CMMC

Summary

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is aimed at measuring the maturity of an organization's cybersecurity processes (process institutionalization). The version used in this section is CMMC 2.0.

Definitions

Definition / Requirements

AC_L1-3_1_1. Authorized access control
  033. Restrict administrative access
  035. Manage privilege modifications
  095. Define users with privileges
  096. Set user's required privileges
  176. Restrict system objects
  227. Display access notification
  265. Restrict access to critical processes

AC_L1-3_1_2. Transaction & function control
  030. Avoid object reutilization
  084. Allow transaction history queries
  147. Use pre-existent mechanisms
  174. Transactions without a distinguishable pattern
  176. Restrict system objects
  229. Request access credentials
  264. Request authentication
  265. Restrict access to critical processes
  346. Use initialization vectors once

AC_L1-3_1_20. External connections
  092. Use externally signed certificates
  262. Verify third-party components
  284. Define maximum number of connections
  324. Control redirects
  330. Verify Subresource Integrity

AC_L1-3_1_22. Control public information
  045. Remove metadata when sharing files
  123. Restrict the reading of emails
  261. Avoid exposing sensitive information
  325. Protect WSDL files
  364. Provide extended validation (EV) certificates

AC_L2-3_1_3. Control CUI flow
  331. Guarantee legal compliance

AC_L2-3_1_4. Separation of duties
  033. Restrict administrative access
  035. Manage privilege modifications
  095. Define users with privileges
  096. Set user's required privileges

AC_L2-3_1_5. Least privilege
  186. Use the principle of least privilege

AC_L2-3_1_6. Non-privileged account use
  033. Restrict administrative access
  096. Set user's required privileges

AC_L2-3_1_7. Privileged functions
  035. Manage privilege modifications
  080. Prevent log modification
  083. Avoid logging sensitive data

AC_L2-3_1_8. Unsuccessful logon attempts
  131. Deny multiple password changing attempts
  210. Delete information from mobile devices
  225. Proper authentication responses
  226. Avoid account lockouts
  227. Display access notification

AC_L2-3_1_9. Privacy & security notices
  225. Proper authentication responses
  227. Display access notification
  301. Notify configuration changes
  318. Notify third parties of changes
  358. Notify upcoming expiration dates

AC_L2-3_1_10. Session lock
  027. Allow session lockout
  114. Deny access with inactive credentials
  144. Remove inactive accounts periodically

AC_L2-3_1_11. Session termination
  023. Terminate inactive user sessions
  031. Discard user session data
  141. Force re-authentication

AC_L2-3_1_12. Control remote access
  153. Out of band transactions
  213. Allow geographic location
  253. Restrict network access
  257. Access based on user credentials
  377. Store logs based on valid regulation

AC_L2-3_1_13. Remote access confidentiality
  147. Use pre-existent mechanisms
  172. Encrypt connection strings
  181. Transmit data using secure protocols
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy

AC_L2-3_1_14. Remote access routing
  249. Locate access points
  250. Manage access points
  320. Avoid client-side control enforcement

AC_L2-3_1_15. Privileged remote access
  095. Define users with privileges
  096. Set user's required privileges

AC_L2-3_1_16. Wireless access authorization
  253. Restrict network access

AC_L2-3_1_17. Wireless access protection
  250. Manage access points
  252. Configure key encryption
  253. Restrict network access
  255. Allow access only to the necessary ports

AC_L2-3_1_18. Mobile device connection
  205. Configure PIN
  206. Configure communication protocols
  213. Allow geographic location

AC_L2-3_1_19. Encrypt CUI on mobile
  026. Encrypt client-side session information
  185. Encrypt sensitive information
  329. Keep client-side storage without sensitive data

AC_L2-3_1_21. Portable storage use
  210. Delete information from mobile devices
  214. Allow data destruction

AT_L2-3_2_1. Role-based risk awareness
  062. Define standard configurations
  077. Avoid disclosing technical information
  155. Application free of malicious code
  156. Source code without sensitive information
  158. Use a secure programming language
  161. Define secure default options
  167. Close unused resources
  171. Remove commented-out code

AU_L2-3_3_1. System audit
  075. Record exceptional events in logs
  376. Register severity level
  377. Store logs based on valid regulation
  378. Use of log management system

AU_L2-3_3_2. User accountability
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  085. Allow session history queries

AU_L2-3_3_3. Event review
  075. Record exceptional events in logs
  322. Avoid excessive logging

AU_L2-3_3_4. Audit failure alerting
  225. Proper authentication responses
  301. Notify configuration changes
  313. Inform inability to identify users

AU_L2-3_3_7. Authoritative time source
  079. Record exact occurrence time of events
  363. Synchronize system clocks

AU_L2-3_3_8. Audit protection
  080. Prevent log modification

AU_L2-3_3_9. Audit management
  095. Define users with privileges
  378. Use of log management system

CM_L2-3_4_2. Security configuration enforcement
  062. Define standard configurations
  266. Disable insecure functionalities
  273. Define a fixed security suite

CM_L2-3_4_3. System change management
  301. Notify configuration changes
  378. Use of log management system

CM_L2-3_4_5. Access restrictions for change
  033. Restrict administrative access
  176. Restrict system objects
  253. Restrict network access
  265. Restrict access to critical processes

CM_L2-3_4_6. Least functionality
  186. Use the principle of least privilege

CM_L2-3_4_7. Nonessential functionality
  167. Close unused resources

CM_L2-3_4_8. Application execution policy
  313. Inform inability to identify users

CM_L2-3_4_9. User-installed software
  026. Encrypt client-side session information
  320. Avoid client-side control enforcement
  329. Keep client-side storage without sensitive data
  352. Enable trusted execution
  375. Remove sensitive data from client-side applications

IA_L1-3_5_2. Authentication
  122. Validate credential ownership
  229. Request access credentials
  264. Request authentication

IA_L2-3_5_3. Multifactor authentication
  328. Request MFA for critical systems
  362. Assign MFA mechanisms to a single account

IA_L2-3_5_4. Replay-resistant authentication
  030. Avoid object reutilization
  033. Restrict administrative access

IA_L2-3_5_5. Identifier reuse
  030. Avoid object reutilization
  140. Define OTP lifespan
  335. Define out of band token lifespan

IA_L2-3_5_6. Identifier handling
  023. Terminate inactive user sessions
  114. Deny access with inactive credentials
  144. Remove inactive accounts periodically
  369. Set a maximum lifetime in sessions

IA_L2-3_5_7. Password complexity
  129. Validate previous passwords
  131. Deny multiple password changing attempts
  132. Passphrases with at least 4 words
  133. Passwords with at least 20 characters
  139. Set minimum OTP length
  334. Avoid knowledge-based authentication

IA_L2-3_5_8. Password reuse
  130. Limit password lifespan
  332. Prevent the use of breached passwords

IA_L2-3_5_9. Temporary passwords
  126. Set a password regeneration mechanism
  136. Force temporary password change
  137. Change temporary passwords of third parties
  138. Define lifespan for temporary passwords
  367. Proper generation of temporary passwords

IA_L2-3_5_10. Cryptographically-protected passwords
  127. Store hashed passwords
  134. Store passwords with salt
  209. Manage passwords in cache
  380. Define a password management tool

MA_L2-3_7_3. Equipment sanitization
  183. Delete sensitive data securely
  360. Remove unnecessary sensitive information

MA_L2-3_7_4. Media inspection
  041. Scan files for malicious code
  155. Application free of malicious code

MA_L2-3_7_5. Nonlocal maintenance
  328. Request MFA for critical systems
  362. Assign MFA mechanisms to a single account

MP_L1-3_8_3. Media disposal
  183. Delete sensitive data securely
  315. Provide processed data information
  317. Allow erasure requests
  318. Notify third parties of changes
  360. Remove unnecessary sensitive information

MP_L2-3_8_1. Media protection
  153. Out of band transactions
  232. Require equipment identity
  255. Allow access only to the necessary ports
  350. Enable memory protection mechanisms
  351. Assign unique keys to each device
  362. Assign MFA mechanisms to a single account

MP_L2-3_8_2. Media access
  176. Restrict system objects
  205. Configure PIN
  229. Request access credentials
  264. Request authentication
  351. Assign unique keys to each device

MP_L2-3_8_5. Media accountability
  153. Out of band transactions
  181. Transmit data using secure protocols

MP_L2-3_8_6. Portable storage encryption
  185. Encrypt sensitive information
  224. Use secure cryptographic mechanisms
  336. Disable insecure TLS versions

MP_L2-3_8_7. Removable media
  205. Configure PIN
  210. Delete information from mobile devices
  213. Allow geographic location
  214. Allow data destruction
  221. Disconnect unnecessary input devices
  255. Allow access only to the necessary ports
  326. Detect rooted devices

MP_L2-3_8_8. Shared media
  232. Require equipment identity

PE_L1-3_10_1. Limit physical access
  250. Manage access points
  257. Access based on user credentials
  273. Define a fixed security suite
  362. Assign MFA mechanisms to a single account

PE_L1-3_10_4. Physical access logs
  075. Record exceptional events in logs
  085. Allow session history queries

PE_L1-3_10_5. Manage physical access
  205. Configure PIN
  255. Allow access only to the necessary ports
  362. Assign MFA mechanisms to a single account
  373. Use certificate pinning

PE_L2-3_10_6. Alternative work sites
  273. Define a fixed security suite

RA_L2-3_11_2. Vulnerability scan
  041. Scan files for malicious code
  062. Define standard configurations
  155. Application free of malicious code

CA_L2-3_12_2. Plan of action
  039. Define maximum file size
  161. Define secure default options
  164. Use optimized structures
  175. Protect pages from clickjacking
  262. Verify third-party components
  273. Define a fixed security suite
  340. Use octet stream downloads
  345. Establish protections against overflows

CA_L2-3_12_3. Security control monitoring
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  376. Register severity level
  378. Use of log management system

SC_L1-3_13_1. Boundary protection
  030. Avoid object reutilization
  145. Protect system cryptographic keys
  147. Use pre-existent mechanisms
  206. Configure communication protocols
  224. Use secure cryptographic mechanisms
  249. Locate access points
  250. Manage access points
  252. Configure key encryption
  253. Restrict network access
  255. Allow access only to the necessary ports
  257. Access based on user credentials
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy
  346. Use initialization vectors once

SC_L1-3_13_5. Public-access system separation
  259. Segment the organization network

SC_L2-3_13_3. Role separation
  095. Define users with privileges
  096. Set user's required privileges

SC_L2-3_13_4. Shared resource control
  075. Record exceptional events in logs
  096. Set user's required privileges
  127. Store hashed passwords
  176. Restrict system objects

SC_L2-3_13_6. Network communication by exception
  341. Use the principle of deny by default
  359. Avoid using generic exceptions

SC_L2-3_13_7. Split tunneling
  025. Manage concurrent sessions
  284. Define maximum number of connections

SC_L2-3_13_8. Data in transit
  077. Avoid disclosing technical information
  147. Use pre-existent mechanisms
  181. Transmit data using secure protocols
  224. Use secure cryptographic mechanisms

SC_L2-3_13_9. Connections termination
  023. Terminate inactive user sessions
  031. Discard user session data

SC_L2-3_13_10. Key management
  145. Protect system cryptographic keys
  151. Separate keys for encryption and signatures
  252. Configure key encryption
  351. Assign unique keys to each device

SC_L2-3_13_13. Mobile code
  205. Configure PIN

SC_L2-3_13_15. Communications authenticity
  030. Avoid object reutilization
  147. Use pre-existent mechanisms
  178. Use digital signatures
  338. Implement perfect forward secrecy

SC_L2-3_13_16. Data at rest
  062. Define standard configurations
  146. Remove cryptographic keys from RAM
  329. Keep client-side storage without sensitive data

SI_L1-3_14_2. Malicious code protection
  041. Scan files for malicious code
  155. Application free of malicious code

SI_L1-3_14_4. Update malicious code protection
  353. Schedule firmware updates

SI_L1-3_14_5. System & file scanning
  041. Scan files for malicious code
  323. Exclude unverifiable files
  339. Avoid storing sensitive files in the web root
  340. Use octet stream downloads
  352. Enable trusted execution

SI_L2-3_14_3. Security alerts & advisories
  075. Record exceptional events in logs

SI_L2-3_14_7. Identify unauthorized use
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  376. Register severity level