CMMC Level 1
Columns: CMMC ID | CMMC Family/Domain | CMMC Control | FedRAMP/NIST 800-53 Control IDs | Example FedRAMP Control 1 | Example FedRAMP Control 2

CMMC ID: AC.L1-3.1.1
CMMC Family/Domain: Access Control
CMMC Control: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
FedRAMP/NIST 800-53 Control IDs: AC-2, AC-3, AC-17
Example FedRAMP Control 1: AC-3 ACCESS ENFORCEMENT
  Control: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Example FedRAMP Control 2: AC-17 REMOTE ACCESS
  Control:
  a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  b. Authorize each type of remote access to the system prior to allowing such connections.

CMMC ID: AC.L1-3.1.2
CMMC Family/Domain: Access Control
CMMC Control: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
FedRAMP/NIST 800-53 Control IDs: AC-2, AC-3, AC-17
Example FedRAMP Control 1: AC-3 ACCESS ENFORCEMENT
  Control: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Example FedRAMP Control 2: AC-17 REMOTE ACCESS
  Control:
  a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  b. Authorize each type of remote access to the system prior to allowing such connections.

CMMC ID: AC.L1-3.1.10
CMMC Family/Domain: Access Control
CMMC Control: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
FedRAMP/NIST 800-53 Control IDs: AC-11, AC-11(1)
Example FedRAMP Control 1: AC-11 DEVICE LOCK
  Control:
  a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and
  b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
Example FedRAMP Control 2: AC-11(1) DEVICE LOCK
  Control: Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

CMMC ID: AC.L1-3.1.20
CMMC Family/Domain: Access Control
CMMC Control: Verify and control/limit connections to and use of external systems.
FedRAMP/NIST 800-53 Control IDs: AC-20, AC-20(1)
Example FedRAMP Control 1: AC-20 USE OF EXTERNAL SYSTEMS
  Control:
  a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
     1. Access the system from external systems; and
     2. Process, store, or transmit organization-controlled information using external systems; or
  b. Prohibit the use of [Assignment: organizationally-defined types of external systems].
Example FedRAMP Control 2: AC-20(1) USE OF EXTERNAL SYSTEMS
  Control: Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
  (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
  (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

CMMC ID: AC.L1-3.1.22
CMMC Family/Domain: Access Control
CMMC Control: Control CUI posted or processed on publicly accessible systems.
FedRAMP/NIST 800-53 Control IDs: AC-22
Example FedRAMP Control 1: AC-22 PUBLICLY ACCESSIBLE CONTENT
  Control:
  a. Designate individuals authorized to make information publicly accessible;
  b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
  c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
  d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.
Example FedRAMP Control 2: (none)

CMMC ID: IA.L1-3.5.1
CMMC Family/Domain: Identification and Authentication
CMMC Control: Identify system users, processes acting on behalf of users, and devices.
FedRAMP/NIST 800-53 Control IDs: IA-2, IA-3, IA-5
Example FedRAMP Control 1: IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
  Control: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Example FedRAMP Control 2: IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
  Control: Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

CMMC ID: IA.L1-3.5.2
CMMC Family/Domain: Identification and Authentication
CMMC Control: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
FedRAMP/NIST 800-53 Control IDs: IA-2, IA-3, IA-5
Example FedRAMP Control 1: IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
  Control: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Example FedRAMP Control 2: IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
  Control: Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

CMMC ID: MP.L1-3.8.3
CMMC Family/Domain: Media Protection
CMMC Control: Sanitize or destroy system media containing CUI before disposal or release for reuse.
FedRAMP/NIST 800-53 Control IDs: MP-2, MP-4, MP-6
Example FedRAMP Control 1: MP-2 MEDIA ACCESS
  Control: Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
Example FedRAMP Control 2: MP-4 MEDIA STORAGE
  Control:
  a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
  b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

CMMC ID: PE.L1-3.10.1
CMMC Family/Domain: Physical Protection
CMMC Control: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
FedRAMP/NIST 800-53 Control IDs: PE-2, PE-4, PE-5, PE-6
Example FedRAMP Control 1: PE-2 PHYSICAL ACCESS AUTHORIZATIONS
  Control:
  a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
  b. Issue authorization credentials for facility access;
  c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
  d. Remove individuals from the facility access list when access is no longer required.
Example FedRAMP Control 2: PE-4 ACCESS CONTROL FOR TRANSMISSION
  Control: Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls].

CMMC ID: PE.L1-3.10.3
CMMC Family/Domain: Physical Protection
CMMC Control: Escort visitors and monitor visitor activity.
FedRAMP/NIST 800-53 Control IDs: PE-3
Example FedRAMP Control 1: PE-3 PHYSICAL ACCESS CONTROL
  Control:
  a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
     1. Verifying individual access authorizations before granting access to the facility; and
     2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems or devices]; guards];
  b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
  c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
  d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
  e. Secure keys, combinations, and other physical access devices;
  f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Example FedRAMP Control 2: (none)

CMMC ID: PE.L1-3.10.4
CMMC Family/Domain: Physical Protection
CMMC Control: Maintain audit logs of physical access.
FedRAMP/NIST 800-53 Control IDs: PE-3
Example FedRAMP Control 1: PE-3 PHYSICAL ACCESS CONTROL (control text identical to the PE-3 entry under PE.L1-3.10.3 above)
Example FedRAMP Control 2: (none)

CMMC ID: PE.L1-3.10.5
CMMC Family/Domain: Physical Protection
CMMC Control: Control and manage physical access devices.
FedRAMP/NIST 800-53 Control IDs: PE-3
Example FedRAMP Control 1: PE-3 PHYSICAL ACCESS CONTROL (control text identical to the PE-3 entry under PE.L1-3.10.3 above)
Example FedRAMP Control 2: (none)

CMMC ID: SC.L1-3.13.1
CMMC Family/Domain: System and Communications Protection
CMMC Control: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
FedRAMP/NIST 800-53 Control IDs: SC-7, SA-8
Example FedRAMP Control 1: SC-7 BOUNDARY PROTECTION
  Control:
  a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
  b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
  c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Example FedRAMP Control 2: SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES
  Control: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].

CMMC ID: SC.L1-3.13.5
CMMC Family/Domain: System and Communications Protection
CMMC Control: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
FedRAMP/NIST 800-53 Control IDs: SC-7
Example FedRAMP Control 1: SC-7 BOUNDARY PROTECTION (control text identical to the SC-7 entry under SC.L1-3.13.1 above)
Example FedRAMP Control 2: (none)

CMMC ID: SI.L1-3.14.2
CMMC Family/Domain: System and Information Integrity
CMMC Control: Provide protection from malicious code at designated locations within organizational systems.
FedRAMP/NIST 800-53 Control IDs: SI-2, SI-3, SI-5
Example FedRAMP Control 1: SI-2 FLAW REMEDIATION
  Control:
  a. Identify, report, and correct system flaws;
  b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  d. Incorporate flaw remediation into the organizational configuration management process.
Example FedRAMP Control 2: SI-3 MALICIOUS CODE PROTECTION
  Control:
  a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
  b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
  c. Configure malicious code protection mechanisms to:
     1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
     2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
  d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

CMMC ID: SI.L1-3.14.4
CMMC Family/Domain: System and Information Integrity
CMMC Control: Update malicious code protection mechanisms when new releases are available.
FedRAMP/NIST 800-53 Control IDs: SI-3
Example FedRAMP Control 1: SI-3 MALICIOUS CODE PROTECTION (control text identical to the SI-3 entry under SI.L1-3.14.2 above)
Example FedRAMP Control 2: (none)

CMMC ID: SI.L1-3.14.5
CMMC Family/Domain: System and Information Integrity
CMMC Control: Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
FedRAMP/NIST 800-53 Control IDs: SI-3
Example FedRAMP Control 1: SI-3 MALICIOUS CODE PROTECTION (control text identical to the SI-3 entry under SI.L1-3.14.2 above)
Example FedRAMP Control 2: (none)