
CMMC


Summary

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is aimed at measuring the maturity of an organization's cybersecurity processes (process institutionalization). The version used in this section is CMMC 2.0.

Definitions

Definition
  Requirements

AC_L1-3_1_1. Authorized access control
  033. Restrict administrative access
  035. Manage privilege modifications
  095. Define users with privileges
  096. Set user's required privileges
  176. Restrict system objects
  227. Display access notification
  265. Restrict access to critical processes
AC_L1-3_1_2. Transaction & function control
  030. Avoid object reutilization
  084. Allow transaction history queries
  147. Use pre-existent mechanisms
  174. Transactions without a distinguishable pattern
  176. Restrict system objects
  229. Request access credentials
  264. Request authentication
  265. Restrict access to critical processes
  346. Use initialization vectors once
AC_L1-3_1_20. External connections
  092. Use externally signed certificates
  262. Verify third-party components
  284. Define maximum number of connections
  324. Control redirects
  330. Verify Subresource Integrity
AC_L1-3_1_22. Control public information
  045. Remove metadata when sharing files
  123. Restrict the reading of emails
  261. Avoid exposing sensitive information
  325. Protect WSDL files
  364. Provide extended validation (EV) certificates
AC_L2-3_1_3. Control CUI flow
  331. Guarantee legal compliance
AC_L2-3_1_4. Separation of duties
  033. Restrict administrative access
  035. Manage privilege modifications
  095. Define users with privileges
  096. Set user's required privileges
AC_L2-3_1_5. Least privilege
  186. Use the principle of least privilege
AC_L2-3_1_6. Non-privileged account use
  033. Restrict administrative access
  096. Set user's required privileges
AC_L2-3_1_7. Privileged functions
  035. Manage privilege modifications
  080. Prevent log modification
  083. Avoid logging sensitive data
AC_L2-3_1_8. Unsuccessful logon attempts
  131. Deny multiple password changing attempts
  210. Delete information from mobile devices
  225. Proper authentication responses
  226. Avoid account lockouts
  227. Display access notification
AC_L2-3_1_9. Privacy & security notices
  225. Proper authentication responses
  227. Display access notification
  301. Notify configuration changes
  318. Notify third parties of changes
  358. Notify upcoming expiration dates
AC_L2-3_1_10. Session lock
  027. Allow session lockout
  114. Deny access with inactive credentials
  144. Remove inactive accounts periodically
AC_L2-3_1_11. Session termination
  023. Terminate inactive user sessions
  031. Discard user session data
  141. Force re-authentication
AC_L2-3_1_12. Control remote access
  153. Out of band transactions
  213. Allow geographic location
  253. Restrict network access
  257. Access based on user credentials
  377. Store logs based on valid regulation
AC_L2-3_1_13. Remote access confidentiality
  147. Use pre-existent mechanisms
  172. Encrypt connection strings
  181. Transmit data using secure protocols
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy
AC_L2-3_1_14. Remote access routing
  249. Locate access points
  250. Manage access points
  320. Avoid client-side control enforcement
AC_L2-3_1_15. Privileged remote access
  095. Define users with privileges
  096. Set user's required privileges
AC_L2-3_1_16. Wireless access authorization
  253. Restrict network access
AC_L2-3_1_17. Wireless access protection
  250. Manage access points
  252. Configure key encryption
  253. Restrict network access
  255. Allow access only to the necessary ports
AC_L2-3_1_18. Mobile device connection
  205. Configure PIN
  206. Configure communication protocols
  213. Allow geographic location
AC_L2-3_1_19. Encrypt CUI on mobile
  026. Encrypt client-side session information
  185. Encrypt sensitive information
  329. Keep client-side storage without sensitive data
AC_L2-3_1_21. Portable storage use
  210. Delete information from mobile devices
  214. Allow data destruction
AT_L2-3_2_1. Role-based risk awareness
  062. Define standard configurations
  077. Avoid disclosing technical information
  155. Application free of malicious code
  156. Source code without sensitive information
  158. Use a secure programming language
  161. Define secure default options
  167. Close unused resources
  171. Remove commented-out code
AU_L2-3_3_1. System audit
  075. Record exceptional events in logs
  376. Register severity level
  377. Store logs based on valid regulation
  378. Use of log management system
AU_L2-3_3_2. User accountability
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  085. Allow session history queries
AU_L2-3_3_3. Event review
  075. Record exceptional events in logs
  322. Avoid excessive logging
AU_L2-3_3_4. Audit failure alerting
  225. Proper authentication responses
  301. Notify configuration changes
  313. Inform inability to identify users
AU_L2-3_3_7. Authoritative time source
  079. Record exact occurrence time of events
  363. Synchronize system clocks
AU_L2-3_3_8. Audit protection
  080. Prevent log modification
AU_L2-3_3_9. Audit management
  095. Define users with privileges
  378. Use of log management system
CA_L2-3_12_2. Plan of action
  039. Define maximum file size
  161. Define secure default options
  164. Use optimized structures
  175. Protect pages from clickjacking
  262. Verify third-party components
  273. Define a fixed security suite
  340. Use octet stream downloads
  345. Establish protections against overflows
CA_L2-3_12_3. Security control monitoring
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  376. Register severity level
  378. Use of log management system
CM_L2-3_4_2. Security configuration enforcement
  062. Define standard configurations
  266. Disable insecure functionalities
  273. Define a fixed security suite
CM_L2-3_4_3. System change management
  301. Notify configuration changes
  378. Use of log management system
CM_L2-3_4_5. Access restrictions for change
  033. Restrict administrative access
  176. Restrict system objects
  253. Restrict network access
  265. Restrict access to critical processes
CM_L2-3_4_6. Least functionality
  186. Use the principle of least privilege
CM_L2-3_4_7. Nonessential functionality
  167. Close unused resources
CM_L2-3_4_8. Application execution policy
  313. Inform inability to identify users
CM_L2-3_4_9. User-installed software
  026. Encrypt client-side session information
  320. Avoid client-side control enforcement
  329. Keep client-side storage without sensitive data
  352. Enable trusted execution
  375. Remove sensitive data from client-side applications
IA_L1-3_5_2. Authentication
  122. Validate credential ownership
  229. Request access credentials
  264. Request authentication
IA_L2-3_5_3. Multifactor authentication
  328. Request MFA for critical systems
  362. Assign MFA mechanisms to a single account
IA_L2-3_5_4. Replay-resistant authentication
  030. Avoid object reutilization
  033. Restrict administrative access
IA_L2-3_5_5. Identifier reuse
  030. Avoid object reutilization
  140. Define OTP lifespan
  335. Define out of band token lifespan
IA_L2-3_5_6. Identifier handling
  023. Terminate inactive user sessions
  114. Deny access with inactive credentials
  144. Remove inactive accounts periodically
  369. Set a maximum lifetime in sessions
IA_L2-3_5_7. Password complexity
  129. Validate previous passwords
  131. Deny multiple password changing attempts
  132. Passphrases with at least 4 words
  133. Passwords with at least 20 characters
  139. Set minimum OTP length
  334. Avoid knowledge-based authentication
IA_L2-3_5_8. Password reuse
  130. Limit password lifespan
  332. Prevent the use of breached passwords
IA_L2-3_5_9. Temporary passwords
  126. Set a password regeneration mechanism
  136. Force temporary password change
  137. Change temporary passwords of third parties
  138. Define lifespan for temporary passwords
  367. Proper generation of temporary passwords
IA_L2-3_5_10. Cryptographically-protected passwords
  127. Store hashed passwords
  134. Store passwords with salt
  209. Manage passwords in cache
  380. Define a password management tool
MA_L2-3_7_3. Equipment sanitization
  183. Delete sensitive data securely
  360. Remove unnecessary sensitive information
MA_L2-3_7_4. Media inspection
  041. Scan files for malicious code
  155. Application free of malicious code
MA_L2-3_7_5. Nonlocal maintenance
  328. Request MFA for critical systems
  362. Assign MFA mechanisms to a single account
MP_L1-3_8_3. Media disposal
  183. Delete sensitive data securely
  315. Provide processed data information
  317. Allow erasure requests
  318. Notify third parties of changes
  360. Remove unnecessary sensitive information
MP_L2-3_8_1. Media protection
  153. Out of band transactions
  232. Require equipment identity
  255. Allow access only to the necessary ports
  350. Enable memory protection mechanisms
  351. Assign unique keys to each device
  362. Assign MFA mechanisms to a single account
MP_L2-3_8_2. Media access
  176. Restrict system objects
  205. Configure PIN
  229. Request access credentials
  264. Request authentication
  351. Assign unique keys to each device
MP_L2-3_8_5. Media accountability
  153. Out of band transactions
  181. Transmit data using secure protocols
MP_L2-3_8_6. Portable storage encryption
  185. Encrypt sensitive information
  224. Use secure cryptographic mechanisms
  336. Disable insecure TLS versions
MP_L2-3_8_7. Removable media
  205. Configure PIN
  210. Delete information from mobile devices
  213. Allow geographic location
  214. Allow data destruction
  221. Disconnect unnecessary input devices
  255. Allow access only to the necessary ports
  326. Detect rooted devices
MP_L2-3_8_8. Shared media
  232. Require equipment identity
PE_L1-3_10_1. Limit physical access
  250. Manage access points
  257. Access based on user credentials
  273. Define a fixed security suite
  362. Assign MFA mechanisms to a single account
PE_L1-3_10_4. Physical access logs
  075. Record exceptional events in logs
  085. Allow session history queries
PE_L1-3_10_5. Manage physical access
  205. Configure PIN
  255. Allow access only to the necessary ports
  362. Assign MFA mechanisms to a single account
  373. Use certificate pinning
PE_L2-3_10_6. Alternative work sites
  273. Define a fixed security suite
RA_L2-3_11_2. Vulnerability scan
  041. Scan files for malicious code
  062. Define standard configurations
  155. Application free of malicious code
SC_L1-3_13_1. Boundary protection
  030. Avoid object reutilization
  145. Protect system cryptographic keys
  147. Use pre-existent mechanisms
  206. Configure communication protocols
  224. Use secure cryptographic mechanisms
  249. Locate access points
  250. Manage access points
  252. Configure key encryption
  253. Restrict network access
  255. Allow access only to the necessary ports
  257. Access based on user credentials
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy
  346. Use initialization vectors once
SC_L1-3_13_5. Public-access system separation
  259. Segment the organization network
SC_L2-3_13_3. Role separation
  095. Define users with privileges
  096. Set user's required privileges
SC_L2-3_13_4. Shared resource control
  075. Record exceptional events in logs
  096. Set user's required privileges
  127. Store hashed passwords
  176. Restrict system objects
SC_L2-3_13_6. Network communication by exception
  341. Use the principle of deny by default
  359. Avoid using generic exceptions
SC_L2-3_13_7. Split tunneling
  025. Manage concurrent sessions
  284. Define maximum number of connections
SC_L2-3_13_8. Data in transit
  077. Avoid disclosing technical information
  147. Use pre-existent mechanisms
  181. Transmit data using secure protocols
  224. Use secure cryptographic mechanisms
SC_L2-3_13_9. Connections termination
  023. Terminate inactive user sessions
  031. Discard user session data
SC_L2-3_13_10. Key management
  145. Protect system cryptographic keys
  151. Separate keys for encryption and signatures
  252. Configure key encryption
  351. Assign unique keys to each device
SC_L2-3_13_13. Mobile code
  205. Configure PIN
SC_L2-3_13_15. Communications authenticity
  030. Avoid object reutilization
  147. Use pre-existent mechanisms
  178. Use digital signatures
  338. Implement perfect forward secrecy
SC_L2-3_13_16. Data at rest
  062. Define standard configurations
  146. Remove cryptographic keys from RAM
  329. Keep client-side storage without sensitive data
SI_L1-3_14_2. Malicious code protection
  041. Scan files for malicious code
  155. Application free of malicious code
SI_L1-3_14_4. Update malicious code protection
  353. Schedule firmware updates
SI_L1-3_14_5. System & file scanning
  041. Scan files for malicious code
  323. Exclude unverifiable files
  339. Avoid storing sensitive files in the web root
  340. Use octet stream downloads
  352. Enable trusted execution
SI_L2-3_14_3. Security alerts & advisories
  075. Record exceptional events in logs
SI_L2-3_14_7. Identify unauthorized use
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  376. Register severity level