE.L1-3.10.5 | Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility | Personnel with physical access control responsibilities; personnel with information security responsibilities | Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices |
| 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | System and Communications Protection | SC | SC.L1-3.13.1 | System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; enterprise security architecture documentation; system audit logs and records; system configuration settings and associated documentation | System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities | Mechanisms implementing boundary protection capability |
| 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | System and Communications Protection | SC | SC.L1-3.13.5 | System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; enterprise security architecture documentation; system audit logs and records | System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities | Mechanisms implementing boundary protection capability |
| 3.14.2 | Provide protection from malicious code at designated locations within organizational systems. | System and Information Integrity | SI | SI.L1-3.14.2 | System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; records of malicious code protection updates; malicious code protection mechanisms; system security plan; system configuration settings and associated documentation; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; scan results from malicious code protection mechanisms; system design documentation; system audit logs and records | System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility | Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting or implementing malicious code scanning and subsequent actions |
| 3.14.4 | Update malicious code protection mechanisms when new releases are available. | System and Information Integrity | SI | SI.L1-3.14.4 | System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records | System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility | Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions |
| 3.14.5 | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | System and Information Integrity | SI | SI.L1-3.14.5 | System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records | System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility | Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions |