CMMC Lvl3+4

Domain Capability Combined requirements (Level 3) Level 4 Company policies Notes
Access Control Establish internal system access requirements Utilize separate users with unique accounts
Display banners at login
Control internal systems Separation of duties
Principle of least privilege Comprehensively apply these principles across the organization
Use role-based access Automated scans to assess ACLs in place
Do not use admin accounts
Encrypt wireless connections Use an IPS to monitor for unauthorized WAPs
Lock a system on inactivity
Terminate sessions on inactivity
Control mobile devices connected to the system
Control remote system access Encrypt all remote sessions
All remote access is monitored and controlled
Identify access requirements for each class of data accessible from the internal network CUI stored on portable storage devices on external systems is identified and documented. Limits are defined.
Limit access to data to authorized users and processes acting on behalf of authorized users Control the flow of information through the network at switches, routers, and firewalls The organization applies need-to-know and fine-grained access control for CUI data access
Utilize an active discovery tool to identify sensitive data Enforce access control to data through automated tools
Mobile devices containing CUI are identified and encrypted
Asset Management Identify assets Maintain an automated and active inventory of all hardware and software, including who uses it and what for Asset definition and scope of the cybersecurity program includes operational technology like SCADA, ICS, IoT, embedded, and real-time applications
Use active and passive discovery tools for inventory Use DHCP logging to update assets
Remove old unused assets
Develop a common definition for assets and their attributes All CUI is identified, classified, and labeled
Inventory attributes are defined and applied, including information to support the cybersecurity strategy (e.g., location, asset owner, asset custodian, applicable security requirements, service dependencies, service level agreements, and conformance of assets to relevant industry standards).
Have procedures on handling CUI
Identify asset inventory change criteria Criteria are developed and documented establishing when a change in the asset inventory must be considered Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components
Maintain changes to assets and inventory Keep current asset inventory Use automated tools
Perform spot checks
Audit and Accountability Define the content of audit records Defined logs can be traced to a user and are reviewed periodically
Identify stakeholders Entities needing audit logs are known
Define audit storage requirements Audit storage and retention is defined
Alert on audit process failure
Auditing is performed A process is defined to create and retain logs Network packets passing through boundaries are logged
Time on logs is accurate
All logs are pulled to a central repository
Audit information is identified and protected Limit management of logging to the appropriate admins Audit information is stored physically separate from the systems making the logs and encrypted
Assign staff to review and manage audit logs Someone is assigned to audit logs Log analysis is semi-automated
Audit logs are reviewed Correlates the audit review, analysis and reporting processes Audit information is automatically pre-processed to identify and act on critical indicators
Reports can be made from logs Audit information is reviewed for system-wide activity in addition to per-machine activity
Information collected is distributed to the appropriate stakeholders <-
Awareness Training Just read the real one
Configuration Management Establish change management requirements Have a change management process
Establish configuration management requirements Have a change management process defined that includes who can make changes and when changes can be made
Configuration baselines are established Baseline configurations for organization systems are defined The organization establishes and maintains an authoritative source and repository for configuration baselines of organizational systems.
Non-essential applications are disabled (principle of least functionality)
Restrict software run on machines with a whitelist or blacklist
Configuration and change management is performed The change management process is used for all changes
Existing security requirements are analyzed before a change is made
Configuration management is performed Configuration management is performed based on the established processes Automated tools are used for configuration management
Authorized admins perform configuration management Enforcement has adjustable restriction levels based on needs
Employ root of trust with signatures to verify integrity of changes
Control IoT where possible
Cybersecurity governance Define cybersecurity objectives Have defined cybersecurity objectives and plans to achieve/manage them Review and update cybersecurity objectives
Define cybersecurity critical success factors Have a defined process for managing cybersecurity critical success factors Review and update cybersecurity critical success factors
Manage cybersecurity plans Cybersecurity objectives are implemented through defined cybersecurity plans Collect, monitor, and control performance data for defined security plans
Cybersecurity plans include policies and procedures to carry out defined security objectives
Align funding, staffing, and accountability to cybersecurity plans
Manage cybersecurity critical success factors Establish and monitor cybersecurity critical success factors Collect, monitor, and control performance data for cybersecurity critical success factors
Align funding, staffing, and accountability for cybersecurity critical success factors
Create and maintain a business impact assessment including systems, data, and infrastructure
Create and maintain a business impact assessment from adverse cyber activities to inform cybersecurity prioritization and incident response
Identify and incorporate risk metrics and measures to monitor and improve cybersecurity governance.
Identification and authorization System users, processes and devices are identified before access is granted Use unique logins for all processes and services
Access is granted to authorized entities MFA is used for local and network access to privileged accounts and for network access to non-privileged accounts Require MFA for all users on all systems, whether third-party or onsite
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts Employ password managers for the generation, rotation, and management of passwords on systems that do not use MFA or have complex account management (e.g., shared accounts)
Prevent the reuse of identifiers for a defined period
Disable identifiers after a defined period of inactivity
Minimum password complexity is defined and enforced
Prevent password reuse
Use temporary passwords for initial login but force an immediate change
Ensure all stored passwords are hashed/encrypted
Feedback of authentication information is obscured
Incident response Detect and report events Have processes for detecting, reporting, categorizing, managing, and tracking events Identify and classify events in a semi-automated fashion
Analyze events to determine if they relate to other events
Define and maintain criteria for declaring incidents A repository is established for tracking incidents
Criteria for declaring incidents is defined
Declare and report events Have a process for declaring and reporting events to the appropriate stakeholders
Escalate incidents to appropriate stakeholders Have a process for escalating incidents to the proper stakeholders for input and resolution
Develop and implement a response to a declared incident Have a process for analyzing incidents to determine a response, and test it Maintain a security operations center during relevant business hours with on-call response after hours
Have a process for developing and implementing responses including preparation, detection, analysis, containment, recovery, and user response activities, and test this response capability Incident management capabilities (including the SOC and CIRT) are tested and improved based on test results
Incidents are tracked to a resolution The organization uses a combination of manual and real-time responses to anomalous activities that matches incident patterns
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities
Communicate incidents to relevant stakeholders as appropriate Have a process for communicating incident status and responses to affected parties
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
Manage incidents to resolution Have a process for managing incidents to resolution including: declaring, escalating, and developing and implementing a response
Roles and responsibilities for managing incidents have been established and staff has been assigned
Perform post-incident reviews to determine underlying causes Root cause analysis is performed on incidents to determine underlying causes Lessons learned from incident management are translated into improvements in organizational processes for asset protection and continuity
Incidents are analyzed to determine if the incident is linked to other processes within the organization Establishes and improves response plans based on type and severity of incident to drive effective use of people and tools
Periodically review incident response plans to ensure effectiveness across the enterprise
Plan incident response Demonstrates an ability to use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution
The organization implements pre-planned responses to threats
Maintenance Maintenance is performed Schedule, perform, and review records of maintenance activities performed on systems
Maintenance is controlled Identify approved tools and techniques to conduct system maintenance
Identify and implement controls on the tools, techniques, mechanisms and staff that are used to conduct maintenance
Identify MFA requirements for maintenance sessions via external network connections
Supervise maintenance activities of staff without required access authorization All systems are treated as if they contain the highest level of CUI data contained on any system they maintain
Scan media containing test programs for malicious code before using media in organizational systems
Follow asset disposal guidelines for equipment removed for off-site maintenance
Media protection Media is identified Have a process for identifying non-digital and digital media containing CUI
Media is protected Have a process for physically and cryptographically protecting media containing CUI
Have a process for limiting access to media containing CUI to authorized users
Media is sanitized Have a process for sanitizing or destroying media before disposal
Media is marked Have a process for marking media with necessary CUI markings
Media is protected during transport Have a process for controlling access to and encrypting media containing CUI while transported outside of controlled areas
Control the use of removable media on system components Have a process for controlling the use of removable media on systems
Prohibit the use of portable storage devices when they have no identifiable owner Have a process that prohibits the use of portable storage when there is no owner
Protect the confidentiality of backup CUI at storage locations Have a process for protecting the confidentiality of backup CUI at storage locations
Personnel Security Screen Personnel Have a process for screening individuals prior to authorizing access to organizational systems containing CUI
Protect CUI during personnel actions Have a process to ensure CUI is protected during personnel actions
Physical protection Identify organizational systems, equipment, and respective operating environments that require limited access
Develop physical access requirements for identified organizational systems, equipment and respective operating environments Develop physical access and audit requirements for organization systems and environments, including alternate work sites
Develop security requirements for visitors
Develop security requirements for physical access devices (keys)
Manage physical access requirements for identified organizational systems and equipment operating environments Review and update physical security requirements at a defined frequency
Limit physical access to organizational systems based on defined access policies Protect and monitor physical facilities and alternate worksites based on established requirements
Control and manage physical access to devices based on established requirements
Monitor physical facilities for adherence to physical security access requirements Escort and monitor visitors and their activity
Protect and monitor physical facilities and infrastructure
Maintain audit logs of physical access
Recovery Manage backups Perform complete and automated backups Ensure all backups have at least one offline destination
Routinely test backup data
Manage information security continuity Develop an information security continuity plan that includes redundancy and availability requirements
Ensure information processing facilities meet redundancy and availability requirements
Risk Management Determine risk categories, sources, and measurement criteria Have documented risk sources, categories and measurement criteria Develop threat models appropriate to the environment to inform risk management
Have a risk management strategy that defines the processes for identifying, analyzing, managing and mitigating risk Determination of risk tolerance is informed by the organization's role in critical infrastructure and sector-specific risk analysis
Have a process established to receive, analyze and respond to vulnerabilities disclosed to the organization
Document organizational risk Have a process for recording risk in the risk register or structured risk repository
Identify risk Risk assessments are performed to identify risks according to the defined risk categories, risk sources, and risk measurement criteria Threat profiles and adversary TTPs are cataloged and routinely updated
Vuln scans are performed Create threat profiles for organizational assets and likely targets based on threat intelligence
Vuln scans are automated
Scans are performed for unauthorized connections from across network boundaries
Evaluate and prioritize risk based on defined measurement criteria Have a process for periodically analyzing risk The system and security architecture, system components, boundary isolation or protection mechanisms, and dependencies on external service providers are used to perform risk analysis
Have a process for prioritizing tasks
Manage risk Have a process to develop and implement a risk mitigation plan Risk mitigation plans are assessed to ensure they are effective and the results are communicated to management
Risk mitigation plans are tracked to ensure responses are met
Risk mitigation plans are developed and implemented Apply cybersecurity elements to governance, risk, and compliance processes
Actions are taken to manage exposure to vulnerabilities EOL products are managed separately and restricted as necessary to reduce risk
Manage supply chain risk Check the docs, this is only level 4+
Security Assessment Have an SSP Create, maintain, and leverage a security roadmap for improvement
Apply cyber security analysis to all acquisition and merger activities
Manage the SSP Periodically update the SSP as security requirements change
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulns in the organizational systems
Define control objectives Document control objectives based on the SSP defined requirements
Define controls Ensure the selected controls are documented and satisfy control objectives
Manage controls Monitor security controls on an ongoing basis to ensure the continued effectiveness of controls Conduct pentesting at least annually, leveraging automated scanning tools and ad hoc tests using human experts
Have the ability to perform red team testing against defensive capabilities
Employ an independent organization to perform advanced adversarial assessment at least annually
Perform code reviews to identify weaknesses in in-house-developed software Employ human performed code reviews to identify areas of concern that require additional improvements
Situational Awareness Establish threat monitoring requirements Have established threat monitoring procedures Implement and continually improve the process for monitoring, reporting, and alerting that increases effectiveness in threat hunting and monitoring operations
Implement threat monitoring based on defined requirements Receive and manage cyber threat intelligence based on established threat monitoring procedures
Establish the requirements for communicating threat information Have established requirements for communicating threat information
Have identified stakeholders to whom threat information must be communicated
Communicate threat information to stakeholders Communicate threat information to identified stakeholders
System and communications protection Define security requirements for systems and communications Have a process to establish security requirements for monitoring, controlling, and protecting system boundaries
Have a process to require that publicly accessible systems are physically or logically separated from internal networks
Establish and manage cryptographic keys for cryptographic implementations across the organization
Establish FIPS-compliant cryptography when protecting the confidentiality of organizational information
Establish architectural design guidelines that promote effective information security within organizational systems
Establish software development technique guidelines that promote effective information security within organizational systems
Establish system engineering guidelines that promote effective information security within organizational systems
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device
Use encrypted sessions for the management of network devices
Separate user functionality from system management functionality
Prevent unauthorized and unintended information transfer via shared system resources
Deny network communications by default and allow network communications by exception
Prevent split tunneling
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless protected by alternate physical controls
Protect the authenticity of communications sessions
Establish requirements to protect CUI at rest
Manage and update the security requirements for external system boundaries at a frequency defined by the organization
Terminate network connections at the end of a session or after a defined period of inactivity
Establish requirements to control and monitor the use of mobile code
Establish requirements to control and monitor the use of VOIP
Control communications at system boundaries Monitor, control, and protect communications at system boundaries based on established requirments
Implement DNS filtering services
System and information integrity A process exists to identify and correct information system flaws
Utilize automated patch management tools
Sources of vulnerability information are identified and monitored Monitor system security alerts and advisories and take action in response
Malicious content is identified Use antivirus and antimalware, and scan downloaded files
Network and system monitoring is performed Operational environments are monitored for anomalous behaviour that may indicate cybersecurity events
Organizational systems are monitored for unauthorized use