{"frameworkId":"cmmc","label":"CMMC 2.0","version":"2.0","css":"fw-cmmc","totalControls":110,"registryKey":"cmmc","csvColumn":"Cmmc","displayOrder":7,"scoring":{"method":"maturity-level","maturityLevels":{"L1":{"label":"Level 1 \u2014 Foundational","description":"Basic safeguarding of Federal Contract Information (FCI)","practiceCount":17},"L2":{"label":"Level 2 \u2014 Advanced","description":"Protection of Controlled Unclassified Information (CUI), aligned with NIST SP 800-171 Rev 2","practiceCount":110},"L3":{"label":"Level 3 \u2014 Expert","description":"Enhanced protection against Advanced Persistent Threats (APTs), adds NIST SP 800-172 requirements","practiceCount":134}}},"colors":{"light":{"background":"#f0fdfa","color":"#134e4a"},"dark":{"background":"#134E4A","color":"#5EEAD4"}},"controls":[{"controlId":"AC.L1-3.1.1","title":"Authorized Access Control","domain":"Access Control","level":"L1"},{"controlId":"AC.L1-3.1.2","title":"Transaction and Function Control","domain":"Access Control","level":"L1"},{"controlId":"AC.L2-3.1.3","title":"Control CUI Flow","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.4","title":"Separation of Duties","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.5","title":"Least Privilege","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.6","title":"Non-Privileged Account Use","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.7","title":"Privileged Functions","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.8","title":"Unsuccessful Logon Attempts","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.9","title":"Privacy and Security Notices","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.10","title":"Session Lock","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.11","title":"Session Termination","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.12","title":"Control Remote Access","domain":"Access 
Control","level":"L2"},{"controlId":"AC.L2-3.1.13","title":"Remote Access Confidentiality","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.14","title":"Remote Access Routing","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.15","title":"Privileged Remote Access","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.16","title":"Wireless Access Authorization","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.17","title":"Wireless Access Protection","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.18","title":"Mobile Device Connection","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.19","title":"Encrypt CUI on Mobile","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.20","title":"External System Connections","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.21","title":"Portable Storage Use","domain":"Access Control","level":"L2"},{"controlId":"AC.L2-3.1.22","title":"Control Public Information","domain":"Access Control","level":"L2"},{"controlId":"AT.L2-3.2.1","title":"Role-Based Risk Awareness","domain":"Awareness and Training","level":"L2"},{"controlId":"AT.L2-3.2.2","title":"Role-Based Training","domain":"Awareness and Training","level":"L2"},{"controlId":"AT.L2-3.2.3","title":"Insider Threat Awareness","domain":"Awareness and Training","level":"L2"},{"controlId":"AU.L2-3.3.1","title":"System Auditing","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.2","title":"User Accountability","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.3","title":"Event Review","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.4","title":"Audit Failure Alerting","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.5","title":"Audit Correlation","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.6","title":"Reduction and Reporting","domain":"Audit and 
Accountability","level":"L2"},{"controlId":"AU.L2-3.3.7","title":"Authoritative Time Source","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.8","title":"Audit Protection","domain":"Audit and Accountability","level":"L2"},{"controlId":"AU.L2-3.3.9","title":"Audit Management","domain":"Audit and Accountability","level":"L2"},{"controlId":"CA.L2-3.12.1","title":"Security Assessment","domain":"Security Assessment","level":"L2"},{"controlId":"CA.L2-3.12.2","title":"Plan of Action","domain":"Security Assessment","level":"L2"},{"controlId":"CA.L2-3.12.3","title":"Security Control Monitoring","domain":"Security Assessment","level":"L2"},{"controlId":"CA.L2-3.12.4","title":"System Security Plan","domain":"Security Assessment","level":"L2"},{"controlId":"CM.L2-3.4.1","title":"System Baselining","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.2","title":"Security Configuration Enforcement","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.3","title":"System Change Control","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.4","title":"Security Impact Analysis","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.5","title":"Access Restrictions for Change","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.6","title":"Least Functionality","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.7","title":"Nonessential Functionality","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.8","title":"Application Execution Policy","domain":"Configuration Management","level":"L2"},{"controlId":"CM.L2-3.4.9","title":"User-Installed Software","domain":"Configuration Management","level":"L2"},{"controlId":"IA.L1-3.5.1","title":"Identification","domain":"Identification and Authentication","level":"L1"},{"controlId":"IA.L1-3.5.2","title":"Authentication","domain":"Identification and 
Authentication","level":"L1"},{"controlId":"IA.L2-3.5.3","title":"Multifactor Authentication","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.4","title":"Replay-Resistant Authentication","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.5","title":"Identifier Reuse","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.6","title":"Identifier Handling","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.7","title":"Password Complexity","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.8","title":"Password Reuse","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.9","title":"Temporary Passwords","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.10","title":"Cryptographically-Protected Passwords","domain":"Identification and Authentication","level":"L2"},{"controlId":"IA.L2-3.5.11","title":"Obscure Feedback","domain":"Identification and Authentication","level":"L2"},{"controlId":"IR.L2-3.6.1","title":"Incident Handling","domain":"Incident Response","level":"L2"},{"controlId":"IR.L2-3.6.2","title":"Incident Reporting","domain":"Incident Response","level":"L2"},{"controlId":"IR.L2-3.6.3","title":"Incident Response Testing","domain":"Incident Response","level":"L2"},{"controlId":"MA.L2-3.7.1","title":"Perform Maintenance","domain":"Maintenance","level":"L2"},{"controlId":"MA.L2-3.7.2","title":"System Maintenance Controls","domain":"Maintenance","level":"L2"},{"controlId":"MA.L2-3.7.3","title":"Equipment Sanitization","domain":"Maintenance","level":"L2"},{"controlId":"MA.L2-3.7.4","title":"Media Inspection","domain":"Maintenance","level":"L2"},{"controlId":"MA.L2-3.7.5","title":"Nonlocal Maintenance","domain":"Maintenance","level":"L2"},{"controlId":"MA.L2-3.7.6","title":"Maintenance 
Personnel","domain":"Maintenance","level":"L2"},{"controlId":"MP.L1-3.8.3","title":"Media Disposal","domain":"Media Protection","level":"L1"},{"controlId":"MP.L2-3.8.1","title":"Media Protection","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.2","title":"Media Access","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.4","title":"Media Markings","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.5","title":"Media Accountability","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.6","title":"Portable Storage Encryption","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.7","title":"Removable Media","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.8","title":"Shared Media","domain":"Media Protection","level":"L2"},{"controlId":"MP.L2-3.8.9","title":"Protect Backups","domain":"Media Protection","level":"L2"},{"controlId":"PE.L1-3.10.1","title":"Limit Physical Access","domain":"Physical Protection","level":"L1"},{"controlId":"PE.L1-3.10.2","title":"Monitor Facility","domain":"Physical Protection","level":"L1"},{"controlId":"PE.L1-3.10.3","title":"Escort Visitors","domain":"Physical Protection","level":"L1"},{"controlId":"PE.L1-3.10.4","title":"Physical Access Logs","domain":"Physical Protection","level":"L1"},{"controlId":"PE.L1-3.10.5","title":"Manage Physical Access Devices","domain":"Physical Protection","level":"L1"},{"controlId":"PE.L2-3.10.6","title":"Alternative Work Sites","domain":"Physical Protection","level":"L2"},{"controlId":"PS.L2-3.9.1","title":"Screen Individuals","domain":"Personnel Security","level":"L2"},{"controlId":"PS.L2-3.9.2","title":"Termination and Transfer","domain":"Personnel Security","level":"L2"},{"controlId":"RA.L2-3.11.1","title":"Risk Assessments","domain":"Risk Assessment","level":"L2"},{"controlId":"RA.L2-3.11.2","title":"Vulnerability Scan","domain":"Risk Assessment","level":"L2"},{"controlId":"RA.L2-3.11.3","title":"Vulnerability 
Remediation","domain":"Risk Assessment","level":"L2"},{"controlId":"SC.L1-3.13.1","title":"Boundary Protection","domain":"System and Communications Protection","level":"L1"},{"controlId":"SC.L1-3.13.5","title":"Public-Access System Separation","domain":"System and Communications Protection","level":"L1"},{"controlId":"SC.L2-3.13.2","title":"Security Engineering","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.3","title":"Role Separation","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.4","title":"Shared Resource Control","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.6","title":"Network Communication by Exception","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.7","title":"Split Tunneling","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.8","title":"Data in Transit","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.9","title":"Connections Termination","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.10","title":"Key Management","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.11","title":"CUI Encryption","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.12","title":"Collaborative Computing","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.13","title":"Mobile Code","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.14","title":"Voice over Internet Protocol","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.15","title":"Communications Authenticity","domain":"System and Communications Protection","level":"L2"},{"controlId":"SC.L2-3.13.16","title":"Data at Rest","domain":"System and Communications 
Protection","level":"L2"},{"controlId":"SI.L1-3.14.1","title":"Flaw Remediation","domain":"System and Information Integrity","level":"L1"},{"controlId":"SI.L1-3.14.2","title":"Malicious Code Protection","domain":"System and Information Integrity","level":"L1"},{"controlId":"SI.L1-3.14.3","title":"Security Alerts","domain":"System and Information Integrity","level":"L1"},{"controlId":"SI.L1-3.14.4","title":"Update Malicious Code Protection","domain":"System and Information Integrity","level":"L1"},{"controlId":"SI.L1-3.14.5","title":"System and File Scanning","domain":"System and Information Integrity","level":"L1"},{"controlId":"SI.L2-3.14.6","title":"Security Alert Monitoring","domain":"System and Information Integrity","level":"L2"},{"controlId":"SI.L2-3.14.7","title":"Identify Unauthorized Use","domain":"System and Information Integrity","level":"L2"}]}