Access Control
AC.L1-3.1.1/b.1.i Authorized Access Control
AC.L1-3.1.2/b.1.ii Transaction & Function Control
AC.L3-3.1.2e Organizationally Controlled Assets
AC.L2-3.1.3 Control CUI Flow
AC.L3-3.1.3e Secured Information Transfer
AC.L2-3.1.4 Separation of Duties
AC.L2-3.1.5 Least Privilege
AC.L2-3.1.6 Non-Privileged Account Use
AC.L2-3.1.7 Privileged Functions
AC.L2-3.1.8 Unsuccessful Logon Attempts
AC.L2-3.1.9 Privacy & Security Notices
AC.L2-3.1.10 Session Lock
AC.L2-3.1.11 Session Termination
AC.L2-3.1.12 Control Remote Access
AC.L2-3.1.13 Remote Access Confidentiality
AC.L2-3.1.14 Remote Access Routing
AC.L2-3.1.15 Privileged Remote Access
AC.L2-3.1.16 Wireless Access Authorization
AC.L2-3.1.17 Wireless Access Protection
AC.L2-3.1.18 Mobile Device Connection
AC.L2-3.1.19 Encrypt CUI on Mobile
AC.L1-3.1.20/b.1.iii External Connections
AC.L2-3.1.21 Portable Storage Use
AC.L1-3.1.22/b.1.iv Control Public Information
Awareness and Training
AT.L2-3.2.1 Role-Based Risk Awareness
AT.L3-3.2.1e Advanced Threat Awareness
AT.L2-3.2.2 Role-Based Training
AT.L3-3.2.2e Practical Training Exercises
AT.L2-3.2.3 Insider Threat Awareness
Audit and Accountability
AU.L2-3.3.1 System Auditing
AU.L2-3.3.2 User Accountability
AU.L2-3.3.3 Event Review
AU.L2-3.3.4 Audit Failure Alerting
AU.L2-3.3.5 Audit Correlation
AU.L2-3.3.6 Reduction & Reporting
AU.L2-3.3.7 Authoritative Time Source
AU.L2-3.3.8 Audit Protection
AU.L2-3.3.9 Audit Management
Configuration Management
CM.L2-3.4.1 System Baselining
CM.L3-3.4.1e Authoritative Repository
CM.L2-3.4.2 Security Configuration Enforcement
CM.L3-3.4.2e Automated Detection & Remediation
CM.L2-3.4.3 System Change Management
CM.L3-3.4.3e Automated Inventory
CM.L2-3.4.4 Security Impact Analysis
CM.L2-3.4.5 Access Restrictions for Change
CM.L2-3.4.6 Least Functionality
CM.L2-3.4.7 Nonessential Functionality
CM.L2-3.4.8 Application Execution Policy
CM.L2-3.4.9 User-Installed Software
Identification and Authentication
IA.L1-3.5.1/b.1.v Identification
IA.L3-3.5.1e Bidirectional Authentication
IA.L1-3.5.2/b.1.vi Authentication
IA.L2-3.5.3 Multifactor Authentication
IA.L3-3.5.3e Block Untrusted Assets
IA.L2-3.5.4 Replay-Resistant Authentication
IA.L2-3.5.5 Identifier Reuse
IA.L2-3.5.6 Identifier Handling
IA.L2-3.5.7 Password Complexity
IA.L2-3.5.8 Password Reuse
IA.L2-3.5.9 Temporary Passwords
IA.L2-3.5.10 Cryptographically-Protected Passwords
IA.L2-3.5.11 Obscure Feedback
Incident Response
IR.L2-3.6.1 Incident Handling
IR.L3-3.6.1e Security Operations Center
IR.L2-3.6.2 Incident Reporting
IR.L3-3.6.2e Cyber Incident Response Team
IR.L2-3.6.3 Incident Response Testing
Maintenance
MA.L2-3.7.1 Perform Maintenance
MA.L2-3.7.2 System Maintenance Control
MA.L2-3.7.3 Equipment Sanitization
MA.L2-3.7.4 Media Inspection
MA.L2-3.7.5 Nonlocal Maintenance
MA.L2-3.7.6 Maintenance Personnel
Media Protection
MP.L2-3.8.1 Media Protections
MP.L2-3.8.2 Media Access
MP.L1-3.8.3/b.1.vii Media Disposal
MP.L2-3.8.4 Media Markings
MP.L2-3.8.5 Media Accountability
MP.L2-3.8.6 Portable Storage Encryption
MP.L2-3.8.7 Removable Media
MP.L2-3.8.8 Shared Media
MP.L2-3.8.9 Protect Backups
Personnel Security
PS.L2-3.9.1 Screen Individuals
PS.L2-3.9.2 Personnel Actions
PS.L3-3.9.2e Adverse Information
Physical Protection
PE.L1-3.10.1/b.1.viii Limit Physical Access
PE.L2-3.10.2 Monitor Facility
PE.L1-3.10.3/b.1.ix Escort Visitors
PE.L1-3.10.4/b.1.ix Physical Access Logs
PE.L1-3.10.5/b.1.ix Manage Physical Access
PE.L2-3.10.6 Alternative Work Sites
Risk Assessment
RA.L2-3.11.1 Risk Assessments
RA.L3-3.11.1e Threat Hunting
RA.L2-3.11.2 Vulnerability Scan
RA.L3-3.11.2e Threat Hunting
RA.L2-3.11.3 Vulnerability Remediation
RA.L3-3.11.3e Advanced Risk Identification
RA.L3-3.11.4e Security Solution Rationale
RA.L3-3.11.5e Security Solution Effectiveness
RA.L3-3.11.6e Supply Chain Risk Response
RA.L3-3.11.7e Supply Chain Risk Plan
Security Assessment
CA.L2-3.12.1 Security Control Assessment
CA.L3-3.12.1e Penetration Testing
CA.L2-3.12.2 Plan of Action
CA.L2-3.12.3 Security Control Monitoring
CA.L2-3.12.4 System Security Plan
System and Communications Protection
SC.L1-3.13.1/b.1.xi Boundary Protection
SC.L2-3.13.2 Security Engineering
SC.L2-3.13.3 Role Separation
SC.L2-3.13.4 Shared Resource Control
SC.L3-3.13.4e Isolation
SC.L1-3.13.5/b.1.xi Public-Access System Separation
SC.L2-3.13.6 Network Communication by Exception
SC.L2-3.13.7 Split Tunneling
SC.L2-3.13.8 Data in Transit
SC.L2-3.13.9 Connections Termination
SC.L2-3.13.10 Key Management
SC.L2-3.13.11 CUI Encryption
SC.L2-3.13.12 Collaborative Device Control
SC.L2-3.13.13 Mobile Code
SC.L2-3.13.14 Voice over Internet Protocol
SC.L2-3.13.15 Communications Authenticity
SC.L2-3.13.16 Data at Rest
System and Information Integrity
SI.L1-3.14.1/b.1.xii Flaw Remediation
SI.L3-3.14.1e Integrity Verification
SI.L1-3.14.2/b.1.xiii Malicious Code Protection
SI.L2-3.14.3 Security Alerts & Advisories
SI.L3-3.14.3e Specialized Asset Security
SI.L1-3.14.4/b.1.xiv Update Malicious Code Protection
SI.L1-3.14.5/b.1.xv System & File Scanning
SI.L2-3.14.6 Monitor Communications for Attacks
SI.L3-3.14.6e Threat-Guided Intrusion Detection
SI.L2-3.14.7 Identify Unauthorized Use