The following table lists the 58 practices required for Cybersecurity Maturity Model Certification (CMMC) Level 3 (L3) systems, including the mapping to NIST SP 800-171 Rev 2 controls where one exists.
Systems categorized as CMMC L3 must also implement the 17 L1 and 55 L2 Practices.
| Domain | Capability | Level 3 Practice | NIST SP 800-171 Rev 2 |
|---|---|---|---|
| 1 – ACCESS CONTROL (AC) | C001 – Establish system access requirements | N/A | |
| | C002 – Control internal system access | AC.3.017 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion | 3.1.4 |
| | | AC.3.018 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs | 3.1.7 |
| | | AC.3.019 – Terminate (automatically) user sessions after a defined condition | 3.1.11 |
| | | AC.3.012 – Protect wireless access using authentication and encryption | 3.1.17 |
| | | AC.3.020 – Control connection of mobile devices | 3.1.18 |
| | C003 – Control remote system access | AC.3.014 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions | 3.1.13 |
| | | AC.3.021 – Authorize remote execution of privileged commands and remote access to security-relevant information | 3.1.15 |
| | C004 – Limit data access to authorized users and processes | AC.3.022 – Encrypt CUI on mobile devices and mobile computing platforms | 3.1.19 |
| 2 – ASSET MANAGEMENT (AM) | C005 – Identify and document assets | AM.3.036 – Define procedures for the handling of CUI data | None |
| | C006 – Manage asset inventory | N/A | |
| 3 – AUDIT AND ACCOUNTABILITY (AU) | C007 – Define audit requirements | AU.3.045 – Review and update logged events | 3.3.3 |
| | | AU.3.046 – Alert in the event of an audit logging process failure | 3.3.4 |
| | C008 – Perform auditing | AU.3.048 – Collect audit information (e.g., logs) into one or more central repositories | None |
| | C009 – Identify and protect audit information | AU.3.049 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion | 3.3.8 |
| | | AU.3.050 – Limit management of audit logging functionality to a subset of privileged users | 3.3.9 |
| | C010 – Review and manage audit logs | AU.3.051 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity | 3.3.5 |
| | | AU.3.052 – Provide audit record reduction and report generation to support on-demand analysis and reporting | 3.3.6 |
| 4 – AWARENESS AND TRAINING (AT) | C011 – Conduct security awareness activities | AT.3.058 – Provide security awareness training on recognizing and reporting potential indicators of insider threat | 3.2.3 |
| | C012 – Conduct training | N/A | |
| 5 – CONFIGURATION MANAGEMENT (CM) | C013 – Establish configuration baselines | N/A | |
| | C014 – Perform configuration and change management | CM.3.067 – Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems | 3.4.5 |
| | | CM.3.068 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services | 3.4.7 |
| | | CM.3.069 – Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software | 3.4.8 |
| 6 – IDENTIFICATION AND AUTHENTICATION (IA) | C015 – Grant access to authenticated entities | IA.3.083 – Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | 3.5.3 |
| | | IA.3.084 – Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts | 3.5.4 |
| | | IA.3.085 – Prevent the reuse of identifiers for a defined period | 3.5.5 |
| | | IA.3.086 – Disable identifiers after a defined period of inactivity | 3.5.6 |
| 7 – INCIDENT RESPONSE (IR) | C016 – Plan incident response | N/A | |
| | C017 – Detect and report events | N/A | |
| | C018 – Develop and implement a response to a declared incident | IR.3.098 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization | 3.6.2 |
| | C019 – Perform post incident reviews | N/A | |
| | C020 – Test incident response | IR.3.099 – Test the organizational incident response capability | 3.6.3 |
| 8 – MAINTENANCE (MA) | C021 – Manage maintenance | MA.3.115 – Ensure equipment removed for off-site maintenance is sanitized of any CUI | 3.7.3 |
| | | MA.3.116 – Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems | 3.7.4 |
| 9 – MEDIA PROTECTION (MP) | C022 – Identify and mark media | MP.3.122 – Mark media with necessary CUI markings and distribution limitations | 3.8.4 |
| | C023 – Protect and control media | MP.3.123 – Prohibit the use of portable storage devices when such devices have no identifiable owner | 3.8.8 |
| | C024 – Sanitize media | N/A | |
| | C025 – Protect media during transport | MP.3.124 – Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas | 3.8.5 |
| | | MP.3.125 – Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards | 3.8.6 |
| 10 – PERSONNEL SECURITY (PS) | C026 – Screen personnel | N/A | |
| | C027 – Protect CUI during personnel actions | N/A | |
| 11 – PHYSICAL PROTECTION (PE) | C028 – Limit physical access | PE.3.136 – Enforce safeguarding measures for CUI at alternate work sites | 3.10.6 |
| 12 – RECOVERY (RE) | C029 – Manage backups | RE.3.139 – Regularly perform complete, comprehensive, and resilient data backups as organizationally defined | None |
| | C030 – Manage information security continuity | N/A | |
| 13 – RISK MANAGEMENT (RM) | C031 – Identify and evaluate risk | RM.3.144 – Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria | None |
| | C032 – Manage risk | RM.3.146 – Develop and implement risk mitigation plans | None |
| | | RM.3.147 – Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk | None |
| | C033 – Manage supply chain risk | N/A | |
| 14 – SECURITY ASSESSMENT (CA) | C034 – Develop and manage a system security plan | N/A | |
| | C035 – Define and manage controls | CA.3.161 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls | 3.12.3 |
| | C036 – Perform code reviews | CA.3.162 – Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk | None |
| 15 – SITUATIONAL AWARENESS (SA) | C037 – Implement threat monitoring | SA.3.169 – Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders | None |
| 16 – SYSTEM AND COMMUNICATIONS PROTECTION (SC) | C038 – Define security requirements for systems and communications | SC.3.177 – Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | 3.13.11 |
| | | SC.3.180 – Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems | 3.13.2 |
| | | SC.3.181 – Separate user functionality from system management functionality | 3.13.3 |
| | | SC.3.182 – Prevent unauthorized and unintended information transfer via shared system resources | 3.13.4 |
| | | SC.3.183 – Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception) | 3.13.6 |
| | | SC.3.184 – Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling) | 3.13.7 |
| | | SC.3.185 – Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards | 3.13.8 |
| | | SC.3.186 – Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity | 3.13.9 |
| | | SC.3.187 – Establish and manage cryptographic keys for cryptography employed in organizational systems | 3.13.10 |
| | | SC.3.188 – Control and monitor the use of mobile code | 3.13.13 |
| | | SC.3.189 – Control and monitor the use of Voice over Internet Protocol (VoIP) technologies | 3.13.14 |
| | | SC.3.190 – Protect the authenticity of communications sessions | 3.13.15 |
| | | SC.3.191 – Protect the confidentiality of CUI at rest | 3.13.16 |
| | C039 – Control communications at system boundaries | SC.3.192 – Implement Domain Name System (DNS) filtering services | None |
| | | SC.3.193 – Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter) | None |
| 17 – SYSTEM AND INFORMATION INTEGRITY (SI) | C040 – Identify and manage information system flaws | N/A | |
| | C041 – Identify malicious content | N/A | |
| | C042 – Perform network and system monitoring | SI.3.218 – Employ spam protection mechanisms at information system access entry and exit points | None |
| | C043 – Implement advanced email protections | SI.3.219 – Implement email forgery protections | None |
| | | SI.3.220 – Utilize sandboxing to detect or block potentially malicious email | None |