CMMC Lvl 3

| Domain | Capability | Combined requirements (Level 3) | Company policies | Notes |
|---|---|---|---|---|
| Access Control | Establish internal system access requirements | Utilize separate users with unique accounts | | |
| | | Display banners at login | | |
| | Control internal systems | Separation of duties | | |
| | | Principle of least privilege | | |
| | | Use role-based access | | |
| | | Do not use admin accounts | | |
| | | Encrypt wireless connections | | |
| | | Lock a system on inactivity | | |
| | | Terminate sessions on a certain condition | | |
| | | Control mobile devices connected to the system | | |
| | Control remote system access | Encrypt all remote sessions | | |
| | | All remote access is monitored and controlled | | |
| | Identify access requirements for each class of data accessible from the internal network | CUI stored on portable storage devices on external systems is identified and documented. Limits are defined. | | |
| | Limit access to data to authorized users and processes acting on behalf of authorized users | Control the flow of information through the network at switches, routers, and firewalls | | |
| | | Utilize an active discovery tool to identify sensitive data | | |
| | | Mobile devices containing CUI are identified and encrypted | | |
| Asset Management | Identify assets | Maintain an automated and active inventory of all hardware and software, including who uses it and what for | | |
| | | Use active and passive discovery tools for inventory | | |
| | | Remove old, unused assets | | |
| | Develop a common definition for assets and their attributes | All CUI is identified, classified, and labeled | | |
| | | Inventory attributes are defined and applied, including information to support the cybersecurity strategy (e.g., location, asset owner, asset custodian, applicable security requirements, service dependencies, service level agreements, and conformance of assets to relevant industry standards). | | |
| | | Have procedures on handling CUI | | |
| | Identify asset inventory change criteria | Criteria are developed and documented establishing when a change in the asset inventory must be considered | | |
| | Maintain changes to assets and inventory | Keep a current asset inventory | | |
| Audit and Accountability | Define the content of audit records | Defined logs can be traced to a user and are reviewed periodically | | |
| | Identify stakeholders | Entities needing audit logs are known | | |
| | Define audit storage requirements | Audit storage and retention are defined | | |
| | | Alert on audit process failure | | |
| | Auditing is performed | A process is defined to create and retain logs | | |
| | | Time on logs is accurate | | |
| | | All logs are pulled to a central repository | | |
| | Audit information is identified and protected | Limit management of logging to the correct admins | | |
| | Assign staff to review and manage audit logs | Someone is assigned to audit logs | | |
| | Audit logs are reviewed | Correlate the audit review, analysis, and reporting processes | | |
| | | Reports can be made from logs | | |
| | | Information collected is distributed to the appropriate stakeholders | | <- |
| Awareness Training | | | | Just read the real one |
| Configuration Management | Establish change management requirements | Have a change management process | | |
| | Establish configuration management requirements | Have a change management process defined that includes who can make changes and when changes can be made | | |
| | Configuration baselines are established | Baseline configurations for organization systems are defined | | |
| | | Non-essential applications are disabled (principle of least functionality) | | |
| | | Restrict software run on machines with a whitelist or blacklist | | |
| | Configuration and change management is performed | The change management process is used for all changes | | |
| | | Existing security requirements are analyzed before a change is made | | |
| | Configuration management is performed | Configuration management is performed based on the established processes | | |
| | | Authorized admins perform configuration management | | |
| Cybersecurity governance | Define cybersecurity objectives | Have defined cybersecurity objectives and plans to achieve/manage them | | |
| | Define cybersecurity critical success factors | Have a defined process for managing cybersecurity critical success factors | | |
| | Manage cybersecurity plans | Cybersecurity objectives are implemented through defined cybersecurity plans | | |
| | | Cybersecurity plans include policies and procedures to carry out defined security objectives | | |
| | | Align funding, staffing, and accountability to cybersecurity plans | | |
| | Manage cybersecurity critical success factors | Establish and monitor cybersecurity critical success factors, prioritization, and incident response | | |
| Identification and authorization | System users, processes, and devices are identified before access is granted | A process exists to identify users and services before access is granted to systems | | |
| | Access is granted to authorized entities | MFA is used for local and network access to privileged accounts and for network access to non-privileged accounts | | |
| | | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts | | |
| | | Prevent the reuse of identifiers for a defined period | | |
| | | Disable identifiers after a defined period of inactivity | | |
| | | Minimum password complexity is defined and enforced | | |
| | | Prevent password reuse | | |
| | | Use temporary passwords for initial login but force an immediate change | | |
| | | Ensure all stored passwords are hashed/encrypted | | |
| | | Feedback of authentication information is obscured | | |
| Incident response | Detect and report events | Have processes for detecting, reporting, categorizing, managing, and tracking events | | |
| | | Analyze events to determine if they relate to other events | | |
| | Define and maintain criteria for declaring incidents | A repository is established for tracking incidents | | |
| | | Criteria for declaring incidents are defined | | |
| | Declare and report events | Have a process for declaring and reporting events to the appropriate stakeholders | | |
| | Escalate incidents to appropriate stakeholders | Have a process for escalating incidents to the proper stakeholders for input and resolution | | |
| | Develop and implement a response to a declared incident | Have a process for analyzing incidents to determine a response, and test it | | |
| | | Have a process for developing and implementing responses, including preparation, detection, analysis, containment, recovery, and user response activities; test this response capability | | |
| | | Incidents are tracked to a resolution | | |
| | | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities | | |
| | Communicate incidents to relevant stakeholders as appropriate | Have a process for communicating incident status and responses to affected parties | | |
| | | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization | | |
| | Manage incidents to resolution | Have a process for managing incidents to resolution, including declaring, escalating, and developing and implementing a response | | |
| | | Roles and responsibilities for managing incidents have been established and staff have been assigned | | |
| | Perform post-incident reviews to determine underlying causes | Root cause analysis is performed on incidents to determine underlying causes | | |
| | | Incidents are analyzed to determine if the incident is linked to other processes within the organization | | |
| Maintenance | Maintenance is performed | Schedule, perform, and review records of maintenance activities performed on systems | | |
| | Maintenance is controlled | Identify approved tools and techniques to conduct system maintenance | | |
| | | Identify and implement controls on the tools, techniques, mechanisms, and staff that are used to conduct maintenance | | |
| | | Identify MFA requirements for maintenance sessions via external network connections | | |
| | | Supervise maintenance activities of staff without required access authorization | | |
| | | Scan media containing test programs for malicious code before using the media in organizational systems | | |
| | | Follow asset disposal guidelines for equipment removed for off-site maintenance | | |
| Media protection | Media is identified | Have a process for identifying non-digital and digital media containing CUI | | |
| | Media is protected | Have a process for physically and cryptographically protecting media containing CUI | | |
| | | Have a process for limiting access to media containing CUI to authorized users | | |
| | Media is sanitized | Have a process for sanitizing or destroying media before disposal | | |
| | Media is marked | Have a process for marking media with necessary CUI markings | | |
| | Media is protected during transport | Have a process for controlling access to and encrypting media containing CUI while transported outside of controlled areas | | |
| | Control the use of removable media on system components | Have a process for controlling the use of removable media on systems | | |
| | Prohibit the use of portable storage devices when they have no identifiable owner | Have a process that prohibits the use of portable storage when there is no owner | | |
| | Protect the confidentiality of backup CUI at storage locations | Have a process for protecting the confidentiality of backup CUI at storage locations | | |
| Personnel Security | Screen personnel | Have a process for screening individuals prior to authorizing access to organizational systems containing CUI | | |
| | Protect CUI during personnel actions | Have a process to ensure CUI is protected during personnel actions | | |
| Physical protection | Identify organizational systems, equipment, and respective operating environments that require limited access | | | |
| | Develop physical access requirements for identified organizational systems, equipment, and respective operating environments | Develop physical access and audit requirements for organization systems and environments, including alternate work sites | | |
| | | Develop security requirements for visitors | | |
| | | Develop security requirements for physical access devices (keys) | | |
| | Manage physical access requirements for identified organizational systems and equipment operating environments | Review and update physical security requirements at a defined frequency | | |
| | Limit physical access to organizational systems based on defined access policies | Protect and monitor physical facilities and alternate worksites based on established requirements | | |
| | | Control and manage physical access to devices based on established requirements | | |
| | Monitor physical facilities for adherence to physical security access requirements | Escort and monitor visitors and their activity | | |
| | | Protect and monitor physical facilities and infrastructure | | |
| | | Maintain audit logs of physical access | | |
| Recovery | Manage back-ups | Perform complete and automated backups | | |
| | | Routinely test backup data | | |
| | Manage information security continuity | Ensure information processing facilities meet redundancy and availability requirements | | |
| Risk Management | Determine risk categories, sources, and measurement criteria | Have documented risk sources, categories, and measurement criteria | | |
| | | Have a risk management strategy that defines the processes for identifying, analyzing, managing, and mitigating risk | | |
| | | Have a process established to receive, analyze, and respond to vulnerabilities disclosed to the organization | | |
| | Document organizational risk | Have a process for recording risk in the risk register or structured risk repository | | |
| | Identify risk | Risk assessments are performed to identify risks according to the defined risk categories, risk sources, and risk measurement criteria | | |
| | | Vulnerability scans are performed | | |
| | Evaluate and prioritize risk based on defined measurement criteria | Have a process for periodically analyzing risk | | |
| | Manage risk | Have a process to develop and implement a risk mitigation plan | | |
| | | Risk mitigation plans are tracked to ensure responses are met | | |
| | | Risk mitigation plans are developed and implemented | | |
| | | Actions are taken to manage exposure to vulnerabilities | | |
| | Manage supply chain risk | | | Check the docs, this is only level 4+ |
| Security Assessment | | Have an SSP | | |
| | Manage the SSP | Periodically update the SSP as security requirements change | | |
| | | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in the organizational systems | | |
| | Define control objectives | Document control objectives based on the SSP-defined requirements | | |
| | Define controls | Ensure the selected controls are documented and satisfy control objectives | | |
| | Manage controls | Monitor security controls on an ongoing basis to ensure the continued effectiveness of controls | | |
| | Perform code reviews to identify weaknesses in in-house-developed software | Employ human-performed code reviews to identify areas of concern that require additional improvements | | |
| Situational Awareness | Establish threat monitoring requirements | Have established threat monitoring procedures | | |
| | Implement threat monitoring based on defined requirements | Receive and manage cyber threat intelligence based on established threat monitoring procedures | | |
| | Establish the requirements for communicating threat information | Have established requirements for communicating threat information | | |
| | | Have identified stakeholders to whom threat information must be communicated | | |
| | Communicate threat information to stakeholders | Communicate threat information to identified stakeholders | | |
| System and communications protection | Define security requirements for systems and communications | Have a process to establish security requirements for monitoring, controlling, and protecting system boundaries | | |
| | | Have a process to require that publicly accessible systems are physically or logically separated from internal networks | | |
| | | Establish and manage cryptographic keys for cryptographic implementations across the organization | | |
| | | Establish FIPS-compliant cryptography when protecting the confidentiality of organizational information | | |
| | | Establish architectural design guidelines that promote effective information security within organizational systems | | |
| | | Establish software development technique guidelines that promote effective information security within organizational systems | | |
| | | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | | |
| | | Use encrypted sessions for the management of network devices | | |
| | | Separate user functionality from system management functionality | | |
| | | Prevent unauthorized and unintended information transfer via shared system resources | | |
| | | Deny network communications by default and allow network communications by exception | | |
| | | Prevent split tunneling | | |
| | | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless protected by alternate physical controls | | |
| | | Protect the authenticity of communications sessions | | |
| | | Establish requirements to protect CUI at rest | | |
| | | Manage and update the security requirements for external system boundaries at a frequency defined by the organization | | |
| | | Terminate network connections at the end of a session or after a defined period of inactivity | | |
| | | Establish requirements to control and monitor the use of mobile code | | |
| | | Establish requirements to control and monitor the use of VoIP | | |
| | Control communications at system boundaries | Monitor, control, and protect communications at system boundaries based on established requirements | | |
| | | Implement DNS filtering services | | |
| System and information integrity | | A process exists to identify and correct information system flaws | | |
| | | Utilize automated patch management tools | | |
| | Sources of vulnerability information are identified and monitored | Monitor system security alerts and advisories and take action in response | | |
| | Malicious content is identified | Use antivirus and anti-malware; scan downloaded files | | |
| | Network and system monitoring is performed | Operational environments are monitored for anomalous behavior that may indicate cybersecurity events | | |
| | | Organizational systems are monitored for unauthorized use | | |